Polymorphic Attacks on Data-in-Motion Require a New Security Approach From Both the Service Provider and End User

Bill Balmer, May 11, 2016


Page 2

© 2016 ADVA Optical Networking. All rights reserved. Confidential.

Scary Slide - Municipal Attacks

• Industries
  • 63% of healthcare companies breached last year (RSA 2016)
  • 76% of energy utilities breached in the past year (Dark Reading 2016)

• Municipal attacks
  • Cyber attack on a New York dam: the Bowman Avenue Dam (used for flood control), 2013
  • Unauthorized access to the city's computer system

• Smart grids
  • 2012 – Telvent Canada (Schneider Electric): firewall breached

• San Francisco
  • 2015 – 40 fiber breaches
  • FBI: attackers posed as service provider employees
  • The purpose of the breaches has not been determined

Page 3

Polymorphic Attacks

• Polymorphism means "changing the appearance of": the malware's bytes differ on every copy while its behaviour stays the same
• Mutation engines are bundled with Trojans and other types of malware
• Usually hidden in encrypted payloads that are decoded only at run time
• Constantly mutates to defeat signature-based pattern recognition

• Polymorphic attacks are the new standard, with DDoS attacks used to cover the data breach (North America and EMEA: The Continual Threat to Digital Brands for 2015)

• Criminals are learning from state programs such as the Stuxnet worm used against Iran's nuclear enrichment facility and the NSA man-in-the-middle techniques exposed by the Snowden disclosures

• Rogue nations are hiring Crime-as-a-Service (CaaS) operators
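The following is an added example, not part of the original deck, that shows why the "pattern recognition" this slide refers to fails against a mutating payload. The payload is a constructed benign string standing in for a malicious body; the single-byte XOR mutation engine and the brute-force normaliser are deliberate simplifications of what real mutation engines and AV emulators do.

```python
"""Why byte-signature matching fails against a polymorphic payload (toy model)."""
import secrets

# Constructed, benign stand-in for a malicious payload body (not real malware).
PAYLOAD = b"EXAMPLE-PAYLOAD-MARKER: connect back and fetch stage two"
SIGNATURE = b"EXAMPLE-PAYLOAD-MARKER"   # what a static scanner would key on


def mutate(payload: bytes) -> bytes:
    """Toy mutation engine: re-encode the payload under a fresh single-byte XOR key.

    Every call yields a different byte sequence for the same behaviour. The key is
    prepended so a decoder stub could recover the original. Real engines vary keys,
    substitute instructions and insert junk code, but the effect on a signature
    scanner is the same: no fixed byte pattern survives.
    """
    key = secrets.randbelow(255) + 1          # 1..255; key 0 would leave plaintext
    return bytes([key]) + bytes(b ^ key for b in payload)


def signature_match(sample: bytes, signature: bytes) -> bool:
    """Static pattern recognition: does the raw sample contain the signature?"""
    return signature in sample


def normalize_then_match(sample: bytes, signature: bytes) -> bool:
    """Detection that undoes the transform first, as an emulator or unpacker would:
    strip the key byte and try every possible single-byte XOR key over the body."""
    body = sample[1:]
    return any(signature in bytes(b ^ k for b in body) for k in range(256))


def detection_summary(trials: int = 20) -> dict:
    """Run both detectors over `trials` fresh mutations of the same payload."""
    variants = [mutate(PAYLOAD) for _ in range(trials)]
    return {
        "trials": trials,
        "distinct_variants": len(set(variants)),
        "static_hits": sum(signature_match(v, SIGNATURE) for v in variants),
        "normalized_hits": sum(normalize_then_match(v, SIGNATURE) for v in variants),
    }


if __name__ == "__main__":
    print(detection_summary())
```

The static scanner scores zero hits on every variant, while the normalising detector catches all of them; the point is that detection has to key on what the code does (or on the invariant decoder), not on how the current copy happens to look.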

Page 4

The Key to Getting In

• Stealing credentials is the goal of most attacks

• Vendors
  • Exploited as a stepping stone: Target was breached through its HVAC vendor's credentials

• Employees
  • Poor password control
  • Bribes

• Exploits in security
  • IPsec with IKEv1 aggressive mode: the pre-shared-key hash is exchanged before encryption starts and can be captured for offline cracking
  • Forced password changes push users toward simpler, predictable passwords
  • Poorly configured servers

• Physical intrusion – man-in-the-middle
  • Fiber bending (coupling light out of the fiber)
  • Wiring closets

Page 5

Basic Cryptographic Goals

Confidentiality (privacy) – "encryption": a man in the middle cannot understand Alice's message to Bob. The session key is agreed in the background with Diffie-Hellman key agreement/exchange. But a man in the middle could try to manipulate the key exchange toward Bob, substituting his own public value so that each party unknowingly shares a key with the attacker. Solution: authenticity – "authentication": Alice and Bob can be sure that they are really connected to each other and that the exchanged key material has not been altered.
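The exchange described above, as an added example that is not part of the original deck: plain Diffie-Hellman gives confidentiality against a passive listener but lets an active man in the middle hold a key with each side; tagging each public value with an HMAC under a long-term pre-shared key makes the substitution detectable. The group parameters are a toy (the Mersenne prime 2**521 - 1 with generator 2) chosen so the script runs with the standard library only; production code uses a standardized group (RFC 3526) or X25519, and a real password-authenticated exchange (as on the MACsec slide later) uses a PAKE rather than the plain HMAC tag shown here.

```python
"""Diffie-Hellman: confidentiality alone versus an authenticated exchange."""
import hashlib
import hmac
import secrets

P = 2**521 - 1   # prime, but NOT a standardized DH group: illustration only
G = 2
P_BYTES = 66     # 521 bits fit in 66 bytes


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1      # 1 <= priv <= P-2
    return priv, pow(G, priv, P)


def session_key(priv: int, peer_pub: int) -> bytes:
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(P_BYTES, "big")).digest()


def unauthenticated_exchange(mallory: bool) -> dict:
    """Plain DH. With Mallory in the path, each side unknowingly agrees a key with her."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    if not mallory:
        ka = session_key(a_priv, b_pub)
        kb = session_key(b_priv, a_pub)
        return {"alice_bob_agree": ka == kb, "mallory_holds_both": False}
    m_priv, m_pub = dh_keypair()
    ka = session_key(a_priv, m_pub)          # Alice receives Mallory's value as "Bob's"
    kb = session_key(b_priv, m_pub)          # Bob receives Mallory's value as "Alice's"
    # Mallory derives both session keys and can decrypt and re-encrypt in the middle
    m_with_alice = session_key(m_priv, a_pub)
    m_with_bob = session_key(m_priv, b_pub)
    return {"alice_bob_agree": ka == kb,
            "mallory_holds_both": m_with_alice == ka and m_with_bob == kb}


def tag(psk: bytes, role: bytes, pub: int) -> bytes:
    """Authentication tag binding a public value to a role under a long-term shared key."""
    return hmac.new(psk, role + pub.to_bytes(P_BYTES, "big"), hashlib.sha256).digest()


def authenticated_exchange(psk: bytes, mallory: bool) -> str:
    """DH where each public value travels with an HMAC under a pre-shared long-term key.
    Mallory can still substitute the value, but without psk she cannot forge the tag."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_msg = (a_pub, tag(psk, b"alice", a_pub))
    b_msg = (b_pub, tag(psk, b"bob", b_pub))
    if mallory:
        _, m_pub = dh_keypair()
        # Mallory swaps in her own public value and can only guess a tag
        a_msg = (m_pub, secrets.token_bytes(32))
        b_msg = (m_pub, secrets.token_bytes(32))
    recv_a_pub, recv_a_tag = a_msg            # what Bob receives
    recv_b_pub, recv_b_tag = b_msg            # what Alice receives
    if not hmac.compare_digest(recv_a_tag, tag(psk, b"alice", recv_a_pub)):
        return "rejected: peer key failed authentication"
    if not hmac.compare_digest(recv_b_tag, tag(psk, b"bob", recv_b_pub)):
        return "rejected: peer key failed authentication"
    ka = session_key(a_priv, recv_b_pub)
    kb = session_key(b_priv, recv_a_pub)
    return "established" if ka == kb else "rejected: key mismatch"


if __name__ == "__main__":
    print(unauthenticated_exchange(mallory=True))
    print(authenticated_exchange(b"long-term-shared-secret", mallory=True))
```

Note that the tag covers the role as well as the value, so a reflected or replayed message from the other side of the same session also fails the check; a production protocol additionally binds fresh nonces into the tag so that old, validly tagged values cannot be replayed.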

Page 6

Man-in-the-Middle Attacks

Page 7

Firewall Limitations

• Distributed networks instead of a single entry point

• Complex setup based on exception rules

• Susceptible to DDoS attacks overloading the processor

• Becomes a tool for polymorphic attacks: a DDoS that saturates the firewall also masks the real intrusion

• "Firewalls are becoming the police tape around a crime scene" – CISO, AT&T*

*Carrier Network Security Strategies – Heavy Reading, Dec 2, 2015

Page 8

Next Generation Firewalls Will Be Dynamic

Page 9

Data Analytics

• Number of days before a breach is recognized: 288 days (Verizon) and 244 days (Microsoft)*

• Data analytics can**
  • Shorten the discovery period, through detection
  • Help enforce policies
  • Reduce staff, through automation

*Carrier Network Security Strategies – Heavy Reading, Dec 2, 2015
**TechForum Security Conference, March 24, 2016

Page 10

What To Do?

• Amit Yoran, RSA president, said no fancy, expensive product can guarantee an organization’s safety: “There are no silver bullets in security.”

• “The shift from volumetric towards application-layer attacks and from single vector to polymorphic attacks is bound to accelerate –and service provider defenses need to evolve in line with that.”

• Each layer of transport for data in motion has its own challenges

Page 11

Encryption Options

Securing Data in Motion

| OSI layer | Name | Protocols | Unit | Encryption option |
|---|---|---|---|---|
| 4–7 | Transport; session, presentation, application | TCP, UDP | Segments, data | TLS, SSH |
| 3 | Network | IP/MPLS | Packets | IPsec |
| 2 | Data link | MAC | Frames | MACsec |
| 1 | Physical | PHY | Bits | In-flight (optical layer) encryption |

Page 12

Secure Network Infrastructure Model – Security on Every Network Layer

• FSP 3000 family

• Infrastructure encryption

• Optical point to point

• Cloud computing

• Data center connectivity

• Over 200 networks

(Diagram: three stacked layers – IP layer and Ethernet layer as virtual connectivity, optical layer as physical connectivity; legend: BSI approval, R&D & NFV activities, solution available.)

Page 13

Examples of Fiber Tapping

Joshe Ruppe, security researcher

TechTarget: Optical network security: Inside a fiber-optic hack

Page 14

Secure Data Center Interconnection

Innovation for high-performance cloud data center interconnect

(Diagram: Application – Technology – Benefits – Solution)

Benefits
• Highest performance
• Lowest latency
• Maximum security

Solution: FSP 3000

Page 15

Encryption using G.709 / OTH Link Protocol

Optical channel frame structure (rows 1–4, columns 1–4080):

| Columns | 1 … 14 | 15 … 16 | 17 ………… 3824 | 3825 … 4080 |
|---|---|---|---|---|
| Content | OTU/ODU overhead | OPU overhead | OPU payload = encryption area (encrypted payload) | FEC |

OCH overhead | OCH payload | FEC data

5TCE link protocol
• Supports OTU-2, OTU-2e, OTU-2f
• AES-256 encrypted OPU2 payload
• Key exchange: automatic key exchange using Diffie-Hellman

Page 16

Media Transport Network – Solution

(Diagram: event sites connected over metro and core networks to TV studio A and TV studio B.)

Page 17

Optical Security Suite

Encryption
• AES-256
• Authentication
• Diffie-Hellman

Security-hardened software
• RADIUS
• Secure Shell
• SNMPv3

Physical layer monitoring
• Power tracking and intrusion detection
• Time-domain reflectometer (OTDR / cable integrity)
• Access line monitoring (ALM)
• Continuity check messages (CCM)

A complete and integrated solution leveraging advanced technology

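As an added example of the "power tracking and intrusion detection" item above (not ADVA's code), the detector below watches received optical power: a clip-on bend coupler has to divert part of the light to the tap, which appears at the receiver as a sudden step loss, whereas fibre ageing appears as slow drift. The readings, the 0.5 dB step threshold and the 2 dB drift limit are all constructed assumptions; real thresholds depend on the link budget and receiver.

```python
"""Physical-layer intrusion detection from received optical power readings (dBm)."""
from statistics import mean

STEP_THRESHOLD_DB = 0.5   # assumed: abrupt loss that is suspicious on a stable link
BASELINE_SAMPLES = 5      # prior readings used as the rolling reference level
DRIFT_LIMIT_DB = 2.0      # assumed: cumulative loss that warrants a maintenance alarm

# Constructed sample data (not measurements): a tap inserted at sample 6 and
# removed at sample 10, and a link that slowly loses 0.125 dB per sample.
TAP_SCENARIO = [-7.0, -7.0, -7.1, -7.0, -7.0, -7.0, -8.1, -8.1, -8.0, -8.1, -7.0, -7.0]
AGEING_SCENARIO = [-7.0 - 0.125 * i for i in range(25)]


def detect_power_events(readings_dbm):
    """Return a list of (index, kind, delta_db) events.

    "tap_suspect":  abrupt drop of at least STEP_THRESHOLD_DB against the rolling
                    baseline of the previous BASELINE_SAMPLES readings
    "restored":     power back up by at least STEP_THRESHOLD_DB after such a drop
                    (tap removed, or splice/connector reseated)
    "degradation":  slow cumulative loss from the initial level exceeding
                    DRIFT_LIMIT_DB without any single abrupt step (one alarm only)
    """
    events = []
    if len(readings_dbm) <= BASELINE_SAMPLES:
        return events
    initial = mean(readings_dbm[:BASELINE_SAMPLES])
    in_drop = False
    for i in range(BASELINE_SAMPLES, len(readings_dbm)):
        baseline = mean(readings_dbm[i - BASELINE_SAMPLES:i])
        delta = readings_dbm[i] - baseline          # negative means loss
        if not in_drop and delta <= -STEP_THRESHOLD_DB:
            events.append((i, "tap_suspect", round(delta, 2)))
            in_drop = True
        elif in_drop and delta >= STEP_THRESHOLD_DB:
            events.append((i, "restored", round(delta, 2)))
            in_drop = False
        elif not in_drop and readings_dbm[i] - initial <= -DRIFT_LIMIT_DB:
            events.append((i, "degradation", round(readings_dbm[i] - initial, 2)))
            break
    return events


if __name__ == "__main__":
    print(detect_power_events(TAP_SCENARIO))
    print(detect_power_events(AGEING_SCENARIO))
```

A tap event should be correlated with the other monitors on this slide (an OTDR trace localises the new loss point along the cable) and with change records before it is treated as an intrusion; a scheduled splice produces the same signature.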

Page 18

Secure Network Infrastructure Model – Security on Every Network Layer

• FSP 150 family
  • 1.75 million deployed

• Infrastructure encryption
  • ProNID™
  • ProVM™

• Enterprise encryption
  • MACsec Plus
  • Certes CryptoFlow™ NFV

• Who?
  • Service providers
  • Local government
  • Branch offices – small count
  • Cloud providers

(Diagram: three stacked layers – IP layer and Ethernet layer as virtual connectivity, optical layer as physical connectivity; legend: BSI approval, R&D & NFV activities, solution available.)

Page 19

Secure Access in Virtual Networks

Innovation for flexible cloud access in fixed and mobile applications

(Diagram: Application – Technology – Benefits – Solution)

Benefits
• Highest flexibility
• Minimum overhead
• Maximum security

Solution: FSP 150

Page 20

IPsec Challenges – Technical Aspects

• Latency: delay is measured in msec instead of µsec
• Efficiency: up to 50% additional bandwidth overhead
• Scalability: no wire-speed performance up to 100Gbit/s
• Confidentiality: sender and receiver addresses are exposed
• Compatibility: only works for IP traffic
• Complexity: issues scale linearly with links and endpoints

Page 21

Flexible MACsec Data Encryption and Integrity

• L2 secure connectivity using the standard MACsec frame format with VLAN bypass (the VLAN tag stays in the clear ahead of the MACsec tag, so the provider network can still switch on it)
  • Works with MEF E-Line (EPL and EVPL)
  • Supports point-to-point and hub-and-spoke secure connectivity

• Encryption directly at the Ethernet layer – line rate
  • State-of-the-art symmetric encryption algorithms: AES-128, AES-256
  • Low latency, bandwidth efficiency

• Dynamic and secure key exchange
  • Password-authenticated Diffie-Hellman algorithm
  • Intrusion-proof key storage

ConnectGuard™ Ethernet – flexibility and data security together
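The "up to 50% additional bandwidth overhead" on the IPsec slide and the "bandwidth efficiency" claim on this one both come down to fixed per-frame bytes; the added example below (not ADVA's code) computes them for ESP and MACsec as a function of packet size. Field sizes follow RFC 4303 (ESP), RFC 4106 (AES-GCM in ESP: 8-byte IV, 16-byte ICV) and IEEE 802.1AE (SecTAG of 8 bytes, or 16 with the optional SCI, plus a 16-byte ICV); the outer header is IPv4 without options, and Ethernet preamble and inter-frame gap are ignored.

```python
"""Per-frame overhead of IPsec ESP versus MACsec as a function of packet size."""

ETH_HEADER = 14   # destination MAC, source MAC, EtherType
ETH_FCS = 4


def esp_overhead(ip_len: int, tunnel: bool = True, iv_len: int = 8, icv_len: int = 16) -> int:
    """Bytes ESP adds to an IP packet of ip_len bytes.

    Tunnel mode adds an outer IPv4 header (20 bytes). The ESP trailer (pad length
    + next header, 2 bytes) must end on a 4-byte boundary, so the padding depends
    on the payload length (the IP header is a multiple of 4, so the computation is
    the same in transport mode)."""
    spi_seq = 8                                  # SPI + sequence number
    trailer = 2
    pad = (-(ip_len + trailer)) % 4
    outer = 20 if tunnel else 0
    return outer + spi_seq + iv_len + pad + trailer + icv_len


def macsec_overhead(with_sci: bool = True, icv_len: int = 16) -> int:
    """Bytes MACsec adds to an Ethernet frame: SecTAG plus ICV, independent of frame size."""
    sectag = 16 if with_sci else 8
    return sectag + icv_len


def overhead_percent(ip_len: int) -> dict:
    """Relative bandwidth cost for an Ethernet frame carrying an ip_len-byte IP packet."""
    frame = ETH_HEADER + ip_len + ETH_FCS
    return {
        "frame_bytes": frame,
        "esp_tunnel_pct": round(100 * esp_overhead(ip_len) / frame, 1),
        "esp_transport_pct": round(100 * esp_overhead(ip_len, tunnel=False) / frame, 1),
        "macsec_pct": round(100 * macsec_overhead() / frame, 1),
    }


if __name__ == "__main__":
    for ip_len in (46, 256, 1500):               # 46 = minimum 64-byte Ethernet frame
        print(ip_len, overhead_percent(ip_len))
```

For a minimum-size 64-byte frame, ESP tunnel mode adds 54 bytes (84%) where MACsec adds 32 (50%); at 1500-byte packets the figures fall to 3.7% and 2.1%. Tunnel mode also pushes a 1500-byte packet past a 1500-byte path MTU, so in practice it costs either fragmentation or a lowered MTU on top of the header bytes.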

Page 22

MACsec+ – No Need for SP Switch Decrypt

(Diagram: Site A LAN connected to Site B LAN across the service provider network, encrypted end to end without decryption at the provider switch.)

Page 23

Case Study – WellSpan Healthcare

(Diagram: a clinic, a satellite hospital and regional hospitals connected through XG210C units, with ProVM-C and ProNID-C at the sites.)

Page 24

Secure Network Infrastructure Model – Security on Every Network Layer

• Enterprise encryption
  • ProVM™
  • FSP 150 vSE
  • Certes CryptoFlow™

• Layer 3 and 7
  • Cloud applications
  • Key management

• Who?
  • Big box companies
  • Branch offices
  • Universities
  • Local government

(Diagram: three stacked layers – IP layer and Ethernet layer as virtual connectivity, optical layer as physical connectivity; legend: BSI approval, R&D & NFV activities, solution available.)

Page 25

Future Proofing Security through Virtualization

• Firewalls – future
  • Interactive updates from security centers
  • Matching patterns of attacks
  • Updates to combat new threats

• Data analytics
  • Remote probes
  • Live monitoring
  • Filters / traps

• Application security
  • Micro-segmentation to limit damage
  • Policy management

Page 26

VNF Versus Assured VNF – Example: Encryption

(Diagram: "Encryption as VNF" – IPsec running as a virtual machine on the compute host over OVS, alongside storage, network and compute – compared with "Encryption as an assured VNF"; comparison axes: latency, cost @ 1Gbit/s, cost @ 10Mbit/s, resource consumption.)

Page 27

The Assured Model

(Diagram: multicore x86 server. Hardware data plane with ports A1 and A2 – physical test, monitoring, enforcement; L2/L3 low latency, sync, MACsec – and N1 as the hardware equivalent. Above it, flexible L3/4/7 service creation: VNFs in VM-1 and VM-2 on the compute host infrastructure, connected through OVS to the network interface.)

Page 28

IP Layer ProVM/Security NFV

Page 29

IP Layer ProVM/Security NFV

Page 30

Security Is a Fact of Life

How data should travel

• How we travel
  • Get ticket online or at the airport
  • Prove who you are
  • Go through security checkpoint
  • Get into terminal
  • Boarding checks
  • Do you belong on the flight?

Page 31

Thank You

IMPORTANT NOTICEThe content of this presentation is strictly confidential. ADVA Optical Networking is the exclusive owner or licensee of the content, material, and information in this presentation. Any reproduction, publication or reprint, in whole or in part, is strictly prohibited.

The information in this presentation may not be accurate, complete or up to date, and is provided without warranties or representations of any kind, either express or implied. ADVA Optical Networking shall not be responsible for and disclaims any liability for any loss or damages, including without limitation, direct, indirect, incidental, consequential and special damages, alleged to have been caused by or in connection with using and/or relying on the information contained in this presentation.

Copyright © for the entire content of this presentation: ADVA Optical Networking.