Transport Access Control

Transcription

1 BlackRidge Technology Inc. May 2010 Rev 12

2 Contents Introduction... 2 The Threat... 3 The Need... 4 Introduction to TAC... 4 TAC Value Proposition... 7 Summary... 8 Introduction Governments and business enterprises are under repeated cyberattack, often from highlevel adversaries including foreign nationstates. Attacks run the gamut from massive Denial of Service attacks designed to shut down systems all the way to stealthy efforts to enter networks undetected to steal your information and intellectual property. TAC offers the protection of a private network with the flexibility and cost of the public internet. Ray Owen, fmr VP General Dynamics The level of sophistication and dynamic methodologies employed in attacks today require an innovative approach that fits with existing network architectures and is seamless to the users. BlackRidge Technology s (TAC) provides innovative protection to Enterprises by disrupting the ability for attackers to perform reconnaissance of highvalue and mission critical network assets and denies the ability to operate anonymously. With TAC, an Enterprise stops unauthorized, anonymous traffic at the very first packet of the TCP/IP protocol, effectively disrupting an attacker s OODA (Observe, Orient, Decide, Attack) loop by only allowing authorized and authenticated inbound and outbound network sessions. TAC hides servers, critical assets and network applications from unauthorized users, attackers and malware. Using TAC s fine-grained access control, an Enterprise can reduce unwanted traffic on their networks. TAC can also be used for internal protection against data exfiltration, botnets and other malware. TAC s benefits include: Authenticate the first packet of a session Filter and control access to network resources while preserving existing investments in cyber security Blocks network scans (systems protected by TAC are cloaked from unauthorized users) Low, deterministic latency with highly scalable throughput TAC compliments existing cyber security technologies and can be combined with existing security investments. TAC enhances firewalls, intrusion protection systems and network access control in several key aspects: TAC does not rely on signatures to detect malicious behavior TAC does not rely on deep packet inspection TAC policy engines have low latency so they work well with all network applications including voice and video. rev 12 2

3 TAC policy engines can be load balanced for scalability and redundancy. Managing a modern Enterprise requires existing security technologies, like firewalls and intrusion detection systems, but it is also clear that even with these systems, Enterprises are being actively attacked and penetrated. Preventing attackers from anonymously gathering critical information, anonymously connecting to network resources and anonymously removing critical information and intellectual property requires TAC. The Threat Cyberattacks are no longer just a government problem; no longer just a defense contractor problem; and no longer just a military problem. Cyberattacks are everyone s problem. Active cyberattacks on business and Government interests are succeeding at alarming rates, a recent study estimates the cost of data theft exceeded one trillion dollars in In a survey by McAfee, IT Executives who said their vulnerability to cyberattacks had increased over the past year outnumbered those who said their vulnerability had decreased by nearly two to one. The classic prevent and detect cybersecurity techniques do not effectively counter the modern day cyberattacks. Today s cyberattackers can; Easily defeat normal defenses. Successfully evade anti-malware software, network intrusion detection and underequipped incident responders. Use sophisticated techniques to conceal their presence: hiding malware on their target s own hosts and exfiltrating data while remaining hidden within an Enterprise s own network traffic. The motivation of a cyberattaker to steal information is part of a larger objective; to achieve an economic, political or business strategic advantage. Governments are realizing cyberattacks provide significant threats to their interests, second only to the threat of direct attacks like attacks of 9/11. There have been countless, successful cyber attacks against high priority targets, including nearly all Government agencies, each of the major defense contractors and even Presidential political campaigns. The impacts of cyber threats also extend to the nation s economy, where banking institutions, investment houses and ecommerce companies are all being probed, disrupted and remain at extreme risk. These attacks, are a tax on these companies and institutions, reducing the total output of the U.S. economy. Most of these attacks are not one time events; once a cyberattacker gains access to an Enterprise they also establish themselves in the environment, to repeatedly and persistently gain access to an Enterprise s presumed confidential information and discussions. As bleak as this situation is, the reality may be even direr. The rate at which cyberattacks are advancing is outstripping all estimates; our adversaries are progressing much faster in their ability to successfully attack our cyber infrastructure than has been forecast and faster than we are prepared to defend ourselves using today s approaches and technologies. Tier 1 adversaries, both state and non-state actors, have become very sophisticated in their attacks. They exploit every possible attack vector, data breaches are common and high value data is routinely being stolen. Cyber war has started. rev 12 3

