Tempered Networks' presentation at the recent Rockwell Automation Fair 2016 helps viewers understand why it's so challenging and complex to connect and secure industrial IoT and SCADA systems. The future of networking and security must be based on 'host identity' not spoofable IP addresses.
A modern approach to safeguarding your ICS and SCADA systems
1. A Modern Approach to Safeguarding Your
Industrial Control Systems and Assets
INSTANTLY CONNECT, CLOAK, SEGMENT, PROTECT AND REVOKE ANY IP RESOURCE
Marc Kaplan
VP Solution Architecture
2. Cisco mid-year review takeaway, working it backwards
Complexity Makes Us All Less Secure
This landscape of increasing regulatory complexity is challenging for commercial enterprises to navigate. Ultimately, complexity makes us all less secure, and attackers can and will exploit division.
"Many organizations have reached a tipping point with their Internet infrastructure.... This is their moment to harden security, and enable visibility, throughout their network—and help to reduce the unconstrained time to operate that adversaries currently enjoy."
4. Cisco Annual Alerts
A FALSE SENSE OF SECURITY ABOUT SECURE CONNECTIONS
Secure connections, such as those created by HTTPS connections and SSL certificates, are supposed to give users a sense of security about their online activities. However, a recent increase in vulnerability alerts involving encryption and authentication raises concerns that adversaries can more easily compromise secure connections. The result: connections of questionable security.
As shown in the Common Weakness Enumeration (CWE) chart below (Figure 2), authentication issues and cryptographic issues have been on the rise since 2014 and 2015.
7. How dangerous are the tools?
Most recently came the online dump of tools and files of the Equation Group—aka the National Security Agency—by a group calling itself the ShadowBrokers.
Experts say the auction of the files by ShadowBrokers is a fake, but the files and tools are real, including tools from the NSA that hacked Cisco, Fortinet, and Juniper firewalls.
Security experts say it's no coincidence the data dump came in the wake of the attacks on the DNC, DCCC, and others, by Russia.
HOW BAD COULD IT BE?
8. A plethora of API-enabled attack tools
Router implants, from any vendor in the enterprise space, have been largely believed to be theoretical. However, recent vendor advisories indicate that these have been seen in the wild. Mandiant can confirm the existence of at least 14 such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India.
9. Easy to find, easy to hack
Cisco IOS Software Reverse SSH Denial of Service Vulnerability
An unauthenticated, remote attacker could exploit this vulnerability by attempting a reverse SSH login with a crafted username. Successful exploitation of this vulnerability could allow an attacker to create a DoS condition by causing the device to reload. Repeated exploits could create a sustained DoS condition.
OR… no security
11. BEFORE TEMPERED (timeline: Week 1 through Week 7)
• Ticket submitted to Network IT for new resource addition to corporate network.
• Design for routing, firewall, VPN, and switching policies.
• Design submitted to InfoSec for review and approval.
• Approval of design by InfoSec.
• Implementation of design by Network Ops.
• Implementation review and sign-off by InfoSec.
• GO LIVE!
AFTER TEMPERED (timeline: Day 1)
• Ticket submitted to Network team for new resource.
• Resource added with explicit trust relationships, segmentation and encryption. Verified by InfoSec.
• GO LIVE!
Secure networking time reduced by 97%. Reduce customers' time to provision.
12. IDN Value proposition
Simple. Fast. Effective. Secure.
• Improve time to mitigation, revocation, and quarantine up to: 25%
• Reduce attack surface up to: 90%
• Decrease failover and disaster recovery times to as little as: 1 sec
13. Flawed identity, only complexity. Unsustainable.
100% of network and security policies USE IP ADDRESSES as IDENTITY, and each of the following is paid per networked "thing":
• Complex firewall and networking rule sets
• Routing policies, VLANs and ACLs overhead
• VPN access controls for each network
• DNS and routing updates for failover
Using IP addresses as identity for policy is the root cause of complexity, network security vulnerabilities, poor segmentation, and lack of mobility.
(clients × resources) × (network & security policies) × updates = complexity, written in shorthand as (c × r) × p = y*
*Inspired by "An Attack Surface Metric," Dr. Pratyusa K. Manadhata, Member, IEEE, and Dr. Jeannette M. Wing, Fellow, IEEE, IEEE Transactions on Software Engineering, 2010.
14. What you get with Tempered Networks
Identity-Defined Networking: Unified platform for secure networking
• RAPIDLY CONNECT, DISCONNECT & REVOKE
• MOVE ANY GLOBAL IP RESOURCE WITHOUT DISRUPTION
• SEGMENT EFFORTLESSLY (MICRO, MACRO, AND CROSS-BOUNDARY)
• CLOAKED AND ENCRYPTED FABRIC MAKING RESOURCES AND DATA INVISIBLE
• INSTANT AND VERIFIABLE FAILOVER
15. IDN Fabric – The cure to IT complexity
• Automated orchestration reduces errors
• Rapid: 3-click network design
• Centralized governance; delegated control
• GlobalIPAnywhere™ – Move any IP address to any network
16. IDENTITY – Legacy and HIP-enabled IDN
Legacy Identifier & Locator
• Identifier = who the client is: MAC address (00:1C:B3:09:85:15)
• Locator = where the client is attached to the network: IP address (192.168.16.1)
HIP-enabled IDN
• Identifier = the Host Identity (HI), a public key (Modulus, Signature..: c6d90a4e31a12b297b00162e7ce87d4eac71f53e032a7088……... bb7af53ff1a61b2186c468e1680d46084af340ee252cb4ce...........), represented by a 128-bit Host Identity Tag (HIT): 2001:15:e156:8a78:3226:dbaa:f2ff:ed06
• Locator = where the client is attached to the network: IP address (192.168.16.1)
Host Identity Protocol (HIP) is an identity exchange mechanism that enables secure communications with tunneling protocols such as ESP. HIP provides a method of separating the end-point identifier and locator roles of IP addresses. It introduces a new Host Identity (HI) name space, based on public keys, from which end-point identifiers are taken. HIP uses existing IP addressing and forwarding for locators and packet delivery.
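The slide shows a HIT as an IPv6-looking value derived from the host's public key. The example below, added here and not taken from the slides or from Tempered Networks' software, derives a HIT from a Host Identity the way RFC 7401 does: the ORCHIDv2 construction of RFC 7343, prefix 2001:20::/28, a 4-bit OGA ID selecting the hash, and the middle 96 bits of SHA-256 over the HIP context ID and the encoded key. The prefix, OGA ID and context ID constant are quoted from the RFCs as I recall them and should be checked against RFC 7343 before use; the key bytes are a constructed stand-in for a real Host Identity parameter encoding. The slide's sample HIT (2001:15:...) carries the older ORCHIDv1 prefix 2001:10::/28 from RFC 4843, which is why the `is_hit` check below does not accept it.

```python
"""Added example: derive a Host Identity Tag (HIT) from a Host Identity (HI)
with the ORCHIDv2 construction and show that the HIT survives a change of
locator (IP address). Not code from the slides or from Tempered Networks."""
import hashlib
import ipaddress
from dataclasses import dataclass

# ORCHIDv2 constants as recalled from RFC 7343 (verify before relying on them):
#   ORCHID := Prefix(28 bits) | OGA ID(4 bits) | Encode_96(Hash(Context ID | Input))
ORCHID_PREFIX = 0x2001002 << 100          # top 28 bits of 2001:20::/28
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
OGA_ID_SHA256 = 0x1                       # HIT Suite 1: RSA/DSA with SHA-256


def hit_from_host_identity(hi: bytes, oga_id: int = OGA_ID_SHA256) -> ipaddress.IPv6Address:
    """Return the HIT for an encoded Host Identity (public key) `hi`."""
    if not 0 <= oga_id <= 0xF:
        raise ValueError("OGA ID is a 4-bit field")
    digest = hashlib.sha256(HIP_CONTEXT_ID + hi).digest()   # 256 bits
    middle_96 = digest[10:22]          # Encode_96: drop 80 bits on each side
    value = ORCHID_PREFIX | (oga_id << 96) | int.from_bytes(middle_96, "big")
    return ipaddress.IPv6Address(value)


def is_hit(addr: str) -> bool:
    """True if `addr` lies in the ORCHIDv2 prefix 2001:20::/28."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network("2001:20::/28")


@dataclass
class Host:
    hi: bytes     # identifier: the public key, fixed for the life of the host
    ip: str       # locator: where the host is attached right now

    @property
    def hit(self) -> str:
        return str(hit_from_host_identity(self.hi))


def move_host(host: Host, new_ip: str) -> tuple:
    """Change the locator only; return (hit_before, hit_after) for comparison."""
    before = host.hit
    host.ip = new_ip
    return before, host.hit


# Constructed stand-in for an RSA public key; a real HI would be the
# Host Identity parameter encoding from RFC 7401 section 5.2.9.
SAMPLE_HI = b"constructed-rsa-public-key-bytes"

if __name__ == "__main__":
    plc = Host(hi=SAMPLE_HI, ip="192.168.16.1")
    print("HIT:", plc.hit, "valid ORCHIDv2:", is_hit(plc.hit))
    before, after = move_host(plc, "10.0.9.2")
    print("locator moved to", plc.ip, "- HIT unchanged:", before == after)
```

Because the HIT is a function of the key and nothing else, policy written against it keeps working when the locator changes; an attacker who takes over the old IP address does not inherit the HIT, since producing a matching key would mean inverting SHA-256 or forging the key pair.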
17. Identity-Defined Networking (IDN) – the way forward
Securely network and orchestrate any thing, anywhere, anytime - instantly.
Control based on unique crypto-identity for every networked thing. Seamless deployment, simple policy orchestration and enforcement based on identity. Securely connect, cloak, segment, revoke, move and fail over instantly within the IDN's encrypted fabric.
Diagram: Tempered Networks' IDN Conductor orchestrating HIPservers, HIPswitches, HIPchips and HIPclients. Public / Corporate Network (No Identity. Untrusted. Unmanageable.) versus the IDN Fabric (Trusted. Cloaked. Segmented. Encrypted.) carrying applications, databases, PoS / ATMs, IP cameras, medical devices, cloud workloads and containers.
18. Unique Identity-Defined Overlays (IDO) and Virtual Trust Segments (VTS)
Macro- and micro-segmentation is based on unique host identity and every IDO is cloaked and hardened. Allowed VTS connectivity and communication is explicit, non-traversal, encrypted and verifiable.
Diagram: example overlays and segments spanning the Corporate Network, an Unmanaged Network and Public Cloud regions (US, KR, DE).
• ID Overlays: Application-Database, Vendor / 3rd Party, Employee, Remote Employee, Cloud, IoT
• Virtual Trust Segments: Building Automation Vendor VTS, DBA Admin VTS, Managed Device VTS, Telemetry/Analytics VTS, Web Services VTS, U.S. DevOps VTS, EU DevOps VTS, Korea DevOps VTS, IoT Virtual Trust Segments, IoT Admins VTS
• Things placed in them: Building Automation System, Applications, Databases, DBAs, Managed Devices
20. Trusted identity-based hardware
Serial-over-IP
• Secure management of routers and switches
• No need to expose SSH / Telnet over the internet
• Enable IP on serial-based devices such as SCADA or ATM
Cellular
• Remove the constraints of Ethernet connectivity
• Fallback functionality: flip from Ethernet to cellular automatically
Wireless
• Move seamlessly between Ethernet and Wi-Fi without reduction of security
• HIP over Wi-Fi: Wi-Fi that cannot be brute-forced
Secure by Default
• No local management
• Symmetric policy validation engine
• Hardened
Management
• Secure, highly available central management
• Software-defined – RESTful API
• Identity-based HIP networks
• Global IP namespace
• Flexible IP transformation
21. The Singular Root Defect that affects all IP security and networking
IP addresses are used as network and device identity
• Hacker reconnaissance & fingerprinting via the TCP/IP stack
• Listening TCP/UDP service ports
• All networking and security products use IP addresses for policy
Large attack surface
• IP, TCP/UDP attacks: every connected thing is an entry point
• East / West lateral movement
• ACLs and VLANs ≆ segmentation
Lack of mobility and instant failover
• Policies tied to IP addresses make mobility inflexible
• IP conflicts
• DNS TTL and routing convergence delays
Networking and security costs
• Many distributed, complex VLAN, ACL, VPN and firewall policies
• Controlling network routing
• IPsec VPN certificate management, connection limitations, failover issues
• Expense of "next-gen" firewalls deployed on the interior WAN / LAN
Diagram: Remote Unmanaged Network, Remote Site Managed Network and Corporate Network & Resources, all addressed by IP: Device 10, 11, 12 (192.168.10.10, .11, .12 behind 192.168.10.1); Device 20, 21 (192.168.20.20, .21 behind 192.168.20.1); Device 30, 31, 32 (192.168.30.30, .31, .32 behind 192.168.30.1); Field Technicians; Remote Employees.
22. How we do what we do
• IDENTITY-DEFINED OVERLAYS
• HOST-BASED CRYPTOGRAPHIC IDENTITIES
• SIMPLE POLICY-BASED ORCHESTRATION ENGINE
• HOST IDENTITY NAMESPACE
• SOFTWARE-DEFINED SEGMENTATION
• FAST, FLEXIBLE DEPLOYMENT OF IDN ENDPOINTS (HIP SERVICES) EVERYWHERE
• VIRTUAL TRUST SEGMENTS
23. A New Identity Networking Paradigm Made Simple
Diagram: the same Remote Site Networks & Resources and Corporate Network & Resources over the WAN / LAN, now fronted by the IDN. Device 10, 11, 12 (192.168.10.10, .11, .12; 192.168.10.1), Device 20, 21 (192.168.20.20, .21; 192.168.20.1) and Device 30, 31, 32 (192.168.30.30, .31, .32; 192.168.30.1) sit behind HIPswitches at 192.168.10.100 and 192.168.30.100, labelled CLOAKED, SEGMENTED & MOBILE and PROTECTED, SEGMENTED, ENCRYPTED, & MOBILE. Field Technicians and Remote Employees connect through a HIPclient (10.0.9.2). The Conductor orchestrates all of them.
Unique Host Identity Approach
• Host Identity Protocol (HIP): IETF ratified April 2015
• True SDN overlay – little to no changes to network, security, or applications
• Unshackles IP from serving as identity - frees IT from complexity
• In production since 2006
Rapid Provisioning, Revocation, IP Mobility and Failover
• Effortless segmentation & cloaking
• One-click orchestration to connect, disconnect, move or fail over any "thing"
• Less than 1 second failover between any IDN endpoints
• Build ID overlays (IDOs) on demand based on the situation
Significantly Reduced Attack Surface
• No trust? No connectivity. No communication. No data.
• VLAN "segmentation" traversal is now impossible.
• Based on explicit device trust - all systems are invisible
• 2048-bit identity-based connectivity, AES-256 encryption by default
Lower Costs, Simpler Environment
• CapEx and OpEx decrease
• Eliminate or reduce interior "next-gen" firewalls, VPNs, complex policies, ACLs, VLAN complexity, certificate management
24. Conductor's "Visual Trust Map" – Instant Verification
Visualize trust relationships between HIP Services and whitelisted endpoints.
25. Availability, Status, Configurations, Versioning – Know the State
HIP Services:
• Activity
• Models
• Versions
• Static or dynamic config
• Current IP address
• Gateway
• DNS server
• Custom routes
• Link status
• Port configuration [if available]
Users may now check which HIP associations (secure tunnels) exist on a HIPswitch and check available bandwidth as well, for availability and sizing understanding.
26. Reduce the Attack Surface
Up to 90% (BEFORE TEMPERED versus AFTER TEMPERED), because of cloaking, identity-based segmentation, non-traversal, automatic encryption, and instant revocation.
Attack surface reduction allows greater security focus and depth on the other areas Tempered Networks doesn't address, like endpoint or code-level security.
27. Improve Time to Mitigate, Revoke, and Quarantine
Time to mitigation, revocation, and quarantine is improved by 50%, with greater confidence.
• Revocation of any resource within the IDN fabric is one click or an automated API call from a security analytics system. It can happen instantly, is verifiable, and permanent - until you say otherwise.
• Even if a user's credentials were stolen and still valid, if they're not on an authorized device – no access.
• The alternative? Complexity. Check all VPNs, firewall rules, ACLs, and directory services. Analyze other policies to ensure that the system is in fact quarantined or revoked.
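Slides 21 and 23 contrast policy keyed on IP addresses with policy keyed on host identity, and this slide claims that revoking one identity quarantines it everywhere in one call. The model below is an added example written for this page, not Tempered Networks' code or the Conductor API; the class and function names, the hosts and the HIT strings are all constructed. It runs the same four situations through both policy styles: a host that moves to a new locator, an attacker who takes over the old IP address, a trusted-with-A-but-not-with-B pair (non-traversal), and a one-call revocation.

```python
"""Added example: IP-keyed ACL versus identity-keyed whitelist under mobility,
address takeover, non-traversal and revocation. Constructed model, not the
vendor's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    hit: str   # cryptographic host identity (a HIT string stands in for the key)
    ip: str    # locator; can change, and can be taken over by someone else


class IpAcl:
    """Legacy policy: trust is a set of (source IP, destination IP) rules."""

    def __init__(self):
        self.rules = set()

    def permit(self, src_ip, dst_ip):
        self.rules.add((src_ip, dst_ip))

    def allows(self, src, dst):
        return (src.ip, dst.ip) in self.rules


class IdentityPolicy:
    """IDN-style policy: an explicit, symmetric whitelist of identity pairs.
    Nothing is implied by network position, and trust is not transitive
    (A<->B plus B<->C does not give A<->C)."""

    def __init__(self):
        self.pairs = set()      # frozenset({hit_a, hit_b})
        self.revoked = set()    # identities quarantined from the whole fabric

    def trust(self, a, b):
        self.pairs.add(frozenset((a.hit, b.hit)))

    def revoke(self, host):
        """One call: every pair involving this identity stops working."""
        self.revoked.add(host.hit)

    def allows(self, src, dst):
        if src.hit in self.revoked or dst.hit in self.revoked:
            return False
        return frozenset((src.hit, dst.hit)) in self.pairs


def scenario():
    """Run both policies through the four situations; return the decisions."""
    db = Host("database", "hit-db", "192.168.10.10")
    app = Host("app-server", "hit-app", "192.168.20.20")
    plc = Host("plc", "hit-plc", "192.168.30.30")

    acl = IpAcl()
    acl.permit(plc.ip, app.ip)
    acl.permit(app.ip, db.ip)
    idn = IdentityPolicy()
    idn.trust(plc, app)
    idn.trust(app, db)

    out = {"baseline_acl": acl.allows(plc, app),
           "baseline_idn": idn.allows(plc, app)}

    # 1. Mobility: the PLC fails over to cellular and gets a new locator.
    moved = Host(plc.name, plc.hit, "10.0.9.2")
    out["moved_acl"] = acl.allows(moved, app)    # rule was bound to the old IP
    out["moved_idn"] = idn.allows(moved, app)    # identity unchanged

    # 2. Takeover: an attacker claims the PLC's old address.
    rogue = Host("rogue", "hit-rogue", "192.168.30.30")
    out["rogue_acl"] = acl.allows(rogue, app)    # IP is the identity here
    out["rogue_idn"] = idn.allows(rogue, app)    # wrong identity, no tunnel

    # 3. Non-traversal: PLC<->app and app<->db do not make PLC<->db.
    out["traversal_idn"] = idn.allows(plc, db)

    # 4. Revocation: one call quarantines the app server from the fabric.
    idn.revoke(app)
    out["revoked_idn"] = idn.allows(app, db)
    out["revoked_acl"] = acl.allows(app, db)     # the ACL knows nothing of it
    return out


if __name__ == "__main__":
    for key, decision in scenario().items():
        print(f"{key:14s} {'ALLOW' if decision else 'DENY'}")
```

The dictionary makes the argument of the slides concrete: the ACL denies the legitimate PLC after it moves and admits the attacker who inherits its address, while the identity policy does the reverse; and after `revoke(app)` the identity policy denies the app server without touching any other rule, whereas the ACL still permits it until someone hunts down every rule that names 192.168.20.20.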
28. Decrease Failover and Disaster Recovery Time
Failover and disaster recovery times reduced to as little as one second.
• Every IDN endpoint or HIP Service is based on a unique host identity, not an IP address or hostname, which makes failover mobile rather than IP-bound.
• Failover can be applied from an entire datacenter (represented as a unique host identity) down to a container (represented as a unique host identity).
• If one goes down in the IDN fabric, a simple automated API call or one-click manual update to the fabric will reconnect instantly to the designated IDN failover endpoint.