Protecting Network Equipment

Slides:



Advertisements
Similar presentations
Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
Advertisements

Vpn-info.com.
1 Trusted Systems in Networking Infrastructure Rafael Mantilla Montalvo Cisco Systems June 2013.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Trusted Disk Loading in the Emulab Network Testbed Cody Cutler, Mike Hibler, Eric Eide, Rob Ricci 1.
Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation Dane Brandon, Hardeep Uppal CSE551 University of Washington.
Trusted Computing Initiative Beyond trustworthy. Trusted Computing  Five Key Concepts >Endorsement Key >Secure Input and Output >Memory Curtain / Protected.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Three.
Trusted Computing Platform Alliance – Introduction and Technical Overview – Joe Pato HP Labs MIT 6.805/ October 2002.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
CCNA 2 v3.1 Module 2.
Operating Systems Operating System
Hands-On Microsoft Windows Server 2008
Patterns for Secure Boot and Secure Storage in Computer Systems By: Hans L¨ohr, Ahmad-Reza Sadeghi, Marcel Winandy Horst G¨ortz Institute for IT Security,
Trusted Computing BY: Sam Ranjbari Billy J. Garcia.
An approach to on the fly activation and deactivation of virtualization-based security systems Denis Efremov Pavel Iakovenko
Trusted Computing Or How I Learned to Stop Worrying and Love the MPAA.
Cosc 4765 Trusted Platform Module. What is TPM The TPM hardware along with its supporting software and firmware provides the platform root of trust. –It.
An Introduction to Trusted Platform Technology Siani Pearson Hewlett Packard Laboratories, UK
Security fundamentals Topic 2 Establishing and maintaining baseline security.
Trusted Infrastructure Xiaolong Wang, Xinming Ou Based on Dr. Andrew Martin’s slides from TIW 2013.
Trusted Platform Module as Security Enabler for Cloud Infrastructure as a Service (IaaS). Gregory T. Hoffer CS7323 – Research Seminar (Dr. Qi Tian)
Trusted Computing and the Trusted Platform Module Bruce Maggs (with some slides from Bryan Parno)
Understand Encryption LESSON 2.5_A Security Fundamentals.
1 Information Security – Theory vs. Reality , Winter Lecture 12: Trusted computing architecture (cont.), Eran Tromer Slides credit:
TCS Internal Security. 2 TCS Internal Objective Objective :  Android Platform Security Architecture.
What is BitLocker and How Does It Work? Steve Lamb IT Pro Evangelist, Microsoft Ltd
Computer Security module October 2008 Mark D. Ryan HP Labs, Bristol University of Birmingham Trusted Platform Module (TPM) introduction.
Computer Security module October 2009 Mark D. Ryan University of Birmingham Trusted Platform Module (TPM) introduction.
Trusted? 05/4/2016 Charles Sheehe, CCSDS Security Working Group GRC POC All information covered is from public sources 1.
Security Issues in Information Technology
Trusted? 05/4/2016 Charles Sheehe, CCSDS Security Working Group GRC POC All information covered is from public sources.
VMware ESX and ESXi Module 3.
Web Applications Security Cryptography 1
Trusted Computing and the Trusted Platform Module
Trusted Infrastructure
Hardware security: The use of a Trusted Platform Module
TASHKENT UNIVERSITY OF INFORMATION TECHNOLOGIES NAMED AFTER MUHAMMAD AL-KHWARIZMI THE SMART HOME IS A BASIC OF SMART CITIES: SECURITY AND METHODS OF.
Protect Your Hardware from Hacking and Theft
Trusted Computing and the Trusted Platform Module
Security and Encryption
Outline What does the OS protect? Authentication for operating systems
Outline What does the OS protect? Authentication for operating systems
Introduction to Computers
TCG’s Embedded System and IoT Focus
Using SSL – Secure Socket Layer
TERRA Authored by: Garfinkel, Pfaff, Chow, Rosenblum, and Boneh
Nessus Vulnerability Scanning
Building hardware-based security with a Trusted Platform Module (TPM)
Mumtaz Ali Rajput +92 – INFORMATION SECURITY – WEEK 5 Mumtaz Ali Rajput +92 – 301-
Starting the computer. Every day we are using an operating system and most specifically a Windows operating system but most of us are not aware of the.
LINUX SECURITY Dongmei Wu ID: /25/00.
Assignment #7 – Solutions
Protect Your Hardware from Hacking and Theft
Modern PC operating systems
Module 2 OBJECTIVE 14: Compare various security mechanisms.
Slalom: Fast, Verifiable and Private Execution of Neural Networks in Trusted Hardware Kriti shreshtha.
Intel Active Management Technology
Lecture9: Embedded Network Operating System: cisco IOS
TPM, UEFI, Trusted Boot, Secure Boot
Aimee Coughlin, Greg Cusack, Jack Wampler, Eric Keller, Eric Wustrow
The Italian Academic Community’s Electronic Voting System
Erica Burch Jesse Forrest
Operating System Concepts
Bruce Maggs (with some slides from Bryan Parno)
Bruce Maggs (with some slides from Bryan Parno)
Lecture9: Embedded Network Operating System: cisco IOS
Lecture 36.
Lecture 36.
Presentation transcript:

