Software Defined Perimeter - Internet2 · 2015. 10. 5.
TRANSCRIPT
-
Software Defined Perimeter
A new approach to access control
Junaid Islam, Co Chair
Software Defined Perimeter
-
Before we start, two ideas we believe strongly
• Complexity is the primary reason security systems fail (Junaid said this)
• The ideal security solution should just work (what Bob wants)
2 Internet 2 Technology Exchange 2015
-
600+ U.S. Vic
-
Fundamental Problem:
DNS
Alice 10.0.0.1
10.0.0.2
10.0.0.3
Connection-oriented protocol: the client connects to the server before authentication. The vulnerability is unauthenticated connectivity.
Attacks: server exploitation, credential theft, connection hijacking
Alice p@ssw0rd: IP addr of finance server?
10.0.0.1
Who are you? Alice, p@ssw0rd. You're authorized.
Hello 10.0.0.1, I'd like some data
& visibility
-
Internet
Connec
-
SaaS
IaaS
Business 2.0: The Perimeter Crumbled
Phishing
Alice
Bob
The world needs a new security model!!!
Enterprise, BYOD, SaaS, IaaS, contractors, subject matter experts, outsourced software and IT, channel partner, ERP professional
Remove connectivity. Remove visibility.
Cloud & BYOD friendly
-
How SDP Started: Big companies with BIG problems
Connecting 200,000 users to data center-cloud apps
Monitoring and updating vehicle software
Enabling "customer controlled" services
-
Current Connec
-
Solu
-
Software Defined Perimeter
Connect to Application
Provide Credentials
Multifactor Token
-
SDP Architecture
SDP Controller
SDP Gateways
0. One time on-boarding: client root of trust; digital artifacts & thin client
2. User Authentication & Authorization: enterprise identity, separation of trust; SAML IdP integrated with LDAP groups
3. Dynamically Provisioned Connections: applications isolated and protected; usability: portal page of applications
-
Key SDP Features
• 64 bit id is not secret (can be listed)
• SPA can carry payload for Auto/IoT applications
• Attacks can be detected in the first packet
-
Defea
-
SDP Provides Real Time Threat Detec
-
SDP Cryptography Profile
• ECDHE-RSA-AES256-GCM-SHA384 TLS suite
ECDHE: Elliptic Curve Diffie-Hellman Ephemeral. Elliptic curve pre-master keys generate the four symmetric keys of the TLS session. Ephemeral keys per session give Perfect Forward Secrecy, but not client or server authentication.
RSA: Public/private key pair with an X.509 certificate; client and server authentication. Vidder's implementation: certificates "pinned" to a trusted root certificate, not the hundreds of (possibly compromised) roots browsers trust. Employs OCSP stapling (RFC 6066): forwards the OCSP response with the TLS Server Hello, which reduces the load on the OCSP responder and mitigates a DoS of the OCSP responder.
AES256-GCM: Advanced Encryption Standard (NIST FIPS 197), symmetric key encryption, 256 bit cipher block size, Galois/Counter Mode. Block cipher mode that simultaneously computes encryption and integrity. PCs and servers implement GCM in hardware, so encryption of the data has negligible performance impact.
SHA384: Secure Hash Algorithm (a member of SHA-2). Generates a 384 bit hash; verifies integrity of the clear text and of the client/server handshake.
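The profile above expressed as a client-side TLS configuration, written here as an added example with Python's standard ssl module (it is not the slides' or Vidder's code): one ECDHE-RSA-AES256-GCM-SHA384 suite, TLS 1.2 only, TLS compression off, and the trust store limited to a single pinned root supplied by the caller (the cafile path is an assumed placeholder).

```python
import ssl

# Added example, not from the slides: build a client context that can only
# negotiate the profile's single suite and trusts only one pinned root.
def sdp_client_context(pinned_root_cafile: str = None) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # one version: nothing to downgrade to
    ctx.set_ciphers("ECDHE-RSA-AES256-GCM-SHA384")  # one suite: no suite negotiation
    ctx.options |= ssl.OP_NO_COMPRESSION  # no TLS compression (the CRIME/BREACH rows)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if pinned_root_cafile is not None:
        # Trust only the pinned root, not the system store's hundreds of roots.
        # Placeholder path supplied by the caller; no default store is loaded.
        ctx.load_verify_locations(cafile=pinned_root_cafile)
    return ctx

def profile_summary(ctx: ssl.SSLContext) -> dict:
    """Report what the context will actually negotiate, to check the profile."""
    return {
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": bool(ctx.check_hostname),
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }
```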
• Single Packet Authorization (SPA)
History: invented >10 years ago; commonly used for super user ssh access to servers; mitigates attacks by unauthorized users.
Algorithm: based on RFC 4226, "HOTP" (HMAC-based One-Time Password), used for hardware/software one time password tokens; 128-bit random number seed; 128-bit non-secret counter.
Software Defined Perimeter: SPA occurs before the TLS (SSL) connection and mitigates attacks on TLS by unauthorized users (see Attacks on SSL/TLS).
SPA = UID, OTP, CTR, GMAC
UID = Universal ID of SDP Client
OTP = HMAC[seed | CTR]
GMAC = E_client-private-key[HMAC[UID | OTP | CTR]]
Each client has an id, seed, and counter. The counter is incremented, appended to the seed, and hashed. UID, OTP and CTR are sent as clear text. The counter is incremented to mitigate playback attacks. The packet is also signed to provide integrity checking.
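The SPA construction and gateway-side check described above, as an added example (not the slides' or Vidder's code): the client builds UID | OTP | CTR | MAC with OTP = HMAC[seed | CTR], and the gateway rejects unknown ids, bad signatures, bad OTPs and non-advancing counters on the first packet. The id, seed and keys are constructed demo values, and because the slides sign the packet with the client's private key, a per-client HMAC key stands in for that signature so the example runs offline with the standard library.

```python
import hashlib
import hmac

# Constructed demo values, not from the slides: a 64-bit client id (the slides
# note the id is not secret), a 128-bit seed and a 128-bit counter.
UID = 0x1122334455667788
SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
# The slides sign the packet with the client's private key; to stay offline and
# stdlib-only, a per-client HMAC signing key stands in for that signature here.
SIGN_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")

def hotp(seed: bytes, counter: int) -> bytes:
    """OTP = HMAC[seed | CTR]: RFC 4226 style HMAC keyed by the seed."""
    return hmac.new(seed, counter.to_bytes(16, "big"), hashlib.sha256).digest()

def build_spa(uid: int, seed: bytes, counter: int, sign_key: bytes) -> bytes:
    """Client side: SPA = UID | OTP | CTR | MAC, with MAC over UID | OTP | CTR."""
    body = uid.to_bytes(8, "big") + hotp(seed, counter) + counter.to_bytes(16, "big")
    return body + hmac.new(sign_key, body, hashlib.sha256).digest()

class Gateway:
    """Gateway side: per-client seed, signing key and highest counter accepted."""
    def __init__(self, clients: dict):
        self.clients = clients  # uid -> {"seed": bytes, "sign_key": bytes, "last_ctr": int}

    def verify_spa(self, packet: bytes) -> str:
        """Return "accept" or a rejection reason; every reject is first-packet detection."""
        if len(packet) != 88:  # 8 UID + 32 OTP + 16 CTR + 32 MAC
            return "reject: malformed"
        uid = int.from_bytes(packet[:8], "big")
        otp, ctr = packet[8:40], int.from_bytes(packet[40:56], "big")
        body, mac = packet[:56], packet[56:]
        client = self.clients.get(uid)
        if client is None:
            return "reject: unknown uid"
        expected_mac = hmac.new(client["sign_key"], body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected_mac):
            return "reject: bad signature"
        if not hmac.compare_digest(otp, hotp(client["seed"], ctr)):
            return "reject: bad otp"
        if ctr <= client["last_ctr"]:  # counter must advance: an old counter is playback
            return "reject: replay"
        client["last_ctr"] = ctr
        return "accept"

def demo() -> tuple:
    """A valid packet, the same packet replayed, and a copy with the counter altered."""
    gw = Gateway({UID: {"seed": SEED, "sign_key": SIGN_KEY, "last_ctr": 0}})
    pkt = build_spa(UID, SEED, 1, SIGN_KEY)
    tampered = pkt[:40] + (2).to_bytes(16, "big") + pkt[56:]
    return gw.verify_spa(pkt), gw.verify_spa(pkt), gw.verify_spa(tampered)
```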
-
Attacks on SSL/TLS
Name | Date | Attack | Unauthorized users | Authorized users
SSLstrip | Feb 2009 | http to https | SPA | No http
DigiNotar | Sept 2011 | MitM forged certs | SPA | Pinned certs
BEAST | Apr 2012 | Java Applet oracle | SPA | Client-based
CRIME | Sept 2012 | MitM SPDY compressing oracle | SPA | No compression
Lucky 13 | Feb 2013 | MitM CBC padding oracle | SPA | GCM
TIME | Mar 2013 | Browser JavaScript timing oracle | SPA | Client-based
RC4 biases | Mar 2013 | MitM RC4 oracle | SPA | No cipher negotiation
BREACH | Aug 2013 | Website redirect, compression | SPA | No redirect or compression
goto fail | Feb 2014 | MitM counterfeit key via coding error | SPA | Pinned dedicated cert
Triple Handshake | Mar 2014 | Server MitM on client cert | SPA | Pinned dedicated cert
Heartbleed | Apr 2014 | OpenSSL bug | SPA | Not single-ended SSL
BERserk | Sept 2014 | MitM PKCS#1.5 padding | SPA | Not Mozilla NSS
Poodle | Oct 2014 | MitM SSLv3 oracle | SPA | No cipher negotiation
Poodle++ | Dec 2014 | MitM JavaScript timing oracle | SPA | Client-based
FREAK | Mar 2015 | MitM negotiation 512 bit key | SPA | No key negotiation
Bar-mitzvah | Mar 2015 | View RC4 | SPA | No RC4
logjam | May 2015 | MitM downgrade to 512 bit key | SPA | No suite negotiation
-
Current SDP Workgroup Ac
-
Typical Denial of Service (DoS) Attacks
• Application layer: SQL statements that DoS the database. Many false positives punish legitimate users. PrecisionAccess defeats this with no false positives.
• User name/password: compromise or DoS each user. Cannot be stopped with traditional tools. PrecisionAccess defeats this with no users compromised.
• SSL negotiation: a single laptop can DoS a server. Very expensive to stop with traditional tools. PrecisionAccess defeats this with very little effort.
• Bandwidth consumption > 100's Gbps: cannot be stopped by do-it-yourself tools. SDP's scale-out at AWS mitigates Tbps.
DoS Protection Service
DIY: WAF & Load Balancer
PA
-
Na
-
Global Beverage Company
AWS
SDP Controller
Business Objec
-
Chip Design Company
App
Business Objec
-
Global Automo
-
Closing comments
• SDP is really simple
• SDP supports a wide range of applications
• SDP is a collaborative effort, so join the team!
-
Contact Information