This session will explore how we can leverage containers, network/endpoint virtualization technologies and virtualized security instrumentation, concurrently, to transformationally improve security visibility, security analytics, system resilience and actionable context, greatly increasing our ability to attest that systems will be secure and compliant in any state into which they may be driven.
(Source: RSA USA 2016-San Francisco)
Transforming Security: Containers, Virtualization and Softwarization
1. Title slide (#RSAC)
Transforming Security: Containers, Virtualization and the Softwarization of Controls
Session ID: ASD-W03
Dennis R Moreau, Senior Engineering Architect, VMware Office of the CTSO, @DoctorMoreau
2. The Security Problem
Security breach rates and losses continue to outpace security spend in “the year of the breach”.
[Chart with three series: IT Spend, Security Spend, Security Breaches]
3. Complexity: Complex Attack Behavior
[Figure: the attack surface layered as HW & FW, OS and Application, across IaaS and SaaS. Attack examples shown: MMUs, SMM, UEFI, Controllers, Supply Chain…; Overflows, Insertion, Malformation…; dll injection, SVC Vulns, ROP…; Recon & Lateral Movement spanning the layers]
4. Complexity: Many Required Security Controls
[Figure: SANS 20 Critical Cyber Controls poster]
Source: SANS 20 Critical Cyber Controls – Fall 2014, https://www.sans.org/media/critical-security-controls/fall-2014-poster.pdf
5. Complexity: Many Security Control Standards
NIST 800-53, ISO 27002, NSA Top 10, GCHQ 10 Steps, PCI DSS, HIPAA, NERC, CSA, FISMA, ITIL KPIs, …
Source: https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf
6. Complexity: The Balkanization of Security
[Table: Security Controls, broken out by dimension]
• Rules, Lang & Logic: SNORT, FW 5-tuples, OWASP, YARA, XACML…
• Control Boundary: End Point, Network, VLAN, Domain, Process, OU…
• Object Type: User, Application, Data Class, Service, DB…
• Consoles: Logs, Alerts, Rules, Workflow…
• Agents / Placement Constraints: DB, App, OS, NAT, LB, L4, L3…
7. Complexity: No Finish Line
[Figure: “Change!” at the center, driven by Evolving Standards, Control Technology, Growth, Scale, Agility++, New Bus. Need, New Regulation, New Threats, New Governance]
8. Complexity: IT Architecture
• Highly Connected
• Complex Service Protocols
• EP controls with weak isolation
• NW controls with weak context
• EP <-> NW mismatch
[Figure: many VMs spread across App1–App4 behind a single perimeter FW and IPS]
9. Complexity is the Problem!
Misconfiguration is very common (Gartner: 95%* of FW breaches attributable to misconfiguration).
* Gartner, Inc. “One Brand of Firewall Is a Best Practice for Most Enterprises”. November 28, 2012.
* Gartner, Inc. “…75 Percent of Mobile Security Breaches Will Be the Result of Mobile Application Misconfiguration”. http://www.gartner.com/newsroom/id/2846017
We need architecturally simplified security provisioning, operation, response and analytics.
14. Network Virtualization: Overlays
[Figure: a Transport Network carrying overlay L2 segments for Tenant B and Tenant C, each connecting several VMs, managed by an Overlays Controller. Encapsulation shown: outer L2 | IP | UDP | VXLAN wrapping the tenant’s inner L2 | IP | Payload frame]
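The encapsulation in the figure above, built and stripped in Python as an added example (not code from the talk); outer MACs, VTEP addresses and the zeroed checksums are constructed test values, and the point it shows is that tenants with overlapping inner addressing are separated only by the VNI.

```python
"""Added example (not from the talk): build and strip a VXLAN overlay frame.
Outer MACs, VTEP IPs and checksums (left zero) are constructed test values."""
import socket
import struct

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08        # "VNI is valid" flag bit in the VXLAN header


def build_vxlan(vni: int, inner_frame: bytes, vtep_src: str, vtep_dst: str) -> bytes:
    """Wrap an inner L2 frame in outer L2 / IPv4 / UDP / VXLAN headers (VTEP to VTEP)."""
    outer_l2 = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", 0x0800)  # constructed MACs
    ip_total_len = 20 + 8 + 8 + len(inner_frame)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0, 64, 17, 0,
                           socket.inet_aton(vtep_src), socket.inet_aton(vtep_dst))
    outer_udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + 8 + len(inner_frame), 0)
    vxlan_hdr = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return outer_l2 + outer_ip + outer_udp + vxlan_hdr + inner_frame


def parse_vxlan(frame: bytes):
    """Return (vni, inner_frame); raise ValueError if the outer stack is not VXLAN."""
    if len(frame) < 14 + 20 + 8 + 8:
        raise ValueError("too short for an L2/IPv4/UDP/VXLAN header stack")
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length, options included
    if frame[14 + 9] != 17:
        raise ValueError("outer IP payload is not UDP")
    udp_off = 14 + ihl
    _sport, dport, _ulen, _csum = struct.unpack_from("!HHHH", frame, udp_off)
    if dport != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    vx_off = udp_off + 8
    if not frame[vx_off] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: no valid VNI")
    vni = int.from_bytes(frame[vx_off + 4:vx_off + 7], "big")
    return vni, frame[vx_off + 8:]


def tenant_of(frame: bytes, vni_to_tenant: dict) -> str:
    """Classify a frame by VNI, the only thing separating tenants with overlapping inner addressing."""
    vni, _inner = parse_vxlan(frame)
    return vni_to_tenant.get(vni, "unknown")
```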
16. Simplify: Smaller more aligned policy
[Figure: left, a perimeter eFW in front of App1–App4 with one large policy set; right, a dFW per application with a small policy set each]
Policy at the eFW crosses many apps (App1 – App4); policy at the dFW can align on one App/Svc.
• Much smaller policy sets
• Much more coherent policy
17. Simplify: Change with less side effect
[Figure: left, a single perimeter FW and one large policy set spanning App1–App4; right, a FW and a small policy set per application]
Policy change at the shared perimeter FW is coupled across apps; policy change in a per-app policy set is far safer.
• Much simpler mitigation
• Much safer rule deletion
18. Simplify: Policy that follows the workload
[Figure: left, a perimeter eFW in front of App1–App4; right, a dFW on each hypervisor]
At the eFW, only traffic steering determines protection/visibility; at the dFW, classification (SG) determines protection & visibility.
• Protection scales with hypervisors
19. Simplify: Default deny posture
[Figure: left, a perimeter eFW in front of App1–App4; right, a dFW per application]
Default deny policy at the eFW is blunt, coupled across apps, partial and weakly scalable; default deny policy at the dFW is precise, efficient, scalable, …
• Recon and lateral movement in the DC are much more visible and difficult
20. Simplify: Intrinsic E/W visibility/control
[Figure: left, a perimeter eFW in front of App1–App4; right, a dFW per application]
At the eFW, E/W traffic is hair-pinned for visibility at the DC edge; at the dFW, all E/W traffic is visible and filtered according to policy.
• Complete E/W visibility & control
• No hairpin management
21. Control Placement and Segments
[Figure: left, one FW and SC at the perimeter in front of App1–App4; right, a FW and SC placed with each application segment]
Enabled by: Network Virtualization + Softwarization of Security Controls
23. Align: NW/EP Control Aligned on Segments
[Figure: left, perimeter FW/IPS in front of App1–App4 with endpoints (EP) grouped separately, where NW Identifiers/Boundaries ≢ EP Identifiers/Boundaries; right, FW/IPS per App Seg, where EP Identifiers/Boundaries ≡ NW Identifiers/Boundaries]
NW Policy(IF, Subnet, DHCP Scope, …) versus EP Policy(Asset, HostID, SID, Svr Role, TPM…)
[Figure also shows EP, MS and NW tied together by VMID and MSID, with policies P1(MSID) … PN(MSID)]
26. Align: Controls Context
[Figure: per-Segment control chain dFW, WAF, IPS, AA, each with its own rule set (FW Rules / vFW, OWASP Rules, SNORT Rules, Protocol Defn, Access Rules), combining into the Resultant Protection Policy]
Order Matters: so topological context is required for many security use cases. Visibility & semantics at one control depend on the policy and filtering applied at the control before it.
29. Containers: App/Svc Focused Context
Ex. Authoritative Context:
• App Configuration & Resources
• Resource Sharing Across Apps
• Colocation of Containers
• Service Components
• Services within a Namespace
• Network Dynamics (LB, HA, …)
[Figure: Example Contextual Structure: a Namespace holding a Volume Service and an RC, which manages Pods; each Pod holds a Container with its App Env and App; the Pods sit behind a LB]
41. Micro-Segmentation: Model & Secure
• Model apps, app tiers, regulatory scopes, network, org boundaries, etc.
• Default Deny: Only allow what’s necessary, Deny everything else.
Source: Arkin.net Screenshot
42. Micro-Segmentation in Action: Modeling Security Groups
Source: Arkin.net Screenshot
Segment by applications, app tiers, security zones, L2/L3 network boundaries, virtual-physical boundaries, organizational levels, etc.
43. Micro-Segmentation in Action: Modeling Security Policies
Source: Arkin.net Screenshot
• Inter and Intra Segment (VM to VM) Communication
• Some services require internet access.
• “Deny All” to these segments (…and confirm it)
• Allowed access to shared services
44. Micro-Segmentation in Action: Validate Compliance
Source: Arkin.net Screenshot
Runtime Effective Policy between any two points in the Datacenter
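A toy model of the ideas in slides 18, 19 and 44, added here as an example (not code from the talk or from any product): distributed-firewall rules bind to security-group classification rather than to addresses, so policy follows a workload when it moves, everything not explicitly allowed is denied, and the effective policy between any two workloads can be queried. Workload names, groups and ports are constructed.

```python
"""Added example (not from the talk): a toy dFW keyed on security groups, default deny."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str                 # where the workload happens to sit right now
    groups: frozenset       # classification (security groups) is what policy keys on

@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    dst_port: int
    action: str = "allow"   # ordered rules, first match wins

class DistributedFirewall:
    def __init__(self, rules):
        self.rules = list(rules)

    def effective(self, src: Workload, dst: Workload, dst_port: int) -> str:
        """Runtime effective policy between two points: first matching rule, else deny."""
        for r in self.rules:
            if r.src_group in src.groups and r.dst_group in dst.groups and r.dst_port == dst_port:
                return r.action
        return "deny"       # default deny: nothing is reachable unless a rule says so

    def reachable(self, workloads, dst: Workload, dst_port: int):
        """Names of workloads allowed to reach dst on dst_port (the posture made visible)."""
        return sorted(w.name for w in workloads
                      if w is not dst and self.effective(w, dst, dst_port) == "allow")

# Constructed sample: two apps, each with a web tier, one db tier, and one shared service.
WEB1 = Workload("web1", "10.1.0.11", frozenset({"app1-web"}))
DB1 = Workload("db1", "10.1.0.21", frozenset({"app1-db"}))
WEB2 = Workload("web2", "10.2.0.11", frozenset({"app2-web"}))
DNS = Workload("dns", "10.0.0.53", frozenset({"shared-dns"}))
ALL = [WEB1, DB1, WEB2, DNS]
# One rule per tier pair instead of one 5-tuple per VM pair; everything else is denied.
DFW = DistributedFirewall([Rule("app1-web", "app1-db", 3306),
                           Rule("app1-web", "shared-dns", 53),
                           Rule("app2-web", "shared-dns", 53)])

def demo():
    moved_db1 = replace(DB1, ip="10.9.0.5")                   # moved/re-IPed; groups unchanged
    return {"intra_app": DFW.effective(WEB1, DB1, 3306),      # allow
            "cross_app": DFW.effective(WEB2, DB1, 3306),      # deny: lateral move blocked
            "other_port": DFW.effective(WEB1, DB1, 22),       # deny: default deny
            "after_move": DFW.effective(WEB1, moved_db1, 3306),  # allow: policy followed it
            "dns_reachers": DFW.reachable(ALL, DNS, 53)}      # ["web1", "web2"]
```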
46. Summary
Complexity is at the heart of today’s security challenge.
Virtualization and Softwarization allow app-focused placement and policy alignment.
Containerization provides the essential context for realizing an operationally plausible default deny policy.
This results in transformationally simpler policy and more effective protection.
47. Apply: Assess
When you return to work:
• Evaluate your current policy complexity
  – Policy set size
  – Policy testing workflow
• Estimate its effect on security policy management
  – Latency in security policy updates
• Estimate the degree of your “default deny” posture
• Identify related instances of policy misconfiguration
48. Apply: Dev Ops
As you move forward in DevOps:
• For selected applications, determine
  – Operationally plausible default deny posture from observed logs
  – Application policy requirements from container blueprints/manifests
  – Application component dynamics: continuity, scaling, …
• For important and cross-cutting application services
  – Document discovery, election, failover, … protocol dynamics