Protecting Network Equipment Guy C Fedorkow, Juniper Networks May 3, 2017 ESC Minneapolis

Agenda What is the Trusted Computing Group? What’s the threat? The importance of locking down firmware Networking applications for TCG Technology References

Who is the Trusted Computing Group? You know TCG for our technical specs & guidance such as: Trusted Platform Module (TPM 2.0) Self Encrypting Drive (SED) Trusted Network Connect (TNC) The Trusted Computing Group (TCG) is an international industry standards group focused on Trusted Computing since its founding in 2003. ISO/ IEC

TCG = Open Standards for Trusted Computing TCG is the only group focused on trusted computing standards TPM specification implemented in more than a billion devices Chips integrated into PCs, servers, printers, kiosks, industrial systems, and many embedded systems

The Threat Networked Equipment has become critical infrastructure Threats include Unauthorized devices that can gain access to networked data Unauthorized code that can interfere with safe operation Firmware implants that can render attacks invisible and unremovable E.g: Ukraine Power System Attack Coordinated attacks on controllers, embedded gear and even the call center Some networking equipment permanently disabled https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power- grid/ http://www.nerc.com/pa/CI/ESISAC/Documents/E- ISAC_SANS_Ukraine_DUC_18Mar2016.pdf E.g. Dyn DNS Attack Hundreds of thousands of IoT devices pirated to attack Dyn’s DNS servers https://en.wikipedia.org/wiki/2016_Dyn_cyberattack

Securing Infrastructure Today’s Scope: Embedded systems like routers, firewalls, switches, industrial controllers It’s important to consider security at all levels But particularly Firmware and Identity Part One – securing firmware Part Two – Using the TPM

Secure Boot Defined Secure Boot(*) is a process that ensures that the device boots an unmodified, authorized image. Secure Boot is achieved by providing an unbroken “chain of trust” from the first instruction executed after Reset through to the OS prompt. BIOS checks Loader Signature before handoff Loader checks Kernel Signatures before handoff Start BIOS Initialize hardware Check Loader Signature Run Loader Locate OS Image Check Kernel Signatures Kernel Start OS (eg Linux) Check and run Daemons *aka Verified Boot Core Root of Trust

Firmware Attacks Why so much focus on firmware attacks? It’s the first link in the chain of trust If you skip a link in the chain, that invalidates the rest Firmware Hacks are usually persistent Firmware is not usually updated or examined Good for stealthy attacks Hacks can be un-removable* The BIOS updates the BIOS So if it doesn’t want to, it won’t  *Without a hardware programmer

Securing Firmware Two Simple Steps: Make sure that the OS cannot modify firmware This usually needs some kind of hardware help to lock boot flash memory Make sure that the BIOS (or uBoot or whatever) won’t update itself without checking a signature on the new image.

