TRANSCRIPT
SYMANTEC CONSIDERATIONS ON MIDDLEBOXES
12th OF JUNE 2018
@ETSI SECURITY WEEK 2018
SYMANTEC AGENDA TODAY
WHICH MODEL FOR SECURITY AND PRIVACY?
IS A CONSENSUS REACHABLE? LET’s BE “PATIENT”
PRACTICAL CONSIDERATIONS FOR THE ICT?
ANNEX
WHICH MODEL FOR SECURITY AND PRIVACY?
Copyright © 2018 Symantec Corporation
SECURITY AND PRIVACY
[Diagram: the security and privacy model. Layers shown: user device or thing; implicit or explicit digital persona; experience / app / capability; « network infrastructure », « cloud » / « internet »; user experience; « sessions » service; data lakes.]
THE INTERCEPTION LANDSCAPE
[Diagram: the same model (user device or thing; implicit or explicit digital persona; experience / app / capability; « network infrastructure », « cloud » / « internet »; user experience; « sessions » service; data lakes) overlaid with the interception landscape.]
Callout: vast mismatch between user consent understanding vs digital persona consent reality.
Labels shown on the diagram:
• Security attacks (device / identity / browser / app / network / information etc.)
• Social engineering attacks
• Lawful interception
• Man in the middle interception attack
• Backdoors
• Mass surveillance / censorship
• Data breaches, security breaches
• Business interception
• Regulatory framework (e.g. GDPR)
• End point and information protection
• Digital persona protection, cloud security
• Other middleboxes functions
« PROTOCOLS » WE MISS
[Diagram: the same model annotated with the protocols listed below.]
• Middlebox collaboration protocol
• N-way respectful interception protocol
• Off bound unified security hub protocol
• A real protocol for privacy
• A real digital humanities « protocol »
CONCLUSION 1
• LET’s BE REAL: WE MISS A LOT IN THE LONG TERM
• WAY BEYOND « JUST » AN N-WAY PROTOCOL
HOW TO REACH A CONSENSUS? LET’s BE “PATIENT”
Half of All Web Connections Are Now Encrypted (2017)
Half of All Web.... Attacks.... Are Now Encrypted (2017)
CLASSIC SECURITY & PRIVACY MODEL
[Diagram: Alice and Bob communicating, with Eve in the picture.]
EQUALLY COMMON
• BOB IS IN THE CLOUD
• CAN I TRUST THIS SITE?
• IT MIGHT BE COMPROMISED
• STILL I WANT OR NEED TO WORK WITH IT
• THE REMOTE SITE MIGHT
  • HELP ME
  • HACK ME
  • PROFILE AND TRACK ME
• AND MY ENDPOINT MAY NOT HAVE ENOUGH PROTECTION
HOW? PROTECTION: CLASSIC APPROACH
[Diagram: Al or Alice, with a middlebox (M.B.G.) in the path.]
• Middlebox terminates & initiates independent TLS sessions.
• Most middleboxes negotiate weaker “least common denominator” crypto.
• Endpoint doesn’t know.
Reference: “The Security Impact of HTTPS Interception,” Durumeric, Ma, Springall, Barnes, Sullivan, Bursztein, Bailey, Halderman, Paxson, in Network and Distributed System Security Symposium (NDSS 2017).
HOW? PROTECTION: ALTERNATIVE APPROACH
[Diagram: Al or Alice, with a middlebox (M.B.G.) in the path.]
• Al or Alice delegate protection (most commonly to more powerful devices) by sending ephemeral or symmetric keys.
• Naylor, Li, Gkantsidis, Karagiannis, & Steenkiste propose to leverage SGX to help make this safer.
References in speaker notes…
What? MITM?? Isn’t that dangerous?!?
What Could Possibly Go Wrong? What goes wrong today?
Classic
• Middleboxes (MB) often negotiate weaker crypto
• No end2end integrity protection
• MB could get hacked
• Risk decryption to block attacks+
• No cryptographic attestation of MB identity, policies, etc.
• Endpoint completely lacks visibility into upstream MB
Current Alternative
• Still lacks end2end integrity
• MB could still get hacked
• Risk decryption to block attacks+
• No cryptographic attestation of MB identity, policies, etc.
A good protocol could address these.
+ Of course, such decryption is crucial not only for blocking attacks in real-time, but also for post-facto forensic investigation and remediation of successful attacks, along with regulatory compliance verification, and much more.
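The classic approach slide says the middlebox terminates the TLS session, negotiates “least common denominator” crypto and the endpoint doesn’t know; the lists above add that the endpoint has no visibility into the upstream MB. The check below is an added example of what an endpoint can still observe on its own session to surface those signals; it is not code from the deck or from Symantec. It assumes OpenSSL-style cipher suite names, and the session records, the expected-issuer table, the accepted-version set and the weak-token list are constructed for illustration.

```python
"""Endpoint-side check for TLS interception signals.

Added example, not from the slide deck or from Symantec: it takes the
parameters an endpoint can observe on its own TLS session (negotiated
protocol version, cipher suite, issuer of the leaf certificate) and flags
the conditions the deck lists for the classic middlebox approach:
"least common denominator" crypto and a session that does not actually
end at the intended site. All session records and issuer names below are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Protocol versions this endpoint is willing to accept (assumption).
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}

# Key-exchange prefixes that give forward secrecy in OpenSSL-style names.
FORWARD_SECRET_KEX = ("ECDHE", "DHE")

# Cipher-name tokens treated as weak (assumption); SHA-1 is handled separately
# because OpenSSL names it with a bare trailing "SHA" token.
WEAK_TOKENS = ("RC4", "DES", "CBC3", "NULL", "EXPORT", "MD5")


@dataclass
class TlsSession:
    """What an endpoint sees after the handshake (constructed records)."""
    host: str
    version: str      # e.g. "TLSv1.3"
    cipher: str       # OpenSSL-style cipher suite name
    leaf_issuer: str  # issuer common name of the leaf certificate


def cipher_weaknesses(cipher: str) -> List[str]:
    """Return findings about a cipher suite name, empty if none."""
    findings: List[str] = []
    tokens = re.split(r"[-_]", cipher.upper())
    # TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) always use ephemeral DH;
    # for older suites the first token names the key exchange.
    is_tls13 = tokens[0] == "TLS"
    if not is_tls13 and tokens[0] not in FORWARD_SECRET_KEX:
        findings.append(f"no forward secrecy (static key exchange): {cipher}")
    for tok in WEAK_TOKENS:
        if tok in tokens:
            findings.append(f"weak primitive {tok} in {cipher}")
    if tokens[-1] == "SHA":
        findings.append(f"SHA-1 MAC in {cipher}")
    return findings


def assess_session(s: TlsSession, expected_issuers: Dict[str, Set[str]]) -> List[str]:
    """Collect interception signals for one session.

    expected_issuers maps a host to the issuer names the endpoint expects
    for it (a pinning-style expectation kept by the endpoint, assumption).
    A certificate that validates against the local trust store but comes
    from an unexpected issuer is the signature of a middlebox that
    terminates the session and re-signs the site's identity.
    """
    findings: List[str] = []
    if s.version not in ACCEPTED_VERSIONS:
        findings.append(f"downgraded protocol version {s.version}")
    findings.extend(cipher_weaknesses(s.cipher))
    if s.leaf_issuer not in expected_issuers.get(s.host, set()):
        findings.append(
            f"leaf certificate for {s.host} issued by {s.leaf_issuer!r}, "
            "not an expected issuer: session may terminate at a middlebox"
        )
    return findings


# Constructed expectation and sample sessions.
EXPECTED_ISSUERS: Dict[str, Set[str]] = {"example.com": {"Example Public CA"}}

DIRECT = TlsSession("example.com", "TLSv1.3", "TLS_AES_256_GCM_SHA384",
                    "Example Public CA")
INTERCEPTED = TlsSession("example.com", "TLSv1.0", "AES128-SHA",
                         "Corp Proxy CA")


def main() -> None:
    for s in (DIRECT, INTERCEPTED):
        findings = assess_session(s, EXPECTED_ISSUERS)
        verdict = "interception signals" if findings else "looks end-to-end"
        print(f"{s.host} via {s.version} / {s.cipher}: {verdict}")
        for f in findings:
            print("  -", f)


if __name__ == "__main__":
    main()
```

On a real endpoint the three session fields would come from the connected socket (in Python, `ssl.SSLSocket.version()`, `cipher()` and `getpeercert()`). The issuer comparison is the important part: an interception proxy whose root has been installed on the device passes normal trust-store validation, which is exactly why the deck says the endpoint doesn’t know; comparing against the issuer the endpoint expects for that host is what makes the re-signed identity visible.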
CONCLUSION 2
• THE PATH FOR A CONSENSUS IS VERY NARROW BUT NOT NULL
• PATIENT = PROTECTION AGAINST ATTACKS TUNNELING IN ENCRYPTED TRAFFIC
• STATUS = SYMANTEC WORKING ON AN AWARENESS CAMPAIGN FIRST, PREPARING COMING BACK TO IETF
Thank You!
PRACTICAL ARCHITECTURAL CONSIDERATIONS FOR THE ICT
NOT ‘TELCOs’ AS DEFINED 20 YEARS AGO!
STRONG NEED FOR NEW DEFINITIONS
BEING DISCUSSED WITH ITU SG2
DIGITAL SERVICE PROVIDERS
Categories:
• CSP: Communication Service Providers
• NEP: Network Equipment Providers
• GSI: Global System Integrators
• OTT: Over The Top
• ASP: Application Service Providers
• ISP: Infrastructure Service Providers
• MSP: Managed Service Providers
• CSB: Cloud Service Brokers
• ENT SP: Enterprise Service Providers
Examples given on the slide, in order:
• ATT, Verizon, DT, BT, Orange, NTT, Airtel, MVNOs, Tier1, Tier2, Tier3
• Huawei, Ericsson, ZTE, Nokia, Converse, etc.
• HP, IBM, Fujitsu, Accenture, PwC, etc.
• Google, Facebook, Apple, Microsoft, SFDC, etc.
• Amazon, Microsoft, Cyxtera, etc.
• 3’000 MSP in Germany, 1’000 in France, etc.
• AppDirect, Netcracker (NEC), Infonova, etc.
• HSBC, Credit Suisse, GM, Toyota, etc.
MASSIVE CO-COMPETITION
IOT IS EVERYWHERE
DIGITAL TRANSFORMATION FOR CSPs: AND THIS IS THE EASY PART
[Diagram, two views: customer segments (SMB, RES, ENT; IoT added in the second view) connect via CPE (BOX), CPE (UTM), CPE (MPLS), end customer “premise” WiFi and radio, through the access network and core network to data centers DC1, DC2, DC3, DCN and the internet / clouds, under the heading communication service provider and new service providers. The second view adds M2M, “bus” and low energy networks, an SP* layer, and the stack management, transport, cloud infrastructure, access, applications under the heading digitalisation, with 5G, SDN and NFV.]
LET’S TAKE AN EXAMPLE WITH CSPs: HOW TO MODEL DSPs?
SHOULD EVERY CAPABILITY BE A VF OR A VNF?
HOW TO MAP SECURITY IN THE NEAR FUTURE?
[Diagram: end customers (critical infrastructures, large enterprises, medium business, small business, consumers, IoT) with customer premise equipment; access network; core network; IT data centers; inter-connect and backhauls; peer inter-connect and backhauls "clouds"; DSP management layer (OSS/BSS) and carrier grade enablers (AAA, etc.); legacy infrastructure moving to SDN/NFV; a world of local data lakes; the mass market "barrier"; local unified security hub; cloud / "internet"; digital service providers ecosystem. Security elements marked "S": security VF and VNFs, carrier grade policy manager, carrier grade security and privacy middleboxes, managed services security and privacy middlebox, secure vCPE, SS7 middlebox, SDWAN; cloud based security = global unified security.]
"S" for security on premise whatever it is, not restricted to endpoint security.
Moving down the segment is not "a straight line".
How could we safely do network based protection against attacks tunneling in encrypted network traffic, without constraining end-to-end routing?
If each MB had a hardware-backed Trusted Execution Environment (TEE), then perhaps endpoints could choose to trust MB services dynamically migrating from TEE to TEE as orchestrated by Software Defined Networking (SDN), or Network Function Virtualization (NFV).
BIG MISS – POTENTIAL FUTURE MB CAPABILITIES
CONCLUSION 3
• A LOT IS AT STAKE TO TRULY
  • MAKE THIS WORLD SAFER AND MORE PRIVATE
  • AND NOT MAKE THIS WORLD MORE PRIVATE AND LESS SAFE
• DSPs ARE THE PLATFORM TO REACH ALL SEGMENTS
• DSPs SHOULD ENGAGE MUCH MORE PROACTIVELY IN THE DEBATE
• BUT DO THEY RECOGNIZE THE PROBLEM AND THEIR OWN ROLE?