All posts by Bob Doud

About Bob Doud

Bob Doud is Senior Director of Marketing at Mellanox Technologies, responsible for security applications as well as driving adoption of the new BlueField family of ARM processor enabled networking devices. Bob joined Mellanox in Feb 2016 from Tilera / EZchip where he managed the TILE multicore processors family. Previously, he had over 20 years of experience in the security field at companies such as SafeNet, NetOctave and Hifn. His technical background spans encryption and security, processor architectures, telecom and enterprise hardware and software.

Foreshadow CPU vulnerability threatens host-based security model

Foreshadowing the Future of Security Meltdowns and the Spectre of a Breach

Here we go again… Only 8 months after the Spectre and Meltdown CPU vulnerabilities were disclosed, researchers have published Foreshadow, another related attack vector that exploits “Speculative Execution”. This one goes after the “SGX” (Software Guard Extensions) secure enclave feature built into newer Intel processors since the Skylake series. This is very serious, as it strikes at the very feature that is designed to protect highly sensitive data and security code. It’s yet another reason to consider ameliorating host-based security vulnerabilities using SmartNICs and distributed security.

Researchers will be presenting their Foreshadow exploit paper this month (Aug 2018) at the Usenix Security conference. A notable excerpt from their abstract: “We present Foreshadow, a practical software-only microarchitectural attack that decisively dismantles the security objectives of current SGX implementations”.

SGX was designed to allow user-level programs to create secure enclaves on the x86 processor with protected memory regions for executing security-related functions and storing crypto keys and other secret information. To date, it has been used for Digital Rights Management (DRM), secure web browsing, at least one password manager tool and remote computation applications related to cloud computing.

So far SGX has been able to resist Spectre and Meltdown attacks, but the Foreshadow attack can access SGX-protected memory in the L1 cache. Even worse, it can expose the secret, cryptographic attestation keys used by SGX for checking the integrity of each SGX memory enclave. Once an attestation key is compromised, Foreshadow can copy the memory enclave to a non-protected area or even create fake enclaves that appear legitimate to applications even though they are running outside the SGX enclave.

There will be much “gnashing of teeth” by business and users alike while we wait for the patches to roll out and to learn about the costs incurred.

Threat chart compares Meltdown, Spectre and Foreshadow CPU security vulnerabilities

These latest 3 security vulnerabilities, combined with previous Intel processor security flaws disclosed in 2017, give any serious security professional good reason to consider whether they can rely on the protections offered by their server processor.

 

Fighting Attackers with a SmartNIC-Based True Enclave

We’ve previously highlighted the risks with hosting all of your security measures on the same system as you are trying to protect. This is just a bad idea. For over 30 years, high-security Department of Defense (DoD) systems have employed “red-black separation” where secure information is carefully segregated – physically and electrically – from the non-secure domain. Obviously, Intel’s attempts at separation of functions in a single processor domain have been spectacularly unsuccessful, suggesting that the security nerds were probably right all along in insisting on physical domain separation for the best security.

It’s time to re-think the approach to server security and return to the fundamentals… Create a barrier between the server processor – which often runs both trusted and untrusted applications – and the enclave where security functions can run in a protected environment. The perfect opportunity is presented with the new generation of “SmartNIC” network adapters. They create a physically isolated security domain separate from the main CPU and allow a distributed security model, instead of concentrating all security and normal functions in the main CPU.

SmartNIC isolates an execution domain from the main CPU and enables distributed security

The Mellanox BlueField SmartNIC incorporates a powerful RISC CPU running Linux and is equipped with a variety of security features that make it ideal for hosting trusted functions to protect the server environment. Examples of security services include:

  • Stateful Next Gen Firewall (NGFW)
  • IPsec, SSL/TLS, Data-at-Rest encryption protocols
  • Intrusion detection and prevention (IDS/IPS)
  • Host “introspection” – scans the server for authorized applications and detects malware

With the co-mingling of users and applications in enterprise and cloud servers, the older model where attacks are assumed to all originate from “out there”–on the other side of the firewall—s breaking down. We now see that a significant percentage of threats originate inside the data center so the model of protection has to change as well. Using SmartNICs protecting each server at its network port, threats can be stopped before they even enter the server, and the SmartNIC provides a trusted island from which to monitor applications and network transactions.

