AltSecCon, March 2011

Winston Morton
Topics of Discussion
The Definition of the Cloud
Cloud Computing and Risk Mitigation
Traditional Intrusion Prevention
Virtualized Intrusion Prevention
Intrusion Prevention in Cloud Computing
Industry Trends
Questions
What is the Cloud?
- What does “To the cloud” mean?
- Why do they always spin something to get to the cloud?

Definition of the Cloud
- About 432 definitions out there
- A shared computing resource with the ability to be delivered via Internet from multiple locations to multiple locations
  - Public Cloud - Delivered to Multiple Customers
  - Private Cloud - Delivered to one Customer
  - Virtual Private Cloud – An isolated subset of the public cloud with dedicated network and computing resources to one customer.

And yes… IBM did this 20 years ago before the brief period of customer owned client/server technologies… (of course the Internet as we know it didn’t exist back then)
Why has the risk model changed?
- Private cloud deployments have virtualized the natural network aggregation points used for network security
- Public cloud providers control critical elements of a comprehensive security program
- Cloud provider evaluation criteria (Gartner)
  - Privileged user access
  - Regulatory compliance
  - Data location
  - Data segregation
  - Recovery
  - Investigative support
  - Long-term viability

[News clipping shown on the slide] "Microsoft BPOS cloud service hit with data breach. A 'small number' of Offline Address Book users had some of their data accessed." By Andreas Udo de Haes, Webwereld Netherlands, December 22, 2010 11:39 AM ET
The Ownership of Risk
- The ownership of risk hasn’t changed but controls have.
- The ownership of the data clearly stays with the customer
- In many cases when outsourcing you have less ancillary access to data (in transit or at rest)
  - Intrusion prevention sometimes relies on ancillary data
- The cloud service provider generally does not take ownership or risk of loss of data beyond the cost of the service
- Your risk tolerance needs to match the cloud delivery model (this generally comes down to a financial decision)
- In the SME market risk may go down rather than up with a cloud model
- You can’t outsource accountability!
Amazon Web Services (AWS)
- Section 11. Limitations of Liability.
WE AND OUR AFFILIATES OR LICENSORS WILL NOT BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES (INCLUDING DAMAGES FOR LOSS OF
PROFITS, GOODWILL, USE, OR DATA), EVEN IF A PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. FURTHER, NEITHER WE NOR ANY OF OUR AFFILIATES OR LICENSORS WILL BE RESPONSIBLE FOR
ANY COMPENSATION, REIMBURSEMENT, OR DAMAGES ARISING IN CONNECTION WITH:
(A) YOUR INABILITY TO USE THE SERVICES, INCLUDING AS A RESULT OF ANY (I) TERMINATION OR
SUSPENSION OF THIS AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS, (II) OUR
DISCONTINUATION OF ANY OR ALL OF THE SERVICE OFFERINGS, OR, (III) WITHOUT LIMITING ANY
OBLIGATIONS UNDER THE SLAS, ANY UNANTICIPATED OR UNSCHEDULED DOWNTIME OF ALL OR A
PORTION OF THE SERVICES FOR ANY REASON, INCLUDING AS A RESULT OF POWER OUTAGES, SYSTEM
FAILURES OR OTHER INTERRUPTIONS;
(B) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
(C) ANY INVESTMENTS, EXPENDITURES, OR COMMITMENTS BY YOU IN CONNECTION WITH THIS
AGREEMENT OR YOUR USE OF OR ACCESS TO THE SERVICE OFFERINGS; OR
(D) ANY UNAUTHORIZED ACCESS TO, ALTERATION OF, OR THE DELETION, DESTRUCTION, DAMAGE, LOSS OR
FAILURE TO STORE ANY OF YOUR CONTENT OR OTHER DATA. IN ANY CASE, OUR AND OUR AFFILIATES’
AND LICENSORS’ AGGREGATE LIABILITY UNDER THIS AGREEMENT WILL BE LIMITED TO THE AMOUNT
YOU ACTUALLY PAY US UNDER THIS AGREEMENT FOR THE SERVICE THAT GAVE RISE TO THE CLAIM
DURING THE 12 MONTHS PRECEDING THE CLAIM.
Microsoft Online Services
- Section 8. Limitation of liability.
- Limitation on liability. Except as otherwise provided in this Section, to the extent permitted by applicable law, the liability of Microsoft and of Microsoft’s contractors to Customer arising under this agreement is limited to direct damages up to the amount Customer paid Microsoft for the Online Service and/or Client Software giving rise to that liability during the (1) Term or (2) twelve months prior to the filing of the claim, whichever is less. These limitations apply regardless of whether the liability is based on breach of contract, tort (including negligence), strict liability, breach of warranties, or any other legal theory. However, these monetary limitations will not apply to:
  - Microsoft’s obligations under the Section titled "Defense of infringement and misappropriation claims";
  - liability for damages awarded by a court of final adjudication for Microsoft’s or its employees’ or agents’ gross negligence or willful misconduct;
  - liabilities arising out of any breach by Microsoft of its obligations under the Section entitled "Confidentiality"; or
  - liability for personal injury or death caused by Microsoft’s negligence or that of its employees or agents or for fraudulent misrepresentation.
- EXCLUSION OF CERTAIN DAMAGES. TO THE EXTENT PERMITTED BY APPLICABLE LAW, WHATEVER THE LEGAL BASIS FOR THE CLAIM, NEITHER PARTY, NOR ANY OF ITS AFFILIATES OR SUPPLIERS, WILL BE LIABLE FOR ANY INDIRECT DAMAGES (INCLUDING, WITHOUT LIMITATION, CONSEQUENTIAL, SPECIAL OR INCIDENTAL DAMAGES, DAMAGES FOR LOST PROFITS OR REVENUES, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION) ARISING IN CONNECTION WITH THIS AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR IF SUCH POSSIBILITY WAS REASONABLY FORESEEABLE. HOWEVER, THIS EXCLUSION DOES NOT APPLY TO EITHER PARTY’S LIABILITY TO THE OTHER FOR VIOLATION OF ITS CONFIDENTIALITY OBLIGATIONS OR OF THE OTHER PARTY’S INTELLECTUAL PROPERTY RIGHTS.
Concept of Intrusion Prevention
- Stop intrusions BEFORE they happen
  - As opposed to Intrusion Detection
- Requires the system to take action on potential risks
  - In-line systems can drop malicious traffic before it gets to critical infrastructure
  - Automated or with human intervention
  - Can be programmed with very different “personalities” depending on location (i.e. in front of a firewall, in front of a critical server, etc.)
- Modern IPS systems have a real time database of threats
  - Many of which may not apply to your environment
  - Allows for zero-day detection of new threats and applies new rules before your systems are compromised (Virtual Patching)
- IPS systems also provide an important audit trail
  - In the case of a breach, IPS events need to be correlated with firewall logs, user account logs, server access logs, virus scan logs, etc.
Concept of Intrusion Prevention
- Traditional Intrusion Prevention Systems
  - Client Based (Desktop)
    - Generally proactive management of accounts and potential spyware, rootkits, etc.
    - Watch incoming and outgoing connections for warning signs
  - Host Based (Server)
    - Very specific inspection of application requests and common exploit techniques targeted at the host system
    - Account abuse detection, time of day detection, etc.
  - Network Based
    - Deep packet inspection
    - Broad long term analysis (looking for “low and slow” attacks)
    - Denial of service, network scanning/mapping attempts
    - Exploits of known vulnerabilities
Concept of Intrusion Prevention
- Traditional Enterprise Approach

[Diagram: the Enterprise sits behind the Internet; Host Based Intrusion Prevention, Client Based Intrusion Prevention and Network Based Intrusion Prevention all feed Correlated Event Management.]
Concept of Intrusion Prevention
- Virtual Intrusion Prevention
  - Virtual machine embedded in the hardware abstraction layer (between the physical hardware and the guest operating system)
  - Can be software controlled and placed on the same virtual network as any virtual machine
  - Creates a scalable method to monitor multiple virtual environments
    - Keep in mind intrusion prevention devices would normally be tuned for the specific operating systems and applications they are protecting
  - These deployments are highly reliant on multiple vendor integration
    - i.e. VMware publishes an API for provisioning virtual networks; IPS vendors have to conform to these specifications.
Traditional vs. Virtualized IPS

[Diagram: three stacks side by side. Host Based IPS: APPLICATION / OPERATING SYSTEM / PHYSICAL SERVER. Virtual IPS: APP + OS + VIRTUAL IPS per guest, VIRTUAL SWITCH, PHYSICAL SERVER (VMWARE / MICROSOFT HYPER-V / CISCO NEXUS). Network Based IPS: VIRTUAL LAN segments on the NETWORK.]

Host Based IPS
- Same as traditional server Host Based IPS deployments
- Software Based
- Application Attack Vectors
- Host Based Ruleset

Virtual IPS
- Special Virtual Machines
- Vendor Specific API
- Can be “bridged” in software to a virtual segment

Network Based IPS
- Hardware Based
- Network Attack Vectors
- Network Based Ruleset
- Can be “bridged” to the VLAN associated with a Virtual Machine
- Most Enterprise IPS Vendors support Multiple VLANs (802.1Q)
IPS Challenges in the Public Cloud
- A holistic view is important to determine real time risk
  - What used to be physical and in our server room is now logical and controlled by a third-party company
  - We may be missing infrastructure events that would trigger a potential security threat.
- Importance of event correlation
  - Appearances of targeted probing before an event
  - What happened before and after a security breach
  - Common time and log management is critical to determining root cause
- Intrusion prevention is about recognizing potential security threats and acting BEFORE a breach
- There are ways to work with outsourced infrastructure to manage this reduced visibility
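The two correlation points above (IPS events must be correlated with firewall and account logs, and logs must sit on a common clock before "what happened before the breach" can be answered) are easiest to see in code. The following is an added example, not code from the talk or any IPS vendor. It parses three constructed log feeds, each in a different timestamp convention (the IPS in UTC, the firewall in local time with an offset, the server's syslog with neither year nor zone), normalizes them into one event shape, and then looks back from every successful login for IPS events from the same source address. The log formats, host names, addresses and the ten-minute look-back window are all assumptions made for the example.

```python
"""Correlate IPS, firewall and auth logs on a common UTC timeline.

Added example; the log lines, formats and the look-back window are constructed
for illustration and are not from any real product.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample logs. Each feed uses a different clock convention, which
# is exactly the problem "common time management" is meant to solve.
IPS_LOG = """\
2011-03-01T14:02:11Z ips1 SCAN src=203.0.113.7 dst=10.0.5.20 sig=TCP-PORTSCAN
2011-03-01T14:02:40Z ips1 SCAN src=203.0.113.7 dst=10.0.5.21 sig=TCP-PORTSCAN
2011-03-01T14:05:03Z ips1 ALERT src=203.0.113.7 dst=10.0.5.20 sig=SSH-BRUTEFORCE
"""
FW_LOG = """\
Mar 1 10:02:10 2011 -0400 fw1 ACCEPT 203.0.113.7:51520 -> 10.0.5.20:22
Mar 1 10:06:30 2011 -0400 fw1 ACCEPT 203.0.113.7:51601 -> 10.0.5.20:22
Mar 1 10:06:45 2011 -0400 fw1 ACCEPT 198.51.100.9:40211 -> 10.0.5.20:443
"""
AUTH_LOG = """\
Mar 1 14:06:31 srv20 sshd[2211]: Accepted password for admin from 203.0.113.7 port 51601
Mar 1 14:07:02 srv20 sshd[2213]: Accepted publickey for deploy from 10.0.5.99 port 41000
"""


@dataclass(order=True)
class Event:
    """Common event shape; only `time` takes part in ordering."""
    time: datetime
    source: str = field(compare=False)   # ips | fw | auth
    src_ip: str = field(compare=False)
    host: str = field(compare=False)     # destination address or server name
    action: str = field(compare=False)
    detail: str = field(compare=False)


IPS_RE = re.compile(r"^(\S+) \S+ (\w+) src=(\S+) dst=(\S+) sig=(\S+)$")
FW_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d \d{4} [+-]\d{4}) \S+ (\w+) "
                   r"(\S+):\d+ -> (\S+):(\d+)$")
AUTH_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"(Accepted|Failed) (\S+) for (\S+) from (\S+) port \d+$")


def parse_ips(text):
    """IPS feed: ISO-8601 timestamps already in UTC."""
    events = []
    for line in text.splitlines():
        m = IPS_RE.match(line)
        if m:
            ts, action, src, dst, sig = m.groups()
            t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(Event(t, "ips", src, dst, action, sig))
    return events


def parse_fw(text):
    """Firewall feed: local time with a numeric offset; convert to UTC."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, dport = m.groups()
            t = datetime.strptime(ts, "%b %d %H:%M:%S %Y %z").astimezone(timezone.utc)
            events.append(Event(t, "fw", src, dst, action, "dport=" + dport))
    return events


def parse_auth(text, year=2011, tz=timezone.utc):
    """Syslog feed: no year and no zone. Assumption: server clock runs in UTC."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, action, method, user, src = m.groups()
            t = datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y").replace(tzinfo=tz)
            events.append(Event(t, "auth", src, host, action, f"{method} user={user}"))
    return events


def find_probing_before_login(events, window=timedelta(minutes=10)):
    """For each successful login, collect same-source events inside the
    look-back window and flag the login if any of them came from the IPS."""
    timeline = sorted(events)
    findings = []
    for ev in timeline:
        if ev.source != "auth" or ev.action != "Accepted":
            continue
        prior = [e for e in timeline
                 if e is not ev and e.src_ip == ev.src_ip
                 and ev.time - window <= e.time <= ev.time]
        ips_hits = [e for e in prior if e.source == "ips"]
        if ips_hits:
            findings.append({"src_ip": ev.src_ip, "host": ev.host,
                             "login_time": ev.time, "login": ev.detail,
                             "signatures": [e.detail for e in ips_hits],
                             "prior_events": prior})
    return findings


if __name__ == "__main__":
    all_events = parse_ips(IPS_LOG) + parse_fw(FW_LOG) + parse_auth(AUTH_LOG)
    for f in find_probing_before_login(all_events):
        print(f"{f['login_time'].isoformat()} {f['src_ip']} -> {f['host']} "
              f"({f['login']}) preceded by {', '.join(f['signatures'])}")
        for e in f["prior_events"]:
            print(f"    {e.time.isoformat()} [{e.source}] {e.action} {e.detail}")
```

The firewall line at 10:06:30 -0400 and the syslog login at 14:06:31 only line up once both are expressed in UTC; without that normalization the login would appear four hours after the probing and fall outside the window. In a public cloud deployment the "ips" feed is the one most likely to be missing, which is the point the slide makes: the login still shows up in the server log, but nothing marks it as the end of a scan-then-brute-force sequence.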
Cloud Computing Models
- Software as a Service (SaaS)
  - Remote secure access to one Application
  - Typically Web Based Service
  - Typically accessible from anywhere
- Security Model
  - No access to SaaS network
  - No access to SaaS Host OS
  - User Based Intrusion Prevention
  - User Authentication
  - User Auditing (Application Dependent)

[Diagram: Enterprise -> Internet -> SaaS Provider]
Cloud Computing Models
- Platform as a Service (PaaS)
  - Remote secure access to one Platform
  - Typically a Windows/Linux Server
  - Typically Bundled with Storage
  - “Bring your own” Application
  - Multiple locations
- Security Model
  - No access to PaaS network
  - Control over OS and Applications
  - Host Based Intrusion Prevention
  - User Based Intrusion Prevention

[Diagram: Enterprise -> Internet -> PaaS Provider]

Cloud Computing Models
- Virtual Private Cloud (VPC)
  - Multiple platforms on one subnet inside the cloud
  - Platforms can communicate with each other within the cloud
  - Secure connection to enterprise
- Security Model
  - Typically no External Internet Access
  - Limited access to VPC network
  - Employ strong encryption between networks
  - One compromised platform has access to all devices on the subnet
  - Host based Intrusion Prevention
  - Network Based Intrusion Prevention (Enterprise Side)

[Diagram: Enterprise -> Internet -> VPC Provider]
Industry Trends
- Enterprise IPS has rapidly matured in the past 3-5 years
- Public cloud computing solutions are still maturing to the point they can be integrated with enterprise IPS systems
- Without having direct access to the cloud provider network we are missing some of the latest features of IPS systems.
  - Virtual Security Patch
  - Denial of Service Response
  - Zero Day Attack Detection
- Competing standards for cloud providers’ and vendors’ event management protocols
  - Common Event Expression (CEE)
  - Distributed Auditing Service (XDAS)
Industry Trends
- Most IPS solutions are focused on private cloud deployments (Virtualized Environments)
- Expect to see IPS as a key differentiator in the public cloud market (Firewall and Authentication are commonly available today)

- A few of the “Cloud Enabled” IPS Vendors
  - SourceFire Virtual 3D Sensor: http://www.sourcefire.com/security-technologies/cyber-security-products/3d-system
  - HP Secure Virtualization Framework: http://h17007.www1.hp.com/us/en/solutions/security/svf/
  - IBM Virtual Server Protection for VMware: http://www-01.ibm.com/software/tivoli/products/virtualized-network-security/
  - Juniper Networks Virtual Control: http://www.juniper.net/us/en/products/services/software/junos-platform/junos-space/applications/virtual-control/
  - Cisco Nexus & Virtual Sensor: http://www.cisco.com/en/US/products/ps9902/index.html
Questions?

Winston.Morton@GreenNeuron.com
902.406.6321