Transforming Security: Containers, Virtualization and Softwarization
Post on 15-Dec-2016
#RSAC
Session ID: ASD-W03
Transforming Security: Containers, Virtualization and the Softwarization of Controls
Dennis R Moreau, Senior Engineering Architect, VMware Office of the CTSO, @DoctorMoreau

The Security Problem
Security breach rates and losses continue to outpace security spend in “the year of the breach”.
[Chart: IT spend, security spend and security breaches over time]

Complexity: Complex Attack Behavior
[Diagram: attack behavior spanning the whole stack, from HW & FW through OS and Application, across operating and application layers and across IaaS and SaaS]
HW & FW: MMUs, SMM, UEFI, Controllers, Supply Chain, ...
OS: Overflows, Insertion, Malformation, ...
Application: dll injection, SVC Vulns, ROP, ...
Recon & Lateral Movement: ...

Complexity: Many Required Security Controls
Source: SANS 20 Critical Cyber Controls, Fall 2014. https://www.sans.org/media/critical-security-controls/fall-2014-poster.pdf

Complexity: Many Security Control Standards
NIST 800-53, ISO 27002, NSA Top 10, GCHQ 10 Steps, PCI DSS, HIPAA, NERC, CSA, FISMA, ITIL KPIs, ...
Source: https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf

Complexity: The Balkanization of Security
Security controls differ along every dimension:
Rules, Language & Logic: SNORT, FW 5-tuples, OWASP, YARA, XACML, ...
Control Boundary: End Point, Network, VLAN, Domain, Process, OU, ...
Object Type: User, Application, Data Class, Service, DB, ...
Consoles & Agents: Consoles, Logs, Alerts, Rules, Workflow, ...
Placement Constraints: DB, App, OS, NAT, LB, L4, L3, ...

Complexity: No Finish Line
Change! Drivers of continuous change: evolving standards, control technology, growth and scale, agility++, new business needs, new regulation, new threats, new governance.

Complexity: IT Architecture
Highly connected
Complex service protocols
EP controls with weak isolation
NW controls with weak context
EP <-> NW mismatch
[Diagram: many VMs serving App1 to App4 behind a single shared FW and IPS]

Complexity is the Problem!
Misconfiguration is very common (Gartner: 95%* of FW breaches attributable to misconfiguration).
* Gartner, Inc. “One Brand of Firewall Is a Best Practice for Most Enterprises”. November 28, 2012.
* Gartner, Inc. “... 75 Percent of Mobile Security Breaches Will Be the Result of Mobile Application Misconfiguration”. http://www.gartner.com/newsroom/id/2846017
We need architecturally simplified security provisioning, operation, response and analytics.

Virtualization and the Softwarization of Security Controls: Enabling Policy Simplification

Visibility: Micro-segmentation and SW
• Understand traffic
• Here, > 80% is East-West
• Largely uninspected and unprotected
• Ops: clearly not optimized
Source: Networking data from Arkin.net deployments

Containment & Protection
[Diagram: the App1 to App4 VM estate shown twice, each view with its FW and IPS]
Enabled by: Network Virtualization

Network Virtualization
[Diagram: guest VMs attached to vSwitches, under a virtual server controller and a virtual network controller]
Compute isolation (virtual server control): provisioning, protection, introspection, ...
Network isolation (virtual network control): IP address space, routing, firewall, ...

Network Virtualization: Overlays
[Diagram: tenant L2 segments (Tenant B, Tenant C) and their VMs carried over a shared transport network; an overlay controller manages the tunnels]
Encapsulation on the transport network: outer L2 | IP | UDP | VXLAN | payload, where the payload is the tenant's original frame (L2 | IP | payload).

Micro-segments: A new policy primitive
[Diagram: an App/Svc segment spanning guests attached to several vSwitches]
Aligned isolation: routing, NAT, dFW
Policy boundary invariant

Simplify: Smaller, more aligned policy
[Diagram: left, App1 to App4 VMs behind one shared firewall policy; right, the same VMs with dFW and eFW policy per App/Svc segment]
Policy at the shared firewall crosses many apps (App1 – App4); policy at the segment can align on one App/Svc.
Much smaller policy sets; much more coherent policy.

Simplify: Change with less side effect
[Diagram: the same two layouts, one shared FW policy versus per-segment FW policies]
Policy change at the shared firewall is coupled across apps; policy change at the segment is far safer.
Much simpler mitigation; much safer rule deletion.

Simplify: Policy that follows the workload
[Diagram: the same two layouts, shared FW versus per-segment dFW and eFW]
At the shared firewall, only traffic steering determines protection and visibility; at the segment, classification (SG) determines protection and visibility.
Protection scales with hypervisors.

Simplify: Default deny posture
[Diagram: the same two layouts, shared FW versus per-segment dFW and eFW]
Default deny policy at the shared firewall is blunt, coupled across apps, partial and weakly scalable; default deny policy at the segment is precise, efficient, scalable, ...
Recon and lateral movement in the DC become much more visible and difficult.

Simplify: Intrinsic E/W visibility/control
[Diagram: the same two layouts, shared FW versus per-segment dFW and eFW]
With a shared firewall, E/W traffic is hair-pinned for visibility at the DC edge; with per-segment dFW, all E/W traffic is visible and filtered according to policy.
Complete E/W visibility & control; no hairpin management.

Control Placement and Segments
[Diagram: left, App1 to App4 VMs behind one FW/SC pair; right, a FW/SC pair placed with each App/Svc segment]
Enabled by: Network Virtualization + Softwarization of Security Controls

Virtualization and the Softwarization of Security Controls: Improved Alignment

Align: NW/EP Control Aligned on Segments
[Diagram: left, network (NW) and endpoint (EP) controls over App1 to App4 with FW/IPS per segment, where NW boundaries ≢ EP boundaries; right, both aligned on the App Seg, so EP boundaries ≡ NW boundaries ≡ segment]
NW policy is keyed on NW identifiers and boundaries (IF, Subnet, DHCP Scope, ...); EP policy is keyed on EP identifiers and boundaries (Asset, HostID, SID, Svr Role, TPM, ...).
Aligned on a micro-segment (MS), EP (VMID) and NW share the micro-segment identifier MSID, and policies P1(MSID) ... PN(MSID) are expressed against it.

Align: Coordinated Controls
Segment: dFW, WAF, vFW.
Detect here: the WAF, with OWASP rules. Detection is expensive, so ...
... then block here: the vFW, with FW rules.

Align: Coordinated Controls
Segment: dFW, WAF (OWASP rules), vFW (FW rules), IPS (SNORT rules).
An observed anomaly or emergent vulnerability becomes Rule N+1, Rule N+2, ... across the coordinated controls.

Align: Controls Context
Segment: dFW, WAF, IPS, AA. Rules: OWASP rules, SNORT rules, vFW FW rules, protocol definition, access rules.
Resultant protection policy: order matters, so topological context is required for many security use cases.
Visibility & semantics at one control ... depend on policy and filtering at the controls before it.

Containers and Operationally Plausible Default Deny Policy

Sources of Plausible Micro-segment Policy
1. Provenance, Manifests & Provisioning Information
2. Application Network Behavior
3. Infrastructure Services (or Micro-services) Connectivity & Dynamics

Containers: App/Svc Focused Context
Example authoritative context:
App configuration & resources
Resource sharing across apps
Colocation of containers
Service components
Services within a namespace
Network dynamics (LB, HA, ...)
[Diagram: example contextual structure. A namespace holding a volume service and an RC managing pods; each pod is a container with an app environment and app, ..., fronted by a LB]

Containers: EP Compliance
Compliance scan of Docker image. Usage: oscap-docker image IMAGE_NAME [OSCAP_ARGUMENTS]
Compliance scan of Docker container. Usage: oscap-docker container CONTAINER_NAME [OSCAP_ARGUMENTS]
Vulnerability scan of Docker image. Usage: oscap-docker image-cve IMAGE_NAME [--results oval-results-file.xml [--report report.html]]
Vulnerability scan of Docker container. Usage: oscap-docker container-cve CONTAINER_NAME [--results oval-results-file.xml [--report report.html]]
Ref: https://github.com/OpenSCAP/container-compliance

Alignment: Network Context
[Diagram: hosted protection versus premise protection. A LB fronting services (SVC), a web service (Web Cont, Web Cart), SAP MT and SAP, and DBs]
Control placement determines:
• Meaning of log and alert signals
• Up/down stream interference
• Affected assets
• Mitigation options

But “containers don’t contain”
[Diagram: a provider hosting three tenants on one Docker Engine over one operating system instance (App 1, App 2, App 2, each with its Bins/Libs); the provider attests and audits each tenant]
Shared: IDs, filesystem, services, resources ...
Process and namespace isolation ... but could be much better:
Better isolation
Isolated controls (independent)
Mature security management (Gartner)
Normalized policy locus between WL and hosting (hybrid/multi-cloud)
Mis-alignment
https://opensource.com/business/14/7/docker-security-selinux
http://www.projectatomic.io/blog/2014/09/yet-another-reason-containers-don-t-contain-kernel-keyrings/
http://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/
Gartner: Security Properties of Containers Managed by Docker

Directional: Containers + Virtualization
[Diagram: per-app controls (FW, IPS, WAF, NGFW, ...) and their infrastructure counterparts feed logs, alerts and behavior into analytics; the registry (labels, provenance, testing), containers, Docker daemon, images and policy share the same context]
Where else might this behavior be expressed? ...
Aligned across apps, server and network: same app IDs, same boundaries, shared context, ...
More actionable context, so response is more efficient and accurate, with reduced dwell time.

Containers + Virtualization
VMworld 2015: NET6639 - Next Horizon for Cloud Networking and Security: https://www.youtube.com/watch?v=RBJ-KoAM-OQ&feature=youtu.be
[Diagram: a provider hosting tenants, each in a VM (vServer & vSwitch) running a Docker Engine on its own operating system instance with App 1, App 2, App 2 and their Bins/Libs; per-tenant vSwitches are attested and audited]
Consistent boundary across the stack
Same identifier (msid, vmid)
Alignment ... in any state
Independent verification
Authoritative context (OOB)
Control boundary & controls alignment

Application Blueprint Example - vRealize
Application structure and external connectivity are completely exposed to inform operationally plausible security policy.

Enterprise Infrastructure & Containers
Infrastructural context
Leveraging of PBS, PBN, infrastructural services
Legacy apps to cloud native apps, on the same infrastructure
Integration of governance, CJA, context (for logs, alerts, response RCA, ...)
...
[Diagram: ESX hosts running Photon OS, orchestrated by Kubernetes / MESOS; a Photon Machine creates a Kubernetes cluster and creates and gets pods, running as Photon containers 1 to 3]

App Behavior Analysis: Arkin Example
Insight into application network behavior drives a first-order operationally plausible default deny posture.

Container
Intrinsically captures application structure, provenance and classification (pre-launch)
Always current configuration (immutability)
No “intended” vs. “actual” gap
Operations & security perspectives
Immutability accommodates “moving target” defense techniques
Expose implicit network requirements in app context
Expose implicit app deployment requirements
Level of required awareness of virtual network topology
Required SVCs

Refining Micro-Segmentation Using Analytics

Micro-Segmentation: Model & Secure
• Model apps, app tiers, regulatory scopes, network, org boundaries, etc.
• Default deny: only allow what’s necessary, deny everything else.
Source: Arkin.net screenshot

Micro-Segmentation in Action: Modeling Security Groups
Source: Arkin.net screenshot
Segment by applications, app tiers, security zones, L2/L3 network boundaries, virtual-physical boundaries, organizational levels, etc.

Micro-Segmentation in Action: Modeling Security Policies
Source: Arkin.net screenshot
Inter- and intra-segment (VM to VM) communication
Some services require internet access.
“Deny All” to these segments (... and confirm it)
Allowed access to shared services

Micro-Segmentation in Action: Validate Compliance
Source: Arkin.net screenshot
Runtime effective policy between any two points in the datacenter
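One way to turn observed east-west flows into the segment-level default-deny policy these slides describe, flag one-off flows to confirm before they become permanent, and resolve the runtime effective policy between any two VMs. This is an added Python example, not code from the talk or from Arkin; the security groups, VM names, flows and ports are constructed.

```python
"""Added example, not from the talk: build a default-deny micro-segment
policy from observed east-west flows, then resolve the runtime effective
policy between any two VMs. All data below is constructed."""
from collections import Counter

# Constructed classification: VM -> security group (app tier / shared service).
SECURITY_GROUPS = {
    "web-1": "shop/web", "web-2": "shop/web", "app-1": "shop/app",
    "db-1": "shop/db", "dns-1": "shared/dns", "hr-1": "hr/app",
}

# Constructed observed flows: (src_vm, dst_vm, proto, dst_port).
OBSERVED_FLOWS = [
    ("web-1", "app-1", "tcp", 8443), ("web-2", "app-1", "tcp", 8443),
    ("app-1", "db-1", "tcp", 5432), ("app-1", "db-1", "tcp", 5432),
    ("web-1", "dns-1", "udp", 53), ("web-2", "dns-1", "udp", 53),
    ("app-1", "dns-1", "udp", 53), ("app-1", "dns-1", "udp", 53),
    ("hr-1", "dns-1", "udp", 53), ("hr-1", "dns-1", "udp", 53),
    ("web-1", "db-1", "tcp", 5432),  # seen once: web tier reaching the DB directly
]

def derive_policy(flows, groups):
    """Aggregate VM-level flows into segment-level allow rules.
    Returns {(src_group, dst_group, proto, port): observation_count};
    anything not in this set is denied by default."""
    rules = Counter()
    for src, dst, proto, port in flows:
        rules[(groups[src], groups[dst], proto, port)] += 1
    return dict(rules)

def rare_rules(rules, max_count=1):
    """Rules observed at most max_count times: confirm these with the
    app owner before they become permanent allow rules."""
    return {rule for rule, n in rules.items() if n <= max_count}

def effective_policy(rules, groups, src_vm, dst_vm, proto, port):
    """Runtime effective decision between two points: allow only if an
    aligned segment rule exists; intra-segment traffic is denied as well
    unless it was observed and kept."""
    key = (groups[src_vm], groups[dst_vm], proto, port)
    return "allow" if key in rules else "deny"

if __name__ == "__main__":
    policy = derive_policy(OBSERVED_FLOWS, SECURITY_GROUPS)
    for rule in sorted(policy):
        print("allow", rule, "seen", policy[rule], "times")
    print("confirm before keeping:", rare_rules(policy))
    print("hr-1 -> db-1 tcp/5432:",
          effective_policy(policy, SECURITY_GROUPS, "hr-1", "db-1", "tcp", 5432))
```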

Summary
Complexity is at the heart of today’s security challenge.
Virtualization and softwarization allow app-focused placement and policy alignment.
Containerization provides the essential context for realizing an operationally plausible default deny policy.
This results in transformationally simpler policy and more effective protection.

Apply: Assess
When you return to work:
Evaluate your current policy complexity: policy set size; policy testing workflow.
Estimate its effect on security policy management: latency in security policy updates.
Estimate the degree of your “default deny” posture.
Identify related instances of policy misconfiguration.

Apply: DevOps
As you move forward in DevOps:
For selected applications, determine: the operationally plausible default deny posture from observed logs; application policy requirements from container blueprints/manifests; application component dynamics (continuity, scaling, ...).
For important, cross-cutting application services: document discovery, election, failover, ... protocol dynamics.

Apply: Plausible Micro-segment Policy
Plausible policy information sources:
1. Provenance, Manifests & Provisioning Information
2. Application Network Behavior
3. Infrastructure Services (or Micro-services) Connectivity & Dynamics

Thank You! Questions?
Dennis R Moreau: dmoreau@vmware.com