 

SmartNIC server security highlights:

  • Protects each server at its connection into the data center network
  • Distributed security scales as more servers are added… no appliance “choke points”
  • Enables per-node customized rules/filters based on the protected assets
  • “Secure Boot” of the SmartNIC uses digital signatures to authenticate the OS and all security applications running on the device.

With information security concerns ranking as one of the top concerns of CSOs and over 20% of companies reporting a breach of data or applications in 2017, it is more critical than ever to have confidence in the security tools protecting your data center. The Foreshadow vulnerability is yet another reminder that it’s dangerous to rely on software-based tools running on the computer you are trying to protect. BlueField SmartNICs close the gaps exposed with host-based security.

 

Additional Resources:

A New Treatment for Hospital Cybersecurity

Hospitals have become a major target for cyberattacks. A single medical record can fetch anywhere between $30 and $500 compared to just 10 to 15 cents for a credit card number. Employees at the Erie Country Medical Center in New York found this out the hard way when every screen in their 550-bed facility went blank. A ransomware message quickly followed, demanding over thirty thousand dollars in Bitcoin. According to news reports, hackers were able to slip in through the hospital’s main computers and onto their online backup system, taking down over 6000 computer systems of the level-one trauma center, making it the largest American hospital hacked this year. After 6 weeks, some computer systems were still being restored at the hospital.

The proliferation of connected devices in hospitals, as well as the increasing volume of data traveling in and out the network, have made traditional security measures dangerously inadequate. In fact, 93 healthcare organization were victims of cyberattacks last year – a striking 63 percent increase from the previous year and this trend is likely to continue until hospitals, and enterprises alike, update their cybersecurity strategy to directly address today’s threats.

There Are Always Side Effects

Hospitals are embracing emerging technologies including the Internet of Things (IoT). From X-ray machines to blood pressure monitors and connected medical devices, hospitals are creating new efficiencies while simultaneously generating more data than ever before. And if the sheer volume of the data wasn’t enough for healthcare IT professionals to deal with – the complexity of that data is also growing, especially as hospitals are connecting with each other and telemedicine gains momentum. Today, millions of patient records are stored in hospital datacenters – or in the cloud as is frequently becoming the case – and thousands of transactions from a variety of devices are taking place on the network every second, generating a virtual storm of sensitive data. And of course, this data must be treated with strict regard to privacy and authorized access as specified within the US Government HIPAA regulations. While this increase in data and data complexity can lead to improved patient care, it also provides more opportunities for data to be compromised at the endpoints and from within the network.

Cloud computing and shared cloud storage have also introduced a new entry point for hackers. The days of on premise datacenters are quickly coming to an end as organizations migrate their data to the more convenient and more cost-effective cloud. However, the cloud brings a vulnerability cost. Numerous organizations are sharing resources in public clouds, which offers hackers easier access to others within the same cloud via malware Trojans, given that they are already inside the network. Malware programs are also becoming more sophisticated with their ability to self-morph, making them very difficult to detect by conventional signature techniques. These Trojans can hide within the network and slowly steal data or even remain dormant until instructed to activate, like some of the recent Distributed Denial-of-Service (DDoS) attacks.

A Comprehensive Treatment Option

Traditional security models have focused on protecting only the perimeter of the network. But between the increased number of physical entry points within the connected hospital, and vulnerabilities presented by the cloud, this approach is far too simplistic for today’s complex, data-intensive world. Firewalls and other boundary-based security solutions fail to address threats from within a network. They also do not have the ability to detect malware that has managed to infiltrate the network nor can they effectively combat internal attacks once detected.

A modern hacker’s toolbox is sophisticated and there is no single “silver bullet” when it comes to cybersecurity, which is why Mellanox strongly encourages organizations to leverage a comprehensive security strategy.

First, a distributed security approach provides a multi-layered defense with protection at the perimeter and within the network, as well as at individual servers and devices connected to the network. Distributed security scales as the data center scales and doesn’t require expensive upgrades to perimeter security appliances when the network bandwidth grows.  While this approach to security may sound costly, it can actually be quite cost-effective and represents a drop in the bucket compared to the potential costs of a security breach.

