SYMANTEC CONSIDERATIONS ON MIDDLEBOXES

Transcription

1 SYMANTEC CONSIDERATIONS ON MIDDLEBOXES 12 th OF JUNE SECURITY WEEK 2018

2 SYMANTEC AGENDA TODAY 1 2 WHICH MODEL FOR SECURITY AND PRIVACY? IS A CONSENSUS REACHABLE? LET s BE PATIENT ANNEX PRACTICAL CONSIDERATIONS FOR THE ICT?

3 WHICH MODEL FOR SECURITY AND PRIVACY?

4 SECURITY AND PRIVACY IMPLICIT OR EXPLICIT DIGITAL PERSONA EXPERIENCE / APP / CAPABILITY USER EXPERIENCE «SESSIONS» SERVICE DATA LAKES USER DEVICE OR THING «NETWORK INFRASTRUCTURE» «CLOUD» / «INTERNET» 4

5 THE INTERCEPTION LANDSCAPE END POINT AND INFORMATION PROTECTION DIGITAL PERSONA PROTECTION BUSINESS INTERCEPTION OTHER MIDDLEBOXES FUNCTIONS REGULATORY FRAMEWORK (e.g. GDPR) CLOUD SECURITY IMPLICIT OR EXPLICIT DIGITAL PERSONA EXPERIENCE / APP / CAPABILITY USER EXPERIENCE «SESSIONS» SERVICE DATA LAKES USER DEVICE OR THING «NETWORK INFRASTRUCTURE» «CLOUD» / «INTERNET» SOCIAL ENGINEERING ATTACKS VAST MISMATCH BETWEEN USER CONSENT UNDERSTANDING vs DIGITAL PERSONA CONSENT REALITY SECURITY ATTACKS (DEVICE / IDENTITY / BROWSER / APP / NETWORK / INFORMATION etc.) MAN IN THE MIDDLE INTERCEPTION ATTACK BACKDOORS LAWFUL INTERCEPTION MASS SURVEILLANCE / CENSORSHIP DATA BREACHES SECURITY BREACHES BACKDOORS 5

6 «PROTOCOLS» WE MISS A REAL PROTOCOL FOR PRIVACY N-WAY RESPECTFUL INTERCEPTION PROTOCOL IMPLICIT OR EXPLICIT DIGITAL PERSONA EXPERIENCE / APP / CAPABILITY MIDDLEBOX COLLABORATION PROTOCOL USER EXPERIENCE «SESSIONS» SERVICE DATA LAKES USER A REAL DIGITAL HUMANITIES «PROTOCOL» DEVICE OR THING «NETWORK INFRASTRUCTURE» «CLOUD» / «INTERNET» OFF BOUND UNIFIED SECURITY HUB PROTOCOL 6

7 CONCLUSION 1 LET s BE REAL WE MISS A LOT IN THE LONG TERM WAY BEYOND «JUST» AN N-WAY PROTOCOL 7

8 HOW TO REACH A CONSENSUS? LET s BE PATIENT

9 Half of All Web Connections Are Now Encrypted ( 2017 )

10 Half of All Web... Attacks... Are Now Encrypted ( 2017 )

11 CLASSIC SECURITY & PRIVACY MODEL Eve Alice Bob

12 EQUALLY COMMON BOB IS IN THE CLOUD CAN I TRUST THIS SITE IT MIGHT BE COMPROMISED STILL I WANT OR NEED TO WORK WITH IT THE REMOTE SITE MIGHT HELP ME HACK ME PROFILE AND TRACK ME AND MY ENDPOINT MY NOT HAVE ENOUGH PROTECTION

13 How? The Security Impact of HTTPS Interception, Durumeric, Ma, Springall, Barnes, Sullivan, Bursztein, Bailey, Halderman, Paxson, in Network and Distributed System Security Symposium (NDSS 2017) Classic Approach Protection Most Middleboxes negotiate weaker least Common Denominator Crypto. Endpoint doesn t know. Al or Alice Middlebox terminates & initiates independent TLS sessions. M.B.G.

14 How? Protection Naylor, Li, Gkantsidis, Karagiannis, & Steenkiste propose to leverage SGX to help make this safer. Alternative Approach Al or Alice References in speaker notes Al or Alice delegate protection (most commonly to more powerful devices) by sending ephemeral or symmetric keys M.B.G.

15 What Could Possibly Go Wrong? What? MITM?? Isn t that dangerous?!?! Classic Middleboxes (MB) often negotiate weaker crypto No end2end integrity protection MB could get hacked Risk decryption to block attacks + No cryptographic attestation of MB identity, policies, etc. Endpoint completely lacks visibility into upstream MB Current Alternative Still lacks end2end integrity MB could still get hacked What goes wrong today? Risk decryption to block attacks + No cryptographic attestation of MB identity, policies, etc. + Of course, such decryption is crucial not only for blocking attacks in real-time, but also for post-facto forensic investigation and remediation of successful attacks, along with regulatory compliance verification, and much more.

16 What Could Possibly Go Wrong?! Middleboxes (MB) often negotiate A good protocol could address these Classic weaker crypto No end2end integrity protection MB could get hacked Risk decryption to block attacks No cryptographic attestation of MB identity, policies, etc. Endpoint completely lacks visibility into upstream MB Current Alternative Still lacks end2end integrity MB could still get hacked Risk decryption to block attacks No cryptographic attestation of MB identity, policies, etc. + Of course, such decryption is crucial not only for blocking attacks in real-time, but also for post-facto forensic investigation and remediation of successful attacks, along with regulatory compliance verification, and much more.