4 The Need In today s cybersecurity environment, relying only on existing security technologies to defend an Enterprise is proven not to stop a determined, sophisticated attacker. Here is why- Network reconnaissance, a key step in cyber attacks, uses vulnerability scanners to probe networks and the devices attached to them. Vulnerability scanners, also known as port scanners, operate by attempting to establish TCP/IP connections to various network ports at various network addresses. Network attached devices reveal information about their characteristics by responding to these TCP/IP connection requests. The current state-of-the-art for securing network-connected devices includes the use of firewalls, VPNs, IPS/IDS s and encryption. While each of these technologies accomplishes a specific mission within the security regime, the demarcation point at each security layer exposes information about the services and network applications provided when the communications protocols are not specifically designed to prevent such information leakage. The TCP protocol leaks information The specific information being leaked, even in the presence of firewalls, is the presence and the identity of servers and network applications. This information is exposed because each network-connected device must establish a TCP/IP connection before performing any client authentication. It is this property or design flaw of TCP/IP that enables vulnerability scanning tools to identify what network applications are present and in many cases; develop signatures of the network connected device that includes the operating system, network applications present, and their release and patch levels. This information can then be used to develop strategies to attack the network-connected device. Authenticating before establishing a TCP/IP connection closes this security hole and denies attackers important information. Introduction to TAC authenticates users and client applications on first packet receipt in a TCP/IP session. First Packet Authentication protects data and network applications by concealing network applications from port scans, network reconnaissance and intrusion, while allowing authenticated users to use network applications normally. A second feature of TAC, Bidirectional Authentication, insures against imposter servers and phishing attacks. TAC can be deployed to provide external and internal facing protection. Facing externally, TAC protects against unauthorized access, port scans and network reconnaissance. Facing internally, TAC prevents viruses, malware and rogue applications from calling home or contaminating adjacent networks. TAC is network address translation and port address translation tolerant and is designed to operate transparently, without introducing its own port or network translation complexity. TAC works with mobile devices and devices which use dynamic addresses without requiring administrative updates to the TAC policy engine. All TAC activities are logged, enabling IT and security personnel to quickly identify and respond to rogue applications and hosts that attempt to infiltrate their networks. rev 12 4

5 A TAC deployment is composed of TAC clients and TAC policy engines. A TAC client inserts a TAC Identity token into a TCP/IP connection request. A TAC policy engine extracts, authenticates and applies policy to the received TCP/IP connection requests. TAC works by generating single-use TAC Identity tokens for each TCP/IP session. The TAC Identity tokens are cryptographically generated and are the mechanism that communicates authentication information between a TAC client and a TAC policy engine. A TAC client then uses a steganographic overlay to insert the token into first packet of a TCP/IP connection request. When a TAC policy engine receives the connection request, it extracts and authenticates the inserted TAC Identity token and then applies a security policy (forward, redirect, discard) for the connection request based on the received TAC Identity. TCP/IP session establishment does not allow for the sending of any user (non-protocol) data, including authentication information. By using a steganographic overlay, TAC can be used during TCP/IP session establishment to provide First Packet Authentication. Additionally, the size of the TCP/IP headers is not increased, enabling TAC to function without consuming any network bandwidth. Each TAC Identity token is individually generated, cannot be re-used and expires after a short period of time. Unlike conventional IPS systems, TAC does not use or require deep packet inspection and signature catalogs to differentiate between safe and malicious network activity. These deep packet inspection based systems are vulnerable to false positives (a valid user is excluded from the system) and false negatives (malicious activity goes unnoticed) and cyber attackers are increasingly able to circumvent them. As the number of threats (TAC) Client Server TCP Session setup First Packet Authentication occurs before packets have been acknowledged Data Conventional application layer authentication occurs after packets have been acknowledged TCP Packets time rev 12 5

6 increase, the number of signatures and rules to protect against all threat variants increases exponentially. Because TAC does not use signatures, it is not vulnerable to these types of threats. Nor does TAC require updates to the signature catalogues which ails firewall and IPS systems. TAC protects privacy by not requiring or using payload data. This eliminates the need to inspect traffic payloads, eliminating the payload decryption process and the corresponding encryption key management issues. TAC does not require the sharing of payload encryption keys, thus preserving the privacy of the encrypted payload. TAC uses an innovative identity token cache to provide high scalability and low, deterministic latency. This token cache is tolerant of packet loss and enables TAC deployments in low bandwidth and high packet loss environments. The algorithms used in TAC are highly parallelizable, enabling high scalability to take advantage of today's multi-core and multi-processor systems. TAC clients and policy engines can be hosted on a wide variety of platforms, including network appliances, router blades, security blades, laptops, end point payment systems, PDAs and cell phones. TAC is designed to work in a variety of network architectures including client/server, server/server, cloud and mesh networks. TAC works with both IPv4 and IPv6. TAC is designed to easily integrate smoothly with existing key management systems, and requires no modification to existing network applications or servers. TAC is compatible with and complimentary to existing security and authentication technologies, including IPsec, SSL/TLS and firewalls, providing additional protection not found in these solutions. TAC Protection Levels has two protection levels. These enable systems administrators, network and security architects to deploy TAC security solutions with minimal impact on the end users application experience. The protection levels are: TAC Level 1: Sender Authentication TAC Level 2: Sender + Application Authentication TAC Level 1: Sender Authentication TAC level 1 uses the sender identity to make TAC policy decisions. This makes TAC level 1 well suited for providing secured isolation of access where network resources are being shared amongst multiple constituencies. The isolation provided by TAC Level 1 prevents unauthorized users from accessing protected resources or scanning the network. TAC level 1 does not require an inventory of applications being used. The lack of an application inventory prevents the accidental disenfranchisement of applications. Because no knowledge of application usage is needed for TAC level 1, TAC level 1 is also well suited for initial TAC deployments for customers that will eventually migrate to TAC level 2. TAC Level 2: Sender + Application Authentication TAC level 2 uses the sender identity and the requesting application to make TAC policy decisions. This provides the TAC policy engine with fined grain control over both the network clients and the services requesting network resources. The finer grained control enables a TAC level 2 policy engine to prevent unauthorized users and unauthorized services from accessing protected resources or scanning the network. This makes TAC level 2 ideally suited for protecting network resources from unauthorized access, while more clearly identifying unauthenticated, rev 12 6