Second, encrypting data both in flight and at rest – even inside a hospital firewall – has become imperative. The thousands of transactions taking place per second and the magnitude of data moving around within the network at any given time means security measures that only protect data at the disc are putting an enormous amount of data at risk. Healthcare data should be encrypted whenever it is in transit as well as when it is stored, with strong key management to enforce authorized access.

Finally, authorization is a hyper-important step in protecting data. This is especially vital in hospitals where multiple healthcare professionals and members of the administrative staff, each with specific needs, require access to patient records. Such a variety of users presents more opportunities for a data breach, intentional or otherwise. Hospitals and other organizations handling highly sensitive information need to consider authorization that goes beyond mere usernames and passwords, and should include certificates and digital signatures, as well as 2-factor authentication.

Beating the Odds

Readers may feel overwhelmed at the prospect of such a comprehensive, multi-layered approach. You may be saying to yourself, “That all sounds great in theory, but implementing all those security measures would grind my network to a halt.” And this is a natural concern of course. In fact, worries about loss of performance or network availability is often the primary reason – not cost – why organizations choose not to deploy adequate security.

Typical software-only approaches suffer from three shortcomings:

  • Loss of performance – Inability for general-purpose CPUs to deliver line-rate processing at smaller packet sizes and with low latency and jitter
  • Over-consumption of server resources – burning CPU cycles on networking and security functions, rather than the true application workloads
  • Inadequate protection from insider threats – Malicious applications could reside in an adjacent Virtual Machine running on the same server.

Despair not!

Mellanox overcomes any performance concerns resulting from robust security measures by increasing network speeds and performing security processing within each network node. Hardware-based security can prevent malware from getting onto the network or crossing between server nodes with Mellanox SmartNICs acting like security guard posts on individual servers. In addition to implementing normal security functions, these adapter cards can monitor traffic and provide telemetry metadata to a centralized workstation. If an issue is identified, any specific traffic flow or server can be shut down before it impacts the entire network. As a bonus, this highly-distributed security scales far better than traditional security appliances at the network edge.

Finally, hospitals – or any organization for that matter – should be exploring the potential that Artificial Intelligence (AI) may hold for security. AI security uses heuristic learning methods, moving away from simple malware signature detection or rigid security policies that are nearly impossible to scale. AI-based system watch the network behavior under normal conditions, learning what a healthy network looks like and if an anomaly arises, quickly flag abnormalities. It can be seen that having distributed hardware security “agents” throughout the data center offers broad visibility to such AI-based tools and also affords the trusted mechanisms to shut off attack traffic at individual nodes.

This may all sound daunting, but security breaches are becoming more frequent and more costly for everyone involved. With all of the highly sensitive data that has the potential to be stolen, hospitals should reevaluate their security measures today. Otherwise, they risk becoming the next Erie Country Medical Center or Equifax and spending millions of dollars – not to mention the lost customer confidence – trying to recover from what could have been a preventable breach.

Supporting Resources:

Fighting Distributed Attacks (DDoS) with Distributed Defense

Part 1: The DDoS Threat and Changing Landscape of Protection

Distributed Denial of Service (DDoS) attacks have been around for quite a while and their profile was raised again last month when Dyn Inc., one of the largest DNS provider sites, was hit with a very large scale (tens of millions of zombie agents) attack that affected more than 65 key Internet sites on the East coast of the U.S., including Twitter, Reddit, and the NY Times. This attack was unique in its scale, and also in the fact that the perpetrators apparently leveraged a botnet based on millions of compromised IoT devices such as IP cameras, baby monitors, and residential gateways.

What is a DDoS Attack?

A Denial of Service (DoS) attack is one that prevents legitimate users from accessing a network resource. A Distributed Denial of Service (DDoS) attack is a variant that uses multiple network entities to attack the target. By utilizing many network devices to mount the assault, the traffic is amplified over what a single attacker could reasonably generate. In addition, the use of many attacker nodes can help conceal the identity of the attacker and complicate the task of mitigation since it can be difficult to separate the normal “good” traffic from the attack traffic.

