Securing Data Center Networks - vsb.czwh.cs.vsb.cz/sps/images/a/a6/BPSDC_L6.pdf

Data Center Networks & Cloud Computing Security
Lecture 6

Securing Data Center Networks

Pavel Moravec


Data Center Security


General Security Concepts: Network Security Objectives

Not everybody does everything needed to keep data safe, e.g. weak passwords ("Ostrava") are used
A user is compromised, or an unauthorized individual gains access to data, applications, or devices to which they should not have access
  → the security of the network may still fail as a result
Costs of maintaining security; added issues of virtualized HW
Common terms (explained already in other subjects):
  Confidentiality / Integrity / Availability (CIA)
  Asset / Vulnerability / Threat / Risk / Countermeasure


Classifying Assets (Czech: informační aktiva)

Classification of assets
  US Government: Unclassified, Sensitive but unclassified (SBU), Confidential, Secret, and Top secret
  Private sector: Public, Sensitive, Private, and Confidential
Classification criteria/roles:
  Criteria: Value, Age, Replacement cost, Useful lifetime
  Roles: Owner, Custodian, User


US CERT Traffic Light Protocol (TLP): Classification levels

Red (TLP:RED) – cannot be effectively acted upon by additional parties; recipients may not share this information.
Amber – information requires support to be effectively acted upon, but carries risks if shared. Recipients may share it inside their organization on a need-to-know basis.
Green – information useful for the awareness of all participating organizations and peers within a broader community or sector. Recipients may share it within their sector or community, but not via publicly accessible channels.
White – information with minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. It may be distributed without restriction, subject to copyright.


Typical Vulnerabilities

Human factors
Misconfiguration
  Operation under default settings (e.g. default user/password)
Design errors
Incorrect implementation
Hardware vulnerabilities
Software vulnerabilities
Protocol weaknesses
Policy flaws
Physical access to network resources
Malicious software


Countermeasures – Controls

Administrative controls – written policies, procedures, guidelines, and standards, e.g. the acceptable use policy mentioned earlier in the lectures, a change control process (when making changes to the network), background checks for users, …
Physical controls – physical security for the DC infrastructure, equipment and network servers, including redundant systems, UPSes, …
Logical/Technical controls – passwords, firewalls, intrusion prevention systems, access lists, VPN tunnels, …


Most Common Threats to Data Centers

Interruption of service / Denial of Service
Advanced persistent threats – targeted attacks including nation-state attacks
Unauthorized access
Breach of confidential information
Data alteration (modification) or theft
Data loss
Unauthorized use of computational resources
Identity theft
Virtualization-specific concerns


Networking Security Devices


Integrated Solutions for DC Security

Firewalls
  Stateless packet filtering by access control lists
  Adaptive Security Appliance (ASA) – Cisco
  Adaptive Security Virtual Appliance (ASAv) – Cisco
    Supports traditional and next-generation software-defined networks
Intrusion Detection System (IDS)
Intrusion Prevention System (IPS)
  Next-Generation Intrusion Prevention System (NGIPS)
Advanced Malware Protection (AMP) – more for other parts of the network


Firewalls

A firewall can be implemented by a single device, a group of devices, or even as software running on a device, e.g. an L3 router or an L2 switch separating VLAN traffic without routing
A firewall must be resistant to attacks, including DoS
Traffic between networks must be forced through the firewall
The firewall enforces the access control policy of the organization


Firewall methodologies

Packet filtering – decisions based only on individual packets at L3/L4
Stateful inspection firewalls – record connection information in a state table
Application inspection – analyses and verifies protocols up to L7, no proxy
Proxy servers, also known as application layer gateways (ALG) – L3 and higher, up to L7
Transparent firewalls – no IP address necessary; acts “on L2”, behaving like a bridge, but filters like an L3 firewall
Next-generation context- and application-aware firewalls – more comprehensive protection from known and advanced threats


Zone-Based Firewalls (ZBF)

Interfaces are placed into zones, created by the network administrator using a reasonable naming convention
ZBF major features include
  Stateful inspection
  Application inspection
  Packet filtering
  URL filtering
  Transparent firewalling (how it is implemented)
  Support for virtual routing and forwarding (VRF)
A policy map is created for traffic classification
  Actions: inspect (stateful inspection), permit, drop, log
A (single) service policy is applied to a zone pair unidirectionally
A “self” zone represents the router itself
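The difference between stateless packet filtering and stateful inspection, together with the unidirectional zone-pair model of a ZBF, as an added example in Python. This is a toy model written for this page; it is neither Cisco IOS configuration nor the lecture's own material. The zone names, addresses, ports and rules are constructed, and the model identifies zones by address prefix for simplicity, whereas a real ZBF assigns interfaces to zones.

```python
"""Added example: stateless ACL vs. stateful zone-pair inspection (toy model, not IOS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Constructed topology (assumption of this model): a zone is identified by address prefixes.
# A real ZBF puts interfaces into zones; the "self" zone holds the router's own addresses.
ZONES = {
    "self": [ip_network("10.0.0.1/32"), ip_network("192.0.2.1/32")],
    "INSIDE": [ip_network("10.0.0.0/8")],
    "DMZ": [ip_network("192.0.2.0/24")],
    "OUTSIDE": [ip_network("0.0.0.0/0")],
}


def zone_of(addr):
    """Longest-prefix match of an address to its zone."""
    best = None
    for zone, nets in ZONES.items():
        for net in nets:
            if ip_address(addr) in net and (best is None or net.prefixlen > best[1]):
                best = (zone, net.prefixlen)
    return best[0]


@dataclass(frozen=True)
class Rule:
    action: str        # "inspect" (stateful), "permit" (stateless) or "drop"
    proto: str = "any"
    dport: int = 0     # 0 = any destination port
    sport: int = 0     # 0 = any source port (only a stateless ACL needs to key on this)

    def matches(self, p):
        return (self.proto in ("any", p.proto) and self.dport in (0, p.dport)
                and self.sport in (0, p.sport))


class StatelessAcl:
    """Per-packet filter: every direction needs its own explicit rule, implicit deny at the end."""
    def __init__(self, rules):
        self.rules = rules

    def decide(self, p):
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "drop"


class ZoneBasedFirewall:
    """Zone pairs are unidirectional; 'inspect' records the session so replies pass by state."""
    def __init__(self):
        self.policies = {}    # (src_zone, dst_zone) -> rules of the service policy on that pair
        self.sessions = set()

    def zone_pair(self, src_zone, dst_zone, rules):
        self.policies[(src_zone, dst_zone)] = rules

    def decide(self, p):
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if reverse in self.sessions:
            return "permit"   # reply of an inspected session; no rule on the reverse pair needed
        if src_zone == dst_zone:
            return "permit"   # traffic within one zone is not subject to zone-pair policy
        if "self" in (src_zone, dst_zone) and (src_zone, dst_zone) not in self.policies:
            return "permit"   # to/from the router itself passes unless a self-zone policy exists
        for r in self.policies.get((src_zone, dst_zone), []):
            if r.matches(p):
                if r.action == "inspect":
                    self.sessions.add(key)
                    return "permit"
                return r.action
        return "drop"         # no zone pair configured, or class-default


def demo():
    """Constructed exchange: inside client to a DMZ HTTPS server, then an unsolicited DMZ packet."""
    # Stateless ACL on DMZ->INSIDE: to let HTTPS replies in, it has to permit anything from source port 443.
    acl = StatelessAcl([Rule("permit", "tcp", sport=443)])
    zbf = ZoneBasedFirewall()
    zbf.zone_pair("INSIDE", "DMZ", [Rule("inspect", "tcp", dport=443)])   # no DMZ->INSIDE pair at all
    request = Packet("10.1.1.5", 51000, "192.0.2.10", 443)
    reply = Packet("192.0.2.10", 443, "10.1.1.5", 51000)
    unsolicited = Packet("192.0.2.10", 443, "10.1.1.5", 22)   # DMZ host reaching inside SSH from port 443
    return {
        "zbf_request": zbf.decide(request),
        "zbf_reply": zbf.decide(reply),
        "zbf_unsolicited": zbf.decide(unsolicited),
        "acl_reply": acl.decide(reply),
        "acl_unsolicited": acl.decide(unsolicited),   # the stateless rule cannot tell this from a reply
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The point of the two verdict sets: the stateless filter has to open DMZ→INSIDE for every packet with source port 443, so the unsolicited packet to port 22 passes; the zone-based firewall never needs a DMZ→INSIDE pair, because the reply is admitted only while a session inspected on the INSIDE→DMZ pair exists.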


Example: Cisco ASA Features and Services

Packet filtering – ACLs from the basic computer networks course
Stateful filtering
Application inspection/awareness – processing application layer information, listening to conversations
  e.g. making FTP work in active mode (who needs it today?)
Router functions: routing, NAT/PAT, DHCP, VPN support, AAA support
Normal or transparent firewalling
(Network) Object groups – one or more address ranges, including single hosts, combined together for a single ACL entry
Next-generation firewalling (NGFW)
  Botnet traffic filtering, Advanced Malware Protection (AMP): includes advanced persistent threats (APT) & targeted attacks
High availability – fail-over between firewalls


Intrusion Detection vs. Intrusion Prevention

An IDS/IPS is a sensor – a device that looks at the traffic on the network and then makes a decision based on a set of rules to classify whether that traffic is okay or malicious
  IDS just receives a copy of the packets in promiscuous mode
  IPS forwards packets between its interfaces or drops them
    Inline mode
    A malfunctioning IPS may drop all traffic – maybe use a fail-open policy?
Terminology
  True positive – normal & optimal operation, a real attack is detected
  False positive – normal traffic is detected as an attack
  True negative – attack is not detected and treated as normal traffic
  False negative – failure to detect the attack even if it should be detected, due to IDS/IPS malfunction


IDS/IPS Types

Signature-based IPS/IDS – a set of rules looking for some specific pattern or characteristic in a packet or a stream of them
  Often provided by the IDS/IPS manufacturer on a subscription basis
  Most common (and fastest) method
Policy-based IPS/IDS – based on the company's security policy
  e.g. no SSH from outside to a segment with client stations
Anomaly-based IPS/IDS – anomalies in the computer network not seen during normal operation
  e.g. many (> 30, > 100) half-open connections (SYN flooding)
Reputation-based IPS/IDS – collects input from systems all over the planet that participate in global correlation
  e.g. flags URLs, domain names, IP addresses based on reports of or actual attacks on other networks


IPS Traffic Analysis Methods

Packet Header Matching – anomalous L2–L4 packet headers
Packet Content Matching – the payload of each packet is matched against signatures
Stateful Content Matching – reassembling L4 sessions; defeats attacks using fragmentation/segmentation
Protocol Decoding – parsing the L7 protocol from a reassembled byte stream; reduces false positives by providing context in which the sensor looks for suspicious or malicious patterns
Traffic Correlation – the sensor correlates packets from different conversations to build a “global view”; before a threshold is reached, packets are still forwarded
Rate Analysis – rate of packets of a particular protocol, esp. for stateless protocols such as UDP (> 150 packets/s)
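Three of the methods from the IDS/IPS types and traffic analysis slides above, as an added example in Python that is not part of the lecture: packet content matching against signatures, the anomaly rule that counts half-open TCP connections per target, and rate analysis of UDP packets per second. The packet records, the two signature patterns and the traffic mix are constructed for the example; the > 30 half-open and > 150 packets/s thresholds follow the figures quoted on the slides.

```python
"""Added example: signature, anomaly (half-open) and rate analysis over constructed packets."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float          # timestamp in seconds
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    dport: int
    flags: str = ""    # TCP flags: "S" = SYN, "A" = ACK, "PA" = PSH+ACK
    payload: bytes = b""


# Constructed sample signatures: byte patterns looked for in packet payloads
SIGNATURES = {
    "SQLI-UNION-SELECT": b"UNION SELECT",
    "PATH-TRAVERSAL": b"../../",
}


def signature_matches(packets):
    """Packet content matching: every payload is compared against every signature."""
    hits = []
    for p in packets:
        for name, pattern in SIGNATURES.items():
            if pattern in p.payload.upper():
                hits.append((p.src, name))
    return hits


def half_open_connections(packets):
    """Per destination host, count SYNs the client never followed with its handshake ACK."""
    pending = set()
    for p in sorted(packets, key=lambda x: x.ts):
        if p.proto != "tcp":
            continue
        key = (p.src, p.dst, p.dport)
        if p.flags == "S":
            pending.add(key)
        elif p.flags == "A":
            pending.discard(key)
    return Counter(dst for (_, dst, _) in pending)


def anomaly_alerts(packets, threshold=30):
    """Anomaly rule from the slide: more than `threshold` half-open connections to one host."""
    return [(dst, n) for dst, n in half_open_connections(packets).items() if n > threshold]


def rate_alerts(packets, proto="udp", pps_limit=150):
    """Rate analysis: packets of one protocol per destination per one-second bucket."""
    buckets = Counter()
    for p in packets:
        if p.proto == proto:
            buckets[(p.dst, int(p.ts))] += 1
    return sorted((dst, sec, n) for (dst, sec), n in buckets.items() if n > pps_limit)


def build_sample():
    """Constructed traffic: one normal session, one injection attempt, a SYN flood, a UDP burst."""
    pkts = [
        Pkt(0.0, "10.1.1.5", "192.0.2.10", "tcp", 443, "S"),
        Pkt(0.1, "10.1.1.5", "192.0.2.10", "tcp", 443, "A"),
        Pkt(0.2, "10.1.1.5", "192.0.2.10", "tcp", 443, "PA", b"GET /index.html HTTP/1.1"),
        Pkt(0.5, "203.0.113.7", "192.0.2.10", "tcp", 80, "PA", b"GET /?id=1 union select 1,2 HTTP/1.1"),
    ]
    # 40 spoofed sources, each sending one SYN that is never completed
    pkts += [Pkt(1.0 + i / 1000, f"198.51.100.{i}", "192.0.2.20", "tcp", 80, "S") for i in range(1, 41)]
    # 200 UDP packets within one second towards a DNS server
    pkts += [Pkt(2.0 + i / 1000, "203.0.113.9", "192.0.2.53", "udp", 53) for i in range(200)]
    return pkts


def run_sensor(packets=None):
    """Run all three detectors and return their alerts, keyed by method."""
    packets = build_sample() if packets is None else packets
    return {
        "signature": signature_matches(packets),
        "half_open": anomaly_alerts(packets),
        "rate": rate_alerts(packets),
    }


if __name__ == "__main__":
    for method, alerts in run_sensor().items():
        print(method, alerts)
```

The normal session completes its handshake and never appears in the half-open count, which is what keeps the anomaly rule quiet on legitimate load; the per-second bucketing in the rate detector is the simplest form of the UDP threshold the slide mentions and is where a real sensor would also apply a moving window.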


IPS Advanced Traffic Analysis Methods

Statistical Modeling – the sensor builds a statistical model describing traffic properties, e.g. traffic patterns, traffic rates, traffic composition, traffic intervals, etc. The sensor then detects any known or yet-unknown attacks that violate the learned “normal” behavior (but a false positive may be generated instead).
Event Correlation – multiple detected events are correlated to present higher-level, consolidated information, which is useful for detecting composite attacks more reliably. However, this requires quite a lot of computational power, may lead to performance degradation, and is not efficient against “slow” attacks.


IDS/IPS Best Practices

Implement an IPS so that you can analyze traffic going to your critical servers and other mission-critical devices
  A software-based module or an appliance may be used as well
Use global correlation to improve resistance against attacks that may be targeting multiple targets inside your organization or globally. Ideally use multiple sensors in your network.
Use a risk-based approach, where countermeasures are triggered based on the calculated risk rating, as opposed to manually assigning countermeasures to individual signatures.
Use automated signature updates when possible.
Tune the IPS/IDS infrastructure as traffic flows, network devices and topologies change. IPS tuning is mostly done on a brand new implementation but is never 100% complete.


IPS in a Data Centre

High-speed, highly available connectivity of the DC must be preserved, so it is important to ensure that network IPS sensors do not impact these functions and integrate well with the rest of the network.
Logical VLAN interfaces on sensors add flexibility
Performance must be well scaled
Tuning and deploying IDS/IPS for a normal DC may be easier because of specific traffic patterns, but more complex for distributed data centers.


Network Protection


Basic Network Protection Guidelines

Rule of least privilege – minimal access is provided to the required network resources, and not any more than that
Defense in depth – security is implemented at nearly every point in the depth of the network
  e.g. packet filtering at a perimeter router + firewall + IDS/IPSs analyzing traffic before it reaches the servers + host-based security precautions at the servers
  authentication and authorization mechanisms, web and e-mail security, content security, application inspection monitoring, traffic monitoring, and malware protection
Separation of duties – placing specific individuals into specific roles, checking the implementation of security policies. May also include rotating individuals through different roles periodically to verify that vulnerabilities are being addressed.
Network device hardening, AAA, use of NetFlow, …


Infrastructure Device Access Best Practices

Restrict device accessibility – limit the accessible ports and restrict the permitted communicators and methods of access.
Present legal notification – display a legal notice developed in conjunction with company legal counsel for interactive sessions.
Authenticate access – access is only granted to authenticated users, groups, and services.
Authorize actions – the actions and views permitted to any particular user, group, or service are restricted.
Ensure the confidentiality of data – protect locally stored sensitive data from viewing and copying. Consider the vulnerability of data in transit over a communication channel.
Log and account for all access – record who accessed the device, when, and what occurred, for auditing purposes.


Data Center Security Areas (Cisco SAFE)

Isolation – provides the first layer of security for the data center. Depending on the goals of the design it can be achieved through the use of firewalls, access lists, VLANs, virtualization, and physical separation. Special care must be taken when working with a virtualised DC.
Policy Enforcement – covers the traffic flows, protocols, and ports required to operate within the data center, sourced from a variety of locations, including client-to-server requests, server responses to requests, server-originated traffic, and server-to-server traffic. Requires a considerable amount of up-front planning.
Visibility – DCs are becoming very fluid in the way they scale to accommodate new virtual machines and services. Movement of virtual machines changes traffic patterns, which may make it a challenge for security administrators to maintain visibility and ensure security policy enforcement.


DC Core & Aggregation Layer Suggestions

Core – routers redistribute IGP protocols (OSPF, EIGRP), Area 0
  Incorrect peering may mean injection of incorrect routes, solved by
    Route peer authentication
    Route filtering (incl. during redistribution) – e.g. by Not-So-Stubby Areas (NSSA) used to limit the number of routes being propagated inside the data center
    Logging neighbor changes – visibility of peering problems & alerting
Aggregation layer
  Routing in the aggregation layer provides isolation, NSSAs are used
  Provides an excellent filtering point and the first layer of protection for the data center by deploying firewall services (ingress/egress traffic)
    Typically configured in an active-active design, which allows load sharing
    Firewall policy is based on the organization's security policy
    Most requests for the DC will be sourced from the internal network
    Virtual contexts may be introduced → different forwarding paths and policy enforcement depending on the traffic type and destination


Access Layer Suggestions

Access layer – works on the 2nd layer of the ISO/OSI model
  Mainly concentrating on securing Layer-2 flows
  VLAN ACLs, private VLANs
  ARP inspection, DHCP snooping, IP source guard (Cisco)
Virtual access layer – isolation of server traffic is more difficult to achieve
  traffic can reach other VMs within the same server without passing through the physical access switch; a virtual one is used instead
  who is responsible for networking and security policy?
  how to track flows inside a VM?
Encapsulated Remote Switched Port Analyzer (ERSPAN) may be deployed to forward traffic to an IPS or IDS
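How the three Layer-2 protections named above work together, as an added example in Python modelling an access switch. It was written for this page and is not Cisco code; the port names, MAC and IP addresses are constructed. DHCP server messages (OFFER/ACK) are accepted only on trusted ports, ACKs populate a binding table, and ARP replies and IP packets arriving on untrusted ports are checked against that table (the checks that ARP inspection and IP source guard perform).

```python
"""Added example: DHCP snooping bindings feeding ARP inspection and IP source guard (toy switch)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    port: str
    src_mac: str
    kind: str             # "dhcp_request", "dhcp_offer", "dhcp_ack", "arp_reply", "ip"
    ip: str = ""          # dhcp_ack: leased address; arp_reply/ip: claimed sender/source address
    client_mac: str = ""  # dhcp_ack only: the client the lease is for


class AccessSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks towards the real DHCP server
        self.client_port = {}               # MAC -> port where its DHCP request was seen
        self.bindings = {}                  # leased IP -> (MAC, port)
        self.dropped = []                   # (frame, reason) for the log

    def receive(self, f):
        if f.kind.startswith("dhcp_"):
            return self._dhcp_snooping(f)
        if f.kind == "arp_reply":
            return self._check_binding(f, "ARP inspection")
        if f.kind == "ip":
            return self._check_binding(f, "IP source guard")
        return "forward"

    def _drop(self, f, reason):
        self.dropped.append((f, reason))
        return "drop"

    def _dhcp_snooping(self, f):
        if f.kind == "dhcp_request":
            self.client_port[f.src_mac] = f.port
            return "forward"
        # OFFER/ACK are server messages: only trusted ports may carry them (blocks rogue servers)
        if f.port not in self.trusted:
            return self._drop(f, "DHCP server message on untrusted port")
        if f.kind == "dhcp_ack" and f.client_mac in self.client_port:
            self.bindings[f.ip] = (f.client_mac, self.client_port[f.client_mac])
        return "forward"

    def _check_binding(self, f, feature):
        """ARP inspection and IP source guard: untrusted ports may only use leased IP/MAC pairs."""
        if f.port in self.trusted:
            return "forward"
        if self.bindings.get(f.ip) != (f.src_mac, f.port):
            return self._drop(f, f"{feature}: {f.ip}/{f.src_mac} not bound to {f.port}")
        return "forward"


def demo():
    """Constructed sequence on one switch: a valid lease, a rogue server, a spoofed ARP and IP."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/48"})
    server, client, rogue = "00:11:22:33:44:55", "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:07"
    results = {}
    sw.receive(Frame("Gi1/0/1", client, "dhcp_request"))
    results["ack"] = sw.receive(Frame("Gi1/0/48", server, "dhcp_ack", ip="10.1.1.50", client_mac=client))
    results["rogue_offer"] = sw.receive(Frame("Gi1/0/7", rogue, "dhcp_offer", ip="10.1.1.99"))
    results["arp_ok"] = sw.receive(Frame("Gi1/0/1", client, "arp_reply", ip="10.1.1.50"))
    results["arp_spoof"] = sw.receive(Frame("Gi1/0/7", rogue, "arp_reply", ip="10.1.1.50"))
    results["ip_ok"] = sw.receive(Frame("Gi1/0/1", client, "ip", ip="10.1.1.50"))
    results["ip_spoof"] = sw.receive(Frame("Gi1/0/7", rogue, "ip", ip="10.1.1.50"))
    return results, sw


if __name__ == "__main__":
    verdicts, switch = demo()
    for name, verdict in verdicts.items():
        print(f"{name:12s} {verdict}")
    for frame, reason in switch.dropped:
        print("dropped on", frame.port, "-", reason)
```

The dependency to keep in mind when deploying this on real switches is visible in the model: both ARP inspection and IP source guard are only as good as the binding table, so hosts with static addresses on untrusted ports need an explicit static binding, and the uplink that carries legitimate DHCP replies must be marked trusted before snooping is enabled.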


Infrastructure Security Suggestions

Limiting device access – authentication and authorization via a remote AAA server (e.g. TACACS+), but local fallback is needed
Out-of-Band Management Interface Hardening – define ACLs for the OoB management network
Enable NetFlow and Syslog services for more detailed monitoring
Synchronize device clocks by using the Network Time Protocol


Services Layer Suggestions

Services layer – different combinations of security services based on the needs
Typical components include:
  Server Load Balancing via Application Control Engine (ACE) – masks the servers' real IP addresses and provides a single IP for clients to connect to over a single or multiple protocols
    e.g. SSL/TLS certificates stored locally, decrypting the traffic prior to forwarding it to the web application firewall
  Web application firewall (WAF) – secures web applications from common attack types (see e.g. the OWASP Top 10)
    but what about the more and more widespread HTTPS?
  Intrusion Prevention Systems (IPS) – deep packet and anomaly inspection, protection against common and complex embedded attacks
  Firewalls, monitoring services


Secure DC

Network security can be mapped & applied to both the physical and virtual DC networks
Zones may be used for data-centric security policy enforcement
  VM traffic is directed to a firewall context
  Segment pools of resources per zone
  Segment network traffic within the zone, separating
    System traffic
    VM traffic
    Management traffic
  Lock down elements within a zone
Unique policies and traffic decisions can be applied to each zone, creating very flexible designs
Can be used as a foundation for a secure private cloud