7 identityless traffic. TAC level 1 and 2 can coexist and this provides a good migration strategy from TAC level 1 to TAC level 2. Unauthenticated Traffic Assessment In addition to enforcing policy for TAC authenticated traffic, the TAC policy engine can also provide an assessment of unauthenticated traffic, allowing unauthenticated traffic to be forwarded, redirected or discarded. These actions, like all actions performed by a TAC policy engine, occur starting with the first packet and are performed in real time giving downstream remediation, analytic and responsive systems the earliest possible access to live data streams. In addition to the features specific to each TAC Level, all TAC products feature integrated logging, integration with the TAC Management Console and integration with key management systems. TAC Value Proposition TAC provides significant value to an organization in several ways in addition to improved security, scalability and performance. These benefits include: Reduced Network Traffic Load Reduced System Cost Reduced Compliance Cost Reduced Network Traffic Load TAC is designed to be complementary to existing network and security topologies. It is lightweight, transparent and does not add significantly to system latency. Using TAC can remove % of unauthenticated TCP/IP traffic, which in some cases can comprise 70% or more of all sessions being processed by a firewall. TAC also reduces the load on information protection and detection systems by reducing the amount of data that these systems are required to process and store, while still maintaining log data for evidence gathering. Reduced System Cost TAC reduces equipment acquisition costs by reducing the use of deep packet inspection and the expensive hardware deep packet inspection requires. Securing the transport layer with TAC results in the reduction of unauthenticated traffic and adds an additional security layer against malware, DDoS attacks and unauthenticated users. The incremental cost of acquiring TAC is relatively efficient. Acquisition costs are offset by the savings in other equipment as the reduced load provided by TAC lowers the capacity requirements for downstream equipment. The TAC client software is licensed for free; the TAC policy engines are available as industry standard appliances or as licensed software. The security keys needed for TAC Identity token generation can be licensed on an as-needed basis, so annual operating expenses are low. Integration costs are minimal as the product is in line and requires no network topology changes. TAC can greatly reduce the spread of malware and, most importantly, prevent data exfiltration through perimeter protection. TAC adds an additional layer of security to protect mission critical and business critical data and intellectual property. Reduced Compliance Cost TAC provides the ability for organizations to have improved compliance. All requests are logged. These logs can provide the data needed to support regulatory requirements and requirements associated with internal compliance audits. TAC authentication can be transparently added to devices and network applications that do not have the ability to perform authentication. The ability rev 12 7

8 to add authentication and logging capabilities to legacy network applications enables corporations and agencies to meet their compliance and regulatory requirements. Legacy applications continue to operate as normal with TAC being transparently added to the security posture. Some compliance rules also require that complete packet traces of all suspect traffic be maintained for a period of time. By using first packet authentication security tagging, the amount of traffic being stored is greatly reduced, significantly reducing the storage costs of compliance. Summary Cyber war has started. The rate at which this advanced persistent threat is advancing is outstripping all estimates; our adversaries are progressing much faster in their ability to successfully attack our cyber infrastructure than has been forecast and faster than we are prepared to defend ourselves using today s approaches and technologies. Data breaches are common as state and non-state actors have become very sophisticated in their attacks and high value data is routinely being stolen. The current technology of firewalls, VPNs and encryption are not keeping up with the barrage of attacks that are being launched on a daily basis. Deep packet inspection based solutions employed by most firewalls require too much processing power to keep up with the advances in offensive network attack capabilities that are now available. Increases in network bandwidth only exacerbate this problem. Enterprises must raise their capabilities to match the cyberattackers capabilities. Enterprises must go beyond host-based and network-based information; and go far beyond simple anti-virus and network intrusion detection to stop reconnaissance and anonymous unauthorized connections. Enterprises must focus their expensive security resources to look inside the right packets, files, and instead of ineffectively mulling through all data streams, including anonymous and unauthorized traffic. (TAC) is a new cyber security technology that blocks network scans and other unauthenticated traffic. TAC performs First Packet Authentication and Bidirectional Authentication to prevent unauthorized access to your networks, servers and network applications without exposing potentially critical information to unauthorized applications or users. TAC also prevents data theft by blocking unauthorized users and applications from accessing the internet. TAC levels enable systems administrators, network and security architects to deploy TAC security solutions with minimal impact on the end users application experience. TAC compliments these security features with a strong value proposition that can reduce both capital and operational costs. For more information please contact: info@blackridge.us or sales@blackridge.us Copyright 2010 BlackRidge Technology Inc. All Rights Reserved. U.S. & International Patents Granted and Pending. rev 12 8