Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Both the Service Provider and End User
Bill Balmer, May 11, 2016
© 2016 ADVA Optical Networking. All rights reserved. Confidential.
Scary Slide - Municipal Attacks
• Industries
  • 63% of healthcare companies breached last year (RSA 2016)
  • 76% of energy utilities breached in the past year (Dark Reading 2016)
• Municipal attacks
  • Cyber attack on a NY dam
    • 2013: Bowman Avenue Dam, used for flood control
    • Unauthorized access to the city's computer system
  • Smart grids
    • 2012: Telvent Canada (Schneider Electric), breached firewall
  • San Francisco
    • 2015: 40 fiber breaches
    • FBI: attackers posed as service provider employees
    • The purpose of the breaches has not been determined
Polymorphic Attacks
• Polymorphism means "change the appearance of"
  • Mutation engines are bundled with Trojans and other types of malware
  • Usually hidden in encrypted payloads
  • Constantly mutates to avoid pattern recognition
• Polymorphic attacks are the new standard with DDoS attacks used to cover the data breach. (North America and EMEA: The Continual Threat to Digital Brands for 2015)
• Criminals are learning from government projects such as the Stuxnet worm used against the Iranian nuclear plant and the NSA man-in-the-middle attacks exposed through Snowden
• Rogue nations are hiring CaaS (Criminals-as-a-Service)
The Key to Getting In
• Stealing credentials is the point of most attacks
• Vendors
  • Exploit
  • Target: via HVAC vendor
• Employees
  • Poor password control
  • Bribes
• Exploits in security
  • IPsec aggressive mode
  • Forced password changes make users simplify their passwords
  • Poorly configured servers
• Physical intrusion – man-in-the-middle
  • Fiber bending
  • Wiring closets
Basic Cryptographic Goals
• Confidentiality (privacy) – "encryption": a man-in-the-middle cannot understand the message from Alice. Diffie-Hellman key agreement/exchange is arbitrated in the background.
• A man-in-the-middle could instead try to manipulate the key exchange towards Bob.
• Solution: authenticity – "authentication": Alice and Bob can be sure that they are really connected to each other.
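As an added illustration (not from the deck), a toy Python model of the exchange described above: an unauthenticated Diffie-Hellman exchange that a man-in-the-middle silently takes over, beside one where both parties authenticate their public values with a pre-shared key so the manipulation is detected. The group parameters, the HMAC authenticator and the key are constructed for the demo; they stand in for, and are not, the password-authenticated Diffie-Hellman the deck mentions.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group (a Mersenne prime; far too small for real use,
# chosen only so the exchange is readable). Real deployments use standard groups.
P = 2**127 - 1
G = 5

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_secret(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def tag(psk, pub):
    # Authenticator over a public value, keyed with the pre-shared key.
    # Stand-in for authentication; a real PAKE mixes the password into the exchange itself.
    return hmac.new(psk, pub.to_bytes(16, "big"), hashlib.sha256).digest()

def exchange(attacker_in_path, psk=None):
    """Run an Alice<->Bob exchange. With attacker_in_path, Mallory replaces each
    public value with her own. Returns (alice_key, bob_key, detected)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_tag = tag(psk, a_pub) if psk else None
    b_tag = tag(psk, b_pub) if psk else None
    if attacker_in_path:
        m_priv, m_pub = dh_keypair()
        # Mallory cannot produce tags without the PSK, so the original tags are forwarded.
        a_pub_seen_by_bob, b_pub_seen_by_alice = m_pub, m_pub
    else:
        a_pub_seen_by_bob, b_pub_seen_by_alice = a_pub, b_pub
    detected = False
    if psk:
        ok_a = hmac.compare_digest(tag(psk, b_pub_seen_by_alice), b_tag)
        ok_b = hmac.compare_digest(tag(psk, a_pub_seen_by_bob), a_tag)
        detected = not (ok_a and ok_b)
    alice_key = shared_secret(a_priv, b_pub_seen_by_alice)
    bob_key = shared_secret(b_priv, a_pub_seen_by_bob)
    return alice_key, bob_key, detected
```

Without the PSK the attacked run ends with Alice and Bob holding different keys (each shared with Mallory) and no error; with it the mismatching tags flag the tampering.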
Man-in-the-Middle Attacks
Firewall Limitations
• Distributed networks instead of a single entry point
• Complex setup based on exception rules
• Susceptible to DDoS attacks overloading the processor
• Becomes a tool for polymorphic attacks
• Firewalls are becoming the police tape around a crime scene – CISO, AT&T*
*Carrier Network Security Strategies – Heavy Reading, Dec 2, 2015
Next Generation Firewalls Will Be Dynamic
Data Analytics
• Number of days before a breach is recognized: Verizon 288 days and Microsoft 244 days*
• Data analytics can**
  • Shorten the discovery period
  • Help enforce policies, through detection
  • Reduce staff, through automation
*Carrier Network Security Strategies – Heavy Reading, Dec 2, 2015
**TechForum Security Conference, March 24, 2016
What To Do?
• Amit Yoran, RSA president, said no fancy, expensive product can guarantee an organization’s safety: “There are no silver bullets in security.”
• "The shift from volumetric towards application-layer attacks and from single vector to polymorphic attacks is bound to accelerate – and service provider defenses need to evolve in line with that."
• Each layer of transport for data in motion has its own challenges
Encryption Options
Securing Data in Motion
[Diagram: OSI layers and where data in motion can be encrypted]
• Layers 5–7 – application, presentation, session – data – TLS, SSH
• Layer 4 – transport (TCP, UDP) – segments
• Layer 3 – network (IP/MPLS) – packets – IPsec
• Layer 2 – data link (MAC) – frames – MACsec
• Layer 1 – physical (PHY) – bits – in-flight encryption
Secure Network Infrastructure Model
Security on Every Network Layer
• FSP 3000 family
• Infrastructure encryption
• Optical point to point
• Cloud computing
• Data center connectivity
• Over 200 networks
[Diagram: IP layer, Ethernet layer and optical layer, each with physical and virtual connectivity; legend: BSI approval, R&D & NFV activities, solution available]
Examples of Fiber Tapping
Source: Joshe Ruppe, security researcher – TechTarget, "Optical network security: Inside a fiber-optic hack"
Secure Data Center Interconnection
Innovation for high-performance cloud data center interconnect
• Benefits: highest performance, lowest latency, maximum security
• Solution: FSP 3000
[Diagram: application, technology, benefits and solution panels]
Encryption using G.709 / OTH Link Protocol
Optical channel frame structure (G.709 OTU frame, 4 rows × 4080 columns):
• Columns 1–14: OTU/ODU overhead
• Columns 15–16: OPU overhead
• Columns 17–3824: OPU payload – the encrypted region
• Columns 3825–4080: FEC area
Layers shown: OCh overhead, OCh payload, FEC data.
5TCE link protocol
• Supports OTU-2, OTU-2e and OTU-2f
• AES-256 encrypted OPU2 payload
• Automatic key exchange using Diffie-Hellman
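An added example, not ADVA's code, modelling the layout just described in Python: only the OPU payload columns of each row are ciphered, while the OTU/ODU overhead, OPU overhead and FEC columns pass through untouched. The frame contents are constructed, an HMAC-SHA256 counter keystream stands in for AES-256 because the standard library has no AES, and the FEC is assumed to be recomputed by the framer over the ciphered frame rather than modelled here.

```python
import hashlib, hmac

# OTU frame layout from the G.709 slide above: 4 rows x 4080 columns (1-based on the slide).
ROWS, COLS = 4, 4080
OTU_ODU_OH = slice(0, 14)    # columns 1-14: frame alignment, OTU and ODU overhead
OPU_OH = slice(14, 16)       # columns 15-16: OPU overhead
PAYLOAD = slice(16, 3824)    # columns 17-3824: OPU payload, the only ciphered region
FEC = slice(3824, 4080)      # columns 3825-4080: FEC (recomputed by the framer, not modelled)

def keystream(key, counter, length):
    # Stand-in for AES-256 counter mode: HMAC-SHA256 over (counter, block index).
    blocks = (length + 31) // 32
    ks = b"".join(hmac.new(key, counter.to_bytes(8, "big") + i.to_bytes(4, "big"),
                           hashlib.sha256).digest() for i in range(blocks))
    return ks[:length]

def region(frame, row, sl):
    """Bytes of one column range in one row of the frame."""
    return frame[row * COLS + sl.start : row * COLS + sl.stop]

def cipher_frame(frame, key, frame_number):
    """XOR the OPU payload of every row with a per-row keystream; encrypting and
    decrypting are the same operation. Overhead and FEC columns are left alone, so
    OTN equipment along the path can still align, monitor and correct the signal."""
    assert len(frame) == ROWS * COLS
    out = bytearray(frame)
    for r in range(ROWS):
        ks = keystream(key, frame_number * ROWS + r, PAYLOAD.stop - PAYLOAD.start)
        start = r * COLS + PAYLOAD.start
        out[start:start + len(ks)] = bytes(x ^ k for x, k in zip(region(frame, r, PAYLOAD), ks))
    return bytes(out)

def sample_frame():
    """Constructed OTU2 frame (not a capture): the frame alignment signal in row 1,
    a byte pattern as payload, zeroed FEC."""
    rows = []
    for r in range(ROWS):
        oh = (bytes.fromhex("f6f6f6282828") if r == 0 else b"\x00" * 6) + b"\x00" * 10
        payload = bytes((r + c) & 0xFF for c in range(PAYLOAD.stop - PAYLOAD.start))
        rows.append(oh + payload + b"\x00" * 256)
    return b"".join(rows)
```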
Media Transport Network – Solution
[Diagram: event sites connected over metro and core networks to TV studio A and TV studio B]
Optical Security Suite
A complete and integrated solution leveraging advanced technology
• Encryption: AES-256, authentication, Diffie-Hellman
• Security-hardened software: RADIUS, secure shell, SNMPv3
• Physical layer monitoring: power tracking and intrusion detection; time-domain reflectometer (OTDR/cable integrity); access line monitoring (ALM); continuity check messages (CCM)
Secure Network Infrastructure Model
Security on Every Network Layer
• FSP 150 family
  • 1.75 million deployed
• Infrastructure encryption
  • ProNID™
  • ProVM™
• Enterprise encryption
  • MACsec Plus
  • Certes CryptoFlow™ NFV
• Who?
  • Service providers
  • Local government
  • Branch offices – small count
  • Cloud providers
[Diagram: IP layer, Ethernet layer and optical layer, each with physical and virtual connectivity; legend: BSI approval, R&D & NFV activities, solution available]
Secure Access in Virtual Networks
Innovation for flexible cloud access in fixed and mobile applications
• Benefits: highest flexibility, minimum overhead, maximum security
• Solution: FSP 150
[Diagram: application, technology, benefits and solution panels]
IPsec Challenges – Technical Aspects
• Latency: delay is measured in msec instead of µsec
• Efficiency: up to 50% additional bandwidth overhead
• Scalability: no wire-speed performance up to 100Gbit/s
• Confidentiality: exposed sender/receiver
• Compatibility: only works for IP traffic
• Complexity: issues scale linearly with links and endpoints
Flexible MACsec Data Encryption and Integrity
• L2 secure connectivity using standard MACsec format with VLAN bypass
  • Works with MEF E-Line (EPL and EVPL)
  • Supports point-to-point and hub-and-spoke secure connectivity
• Encryption directly at the Ethernet layer – line rate
  • State-of-the-art symmetric encryption algorithms: AES-128, AES-256
  • Low latency, bandwidth efficiency
• Dynamic and secure key exchange
  • Password-authenticated Diffie-Hellman algorithm
  • Intrusion-proof key storage
ConnectGuard™ Ethernet – flexibility and data security together
MACsec+ No Need for SP Switch Decrypt
[Diagram: Site A LAN and Site B LAN connected across the service provider network]
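As an added example (not the product's code), a Python header walk showing why, with the VLAN tag bypassed (carried in front of the SecTAG), a provider switch can read the VLAN ID without decrypting, whereas in the standard MACsec format the tag sits inside the secured region. MAC addresses, SCI, ciphertext and ICV are constructed placeholders; only the IEEE 802.1AE SecTAG and 802.1Q tag layouts are real.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5   # IEEE 802.1AE SecTAG
VLAN_ETHERTYPE = 0x8100     # IEEE 802.1Q tag

def sectag(an, pn, sci, encrypted=True):
    """SecTAG with SCI present. TCI bits: V=0, ES=0, SC=1, SCB=0, E, C, AN. SL=0 (long frame)."""
    tci_an = 0x20 | (0x0C if encrypted else 0) | (an & 0x03)
    return struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, 0, pn) + sci

def vlan_tag(vid, pcp=0):
    return struct.pack("!HH", VLAN_ETHERTYPE, (pcp << 13) | (vid & 0x0FFF))

def switch_view(frame):
    """Walk the header the way a provider switch does: read EtherTypes until the
    SecTAG, after which everything is opaque. Returns (vid or None, sectag fields or None)."""
    off, vid = 12, None                      # skip destination and source MAC
    while True:
        et = struct.unpack_from("!H", frame, off)[0]
        if et == VLAN_ETHERTYPE:
            vid = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
            off += 4
        elif et == MACSEC_ETHERTYPE:
            tci_an, sl, pn = struct.unpack_from("!BBI", frame, off + 2)
            info = {"an": tci_an & 0x03, "encrypted": bool(tci_an & 0x08), "pn": pn}
            if tci_an & 0x20:                # SC bit: explicit 8-byte SCI follows
                info["sci"] = frame[off + 8 : off + 16]
            return vid, info
        else:
            return vid, None                 # plain frame, no MACsec

# Constructed sample frames (not captures). CIPHERTEXT stands in for the GCM-AES
# secured region, which a switch cannot read; in the standard format any 802.1Q tag is in there.
DST, SRC = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
SCI = SRC + b"\x00\x01"
CIPHERTEXT, ICV = b"\xc3" * 60, b"\x00" * 16
STANDARD = DST + SRC + sectag(0, 7, SCI) + CIPHERTEXT + ICV
VLAN_BYPASS = DST + SRC + vlan_tag(100) + sectag(0, 7, SCI) + CIPHERTEXT + ICV
```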
Case Study – WellSpan Healthcare
[Diagram: regional hospitals, a satellite hospital and a clinic, each site equipped with an XG210C, ProNID-C or ProVM-C]
Secure Network Infrastructure Model
Security on Every Network Layer
• Enterprise encryption
  • ProVM™
  • FSP 150 vSE
  • Certes CryptoFlow™
• Layer 3 and 7
  • Cloud applications
  • Key management
• Who?
  • Big box companies
  • Branch offices
  • Universities
  • Local government
[Diagram: IP layer, Ethernet layer and optical layer, each with physical and virtual connectivity; legend: BSI approval, R&D & NFV activities, solution available]
Future Proofing Security through Virtualization
• Firewalls – future
  • Interactive updates from security centers
  • Matching patterns of attacks
  • Updates to combat new threats
• Data analytics
  • Remote probes
  • Live monitoring
  • Filters / traps
• Application security
  • Micro-segmentation to limit damage
  • Policy management
VNF Versus Assured VNF – Example: Encryption
[Diagram: encryption as a VNF (IPsec running on compute alongside OVS, storage and network) versus encryption as an assured VNF, compared on latency, cost at 1Gbit/s, cost at 10Mbit/s and resource consumption]
The Assured Model
[Diagram: a multicore x86 server hosting VMs/VNFs over OVS on the compute host infrastructure for flexible L3/4/7 service creation, with a hardware data plane (hardware equivalent) at the network interface providing physical test, monitoring and enforcement plus L2/L3 low latency, sync and MACsec]
IP Layer ProVM/Security NFV
Security Is a Fact of Life
• How we travel – how data should travel
  • Get ticket online or at the airport
  • Prove who you are
  • Go through security checkpoint
  • Get into terminal
  • Boarding checks
  • Do you belong on the flight?
Thank You
IMPORTANT NOTICE
The content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.
The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.
Copyright © for the entire content of this presentation: ADVA Optical Networking.