Transforming Security: Containers, Virtualization and Softwarization

SESSION ID:

#RSAC

Dennis R Moreau

Transforming Security: Containers, Virtualization and the Softwarization of Controls

ASD-W03

Senior Engineering ArchitectVMware Office of the CTSO@DoctorMoreau

#RSAC

The Security Problem

2

Security breach rates and losses continue to outpace security spend in “the year of the breach”.

IT Spend

Security Spend

Security Breaches

#RSAC

Complexity: Complex Attack Behavior

HW & FW

OS

Application

Operating

Application

MMUsSMMUEFIControllersSupply Chain…

OverflowsInsertionMalformation …

dll injectionSVC VulnsROP …

OS

Application

Recon & Lateral Movement

……… …

HW & FW

IaaS

SaaS

#RSAC

Complexity: Many Required Security Controls

Source: SANS 20 Critical Cyber Controls – Fall 2014https://www.sans.org/media/critical-security-controls/fall-2014-poster.pdf

!

#RSAC

Complexity: Many Security Control Standards

5https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf

NIST 800-53, ISO 27002, NSA Top 10,GCHQ 10 Steps, PCI DSS, HIPAA, NERC,CSA, FISMA, ITIL KPIs, …

#RSAC

Complexity: The Balkanization of Security

Security

Controls

Rules, Lang & Logic

Control Boundary

Object

Type

Consoles Agents

Placement Constraints

SNORT, FW 5-tuples, OWASP, YARA, XACML…

End Point, Network, VLAN, Domain, Process, OU …

User, Application, Data Class, Service, DB…

ConsolesLogs, Alerts, Rules, Workflow…

DB, App, OS, NAT, LB, L4, L3 …

#RSAC

Complexity: No Finish Line

Change!EvolvingStandards

Control

Technology

Growth Scale

Agility++

New Bus. Need

New Regulation

New Threats

New Governance

#RSAC

Complexity: IT Architecture

Highly Connected

Complex Service Protocols

EP controls with weak isolation

NW controls with weak context

EP <-> NW mismatch

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

…

App2App1 App3 App4

FW

IPS

#RSAC

Complexity is the Problem!

Misconfiguration is very common (Gartner: 95%* of FW breaches attributable to misconfiguration)

*Gartner, Inc. “One Brand of Firewall Is a Best Practice for Most Enterprises”. November 28, 2012.

*Gartner, Inc. “ …75 Percent of Mobile Security Breaches Will Be the Result of Mobile Application Misconfiguration” http://www.gartner.com/newsroom/id/2846017

We need architecturally simplified security provisioning, operation, response and analytics.

http://www.gartner.com/newsroom/id/2846017

#RSAC

Virtualization and the Softwarization of Security Controls: Enabling Policy Simplification

10

#RSAC

Visibility: Micro-segmentation and SW

• Understand Traffic

• Here, > 80% is East-West

• Largely uninspected and

unprotected

• Ops: Clearly not optimized

Source: Networking data from Arkin.net deployments

#RSAC

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

…

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

…

App2App1 App3 App4 App2App1 App3 App4

FW

IPS

FW

IPS

Enabled by: Network Virtualization

Containment & Protection

#RSAC

Network Virtualization

GuestvSwitch

GuestvSwitch

ComputeIsolation

NetworkIsolation

V Network Ctrl

V Server Ctrl

ProvisioningProtectionIntrospection …

IP Address SpaceRoutingFirewall …

#RSAC

Transport Network

Network Virtualization: Overlays

L2

L2

Tenant B

L2

L2

L2Tenant C

L2

L2

L2

VM

VM

VM

VM

VM

VM

VM

VM

L2 IP UDP VXLAN PayloadL2 IP

PayloadL2 IP

PayloadL2 IP

PayloadL2 IP

OverlaysController

#RSAC

Micro-segments: A new policy primitive

App/SvcSegment

GuestvSwitchGuest

vSwitch

Guest vSwitch

Aligned Isolation:• Routing• NAT• dFW

Policy Boundary Invariant

#RSAC

Simplify: Smaller more aligned policy

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

dFW

…

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

…


dFW dFW dFW

eFW eFW

Policy here crosses many apps … App1 – App4

Policy here can align onone App/Svc

Much smaller policy sets Much more coherent policy

Policy--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------…--------------------------------------------------

Policy------------------------------…--------------------

Policy----------------------------------------…--------------------

Policy------------------------------…--------------------

Policy------------------------------…--------------------

Policy------------------------------…--------------------

#RSAC

Simplify: Change with less side effect

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

FW

…

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

…


FW FW FW

FW FW

Policy change here is coupled across apps

Policy change here is far safer

Much simpler mitigation Much safer rule deletion

Policy------------------------------…--------------------

Policy----------------------------------------…--------------------

Policy------------------------------…--------------------

Policy------------------------------…--------------------

Policy------------------------------…--------------------

Policy--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------…--------------------------------------------------

