CSA SDP Working Group
CSA Conference - Berlin, November 2015
An Open Source Code Project for a Software Defined Perimeter to Defend Cloud Applications from DDoS
DHS Problem
Open Source Software-Defined Perimeter
• Addressing the Changing Perimeter
• Addressing Mitigation & Resilience
• Addressing Monitoring & Logging
Current Solutions are Workarounds
• ID Verification & Packet Inspection
• Does not scale
Current Solutions are Infrequent
• Not On-demand
• Compliance-driven
Current Mitigations are too Complex
• Multiple Point Products
Goals
Open Source Software-Defined Perimeter
• Allow medium-sized orgs. to withstand a 1 Tbps DDoS
• Information Sharing
• Provide Metrics to Measure Performance
In SDP:
• Control & ID Planes are separate
• Redundant components in the cloud
• DDoS Signatures
Monitoring Service & Logging is part of the specification:
• Volume of Data Pushed
• Connection close events
• Number of open connections over a given time interval
• Messages per second being handled
• Message queue sizes
• Etc.
Supports Compliance
CSA & SDP Working Group OWASP Working Groups
SDP – What's Different
• Standardization of the "Need-to-know" access model: deployed with DoD for many years but rarely seen in the commercial world
• Device attestation before authentication: first published by NSA a decade ago but never commercialized
• Mutual TLS (Transport Layer Security): a great idea & standard but not being adopted
Single Packet Authorization
SPA can use RFC 4226 (HOTP).
Single Packet Authorization (SPA) is used to initiate any and all communication.
Benefits:
● "Blackens" the server: The server will not respond to any connections from any clients until they have provided an authentic SPA.
● Mitigates Denial of Service attacks on TLS: Internet-facing servers running the HTTPS protocol are highly susceptible to Denial-of-Service (DoS) attacks. SPA mitigates these attacks because it allows the server to discard the TLS DoS attempts before entering the TLS handshake.
● Attack detection: The first packet to an AH (Accepting Host) from any other host must be an SPA. If an AH receives any other packet, it should be viewed as an attack. Therefore, the SPA enables the SDP to detect an attack from a single malicious packet.
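As an added example (not code from the presentation, and not fwknop's protocol, whose packet format and AES/GnuPG encryption it does not reproduce), the following Python models the exchange this slide describes: the client sends one UDP-sized datagram that is encrypted and HMAC-signed and carries an RFC 4226 HOTP code; the gateway checks the cheap things first, never replies, refuses replays, stale packets and packets whose declared source does not match the real one, and counts every packet that is not a valid SPA as an attack. The names (build_spa, SpaServer), the JSON body layout, the HMAC-SHA256 keystream standing in for a real cipher, the 30-second freshness window, the 3-step HOTP look-ahead and the example keys and addresses are this example's own assumptions.

```python
"""Toy Single Packet Authorization (SPA) with an RFC 4226 HOTP factor.

Added example, not fwknop's protocol: fwknop encrypts with Rijndael/AES or
GnuPG and has its own packet format. Here the "cipher" is an HMAC-SHA256
keystream (an assumed stand-in so the example runs with the standard library
only) and the authenticator is HMAC-SHA256 over the ciphertext (encrypt-then-MAC).
"""
import hashlib
import hmac
import json
import os
import struct
import time

NONCE_LEN, TAG_LEN = 16, 32


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(K, C), C as 8-byte big-endian, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (assumed stand-in for AES)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_spa(enc_key, hmac_key, hotp_secret, client_id, counter, src_ip, dport, now=None):
    """Client side: one datagram = nonce || encrypted body || HMAC tag. Sent over UDP."""
    ts = int(now if now is not None else time.time())
    body = json.dumps({"id": client_id, "ts": ts, "src": src_ip, "port": dport,
                       "ctr": counter, "otp": hotp(hotp_secret, counter)}).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = nonce + _xor(body, _keystream(enc_key, nonce, len(body)))
    return ct + hmac.new(hmac_key, ct, hashlib.sha256).digest()


class SpaServer:
    """Gateway side. Never replies; anything that is not a valid SPA is dropped and counted."""

    def __init__(self, enc_key, hmac_key, clients, window=30, lookahead=3, open_for=30):
        self.enc_key, self.hmac_key = enc_key, hmac_key
        self.clients = clients            # client_id -> {"secret": bytes, "counter": last used}
        self.window, self.lookahead, self.open_for = window, lookahead, open_for
        self.seen_tags = set()            # replay cache of accepted tags
        self.attacks = 0                  # metric: first packet from a host was not a valid SPA

    def handle(self, datagram: bytes, src_ip: str, now=None):
        """Returns (src_ip, port, expires_at) for the firewall, or None (silently dropped)."""
        now = now if now is not None else time.time()
        # 1. cheapest checks first, so a flood is discarded before any decryption
        if len(datagram) < NONCE_LEN + TAG_LEN:
            return self._reject()
        ct, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        if not hmac.compare_digest(hmac.new(self.hmac_key, ct, hashlib.sha256).digest(), tag):
            return self._reject()
        if tag in self.seen_tags:
            return self._reject()         # replayed SPA
        # 2. decrypt and parse
        nonce, enc_body = ct[:NONCE_LEN], ct[NONCE_LEN:]
        try:
            msg = json.loads(_xor(enc_body, _keystream(self.enc_key, nonce, len(enc_body))))
        except ValueError:
            return self._reject()
        if not isinstance(msg, dict):
            return self._reject()
        # 3. known client, fresh timestamp, and the declared source must be the real one
        client = self.clients.get(msg.get("id"))
        if client is None or abs(now - msg["ts"]) > self.window or msg["src"] != src_ip:
            return self._reject()
        # 4. HOTP factor: counter must advance, within a small look-ahead (RFC 4226 section 7.4)
        ctr = msg["ctr"]
        if not client["counter"] < ctr <= client["counter"] + self.lookahead:
            return self._reject()
        if not hmac.compare_digest(hotp(client["secret"], ctr), msg["otp"]):
            return self._reject()
        client["counter"] = ctr
        self.seen_tags.add(tag)
        return (src_ip, msg["port"], int(now) + self.open_for)

    def _reject(self):
        self.attacks += 1
        return None
```

The order of checks is the point: length and HMAC are verified before any decryption or HOTP work, so a flood of junk datagrams costs the gateway one MAC each, and the caller is expected to feed an accepted (src_ip, port, expires_at) tuple to the firewall and nothing to the client.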
Mutual Transport Layer Security
Provides device authentication prior to enabling confidential communication over the Internet. Typical TLS usage does not authenticate clients to servers; mutual TLS is two-way cryptographic authentication.
Benefits:
● Device Authentication: The connections between all hosts must use TLS or Internet Key Exchange (IKE) with mutual authentication to validate the device as an authorized member of the SDP prior to further device validation and/or user authentication.
● Disallows forged certificates: The root certificate for both the TLS (IPsec) client and server will be pinned to a known valid root and should not consist of the hundreds of root certificates trusted by most consumer browsers. This mitigates impersonation attacks whereby an attacker can forge a certificate from a compromised certificate authority.
● Disallows Man-in-the-middle attacks: The TLS (IPsec) server shall use Online Certificate Status Protocol (OCSP) response stapling as defined by the IETF working draft "X.509v3 Extension: OCSP Stapling Required" (draft-hallambaker-muststaple-00), which references the stapling implementation in RFC 4366 "Transport Layer Security (TLS) Extensions". OCSP response stapling mitigates DoS attacks on the OCSP responders and also mitigates man-in-the-middle attacks that replay obsolete OCSP responses issued before the server certificate was revoked.
Open source SDP - Anti-DDoS Assumptions
• Easy to spoof millions of IP addresses
• Not as easy to spoof millions of phone numbers or authenticated devices
• Stack multiple factors together to verify access
[Architecture diagram: an SDP Controller backed by an ABAC/Authorization Service, a Geo Location Service, an IdP (AD) Service and a PKI/Authentication Service; a Trusted Client with Fingerprint, Token, Identity Verification and Geo Location Verification; protected hosts (Critical Servers, Internet-facing Servers, Cyber Command & Control Servers, Application Servers); Mutual TLS shown on both the CONTROL and DATA paths, plus an ACCESS path.]
Use Case Benefits
False credential – IRS (stealing tax refunds): If a hacker tried to impersonate a tax filer, their device ID would not match the filer's name, thus no access would be granted.
Stolen credential – OPM (stealing employee files): If an attacker stole a credential it would not work, as the device ID would be different. Hackers could try to re-onboard themselves, but their device ID would be wrong, thus no access.
APT – Titan Rain (device breach): SDP does not stop APT data theft from the device at the network layer. However, SDP could be used to ensure that encrypted data is only accessible on the user's device (if the key management system were only accessible via an SDP).
Use Case Benefits
Bandwidth Denial of Service: SDP would make it impossible for foreign spies to conduct remote surveillance on systems. Foreign governments could mount an APT attack on a single user, but their visibility would be limited to what that user could see.
1. All Internet-facing servers of US government sites are hidden by the SDP gateway (i.e. default drop all packets).
2. Internet users who desire access to a protected site are on-boarded with a unique ID (e.g. client CERT, encryption keys, etc.).
3. The info in the unique SPA packet must match the ID of the user. This is the key that opens the gateway to the client (i.e. a port on the firewall).
4. When users wish to access a protected site they click on the SDP client on their personal device.
5. If the device and user identity are valid, the users are granted access. (The IP address can be verified to match the stored location for dedicated clients.)
System Layout
[Diagram: Linux Server (CentOS) running iptables (DROP ALL) and fwknop in front of Apache (hosting PantherGUI); two Events feeds go to the Panther Monitor.]
Server Cannot be Scanned
nmap port scan:
Nmap scan report for x.x.x.x
Host is up (0.033s latency).
All 65535 scanned ports on x.x.x.x are filtered
Attempt to Reach Website
HTTPS Request (want to see PantherGUI site)
Website Unreachable
HTTPS Request (want to see PantherGUI site): STOP
Listing rules in fwknopd iptables chains...
Chain FWKNOP_INPUT (1 references)
num  target  prot opt source  destination
iptables has no rule to allow access to this machine
SPA – The Magic Word
SPA Packet
Single Packet Authorization (SPA)
• UDP
• Encrypted
• Cryptographically Signed
Listing rules in fwknopd iptables chains...
Chain FWKNOP_INPUT (1 references)
num  target  prot opt source  destination
Gateway Answers the Door…
SPA Packet
fwknop adds a rule to iptables to allow only that machine and only on the desired port
Listing rules in fwknopd iptables chains...
Chain FWKNOP_INPUT (1 references)
num  target  prot opt source   destination
1    ACCEPT  tcp  --  X.X.X.X  0.0.0.0/0    tcp dpt:443 /* _exp_1446756830 */
Gateway Answers the Door…Quietly
SPA Packet
NOTE: The server does not send any response to the requestor.
Listing rules in fwknopd iptables chains...
Chain FWKNOP_INPUT (1 references)
num  target  prot opt source   destination
1    ACCEPT  tcp  --  X.X.X.X  0.0.0.0/0    tcp dpt:443 /* _exp_1446756830 */
Attempt to Reach Website Again
HTTPS Request (want to see PantherGUI site)
Listing rules in fwknopd iptables chains...
Chain FWKNOP_INPUT (1 references)
num  target  prot opt source   destination
1    ACCEPT  tcp  --  X.X.X.X  0.0.0.0/0    tcp dpt:443 /* _exp_1446756830 */
Mutual TLS Session Established
Apache is now reachable, BUT… Apache requires a client certificate, making this a Mutual TLS (MTLS) session
Listing rules in fwknopd iptables chains...
Chain FWKNOP_INPUT (1 references)
num  target  prot opt source   destination
1    ACCEPT  tcp  --  X.X.X.X  0.0.0.0/0    tcp dpt:443 /* _exp_1446756830 */
Client Certificate Required
Multifactor Authentication – client certificate (something I have) combined with username and password (something I know)
Gateway Removes Expired Firewall Rule
• The firewall rule is removed seconds after it was created
• The MTLS session persists while the firewall is dark once again
Listing rules in fwknopd iptables chains...
Chain FWKNOP_INPUT (1 references)
num  target  prot opt source  destination
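The walkthrough above, condensed into an added Python model of the gateway's firewall behaviour (this is not fwknopd or iptables code and runs no iptables commands): a default-DROP chain that answers nothing, so a scan sees every port as filtered; an ACCEPT rule inserted for one source and one port with an _exp_ expiry comment; a stateful entry that keeps the already-established MTLS flow alive after that rule is gone; and a small event feed of the kind the Monitoring & Logging slide lists (open connections, connection close events). The class and function names, the 30-second rule lifetime, the example addresses and the event layout are assumptions of this example.

```python
"""Gateway firewall lifecycle behind SPA, as shown in the walkthrough.

Added example that models what iptables + fwknopd do on the CentOS gateway;
it runs no iptables commands. Names, addresses and the event layout are
this example's own assumptions.
"""
from dataclasses import dataclass, field

DROP, ACCEPT = "DROP", "ACCEPT"


@dataclass
class Rule:
    src: str
    dport: int
    expires: int          # fwknopd marks its rules with a comment like /* _exp_<epoch> */


@dataclass
class Gateway:
    rule_ttl: int = 30                               # seconds an SPA-granted rule lives (assumed)
    chain: list = field(default_factory=list)        # the FWKNOP_INPUT chain
    conntrack: set = field(default_factory=set)      # (src, sport, dport) of accepted flows
    events: list = field(default_factory=list)       # what a monitor such as Panther would receive

    def list_rules(self):
        """Mimics the fwknopd chain listing for the rules currently in the chain."""
        return [f"ACCEPT tcp -- {r.src} 0.0.0.0/0 tcp dpt:{r.dport} /* _exp_{r.expires} */"
                for r in self.chain]

    def grant(self, src, dport, now):
        """Called only after a valid SPA: allow this one host on this one port."""
        self.chain.append(Rule(src, dport, now + self.rule_ttl))
        self.events.append(("spa_accept", src, dport))

    def expire(self, now):
        """fwknopd's timer: remove rules whose _exp_ time has passed."""
        keep = [r for r in self.chain if r.expires > now]
        removed = len(self.chain) - len(keep)
        self.chain = keep
        if removed:
            self.events.append(("rule_expired", removed))
        return removed

    def packet(self, src, sport, dport, syn, now):
        """Verdict for one TCP packet. Default policy is DROP: no RST, no ICMP."""
        self.expire(now)
        flow = (src, sport, dport)
        if flow in self.conntrack:
            return ACCEPT                            # ESTABLISHED: survives the rule's removal
        if syn and any(r.src == src and r.dport == dport for r in self.chain):
            self.conntrack.add(flow)                 # NEW connection matched the SPA-granted rule
            return ACCEPT
        self.events.append(("drop", src, dport))     # a scanner sees this port as "filtered"
        return DROP

    def close(self, src, sport, dport):
        self.conntrack.discard((src, sport, dport))
        self.events.append(("conn_close", src, dport))

    def metrics(self):
        """Counters of the kind the SDP monitoring service is expected to expose."""
        kinds = [e[0] for e in self.events]
        return {"open_connections": len(self.conntrack),
                "spa_accepts": kinds.count("spa_accept"),
                "drops": kinds.count("drop"),
                "conn_closes": kinds.count("conn_close"),
                "rules_expired": kinds.count("rule_expired")}


def walkthrough():
    """Replays the slides: scan, blocked HTTPS, SPA, HTTPS allowed, rule expiry, session persists."""
    gw = Gateway(rule_ttl=30)
    t0 = 1446756800                                  # chosen so the rule reads _exp_1446756830
    client, scanner = "203.0.113.5", "198.51.100.9"  # documentation addresses (constructed)
    v = {}
    v["scan"] = {gw.packet(scanner, 40000 + p, p, True, t0) for p in (22, 80, 443)}
    v["https_before_spa"] = gw.packet(client, 51000, 443, True, t0)
    gw.grant(client, 443, t0)                        # a valid SPA was received and verified upstream
    v["rules_after_spa"] = gw.list_rules()
    v["https_after_spa"] = gw.packet(client, 51001, 443, True, t0 + 1)
    v["other_host_same_port"] = gw.packet(scanner, 51002, 443, True, t0 + 1)
    gw.expire(t0 + 31)
    v["rules_after_expiry"] = gw.list_rules()
    v["established_after_expiry"] = gw.packet(client, 51001, 443, False, t0 + 40)
    v["new_syn_after_expiry"] = gw.packet(client, 51003, 443, True, t0 + 40)
    gw.close(client, 51001, 443)
    v["metrics"] = gw.metrics()
    return v
```

The two verdicts that matter are the last ones: once the ACCEPT rule has expired, a packet on the flow that was accepted while the rule existed is still ACCEPTed (the ESTABLISHED state carries the MTLS session), but a fresh SYN from the very same host is DROPped again until it sends another SPA.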
Hard Problems to Solve
• Filtering – need to drop packets fast
• APIs between Components
• Using existing Open Source Components
Identify, quantify, prioritize & know how to mitigate your dynamic cyber risk every day.
Juanita Koilpillai, 571-246-6182