VFW, vendors and Issues
Virtualized Security for the Cloud
Himani Singh
Feb 2017
Data Center Concerns
Cloud security can be divided into four categories:
- Cloud data protection
- Cloud data governance
- Cloud access policy and intelligence
- Cloud workload security, audit and management
The first three are cloud application security concerns (access policy and intelligence, data protection, data governance). Security area and vendors for them: CASB (cloud access security broker).
Data Center security concerns
- East-west traffic: data centers are virtualized and SDN is in use.
- Gap 1: CASB does not address workload security.
- Gap 2: CASB does not protect the infrastructure.
Public, Private and Hybrid cloud
Public cloud
- Cloud services such as computing, storage, networking and hosting are provided in a virtualized environment built from many physical resources and accessed over the internet.
- Always available, scalable, instant provisioning to expand with business needs.
- Multi-tenant.
- The cloud provider secures the infrastructure; application and web server security is your responsibility (the shared responsibility model).
- Examples: AWS, Azure, IBM SoftLayer, Google.
Private cloud
- The same as public cloud in terms of self-service, scalability and automatic provisioning on demand, except that it serves one organization and is mostly on premises.
- Some in-house IT staff is needed.
- Can support multi-tenancy for different departments of the same organization.
- Examples: Microsoft private cloud, VMware vCloud, OpenStack, Apache CloudStack.
- Some public clouds, such as AWS, let you carve out an isolated private network; AWS calls it a VPC (Virtual Private Cloud).
Hybrid cloud
- Companies prefer to keep some data online but critical data on their premises. In most cases a tunnel is built between the public and the private cloud to sync the data.
Typical Deployments
Public cloud
- Diagram: LB -> virtual NGFW (VNGFW) -> server LB -> app / web server -> DB server. The VNGFW sits behind the external load balancer and in front of the server load balancer.
Private cloud
- VFWs share the same hypervisor as the servers they protect.
- The approach is the same as in a physical data center.
- With SDN and virtualization, workloads (VMs) are dynamically created and moved between hypervisors, so we need a different security solution.
Hybrid cloud
- Company site + AWS VPC; an NGFW can be acquired from the marketplace.
Security issues in the data center
Monitoring east-west traffic
- Once a breach is inside the data center it is very hard to detect.
- Monitor the traffic between workloads (VMs) as well as in and out of them; both L4 and L7 rules should be applied.
- Workload VMs are dynamically created, moved or destroyed, so a new VM instance and the applications on it must be tracked and protected.
- FW session is lost: for elasticity another VFW instance is created to handle extra traffic and automatically destroyed when traffic drops. When a V(NG)FW instance is destroyed its session history is lost with it; in case of an attack or breach the evidence is lost.
- Drawback: data useful for breach detection and analysis is lost.
Security issues in the data center, contd.
Traditional solutions:
- A VFW will miss it.
- SIEMs will have too much data to process.
- Solutions like Alert Logic only produce alerts, not action.
- Solutions like CrowdStrike provide endpoint protection.
A typical kill chain: external recon -> weaponization -> attack on a less secure host -> internal recon -> lateral movement -> installation -> data staging -> exfiltration.
Current solutions are not adequate
- Physical FWs are not useful: FW and security solutions are installed at the edge of the data center, and most DCs are moving towards SDN, so it is hard to keep track of dynamically changing workloads.
Virtual (NG)FW
- Based on the physical FW and has the same functionality; performance varies with the CPU it runs on.
- VFWs come in many flavors: vendors like Palo Alto Networks (PAN), Check Point and Fortinet release a build per public or private cloud platform.
Shortcomings in current solutions
- Most security vendors still depend on VMware NSX to create the new VFW instance when a workload is moved.
- NSX limits throughput to 650 Mbps per VM.
- The NSX security posture is really basic (layer 2-4 only).
Multi-layer security solution
- Some vendors ship one VM per service, e.g. Fortinet with FortiMail, FortiWeb, FortiADC, FortiAuthenticator and FortiGate.
- Others have one product for all security services, e.g. Check Point vSEC.
- All vendors have a different flavor for AWS, Azure, ESXi, NSX, KVM, Hyper-V and Xen.
- It would be nice to have one software image that manages all of them.
Shortcomings of current solutions, contd.
VFW for public cloud
- Throughput is limited by CPU, RAM or shared resources.
- In the case of vSEC (Check Point), when one service is busy the whole system's resources reach 80% and a new instance is created.
- To cover more traffic we need more LBs in front of the security devices.
Issue with VMware NSX
VMware NSX provides NFV and layer 2-4 security, and automatically keeps track of workload creation and moves.
NSX solution:
- Provides security tagging for workloads inside the data center.
- Automatically tracks workload creation, movement and deletion.
- Layer 2-4 security policies are built in.
- Layer 7 security such as stateful FW, NGFW, DLP and IDS is provided by external vendors such as PAN, Fortinet, Juniper and Check Point.
- A VM is created and associated with a security group; when a new member joins that group the group's policies are applied to it automatically.
- Any FW deployed on NSX has a maximum throughput of 650 Mbps.
What would be good to have
An ideal solution should have:
- Prevention
- Automation of the security profile when a new workload is provisioned
- Layer 4 to layer 7 security
- A focused approach to filter out unnecessary alerts
- An answer to the issues of signature-based solutions
- Behavior-based learning
- Signatures selected per service, workload or location
- Security service scalability based on traffic load
Functions of the "Ideal Solution"
Prevention
- Reduce the potential attack surface: firewall policies, IPS, user segmentation, patch management and infrastructure design.
- Patch management includes loading new signatures and updating blacklists of hosts, IPs and URLs.
- Apply policies inside the data center, between workloads, based on security tags.
Automation of the security profile when a new workload is provisioned
- Dynamic security profile creation when workloads are moved, created or deleted.
- Although VMware NSX, AWS and Azure provide this, they have limitations.
- NSX security control is split: NSX itself provides only layer 2-4 security; for layer 7 it depends on other vendors (PAN, Check Point, Fortinet) and throughput is limited.
- AWS has built-in security only for the infrastructure, not for the workloads; the Marketplace is used to buy security solutions for workloads.
Single-vendor security solution for correlation between events
- It would be nice to have one vendor who can protect the workloads from layer 4 to layer 7.
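The two requirements above (policy that follows a security tag, and session state that survives an elastic VFW instance being destroyed, as raised on the east-west monitoring slide) in one small model. This is an added example for this deck, not NSX or any vendor's code; the class names (TagRegistry, VfwInstance, EvidenceStore), the three-tier policy and the traffic sequence are constructed for illustration.

```python
"""Tag-driven east-west policy plus session evidence that survives scale-in.

Added example (not vendor code). A workload that joins a tagged security group
gets the group's rules with no rule edits, and an elastic VFW instance flushes
its session table to durable storage before it is destroyed, so the evidence
the deck says is lost on scale-in is kept. All names and data are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    dport: int
    action: str  # "allow" or "deny"


# Constructed three-tier policy. Anything not listed is denied (default-deny east-west).
POLICY: List[Rule] = [
    Rule("web", "app", 8080, "allow"),
    Rule("app", "db", 5432, "allow"),
]


class TagRegistry:
    """Workload id -> security tags, updated on create/move/destroy events."""

    def __init__(self) -> None:
        self.tags: Dict[str, Set[str]] = {}

    def create(self, vm: str, *tags: str) -> None:
        self.tags[vm] = set(tags)

    def destroy(self, vm: str) -> None:
        self.tags.pop(vm, None)

    def tags_of(self, vm: str) -> Set[str]:
        return self.tags.get(vm, set())


def decide(reg: TagRegistry, src: str, dst: str, dport: int) -> str:
    """Match on tags, not addresses: a new member of "app" is covered immediately."""
    for r in POLICY:
        if r.src_tag in reg.tags_of(src) and r.dst_tag in reg.tags_of(dst) and r.dport == dport:
            return r.action
    return "deny"


class EvidenceStore:
    """Stands in for a log sink (SIEM, object storage) that outlives the VFW."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def write(self, records: List[dict]) -> None:
        self.records.extend(records)


class VfwInstance:
    """An elastic VFW instance: holds a session table only while alive."""

    def __init__(self, name: str, store: EvidenceStore) -> None:
        self.name, self.store = name, store
        self.sessions: Dict[tuple, dict] = {}

    def observe(self, reg: TagRegistry, src: str, dst: str, dport: int, nbytes: int) -> str:
        verdict = decide(reg, src, dst, dport)
        sess = self.sessions.setdefault(
            (src, dst, dport),
            {"vfw": self.name, "src": src, "dst": dst, "dport": dport, "bytes": 0, "verdict": verdict})
        sess["bytes"] += nbytes
        return verdict

    def terminate(self) -> int:
        """Scale-in hook: export sessions first, then drop state. Returns records exported."""
        exported = list(self.sessions.values())
        self.store.write(exported)
        self.sessions.clear()
        return len(exported)


def run_scenario() -> dict:
    """Constructed sequence: provision, scale out, attempt a tier jump, scale in."""
    reg, store = TagRegistry(), EvidenceStore()
    reg.create("web01", "web")
    reg.create("app01", "app")
    reg.create("db01", "db")
    vfw = VfwInstance("vfw-2", store)                   # second instance, created for extra traffic
    v1 = vfw.observe(reg, "web01", "app01", 8080, 1200)
    v2 = vfw.observe(reg, "web01", "db01", 5432, 300)   # web tier jumping straight to db: denied
    reg.create("app02", "app")                          # autoscaled app VM joins the "app" group
    v3 = vfw.observe(reg, "app02", "db01", 5432, 900)   # allowed with no rule change
    exported = vfw.terminate()                          # traffic dropped, instance destroyed
    denied = [r for r in store.records if r["verdict"] == "deny"]
    return {"verdicts": [v1, v2, v3], "exported": exported,
            "denied_kept": len(denied), "live_sessions": len(vfw.sessions)}


if __name__ == "__main__":
    print(run_scenario())
```

The denied web01 -> db01 attempt is exactly the record an analyst needs after the fact, and it is only available because terminate() exports before clearing; a VFW that is simply powered off at scale-in loses it.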
Functions of the Ideal Solution, contd.
Signature-based solution issues
- Most layer 7 security solutions are signature based. Issue: a zero-day attack can be missed.
- Behavior-based learning addresses this.
Focused approach to filter out unnecessary alerts
- Issue: a huge number of alerts are raised on anomalies or policy violations. Even after filtering for high-priority attacks there are still too many to attend to in a timely manner.
- Solution: surface the alerts that belong to the last stages of the chain. For example, to breach a database an attacker first compromises the public-facing server and its application through recon, mapping and finally exploitation of vulnerabilities or misconfigurations.
- Need to identify behavioral anomalies in, or normal-looking traffic to and from, the internal servers.
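The "last stage" filtering described above, run over a handful of constructed alert lines. This is an added example, not code from the deck or from any SIEM: it ranks each host by the furthest kill-chain stage seen (using the stages from the kill-chain slide) and escalates only hosts that reached data staging or later, or internal servers with any alert at all. The stage names, hostnames, role table and log format are assumptions of the example.

```python
"""Kill-chain-aware alert triage (added example, not product output).

Groups alerts per host, finds the furthest stage reached, and escalates only
late-stage hosts and internal servers. Everything else is suppressed from the
analyst queue but kept for correlation.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Stage order from the deck's kill chain; "delivery" stands for the attack on the
# less secure (public-facing) host.
STAGES = ["external_recon", "delivery", "internal_recon", "lateral_movement",
          "installation", "data_staging", "exfiltration"]
RANK = {s: i for i, s in enumerate(STAGES)}
LATE = RANK["data_staging"]

# Assumed tiering: app and db servers are internal and never face the internet.
ROLE = {"web01": "web", "web02": "web", "app01": "app", "db01": "db"}
INTERNAL = {"app", "db"}

# Constructed alert lines (syslog-like key=value), not real product output.
SAMPLE_ALERTS = """\
2017-02-10T10:00:01 host=web01 stage=external_recon sig=port-scan src=203.0.113.5
2017-02-10T10:00:09 host=web01 stage=external_recon sig=dir-bruteforce src=203.0.113.5
2017-02-10T10:02:11 host=web01 stage=delivery sig=sqli-attempt src=203.0.113.5
2017-02-10T10:05:40 host=web01 stage=internal_recon sig=smb-enum dst=10.0.2.0/24
2017-02-10T10:07:02 host=app01 stage=lateral_movement sig=psexec-like src=10.0.1.10
2017-02-10T10:09:15 host=app01 stage=data_staging sig=large-archive-write size=2GB
2017-02-10T10:11:30 host=db01 stage=exfiltration sig=dns-tunnel dst=198.51.100.7
2017-02-10T10:00:30 host=web02 stage=external_recon sig=port-scan src=198.51.100.9
2017-02-10T10:01:00 host=web02 stage=delivery sig=sqli-attempt src=198.51.100.9
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(text: str) -> List[Dict[str, str]]:
    """One dict per line; the leading timestamp is kept under 'ts'."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(KV.findall(line))
        fields["ts"] = line.split()[0]
        alerts.append(fields)
    return alerts


def triage(alerts: List[Dict[str, str]]) -> Dict[str, dict]:
    """Return only hosts worth a human's time, with the reason and the chain seen."""
    per_host: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for a in alerts:
        per_host[a["host"]].append(a)
    escalated = {}
    for host, items in per_host.items():
        furthest = max(items, key=lambda a: RANK[a["stage"]])["stage"]
        reasons = []
        if RANK[furthest] >= LATE:
            reasons.append("late-stage: " + furthest)
        if ROLE.get(host) in INTERNAL:
            reasons.append("internal server anomaly")
        if reasons:
            chain = sorted({a["stage"] for a in items}, key=RANK.__getitem__)
            escalated[host] = {"reasons": reasons, "chain": chain, "alerts": len(items)}
    return escalated


def summary(text: str = SAMPLE_ALERTS) -> dict:
    alerts = parse(text)
    esc = triage(alerts)
    return {"total_alerts": len(alerts), "escalated_hosts": sorted(esc),
            "suppressed_alerts": len(alerts) - sum(e["alerts"] for e in esc.values())}


if __name__ == "__main__":
    import json
    print(json.dumps(summary(), indent=2))
```

On the sample, six of nine alerts (all the noisy recon and injection attempts against the two web servers) are suppressed, and the two hosts that matter, app01 and db01, come up with the chain that led there.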
Functions of the Ideal Solution, contd.
Only the required signatures are loaded in memory, to make searching faster and save memory.
Based on the workload and OS
- For example, if the web server is Apache, loading IIS vulnerability signatures is useless.
- Solution: identify the end server and the application to protect, and load only the necessary signatures; IPS, antivirus and similar engines all carry a huge number of signatures.
Based on the service
- Load signatures for the services actually offered, such as FTP, HTTP or RTSP.
Based on the geolocation
- Load signatures based on geolocation.
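How the three selection criteria above (OS and product, service, geolocation) combine in practice, as an added example that is not from the deck or any IPS: a constructed service inventory is parsed into a per-workload profile and a constructed signature catalogue is filtered against it, so the Apache-on-Linux host never loads IIS or FTP rules. Signature ids, catalogue fields and the inventory line format are all assumptions of the example.

```python
"""Load only the signatures that apply to a workload (added example).

Parses a constructed inventory (host, OS, region served, then port/proto,
service and product per listening service) and selects catalogue entries by
OS, service, product and geo. "*" in the catalogue is a wildcard.
"""
import re
from typing import Dict, List

# Constructed inventory: "host os geo=XX" followed by "port/proto service product" groups.
INVENTORY = """\
web01 linux geo=US 80/tcp http Apache/2.4.25 443/tcp https Apache/2.4.25
win01 windows geo=EU 80/tcp http IIS/8.5 21/tcp ftp FileZilla/0.9
"""

# Constructed catalogue; real IPS rule sets are far larger.
CATALOG = [
    {"id": "SIG-1001", "os": "linux", "service": "http", "product": "apache", "geo": "*"},
    {"id": "SIG-1002", "os": "windows", "service": "http", "product": "iis", "geo": "*"},
    {"id": "SIG-1003", "os": "*", "service": "ftp", "product": "*", "geo": "*"},
    {"id": "SIG-1004", "os": "*", "service": "http", "product": "*", "geo": "*"},
    {"id": "SIG-1005", "os": "linux", "service": "*", "product": "*", "geo": "*"},
    {"id": "SIG-1006", "os": "*", "service": "http", "product": "*", "geo": "EU"},
    {"id": "SIG-1007", "os": "*", "service": "rtsp", "product": "*", "geo": "*"},
]

SVC = re.compile(r"(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_inventory(text: str) -> Dict[str, dict]:
    """host -> {os, geo, services: {service: product}}."""
    profiles = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, os_name, geo = line.split()[:3]
        services = {svc.lower(): prod.split("/")[0].lower()
                    for _, _, svc, prod in SVC.findall(line)}
        profiles[host] = {"os": os_name.lower(), "geo": geo.split("=", 1)[1], "services": services}
    return profiles


def _match(value: str, wanted: str) -> bool:
    return wanted == "*" or wanted == value


def select_signatures(profile: dict) -> List[str]:
    """Return the ids to load into memory for this one workload."""
    # https is served by the same product as http, so treat it as http for rule purposes.
    services = {("http" if s == "https" else s): p for s, p in profile["services"].items()}
    chosen = []
    for sig in CATALOG:
        if not _match(profile["os"], sig["os"]) or not _match(profile["geo"], sig["geo"]):
            continue
        if sig["service"] == "*":          # OS-wide rule, independent of listening services
            chosen.append(sig["id"])
            continue
        prod = services.get(sig["service"])
        if prod is not None and _match(prod, sig["product"]):
            chosen.append(sig["id"])
    return chosen


def load_plan(text: str = INVENTORY) -> Dict[str, dict]:
    """Per host: ids loaded and how many catalogue entries were skipped."""
    out = {}
    for host, prof in parse_inventory(text).items():
        ids = select_signatures(prof)
        out[host] = {"loaded": ids, "skipped": len(CATALOG) - len(ids)}
    return out


if __name__ == "__main__":
    for host, plan in load_plan().items():
        print(host, plan)
```

The selection has to be re-run whenever the workload profile changes (a new service appears, the VM is moved to another region), which is the same event stream the tag-based automation already consumes.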
Scalability based on modules (security services), not on VMs
Scenario:
- Suppose one selects IPS, AV, DLP and NGFW as layer 7 security. Some modules (e.g. DLP) need more computing resources than others and become the performance barrier.
- If one module's CPU is at 90% of capacity while the others are at 50%, automatic provisioning still creates a whole new VM.
- We may end up with four VMs in which every DLP module runs at 90% of capacity while the other modules consume only 30%.
Solution:
- Instead of provisioning whole new VMs, create a new instance of only the saturated module. A VM can then run one instance of NGFW, two of DLP and three of antivirus, since NGFW throughput is much higher than DLP or antivirus throughput.
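The two scaling strategies compared numerically, as an added example that is not from the deck. The per-instance throughput and core counts are constructed assumptions chosen so that DLP is the bottleneck, as on the slide; plan_per_vm() clones the whole VM whenever the slowest module fills up, plan_per_module() gives each module only the copies it needs, and scale_step() is the runtime rule that adds one module instance instead of a VM.

```python
"""Per-module versus per-VM scaling of a multi-module security VM (added example).

Capacities and core costs are assumed values, not vendor figures.
"""
import math
from typing import Dict

# Mbps each module instance can sustain, and the cores it costs (assumed).
CAPACITY_MBPS: Dict[str, int] = {"ngfw": 1000, "ips": 500, "av": 300, "dlp": 150}
CORES: Dict[str, int] = {"ngfw": 2, "ips": 2, "av": 1, "dlp": 2}
TRIGGER = 0.9  # utilisation at which the autoscaler on the slide adds capacity


def plan_per_vm(load_mbps: int) -> dict:
    """Whole-VM cloning: the slowest module dictates how many full VMs exist."""
    bottleneck = min(CAPACITY_MBPS, key=CAPACITY_MBPS.get)
    vms = math.ceil(load_mbps / CAPACITY_MBPS[bottleneck])
    util = {m: round(load_mbps / (cap * vms), 3) for m, cap in CAPACITY_MBPS.items()}
    return {"vms": vms, "instances": {m: vms for m in CAPACITY_MBPS},
            "cores": vms * sum(CORES.values()), "utilisation": util}


def plan_per_module(load_mbps: int) -> dict:
    """Independent instances per module: each module gets just enough copies."""
    inst = {m: math.ceil(load_mbps / cap) for m, cap in CAPACITY_MBPS.items()}
    util = {m: round(load_mbps / (CAPACITY_MBPS[m] * n), 3) for m, n in inst.items()}
    return {"instances": inst,
            "cores": sum(CORES[m] * n for m, n in inst.items()),
            "utilisation": util}


def scale_step(observed_util: Dict[str, float]) -> Dict[str, int]:
    """Runtime rule: add one instance only to modules over TRIGGER, never a whole VM."""
    return {m: 1 for m, u in observed_util.items() if u > TRIGGER}


def compare(load_mbps: int) -> dict:
    """Cores spent by each strategy and how idle the NGFW is under whole-VM cloning."""
    a, b = plan_per_vm(load_mbps), plan_per_module(load_mbps)
    return {"load_mbps": load_mbps,
            "per_vm_cores": a["cores"], "per_module_cores": b["cores"],
            "cores_saved": a["cores"] - b["cores"],
            "idle_ngfw_capacity_per_vm": round(1 - a["utilisation"]["ngfw"], 3)}


if __name__ == "__main__":
    for load in (540, 1200):
        print(compare(load))
```

At 540 Mbps the whole-VM approach runs four VMs (28 cores) with the NGFW 86% idle in each, which is the slide's "four VMs, DLP at 90%, everything else at 30%" picture; per-module scaling reaches the same DLP headroom with one NGFW, two IPS, two AV and four DLP instances on 16 cores.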
Other Ideal Solution Requirements
Independent
- Maintain one flavor of the virtual security solution rather than separate vIPS, vNGFW and vMail images.
- Independent of the underlying platform, such as ESXi, Rackspace, KVM, etc.
Workload
- Works for all kinds of workload, such as web servers and HTTP servers.
- Only the relevant functionality should be unpacked and activated.
DETECT
- IDS, WAF, anomaly detection, NIDS, HIDS
RESPOND
- Report and communicate to stakeholders by email, alert or text.
- Immediate isolation of the workload.
PREDICT
- Regular scans and penetration testing.
- Dynamically and continuously change the policy.
- Update the methods.
Smart solution: micro-segmentation
- Software that sits on top of the hypervisor.
- Provides monitoring, security control and logging.
- Deeper-level security module based on the workload, i.e. if the workload is Linux/HTTPS the only w