#RSAC

Simplify: Policy that follows the workload

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

dFW

…

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

…


dFW dFW dFW

eFW eFW

Only traffic steering determines protection/visibility

Classification (SG) determines protection & visibility

Protection scales with hypervisors

#RSAC

Simplify: Default deny posture

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

dFW

…

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

…


dFW dFW dFW

eFW eFW

Default deny policy here is blunt, coupled across apps, partial and weakly scale-able

Default deny policy here is precise,efficient, scale-able, …

Recon and lateral in the DCis much more visible and difficult

#RSAC

Simplify: Intrinsic E/W visibility/control

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

dFW

…

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

…


dFW dFW dFW

eFW eFW

E/W traffic hair-pinned for visibility at the DC edge

All E/W traffic is visible and filtered according to policy

Complete E/W visibility & control No hairpin management

#RSAC

Control Placement and Segments

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

FW

SC

…

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

…


FW

SC

FW

SC

FW

SC

FW

SC

FW

SC

Enabled by: Network Virtualization +Sofwarization of Security Controls

#RSAC

Virtualization and the Softwarization of Security Controls: Improved Alignment

22

#RSAC

≢

Align: NW/EP Control Aligned on Segments

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

FW

IPS

…

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

VM

…


FW

IPS

FW

IPS

FW

IPS

FW

IPS

FW

IPS

EPEP EP

EPEP EP EPEP EP

EPEP EP

EP EP

EP EP

EPEP EP EPEP EP EP EP

EPEP EP EPEP EP EP EP

NW Policy(IF, Subnet, DHCP Scope, …)

EP Policy(Asset, HostID, SID, Svr Role, TPM…)EP IdentifiersEP Boundaries

NW IdentifiersNW Boundaries

App Seg

EP IdentifiersEP Boundaries

NW IdentifiersNW Boundaries

≡

≡

EP

MS

NW

VMIDMSID

EP

NW

NW

P1(MSID)

PN(MSID)

…

#RSAC

Align: Coordinated Controls

24

Segment dFW WAF

DetectHere

OWASP Rules

vFW

BlockHere

FW Rules

Then …

Expensivedetection, so …

#RSAC

Align: Coordinated Controls

25

Segment dFW WAF

OWASP Rules

vFW

FW Rules

IPS

SNORT Rules

Rule N+1Rule N+2…Emergent

Vulnerability

ObservedAnomaly

#RSAC

Align: Controls Context

26

Segment dFW WAF IPS AA

OWASPRules

SNORTRules

vFW

FW Rules

ProtocolDefn

Resultant Protection Policy

AccessRules

Order Matters: So topological context is required for many security use cases.

Visibility &Semantics

here …

… depends onpolicy and filtering

here

#RSAC

Containers and Operationally Plausible Default Deny Policy

27

#RSAC

Sources of Plausible Micro-segment Policy

1. Provenance, Manifests & Provisioning Information

2. Application Network Behavior

3. Infrastructure Services (or Micro-services) Connectivity & Dynamics

#RSAC

Namespace

Volume Service

Containers: App/Svc Focused Context

29

Ex. Authoritative Context

App Configuration & Resources

Resource Sharing Across Apps

Colocation of Containers

Service Components

Services within a Namespace

Network Dynamics (LB, HA, …)

Example Contextual Structure

RC

Volume Service

Pod

Container

App Env

App

Pod

Container

App Env

App

…

LB

#RSAC

Containers: EP Compliance

30

Compliance scan of Docker imageUsage: docker-oscap image IMAGE_NAME [OSCAP_ARGUMENTS]

Compliance scan of Docker containerUsage: docker-oscap container CONTAINER_NAME [OSCAP_ARGUMENTS]

"Vulnerability scan of Docker image"Usage: docker\-oscap image\-cve IMAGE_NAME [--results oval-results-

file.xml [--report report.html]]"Vulnerability scap of Docker container"

Usage: oscap-docker container-cve CONTAINER_NAME [--results oval-results-file.xml [--report report.html]]Ref: https://github.com/OpenSCAP/container-compliance

https://github.com/OpenSCAP/container-compliance

#RSAC

Alignment: Network Context

Hosted Protection

Premise

Protection

LB

SVC

SVC SVC

SVC

SVC SVC

Web Service

Web Cont Web Cart

SAP MT

SAP

DB DB

Control placement determines:• Meaning of Log and Alert signals• Up/Down stream interference• Affected assets• Mitigation options

#RSAC

But “containers don’t contain”

32

Provider

Attest: ----- ----- -----

Tenant Tenant Tenant

Audit: ----- ----- ----

Docker Engine

Operating System instance

App 1

Bins/Libs

App 2

Bins/Libs

App 2

Bins/Libs

Shared: IDs, filesystem, services, resources …

Process and Name Space Isolation

Audit: ----- ----- ----

Process/Namespace Isolation

… but could be much better

Better IsolationIsolated Controls (independent)Mature Security Mgmt (Gartner)Normalized Policy Locus

Between WL and Hosting(hybrid/multi-cloud)

Mis-alignmenthttps://opensource.com/business/14/7/docker-security-selinux

http://www.projectatomic.io/blog/2014/09/yet-another-reason-containers-don-t-contain-kernel-keyrings/

http://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/

Gartner: Security Properties of Containers Managed by Docker

https://opensource.com/business/14/7/docker-security-selinux

http://www.projectatomic.io/blog/2014/09/yet-another-reason-containers-don-t-contain-kernel-keyrings/

http://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/

#RSAC

Directional: Containers + Virtualization

FW (app)IPS (app)WAF (app)NGFW (app)…

WAFIPSNGFWFW

LogsAlertsBehavior

Analytics

Where else might this behavior be expressed?...

