Dynamic Datacenter Security Solidex, November 2009
Deep Security: Securing the New Server
[Diagram: cloud, virtualized and physical servers. Servers in the open, servers virtual and in motion, servers under attack.]
Dynamic virtual machines
Dynamic: reverted, paused, restarted, cloned, moved.
Security challenges:
- Achieve and maintain consistent security
- Propagation of vulnerabilities and configuration errors
- Maintaining an auditable record of the security state
Third Brigade, Inc.
Virtual Machines Need Specialized Protection
1. Same threats in virtualized servers as in physical ones: OS and application vulnerabilities and configuration errors allow malware to attack and infect.
2. Plus, the dynamics of virtualization cause some new challenges:
- Dormant VMs
- Resource contention
- VM sprawl
- Inter-VM traffic
- VMotion
Virtualization Challenge: Securing dormant VMs
[Diagram: one ESX server hosting three active VMs and two dormant VMs, each carrying its own AV agent.]
- Dormant VMs are unprotected. These include VM templates and VM backups.
- Dormant VMs cannot run scan agents, yet can still get infected.
- Dormant VMs have the problem of stale AV signatures.
Virtualization Challenge: Full System Scans
[Diagram: six VMs on one ESX server, each with its own AV agent, all scheduled by a typical AV console to scan at 3:00 AM.]
Resource contention with full system scans:
- Existing AV solutions are not VM aware.
- Simultaneous full AV scans on the same host cause severe performance degradation.
- No isolation between malware and anti-malware.
Virtualization Challenge: VM sprawl
[Diagram: ESX server infrastructure with active, dormant and newly deployed VMs, each needing its own security agent.]
Managing VM sprawl:
- New VMs are just a click away; security weaknesses replicate quickly.
- Security provisioning creates bottlenecks in VM deployment, or VMs emerge without adequate security.
- Lack of visibility into, or integration with, the virtualization console increases management complexity.
Virtualization Challenge: Inter-VM traffic
[Diagram: two ESX servers, each with a vSwitch; inter-VM traffic flows inside the server, out of sight of the network IDS/IPS.]
- Network IDS/IPS solutions cannot see VM-to-VM traffic within an ESX server.
- First-generation security VMs require intrusive vSwitch changes.
Virtualization Challenge: VM Mobility
[Diagram: a VM moved by VMotion between two ESX servers, past the network IDS/IPS.]
Mobility of VMs (VMotion and vCloud):
- Existing solutions need reconfiguration and are cumbersome to manage.
- Can result in VMs of different sensitivities landing on the same server.
- VMs deployed in cloud (IaaS) environments are unprotected.
The perimeter is cracking
[Diagram: DMZ with firewall and NIPS in front of mission-critical servers and business servers/endpoints. The perimeter is bypassed by encrypted attacks, cloud computing, insiders, virtualization and WLAN.]
Deep Security: Server & Application Protection for the Dynamic Data Center
What is Deep Security?
Server and application protection for physical, virtual and cloud servers:
- Deep Packet Inspection: IDS/IPS, web application protection, application control
- Firewall
- Integrity Monitoring
- Log Inspection
Retreat To The Server (VM)!
[Diagram: DMZ with gateway firewall and IDS/IPS (malware) in front of mission-critical servers and business servers/endpoints. The protection moves onto the server itself: firewall and IDS/IPS, file integrity monitoring and log inspection, anti-malware.]
Deep Security Modules
Firewall
- Centralized management of server firewall policy
- Pre-defined templates for common enterprise server types
- Fine-grained filtering: IP and MAC addresses, ports
- Coverage of all IP-based protocols: TCP, UDP, ICMP, IGMP
Deep Packet Inspection
- Enables IDS/IPS, web application protection, application control
- Examines incoming and outgoing traffic for: protocol deviations, content that signals an attack, policy violations
Integrity Monitoring
- Monitors critical files, systems and registry for changes: critical OS and application files (files, directories, registry keys and values)
- Flexible, practical monitoring through includes/excludes
- Auditable reports
Log Inspection
- Collects and analyzes operating system and application logs for security events
- Rules optimize the identification of important security events buried in multiple log entries
Now, Practically Speaking
Firewall enables:
- Comprehensive control over inbound and outbound traffic
- Incident containment
- Location awareness of resources in virtualized environments
Deep Packet Inspection enables:
- Vulnerability-specific protection (e.g. for Microsoft Patch Tuesday vulnerabilities)
- Application-layer control
Deep Packet Inspection prevents:
- Zero-day attacks on known and unknown vulnerabilities
- Web application attacks, including SQL injection and cross-site scripting (XSS)
- Attacks hidden in encrypted data
Integrity Monitoring enables:
- Near real-time detection of potentially malicious changes
- Extensive file property checking, including attributes (PCI DSS 10.5.5)
- Alerting on errors signaling attack
- A golden host to compare changes against a predefined baseline and manage acceptable change
Log Inspection enables:
- Optimized collection of security events across the datacenter and multiple server types
- Rules based on the OSSEC rule syntax (a widely deployed HIDS)
- Bandwidth savings in log collection from servers
Architecture
[Diagram: Deep Security Agents on physical, virtual and cloud servers receive security profiles from, and send alerts to, the Deep Security Manager. The Manager integrates with IT infrastructure (vCenter, SIEM, Active Directory, log correlation, web services) and produces reports; the Security Center supplies security updates.]
Deep Security Manager
- Centralized, web-based management system
- Manage security profiles
- Multiple and delegated administrators
- Detailed reporting
- Recommendation scan
- Customizable dashboard
- Automation through scheduled tasks
- Web services API
- Software and security updates
- Integration (VMware vCenter, SIEM, Active Directory)
- Scalable infrastructure (multiple nodes)
Firewall
Decreases the attack surface of physical and virtual servers.
- Centralized management of server firewall policy
- Pre-defined templates for common enterprise server types
- Virtual machine isolation
- Fine-grained filtering: IP and MAC addresses, ports
- Coverage of all IP-based protocols (TCP, UDP, ICMP, ...)
- Coverage of all frame types (IP, ARP, ...)
- Protection against Denial of Service (DoS) attacks
- Design policies per network interface
- Detection of reconnaissance scans
Deep Packet Inspection
IDS/IPS
- Vulnerability rules: shield known vulnerabilities from unknown attacks
- Exploit rules: stop known attacks
- Smart rules: zero-day protection from unknown exploits against an unknown vulnerability
- Microsoft Patch Tuesday protection is delivered in sync with the public vulnerability announcements
- Runs on the host/server (HIPS)
Web Application Protection
- Enables compliance with PCI DSS 6.6
- Shield vulnerabilities in custom web applications until code fixes can be completed
- Shield legacy applications that cannot be fixed
- Prevent SQL injection and cross-site scripting (XSS)
Application Control
- Detect suspicious inbound/outbound traffic, such as allowed protocols over non-standard ports
- Restrict which applications are allowed network access
- Detect and block malicious software from network access
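The difference between the rule classes above (and the Deep Packet Inspection bullets on the "Deep Security Modules" and "Now, Practically Speaking" slides) is easiest to see on traffic. The following is an added example written for this page, not Deep Security's engine or any rule it ships: a toy host-side inspector with one exploit rule, one vulnerability rule, one protocol-deviation rule standing in for the "smart" class, and two web application rules, run over constructed HTTP requests. The protected application, its 64-byte `user` field and the exploit bytes are hypothetical.

```python
"""Toy host-side deep packet inspection, written as an illustration; it is
not Deep Security's engine. It models the rule classes named on the slide
(exploit, vulnerability, smart/protocol-deviation rules) plus a web
application protection rule, and runs them over constructed HTTP requests.
The protected app, its 64-byte `user` field and the exploit payload are
hypothetical."""
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical: the protected app copies the `user` field of POST /login into a
# 64-byte buffer. The vulnerability rule enforces that limit, so it blocks any
# exploit of the flaw, not only the one whose bytes are already known.
USER_FIELD_MAX = 64
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")

# Exploit rule: signature of one specific (hypothetical) public exploit.
EXPLOIT_SIGNATURE = b"user=" + b"A" * 72 + b"\x90\x90\x90\x90"

# Web application protection rules: classic SQL injection and XSS markers.
SQLI = re.compile(r"('\s*(or|and)\s+[\w']+\s*=\s*[\w']+|union\s+select|--\s*$)", re.I)
XSS = re.compile(r"(<script\b|javascript:|\bon\w+\s*=)", re.I)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Raises ValueError on protocol deviations, which the smart rule below
    treats as suspicious because real clients do not produce them."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing header terminator")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    method, target = m.group(1).decode(), m.group(2).decode("latin-1")
    if method not in ALLOWED_METHODS:
        raise ValueError(f"unexpected method {method}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect(raw: bytes):
    """Return the list of (rule_class, rule_name) hits for one request."""
    hits = []
    if EXPLOIT_SIGNATURE in raw:                      # exploit rule
        hits.append(("exploit", "login-overflow-public-exploit"))
    try:
        method, target, headers, body = parse_request(raw)
    except ValueError as exc:                         # smart rule
        hits.append(("smart", f"protocol-deviation: {exc}"))
        return hits
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    if method == "POST" and url.path == "/login":
        params.update(parse_qs(body.decode("latin-1"), keep_blank_values=True))
        if any(len(u) > USER_FIELD_MAX for u in params.get("user", [])):
            hits.append(("vulnerability", "login-user-field-overflow"))  # vulnerability rule
    for values in params.values():                    # web application rules
        for v in values:
            if SQLI.search(v):
                hits.append(("webapp", "sql-injection"))
            if XSS.search(v):
                hits.append(("webapp", "cross-site-scripting"))
    return hits


def build_post(path: str, body: bytes) -> bytes:
    """Assemble a minimal POST request around a form body."""
    return (f"POST {path} HTTP/1.1\r\nHost: app.example\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


# Constructed sample traffic (not captured from any real system).
BENIGN = build_post("/login", b"user=alice&pass=s3cret")
PUBLIC_EXPLOIT = build_post("/login", EXPLOIT_SIGNATURE + b"&pass=x")
VARIANT_EXPLOIT = build_post("/login", b"user=" + b"B" * 200 + b"&pass=x")
SQLI_PROBE = b"GET /search?q=%27+OR+1%3D1-- HTTP/1.1\r\nHost: app.example\r\n\r\n"
BOGUS = b"BREW /coffee HTTP/1.1\r\nHost: app.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("public exploit", PUBLIC_EXPLOIT),
                      ("variant exploit", VARIANT_EXPLOIT), ("sqli probe", SQLI_PROBE),
                      ("bogus method", BOGUS)]:
        print(f"{name:16s} -> {inspect(req) or 'pass'}")
```

The point of the run is the variant exploit: the exploit rule only fires on the public payload, while the vulnerability rule fires on anything that oversteps the flaw's boundary, which is what "shield known vulnerabilities from unknown attacks" means in practice. Treating every parser rejection as a "smart" hit is this example's simplification; a production engine would score protocol deviations more carefully.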
Integrity Monitoring
Monitors files, systems and registry for changes.
- Critical OS and application files (files, directories, registry keys and values, etc.)
- On-demand or scheduled detection
- Extensive file property checking, including attributes (PCI DSS 10.5.5)
- Monitor specific directories
- Flexible, practical monitoring through includes/excludes
- Auditable reports
Useful for:
- Meeting PCI compliance
- Alerting on errors that could signal an attack
- Alerting on critical system changes
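To show what "extensive file property checking" with includes/excludes and a baseline comparison looks like in code (this slide and the Integrity Monitoring bullets on the two preceding feature slides), here is an added example written for this page; it is not Deep Security's implementation. It hashes files and records their attributes, re-scans, and reports what changed and which property changed. The directory tree, file contents and the simulated tampering are constructed inside `demo()`; the `var/log/*` exclusion is a choice made for the example.

```python
"""Toy file integrity monitor written as an illustration; not Deep Security's
implementation. It builds a baseline of file hashes and attributes under
include/exclude patterns, re-scans, and reports added, removed and modified
entries with the attributes that changed. The sample tree and the simulated
tampering are constructed inside demo()."""
import fnmatch
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Content hash plus the attributes a PCI DSS 10.5.5-style check cares about."""
    st = os.lstat(path)
    rec = {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
           "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def scan(root, includes=("*",), excludes=()) -> dict:
    """Record every non-directory entry under root that matches an include
    pattern and no exclude pattern (fnmatch globs over the relative path)."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_dir() and not p.is_symlink():
            continue
        rel = p.relative_to(root).as_posix()
        if not any(fnmatch.fnmatch(rel, pat) for pat in includes):
            continue
        if any(fnmatch.fnmatch(rel, pat) for pat in excludes):
            continue
        baseline[rel] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two scans. Serves both 'same host, later' and 'golden host
    baseline versus this host' comparisons."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "modified": {}}
    for rel in set(baseline) & set(current):
        changed = sorted(k for k in set(baseline[rel]) | set(current[rel])
                         if baseline[rel].get(k) != current[rel].get(k))
        if changed:
            report["modified"][rel] = changed
    return report


def _write(root: str, rel: str, text: str) -> None:
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo() -> dict:
    """Build a constructed mini filesystem, baseline it, tamper, re-scan."""
    root = tempfile.mkdtemp(prefix="fim-")
    try:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n")
        _write(root, "usr/bin/ls", "#!/bin/sh\nexec /bin/ls \"$@\"\n")  # stand-in binary
        _write(root, "var/log/auth.log", "Nov  9 03:00:01 web01 sshd[4101]: Accepted publickey for bob\n")
        os.chmod(Path(root, "usr/bin/ls"), 0o755)
        excludes = ("var/log/*",)   # logs churn constantly; leave them to log inspection
        baseline = scan(root, excludes=excludes)

        # Simulated tampering: config weakened, cron backdoor dropped, setuid bit
        # added to a binary, a critical file deleted, plus ordinary log growth.
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n")
        _write(root, "etc/cron.d/backdoor", "* * * * * root /tmp/.x\n")
        os.chmod(Path(root, "usr/bin/ls"), 0o4755)
        os.remove(Path(root, "etc/passwd"))
        _write(root, "var/log/auth.log", "Nov  9 03:05:00 web01 sshd[4120]: Accepted publickey for bob\n")
        return compare(baseline, scan(root, excludes=excludes))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

The setuid change on `usr/bin/ls` is reported as a `mode`-only change with the hash untouched, which is why attribute checking matters alongside hashing; the excluded log file grows without producing noise.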
Log Inspection
Getting visibility into important security events buried in log files.
- Collects and analyzes operating system and application logs for security events.
- Rules optimize the identification of important security events buried in multiple log entries.
- Events are forwarded to a SIEM or centralized logging server for correlation, reporting and archiving.
Useful for:
- Suspicious behavior detection
- Collection of security-related administrative actions
- Optimized collection of security events across your datacenter
- Advanced rule creation using the OSSEC rule syntax
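How rules find "events buried in multiple log entries" and why forwarding only the important ones saves bandwidth (this slide and the Log Inspection bullets on the earlier feature slides) is shown below by an added example written for this page. It is not OSSEC or Deep Security code, only a small engine in the spirit of OSSEC rules: decoders extract fields, atomic rules classify single lines, one frequency rule raises a single high-level alert when the same source trips an atomic rule six times within two minutes, and only events at or above a forwarding level go to the SIEM. The syslog sample is constructed, the rule ids are chosen to mirror OSSEC's stock sshd and sudo rule numbers, and the year (absent from syslog timestamps) is assumed to be 2009.

```python
"""Toy log inspection engine written as an illustration, in the spirit of
OSSEC rules; it is not OSSEC or Deep Security code. The syslog sample is
constructed, rule ids mirror OSSEC's stock sshd/sudo rule numbers, and the
year (absent from syslog timestamps) is assumed to be 2009."""
import re
from collections import defaultdict, deque
from datetime import datetime

SYSLOG = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<msg>.*)$")
ASSUMED_YEAR = 2009

# Decoders pull structured fields out of a message (like an OSSEC <decoder>).
DECODERS = {
    "sshd-failed": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                              r"(?P<user>\S+) from (?P<srcip>\S+)"),
    "sshd-accepted": re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<srcip>\S+)"),
    "sudo": re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$"),
}
# Atomic rules: id -> (decoder, level, description).
RULES = {
    5716: ("sshd-failed", 5, "SSHD authentication failed"),
    5715: ("sshd-accepted", 3, "SSHD authentication success"),
    5402: ("sudo", 3, "Successful sudo to ROOT executed"),
}
# Composite rules: id -> (base rule, frequency, timeframe s, same field, level, description).
COMPOSITE = {
    5712: (5716, 6, 120, "srcip", 10, "SSHD brute force trying to get access to the system"),
}


def parse_syslog(line):
    """Return (timestamp, host, message) for a BSD-syslog line, else None."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def analyze(text, forward_level=7):
    """Return (all_events, forwarded). Each event is a dict holding rule,
    level, description, host, ts and the decoder's extracted fields."""
    windows = defaultdict(deque)          # (composite id, field value) -> timestamps
    events, forwarded = [], []
    for line in text.splitlines():
        parsed = parse_syslog(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        for rid, (decoder, level, desc) in RULES.items():
            m = DECODERS[decoder].search(msg)
            if not m:
                continue
            ev = {"rule": rid, "level": level, "description": desc,
                  "host": host, "ts": ts, **m.groupdict()}
            events.append(ev)
            if level >= forward_level:
                forwarded.append(ev)
            for cid, (base, freq, timeframe, field, clevel, cdesc) in COMPOSITE.items():
                if base != rid or field not in ev:
                    continue
                window = windows[(cid, ev[field])]
                window.append(ts)
                while (ts - window[0]).total_seconds() > timeframe:
                    window.popleft()      # drop hits older than the timeframe
                if len(window) >= freq:
                    alert = {"rule": cid, "level": clevel, "description": cdesc,
                             "host": host, "ts": ts, field: ev[field], "count": len(window)}
                    events.append(alert)
                    forwarded.append(alert)
                    window.clear()        # one burst yields one alert
            break                         # first matching atomic rule wins
    return events, forwarded


# Constructed sample log (not taken from a real host).
SAMPLE_LOG = """\
Nov  9 03:00:01 web01 sshd[4101]: Failed password for root from 10.0.0.5 port 51022 ssh2
Nov  9 03:00:03 web01 sshd[4101]: Failed password for root from 10.0.0.5 port 51023 ssh2
Nov  9 03:00:04 web01 sshd[4103]: Failed password for invalid user admin from 10.0.0.5 port 51024 ssh2
Nov  9 03:00:07 web01 sshd[4105]: Failed password for invalid user oracle from 10.0.0.5 port 51025 ssh2
Nov  9 03:00:09 web01 sshd[4106]: Failed password for root from 10.0.0.5 port 51026 ssh2
Nov  9 03:00:12 web01 sshd[4108]: Failed password for root from 10.0.0.5 port 51027 ssh2
Nov  9 03:01:30 web01 sshd[4110]: Failed password for bob from 192.168.1.20 port 40001 ssh2
Nov  9 03:01:35 web01 sshd[4112]: Accepted publickey for bob from 192.168.1.20 port 40002 ssh2
Nov  9 03:01:40 web01 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
Nov  9 03:02:00 web01 cron[4200]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    events, forwarded = analyze(SAMPLE_LOG)
    print(f"{len(events)} events matched, {len(forwarded)} forwarded to the SIEM")
    for alert in forwarded:
        print(alert["ts"], alert["level"], alert["description"], alert.get("srcip"))
```

Ten lines go in; nine individual events are classified, but only one record (the brute-force alert summarizing six failures from 10.0.0.5) crosses the forwarding threshold. The single failure from 192.168.1.20 followed by a key-based login and an audited sudo is kept locally as ordinary administrative activity.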
Security Center: Dedicated Team of Security Experts
Track global vulnerabilities:
- 100+ sources of information (public, private, government): SANS, CERT, Bugtraq, VulnWatch, PacketStorm and Securiteam
- Member of the Microsoft Active Protections Program
Respond to new vulnerabilities and threats:
- Advisories and security updates
- Six-step, rapid response process supported by automated tools
- On-going research to improve overall protection mechanisms
Virtualization and cloud computing create new security challenges
- Inter-VM attacks
- PCI
- Mobility
- Cloud computing
- Hypervisor
Coordinated approach
[Diagram: a virtual appliance providing firewall and IDS/IPS/AV, with PCI as the driver.]
Deep Security Virtual Appliance
Coordinated security approach: when the agent disappears (removed, or the VM is reverted to a previous snapshot), the virtual appliance automatically protects the VM.
Integrates with VMware vCenter and VMware vSphere 4.
Deep Security: Platforms protected
- Windows 2000; Windows XP and 2003 (32 and 64 bit); Vista (32 and 64 bit); Windows Server 2008 (32 and 64 bit)
- Solaris 8, 9, 10 on SPARC; Solaris 10 on x86 (64 bit)
- Red Hat 3; Red Hat 4, 5 (32 and 64 bit)
- SuSE 9, 10
- VMware ESX/ESXi Server (guest OS); VMware Server (host and guest OS)
- HP-UX 11i v2 and AIX 5.3 (Integrity Monitoring and Log Inspection modules)
Certifications
Common Criteria Evaluation Assurance Level 3 Augmented (EAL 3+):
- Achieved certification across more platforms (Windows, Solaris, Linux) than any other host-based intrusion prevention product
- Higher certification than any other HIPS vendor
- Validated against the US National Security Agency defined profile for IDS
NSS Labs:
- Third Brigade Deep Security is the first product to pass NSS Labs PCI Suitability testing for Host Intrusion Prevention Systems (HIPS), across Windows, Solaris and Linux
Addresses PCI Requirements
Key Deep Security features and capabilities:
- Network segmentation
- Firewall
- Virtual patching
- Web application firewall
- File integrity monitoring
- IDS/IPS
Deep Security: Key benefits
- Shield vulnerabilities in web apps, enterprise apps and OSs
- Detect and block suspicious activity (internal policies, PCI and other requirements)
- Detailed reports document prevented attacks and compliance status
- Prioritize secure coding efforts
- Manage unscheduled patching
- Provides the security necessary to realize virtualization savings
- Increased value from SIEM investments
Addressing PCI DSS
PCI DSS requirement groups: Req 1-2 Build and maintain a secure network; Req 3-4 Protect cardholder data; Req 5-6 Maintain a vulnerability management program; Req 7-9 Implement strong access control measures; Req 10-11 Regularly monitor and test networks; Req 12 Maintain an information security policy.

Build and maintain a secure network (Req 1-2):
- Req. 1.0 / Req. 1.2: Reduce audit scope with network segmentation; install and maintain a firewall configuration
- Req. 1.3.9: Install personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet
- Req. 2.2: Develop configuration standards for addressing known security vulnerabilities

Maintain a vulnerability management program (Req 5-6):
- Req. 6.1: Ensure that all system components and software have the latest vendor-supplied security patches installed. Install relevant security patches within one month of release.
- Req. 6.6: Ensure that all web-facing applications are protected against known attacks by applying either of the following methods: a) having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security; b) installing an application-layer firewall in front of web-facing applications

Implement strong access control measures (Req 7-9):
- Req. 7.1: Limit access to computing resources and cardholder information only to those individuals whose job requires such access

Regularly monitor and test networks (Req 10-11):
- Req. 10.5: Secure audit trails so they cannot be altered
- Req. 10.5.5: Use file integrity monitoring and change detection software on logs to ensure existing log data cannot be changed without generating alerts
- Req. 10.6: Review logs for all system components at least daily
- Req. 10.7: Retain audit trail history for at least one year, with a minimum of three months online availability
- Req. 11.4: Use network intrusion detection systems or HIPS to monitor all network traffic and alert personnel to suspected compromises
- Req. 11.5: Deploy file integrity monitoring software to alert personnel to unauthorized modifications of critical system or content files
Enterprise Protection
[Diagram: endpoints, datacenters, data.]
Every network-connected host must be able to defend itself from attacks.
Goal: to be the primary security agent on servers.
Questions? Thank you