Software Defined Perimeter
A new approach to access control
Junaid Islam, Co-Chair
Before we start, two ideas we believe strongly:
- Complexity is the primary reason security systems fail (Junaid said this)
- The ideal security solution should just work (what Bob wants)
Internet 2 Technology Exchange 2015
600+ U.S. Victims of Chinese Cyber Espionage
Fundamental Problem: Attacks
- Server exploitation
- Credential theft
- Connection hijacking
Connection-oriented protocol (DNS, then TCP): the client connects to the server before authentication. The vulnerability is unauthenticated connectivity and visibility.
Diagram (Alice, holding the credential "Alice / p@ssw0rd", talks to DNS and to servers 10.0.0.1, 10.0.0.2, 10.0.0.3):
  Alice: IP addr of finance server?
  Alice: Hello 10.0.0.1, I'd like some data
  10.0.0.1: Who are you?
  Alice: Alice, p@ssw0rd
  10.0.0.1: You're authorized.
Connectivity & Visibility: Not a New Problem
- Wall off the enterprise
- Hide the applications
- Tightly manage the computers
Diagram: Enterprise (Alice) | Internet (Bob)
This worked in the business model of the 1990s
Business 2.0: The Perimeter Crumbled
Phishing, BYOD, SaaS, IaaS, contractors, subject matter experts, outsourced software and IT, channel partners, ERP professionals
- Remove visibility
- Remove connectivity
- Cloud & BYOD friendly
Diagram: Enterprise, IaaS, SaaS; Alice and Bob
The world needs a new security model!!!
How SDP Started: Big companies with BIG problems
- Connecting 200,000 users to data center and cloud apps
- Monitoring and updating vehicle software
- Enabling "customer controlled" services
Current Connectivity Model
Connect to Application -> Provide Credentials -> Multifactor Token
Attacks this model exposes: Denial of Service, Credential Theft, Server Exploitation, Connection Hijacking, APT/Lateral Movement
Solution Requirements
Drivers: Insider Threat | Mobile Devices | Cloud Migration
Requirements: No secrets | Highly scalable | Any infrastructure
Software Defined Perimeter
Multifactor Token -> Provide Credentials -> Connect to Application
SDP Architecture
0. One-time on-boarding: client root of trust; digital artifacts & thin client
1. Device Authentication & Authorization: SPA (anti-DDoS, defeats SSL attacks); mTLS & fingerprint (anti credential theft)
2. User Authentication & Authorization: enterprise identity (separation of trust); SAML IdP integrated with LDAP groups
3. Dynamically Provisioned Connections: applications isolated and protected; usability: portal page of applications
Components in the diagram: Issuing CA, SDP Controller, SAML IdP, Client (crypto IPs), SDP Gateways (dynamic connections to Hosting & IaaS and to the DMZ & Data Center)
Key SDP Features
- 64-bit ID is not secret (can be listed)
- SPA can carry a payload for Auto/IoT applications
- Attacks can be detected in the first packet
Defeating Attacks on the Extended Enterprise
- Server exploitation (constant attacks: misconfigurations, vulnerabilities, injections, denial of service) -> Server Isolation: SPA, dynamic FW
- Credential theft (2/3 of the Verizon DBIR: phishing, keyloggers, brute force against user name/password) -> Transparent MFA: mTLS, fingerprint
- Connection hijacking (stealthiest: man-in-the-middle, certificate forgery, DNS poisoning) -> Encryption, pinned certs, no DNS
SDP Provides Real Time Threat Detection
SDP Cryptography Profile
TLS suite: ECDHE-RSA-AES256-GCM-SHA384
ECDHE: Elliptic Curve Diffie-Hellman Ephemeral
- Elliptic curve pre-master keys generate the four symmetric keys of the TLS session
- Ephemeral keys per session: Perfect Forward Secrecy
- But not client or server authentication
RSA: Public/private key pair with an X.509 certificate
- Client and server authentication
- Vidder's implementation: certificates pinned to a trusted root certificate, not the hundreds of (possibly compromised) roots browsers trust
- Employs OCSP stapling (RFC 6066): forwards the OCSP response with the TLS Server Hello; reduces the load on the OCSP responder; mitigates a DoS of the OCSP responder
AES256-GCM: Advanced Encryption Standard (NIST FIPS 197)
- Symmetric key encryption, 256-bit cipher block size
- Galois/Counter Mode: block cipher mode that simultaneously computes encryption and integrity
- PCs and servers implement GCM in hardware: negligible performance impact from encrypting the data
SHA384: Secure Hash Algorithm (member of the SHA-2 family)
- Generates a 384-bit hash
- Verifies integrity of the clear text
- Used in the client/server handshake
Single Packet Authorization (SPA)
History:
- Invented >10 years ago
- Commonly used for super-user ssh access to servers
- Mitigates attacks by unauthorized users
Algorithm:
- Based on RFC 4226, HOTP (HMAC-based One-Time Password), used for hardware/software one-time password tokens
- 128-bit random number seed
- 128-bit non-secret counter
Software Defined Perimeter:
- SPA occurs before the TLS (SSL) connection
- Mitigates attacks on TLS by unauthorized users (see Attacks on SSL/TLS)
SPA = UID, OTP, CTR, GMAC
  UID  = Universal ID of the SDP client
  OTP  = HMAC[seed || CTR]
  GMAC = E_client_private_key[HMAC[UID || OTP || CTR]]
Each client has an ID, seed, and counter. The counter is incremented, appended to the seed, and hashed. UID, OTP, and CTR (the counter) are sent as clear text. The counter is incremented to mitigate playback attacks. The packet is also signed to provide integrity checking.
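As an added example (not code from the deck or from Vidder), here is a toy model of the SPA packet and the gateway-side checks the slide describes: UID, HOTP-style OTP, counter and signature, with replay rejection via the strictly advancing counter. Assumptions: HMAC-SHA256 for the OTP, an HMAC under a separate per-client signing key standing in for the private-key signature (GMAC), and a 64-bit UID with a 128-bit counter.

```python
import hmac, hashlib

UID_LEN, OTP_LEN, CTR_LEN, TAG_LEN = 8, 32, 16, 32  # 64-bit UID, HMAC-SHA256 OTP, 128-bit CTR, tag
def hotp(seed, ctr_bytes):
    # OTP = HMAC[seed || CTR], HOTP-style, keyed by the client's secret seed (assumed HMAC-SHA256)
    return hmac.new(seed, ctr_bytes, hashlib.sha256).digest()

class SpaClient:  # per-client state from the deck: id, seed, counter (plus a signing key)
    def __init__(self, uid, seed, sign_key):
        self.uid, self.seed, self.sign_key, self.ctr = uid, seed, sign_key, 0

    def next_packet(self):
        self.ctr += 1                                 # counter advances on every packet
        ctr_bytes = self.ctr.to_bytes(CTR_LEN, "big")
        body = self.uid + hotp(self.seed, ctr_bytes) + ctr_bytes   # UID, OTP, CTR sent in clear
        # stand-in for GMAC = E_client_private_key[HMAC[UID || OTP || CTR]]: HMAC under a signing key
        return body + hmac.new(self.sign_key, body, hashlib.sha256).digest()

class SpaGateway:  # checks each SPA packet before any TLS connection is accepted
    def __init__(self):
        self.clients = {}  # uid -> [seed, sign_key, last accepted counter]

    def enroll(self, client):
        self.clients[client.uid] = [client.seed, client.sign_key, 0]

    def verify(self, packet):
        if len(packet) != UID_LEN + OTP_LEN + CTR_LEN + TAG_LEN:
            return "malformed"
        uid, otp = packet[:UID_LEN], packet[UID_LEN:UID_LEN + OTP_LEN]
        ctr_bytes, body, tag = packet[UID_LEN + OTP_LEN:-TAG_LEN], packet[:-TAG_LEN], packet[-TAG_LEN:]
        rec = self.clients.get(uid)
        if rec is None:
            return "unknown id"       # the UID is public and grants nothing by itself
        seed, sign_key, last_ctr = rec
        if not hmac.compare_digest(tag, hmac.new(sign_key, body, hashlib.sha256).digest()):
            return "bad signature"    # integrity failure is visible on this first packet
        ctr = int.from_bytes(ctr_bytes, "big")
        if ctr <= last_ctr:
            return "replay"           # counter must strictly advance (playback mitigation)
        if not hmac.compare_digest(otp, hotp(seed, ctr_bytes)):
            return "bad otp"          # sender knows the public UID but not the secret seed
        rec[2] = ctr                  # commit the counter only after all checks pass
        return "ok"

def demo_pair():
    # constructed fixtures, not real values: fixed seed and signing key, client enrolled at gateway
    client = SpaClient(b"client01", b"\x11" * 16, b"\x22" * 32)
    gw = SpaGateway()
    gw.enroll(client)
    return client, gw
```

The gateway records the counter only after every check passes, so a dropped or tampered packet does not advance it and a captured packet replayed later is rejected.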
Attacks on SSL/TLS

Name             | Date      | Attack                                    | Unauthorized Users | Authorized Users
-----------------|-----------|-------------------------------------------|--------------------|---------------------------
SSLstrip         | Feb 2009  | hop to hops                               | SPA                | No hop
DigiNotar        | Sept 2011 | MitM forged certs                         | SPA                | Pinned certs
BEAST            | Apr 2012  | Java Applet oracle                        | SPA                | Client-based
CRIME            | Sept 2012 | MitM SPDY compression oracle              | SPA                | No compression
Lucky 13         | Feb 2013  | MitM CBC padding oracle                   | SPA                | GCM
TIME             | Mar 2013  | Browser JavaScript timing oracle          | SPA                | Client-based
RC4 biases       | Mar 2013  | MitM RC4 oracle                           | SPA                | No cipher negotiation
BREACH           | Aug 2013  | Website redirect, compression             | SPA                | No redirect or compression
goto fail        | Feb 2014  | MitM counterfeit key via coding error     | SPA                | Pinned dedicated cert
Triple Handshake | Mar 2014  | Server MitM on client cert                | SPA                | Pinned dedicated cert
Heartbleed       | Apr 2014  | OpenSSL bug                               | SPA                | Not single-ended SSL
BERserk          | Sept 2014 | MitM PKCS#1.5 padding                     | SPA                | Not Mozilla NSS
Poodle           | Oct 2014  | MitM SSLv3 oracle                         | SPA                | No cipher negotiation
Poodle++         | Dec 2014  | MitM JavaScript timing oracle             | SPA                | Client-based
FREAK            | Mar 2015  | MitM negotiation of 512-bit key           | SPA                | No key negotiation
Bar-mitzvah      | Mar 2015  | View RC4                                  | SPA                | No RC4
logjam           | May 2015  | MitM downgrade to 512-bit key             | SPA                | No suite negotiation
Current SDP Workgroup Activities
- Supporting DHS contract for a Terabit-scale DDoS solution
- Coordinating development efforts of commercial partners
- Beginning efforts on Version 2: looking for volunteers!!!
Typical Denial of Service (DoS) Attacks
- Application layer: SQL statements that DoS the database. Many false positives punish legitimate users. PrecisionAccess defeats this with no false positives.
- User name/password: compromise or DoS each user. Cannot be stopped with traditional tools. PrecisionAccess defeats this with no users compromised.
- SSL negotiation: a single laptop can DoS a server. Very expensive to stop with traditional tools. PrecisionAccess defeats this with very little effort.
- Bandwidth consumption: >100s of Gbps. Cannot be stopped by do-it-yourself tools. SDP scale-out at AWS mitigates Tbps.
Diagram legend: DIY: WAF & Load Balancer | DoS Protection Service | PA (PrecisionAccess)
National Cyber Security Framework
Attack surfaces: Device Attacks | Internet Attacks | Server Attacks
Controls: File & Memory Protection | Software Defined Perimeter | Behavior Profiling | Server FW+VPN
Threats: Data Theft, RAM Scraping, Credential Theft, Connection Hijacking, Denial of Service, Insider Threats, Server Exploits
SDP Workshop Tuesday Sept 29 2015
Global Beverage Company
Business Objective: Minimize operational costs and maximize flexibility
Vidder SDP Solution:
✓ Secures partner employee access to the required apps
✓ Protects against DDoS and server vulnerability attacks
✓ Brings visibility into which individuals are accessing which applications, from where, and when
✓ Mitigates credential theft and eases password management with transparent MFA
✓ Delivers a single solution for both web-based and fat applications
Diagram: Supply chain partners (browser) -> SDP Controller (AWS) and SDP Gateway -> ERP apps (SAP) in the data center
Chip Design Company
Business Objective: Accelerate the chip design process by leveraging public clouds
Vidder SDP Solution:
✓ Secures design engineers' access to cloud-based environments at customer sites
✓ Single-tenant SDP federates to each customer's IAM
✓ Customer VPC enclaves not reachable from the Internet
✓ Flexible SDP deployment enables dynamic customer use
Diagram: Design engineers (browser, apps) -> SDP Controller (AWS) -> SDP Gateway in each customer VPC enclave (Company A, Company B, Company C)
Global Automotive Company
Business Objective: Enable in-field vehicle upgrades to retain customers and "sell" new features
Vidder SDP Solution:
✓ Vehicle status delivered in a single SPA packet
✓ Provides a common access platform for apps regardless of where they are deployed: in the internal data center or at (multiple) cloud sites
✓ Optimizes the packet path to optimize user experience
Diagram: Vehicles -> SDP Controller (AWS) -> SDP Gateways at each deployment site
Closing comments
- SDP is really simple
- SDP supports a wide range of applications
- SDP is a collaborative effort, so join the team!
Contact Information
Junaid Islam, CTO, Vidder
junaid@vidder.com