Trusted Platform Module: The Standard Hardware Root of Trust Trusted Platform Module (TPM) Self-contained security processor Inexpensive & small (~1 watt, ~$1) Connects to inexpensive processor buses TPM Provides: Secure storage of boot state (i.e. hashes of objects) Secure storage of cryptographic secrets (e.g. private keys) Cryptographic-quality Random Number Generator Includes resistance to physical attack, i.e., reverse- engineering, to keep private keys private Specified by Trusted Computing Group industry consortium

TCG Network Equipment Guidance TCG Guidance for Securing Network Equipment Document under development by TCG members including those involved in Networking Juniper, Cisco, Huawei, HP and others Intended to help equipment vendors use TCG technology to secure network infrastructure

Applications for TPM in Networked Gear Cryptographic Random Number Generator Sealing Secrets Cryptographic Device Identification Software Attestation / Health-Check … And many others

Random Number Generator - Essential for Secure Protocols Protocols like IPsec, SSH, SSL and TLS use cryptographic keys Keys are often generated within the embedded device itself Keys are like passwords: if you can guess the key, you can break the protocol Cryptographic keys are typically generated from random numbers Without hardware help, computer algorithms can only generate Pseudo-Random sequences, not truly random numbers. Most TPMs contain a physical source of randomness (aka entropy) which can be used to generate reliable keys.

Sealing Secrets - Ensure that secrets remain secret! The TPM can be used to protect secrets like: VPN shared-secret keys Disk Encryption keys Program the TPM so it will only decrypt the secrets for use when the platform is in a specified state, e.g. Known, unmodified OS And/or specific platform configuration And/or user password

IEEE802.1AR Device Identity - Proves Which Device is Which Many embedded devices are ‘remote’ and difficult to protect or even identify reliably. The TPM can be programmed with a unique cryptographic identifier based on device serial number Based on IEEE spec 802.1AR Public Key Cryptography allows the TPM to assert its identity And then prove possession of a difficult-to-steal private key stored inside the TPM

How Would a DevID be Used? Inventory – Ensure the devices you put in place are still there VPN login – Use DevID for remote login, so only authorized devices are allowed on your network Zero-Touch Configuration – Ensure that only authorized devices can call in to obtain configuration Software licensing and feature activation – ensure that only authorized devices can run value-add features

Attestation and Measured Boot - Proves What Software was Launched on your Device Secure Boot works well for deterministic early stages of boot But multi-core processors tend to be less predictable once the OS layer starts up The TPM can be used to record “measurements” of each executable run The TPM can then return those measurements to a management station later, signed by a key that only the TPM can know “Attestation” provides cryptographic assurance of which executables actually were run.

What Can You Do? Lock down your firmware Use a cryptographic Random Number Generator Use DevID to identify embedded devices See NetEq Synopsis for more on securing network equipment http://www.trustedcomputinggroup.org/wp- content/uploads/NetEq-Synopsis_1_0r3.pdf Join TCG to go deep into the topic Contribute to the work!

More Info TCG: www.trustedcomputinggroup.org NetEQ docs: http://trustedcomputinggroup.org/work-groups/embedded- systems/ TPM docs: http://trustedcomputinggroup.org/work-groups/trusted-platform- module/ http://forums.juniper.net/t5/Security-Now/What-is-a-Trusted-Platform-Module- TPM/ba-p/281128 http://forums.juniper.net/t5/Security-Now/What-s-the-Difference-between- Secure-Boot-and-Measured-Boot/ba-p/281251 TPM & secure boot: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/tpm-recommendations https://msdn.microsoft.com/en- us/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview

Thank You! Questions? @ESC_Conf ESC Minneapolis

Contacting Trusted Computing Group www.trustedcomputinggroup.org admin@trustedcomputinggroup.org LinkedIn Trusted Computing Group: https://www.linkedin.com/groups/4555624 Twitter: @TrustedComputin YouTube channel: https://www.youtube.com/user/TCGadmin BrightTalk webcasts (free): www.brighttalk.com, search “trusted computing” for library of demonstrations and presentations