Showing posts with label cloud computing. Show all posts

Saturday, January 2, 2016

5G - Security

Takeaways from various industry white papers (Mainly from Ericsson, Nokia and Huawei)

Current 4G (LTE) security:

  • Encryption of traffic over the air, between the terminal and the base station.
  • Elaborate key management (a key hierarchy derived per session) so that a physical break-in at one base station does not expose long-term keys.
  • Traditional security inherited from 3G, such as
    • Tamper-resistant SIM cards to protect subscribers from the risk of fraud.
    • Strong authentication of the subscriber.
    • Strong binding of the authenticated subscriber to charging.
Drivers for 5G Security
  • Diverse usage of 5G - 5G networks will serve various industries beyond mobile phones.
    • Industry-to-industry communications.
    • Unattended terminals connecting to 5G networks (critical infrastructure)
      • Health and public safety industries (e.g. IoT devices)
      • Self-driving cars
    • Non-critical but important business services, such as
      • E-commerce
  • New service delivery models - cloud and virtualization technologies, X-as-a-Service, to reduce costs and deliver services faster.
  • Telecom operators exposing API interfaces to users and third-party services
      • Location-awareness services
      • Caching
      • Content adaptation, etc.
5G Security requirements:
  • Network Slicing
    • Problem statement:
      • There are common security requirements across multiple usages, but some usages carry additional security and compliance requirements.
        • Safety-related car systems need to follow very comprehensive standards, such as ISO 26262 (Part 6 covers product development at the software level).
        • The health care sector is governed by standards such as ISO 27799 and, in the US, HIPAA (Health Insurance Portability and Accountability Act).
        • Smart grids must comply with standards from the IEEE (Institute of Electrical and Electronics Engineers), the IEC and NIST (National Institute of Standards and Technology).
      • Essentially, each use case has its own security requirements. It is not wise to burden all usages with the union of every requirement; that is cost prohibitive.
    • Solution:
      • Network slicing. By dedicating a slice to each usage, security controls and the associated compliance certifications can be localized to the slices that need them. Compute, storage and network virtualization play an important role in isolating slices cost effectively. Note that the isolation is only as strong as the virtualization layer underneath: a hypervisor or SDN controller shared across slices is itself inside every slice's security boundary.
      • Wherever possible, data security needs to be pushed to the edge nodes (even the terminals) to keep the majority of the 5G network out of the client's data security boundary.
  • Open Identity Management
    • Problem statement:
      • So far, identity in 4G is tied to the SIM card. That is good enough in 4G, where usage is limited to mobiles and special M2M communications. With 5G being thought of as a ubiquitous network, there is a need to support enterprise ID management systems.
    • Solution: Support for various ID management systems such as LDAP, SAML and PKI-based (certificate) authentication, so that terminals can authenticate to the 5G network without a SIM card in every terminal.
  • Radio Access Network Security:
    • Problem statement: The PDCP layer in 4G ciphers user-plane data between the terminal and the base station, but integrity protection is applied only to control-plane (RRC) signalling, not to user data. Ciphering alone protects against eavesdropping; it does not protect against an on-path attacker who modifies, replays or injects traffic, because the LTE ciphering algorithms (SNOW 3G, AES-CTR, ZUC) are keystream ciphers and a bit flipped in the ciphertext flips the same bit in the plaintext undetected.
    • Solution: 5G networks are expected to mandate not only encryption but also data origin authentication and integrity protection of user-plane traffic.
  • Dynamic security architecture (Security as a Service)
    • Problem statement: Current networks built on physical security appliances are neither slice-able nor flexible enough to add new security functions. They also cannot absorb traffic explosion without revamping the security hardware.
    • Solution: Cloud and virtualization technologies combined with SFC (Service Function Chaining) allow security services to be inserted into slices, ordered, and scaled out by bringing up more VNFCs, while ensuring that every security function is applied to the traffic classes it is meant for.
  • New trust boundaries - Data Confidentiality:
    • Problem statement: Cloud, SDN and virtualization technologies introduce new attack surfaces. They also give cloud operators the ability to see client traffic as it passes between security functions. Cloud operators would like to stay out of the client's TCB, and clients would like their traffic secured from eavesdropping by anybody, operator included.
    • Solution: All traffic leaving every node of a slice is to be encrypted and tunneled, so that intermediate infrastructure carries only ciphertext.
  • Low-delay Security:
    • Problem statement: Traffic for critical services such as self-driving cars must not be delayed. Adding security functions, especially on the user plane, should not introduce large delays.
    • Solution statement: Wherever possible, user-plane traffic needs to be isolated from control-plane traffic and processed with fast-path solutions such as FPGAs and network processors. One needs to ensure that the accelerators used are trusted and made available to virtualized security functions.
  • Key Security:
    • Problem statement: Network slices (e.g. base stations) can be extended to third-party providers. Keys used to encrypt data and keys used for authentication must not be exposed in the clear, either in dynamic memory or in persistent storage, and they are expected to remain under the mobile operator's control.
    • Solution statement: Key protection using a network HSM and secure crypto execution at each node is thought to be the way to keep keys secured without hurting security performance: the node performs the crypto operation, but the key material never leaves the protected boundary in the clear.
  • Other security considerations
    • Energy efficient security
    • Trusted Compute pools and attestation of Cloud software.
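The Radio Access Network Security item above says that ciphering without integrity lets an on-path attacker alter traffic. The following is an added example, not taken from any of the white papers cited here, that shows the attack and the fix on a constructed user-plane PDU. The toy keystream (HMAC-SHA256 in counter mode) is an assumption standing in for the LTE EEA algorithms; it is not SNOW 3G, AES-CTR or ZUC, only a stream cipher with the same XOR-keystream structure. The session keys, COUNT value and payload are constructed.

```python
"""Added example: why ciphering alone, as PDCP does for LTE user-plane data, does not
stop an on-path attacker from changing the traffic, and how a per-PDU integrity tag does.

The toy keystream below (HMAC-SHA256 run in counter mode) stands in for the LTE EEA
ciphering algorithms; it is NOT SNOW 3G, AES-CTR or ZUC, only a stream cipher that
shares their XOR-keystream structure.
"""
import hashlib
import hmac
import os

MAC_LEN = 4  # 32-bit tag, the size of the MAC-I that LTE's EIA integrity algorithms produce


def keystream(key: bytes, count: int, length: int) -> bytes:
    """Toy keystream: HMAC(key, COUNT || block_index), one 32-byte block at a time."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def cipher(key: bytes, count: int, data: bytes) -> bytes:
    """Confidentiality only: data XOR keystream. Decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, count, len(data))))


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """On-path attacker without the key: XOR (old ^ new) into the ciphertext.
    Because C = P ^ K, the receiver computes C ^ old ^ new ^ K = P ^ old ^ new,
    which equals `new` wherever the original plaintext was `old`."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def protect(ck: bytes, ik: bytes, count: int, pdu: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by a tag over COUNT || ciphertext."""
    ct = cipher(ck, count, pdu)
    tag = hmac.new(ik, count.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:MAC_LEN]
    return ct + tag


def unprotect(ck: bytes, ik: bytes, count: int, data: bytes):
    """Verify the tag first; return None (discard the PDU) if it does not match."""
    ct, tag = data[:-MAC_LEN], data[-MAC_LEN:]
    expected = hmac.new(ik, count.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return cipher(ck, count, ct)


def demo():
    """Returns (plaintext the victim recovers without integrity,
                result of verifying the untampered protected PDU,
                result of verifying the tampered protected PDU)."""
    ck, ik = os.urandom(16), os.urandom(16)   # hypothetical session keys
    count = 7                                 # PDCP COUNT, also the cipher IV
    pdu = b"PAY amount=0100 to=ACC-42"        # constructed user-plane payload
    off = pdu.index(b"0100")

    # 1. Encryption only: the attacker changes the amount without decrypting anything.
    forged = tamper(cipher(ck, count, pdu), off, b"0100", b"9900")
    recovered = cipher(ck, count, forged)

    # 2. Encryption + integrity: the same bit flips are detected and the PDU is dropped.
    protected = protect(ck, ik, count, pdu)
    forged_protected = tamper(protected, off, b"0100", b"9900")
    return recovered, unprotect(ck, ik, count, protected), unprotect(ck, ik, count, forged_protected)


if __name__ == "__main__":
    tampered, genuine, detected = demo()
    print("without integrity, receiver accepts:", tampered)
    print("with integrity, genuine PDU:", genuine, "| tampered PDU:", detected)
```

The attacker never learns the key or the plaintext; knowing (or guessing) the layout of the PDU is enough. The tag is computed over the COUNT as well as the ciphertext, so a captured PDU cannot be replayed under a different sequence number either.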


Good information on 5G Security:

http://www.ericsson.com/res/docs/whitepapers/wp-5g-security.pdf

http://www.3gpp.org/DynaReport/33916.htm

http://dwaterson.com/2015/03/09/security-implications-of-5g/

http://networks.nokia.com/sites/default/files/document/conference_paper__towards_5g_security_.pdf

http://www.huawei.com/minisite/5g/img/5G_Security_Whitepaper_en.pdf

http://www.5gensure.eu/

https://www.ngmn.org/fileadmin/ngmn/content/downloads/Technical/2015/NGMN_5G_White_Paper_V1_0.pdf

https://5g-ppp.eu/


Wednesday, October 21, 2015

Security in Hybrid Cloud sans Private Cloud


Check this link :  http://blogs.barrons.com/techtraderdaily/2015/10/21/vmware-plunges-16-business-eaten-alive-by-the-public-cloud-says-street/?mod=yahoobarrons&ru=yahoo

A few predictions made earlier are becoming reality. Pure private clouds are slowly disappearing. Enterprises are increasingly using public clouds for many workloads and keeping very small private clouds for critical workloads. The combination of public cloud hosting with a private cloud is called hybrid cloud.

I believe that the hybrid cloud market as defined today (private + public combination) would decline over time and become a niche market. But another kind of hybrid cloud market, where Enterprises use multiple public clouds, would increase in future.

Security considerations: In my view, Enterprises need to embed security in their workloads and not depend on the generic security solutions provided by cloud operators. A few reasons why this is required:

  • Enterprises may need to host their services in various countries, some of which lack stringent laws on data protection and data security.
  • Enterprises may not want to depend on the integrity of the cloud operator's administrators.
  • Enterprises may not want cloud operators to share their data and security keys with governments without their consent.
What it means is that :
  • Enterprises would need to consider hypervisor domain as insecure, at least for data.
What Enterprises would do in future:
  • Security will be built within the workloads (VMs)
    • Threat protection such as firewall, IPS, WAF.
    • Transport-level data security such as SSL/TLS.
    • Network-level security such as IPSec, OpenVPN
  • Visibility would be built into the virtual machines for 
    • Performance visibility
    • Traffic visibility
    • Flow visibility
Essentially, virtual machines would have all necessary security and visibility agents built into them. Centralized management systems, controlled by Enterprises,  will now configure these agents from a central location to make the configuration & management simpler.

There is a concern that if security is built into the VMs, then attacker exploiting the applications in the VMs may be able to disable the built-in security functions, falsify the data or send wrong information to analytic engines. 

That is a valid concern. I believe that containers would help in mitigating those concerns.
  • Run all security functions in the root container of the VM.
  • Run applications in non-root containers within the VM.
Isolation provided by containers can mitigate the challenges of combining security with the applications. The caveat is that container isolation is enforced by the shared VM kernel: an application that escalates to the kernel reaches the security functions too, so the kernel attack surface exposed to the application containers (capabilities, syscalls, mounted devices) has to be kept minimal.

Service Chaining: Traditionally, multiple security services are applied by virtual appliances in the middle of the path. If the traffic is encrypted end-to-end, these middle appliances cannot do a good job. Yes, that is true. This can be solved by Cloud-SFC (SFFs within the virtual machines), where the VM's own SFF, which sees the traffic in the clear, steers it to the various middle appliances or container services within the VM. More later on this...

I believe that with the increasing popularity, flexibility, scale-out and performance provided by CSPs, it is just a matter of time before private clouds disappear or decline dramatically. Cloud users (Enterprises) would go for inbuilt security within VMs to host them in public clouds, and security/visibility companies would have to address this trend. In my view, only those security/visibility companies would survive. Maybe dramatic? What do you think?



Monday, March 3, 2014

SDN Controller - What to look for?

Introduction

The ONF is standardizing OpenFlow as one protocol for non-proprietary communication between a central control plane entity and distributed data plane entities. SDN Controllers are the ones which implement the control plane for various data path entities. OVS, being part of the Linux distributions, is becoming the de facto virtual switch in data centers and the service provider market. The OVS virtual switch, sitting in the Linux host, acts as the switch (data path entity) between the virtual machines on that host and the rest of the network.

As with virtualization of compute and storage, networks are also being virtualized. VLANs used to be one of the techniques to realize virtual networks. With the limit on the number of VLANs (a 12-bit ID, about 4K networks) and the inability to extend VLAN-based virtual networks over L3 networks, overlay-based virtual network technology is replacing VLANs. VXLAN is becoming the overlay protocol of choice: virtual switches such as OVS support it, and it is becoming the de facto overlay protocol in data center and service provider networks.

Another important technology that is becoming popular is OpenStack, a virtual resource orchestration technology to manage virtualization of compute, storage and network resources. The Neutron component of OpenStack takes care of configuration and management of virtual networks and network services such as routers, DHCP, firewalls, IPSec VPN and load balancers. Neutron provides an API to configure these network resources; Horizon, the GUI of OpenStack, provides the user interface for these services.

Network Nodes (a term used by the OpenStack community) normally sit at the edge of the data center. They provide firewall capability between the Internet and data center networks, IPSec capability to terminate tunnels with peer networks, SSL offload, and load balancing to distribute incoming connections across servers. Network nodes also act as routers between external networks and internal virtual networks. In today's networks, network nodes are self-contained devices with both control plane and data plane in each node. Increasingly, it is being felt that SDN concepts can be used to separate the control plane and normal-path software from the data plane and fast-path software.

Network nodes are also being used as routers across virtual networks within data centers for east-west traffic. Some even use them as firewalls and load balancers for east-west traffic. Increasingly, it is being realized that network nodes should not be burdened with east-west traffic; rather, the virtual switches within each compute node should do this job. That is, virtual switches are being thought of as distributed router, firewall and load balancer for east-west traffic.

Advanced network services which do deep inspection of packets and data, such as Intrusion Prevention, Web Application Firewalls and SSL offload, are being deployed in L2 transparent mode to avoid reconfiguration of networks and to make vMotion easy. Deployed as virtual appliances, they also provide agility and scale-out. This requires traffic steering capability to steer the traffic across the required virtual appliances. Though most network services are needed for north-south traffic, some of them (such as IPS) are equally needed for east-west traffic.

Requirements

As one can see from the above introduction, operators would like to see the following supported by the centralized control plane entity (SDN Controllers):
  • Realization of virtual networks
  • Control plane for network nodes 
  • Normal path software for network nodes.
  • Traffic Steering capability to steer the traffic across advanced network services
  • Distributed routing, firewall & Load balancing capability for east-west traffic.
  • Integration with Openstack Neutron

At no time, centralized entity should  become a bottleneck, hence following additional requirements come in play.

  • Scale-out of control plane entity (Clustered Controllers) - Controller Manager.
  • Performance of each control plane entity.
  • Capacity of each control plane entity.
  • Security of control plane entity

Let us dig through each one of the above.

Realization of Virtual Networks:

SDN Controller  is expected to provide following:

Functionality

  • Ability to program the virtual switches in compute nodes.
  • No special agent in compute nodes.
  • Ability to use OVS via OpenFlow 1.3+.
  • Ability to realize VXLAN-based virtual networks using the flow-based tunneling mechanism provided by OVS (tunnel destination and VNI set per flow, rather than one tunnel port per peer).
  • Ability to realize broadcast and unicast traffic using OF groups.
  • Ability to integrate with OpenStack to learn VM MAC addresses and the compute nodes on which they are present.
  • Ability to use the above repository to program flow entries in the virtual switches without resorting to broadcasting traffic to all peer compute nodes.
  • Ability to auto-learn VTEP entries.
  • Ability to avoid multiple data path entities in a compute node - one single data path per compute node.
  • Ability to honor security groups configured in OpenStack Nova, that is, to program flows based on the security group configuration without using iptables in the compute node.
  • Ability to use a connection-tracking feature to enable stateful firewall functionality.
  • Ability to support IPSec in virtual networks across compute nodes.
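The flow-based tunneling, OF-group flooding and "no broadcast to peers" items above describe one piece of controller logic. Below is an added example of that logic, written for this page and not taken from any controller product; it turns a MAC/VNI/host repository (constructed here to stand in for what a controller learns from Neutron) into ovs-ofctl rule text for one compute node. Assumptions: a single br-tun style bridge per host, the VXLAN tunnel port is OpenFlow port 100 created with options:remote_ip=flow, and group ids above 0x10000 are free for local-only flood groups.

```python
"""Added example (not from the page or any product it mentions): the flow-programming
logic a controller needs to realize VXLAN virtual networks on OVS from the MAC/VNI/host
repository it learns from OpenStack, without flooding unknown unicast across hosts.

Output is ovs-ofctl / OpenFlow 1.3 rule text. Assumptions (constructed for the example):
one br-tun style bridge per compute node, the VXLAN tunnel port is OpenFlow port
VXLAN_PORT configured with options:remote_ip=flow, and INVENTORY is what the
controller learned from Neutron ports.
"""

VXLAN_PORT = 100            # ofport of the flow-based VXLAN tunnel port on every host
LOCAL_FLOOD_BASE = 0x10000  # group ids for local-only (split-horizon) flood groups
BCAST = "dl_dst=01:00:00:00:00:00/01:00:00:00:00:00"  # matches broadcast and multicast

# Constructed repository: (vm mac, VNI / segmentation id, hosting compute node, ofport there)
INVENTORY = [
    ("fa:16:3e:00:00:01", 100, "10.0.0.1", 3),
    ("fa:16:3e:00:00:02", 100, "10.0.0.2", 4),
    ("fa:16:3e:00:00:03", 100, "10.0.0.3", 5),
    ("fa:16:3e:00:00:04", 200, "10.0.0.1", 6),
    ("fa:16:3e:00:00:05", 200, "10.0.0.2", 7),
]


def build_rules(host, inventory=INVENTORY):
    """Return (flows, groups) for the virtual switch on `host`.

    Table 0 classifies: VM ports get their VNI loaded into tun_id and go to table 1;
    tunnel ingress (tun_id already set from the VXLAN header) goes to table 2.
    Table 1 (from VMs): unicast to a local port or to the owning VTEP; flood via a group
    covering local ports plus every remote VTEP that hosts the VNI; unknown unicast is
    dropped, never flooded.
    Table 2 (from tunnels): local delivery only, so a flood never re-enters the overlay.
    """
    local = [(mac, vni, port) for mac, vni, h, port in inventory if h == host]
    remote = [(mac, vni, h) for mac, vni, h, _ in inventory if h != host]
    vnis = sorted({vni for _, vni, _ in local})
    flows, groups = [], []

    for _mac, vni, port in local:
        flows.append(f"table=0,priority=10,in_port={port} actions=set_field:{vni:#x}->tun_id,resubmit(,1)")
    flows.append(f"table=0,priority=5,in_port={VXLAN_PORT} actions=resubmit(,2)")
    flows.append("table=0,priority=0 actions=drop")

    for mac, vni, port in local:
        flows.append(f"table=1,priority=10,tun_id={vni:#x},dl_dst={mac} actions=output:{port}")
        flows.append(f"table=2,priority=10,tun_id={vni:#x},dl_dst={mac} actions=output:{port}")
    for mac, vni, h in remote:
        if vni in vnis:  # only program networks that actually have a VM on this host
            flows.append(f"table=1,priority=10,tun_id={vni:#x},dl_dst={mac} "
                         f"actions=set_field:{h}->tun_dst,output:{VXLAN_PORT}")

    for vni in vnis:
        flows.append(f"table=1,priority=5,tun_id={vni:#x},{BCAST} actions=group:{vni}")
        flows.append(f"table=2,priority=5,tun_id={vni:#x},{BCAST} actions=group:{LOCAL_FLOOD_BASE + vni}")
        local_buckets = [f"bucket=output:{port}" for _, v, port in local if v == vni]
        remote_vteps = sorted({h for _, v, h in remote if v == vni})
        remote_buckets = [f"bucket=set_field:{h}->tun_dst,output:{VXLAN_PORT}" for h in remote_vteps]
        groups.append(f"group_id={vni},type=all," + ",".join(local_buckets + remote_buckets))
        groups.append(f"group_id={LOCAL_FLOOD_BASE + vni},type=all," + ",".join(local_buckets))
    flows += ["table=1,priority=0 actions=drop", "table=2,priority=0 actions=drop"]
    return flows, groups


if __name__ == "__main__":
    flows, groups = build_rules("10.0.0.1")
    for g in groups:   # groups must exist before flows reference them
        print(f"ovs-ofctl -O OpenFlow13 add-group br-tun '{g}'")
    for f in flows:
        print(f"ovs-ofctl -O OpenFlow13 add-flow br-tun '{f}'")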

Capacity: 

Capacity is entirely based on the deployment scenario. To the best of my knowledge, I believe these parameters are realistic from a deployment perspective and also based on the capability of the hardware.
  • Ability to support 256 compute nodes per controller entity. If there are more than 256 compute nodes, additional controllers in the cluster should take care of the rest.
  • Ability to support multiple controllers - Ability to distribute controllers across the virtual switches.
  • Support for 16K Virtual networks.
  • Support for 128K Virtual ports
  • Support for 256K VTEP entries.
  • Support for 16K IPSec transport mode tunnels

 Performance

  • 100K Connections/sec per SDN Controller node (Due to firewall being taken care in the controllers).  With new feature, that is being thought in ONF, called connection template,  this requirement of 100K connections/sec can go down dramatically.  I think 50K connections/sec or connection templates/sec would be good enough.
  • 512 IPSec tunnels/sec.

Control Plane & Normal Path software for network nodes

Functionality such as router control plane,  Firewall normal path,  Load balancer normal path & control plane for IPSec (IKE) are the requirements to implement control plane for network nodes.

Functionality

  • Ability to integrate with Neutron configuration of routers,  firewalls,  load balancers & IPSec.
  • Support for IPv4 & IPv6 unicast routing protocols - OSPF, BGP, RIP and IS-IS.
  • Support for IPv4 & IPv6 Multicast routing protocols - PIM-SM
  • Support for IP-tables kind of firewall normal path software.
  • Support for IKE with public key based authentication.
  • Support for LVS kind of L4 load balancing software.
  • Ability to support multiple routes, firewall, load balancer instances.
  • Ability to support multiple Openflow switches that implement datapath/fastpath functionality of network nodes.
  • Ability to receive exception packets from Openflow switches, process them through control plane/normal-path software & programming the resulting flows in openflow switches.
  • Ability to support various extensions to Openflow specifications such as
    • Bind Objects 
      • To bind client-to-server & Server-to-client flows.
      • To realize IPSec SAs
      • To bind multiple flow together for easy revalidation in case of firewalls.
    • Multiple actions/instructions to support:
      • IPSec outbound/inbound SA processing.
      • Attack checks - Sequence number checks.
      • TCP sequence number NAT with delta history table.
      • Generation of ICMP error messages.
      • Big Metadata
      • LPM table support
      • IP Fragmentation
      • IP Reassembly on per table basis.
      • Ability to go back to the tables whose ID is less than the current table ID.
      • Ability to receive all pipe line fields via packet-in and sending them back via packet-out.
      • Ability for controller to set the starting table ID along with the packet-out.
      • Ability to define actions when the flow is created or bind object is created.
      • Ability to define actions when the flow is  being deleted or bind object is being deleted.
      • Connection template support to auto-create the flows within the virtual switches.

 Capacity

  • Ability to support multiple network node switches - Minimum 32.
  • Ability to support multiple routers -  256 per controller node,  that is, 256 name spaces per controller node.
  • Ability to support 10K Firewall rules on per router.
  • Ability to support 256 IPSec policy rules on per router.
  • Ability to support 1K pools in LVS on per router basis.
  • Ability to support 4M firewall/Load balancer sessions.
  • Ability to support 100K IPSec SAs (if you need to support mobile users coming in via IPSec).

Performance

  • 100K Connections or Connection templates/sec on per controller node basis.
  • 10K IPSec SAs/sec on per controller node basis.

Traffic Steering 

Functionality

  • Ability to support network service chains
  • Ability to define multiple network services in a chain.
  • Ability to define bypass rules - to bypass some services for various traffic types.
  • Ability to associate multiple network service chains to a virtual network.
  • Ability to define service chain selection rules - Select a service chain based on the the type of traffic.
  • Ability to support multiple virtual networks.
  • Ability to establish rules in virtual switches that are part of the chain.
  • Ability to support scale-out of network services.

Capacity:

  • Support for 4K virtual networks.
  • Support for 8 network services in each chain.
  • Support for 4K chains.
  • Support for 32M flows.

Performance

  • 256K Connections Or connection templates/sec.

Distributed Routing/Firewall/Load balancing for East-West traffic

As indicated before, virtual switches in the compute nodes should be used as data plane entity for these functions. As a controller, in addition to programming the flows to realize virtual networks and traffic steering capabilities,  it should also program flows to control the traffic based on firewall rules and direct the east-west traffic based on the routing information and load balancing decisions.

Functionality

  • Ability to integrate with Openstack to get to know the routers, firewall & LB configurations.
  • Ability to act as control plane/normal-path entity for firewall & LB (Similar to network node except that it programs the virtual switches of compute nodes).
  • Ability to add routes in multiple virtual switches (Unlike in network node where the routes are added to only corresponding data plane switch).
  • Ability to support many extensions (as specified in network node section).
  • Ability to collect internal server load (For load balancing decisions).

 Capacity

  •  Support for 512 virtual switches.
  •  8M+ firewall/SLB entries.

 Performance

  • 100K Connections/sec by one SDN controller node.

SDN Controller Manager

When there are multiple controller nodes in a cluster or multiple clusters of controllers,  I believe there is a need for a manager to manage these controller nodes.

Functionality

  • Ability to on-board new clusters 
  • Ability to on-board new controller nodes and assigning them to clusters.
  • Ability to recognize virtual switches - Automatically wherever possible.  Where not possible, via on-boarding.
  • Ability to associate virtual switches to controller nodes and ability  to inform controller nodes on the virtual switches that would be connected to it.
  • Ability to schedule virtual switches to controller nodes based on controller node capabilities to take in more virtual switches.
  • Ability to act as a bridge between Openstack Neutron & SDN controller nodes in synchronizing the resources & configuration of Neutron with all SDN controller nodes.  Configuration includes:
    • Ports & Networks.
    • Routers
    • Firewall, SLB & IPSec VPN configuration.
  • Ensuring that configuration in appropriate controller node is set to avoid any race conditions.
  • Ability to set backup relations.

Securing the SDN Controller

Since the SDN Controller is the brain behind the realization of virtual networks and network services, it must be highly available and not prone to attacks. Some of the security features it should implement, in my view, are:
  • Support TLS-protected OF connections (the OpenFlow channel carries every flow rule; in the clear it can be read or rewritten by anyone on the management network).
  • Accept connections only from authorized virtual switches, i.e. require a switch certificate signed by the switch CA and check the presented identity against the on-boarded switch list, not just the source IP.
  • Always work with a backup controller.
  • Synchronize state information with the backup controller.
  • DDOS Prevention
    • Enable the SYN cookie mechanism.
    • Enable a host-based firewall.
    • Allow only traffic that is of interest to the SDN Controller. Drop all other traffic.
    • Enable rate limiting of the traffic.
    • Enable rate limiting on the exception packets (packet-in) from virtual switches, per switch, so that one compromised or misbehaving switch cannot starve the others.
    • Control the number of flow setups/sec.
  • Constant vulnerability assessment.
  • Robustness testing of the OpenFlow and management interfaces with fuzzing and evasion tools such as fragroute and ISIC, to surface protocol-handling bugs (this complements, but does not replace, checking for known vulnerabilities).
  • Always authenticate the configuration users.
  • Give higher priority to configuration traffic.
Note: If one SDN controller node implements all the functions listed above, all the performance and capacity requirements must be combined.
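Two of the items above, accepting only authorized switches and rate limiting exception packets per switch, are shown below as an added example written for this page; it is not the code of any controller named here. Switch DPIDs, certificate names and the traffic pattern are constructed, and time is passed in explicitly (milliseconds) so the behaviour is deterministic.

```python
"""Added example (not from the page or any product it names): two of the controller
hardening items above in code, namely accepting OpenFlow connections only from
on-boarded switches and rate limiting packet-in (exception) traffic per switch
so that one misbehaving switch cannot starve the rest of the cluster.

Time is passed in explicitly (milliseconds) so the behaviour is deterministic;
a real controller would use a monotonic clock. All identifiers are constructed.
"""

# On-boarded switches: datapath id -> the certificate identity (CN) the switch's
# TLS client certificate must carry. Populated by the controller manager at on-boarding.
AUTHORIZED_SWITCHES = {
    0x0000000000000001: "ovs-compute-01",
    0x0000000000000002: "ovs-compute-02",
}


class TokenBucket:
    """Integer token bucket: `rate` tokens per second, `burst` tokens maximum.
    Tokens are stored in thousandths to avoid float drift."""

    def __init__(self, rate, burst, now_ms):
        self.rate = rate
        self.cap = burst * 1000
        self.tokens = self.cap
        self.last = now_ms

    def take(self, now_ms):
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class ControllerGuard:
    def __init__(self, per_switch_rate=20, per_switch_burst=10,
                 global_rate=1000, global_burst=500, now_ms=0):
        self.per_switch_cfg = (per_switch_rate, per_switch_burst)
        self.buckets = {}
        self.global_bucket = TokenBucket(global_rate, global_burst, now_ms)

    def accept_connection(self, dpid, peer_cn):
        """Called after the TLS handshake: the certificate chain has already been
        validated against the switch CA; here that identity is bound to the DPID."""
        return AUTHORIZED_SWITCHES.get(dpid) == peer_cn

    def on_packet_in(self, dpid, now_ms):
        """Admission decision for one exception packet from `dpid`."""
        if dpid not in AUTHORIZED_SWITCHES:
            return "reject-unauthorized"
        bucket = self.buckets.get(dpid)
        if bucket is None:
            bucket = self.buckets[dpid] = TokenBucket(*self.per_switch_cfg, now_ms)
        if not bucket.take(now_ms):
            return "drop-switch-limit"   # this switch exceeded its own share
        if not self.global_bucket.take(now_ms):
            return "drop-global-limit"   # controller-wide flow-setup budget exhausted
        return "accept"


def simulate():
    """Constructed traffic: switch 1 sends 50 packet-ins in one second (50/s against a
    20/s allowance with burst 10); an unknown DPID sends 5. Returns counts per outcome."""
    guard = ControllerGuard(now_ms=0)
    counts = {}
    for i in range(50):
        outcome = guard.on_packet_in(0x1, now_ms=i * 20)
        counts[outcome] = counts.get(outcome, 0) + 1
    for i in range(5):
        outcome = guard.on_packet_in(0xDEAD, now_ms=1000 + i)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    g = ControllerGuard()
    print(g.accept_connection(0x1, "ovs-compute-01"), g.accept_connection(0x1, "ovs-compute-99"))
    print(simulate())
```

On the OVS side the matching configuration is `ovs-vsctl set-ssl <switch-privkey> <switch-cert> <controller-cacert>` followed by `ovs-vsctl set-controller <bridge> ssl:<controller-ip>:6653`; the controller then presents its own certificate and must verify the switch's against the switch CA before the DPID binding above is even consulted. The global bucket is what keeps the "flow setups/sec" item honest when many switches are each within their own limit.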

Check the SDN controller from Freescale, which has a comprehensive feature set and takes advantage of multiple cores to provide a very high performance system. Details here: http://www.freescale.com/webapp/sps/site/prod_summary.jsp?code=VORTIQA_OND


Thursday, August 21, 2008

Data Center Firewall features

What makes firewall a good data center firewall?

Before going further on what features are expected by data center IT/security professionals, it is good to revisit the data centers. Data center providers are mainly hosting providers. They host their customers' applications and machines. Some customers of data centers share a machine, some like to host their application in a virtual system and some like to host their applications on dedicated machine(s)/blades. To provide availability and share the load, application servers are installed on multiple machines with "load balancers" distributing the load across the server farm. As we all know, HTTP/HTTPS servers are by far the most common server application in data centers. Most of the time, the services provided by hosted servers are meant for the general public.

Increasingly, there is a trend of Enterprises offloading the hosting of Intranet servers to external data center providers. Intranet servers typically provide access to employees and limited access to partners. For example, many email services, SharePoint and wikis are being offloaded to data center providers by small and medium Enterprises. Many of these services require user authentication. Enterprises don't like to duplicate user databases in multiple machines/applications, so you also see the trend of a 'central authentication database' shared by internal servers and servers hosted outside. Many web applications provide SAML-based authentication for federated identity. Since the web services need to talk to outside identity providers, there can be outbound connections. Note that, traditionally, servers in data centers only see inbound connections.

Enterprise administrators also require facilities to upload content and perform other administrative activities on hosted servers. Typically FTP and SSH are some of the services required by administrators. Some applications might have a web interface on port 80/443 for administration. To provide added security beyond user authentication, data center providers like to restrict admin access to particular network(s), typically the Enterprise networks.

With more and more services (both Intranet and Extranet) being hosted in external data centers, the need for securing them is high. Collaborative services/servers such as wikis, SharePoint, CRMs and other workflow servers typically used to be part of Enterprise networks and accessible only to local users. They are being hosted in external data centers for reasons such as providing access from anywhere for employees, partners, contractors etc., and also to reduce the administration headache. Since they are exposed to access from anywhere, they are open to attack. So the need for detection and prevention of exploits becomes much greater than what data centers are used to. A quick look at the vulnerabilities published by NIST (nvd.nist.gov) indicates that SQL injection, XSS and LFI/RFI are on the rise. You can also see that many wikis, blogs and other collaborative applications are targets of attackers.

When Intranet servers are placed in an external hosting provider's network, Enterprises would like the communication channels to be secured to protect data from eavesdropping. HTTP over SSL/TLS is one common method used to achieve data confidentiality on the wire. For security devices placed in front of these servers to do a better job of access control, intrusion detection and detection of malicious injections, it is necessary for them to see the traffic in the clear. To achieve this, security devices should have the capability to decrypt the SSL, do the traffic/data analysis and, if required, re-encrypt towards the server. Since security devices are expected to sit right in front of the servers, there may not be any need to redo the SSL. But the important takeaway is that the security device should be able to terminate SSL connections, which also means it holds the servers' private keys and becomes a high-value target itself.

For the last few years, many web applications have been using SOA (Service Oriented Architecture), which is built upon XML standards. Traditional plain POST requests, JSON and PHP objects are fast becoming a thing of the past. Any security device doing intrusion and data analysis needs to move beyond POST, JSON and PHP objects and start interpreting SOAP and XML.

Data center providers provide services to many customers. Each customer's requirements from a security perspective are different; one generic security policy does not fit these environments. You could have as many firewalls as customers, but that is not scalable from a cost, space and cooling perspective. Virtualization in firewall/security devices comes in handy. Virtualization with VMware/Xen (one full guest per customer) also does not scale well here. Old traditional virtualization (virtual contexts that share one firewall engine, each with its own configuration and state) scales well and suits data center providers.

Since the security device sits in the path of the traffic, its performance should be high enough to support the traffic rate that the servers/services it is securing can process. Latency, stability, availability and failover capabilities are some more important factors data center providers consider while selecting security devices.

With the above background, it is easy to map the features expected by data center providers from a security device protecting their application and server infrastructure.
  • Access Control: As you see above, access control sometimes needs to go beyond IP addresses and TCP/UDP ports. Some web applications provide administrator and normal user access via the same TCP/UDP port, so administrators and normal users cannot be distinguished by IP addresses and ports. Since many data center providers don't like admin access to be given from any IP address but only from specific networks, the access control must extend to application-level information such as the URL, query parameters, etc. The URL must be normalized (percent-decoding, dot-segment resolution) before matching, or the restriction is trivially bypassed by encoding.
  • Intrusion Detection and Prevention at L3-L7: As explained above, typical traditional intrusion detection systems without web application intelligence will not be able to detect intrusions all the time. There are many evasions employed by attackers. Some evasions are at the IP and TCP level and more are at the HTTP protocol level; hence protocol intelligence is required. In addition, with SOA-based web services, intrusion detection systems need the intelligence to extract data from SOAP/XML messages. Beyond web application intelligence, they also need intelligence about other common services provided by hosting providers such as DNS, FTP, SIP etc.
  • SSL Proxy: The network device should be able to terminate SSL for further analysis of the protocol data.
  • Virtualization: One physical hardware box is expected to support multiple virtual instances to reduce the number of security devices in the deployment. Each virtual instance would need its own security policy configuration and should be as good as a separate physical firewall device. I personally don't prefer VMware/Xen/KVM-based virtualization for these environments. I prefer traditional virtualization where only configuration data and run-time state are instantiated for every context.
  • DDOS attack detection and prevention.
  • Traffic Anomaly detection and traffic Control.
  • Performance: To achieve multi gigabit speeds, look for hardware architecture which is scalable.
  • Stateful failover and high availability
  • Logging & Auditing capabilities
  • Intuitive central Management system
Optional features: Though they are not required, some data centers might find them useful
  • Server-side NAC: Provide a facility for user-based access control. NAC does user authentication and controls access to the different features of an application based on the URL and other fields in the protocol. It also helps in correlating user actions and might be useful in auditing.
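The Access Control item above asks for URL- and query-aware restriction of admin access to specific networks, and the Intrusion Detection item warns about HTTP-level evasions. The following is an added example for this page, not taken from any product: a small request-line policy check that normalizes the target before matching, shown beside the naive raw-prefix check so the evasions are visible. The admin path, the enterprise network (a TEST-NET range), the query marker and all requests are constructed.

```python
"""Added example (not from the page): application-level access control of the kind
described under "Access Control" above, with the URL normalization the "Intrusion
Detection" item calls for. Naive prefix matching on the raw request target is shown
beside the normalized check so the evasions are visible. Networks, paths and requests
are constructed for the example.
"""
import ipaddress
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed policy: admin surface reachable only from the enterprise egress range.
ADMIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ADMIN_PATH_PREFIXES = ("/admin",)
ADMIN_QUERY_MARKERS = {"module": {"admin"}}   # e.g. /index.php?module=admin
MAX_DECODE_ROUNDS = 3


def normalize_path(raw_path):
    """Undo the encodings a backend would undo before routing: percent-decoding
    (repeated, bounded, to catch double encoding), backslash-as-slash, dot-segment
    resolution, and lower-casing. This must mirror the protected server's behaviour."""
    path = raw_path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    path = posixpath.normpath("/" + path.lstrip("/"))   # collapses /./, /../ and //
    return path.lower()


def is_admin_request(target):
    parts = urlsplit(target)
    path = normalize_path(parts.path)
    if any(path == p or path.startswith(p + "/") for p in ADMIN_PATH_PREFIXES):
        return True
    query = parse_qs(parts.query)
    return any(
        val.lower() in markers
        for key, markers in ADMIN_QUERY_MARKERS.items()
        for val in query.get(key, [])
    )


def decide(request_line, src_ip):
    """Return 'allow' or 'deny' for one HTTP request line from `src_ip`."""
    _method, target, _version = request_line.split(" ", 2)
    if not is_admin_request(target):
        return "allow"
    src = ipaddress.ip_address(src_ip)
    return "allow" if any(src in net for net in ADMIN_NETWORKS) else "deny"


def naive_decide(request_line, src_ip):
    """What a port/IP firewall with a bolted-on string match does: raw prefix test only."""
    _method, target, _version = request_line.split(" ", 2)
    if not target.startswith("/admin"):
        return "allow"
    src = ipaddress.ip_address(src_ip)
    return "allow" if any(src in net for net in ADMIN_NETWORKS) else "deny"


REQUESTS = [  # constructed: (request line, source address)
    ("GET /admin/users HTTP/1.1", "203.0.113.10"),                # admin from the enterprise: fine
    ("GET /admin/users HTTP/1.1", "198.51.100.7"),                # admin from the Internet: deny
    ("GET /%61dmin/users HTTP/1.1", "198.51.100.7"),              # percent-encoded 'a'
    ("GET /%2561dmin/users HTTP/1.1", "198.51.100.7"),            # double-encoded
    ("GET /static/../admin/ HTTP/1.1", "198.51.100.7"),           # dot-segment traversal
    ("GET /index.php?module=Admin&x=1 HTTP/1.1", "198.51.100.7"), # admin via query parameter
    ("GET /blog/post?id=1 HTTP/1.1", "198.51.100.7"),             # ordinary user traffic
]


def evaluate():
    """Return (request line, naive decision, normalized decision) for each constructed request."""
    return [(line, naive_decide(line, ip), decide(line, ip)) for line, ip in REQUESTS]


if __name__ == "__main__":
    for line, naive, strict in evaluate():
        print(f"naive={naive:5} strict={strict:5}  {line}")
```

The normalization has to match what the protected server does, no more and no less: lower-casing is right for a case-insensitive backend and wrong for a case-sensitive one, and a decoder that is more lenient than the server produces false denies while one that is stricter produces bypasses. The bounded decode loop exists because an unbounded one is itself a denial-of-service vector.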
My intent here is not to go into many details, but provide some ideas on the features security vendors would need to think while providing security device solutions to data center market.

Tuesday, June 17, 2008

OpenDNS - Domain filtering Cloud computing Service

I recently came across the *opendns* service. Visit www.opendns.com to find out more details on this service. "opendns" is a confusing name given the type of service they are providing. Initially, I thought it was something similar to dynamic DNS.

Operation:
OpenDNS mainly provides domain blocking capability. Domains are arranged in multiple categories. It provides a facility for users to configure which categories are to be blocked. It also provides a facility for users to create white lists and block lists of domain names.

This service uses the DNS protocol. It expects the user machines or routers to use its DNS servers for domain name resolution. As part of DNS resolution, it appears to extract the domain name from the DNS request packet, look it up in its local database to get the category, and then consult the user's preferences. If the category is configured to be blocked or the domain is in the block list, then the openDNS server seems to send a DNS response containing its own IP address. Because of this, the user's browser session ends up at that IP address. OpenDNS seems to look up the domain name (Host field of the HTTP request header) again to determine the category, and shows a nice page indicating why it was blocked.

Comments:
This service is good for residential users and even for business users. Residential users benefit by blocking adult sites for kids and by being stopped from visiting phishing sites. Businesses also benefit as it stops users going to phishing sites. Having said that, this works well only when CPE devices work in conjunction with the openDNS service. Before going into the capabilities required in CPE devices, let me list some limitations/issues in using the opendns service.

  • Privacy issues: Some businesses find it difficult to trust the opendns provider due to privacy issues, since the *openDNS* provider comes to know which sites business users are visiting. A business may like to have a facility for some users to bypass this service and to mandate it for others. Also, businesses would like a facility to bypass openDNS based domain name resolution for some specific domain names.
  • User or group based white list/block lists/category selection: There are different types of employees in businesses. Also, there are different types of home users - kids, parents, visitors, teens etc. OpenDNS provides only one profile for all users. This may not be sufficient for many businesses and residential users.
  • Evasion: Kids can evade these filters if they use an IP address in their browsers.
  • Updating the dynamic public IP address in the opendns account.
How can CPEs help?

User/Group based lists: User/Group based list support is only possible if openDNS updates its functionality. One possible way is to have a special DNS request with added information such as a GroupID. The OpenDNS service can provide a facility in the openDNS portal to create category selection/blocklist/whitelist on a per-group basis. Since one can't expect all PCs to support this special enhancement to the DNS protocol, this kind of support is possible with CPEs implementing a DNS proxy that converts DNS requests to add the Group ID.

Privacy: CPE devices can help in mitigating privacy issues by providing support to create 'skip' lists - a Source skip list and a Domain skip list. If the source IP address of a DNS request packet from an internal PC matches an entry in the 'Source Skip' list, then it bypasses openDNS based resolution. It can do this by sending the DNS request to one of the ISP's domain name servers. The 'Domain Skip list' is checked against the domain names inside DNS requests sent by local machines. If there is a match, then it bypasses the openDNS resolution.

Evasion: CPE devices can monitor HTTP requests and check the 'Host' header line. If the 'Host' header line does not have a domain name but an IP address, then we can certainly say that a domain name was not used while browsing the site. CPE devices can provide configuration on the type of action to take. It can provide options like 'Inform' and 'Deny'. The 'Inform' action informs the parent in case of an RG environment or the admin in case of a business environment. The 'Deny' action drops the connection and might even present a local HTML error page to the user. Here too, we need 'skip' lists to help scenarios where some sites are only reachable via IP addresses - for example Intranet sites or partner sites etc.

There is another kind of evasion possible too: local users using their own DNS server or some public DNS servers. The CPE can check all DNS requests and ensure that only the specified DNS servers are used. It could even do destination NAT to the required DNS server IP address.
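The CPE-side logic described in the last few paragraphs (source and domain skip lists, per-group tagging, forcing queries to the configured resolvers, and the Host header check for IP-literal browsing), as an added Python example that is not code from this post or from OpenDNS. The resolver addresses, internal networks, domain names and the GroupID tag are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed configuration for a hypothetical CPE; none of these are real
# OpenDNS or ISP addresses, and the group tag is an assumed DNS extension.
OPENDNS_SERVERS = ("203.0.113.10", "203.0.113.11")   # resolvers to enforce
ISP_SERVERS = ("198.51.100.53",)                      # used for bypassed queries
SOURCE_SKIP = [ipaddress.ip_network("192.168.1.0/28")]    # e.g. admin PCs
DOMAIN_SKIP = {"intranet.example.com", "partner.example.net"}
HOST_IP_SKIP = [ipaddress.ip_network("10.0.0.0/8")]       # sites reachable only by IP
GROUP_OF_SOURCE = {"192.168.1.16/28": "kids", "192.168.1.32/27": "parents"}

@dataclass
class DnsDecision:
    forward_to: str             # resolver the CPE sends the query to
    group_id: Optional[str]     # hypothetical per-group tag; None when bypassed
    rewritten: bool             # True when the client's chosen resolver was replaced

def _in_domain_skip(qname: str) -> bool:
    """Match the exact name or any parent domain on the skip list."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in DOMAIN_SKIP for i in range(len(labels)))

def _group_for(src: ipaddress.IPv4Address) -> str:
    for net, gid in GROUP_OF_SOURCE.items():
        if src in ipaddress.ip_network(net):
            return gid
    return "default"

def route_dns_query(src_ip: str, dst_ip: str, qname: str) -> DnsDecision:
    """Decide where the CPE forwards a DNS query from an internal host."""
    src = ipaddress.ip_address(src_ip)
    # Privacy: skip-listed sources and domains bypass OpenDNS via the ISP resolver.
    if any(src in net for net in SOURCE_SKIP) or _in_domain_skip(qname):
        return DnsDecision(ISP_SERVERS[0], None, dst_ip not in ISP_SERVERS)
    # Evasion: queries aimed at any other resolver are DNAT'd to OpenDNS,
    # and the query is tagged with the host's group for per-group policy.
    return DnsDecision(OPENDNS_SERVERS[0], _group_for(src), dst_ip not in OPENDNS_SERVERS)

def check_http_host(host_header: str, action: str = "inform") -> str:
    """Return 'allow', or the configured action ('inform'/'deny') when the
    Host header is an IP literal, i.e. the domain filter was never consulted."""
    host = host_header.strip()
    if host.startswith("["):                     # [IPv6]:port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                   # IPv4 or name with :port
        host = host.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "allow"                           # a domain name: OpenDNS handled it
    if any(ip in net for net in HOST_IP_SKIP):   # intranet/partner sites by IP
        return "allow"
    return action
```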

Dynamic IP address update: Today it is expected that a special program is run on the PCs behind CPE routers. This does not work well if we have many machines, or machines which do not run the software provided by the OpenDNS folks. A CPE device can help in those cases by updating the dynamic public IP in the openDNS servers. CPE devices are already equipped to update dynamic public IP addresses in DYNDNS servers. They could do the additional job of updating the openDNS server too.

SME IPS and Cloud Computing

Cloud computing providers are betting on small and medium businesses flocking to them. A large number of SME businesses are already using the email service provided by cloud computing providers. It appears that this trend is spreading to other services such as file service, backup service and web application services.

Businesses offloading their intranet and extranet services to the providers would be left with desktops and some minimal servers in their network. I have my own doubts on the merits of moving Intranet services to providers, but that discussion belongs to some other topic.

Desktops normally don't provide any services, i.e. they don't run any servers. Maybe printers and other networking equipment have some services, but they are limited to internal machines. Hence firewall protection allowing only internal machines is good enough.

Basically, the requirement for server side security functions beyond the firewall is going to be less in these environments. In addition, many hackers are now moving towards soft targets, i.e. desktops and applications running on desktops such as browsers, viewers etc.

Many IPS/IDS devices in the market today protect servers better than clients. Due to the movement of services to providers and the increase in client side attacks, IDS/IPS vendors must support better client side detection to survive.

IDS/IPS vendors have realized this and are moving in this direction, but not as fast as one would like to see. By mid-2009, I believe that many IDS/IPS boxes in the market will have sophisticated engines to support client side attack detection and prevention.

Tuesday, May 13, 2008

Assurance of firewall availability for critical resources : TR-069 support

I guess I have been harping that network security devices are stateful in nature. Let me say that again here :-) They create session entries for 5-tuple connections. DDOS attacks can consume these resources. There are several techniques used to maximize firewall availability. Some of them I discussed before are session inactivity timeout functionality, TCP SYN flood detection, the SYN cookie mechanism to prevent SYN floods, and connection rate limiting.

The above techniques do not guarantee that legitimate connections are not dropped. The rate throttling feature does not distinguish genuine connections from DDOS connections. But some resources are very important and access to/from these resources must be available all the time. That is, some assurance of firewall availability for these critical resources is required.

During a DDOS attack or worm outbreak, systems in the corporate network should have access to the central virus database server to get newer virus updates. Even if some systems in the corporate network are compromised and participating in DDOS attacks, other systems should continue to access critical resources while the problem is being fixed. Similarly, access to corporate servers should be maximized during a DDOS outbreak.

Though all issues can't be solved, enough facilities should be there to assure firewall availability for these critical accesses.

Many firewalls today support a feature called 'Session Reservation and Session Limits'. Using this feature, a certain number of sessions can be reserved for individual machines/systems. This feature also limits the number of simultaneous sessions for some non-critical systems/machines.
One use case example: Let us say that a medium enterprise has 500 systems. Say that this company bought a UTM firewall with 50000 session entries. The administrator can reserve 20 sessions and limit 100 sessions for each PC. That is, 10000 entries are reserved. The rest of the 40000 sessions are free for all. When all 40000 sessions are used up, the reserved sessions are still available to the PCs. Each PC can use its reserved 20 session entries. Thereby, when there is a DDOS attack, even after the 40000 session entries are used, these PCs continue to have access to 20 more session entries each. No other system can occupy these reserved sessions.

A session reservation database is a set of rules. Each rule contains the following information:
  • Rule ID: Identification of the rule.
  • Description: description of this record.
  • IP Address information: IP addresses for which this rule applies. All the action information in this rule is specific to each IP address.
  • Connection Direction: Outgoing or incoming. Indicates whether the sessions are reserved for connections made by the machines represented by 'IP addresses' or for connections terminated at these IP addresses. 'outgoing' indicates this rule is applied to connections originated by them and 'incoming' indicates this rule is applied to incoming connections.
  • Zone : Indicates the zone ID. If 'Connection Direction' is outbound, then zone indicates the destination zone. If 'Connection Direction' is inbound, then zone indicates the source zone.
  • ReserveCount: Number of sessions reserved for this rule.
The session limits database also contains a set of rules. Each rule contains the following information:
  • Rule ID: Identification of the rule.
  • Description
  • IP address Information: IP addresses for which this rule applies.
  • Connection Direction: Outgoing or Incoming.
  • Zone: Zone ID
  • Limit Count: Maximum number of sessions for each of the IP addresses.

TR-069 data profile:
  • internetGatewayDevice.security.VirtualInstance.{i}.firewall.maxSessionReservationRules: R, Unsigned Int
  • internetGatewayDevice.security.VirtualInstance.{i}.firewall.maxSessionLimitRules R
  • internetGatewayDevice.security.VirtualInstance.{i}.firewall.sessionReservations.{i} PC
    • ruleID: RW, Unsigned Int, Value between 1 and maxSessionReservationRules.
    • description: RW, String(128)
    • ipAddressType: RW, String(32). It takes values such as 'immediate' and 'ipobject'. 'immediate' indicates that IP addresses are given as values and 'ipobject' indicates the IP address information points to one of the IPObjects.
    • ipAddresses: RW, String(64) - If the type is 'immediate', then it can be a single IP address in dotted decimal form, a subnet given as network IP address and prefix length, or a range of IP addresses with '-' between the low and high values. If the type is 'ipobject', then it has one of the ipobject names from the internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.IPValueObject.{i} table or the internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.IPFQDNObject.{i} table. 'any' is a special value indicating all source IP values. Examples: 10.1.5.10 or 10.1.5.0/24 or 10.1.5.1-10.1.5.254
    • connectionDirection: RW, String(16). It takes values 'outgoing', 'incoming'.
    • zoneID: String(32), RW - One of the Zone IDs. It takes value of ZoneName from internetGatewayDevice.securityDomains.VirtualInstance.{i}.Zone.{i} table.
    • reserveCount: RW, Unsigned Int.
  • internetGatewayDevice.security.VirtualInstance.{i}.firewall.sessionLimits.{i} PC
    • ruleID: RW, Unsigned Int, Value between 1 and maxSessionLimitRules.
    • description: RW, String(128)
    • ipAddressType: RW, String(32). It takes values such as 'immediate' and 'ipobject'. 'immediate' indicates that IP addresses are given as values and 'ipobject' indicates the IP address information points to one of the IPObjects.
    • ipAddresses: RW, String(64) - If the type is 'immediate', then it can be a single IP address in dotted decimal form, a subnet given as network IP address and prefix length, or a range of IP addresses with '-' between the low and high values. If the type is 'ipobject', then it has one of the ipobject names from the internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.IPValueObject.{i} table or the internetGatewayDevice.security.VirtualInstance.{i}.NetworkObjects.IPFQDNObject.{i} table. 'any' is a special value indicating all source IP values. Examples: 10.1.5.10 or 10.1.5.0/24 or 10.1.5.1-10.1.5.254
    • connectionDirection: RW, String(16). It takes values 'outgoing', 'incoming'.
    • zoneID: String(32), RW - One of the Zone IDs. It takes value of ZoneName from internetGatewayDevice.securityDomains.VirtualInstance.{i}.Zone.{i} table.
    • limitCount: RW, Unsigned Int.
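The reservation and limit behaviour from the use case above (500 PCs, 50000 entries, 20 reserved and 100 maximum per PC), as an added Python example that is not the post's or any firewall vendor's code. It parses the 'immediate' ipAddresses formats from the profile and applies reservation and limit rules per IP address, connection direction and zone; the Rule and SessionTable names and the accounting (a host's first reserveCount sessions are charged to its reservation, the rest to the shared pool) are my assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

def parse_ip_addresses(spec: str):
    """Parse the 'immediate' ipAddresses format from the profile above.
    Returns (matcher, hosts covered) for a single address, a network with
    prefix, or a 'low-high' range; 'any' matches everything with 0 hosts."""
    spec = spec.strip()
    if spec == "any":
        return (lambda ip: True), 0
    if "-" in spec:
        low, high = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return (lambda ip: low <= ip <= high), int(high) - int(low) + 1
    net = ipaddress.ip_network(spec, strict=False)   # 10.1.5.10 or 10.1.5.0/24
    return (lambda ip: ip in net), net.num_addresses

@dataclass
class Rule:
    rule_id: int
    ip_addresses: str
    direction: str   # 'outgoing' or 'incoming'
    zone: str        # destination zone if outgoing, source zone if incoming
    count: int       # reserveCount or limitCount, applied per IP address

    def __post_init__(self):
        self.match, self.hosts = parse_ip_addresses(self.ip_addresses)

    def applies(self, ip, direction, zone):
        return (direction, zone) == (self.direction, self.zone) and self.match(ip)

class SessionTable:
    """Session admission with per-host reservations and limits (assumed design)."""
    def __init__(self, capacity, reservations, limits):
        self.reservations, self.limits = reservations, limits
        reserved_total = sum(r.count * r.hosts for r in reservations)
        if reserved_total > capacity:
            raise ValueError("reservations exceed session table capacity")
        self.free_pool = capacity - reserved_total   # entries shared by everyone
        self.free_used = 0
        self.active = Counter()   # (ip, direction, zone) -> sessions in use

    def _count(self, rules, key, default):
        rule = next((r for r in rules if r.applies(*key)), None)
        return rule.count if rule else default

    def admit(self, ip, direction, zone):
        key = (ipaddress.ip_address(ip), direction, zone)
        if self.active[key] >= self._count(self.limits, key, float("inf")):
            return "rejected: session limit"
        # A host's first reserveCount sessions are charged to its reservation, so
        # they are always granted; anything beyond competes for the free pool.
        if self.active[key] >= self._count(self.reservations, key, 0):
            if self.free_used >= self.free_pool:
                return "rejected: no free sessions"
            self.free_used += 1
        self.active[key] += 1
        return "accepted"

    def release(self, ip, direction, zone):
        key = (ipaddress.ip_address(ip), direction, zone)
        if self.active[key] > 0:
            if self.active[key] > self._count(self.reservations, key, 0):
                self.free_used -= 1   # this one came from the shared pool
            self.active[key] -= 1
```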

Cloud computing security is going to catch up.

Please see this article in Information Week.

Google and IBM are teaming up together to provide cloud services. Google is already providing email and storage services and they want to go beyond that.

One interesting thing that was mentioned in the article is:
"With the exception of security requirements, "there's not that much difference between the enterprise cloud and the consumer cloud," Google CEO Eric Schmidt said earlier this month during an appearance in Los Angeles with IBM chief Sam Palmisano."

One more quote from the article:
"The cloud has higher value in business. That's the secret to our collaboration."

Another thing I observed in the article is their planned usage of Xen.

Putting all of this together:

  • Cloud computing requires security. Otherwise, Enterprises may not be able to offload their servers to the cloud.
  • Cloud computing makes use of Virtualization.

I was giving choices in my earlier blog on *Cloud computing and Security*. Though the Information Week article does not give enough information on how the security services are going to be offered, they will start thinking about it soon.

I am beginning to think that both kinds of models which I suggested earlier would be used.

  • Flexibility for Enterprises to put their preferred vendor security products as virtual appliances.
  • Providing security using one mega security appliance.

My prediction is that a mega security appliance is required to provide typical infrastructure security. Virtual appliance flexibility will be provided for specialized security.

Tuesday, April 15, 2008

Cloud Computing and security

Cloud computing has become a popular term in the recent past. Cloud computing providers have a large number of interconnected cloud servers. They provide services to end users - renting virtual servers with the required CPU power, storage, and some specialized services such as PHP, Java, Ruby on Rails based servers etc.

Since these servers are outside of offices, it is required that you have very good internet connectivity. Cheap bandwidth and reliable connectivity favor the cloud computing model. From the cloud computing provider's perspective, this is becoming possible with very high speed, high density multi-core processors and virtualisation, with its inherent facility to provide isolation and run multiple services on one physical hardware box.

The advantages of cloud computing for users (Enterprises) are the same advantages you get with data centers, such as:
  • Reduce system and network infrastructure administration burden.
  • Save on electricity cost by selecting a data center with a lower cost of electricity.
  • Save on real estate.
Cloud computing provides additional advantages such as:
  • Handle peak loads by provisioning computing power with the click of a button.
  • Isolation of application servers from physical machines.

There are some concerns which are not yet fully resolved:

  • Who is going to take care of the security aspects of user applications? Is it the cloud computing provider or is it the responsibility of users?
  • Who monitors the vulnerabilities of different applications and takes care of patching them?
  • Will there be any visibility of exploits and attacks provided to the user?
  • Who takes responsibility for provisioning security infrastructure? Who takes responsibility for tuning IPS/IDS signatures?
  • Who takes responsibility for compliance requirements such as PCI DSS etc.?
  • Who takes responsibility for auditing systems, applications etc.?
  • If you have remote users that need access to these services, what kind of security on the wire is required and who provides VPN connectivity?

When a cloud computing provider provides specialized services such as Email etc., I feel that it is the responsibility of the cloud computing provider to check for vulnerabilities, hardening, patching, checking for spam and preventing phishing attacks etc. Do they do that today? What kind of guarantees are provided?

When cloud computing providers provide generic services such as renting out virtual servers, I have a feeling that the responsibility of securing them may fall on the user's shoulders. Now questions arise such as:

- Do cloud computing SPs provide a *Cloud Security* service?
- Do SPs give flexibility for users to select their own security vendor?
- Do SPs expect the security appliance to be provisioned as a virtual service? If so, what kind of virtualization technology do SPs provide?
- Do SPs provide network visibility for the user to link the security service with application servers?

It is not possible for cloud computing providers to provide security for applications which they don't know. Many security problems are specific to each application. Typically Enterprises have their own applications in addition to standard applications. As you see in the questions, there is a lot of tuning of security applications, such as adding new signatures to the IPS, that happens over time. So it makes sense for cloud computing providers to provide flexibility for users to create their own security environment. Enterprises also typically provide remote secure connectivity for their employees to access critical services. Securing Enterprise services involves not only exploit detection, tuning, hardening and patching, but also providing VPN service to employees.

I have a feeling that, like the way computing services are provided in the cloud, security services will also be provided by cloud computing providers. Cloud Security Service provisioning involves not only the security application, but also connectivity between the security service and the application servers. To provide complete security, it may even involve provisioning multiple security services such as VPN service, IPS service, firewall service and web application firewall service, or it could be one UTM service.

If service providers are going to provide flexibility for end users to provision their choice of security application, then SPs would provide the choice of running virtual security appliances.

At times, a service provider may not like to provide flexibility of security application and may instead provide security as a specialized service of their own. In those cases, SPs may go for mega security appliances supporting multiple instances, with an instance provisioned for each customer.

Let us see how this market turns out.

But in both cases, the need for computation power for security services is very high. Multi-core processors are going to fill this gap.