Software Defined Perimeter
A new approach to access control
Junaid Islam, Co-Chair
Before we start, two ideas we believe strongly
• Complexity is the primary reason security systems fail (Junaid said this)
• The ideal security solution should just work (what Bob wants)
Fundamental Problem:
Connection-oriented protocol
Client connects to server before authentication
Vulnerability is unauthenticated connectivity
Attacks:
Server exploitation
Credential theft
Connection hijacking
[Diagram: Alice asks DNS over the Internet for the IP address of the finance server and gets 10.0.0.1 (other hosts: 10.0.0.2, 10.0.0.3); she connects ("Hello 10.0.0.1, I'd like some data") and only then is challenged ("Who are you?"), answers "Alice, p@ssw0rd", and is told "You're authorized."]
Connectivity & Visibility: Not a New Problem
Wall off the enterprise
Hide the applications
Tightly manage the computers
[Diagram labels: Alice, Bob, SaaS, IaaS]
Business 2.0: The Perimeter Crumbled
[Diagram labels: Phishing, Alice, Bob]
The world needs a new security model!!!
Enterprise, BYOD, SaaS, IaaS, contractors, subject matter experts, outsourced software and IT, channel partner, ERP professional
Remove connectivity
Remove visibility
Cloud & BYOD friendly
How SDP Started: Big companies with BIG problems
Connecting 200,000 users to data center-cloud apps
Monitoring and updating vehicle software
Enabling "customer controlled" services
Current Connectivity Model
Flow: Connect to Application → Provide Credentials → Multifactor Token
Attacks along the way (diagram labels): Denial of Service, Credential Theft, Server Exploitation, Connection Hijacking, APT/Lateral Movement, Insider Threat
Solution Requirements: No secrets, Mobile Devices, Highly scalable
Software Defined Perimeter
Flow: Connect to Application → Provide Credentials → Multifactor Token
SDP Architecture
Components: SDP Controller, SDP Gateways (DMZ & Data Center; Hosting & IaaS), SDP Client, SAML IdP (issuing)
[Diagram labels: Client Crypto, Gateway Crypto, Gateway IPs]
0. One time on-boarding: client root of trust; digital artifacts & thin client
1. Device Authentication & Authorization: SPA (anti-DDoS, defeats SSL attacks); mTLS & fingerprint (anti credential theft)
2. User Authentication & Authorization: enterprise identity, separation of trust; SAML IdP integrated with LDAP groups
3. Dynamically Provisioned Connections: applications isolated and protected; usability: portal page of applications
Key SDP Features
• 64 bit id is not secret (can be listed)
• SPA can carry payload for Auto/IoT applications
• Attacks can be detected in the first packet
Defeating Attacks on the Extended Enterprise
[Diagram labels: User name, Password]
• Server exploitation: constant attacks
Misconfigurations, vulnerabilities, injections, denial of service
Defense: Server Isolation (SPA, Dynamic FW)
• Credential theft: ⅔ of Verizon DBIR
Phishing, keyloggers, brute force
Defense: Transparent MFA (mTLS, Fingerprint)
• Connection hijacking: stealthiest
Man-in-the-Middle, certificate forgery, DNS poisoning
Defense: Encryption, Pinned Certs, No DNS
SDP Provides Real Time Threat Detection
SDP Cryptography Profile
• ECDHE-RSA-AES256-GCM-SHA384 TLS suite
ECDHE: Elliptic Curve Diffie–Hellman Ephemeral
Elliptic curve pre-master keys generate the four symmetric keys of the TLS session
Ephemeral keys per session: Perfect Forward Secrecy
But not client or server authentication
RSA: public/private key pair with an X.509 certificate; client and server authentication
Vidder's implementation:
Certificates "pinned" to a trusted root certificate, not the hundreds of (possibly compromised) roots browsers trust
Employs OCSP stapling (RFC 6066): forwards the OCSP response with the TLS Server Hello, which reduces the load on the OCSP responder and mitigates a DoS of the OCSP responder
AES256-GCM: Advanced Encryption Standard (NIST FIPS 197), symmetric key encryption, 256 bit cipher
Galois/Counter Mode: block cipher mode that simultaneously computes encryption and integrity
PCs and servers implement GCM in hardware, so the encryption of the data has negligible performance impact
SHA384: Secure Hash Algorithm (member of the SHA-2 family)
• Single Packet Authorization (SPA)
History:
Invented >10 years ago
Commonly used for super user ssh access to servers; mitigates attacks by unauthorized users
Algorithm:
Based on RFC 4226, "HOTP" (HMAC-based One-Time Password), used for hardware/software one time password tokens
128-bit random number seed
128-bit non-secret counter
Software Defined Perimeter:
SPA occurs before the TLS (SSL) connection; mitigates attacks on TLS by unauthorized users (see Attacks on SSL/TLS)
SPA = UID, OTP, CTR, GMAC
UID = Universal ID of SDP Client
OTP = HMAC[seed | CTR]
GMAC = E_client_private_key[HMAC[UID | OTP | CTR]]
Each client has an id, seed, and counter. The counter is incremented, appended to the seed, and hashed. UID, OTP, and CTR (the counter) are sent as clear text. The counter is incremented to mitigate playback attacks. The packet is also signed to provide integrity checking.
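How the SPA packet described above is built by a client and checked by the controller, as an added example that is not Vidder's code. Assumptions: HMAC-SHA256 for the OTP and for the packet signature (the slide does not name the hash), and a per-client HMAC signing key standing in for the client private key that produces the GMAC field; the counter comparison is the replay check the slide describes.

```python
import hashlib
import hmac

# Added example, not Vidder's code. Assumed sizes: 64-bit UID (not secret),
# 128-bit seed (secret), 128-bit counter (sent in the clear), SHA-256 digests.
UID_LEN, OTP_LEN, CTR_LEN, MAC_LEN = 8, 32, 16, 32

def spa_otp(seed: bytes, ctr: int) -> bytes:
    """OTP = HMAC[seed | CTR]: the counter is appended to the seed and hashed."""
    return hmac.new(seed, ctr.to_bytes(CTR_LEN, "big"), hashlib.sha256).digest()

def build_spa(uid: int, seed: bytes, signing_key: bytes, ctr: int) -> bytes:
    """SPA = UID | OTP | CTR | signature; UID, OTP and CTR travel as clear text."""
    body = uid.to_bytes(UID_LEN, "big") + spa_otp(seed, ctr) + ctr.to_bytes(CTR_LEN, "big")
    mac = hmac.new(signing_key, body, hashlib.sha256).digest()  # assumed stand-in for GMAC
    return body + mac

class SpaController:
    """Controller-side check: every decision is made on the first packet, before TLS."""

    def __init__(self, clients: dict):
        self.clients = clients  # uid -> (seed, signing_key), provisioned at on-boarding
        self.last_ctr = {uid: -1 for uid in clients}  # highest counter accepted per client

    def verify(self, pkt: bytes) -> str:
        if len(pkt) != UID_LEN + OTP_LEN + CTR_LEN + MAC_LEN:
            return "malformed"
        body, mac = pkt[:-MAC_LEN], pkt[-MAC_LEN:]
        uid = int.from_bytes(body[:UID_LEN], "big")
        otp = body[UID_LEN:UID_LEN + OTP_LEN]
        ctr = int.from_bytes(body[UID_LEN + OTP_LEN:], "big")
        if uid not in self.clients:
            return "unknown-uid"  # the id itself is not secret, only the seed is
        seed, signing_key = self.clients[uid]
        expected_mac = hmac.new(signing_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_mac, mac):
            return "bad-signature"  # integrity check over the whole packet
        if ctr <= self.last_ctr[uid]:
            return "replay"  # counter must strictly increase: playback is rejected
        if not hmac.compare_digest(spa_otp(seed, ctr), otp):
            return "bad-otp"  # right id but wrong seed: not the enrolled client
        self.last_ctr[uid] = ctr
        return "ok"

# Constructed sample client record (demo values, not real keys).
SEED = bytes(range(16))
SIGNING_KEY = b"client-signing-key-demo-0001"
UID = 0x1234
```

Any packet that fails a check is identified before a TLS handshake is ever offered, which is the "detected in the first packet" property the deck claims.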
Attacks on SSL/TLS

Name             | Date      | Attack                                   | Unauthorized | Authorized Users
-----------------|-----------|------------------------------------------|--------------|---------------------------
SSLstrip         | Feb 2009  | http to https                            | SPA          | No http
DigiNotar        | Sept 2011 | MitM forged certs                        | SPA          | Pinned certs
BEAST            | Apr 2012  | Java Applet oracle                       | SPA          | Client-based
CRIME            | Sept 2012 | MitM SPDY compression oracle             | SPA          | No compression
Lucky 13         | Feb 2013  | MitM CBC padding oracle                  | SPA          | GCM
TIME             | Mar 2013  | Browser JavaScript timing oracle         | SPA          | Client-based
RC4 biases       | Mar 2013  | MitM RC4 oracle                          | SPA          | No cipher negotiation
BREACH           | Aug 2013  | Website redirect, compression            | SPA          | No redirect or compression
goto fail        | Feb 2014  | MitM counterfeit key via coding error    | SPA          | Pinned dedicated cert
Triple Handshake | Mar 2014  | Server MitM on client cert               | SPA          | Pinned dedicated cert
Heartbleed       | Apr 2014  | OpenSSL bug                              | SPA          | Not single-ended SSL
BERserk          | Sept 2014 | MitM PKCS#1.5 padding                    | SPA          | Not Mozilla NSS
Poodle           | Oct 2014  | MitM SSLv3 oracle                        | SPA          | No cipher negotiation
Poodle++         | Dec 2014  | MitM JavaScript timing oracle            | SPA          | Client-based
FREAK            | Mar 2015  | MitM negotiation of 512 bit key          | SPA          | No key negotiation
Bar-mitzvah      | Mar 2015  | View RC4                                 | SPA          | No RC4
Current SDP Workgroup Activities
• Supporting DHS contract for Terabit scale DDoS solution
• Coordinating development efforts of commercial partners
Typical Denial of Service (DoS) Attacks
• Application layer: SQL statements that DoS the database. Many false positives punish legitimate users. PrecisionAccess defeats this with no false positives.
• User name/password: compromise or DoS each user. Cannot be stopped with traditional tools. PrecisionAccess defeats this with no users compromised.
• SSL negotiation: a single laptop can DoS a server. Very expensive to stop with traditional tools. PrecisionAccess defeats this with very little effort.
• Bandwidth consumption: >100's of Gbps. Cannot be stopped by do-it-yourself tools. SDP's scale out at AWS mitigates Tbps.
[Chart labels: "DoS Protection Service"; "DIY: WAF &"]
National Cyber Security Framework
[Diagram labels: attack surfaces: Device Attacks, Internet Attacks, Server Attacks; threats: RAM Scraping, Data Theft, Credential Theft, Connection Hijacking, Denial of Service, Insider Threats, Server Exploits; controls: Software Defined Perimeter, File & Memory Protection, Behavior Profiling; Server]
Global Beverage Company
Business Objective:
Minimize operational costs and maximize flexibility
Vidder SDP Solution:
✓ Secures partner employee access to the required apps
✓ Protects against DDOS and server vulnerability attacks
✓ Brings visibility into which individuals are accessing which applications, from where, and when
✓ Mitigates credential theft and eases password management with transparent MFA
✓ Delivers a single solution for both web-based and fat applications
[Diagram labels: AWS, SDP Controller, Browser, ERP Apps (SAP), Supply Chain Partners, Data Center, SDP Gateway]
Chip Design Company
Business Objective:
Accelerate chip design process by leveraging public clouds
Vidder SDP Solution:
✓ Secures design engineers' access to cloud-based environment at customer sites
✓ Single tenant SDP federates to each IAM
✓ Customer VPC enclaves not reachable from Internet
✓ Flexible SDP deployment enables dynamic customer use
[Diagram labels: Browser, SDP Gateway, Company A (Enclave A VPC, App), Company B (Enclave B VPC, Enclave C VPC), AWS, SDP Controller]
Global Automotive Company
Business Objective:
Enable in-field vehicle upgrades to retain customers and "sell" new features
Vidder SDP Solution:
✓ Vehicle status delivered in a single SPA packet
✓ Provides a common access platform for apps regardless of where they are deployed: in internal data center or (multiple) cloud sites
✓ Optimizes packet path to optimize user experience
[Diagram labels: AWS, SDP Controller, SDP Gateway, SDP Gateway]