CSA SDP Working Group
An Open Source Code Project for a Software Defined Perimeter to Defend Cloud Applications from DDoS
CSA Conference - Berlin, November 2015
DHS Problem
[Diagram: Open Source Software-Defined Perimeter at the center, addressing three problem areas]
- Addressing the Changing Perimeter: current solutions are workarounds; ID verification & packet inspection does not scale.
- Addressing Monitoring & Logging: current solutions are infrequent, not on-demand, compliance-driven.
- Addressing Mitigation & Resilience: current mitigations are too complex; multiple point products.
Goals
[Diagram: Open Source Software-Defined Perimeter at the center]
- Allow medium-sized orgs. to withstand 1 Tbps DDoS: in SDP the Control & ID planes are separate; redundant components in the cloud.
- DDoS signatures: information sharing.
- Provide metrics to measure performance: Monitoring Service & Logging is part of the specification
  - Volume of data pushed
  - Connection close events
  - Number of open connections over a given time interval
  - Messages per second being handled
  - Message queue sizes
  - Etc.
- Supports compliance: CSA & SDP Working Group, OWASP Working Groups.
SDP: What's Different
- Standardization of the "Need-to-know" access model: deployed with DoD for many years but rarely seen in the commercial world.
- Device attestation before authentication: first published by NSA a decade ago but never commercialized.
- Mutual TLS (Transport Layer Security): a great idea & standard but not being adopted.
Single Packet Authorization
Single Packet Authorization (SPA) is used to initiate any and all communication. SPA can use RFC 4226 (HOTP).
Benefits:
- Blackens the server: The server will not respond to any connections from any clients until they have provided an authentic SPA.
- Mitigates Denial of Service attacks on TLS: Internet-facing servers running the https protocol are highly susceptible to Denial-of-Service (DoS) attacks. SPA mitigates these attacks because it allows the server to discard the TLS DoS attempts before entering the TLS handshake.
- Attack detection: The first packet to an AH (accepting host) from any other host must be an SPA. If an AH receives any other packet, it should be viewed as an attack. Therefore, the SPA enables the SDP to determine an attack based on a single malicious packet.
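The accepting-host side of the three benefits above, as an added example written for this page (it is not the CSA SDP working group's code and not fwknop's wire format): an RFC 4226 HOTP routine, a constructed SPA payload (JSON body plus an HMAC-SHA256 signature under a shared key; the encryption layer a real SPA packet also carries is left out to stay stdlib-only), and a gateway that treats anything other than a valid, fresh, never-before-seen SPA as an attack indicator and answers nothing. The names `hotp`, `build_spa`, `SpaGateway`, `SIG_KEY`, the user "alice", the HOTP secret (the RFC 4226 test-vector secret) and the IP addresses are all constructed for the example.

```python
import hashlib
import hmac
import json
import struct

# ---- RFC 4226 HOTP -----------------------------------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# ---- SPA packet: constructed demo format (assumption), not fwknop's ----------
# Packet = JSON body + "|" + hex HMAC-SHA256(body) under a shared signing key.
# A real SPA packet is also encrypted; that layer is omitted here.

SIG_KEY = b"constructed-demo-signing-key"   # per-client key in a real deployment

def build_spa(user: str, hotp_secret: bytes, counter: int, port: int, now: int) -> bytes:
    """Initiating-host side: one signed UDP payload asking for `port` to be opened."""
    body = json.dumps({"user": user, "counter": counter, "port": port,
                       "ts": now, "otp": hotp(hotp_secret, counter)},
                      sort_keys=True).encode()
    sig = hmac.new(SIG_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + sig

class SpaGateway:
    """Accepting-host side: verifies the first packet seen from a source address."""
    LOOKAHEAD = 5     # counters accepted ahead of the last one seen (lost packets)
    MAX_SKEW = 30     # seconds; bounds how long a captured packet stays usable

    def __init__(self, users: dict):
        self.secrets = dict(users)                  # user -> HOTP secret
        self.last_counter = {u: -1 for u in users}  # highest counter accepted so far

    def handle_first_packet(self, src_ip: str, raw: bytes, now: int) -> tuple:
        """Returns ("allow", src_ip, port) or ("attack", src_ip, reason).
        Nothing is ever sent back: the caller logs the reason and keeps dropping."""
        body, sep, sig = raw.rpartition(b"|")
        if not sep:
            return ("attack", src_ip, "not an SPA packet")
        expected = hmac.new(SIG_KEY, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, sig):      # constant-time compare
            return ("attack", src_ip, "bad signature")
        try:
            msg = json.loads(body)
            user, counter = msg["user"], int(msg["counter"])
            port, ts, otp = int(msg["port"]), int(msg["ts"]), str(msg["otp"])
        except (ValueError, KeyError, TypeError):
            return ("attack", src_ip, "malformed body")
        if user not in self.secrets:
            return ("attack", src_ip, "unknown user")
        if abs(now - ts) > self.MAX_SKEW:
            return ("attack", src_ip, "stale timestamp")
        last = self.last_counter[user]
        if counter <= last or counter > last + self.LOOKAHEAD:
            return ("attack", src_ip, "replayed or out-of-window counter")
        if not hmac.compare_digest(hotp(self.secrets[user], counter).encode(), otp.encode()):
            return ("attack", src_ip, "wrong HOTP")
        self.last_counter[user] = counter   # burn the counter: the same packet can never work twice
        return ("allow", src_ip, port)
```

Two design points the slide leaves implicit: the server verifies the signature before it parses anything, so malformed input costs one HMAC and no parser exposure, and the counter is advanced only after every check passes, so a captured packet replayed from another address is refused without the server having to remember the packet itself.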
Mutual Transport Layer Security
Provides device authentication prior to enabling confidential communication over the Internet. Typical TLS usage does not authenticate clients to servers; mutual TLS is two-way cryptographic authentication.
Benefits:
- Device Authentication: The connections between all hosts must use TLS or Internet Key Exchange (IKE) with mutual authentication to validate the device as an authorized member of the SDP prior to further device validation and/or user authentication.
- Disallows forged certificates: The root certificate for both the TLS (IPsec) client and server will be pinned to a known valid root and should not consist of the hundreds of root certificates trusted by most consumer browsers. This mitigates impersonation attacks whereby an attacker can forge a certificate from a compromised certificate authority.
- Disallows Man-in-the-middle attacks: The TLS (IPsec) server shall use Online Certificate Status Protocol (OCSP) response stapling as defined by the IETF working draft "X.509v3 Extension: OCSP Stapling Required" (draft-hallambaker-muststaple-00), which references the stapling implementation in RFC 4366 "Transport Layer Security (TLS) Extensions". OCSP response stapling mitigates DoS attacks on the OCSP responders and also mitigates man-in-the-middle attacks that use obsolete OCSP responses from before the server certificate was revoked.
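The "pinned to a known valid root" and "client certificate required" rules above, as an added example in Python's standard `ssl` module (not the project's code): both contexts start from an empty trust store rather than the platform's browser roots, load exactly one pinned root, and fail closed if that file is missing or holds more than one CA. The function names and the file paths are assumptions for the example; real certificate and key files would be supplied by the deployment.

```python
import ssl
from typing import Optional

def _pin_single_root(ctx: ssl.SSLContext, pinned_root: str) -> None:
    """Trust one CA and nothing else. A missing file raises OSError (fail closed)
    rather than silently falling back to the system trust store."""
    ctx.load_verify_locations(cafile=pinned_root)
    n = ctx.cert_store_stats()["x509_ca"]
    if n != 1:
        raise ValueError(f"pinned root file must contain exactly one CA, found {n}")

def pinned_server_context(pinned_root: Optional[str] = None,
                          cert_chain: Optional[str] = None,
                          key: Optional[str] = None) -> ssl.SSLContext:
    """Accepting-host side: a fresh SSLContext trusts no CAs at all until one is
    pinned, and CERT_REQUIRED refuses any client that presents no certificate
    or one that does not chain to the pinned root."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED          # client certificate is mandatory
    if pinned_root is not None:
        _pin_single_root(ctx, pinned_root)
    if cert_chain is not None:
        ctx.load_cert_chain(cert_chain, key)     # the server's own certificate
    return ctx

def pinned_client_context(pinned_root: Optional[str] = None,
                          cert_chain: Optional[str] = None,
                          key: Optional[str] = None) -> ssl.SSLContext:
    """Initiating-host side: the same single pinned root for validating the
    server, plus the device certificate the server will demand."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    if pinned_root is not None:
        _pin_single_root(ctx, pinned_root)
    if cert_chain is not None:
        ctx.load_cert_chain(cert_chain, key)     # the device certificate
    return ctx

def describe(ctx: ssl.SSLContext) -> dict:
    """Plain-value summary of the policy a context enforces, for review or tests."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname,
            "trusted_cas": ctx.cert_store_stats()["x509_ca"],
            "minimum_version": ctx.minimum_version.name}
```

Python's `ssl` module exposes no server-side OCSP stapling, so in the setup shown later in this deck that part of the slide is the web server's job: Apache mod_ssl does it with `SSLUseStapling on`, and `SSLVerifyClient require` is the equivalent of `CERT_REQUIRED` above.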
Open Source SDP - Anti-DDoS Assumptions
- Easy to spoof millions of IP addresses.
- Not as easy to spoof millions of phone numbers or authenticated devices.
- Stack multiple factors together to verify access.
Use Case Benefits
1. All Internet-facing servers of US government sites are hidden by the SDP gateway (i.e. default drop all packets).
2. Internet users who desire access to a protected site would be on-boarded with a unique ID (e.g. client CERT, encryption keys, etc.).
[Diagram: Trusted Client (Fingerprint, Token, Identity Verification, Geo Location Verification) -> Mutual TLS -> CONTROL: SDP Controller with PKI/Authentication Service, ABAC/Authorization Service, Geo Location Service, IdP/AD Service -> ACCESS: Internet-facing Servers, Application Servers -> DATA: Critical Servers, Cyber Command & Control Servers]
- False credential, IRS (stealing tax refunds): If a hacker tried to impersonate a tax filer, their device ID would not match the filer's name, thus no access would be granted.
- Stolen credential, OPM (stealing employee files): If an attacker stole a credential it would not work, as the device ID would be different. Hackers could try to re-onboard themselves, but their device ID would be wrong, thus no access.
- APT, Titan Rain (device breach): SDP does not stop APT data theft from the device at the network layer. However, SDP could be used to ensure that encrypted data is only accessible on the user's device (if the key management system was only accessible via an SDP).
Use Case Benefits (continued)
3. When users wish to access a protected site they would click on the SDP client on their personal device.
4. Info in the unique SPA packet must match the ID of the user. This is the key that opens the gateway to the client (i.e. a port on the firewall).
5. If the device and user identity are valid the user will be granted access. (The IP address can be verified to match the stored location for dedicated clients.)
[Diagram: same as the previous slide - Trusted Client -> Mutual TLS -> CONTROL -> ACCESS -> DATA]
- Bandwidth Denial of Service.
- SDP would make it impossible for foreign spies to conduct remote surveillance on systems. Foreign governments could do an APT attack on a single user, but their visibility would be limited to what the user could see.
System Layout
Linux Server (CentOS) running: iptables (DROP ALL), fwknop, Panther Monitor, Apache (hosting PantherGUI).
Server Cannot be Scanned
nmap port scan against the server:
  Nmap scan report for x.x.x.x
  Host is up (0.033s latency).
  All 65535 scanned ports on x.x.x.x are filtered
Attempt to Reach Website
HTTPS request (want to see the PantherGUI site) sent to the server.
Website Unreachable
iptables has no rule to allow access to this machine; the HTTPS request (want to see the PantherGUI site) is stopped.
  Listing rules in fwknopd iptables chains...
  Chain FWKNOP_INPUT (1 references)
  num  target  prot  opt  source  destination
  (no rules)
SPA: The Magic Word
Single Packet Authorization (SPA): a UDP packet, encrypted and cryptographically signed, is sent to the server.
  Listing rules in fwknopd iptables chains...
  Chain FWKNOP_INPUT (1 references)
  num  target  prot  opt  source  destination
  (no rules)
Gateway Answers the Door
fwknop adds a rule to iptables to allow only that machine and only on the desired port.
  Listing rules in fwknopd iptables chains...
  Chain FWKNOP_INPUT (1 references)
  num  target  prot  opt  source   destination
  1    ACCEPT  tcp   --   X.X.X.X  0.0.0.0/0    tcp dpt:443 /* _exp_1446756830 */
Gateway Answers the Door Quietly
NOTE: The server does not send any response to the requestor.
  Listing rules in fwknopd iptables chains...
  Chain FWKNOP_INPUT (1 references)
  num  target  prot  opt  source   destination
  1    ACCEPT  tcp   --   X.X.X.X  0.0.0.0/0    tcp dpt:443 /* _exp_1446756830 */
Attempt to Reach Website Again
HTTPS request (want to see the PantherGUI site) sent to the server while the rule is in place.
  Listing rules in fwknopd iptables chains...
  Chain FWKNOP_INPUT (1 references)
  num  target  prot  opt  source   destination
  1    ACCEPT  tcp   --   X.X.X.X  0.0.0.0/0    tcp dpt:443 /* _exp_1446756830 */
Mutual TLS Session Established
Apache is now reachable, BUT Apache requires a client certificate, making this a Mutual TLS (MTLS) session.
  Listing rules in fwknopd iptables chains...
  Chain FWKNOP_INPUT (1 references)
  num  target  prot  opt  source   destination
  1    ACCEPT  tcp   --   X.X.X.X  0.0.0.0/0    tcp dpt:443 /* _exp_1446756830 */
Client Certificate Required
Multifactor authentication: client certificate (something I have) combined with username and password (something I know).
Gateway Removes Expired Firewall Rule
The firewall rule is removed seconds after it was created. The MTLS session persists while the firewall is dark once again.
  Listing rules in fwknopd iptables chains...
  Chain FWKNOP_INPUT (1 references)
  num  target  prot  opt  source  destination
  (no rules)
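The whole walkthrough from "Server Cannot be Scanned" to "Gateway Removes Expired Firewall Rule", as an added model written for this page rather than fwknop's or iptables' own code: a default-DROP input path, an FWKNOP_INPUT chain whose ACCEPT rules carry an `_exp_<epoch>` expiry comment like the listing on the slides, silent expiry of those rules, and a conntrack-style table that lets an already established MTLS session outlive the rule that admitted it. The class and function names, the 30-second TTL and the addresses are assumptions; the timestamp 1446756800 is chosen so the generated comment matches the `_exp_1446756830` shown in the deck.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    src: str
    dport: int
    expires_at: int          # fwknopd records this as the rule comment _exp_<epoch>

    def comment(self) -> str:
        return f"_exp_{self.expires_at}"

@dataclass
class SpaFirewall:
    """Model of the server's packet filter on the slides.
    Everything is dropped unless an FWKNOP_INPUT rule matches the source and
    destination port; rules are added only after a valid SPA and deleted once
    their expiry passes. Established flows are tracked separately (conntrack),
    so a session opened while the rule existed keeps working after it is gone."""
    ttl: int = 30                                   # assumption: seconds a rule lives
    chain: list = field(default_factory=list)       # FWKNOP_INPUT, in order
    conntrack: set = field(default_factory=set)     # (src, sport, dport) of open flows

    def on_valid_spa(self, src: str, dport: int, now: int) -> Rule:
        """What fwknopd does after SPA verification: one ACCEPT for one host, one port."""
        rule = Rule(src, dport, now + self.ttl)
        self.chain.append(rule)
        return rule

    def expire(self, now: int) -> int:
        """Remove rules whose _exp_ timestamp has passed; returns how many went."""
        before = len(self.chain)
        self.chain = [r for r in self.chain if r.expires_at > now]
        return before - len(self.chain)

    def inbound(self, src: str, dport: int, now: int, sport: int = 0) -> str:
        """Verdict for an inbound TCP packet: 'ACCEPT' or 'DROP'.
        DROP sends nothing back, which is why a scanner reports every port as filtered."""
        flow = (src, sport, dport)
        if flow in self.conntrack:
            return "ACCEPT"                 # ESTABLISHED: no rule lookup needed
        self.expire(now)
        for r in self.chain:
            if r.src == src and r.dport == dport:
                self.conntrack.add(flow)    # new connection is now tracked
                return "ACCEPT"
        return "DROP"

    def list_chain(self) -> str:
        """Rendering in the shape of the listing on the slides."""
        lines = ["Chain FWKNOP_INPUT (1 references)",
                 "num  target  prot  opt  source  destination"]
        for i, r in enumerate(self.chain, 1):
            lines.append(f"{i}    ACCEPT  tcp   --   {r.src}  0.0.0.0/0  "
                         f"tcp dpt:{r.dport} /* {r.comment()} */")
        return "\n".join(lines)

def ports_answering(fw: SpaFirewall, src: str, now: int, ports=range(1, 1025)) -> int:
    """How many ports a host that never sent an SPA gets any ACCEPT from (the
    'Server Cannot be Scanned' slide, where the answer is zero)."""
    return sum(1 for p in ports if fw.inbound(src, p, now) == "ACCEPT")
```

The one behaviour worth checking in a real deployment is the last step: the rule must be scoped to the SPA sender's address and the requested port only, and a second connection from the same host after expiry must again require a fresh SPA, while the connection opened inside the window stays up.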
Hard Problems to Solve
- Filtering: need to drop packets fast
- APIs between components
- Using existing open source components
Identify, quantify, prioritize & know how to mitigate your dynamic cyber risk every day.
Juanita Koilpillai, 571-246-6182, jkoilpillai@waverleylabs.com