network field day 11 - skyport systems presentation

Post on 13-Apr-2017


TRANSCRIPT

Company Confidential

Skyport Systems: Network Field Day 11

January 2016


The Fallacy of Security Technology

“If you think technology can fix security, you don’t understand technology and you don’t understand security.” ~ Briankrebs.com


A Platform Approach: Not a Product Approach

• Software-defined perimeters that operate at the application layer
• Protection against low-level rootkits/malware, BIOS, SSD firmware, physical ports, IPMI
• Forensics that cannot be modified by employees or third parties

A High-Performance, Secure Enterprise Platform

Platform stack (diagram): runs your application VMs; trusted hardware platform; hardened HW/SW stack; security I/O co-processor.

• Designed for hostile environments: branch, remote location, datacenter
• Security is built in and invisible: protects platform, workloads, compliance
• No special skills required: plug and play, no integration or modifications
• No performance compromise: enforcement offloaded to the co-processor

• Secure architecture whose integrity is established and verifiable from the ground up
• Hardware-enforced security policy and forensic logging at the application edge
• Abstracts security execution from application execution

SkySecure Enclave (diagram): x86 system and security co-processor; the x86 subsystem communicates only through the I/O controller.

Software-Defined Perimeter: DMZ per VM

• ShieldNET: domain name and zone based access
• ShieldID: identity management proxy
• ShieldFS: file systems and content filtering
• ShieldADMIN: administrative privileged access
• ShieldWEB: web applications and crypto/credential proxy

Private DMZ per VM

Traditional zone-based network security (diagram: one DMZ network zone containing several DMZ VMs):
• Protections limited to the network perimeter
• No protection between systems in the DMZ
• Complex integration and management

SkySecure per-VM DMZ (diagram: each DMZ VM behind the security I/O co-processor):
• Zero-trust architecture based on hardware
• Applications are always protected
• Defends workloads against compromise

SkySecure Center (diagram of components)

• Secure audit / log
• VM management
• Traffic intelligence
• WebUI service
• Security data warehouse and real-time data service
• Security reporting
• Real-time analytics
• Device management
• Policy management
• Key management
• Remote attestation
• Authentication / secure enclave
• HSM credential management
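The remote attestation component listed above only means something if the verifier can tie a device's reported platform state back to known-good firmware; the usual mechanism is a measured boot, where each stage hashes the next into a TPM PCR and the verifier replays the event log against a golden allowlist. The following is an added example of that verifier logic and is not Skyport's code, nor a description of how SkySecure implements attestation. The component images, PCR assignments, golden values and event logs are constructed for illustration, and the TPM quote signature check is assumed to have happened before this function runs.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PCR_INIT = bytes(32)   # TPM 2.0 SHA-256 PCR bank starts all-zero at reset


@dataclass(frozen=True)
class Event:
    pcr: int        # PCR index the measurement was extended into
    what: str       # component name as recorded in the event log
    digest: bytes   # SHA-256 of the component as measured by the firmware


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR extend exactly as the TPM computes it: new = SHA256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(log: List[Event]) -> Dict[int, bytes]:
    """Recompute the PCR values an untampered event log would yield."""
    pcrs: Dict[int, bytes] = {}
    for ev in log:
        pcrs[ev.pcr] = extend(pcrs.get(ev.pcr, PCR_INIT), ev.digest)
    return pcrs


# Constructed stand-ins for the measured components; a real verifier hashes the
# actual firmware, bootloader and policy blobs shipped for that platform model.
GOOD_COMPONENTS = {
    0: ("BIOS", b"vendor-bios-2016.01"),
    4: ("bootloader", b"signed-shim"),
    7: ("secure-boot policy", b"db/dbx/KEK state"),
}
KNOWN_GOOD: Set[bytes] = {hashlib.sha256(img).digest() for _, img in GOOD_COMPONENTS.values()}


def build_log(overrides: Optional[Dict[int, bytes]] = None) -> List[Event]:
    """Event log for one boot; `overrides` swaps in a different image for a PCR."""
    overrides = overrides or {}
    return [Event(i, name, hashlib.sha256(overrides.get(i, img)).digest())
            for i, (name, img) in GOOD_COMPONENTS.items()]


GOLDEN = replay(build_log())   # per-model allowlist held by the attestation server


def verify(quoted: Dict[int, bytes], log: List[Event],
           golden: Dict[int, bytes] = GOLDEN) -> List[str]:
    """Return findings; an empty list means the platform attests clean.

    `quoted` is the PCR set from the TPM quote (assumed signature-checked already).
    Two independent checks: the log must reproduce the quoted PCRs (otherwise the
    log was edited), and the quoted PCRs must match the golden allowlist.
    """
    findings: List[str] = []
    replayed = replay(log)
    for idx in sorted(golden):
        if quoted.get(idx) != replayed.get(idx):
            findings.append(f"PCR{idx}: event log does not reproduce the quoted value "
                            "(log edited or truncated)")
        elif quoted.get(idx) != golden[idx]:
            bad = [e.what for e in log if e.pcr == idx and e.digest not in KNOWN_GOOD]
            findings.append(f"PCR{idx}: differs from golden value; "
                            f"unrecognised measurements: {bad}")
    return findings


if __name__ == "__main__":
    clean = build_log()
    implant = build_log({0: b"vendor-bios-2016.01+implant"})   # constructed BIOS implant
    print(verify(replay(clean), clean))        # []
    print(verify(replay(implant), implant))    # PCR0 differs, names the BIOS event
    print(verify(replay(implant), clean))      # honest TPM quote, doctored log
```

The third case is the one that matters for the "forensics that cannot be modified" claim: an attacker who has compromised the host can rewrite the event log, but cannot make the TPM quote match it, so replay mismatch is itself a finding rather than a parsing error.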

SkySecure Center: Traffic Intelligence


Initial Deployment Use Cases

Exposed DMZ applications:
• Secure file transfer
• Web / e-commerce applications
• Cloud/API gateways
• Web authentication servers

Critical IT systems:
• Active Directory
• DNS / DHCP
• Software distribution
• DevOps / SDN controllers

Branch / untrusted:
• Branch consolidation
• Trusted application deployment in hostile locations

Out-of-compliance applications:
• End-of-support applications and operating systems
• Windows XP / 2003 / 2008, RHEL 4/5, etc.
• Web servers with unpatched SSL vulnerabilities

Win2012R2 - Unsecured

(truncated)

• No protection
• Accepting HTTPS connections

Win2012R2 - Micro-segmented

(truncated)

• Firewall allowing HTTPS inbound
• Accepting HTTPS connections

Win2012R2 - SkySecure

• ShieldWEB-In enabled
• Accepting HTTPS connections
• “IP Forwarding” is the only non-informational scanner plugin returning a result
• MS14-066 and MS15-034 critical Microsoft vulnerabilities mitigated entirely
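The demo claim above is that a web/crypto proxy placed in front of the VM removes findings from the scan without patching the VM. That works because the backend's own TLS stack (MS14-066 is a Schannel flaw) never sees the client's handshake, and because the proxy can refuse to forward requests the backend's HTTP stack (MS15-034 is an HTTP.sys flaw) would mishandle. The following is an added example of the second kind of screening and is not Skyport's code or a description of what ShieldWEB does internally. The sample requests are constructed; the oversized Range request shape is the public probe used to fingerprint MS15-034 (CVE-2015-1635), and the policy bound and spec limit are assumptions a deployment would tune.

```python
import re
from typing import Dict, Optional, Tuple

# Policy bound for any byte position in a Range header. Assumption: set it to the
# largest object the backend actually serves; nothing legitimate needs more.
MAX_BYTE_POS = 2**32 - 1
MAX_SPECS = 4          # multipart ranges beyond this are treated as abuse

_SPEC = re.compile(r"^(\d*)-(\d*)$")   # RFC 7233 byte-range-spec or suffix-byte-range-spec


def check_range(value: str) -> Optional[str]:
    """Return None if the Range header value is acceptable, else a rejection reason."""
    if not value.startswith("bytes="):
        return "unsupported range unit"
    specs = [s.strip() for s in value[len("bytes="):].split(",")]
    if len(specs) > MAX_SPECS:
        return f"too many byte-range-specs ({len(specs)})"
    for spec in specs:
        m = _SPEC.match(spec)
        if not m:
            return f"malformed byte-range-spec {spec!r}"
        first, last = m.groups()
        if not first and not last:
            return "empty byte-range-spec"
        for pos in (first, last):
            if pos and int(pos) > MAX_BYTE_POS:
                return f"byte position {pos} exceeds policy bound {MAX_BYTE_POS}"
        if first and last and int(first) > int(last):
            return f"first-byte-pos {first} greater than last-byte-pos {last}"
    return None


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Minimal HTTP/1.1 head parser: request line plus a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return lines[0], headers


def screen(raw: bytes) -> Tuple[bool, str]:
    """Decide whether a request may be forwarded to the backend VM."""
    request_line, headers = parse_request(raw)
    rng = headers.get("range")
    if rng is not None:
        reason = check_range(rng)
        if reason is not None:
            return False, f"{request_line}: blocked at the proxy ({reason})"
    return True, f"{request_line}: forwarded"


# Constructed sample requests (not captured traffic).
NORMAL = b"GET /video.mp4 HTTP/1.1\r\nHost: app.example\r\nRange: bytes=0-1048575\r\n\r\n"
SUFFIX = b"GET /video.mp4 HTTP/1.1\r\nHost: app.example\r\nRange: bytes=-500\r\n\r\n"
# Request shape used to probe for MS15-034 (CVE-2015-1635): last-byte-pos of 2^64-1.
PROBE = b"GET / HTTP/1.1\r\nHost: app.example\r\nRange: bytes=0-18446744073709551615\r\n\r\n"

if __name__ == "__main__":
    for req in (NORMAL, SUFFIX, PROBE):
        print(screen(req)[1])
```

This is a compensating control, not a fix: the VM behind the proxy is still unpatched, and the scan result only changes because the scanner is now talking to the proxy. Anything that reaches the backend by another path (an admin session, a second NIC, a neighbouring VM in the same zone) still sees the original vulnerability, which is the point the per-VM DMZ slides are making.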

Contrast: Point Product Approach to Security

Hardened hardware: TPM management, secure IPMI/iLO, tamper detection
Hardened firmware: signed BIOS, USB disable/monitor
Network: PCAP tooling, IPFIX/sFlow monitor, passive taps, network packet broker, IDS/IPS
Hardened VM environment (compartment): hypervisor micro-segmentation, web application firewall, virtual firewall, SW signing, key management
Hardened control/management plane: operations management, jump servers/SAWs, secure logging/analysis/SIEM, secure backup

Thank You