Registry

Labels, Provenance,

Testing

Containers

Docker Daemon

Images

Policy

Same App IDsSame BoundariesShared Context…Aligned:

AppsServerNetwork

More actionable context, so responseis more efficient & accurate, reduced dwell time

#RSAC

Containers + Virtualization

34VMworld 2015: NET6639 - Next Horizon for Cloud Networking and Security:

https://www.youtube.com/watch?v=RBJ-KoAM-OQ&feature=youtu.be

Provider

Attest: ----- ----- -----

Tenant Tenant Tenant

Audit: ----- ----- ---- Consistent boundary X Stack

Same identifier (msid, vmid)Alignment … in any state Independent verificationAuthoritative context (OOB)

Control Boundary &Controls Alignment

VM vServer & vSwitch

Docker Engine

Operating System instance

App 1

Bins/Libs

App 2

Bins/Libs

App 2

Bins/Libs

vSwitch vSwitch vSwitchAudit: ----- ----- ----

Audit: ----- ----- ----

https://www.youtube.com/watch?v=RBJ-KoAM-OQ&feature=youtu.be

#RSAC

Application Blueprint Example - vRealize

35

Application structure and external connectivity are completely exposed to inform operationally plausible security policy

#RSAC

Enterprise Infrastructure & Containers

36

Infrastructural Context

Leveraging of PBS, PBN, Infrastructural Services

Legacy apps to cloud native apps, on the same infrastructure

Integration of governance, CJA, context (for logs, alerts, response RCA, …)

…

ESXPhoton OS

ESXPhoton OS

ESXPhoton OS

KubernetesMESOS

Photon Cont 1

Photon Cont 2

Photon Cont 3

CreateGet pods

Create Kubernetes Cluster

PhotonMachine

#RSAC

App Behavior Analysis: Arkin Example

37

Insight into application network behavior drives 1st order operationally plausible default deny posture.

#RSAC

Container

38

Intrinsically Captures Application Structure, Provenance, and Classification (pre-launch)

Always Current Configuration (immutability)

No “intended” vs. “actual” gap

Operations & Security perspectives

Immutability accommodates “moving target” defense techniques

Expose implicit network requirements in App context context.

Expose implicit app deployment requirements

Level of req’d awareness of virtual network topology

Req’d SVCs

#RSAC

Refining Micro-Segmentation Using Analytics

39

#RSAC

Sources of Plausible Micro-segment Policy




#RSAC

Micro-Segmentation: Model & Secure

• Model apps, app tiers, regulatory

scopes, network, org boundaries,

etc.

• Default Deny: Only allow what’s

necessary, Deny everything else.

Source: Arkin.net Screenshot

#RSAC

Micro-Segmentation in Action: Modeling Security Groups


Segment by applications, app tiers, security zones, L2/L3 network boundaries, virtual-physical boundaries, organizational levels, etc

#RSAC

Micro-Segmentation in Action: Modeling Security Policies


Inter and Intra Segment (VM to VM) Communication

Some services require internet access.

“Deny All” to these segments (…and confirm it)

Allowed access to shared services

#RSAC

Micro-Segmentation in Action: Validate Compliance


Runtime Effective Policy between any two points in the Datacenter

#RSAC

Summary

45

#RSAC

Summary

46

Complexity is at the heart of today’s security challenge

Virtualization and Softwarization allows app focused placement and policy alignment

Containerization provides the essential context for realizing an operationally plausible default deny policy

This resulting in transformationally simpler policy and more effective protection.

#RSAC

Apply: Assess

47

When you return to work:

Evaluate your current policy complexity

Policy set size

Policy testing workflow

Estimate its effect on security policy management

Latency in security policy updates

Estimate the degree of your “default deny” posture

Identify related instances of policy misconfiguration

#RSAC

Apply: Dev Ops

48

As move forward in DevOps:

For selected applications determine

Operationally plausible default deny posture by observed logs

Application policy requirements from container blueprints/manifests

Application component dynamics: continuity, scaling, …

For important and cross application cutting services

Document discovery, election, failover, … protocol dynamics

#RSAC

Apply: Plausible Micro-segment Policy

Plausible Policy Information Sources




#RSAC

Thank You!

Questions?Dennis R Moreau: [email protected]

Documents

Transforming Security: Containers, Virtualization and Softwarization