Page 1: Winston Morton - Intrusion Prevention - AtlSecCon 2011

AtlSecCon, March 2011

Winston Morton

Page 2: Topics of Discussion

The Definition of the Cloud

Cloud Computing and Risk Mitigation

Traditional Intrusion Prevention

Virtualized Intrusion Prevention

Intrusion Prevention in Cloud Computing

Industry Trends

Questions

Page 3: What is the Cloud?

What does “To the cloud” mean?

Why do they always spin something to get to the cloud?

Page 4: Definition of the Cloud

About 432 definitions out there

A shared computing resource with the ability to be delivered via Internet from multiple locations to multiple locations

Public Cloud - Delivered to multiple customers

Private Cloud - Delivered to one customer

Virtual Private Cloud - An isolated subset of the public cloud with dedicated network and computing resources to one customer.

And yes... IBM did this 20 years ago before the brief period of customer owned client/server technologies... (of course the Internet as we know it didn’t exist back then)

Page 5: Why has the risk model changed?

Private cloud deployments have virtualized the natural network aggregation points used for network security

Public cloud providers control critical elements of a comprehensive security program

Cloud provider evaluation criteria (Gartner):

Privileged user access

Regulatory compliance

Data location

Data segregation

Recovery

Investigative support

Long-term viability

Microsoft BPOS cloud service hit with data breach
A 'small number' of Offline Address Book users had some of their data accessed
By Andreas Udo de Haes, Webwereld Netherlands
December 22, 2010 11:39 AM ET

Page 6: The Ownership of Risk

The ownership of risk hasn’t changed but controls have.

The ownership of the data clearly stays with the customer

In many cases when outsourcing you have less ancillary access to data (in transit or at rest)

Intrusion prevention sometimes relies on ancillary data

The cloud service provider generally does not take ownership or risk of loss of data beyond the cost of the service

Your risk tolerance needs to match the cloud delivery model (this generally comes down to a financial decision)

In the SME market risk may go down rather than up with a cloud model

You can’t outsource accountability!

Page 7: Amazon Web Services (AWS) - Section 11. Limitations of Liability.

WE AND OUR AFFILIATES OR LICENSORS WILL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES (INCLUDING DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, OR DATA), EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHER, NEITHER WE NOR ANY OF OUR AFFILIATES OR LICENSORS WILL BE RESPONSIBLE FOR ANY COMPENSATION, REIMBURSEMENT, OR DAMAGES ARISING IN CONNECTION WITH:

(A) YOUR INABILITY TO USE THE SERVICES, INCLUDING AS A RESULT OF ANY (I) TERMINATION OR SUSPENSION OF THIS AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS, (II) OUR DISCONTINUATION OF ANY OR ALL OF THE SERVICE OFFERINGS, OR, (III) WITHOUT LIMITING ANY OBLIGATIONS UNDER THE SLAS, ANY UNANTICIPATED OR UNSCHEDULED DOWNTIME OF ALL OR A PORTION OF THE SERVICES FOR ANY REASON, INCLUDING AS A RESULT OF POWER OUTAGES, SYSTEM FAILURES OR OTHER INTERRUPTIONS;

(B) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; (C) ANY INVESTMENTS, EXPENDITURES, OR COMMITMENTS BY YOU IN CONNECTION WITH THIS AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS; OR (D) ANY UNAUTHORIZED ACCESS TO, ALTERATION OF, OR THE DELETION, DESTRUCTION, DAMAGE, LOSS OR FAILURE TO STORE ANY OF YOUR CONTENT OR OTHER DATA. IN ANY CASE, OUR AND OUR AFFILIATES’ AND LICENSORS’ AGGREGATE LIABILITY UNDER THIS AGREEMENT WILL BE LIMITED TO THE AMOUNT YOU ACTUALLY PAY US UNDER THIS AGREEMENT FOR THE SERVICE THAT GAVE RISE TO THE CLAIM DURING THE 12 MONTHS PRECEDING THE CLAIM.

Page 8: Microsoft Online Services - Section 8. Limitation of liability.

Limitation on liability. Except as otherwise provided in this Section, to the extent permitted by applicable law, the liability of Microsoft and of Microsoft’s contractors to Customer arising under this agreement is limited to direct damages up to the amount Customer paid Microsoft for the Online Service and/or Client Software giving rise to that liability during the (1) Term or (2) twelve months prior to the filing of the claim, whichever is less. These limitations apply regardless of whether the liability is based on breach of contract, tort (including negligence), strict liability, breach of warranties, or any other legal theory. However, these monetary limitations will not apply to: Microsoft’s obligations under the Section titled "Defense of infringement and misappropriation claims"; liability for damages awarded by a court of final adjudication for Microsoft’s or its employees’ or agents’ gross negligence or willful misconduct; liabilities arising out of any breach by Microsoft of its obligations under the Section entitled "Confidentiality"; or liability for personal injury or death caused by Microsoft’s negligence or that of its employees or agents or for fraudulent misrepresentation.

EXCLUSION OF CERTAIN DAMAGES. TO THE EXTENT PERMITTED BY APPLICABLE LAW, WHATEVER THE LEGAL BASIS FOR THE CLAIM, NEITHER PARTY, NOR ANY OF ITS AFFILIATES OR SUPPLIERS, WILL BE LIABLE FOR ANY INDIRECT DAMAGES (INCLUDING, WITHOUT LIMITATION, CONSEQUENTIAL, SPECIAL OR INCIDENTAL DAMAGES, DAMAGES FOR LOST PROFITS OR REVENUES, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING IN CONNECTION WITH THIS AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF SUCH POSSIBILITY WAS REASONABLY FORESEEABLE. HOWEVER, THIS EXCLUSION DOES NOT APPLY TO EITHER PARTY’S LIABILITY TO THE OTHER FOR VIOLATION OF ITS CONFIDENTIALITY OBLIGATIONS OR OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS.

Page 9: Concept of Intrusion Prevention

Stop intrusions BEFORE they happen

As opposed to Intrusion Detection, this requires the system to take action on potential risks

In-line systems can drop malicious traffic before it gets to critical infrastructure

Automated or with human intervention

Can be programmed with very different “personalities” depending on location (e.g. in front of a firewall, in front of a critical server, etc.)

Modern IPS systems have a real time database of threats, many of which may not apply to your environment

Allows for zero-day detection of new threats and applies new rules before your systems are compromised (Virtual Patching)

IPS systems also provide an important audit trail

In the case of a breach, IPS events need to be correlated with firewall logs, user account logs, server access logs, virus scan logs, etc.

Page 10: Concept of Intrusion Prevention - Traditional Intrusion Prevention Systems

Client Based (Desktop)

Generally proactive management of accounts and potential spyware, rootkits, etc.

Watch incoming and outgoing connections for warning signs

Host Based (Server)

Very specific inspection of application requests and common exploit techniques targeted at the host system

Account abuse detection, time of day detection, etc.

Network Based

Deep packet inspection

Broad long term analysis (looking for “low and slow” attacks)

Denial of service, network scanning/mapping attempts

Exploits of known vulnerabilities

Page 11: Concept of Intrusion Prevention - Traditional Enterprise Approach

[Diagram: Enterprise and Internet, with Host Based Intrusion Prevention, Client Based Intrusion Prevention, Network Based Intrusion Prevention and Correlated Event Management]

Page 12: Concept of Intrusion Prevention - Virtual Intrusion Prevention

Virtual machine embedded in the hardware abstraction layer (between the physical hardware and the guest operating system)

Can be software controlled and placed on the same virtual network as any virtual machine

Creates a scalable method to monitor multiple virtual environments

Keep in mind intrusion prevention devices would normally be tuned for the specific operating systems and applications they are protecting

These deployments are highly reliant on multiple vendor integration, i.e. VMware publishes an API for provisioning virtual networks and IPS vendors have to conform to these specifications.

Page 13: Traditional vs. Virtualized IPS

[Diagram: a physical server running a hypervisor (VMware / Microsoft Hyper-V / Cisco Nexus) hosting several OS/APP virtual machines, connected to the network through virtual LANs, virtual switches and virtual IPS instances; beside it a traditional physical server with an operating system and application, covered by Host Based IPS (software based, host based ruleset, application attack vectors) and Network Based IPS (hardware based, network based ruleset, network attack vectors)]

Host Based IPS - Same as traditional server deployments

Virtual IPS - Special virtual machines, vendor specific API, can be “bridged” in software to any virtual segment

Network Based IPS - Can be “bridged” to the VLAN associated with a virtual machine; most enterprise IPS vendors support multiple VLANs (802.1Q)

Page 14: IPS Challenges in the Public Cloud

A holistic view is important to determine real time risk

What used to be physical and in our server room is now logical and controlled by a 3rd party company

We may be missing infrastructure events that would trigger a potential security threat

Importance of event correlation:

Appearances of targeted probing before an event

What happened before and after a security breach

Common time and log management is critical to determining root cause

Intrusion prevention is about recognizing potential security threats and acting BEFORE a breach

There are ways to work with outsourced infrastructure to manage this reduced visibility
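The correlation that page 9 (IPS events against firewall, account and server access logs) and page 14 (a common timeline, and probing that appears before an event) call for, as an added example that is not part of the slides. Every log line below is constructed for the example and the three log formats are invented to show the normalization step; the zone table, the syslog year parameter and the server IP passed to the access-log parser are assumptions because those sources do not carry the value themselves.

```python
"""Correlate IPS events with firewall and server access logs on one UTC timeline.
Added example, not from the slides; all log lines and formats are constructed."""
import re
from datetime import datetime, timedelta, timezone

# ---- constructed sample data -------------------------------------------------
# Each source keeps time differently (explicit offset, local zone name, Apache
# style zone field); without a common time base these events never line up.
IPS_EVENTS = [
    "2011-03-18T14:02:11-03:00 sid=1002 sev=low src=198.51.100.7 dst=203.0.113.10 msg='TCP port sweep'",
    "2011-03-18T14:09:40-03:00 sid=2140 sev=high src=198.51.100.7 dst=203.0.113.10 msg='HTTP path traversal' action=drop",
]
FIREWALL_LOGS = [  # syslog style: no year, local zone given as a field
    "Mar 18 14:02:09 fw1 ADT ACCEPT src=198.51.100.7 dst=203.0.113.10 dport=22",
    "Mar 18 14:02:10 fw1 ADT ACCEPT src=198.51.100.7 dst=203.0.113.10 dport=80",
    "Mar 18 14:09:39 fw1 ADT ACCEPT src=198.51.100.7 dst=203.0.113.10 dport=80",
    "Mar 18 14:30:00 fw1 ADT ACCEPT src=192.0.2.44 dst=203.0.113.10 dport=443",
]
ACCESS_LOGS = [  # Apache style access log, already stamped in UTC
    '198.51.100.7 - - [18/Mar/2011:17:09:40 +0000] "GET /files/../../../config.ini HTTP/1.1" 403 0',
    '192.0.2.44 - - [18/Mar/2011:17:30:01 +0000] "GET /index.html HTTP/1.1" 200 512',
]

KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")
FW_RE = re.compile(r"^(\w{3}) (\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) (\w+) (\w+) (.*)$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
ZONES = {"ADT": timezone(timedelta(hours=-3)), "UTC": timezone.utc}  # assumed zone table


def _kv(text):
    """Parse key=value pairs, allowing single-quoted values with spaces."""
    return {k: v.strip("'") for k, v in KV_RE.findall(text)}


def parse_ips(line):
    ts, rest = line.split(" ", 1)
    f = _kv(rest)
    return {"utc": datetime.fromisoformat(ts).astimezone(timezone.utc), "source": "ips",
            "src": f["src"], "dst": f["dst"], "sev": f.get("sev", ""), "detail": f.get("msg", "")}


def parse_firewall(line, year=2011):  # syslog carries no year, so the caller supplies it
    mon, day, hh, mm, ss, host, zone, action, rest = FW_RE.match(line).groups()
    local = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=ZONES[zone])
    f = _kv(rest)
    return {"utc": local.astimezone(timezone.utc), "source": "firewall:" + host,
            "src": f["src"], "dst": f["dst"], "sev": "", "detail": f"{action} dport={f['dport']}"}


def parse_access(line, server="203.0.113.10"):  # the server IP is not in the log: assumed
    src, ts, req, status = ACCESS_RE.match(line).groups()
    utc = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"utc": utc, "source": "access:" + server, "src": src, "dst": server,
            "sev": "", "detail": f"{req} -> {status}"}


def correlate(ips_events, other_events, window_s=5):
    """For each IPS event, collect events from the other sources involving the
    same source IP within +/- window_s seconds, ordered on the UTC timeline."""
    window = timedelta(seconds=window_s)
    result = []
    for ev in ips_events:
        related = [o for o in other_events
                   if o["src"] == ev["src"] and abs(o["utc"] - ev["utc"]) <= window]
        result.append((ev, sorted(related, key=lambda o: o["utc"])))
    return result


def prior_probing(ips_events, lookback_s=900):
    """For each high-severity IPS event, list earlier lower-severity IPS events
    from the same source within lookback_s seconds: the probing that precedes an event."""
    back = timedelta(seconds=lookback_s)
    found = {}
    for ev in ips_events:
        if ev["sev"] != "high":
            continue
        earlier = [p for p in ips_events if p["src"] == ev["src"] and p["sev"] != "high"
                   and timedelta(0) < ev["utc"] - p["utc"] <= back]
        found[ev["detail"]] = [p["detail"] for p in earlier]
    return found


def build_timeline():
    """Normalize every source to UTC, then correlate and look for prior probing."""
    ips = [parse_ips(l) for l in IPS_EVENTS]
    others = [parse_firewall(l) for l in FIREWALL_LOGS] + [parse_access(l) for l in ACCESS_LOGS]
    return correlate(ips, others), prior_probing(ips)


if __name__ == "__main__":
    correlated, probing = build_timeline()
    for ev, related in correlated:
        print(f"{ev['utc'].isoformat()} IPS {ev['sev']} '{ev['detail']}' from {ev['src']}")
        for o in related:
            print(f"    {o['utc'].isoformat()} {o['source']} {o['detail']}")
    print("probing seen before high-severity events:", probing)
```

The firewall lines are local time and the access log is UTC; once both are converted, the firewall ACCEPT at 14:09:39 ADT, the IPS drop at 14:09:40 ADT and the 403 in the access log at 17:09:40 UTC fall within one second of each other, and the port sweep seven minutes earlier from the same source shows up as the prior probing. A single clock source for every device feeding the correlation is what makes a window this narrow usable.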

Page 15: Cloud Computing Models - Software as a Service (SaaS)

Remote secure access to one Application

Typically Web Based Service

Typically accessible from anywhere

Security Model

No access to SaaS network

No access to SaaS Host OS

User Based Intrusion Prevention

User Authentication

User Auditing (Application Dependent)

[Diagram: SaaS Provider - Internet - Enterprise]

Page 16: Cloud Computing Models - Platform as a Service (PaaS)

Remote secure access to one Platform

Typically a Windows/Linux Server

Typically Bundled with Storage

“Bring your own” Application

Multiple locations

Security Model

No access to PaaS network

Control over OS and Applications

Host Based Intrusion Prevention

User Based Intrusion Prevention

[Diagram: PaaS Provider - Internet - Enterprise]

Page 17: Cloud Computing Models - Virtual Private Cloud (VPC)

Multiple platforms on one subnet inside the cloud

Platforms can communicate with each other within the cloud

Secure connection to enterprise

Security Model

Typically no External Internet Access

Limited access to VPC network

Employ strong encryption between networks

One compromised platform has access to all devices on subnet

Host based Intrusion Prevention

Network Based Intrusion Prevention (Enterprise Side)

[Diagram: VPC Provider - Internet - Enterprise]

Page 18: Industry Trends

Enterprise IPS has rapidly matured in the past 3-5 years

Public cloud computing solutions are still maturing to the point they can be integrated with enterprise IPS systems

Without direct access to the cloud provider network we are missing some of the latest features of IPS systems:

Virtual Security Patch

Denial of Service Response

Zero Day Attack Detection

Competing standards for cloud providers’ and vendors’ event management protocols:

Common Event Expression (CEE)

Distributed Auditing Service (XDAS)

Page 19: Industry Trends

A few “Cloud Enabled” IPS vendors:

SourceFire Virtual 3D Sensor http://www.sourcefire.com/security-technologies/cyber-security-products/3d-system

IBM Virtual Server Protection for VMware http://www-01.ibm.com/software/tivoli/products/virtualized-network-security/

Cisco Nexus & Virtual Sensor http://www.cisco.com/en/US/products/ps9902/index.html

HP Secure Virtualization Framework http://h17007.www1.hp.com/us/en/solutions/security/svf/

Juniper Networks Virtual Control http://www.juniper.net/us/en/products/services/software/junos-platform/junos-space/applications/virtual-control/

Most IPS solutions are focused on private cloud deployments (virtualized environments)

Expect to see IPS as a key differentiator in the public cloud market (firewall and authentication are commonly available today)