The attacker will typically have access to a very large number of Internet-connected computer systems – referred to as the zombie agents or a botnet – that can be controlled centrally to send out the desired attack traffic. In most cases, these zombie machines are simply computers or other devices that have been hijacked for this purpose, often without the owners realizing it.

DDoSAttack_1

The attacks are designed to have the biggest possible impact on the target’s network, servers, and resources (e.g. consuming a large portion of the compute and/or memory resources to reduce the server’s ability to respond to legitimate users). Volumetric attacks are the most commonly seen and they rely on an approach of flooding the target servers with an overwhelming number of packets. Various attack vectors fall into this category, including SYN flood or ICMP attacks, the latter of which for example might involve a PING flood sending a huge number of ICMP Echo Requests to the attack target. Application Layer attacks (the type used in the recent DNS DDoS event) can be more effective as they cause specific applications running on the server to expend resources and therefore compromise the system’s ability to respond to legitimate traffic.

As with many security threats, the problems are compounding as skilled hackers are posting easy-to-use tools used to mount DDoS attacks, enabling a wide field of potential less skilled adversaries.

The Challenges with Existing Protection Measures

There are various approaches to defending against DDoS attacks, including cloud services that filter traffic through a DDoS-screen before the packets are forwarded to the application servers or appliance solutions that can be positioned at the edges of a network. The appliance solutions include custom DDoS-mitigation devices, firewalls or Intrusion Prevention Systems. In some cases IT operators use server configuration tools to help limit the attack surface by allowing the servers to ignore certain sources of traffic or types of messages.

However, many of the old DDoS protection methods do not stand up in the face of the massive scale of recent attacks (note that the DNS one used tens of millions of IP addresses in the “zombie bot-net” to initiate the attack.) These types of attack are likely to increase with time as the proliferation of Internet-connected devices continues. IoT devices are particularly vulnerable to being compromised as unwitting “zombies” since they are often not designed with strong security features and whatever features ARE installed by the factory may not be updated in the field as new threats appear.

Furthermore, with the co-mingling of users and applications in the cloud, the older model where DDoS attacks originate from “out there” is breaking down. In cloud-based deployments, threats can originate inside the data center and so the model of protection has to change as well. An externally-hosted DDoS scrubbing web service will not protect against the internally-sourced threats.

Fighting the Attackers with Multi-Layered Defense

A hybrid DDoS protection approach is proving to be the answer to the evolving threat landscape. Externally sourced volumetric attacks can be mitigated through Cloud DDoS offerings – powered either by large numbers of servers capable of absorbing and filtering the attack or by very high performance DDoS networking appliances.

To address sophisticated application layer attacks – as well as threats originating on the inside – a distributed defense within the datacenter is called for. This means, having DDoS protection in front of, and within the network and switching fabric as well as at the servers themselves.

DDoSAttackPrevention_2

This approach has the following advantages:

  • Protects against attacks originating from inside as well as outside the data center
  • Enables per-node customized rules/filters based on the protected assets
  • Scales naturally as the datacenter grows
  • Is a cost-effective solution

With a distributed deployment, an SDN (Software-Defined Networking) model can be followed. Monitoring and telemetry on the network activity is done at many nodes throughout the data center and reported back to centralized DDoS controllers. The controllers then respond to attacks by programming filtering rules into the distributed DDoS protection agents located throughout the data center. Decoupling the control and data-planes has been shown to have numerous benefits in the switching and routing arena and those same advantages also apply to security services.

_________________________________________________________________

In the next blog in this series, we’ll explore ways in which Mellanox technology can be utilized to implement next generation DDoS protection solutions.

  • Mellanox high-performance NPS Network Processors are being used by leading vendors to provide DDoS protection on millions of flows at 100’s of Gigabits/sec and apply traffic shaping policies for mitigation
  • ConnectX intelligent adapters allow servers to handle considerably more network traffic than standard NICs and offer flow-based switching and packet discard techniques to mitigate flood attacks
  • Mellanox Innova network adapters offer a programmable FPGA as a front-end to allow programming a wire-speed anti-DDoS engine.

banner

Please also sign-up for our webinar to be held on this topic on Dec 13th at 10:00am PST.