17 CONCLUSION 2 THE PATH FOR A CONSENSUS IS VERY NARROW BUT NOT NULL PATIENT = PROTECTION AGAINST ATTACKS TUNNELING IN ENCRYPTED TRAFFIC STATUS = SYMANTEC WORKING ON AN AWARENESS CAMPAIGN FIRST PREPARING COMING BACK TO IETF 17

18 Thank You!

19 PRACTICAL ARCHITECTURAL CONSIDERATIONS FOR THE ICT

20 DIGITAL SERVICE PROVIDERS ATT, Verizon, DT, BT, Orange, NTT, Airtel, MVNOs, Tier1, Tier2, Tier3 NOT TELCOs AS DEFINED 20 YEARS AGO! STRONG NEED FOR NEW DEFINITIONS HSBC, Credit Suisse, GM, Toyota, etc. ENT SP Enterprise Service Providers CSP Communication Service Providers NEP Network Equipment Providers Huawei, Ericsson, ZTE, Nokia, Converse, etc. BEING DISCUSSED WITH ITU SG2 AppDirect, Netcracker (NEC), Infonova, etc. CSB Cloud Service Brokers MASSIVE CO- COMPETITION GSI Global System Integrators HP, IBM, Fujitsu, Accenture, PwC, etc MSP in Germany, in France, etc.. MSP Managed Service Providers ISP Infrastructure Service Providers OTT Over The Top ASP Application Service Providers Google, Facebook, Apple, Microsoft, SFDC, etc. Amazon, Microsoft, Cyxtera, etc. IOT IS EVERYWHERE 20

21 DIGITAL TRANSFORMATION FOR CSPs AND THIS IS THE EASY PART DIGITALISATION IoT M2M, BUS LOW ENERGY NETWORKS SP* ENT SMB RES END CUSTOMER PREMISE ENT SMB RES CPE (MPLS) CPE (UTM) CPE (BOX) RADIO WIFI 5G CPE (MPLS) CPE (UTM) CPE (BOX) RADIO ACCESS ACCESS NETWORK MANAGEMENT CLOUD INFRASTRUCTURE TRANSPORT DC1 APPLICATIONS COMMUNICATION SERVICE PROVIDER AND NEW SERVICE PROVIDERS SDN NFV CORE NETWORK DC2 INTERNET CLOUDS INTERNET CLOUDS END CUSTOMER PREMISE WIFI DC3 DCN Copyright 2016 Symantec Corporation COMMUNICATION SERVICE PROVIDER AND NEW SERVICE PROVIDERS 21

22 HOW TO MODEL DSPs? LET S TAKE AN EXAMPLE WITH CSPs 22

23 HOW TO MAP SECURITY IN THE NEAR FUTURE SHOULD EVERY CAPABILITY BE A VF OR A VNF? How could we safely do network based protection against attacks tunneling in encrypted network traffic, without constraining end-to-end routing? If each MB had a hardware-backed Trusted Execution Environment (TEE), then perhaps endpoints could choose to Trust MB services dynamically migrating from TEE to TEE as orchestrated by Software Defined Networking (SDN), or Network Function Virtualization (NFV). S IOT S = END CUSTOMERS S CRITICAL INFRASTRUCTURES LARGE ENTERPRISES S MEDIUM BUSINESS S SMALL BUSINESS CONSUMERS "S" for security on premise whatever it is, not restricted to endpoint security S S CUSTOMER PREMISE EQUIPMENT SECURE vcpe DSP MANAGEMENT CARRIER GRADE LAYER (OSS/BSS) AND CARRIER POLICY GRADE MANAGER ENABLERS (AAA, etc.) SDWAN ACCESS NETWORK DIGITAL SERVICE PROVIDERS ECOSYSTEM CORE NETWORK CARRIER GRADE SECURITY AND PRIVACY MIDDLEBOXES MANAGED SERVICES SECURITY AND PRIVACY MIDDLEBOX IT DATA CENTERS A LOCAL WORLD UNIFIED OF LOCAL SECURITY DATA LAKES HUB LEGACY INFRASTRUCTURE SECURITY VF and MOVING VNFs TO SDN/NFV INTER- CONNECT SS7 AND MIDDLE- BACKHAULS BOX PEER INTER- CONNECT AND BACKHAULS Moving down the segment is not "a straight line" CLOUD / "INTERNET" CLOUD BASED SECURITY "CLOUDs" GLOBAL UNIFIED SECURITY The Mass Market "barrier" 23

24 BIG MISS POTENTIAL FUTURE MB CAPABILITIES

25 CONCLUSION 3 A LOT IS AT STAKE TO TRULY MAKE THIS WORLD SAFER AND MORE PRIVATE AND NOT MAKE THIS WORLD MORE PRIVATE AND LESS SAFE DSPs ARE THE PLATFORM TO REACH TO ALL SEGMENTS DSPs SHOULD ENGAGE MUCH MORE PROACTIVELY IN THE DEBATE BUT DO THEY RECOGNIZE THE PROBLEM AND THEIR OWN ROLE? 25