SYMANTEC CONSIDERATIONS ON MIDDLEBOXES 12 th OF JUNE 2018 @ETSI SECURITY WEEK 2018

Posted on 23-Mar-2020

Page 1: SYMANTEC CONSIDERATIONS ON MIDDLEBOXES · DIGITAL SERVICE PROVIDERS 20 CSP Communication Service Providers NEP Network Equipment Providers GSI Global System Integrators OTT Over The

SYMANTEC CONSIDERATIONS ON MIDDLEBOXES

12th OF JUNE 2018

@ETSI SECURITY WEEK 2018

Page 2:

SYMANTEC AGENDA TODAY

WHICH MODEL FOR SECURITY AND PRIVACY?

IS A CONSENSUS REACHABLE? LET’s BE “PATIENT”

PRACTICAL CONSIDERATIONS FOR THE ICT?


ANNEX

Page 3:

WHICH MODEL FOR SECURITY AND PRIVACY?

Page 4:

Copyright © 2018 Symantec Corporation

SECURITY AND PRIVACY

Diagram (the model reused on the following slides): USER DEVICE OR THING; IMPLICIT OR EXPLICIT DIGITAL PERSONA; EXPERIENCE / APP / CAPABILITY; « NETWORK INFRASTRUCTURE »; « CLOUD » / « INTERNET »; USER EXPERIENCE; « SESSIONS »; SERVICE; DATALAKES.

Page 5:

THE INTERCEPTION LANDSCAPE

Diagram: the same model (USER DEVICE OR THING; IMPLICIT OR EXPLICIT DIGITAL PERSONA; EXPERIENCE / APP / CAPABILITY; « NETWORK INFRASTRUCTURE »; « CLOUD » / « INTERNET »; USER EXPERIENCE; « SESSIONS »; SERVICE; DATALAKES), annotated with the threats and protections that sit on the path:

• SECURITY ATTACKS (DEVICE / IDENTITY / BROWSER / APP / NETWORK / INFORMATION etc.)
• VAST MISMATCH BETWEEN USER CONSENT UNDERSTANDING vs DIGITAL PERSONA CONSENT REALITY
• SOCIAL ENGINEERING ATTACKS
• LAWFUL INTERCEPTION
• MAN IN THE MIDDLE INTERCEPTION ATTACK
• BACKDOORS
• MASS SURVEILLANCE / CENSORSHIP
• DATA BREACHES / SECURITY BREACHES
• BUSINESS INTERCEPTION
• REGULATORY FRAMEWORK (e.g. GDPR)
• END POINT AND INFORMATION PROTECTION
• DIGITAL PERSONA PROTECTION
• CLOUD SECURITY
• OTHER MIDDLEBOXES FUNCTIONS

Page 6:

« PROTOCOLS » WE MISS

Diagram: the same model (USER DEVICE OR THING; IMPLICIT OR EXPLICIT DIGITAL PERSONA; EXPERIENCE / APP / CAPABILITY; « NETWORK INFRASTRUCTURE »; « CLOUD » / « INTERNET »; USER EXPERIENCE; « SESSIONS »; SERVICE; DATALAKES), with the missing protocols placed on it:

• MIDDLEBOX COLLABORATION PROTOCOL
• N-WAY RESPECTFUL INTERCEPTION PROTOCOL
• OFF BOUND UNIFIED SECURITY HUB PROTOCOL
• A REAL PROTOCOL FOR PRIVACY
• A REAL DIGITAL HUMANITIES « PROTOCOL »

Page 7:

CONCLUSION 1

• LET’s BE REAL: WE MISS A LOT IN THE LONG TERM
• WAY BEYOND « JUST » AN N-WAY PROTOCOL

Page 8:

HOW TO REACH A CONSENSUS? LET’s BE “PATIENT”

Page 9:

Half of All Web Connections Are Now Encrypted (2017)

Page 10:

Half of All Web.... Attacks.... Are Now Encrypted (2017)

Page 11:

CLASSIC SECURITY & PRIVACY MODEL

Diagram labels: Alice; Bob; Eve.

Page 12:

EQUALLY COMMON
• BOB IS IN THE CLOUD
• CAN I TRUST THIS SITE?
  • IT MIGHT BE COMPROMISED
  • STILL I WANT OR NEED TO WORK WITH IT
• THE REMOTE SITE MIGHT
  • HELP ME
  • HACK ME
  • PROFILE AND TRACK ME
• AND MY ENDPOINT MAY NOT HAVE ENOUGH PROTECTION

Page 13:

How? Protection: Classic Approach

Diagram labels: Al or Alice; M.B.G.; Protection.

Middlebox terminates & initiates independent TLS sessions.

Most Middleboxes negotiate weaker “least Common Denominator” Crypto. Endpoint doesn’t know.

Reference: Durumeric, Ma, Springall, Barnes, Sullivan, Bursztein, Bailey, Halderman, Paxson, “The Security Impact of HTTPS Interception,” Network and Distributed System Security Symposium (NDSS 2017).
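Because the middlebox opens its own upstream TLS session, the ClientHello a server sees is the middlebox's, not the browser's; the cited NDSS 2017 paper exploits exactly that mismatch to measure interception from the server side. The following is an added illustration, not code from the slides or the paper: the browser profiles and the middlebox ClientHello are constructed, and real fingerprints would also cover extensions and curves, not cipher suites alone.

```python
from dataclasses import dataclass

# Constructed, simplified "expected ClientHello" profile per browser family
# (cipher suites in the order the browser is assumed to advertise them).
BROWSER_PROFILE = {
    "Chrome": [
        "TLS_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
        "TLS_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
}

# Constructed ClientHello as re-originated by a middlebox that negotiates
# "least common denominator" crypto with the server.
MIDDLEBOX_HELLO = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

WEAK_MARKERS = ("RC4", "3DES", "EXPORT", "NULL", "MD5")


def is_weak(suite: str) -> bool:
    """Legacy algorithm, or static RSA key exchange (no forward secrecy)."""
    if any(marker in suite for marker in WEAK_MARKERS):
        return True
    tls13 = suite.startswith(("TLS_AES_", "TLS_CHACHA20_"))  # TLS 1.3: always (EC)DHE
    return not (tls13 or "DHE" in suite)


@dataclass
class Verdict:
    intercepted: bool   # suites on the wire differ from the claimed browser's profile
    downgraded: bool    # ...and the interceptor offers suites the browser would not
    weak_suites: list


def assess_client_hello(browser_family: str, offered_suites: list) -> Verdict:
    """Compare the suites seen on the wire with what the claimed browser would send."""
    expected = BROWSER_PROFILE.get(browser_family)
    if expected is None:
        return Verdict(False, False, [])  # no profile to compare against: no claim
    intercepted = list(offered_suites) != expected  # set and order both matter
    weak = [s for s in offered_suites if is_weak(s)]
    return Verdict(intercepted, intercepted and bool(weak), weak)
```

The endpoint itself still cannot tell, which is the slide's point; this check only helps the server operator see that a middlebox is on the path and whether it weakened the crypto.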

Page 14:

How? Protection: Alternative Approach

Diagram labels: Al or Alice; M.B.G.

Al or Alice delegate protection (most commonly to more powerful devices) by sending ephemeral or symmetric keys.

Naylor, Li, Gkantsidis, Karagiannis, & Steenkiste propose to leverage SGX to help make this safer.

References in speaker notes…

Page 15:

What? MITM?? Isn’t that dangerous?!? What Could Possibly Go Wrong? What goes wrong today?

Classic
• Middleboxes (MB) often negotiate weaker crypto
• No end2end integrity protection
• MB could get hacked
• Risk decryption to block attacks+
• No cryptographic attestation of MB identity, policies, etc.
• Endpoint completely lacks visibility into upstream MB

Current Alternative
• Still lacks end2end integrity
• MB could still get hacked
• Risk decryption to block attacks+
• No cryptographic attestation of MB identity, policies, etc.

+ Of course, such decryption is crucial not only for blocking attacks in real-time, but also for post-facto forensic investigation and remediation of successful attacks, along with regulatory compliance verification, and much more.

Page 16:

What Could Possibly Go Wrong? (same Classic and Current Alternative lists as on the previous slide, with the added conclusion:)

A good protocol could address these.

Page 17:

CONCLUSION 2

• THE PATH FOR A CONSENSUS IS VERY NARROW BUT NOT NULL
• PATIENT = PROTECTION AGAINST ATTACKS TUNNELING IN ENCRYPTED TRAFFIC
• STATUS = SYMANTEC WORKING ON AN AWARENESS CAMPAIGN FIRST, PREPARING COMING BACK TO IETF

Page 18:

Thank You!

Page 19:

PRACTICAL ARCHITECTURAL CONSIDERATIONS FOR THE ICT

Page 20:

NOT ‘TELCOs’ AS DEFINED 20 YEARS AGO!

STRONG NEED FOR NEW DEFINITIONS

BEING DISCUSSED WITH ITU SG2

DIGITAL SERVICE PROVIDERS

• CSP (Communication Service Providers): ATT, Verizon, DT, BT, Orange, NTT, Airtel, MVNOs, Tier1, Tier2, Tier3
• NEP (Network Equipment Providers): Huawei, Ericsson, ZTE, Nokia, Converse, etc.
• GSI (Global System Integrators): HP, IBM, Fujitsu, Accenture, PwC, etc.
• OTT (Over The Top): Google, Facebook, Apple, Microsoft, SFDC, etc.
• ASP (Application Service Providers)
• ISP (Infrastructure Service Providers): Amazon, Microsoft, Cyxtera, etc.
• MSP (Managed Service Providers): 3’000 MSP in Germany, 1’000 in France, etc.
• CSB (Cloud Service Brokers): AppDirect, Netcracker (NEC), Infonova, etc.
• ENT SP (Enterprise Service Providers): HSBC, Credit Suisse, GM, Toyota, etc.

MASSIVE CO-COMPETITION

IOT IS EVERYWHERE

Page 21:

DIGITAL TRANSFORMATION FOR CSPs, AND THIS IS THE EASY PART

Diagram 1 (today): END CUSTOMER “PREMISE” (SMB, RES, ENT; CPE (BOX), CPE (UTM), CPE (MPLS); WIFI, RADIO) → ACCESS NETWORK → CORE NETWORK → DC1, DC2, DC3, DCN → INTERNET / CLOUDS, all under COMMUNICATION SERVICE PROVIDER AND NEW SERVICE PROVIDERS.

Diagram 2 (after digitalisation): the same premise side plus IoT and M2M, “BUS” LOW ENERGY NETWORKS, and SMB SP*, feeding INTERNET / CLOUDS; the provider side is redrawn as layers MANAGEMENT, TRANSPORT, CLOUD INFRASTRUCTURE, ACCESS, APPLICATIONS, labelled DIGITALISATION, with 5G, SDN and NFV.

Page 22:

LET’S TAKE AN EXAMPLE WITH CSPs: HOW TO MODEL DSPs?

Page 23:

SHOULD EVERY CAPABILITY BE A VF OR A VNF? HOW TO MAP SECURITY IN THE NEAR FUTURE

Diagram (CSP reference architecture with security placements): END CUSTOMERS (CRITICAL INFRASTRUCTURES, LARGE ENTERPRISES, MEDIUM BUSINESS, SMALL BUSINESS, CONSUMERS, IOT) → CUSTOMER PREMISE EQUIPMENT → ACCESS NETWORK → CORE NETWORK → IT DATA CENTERS → INTER-CONNECT AND BACKHAULS / PEER INTER-CONNECT AND BACKHAULS → "CLOUDs" / CLOUD / "INTERNET"; spanning the top, DSP MANAGEMENT LAYER (OSS/BSS) AND CARRIER GRADE ENABLERS (AAA, etc.), LEGACY INFRASTRUCTURE MOVING TO SDN/NFV, A WORLD OF LOCAL DATA LAKES, DIGITAL SERVICE PROVIDERS ECOSYSTEM.

Security elements placed on the diagram: "S" ("S" for security on premise whatever it is, not restricted to endpoint security), LOCAL UNIFIED SECURITY HUB, SECURITY VF and VNFs, CARRIER GRADE POLICY MANAGER, CARRIER GRADE SECURITY AND PRIVACY MIDDLEBOXES, MANAGED SERVICES SECURITY AND PRIVACY MIDDLEBOX, SECURE vCPE, SS7 MIDDLEBOX, SDWAN, CLOUD BASED SECURITY = GLOBAL UNIFIED SECURITY.

Annotations: The Mass Market "barrier"; Moving down the segment is not "a straight line".

How could we safely do network based protection against attacks tunneling in encrypted network traffic, without constraining end-to-end routing?

If each MB had a hardware-backed Trusted Execution Environment (TEE), then perhaps endpoints could choose to trust MB services dynamically migrating from TEE to TEE as orchestrated by Software Defined Networking (SDN), or Network Function Virtualization (NFV).

Page 24:

BIG MISS – POTENTIAL FUTURE MB CAPABILITIES

Page 25:

CONCLUSION 3

• A LOT IS AT STAKE TO TRULY
  • MAKE THIS WORLD SAFER AND MORE PRIVATE
  • AND NOT MAKE THIS WORLD MORE PRIVATE AND LESS SAFE
• DSPs ARE THE PLATFORM TO REACH TO ALL SEGMENTS
• DSPs SHOULD ENGAGE MUCH MORE PROACTIVELY IN THE DEBATE
• BUT DO THEY RECOGNIZE THE PROBLEM AND THEIR OWN ROLE?