Synchronizing and securing the enterprise network with new … · 2018-06-29
© 2018 Microsemi, a wholly owned subsidiary of Microchip Technology Inc. 1
Synchronizing and Securing the Enterprise Network with New Timing Technologies
Barry Dropping, Senior Director of Product Management
Time Enables ALL Infrastructures
Data Centers Power Grid Communications
Wireline Communications Secure Communications
Cellular Communications
Enterprise Communications
Seismic Exploration
Financial Exchanges
Use of GPS Timing in Critical Infrastructure / Key Resource Sectors in U.S.
Chemical
Commercial Facilities
Communications
Critical Manufacturing
Dams
Defense Industrial Base
Emergency Services
Energy
Financial Services
Food and Agriculture
Government Facilities
Healthcare
Information Technology
Nuclear Systems
Transportation Systems
Water Systems
Of the 16 Critical Infrastructure / Key Resource sectors in the U.S., 15 use GPS for timing.
GPS timing is deemed essential for 13 of the sectors.
[Source: U.S. DHS]
European MiFID II Legislation
• New time stamping requirements in financial transactions
• Requires a system of traceability to UTC
• Systems must be very time accurate and precise
• Needed to accurately audit all trading activity
Reference time may be UTC disseminated by a satellite system
Timing Requirement
• 100 microseconds to UTC on all trading machines
Banks and trading venues around the world are following this new standard
European MiFID II Driving Worldwide Timing Trend: UTC Traceability Required in Stock Trading
Generalized MiFID II Requirements: Timing Master, Slave and Monitoring is needed
Timing Master
Timing Slaves
<100 Microseconds
Trading System
Time Monitor/Auditing
Satellite based UTC timing reference
Atomic clock based backup oscillator
Software/hardware to keep time accurate at the timestamping clients/slaves
Monitoring/Auditing means to monitor time accuracy and demonstrate compliance
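The monitoring/auditing step above, as an added example that is not part of the Microsemi deck: it applies the standard NTP offset and delay calculation to each client exchange and only reports a pass when the worst-case error (offset plus half the round-trip delay) stays inside the 100 microsecond bound. The host names, the `Exchange` type and the sample timestamps are constructed for illustration.

```python
from dataclasses import dataclass

LIMIT_US = 100.0  # bound quoted on the slide: 100 microseconds to UTC

@dataclass
class Exchange:          # one NTP request/response, all times in microseconds
    host: str            # hypothetical client name
    t1: float            # request sent      (client clock)
    t2: float            # request received  (server clock, UTC-traceable)
    t3: float            # response sent     (server clock)
    t4: float            # response received (client clock)

def offset_and_delay(x):
    """Standard NTP on-wire calculation (RFC 5905)."""
    offset = ((x.t2 - x.t1) + (x.t3 - x.t4)) / 2.0   # server minus client
    delay = (x.t4 - x.t1) - (x.t3 - x.t2)            # round-trip on the wire
    return offset, delay

def audit(exchanges, limit_us=LIMIT_US):
    """Map host -> (status, offset_us, worst_case_us)."""
    report = {}
    for x in exchanges:
        offset, delay = offset_and_delay(x)
        if delay < 0:                      # impossible timestamps: reject
            report[x.host] = ("INVALID", offset, None)
            continue
        # Path asymmetry is unknown, so the true offset lies within
        # offset +/- delay/2; compliance needs the worst case in bounds.
        worst = abs(offset) + delay / 2.0
        if worst <= limit_us:
            status = "PASS"
        elif abs(offset) <= limit_us:
            status = "UNPROVEN"            # measurement too noisy to prove
        else:
            status = "FAIL"
        report[x.host] = (status, offset, worst)
    return report

# Constructed sample exchanges (not measurements from any real system).
SAMPLES = [
    Exchange("trade-01", 1_000_000, 1_000_030, 1_000_050, 1_000_060),
    Exchange("trade-02", 2_000_000, 2_000_250, 2_000_270, 2_000_420),
    Exchange("trade-03", 3_000_000, 3_000_180, 3_000_200, 3_000_060),
    Exchange("trade-04", 4_000_000, 4_000_010, 4_000_050, 4_000_020),
]

if __name__ == "__main__":
    for host, (status, offset, worst) in audit(SAMPLES).items():
        print(host, status, offset, worst)
```

The `UNPROVEN` result is the case an auditor cares about: the measured offset looks compliant, but the network path is too slow for the measurement itself to demonstrate it.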
Data Security Standard 3.2 (April 2016)
“When clocks are not properly synchronized it can be difficult, if not impossible, to compare log files from different systems and establish an exact sequence of events (crucial for forensic analysis in the event of a breach).
“For post incident forensics teams, the accuracy and consistency of time across all systems and the time of each activity is critical in determining how the systems were compromised.”
Payment Card Industry: applies to organizations that process Visa, MasterCard, etc. payments
• Section 10.4 Using time synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
– 10.4.1 Critical systems have the correct and consistent time.
– 10.4.2 Time data is protected.
– 10.4.3 Time settings are received from industry accepted time sources.
Enterprise Time of Day Landscape
Accurate/Secure/Reliable ToD for servers/routers/applications for improved network operations and business operations
Log file time stamps
• Improve log integrity
• Improved SIEM/NMS reporting
• Speed fault diagnosis
Network Security
• Access rights
• Non-repudiation
• Kerberos
• Firewall workaround
Network Operations
• Backup/archival/retrieval
• Windows Directory Services
• Memcache timestamping
• Distributed database alignment
• Routers (Stratum 2 down)
• Legal/regulatory requirements
“Real World” time values
• Email servers
• Phone systems
• Workstation clocks
• Software makefile operations
• Business transaction time stamps
Hardware Clock (1PPS)
• <15 nanoseconds RMS to UTC(USNO) while tracking GPS
24 Hour Holdover Accuracy (if GPS signal is disconnected)
• Standard: 400 microseconds
• OCXO: 25 microseconds
• Rubidium: <1 microsecond, <3 us at 3 days
Hardware based NTP and PTP timestamps
• Improves time accuracy at the NTP/PTP client
• Patented Microsemi NTP packet timestamping algorithm continuously monitors and compensates for all internal delays in real time.
Accuracy Advantages: Hardware Time Stamping for Better Overall Performance
Precise & Accurate
Rubidium Atomic clock for best possible holdover accuracy
Accuracy Security Reliability
Rubidium atomic clocks maintain accurate time, allowing the IT team to fix GPS cable or antenna problems (e.g. lightning strike, etc.)
NEW SyncServer NTP Reflector™ Technology: Ultra Accurate, Line Speed NTP Operations With Security-Hardening
Hardware
NTP Reflector™ & Packet Limiters
CPU
Inbound NTP Packets
Time-Stamped NTP Packets
• Security Hardened NTP Operations
• Extremely accurate and ultra high capacity NTP timestamping
Non-NTP Traffic
NETWORK
• Protects CPU from DoS attacks
• All packets to CPU are bandwidth limited with user notification of network packet load changes
S600 NTP Reflector Advantages
Dropped
S600 NTP Operational Effectiveness: NTP Clock Accuracy Virtually Immune to NTP Packet Load
NTP Operations | S600 Standard NTPd | S600 NTP Reflector
Time Accuracy | 5 microseconds to UTC, 15 us 1Load Independent | ~0.015 microseconds RMS to UTC, Load Independent
Server Capacity | 10,000 NTP requests/second | 360,000 NTP requests/second
Simultaneous PTP Grandmaster: Multi-Port/Profile flexibility
Multicast Profiles
• Default Profile Multicast Master
• Enterprise/Hybrid Profile Master
• 1PPS rate: 360,000 slaves
• 128PPS rate: >2,800 slaves
Telecom 2008 Profile
• Up to 800 slaves at 128 PPS
PTP Grandmaster Operations: Versatile PTP Grandmaster Well Suited for Enterprise Operations Now and in the Future
Advantages
Nanosecond caliber time stamps
Extremely high capacity
Required for financial trading firms
• MiFID II 100 microsecond to UTC Compliance
4 Independent LAN ports
• Management relegated to only LAN1
CPU Protection against DoS attacks
NTP Reflector
3rd Party X.509 Certificates
TACACS+, RADIUS, LDAP
SSL/HTTPS Only (no HTTP)
Separate Access Control Lists per port
NTP MD5 Authentication
NTP Autokey (Server & Client)
Service termination capability
Security Advantages: Security-hardening for timing and management is essential
Timing
• Standard NTP capacity 10,000 NTP requests per second
• Upgraded capacity 360,000 NTP requests per second
• OCXO & Rubidium Upgrades
• NTPd for time crosschecking
• GPS, GLONASS and/or BeiDou Constellations
Design
• Active Thermal Compensation Technology
• Upgraded components to support a wide -20C to 65C temperature specification (non-rubidium product)
• Dual-corded power supply option (with load-leveling/monitoring)
• Vibration tested per MIL-STD-810G; Altitude tested 13,000 ft. (3900 m)
• Earthquake/Seismic tested to ETSI ETS 300 019 2-3/ NEBS GR-63 CORE 4.4
Reliability Advantages: Timing Reliability is as Important as Design Reliability
PTP Input Option: Back-up to GPS –or– Tunnel accurate time over network into GPS-denied locations
Input treated like GPS/GNSS
Can be prioritized as an input
Telecom 2008 Unicast Profile
Up to 128 packets per second
Includes Automatic Asymmetry Compensation
• If GNSS is available the PTP Input is automatically characterized and calibrated.
• Characterizes up to 32 different paths
PTP INPUT
Tunnel time via PTP into remote location where GNSS antenna is not practical, or PTP is a backup to GNSS
PTP Output/Input Application Example
WAN/LAN
Telecom Profile Master Telecom Profile Slave
Synchronize 100,000’s of NTP clients
• High availability NTP/PTP service operations
Security choices:
• Solid range of security hardening features as standard
• Security-Hardened NTP operations
Reliable source of time
• High accuracy, high capacity time stamps, oscillator upgrades
• Very reliable design features: Wide temp. range, shock & vibration, dual power supplies, etc.
Best in class Network Time Server!
The Microsemi SyncServer S600: Industry Leading Security, Accuracy, Reliability and Flexibility
Secure Firewall Overlay
Identifies spoofing and jamming and protects GPS systems
Integrates seamlessly between existing GPS antenna and GPS system
Optional external 1PPS and 10 MHz timing reference inputs for extended holdover and enhanced detection capabilities
Local and remote CLI in addition to secure and easy-to-use web interface
Seamless integration with TimePictra provides end-to-end management
System designers can no longer treat GPS as a “trusted” source of time
• GPS signal-in-space threats are not just a theoretical possibility – they have been realized
• Measures must be taken to ensure your system is not vulnerable to signal-in-space attacks
Securing GPS-based systems from signal-in-space attacks requires a layered approach to system design
• Detection: Rapidly identify local GPS anomalies such as spoofing or jamming
• Resiliency: Design systems that can continue their operations during periods of GPS outages
• Visibility: Provide situational awareness of the GPS environment
Last but not least: The sky is not falling
• Practical things can be done today to harden your system against signal-in-space threats
Key Points
Design Approach for Securing Systems Against GPS Signal-in-Space Threats
VISIBILITY
DETECTION
RESILIENCY
Microsemi, a wholly owned subsidiary of Microchip Technology Inc. (Nasdaq: MCHP), offers a comprehensive portfolio of semiconductor and system solutions for aerospace & defense, communications, data center and industrial markets. Products include high-performance and radiation-hardened analog mixed-signal integrated circuits, FPGAs, SoCs and ASICs; power management products; timing and synchronization devices and precise time solutions, setting the world's standard for time; voice processing devices; RF solutions; discrete components; enterprise storage and communication solutions, security technologies and scalable anti-tamper products; Ethernet solutions; Power-over-Ethernet ICs and midspans; as well as custom design capabilities and services. Learn more at www.microsemi.com.
Thank You