2. DISCLAIMER
The views expressed here are my own, though I may draw examples from my past
and present professional experiences.
3. AGENDA
Scope: B2B - vendors selling to enterprises; "Devices in your network"
Not in scope: not about specific security solutions
4. COMPLIANCE ALPHABET SOUP
IT Security & Compliance: FIPS 140-2, Common Criteria, ICSA, NSS, PCI DSS, HIPAA, SOX, ISO 27002, FIPS 200, GLBA, FISMA, NERC
Product Security & Compliance
Hardware Security & Compliance: Homologation (FCC, UL, CB/CE, DVT), TCG – TPM, Export Compliance
6. A BRIEF HISTORY
Then: tightly coupled, rigid, monolithic, custom hardware
Now: centralized + distributed, programmable, VNFs / service chaining, network virtualization
7. A BRIEF HISTORY
Then: physical
Now: virtual, hypervisor, IaaS clouds, orchestration
Courtesy: Juniper SRX 5600
Courtesy: Silver Peak Systems Inc.
8. WHOSE 'OS' IS IT ANYWAY?
Applications / Management and Orchestration: malware analysis, analytics, SIEMs, anti-virus, DLP, SDN controllers
Embedded Systems: firewall, routers, switches, WAN optimization, web application firewalls, load balancers, secure web gateways, VPN devices, IPS
Embedded Systems, Cloud Apps (IaaS)
Applications, Cloud Apps (SaaS/PaaS)
9. A BRIEF HISTORY
Then Now
Service Chaining SD-WAN and Firewall VNFs
Courtesy: Silver Peak Systems Inc.
10. A BRIEF HISTORY
Then Now
Centralized Orchestrator, Distributed Devices
Courtesy: Silver Peak Systems Inc.
12. Compliance Considerations
• FIPS boundaries - hardware vs. software only
• TPM for virtual
• Common Criteria – evolving => assurance levels to Protection Profiles
• IPSec/SSL encryption – commodity hardware, AES-NI instructions
14. New Threat Vectors & Considerations
• Programmability
• DDoS on REST APIs
• Authentication
• Distributed Data Plane – backward & forward compatibility
• 'Outside the Box' - secure communications
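The two bullets "DDoS on REST APIs" and "Authentication" go together on a programmable, centrally orchestrated device: an orchestrator's northbound REST API must both check who is calling and bound how much any caller (or any unauthenticated flood) can consume. The sketch below is an added example, not code from the presentation or from any vendor product; the client id and API key are constructed, and the rate numbers are arbitrary.

```python
"""Authentication plus per-client rate limiting for an orchestrator's REST API.

Added example, not from the presentation or any vendor product. Client IDs and the
API key are constructed. API keys are stored only as SHA-256 digests and compared
with hmac.compare_digest; every authenticated client gets its own token bucket,
while requests that fail authentication share one small bucket so an
unauthenticated flood cannot consume budget that belongs to legitimate controllers.
"""
import hashlib
import hmac


class TokenBucket:
    """Classic token bucket: `capacity` burst, refilled at `refill_per_sec`."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            elapsed = max(0.0, now - self.last)   # tolerate a clock stepping backwards
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def hash_api_key(api_key):
    """Digest stored server-side; the raw key never sits in the key table."""
    return hashlib.sha256(api_key.encode()).hexdigest()


class ApiGate:
    def __init__(self, key_hashes, per_client_rate=(20, 5.0), anon_rate=(5, 1.0)):
        self.key_hashes = key_hashes            # client_id -> sha256 hex digest
        self.per_client_rate = per_client_rate
        self.client_buckets = {}
        self.anon_bucket = TokenBucket(*anon_rate)

    def _authenticate(self, client_id, api_key):
        expected = self.key_hashes.get(client_id)
        if expected is None:
            return False
        # constant-time comparison avoids leaking how much of the digest matched
        return hmac.compare_digest(hash_api_key(api_key), expected)

    def handle(self, client_id, api_key, now):
        """Return an HTTP status: 200 allowed, 401 bad credentials, 429 rate limited."""
        if not self._authenticate(client_id, api_key):
            return 401 if self.anon_bucket.allow(now) else 429
        bucket = self.client_buckets.setdefault(client_id, TokenBucket(*self.per_client_rate))
        return 200 if bucket.allow(now) else 429


# Constructed credentials for the demonstration only
DEMO_KEYS = {"orchestrator-1": hash_api_key("constructed-demo-key")}


def demo():
    """Burst of 21 valid calls, one call after a second of refill, six bad-key calls."""
    gate = ApiGate(DEMO_KEYS)
    burst = [gate.handle("orchestrator-1", "constructed-demo-key", 0.0) for _ in range(21)]
    after_refill = gate.handle("orchestrator-1", "constructed-demo-key", 1.0)
    bad = [gate.handle("orchestrator-1", "wrong-key", 0.0) for _ in range(6)]
    return burst, after_refill, bad


if __name__ == "__main__":
    print(demo())
```

In a real deployment the digest check itself costs CPU, so a per-source-IP limit in front of the API (at the load balancer or in the service) should run before authentication; the shared anonymous bucket here only shows the principle that failed-auth traffic must never be billed to legitimate clients.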
15. RISING OPEN SOURCE USAGE
Copy-left vs. permissive licenses
Vendors
• Publish ALL 3rd party licenses
• Publish source code for modified copy-left licenses
• Maintain tabs on the Bill of Materials
• Provide trickle-down SLAs for open source vulnerabilities
Courtesy: Blackduck Software
16. "SHARE MY PIE"
Vendors: Vulnerability Assessment
• OWASP top 10
• SANS 25
• TCP/IP attacks
Enterprises: Penetration Testing
• Privilege escalations
• Availability
• Security Posture
17. DEVOPS AND HOSTED CLOUD APPLICATIONS
The release is dead, long live the release!
Network vendors with physical, virtual, IaaS products: follow (Agile) software release cycles
Enterprises with cloud or web services, SaaS/PaaS products: DevOps model
Risks: availability, stability, DDoS
Courtesy: http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
18. SUMMARY
Enterprise networks are adapting to network virtualization and cloud applications
Programmable, hardware agnostic products introduce new threat vectors
Vendor compliance standards help in enterprise IT security & compliance
Vendor best practices for open source usage & vulnerability assessment
Alphabet soup of IT security
What applies to vendors - FIPS, ICSA, Common Criteria, NSS
FIPS - crypto implementation, key management, random bit generation, X.509 certificates => no weak protocols; physical security at level 2 and above
CC - secure communication channel (data in transit), RBAC, audit logs, system services, protecting stored keys (data at rest). ICSA and NSS are firewall / network security certifications
ICSA – basic firewall; NSS – effectiveness, price, performance
Common requirements
Encrypt data at rest and in transit – make sure the crypto is right; RBAC, audit logs, change management, business continuity, disaster recovery, NTP time sync; firewall/IPS implementation is right - ICSA
Hardware
CB - safety of electrical and electronic components, CE for EU
UL – independent 3rd party testing
FCC – radiation
DVT – very product centric. Includes functional, performance, environmental, mechanical, MTBF and electromagnetic tests after prototyping
TPM, export compliance
What doesn't apply to us, but what we design for - industry-level certifications - PCI, HIPAA, SOX, FedRAMP, FISMA, ISO 2700x, NERC, GLBA
SOX – publicly traded companies; GLBA – banks, insurance, financial services; FISMA – government and government contractors; PCI – credit card merchants
NERC – electric generators, providers etc.
FIPS: vendor dilemma, should I certify h/w or s/w – physical, virtual, cloud; should I pay my FIPS lab 3 times (expensive)
TPM virtual – commodity h/w, not for virtual; how do I secure private keys in virtual?
Encryption has changed – no h/w accelerators, though they are not going away. Intel processors have AES NI instructions. So AES encryption is now more popular than 3DES.
Hypervisor security, e.g. lockdown on the host OS, ensures that you enforce guest OS user access
Can I copy and paste between VM consoles?
CPU, memory and storage are shared. Can one VM override the other? Has to be restricted
Container – a set of namespaces or resource groups, without the overhead of a virtual/guest OS
Containers with root privileges – unintended privilege escalation
Most networking vendors have containers in their roadmap
Container – 2016 survey – 16% of orgs already using containers in production, mostly for development and testing; 30% have headaches about security and isolation (Cloud Foundry survey – leading PaaS platform; Pivotal is built on top of it, GE Predix cloud is built over it)
Answers: Right now, the onus is on enterprises, not on vendors, for IaaS and virtual products.
"Many moving parts" - centralized orchestrator, multiple devices in the network. TLS/IPsec between each control/data connection?
A permissive licence is as it says, and allows the user to copy, repackage, sell, or change the code in any way the user likes, as long as some form of attribution is given.
A copyleft licence, such as the GPL, gives similar rights but ensures reciprocity by obliging those who distribute the code to pass on the same rights to others.
How it affects end user organizations –
Open source is a product security issue – it affects IP rights and the right to commercially buy and sell a product
Google has aimed to remove all GPLed software from Android's userland, and Apple won't allow GPLed software to be sold through its App Store,
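The vendor practices on the "Rising open source usage" slide (publish all third-party licenses, publish source for modified copyleft components, keep tabs on the bill of materials) and the copyleft vs. permissive distinction in these notes both come down to a review of the component inventory before a release. The script below is an added example and not from the presentation or any vendor's tooling; the SBOM it reads is constructed, and the license names are SPDX identifiers.

```python
"""Review a third-party component inventory (bill of materials) for license obligations.

Added example, not taken from the presentation or any vendor's tooling. The SBOM
below is constructed; license names use SPDX identifiers and the copyleft vs.
permissive split follows the distinction the slides draw.
"""
import json

# Constructed sample SBOM in a minimal CycloneDX-like shape. "modified" records
# whether the vendor changed the component's source (that is what triggers the
# source-publication obligation for copyleft code).
SAMPLE_SBOM = json.dumps({
    "components": [
        {"name": "openssl", "version": "1.1.1", "license": "Apache-2.0", "modified": False},
        {"name": "busybox", "version": "1.31", "license": "GPL-2.0-only", "modified": True},
        {"name": "readline", "version": "8.0", "license": "GPL-3.0-or-later", "modified": False},
        {"name": "zlib", "version": "1.2.11", "license": "Zlib", "modified": False},
        {"name": "glibc", "version": "2.31", "license": "LGPL-2.1-or-later", "modified": False},
        {"name": "mystery-lib", "version": "0.1", "license": "", "modified": False},
    ]
})

PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC", "Zlib"}
# GPL/AGPL are strong copyleft; LGPL/MPL/EPL are weak (file- or library-scoped),
# but all of them require passing source on when a modified copy is distributed.
COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-", "MPL-", "EPL-")


def classify_license(spdx_id):
    """Map an SPDX identifier to 'permissive', 'copyleft' or 'unknown'."""
    if not spdx_id:
        return "unknown"
    if spdx_id in PERMISSIVE:
        return "permissive"
    if spdx_id.startswith(COPYLEFT_PREFIXES):
        return "copyleft"
    return "unknown"


def review_sbom(sbom_json):
    """Return the three lists a vendor needs before shipping:
    attribution        - every component with a known license (publish ALL licenses)
    source_disclosure  - modified copyleft components whose source must be published
    needs_review       - components with no or unrecognised license (a BOM gap)
    """
    result = {"attribution": [], "source_disclosure": [], "needs_review": []}
    for comp in json.loads(sbom_json)["components"]:
        kind = classify_license(comp["license"])
        label = f'{comp["name"]} {comp["version"]} ({comp["license"]})'
        if kind == "unknown":
            result["needs_review"].append(comp["name"])
            continue
        result["attribution"].append(label)
        if kind == "copyleft" and comp["modified"]:
            result["source_disclosure"].append(comp["name"])
    return result


if __name__ == "__main__":
    for section, items in review_sbom(SAMPLE_SBOM).items():
        print(section)
        for item in items:
            print("  ", item)
```

The "needs_review" list is the one that matters most for the vulnerability SLA point on the slide: a component with no recorded license usually also has no recorded upstream, so nobody is watching it for advisories.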
Enterprise IT – "uncover all issues in my org, network and security posture"
Vendors – "are all my products vulnerability free, are open source components patched in a timely manner"
Vendors leaning on vulnerability assessment vs. enterprises leaning towards pen tests
Vulnerability assessment frameworks
OWASP top 10 – design for XSS, SQL injection, input/output vulnerabilities, session authentication; SANS 25
TCP/IP vulnerabilities – RFC compliance, FTP bounce attacks, IP smurf attacks, spoofed TCP resets
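"RFC compliance" and "spoofed TCP resets" in the note above are the same item: the defence against blind reset attacks is the RST validation rule in RFC 5961 section 3.2, which a product's TCP stack either implements or does not. The code below is an added example, not from the presentation, and models only the RST decision, with a constructed connection record standing in for a real TCP control block.

```python
"""Check inbound TCP RST segments the way RFC 5961 (section 3.2) requires.

Added example, not from the presentation. Under RFC 793, any RST whose sequence
number fell anywhere in the receive window tore the connection down, so a blindly
spoofed reset only had to land somewhere in a window of tens of thousands of
values. The hardened rule accepts a RST only at exactly RCV.NXT; an in-window RST
elsewhere triggers a challenge ACK, which a genuine peer answers with a correctly
numbered RST and an off-path sender cannot. The Connection class is a constructed
stand-in for a real TCP control block.
"""
from dataclasses import dataclass

SEQ_SPACE = 1 << 32


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), using mod-2^32 arithmetic."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


@dataclass
class Connection:
    rcv_nxt: int                 # next sequence number we expect from the peer
    rcv_wnd: int                 # bytes we are currently willing to accept
    state: str = "ESTABLISHED"
    challenge_acks: int = 0
    challenge_limit: int = 100   # simplified stand-in for RFC 5961's per-second ACK throttling


def legacy_handle_rst(conn, seq):
    """RFC 793 behaviour: any in-window RST is accepted (the pre-5961 weakness)."""
    if conn.state == "CLOSED":
        return "drop"
    if in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        conn.state = "CLOSED"
        return "accept"
    return "drop"


def handle_rst(conn, seq):
    """RFC 5961 behaviour: accept only at RCV.NXT, challenge elsewhere in the window."""
    if conn.state == "CLOSED":
        return "drop"
    if seq == conn.rcv_nxt:
        conn.state = "CLOSED"
        return "accept"
    if in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        if conn.challenge_acks >= conn.challenge_limit:
            return "drop"        # throttled: never turn a flood into a flood of challenge ACKs
        conn.challenge_acks += 1
        return "challenge"
    return "drop"


def accepted_sequence_values(handler, rcv_nxt, rcv_wnd):
    """Count how many distinct in-window sequence values `handler` accepts as a
    valid reset. A fresh connection is used per probe so one acceptance does not
    mask the next; the result shows how much each rule narrows the accepting set."""
    accepted = 0
    for offset in range(rcv_wnd):
        conn = Connection(rcv_nxt=rcv_nxt, rcv_wnd=rcv_wnd)
        if handler(conn, (rcv_nxt + offset) % SEQ_SPACE) == "accept":
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("RFC 793 accepts :", accepted_sequence_values(legacy_handle_rst, 1000, 65535))
    print("RFC 5961 accepts:", accepted_sequence_values(handle_rst, 1000, 65535))
```

When assessing a product's stack against this item, the observable behaviour to look for is the challenge ACK: an in-window RST that is not at RCV.NXT should produce an ACK from the device and leave the session up, not silently close it.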
Started in 2009 with Flickr – 10 deploys per day; the model is to do away with releases and always develop on trunk, the head of your code, so the number of revisions doesn't matter
Fix fast, deploy faster, one-step build and deploy
Most web services, cloud apps
Network vendors still use release cycles – Agile, moved from waterfall, not entirely DevOps
Cloud apps are DevOps style
Fix fast, patch quicker, responsible software development – one-step development, build and deploy