Is Your Server Infrastructure Secure?
Mukund Khatri, Sr. Distinguished Engineer, Server Solutions
Rick Hall, Sr. Product Planning Manager, Server Solutions
2 Dell - Internal Use - Confidential
Server Management Tech Track Sessions
• Dell EMC PowerEdge Server Systems Management Overview. Code: Server.02; Times: Monday 4:30 PM, Wednesday 1:30 PM; Locations: Delfino 4001A, Palazzo K
• Server Management Simplicity Series (Part 1): Deploying & Monitoring Dell EMC PowerEdge Servers. Code: Server.03; Times: Monday 8:30 AM, Wednesday 8:30 AM; Locations: Palazzo I, Marcello 4401A
• Server Management Simplicity Series (Part 2): Reducing Maintenance Through Systems Management Best Practices. Code: Server.04; Times: Monday 1:30 PM, Wednesday 12:00 PM; Locations: Delfino 4001A, Palazzo K
• Server Management Simplicity Series (Part 3): Toward A Single Pane Of Glass - Management Consoles & Integrations. Code: Server.05; Times: Tuesday 3:00 PM, Thursday 11:30 AM; Locations: Marcello 4403, Palazzo L
• Is Your Server Infrastructure Secure? Code: Server.07; Times: Monday 12:00 PM, Wednesday 1:30 PM; Locations: Lando 4203, Lido 3001A
• Utilizing Mobile Devices in The Datacenter. Code: Server.08; Times: Tuesday 8:30 AM, Thursday 10:00 AM; Locations: Palazzo J, Lando 4203
Major trends are impacting IT infrastructure and security… in a compounding fashion
Compliance
Threats
Innovation
MODERN IT INFRASTRUCTURE
Traditional and Emerging Workloads
Comprehensive and Enduring Security
Flexible Cost Structure
SERVER
Expanded Role of Server, beyond Compute
HOW TO BUILD A
Modern IT Infrastructure
ADAPT AND SCALE to dynamic business needs
AUTOMATE to sustain and grow
PROTECT your customers and your business
Infrastructure is Under Attack!
Hacker Claims To Push Malicious Firmware Update to 3.2 Million Home Routers
New PC malware loads before Windows, is virtually impossible to detect
Apple deleted server supplier after finding infected firmware in servers
Hacker Holes in Server Management System Allow ‘Almost-Physical’ Access
“Nemesis” malware hijacks PC’s boot process to gain stealth, persistence
Common Myths of Infrastructure Security
• We have strong perimeter “air-gap” protection, and that is sufficient for my enterprise
• Firmware exploits are very difficult to pull off and require physical access
• Security is a specialized function handled by our centralized security team and not a worry for my IT team
• Default passwords are OK for management interfaces since they are isolated on a separate network
• Every OEM’s servers have pretty much the same security features
Holistic Security Must Comprehend Server Infrastructure
Server Platform Design is as Critical as OS and Applications
Firmware (BIOS, BMC, HDD, etc)
Hardware design
Hypervisor / OS
Applications
Cloud
Areas getting most of the security focus and $$$
The often overlooked server infrastructure: Persistent & Stealthy
Firewall
“We predict in 2017 that advanced adversaries will continue to look for vulnerabilities
in hardware and firmware that they can exploit. We believe that they possess the
ability to exploit systems whose firmware is based on legacy BIOS or (U)EFI as well as
firmware of other types of devices such as solid-state drives, network cards, and Wi-Fi
devices.” – McAfee Labs 2017 Threats Predictions
Aspects in Server Design to Consider for Security
Resilient Firmware Architecture – built-in
Authentication for Boot & Updates
Audit Logging & Alerting
Role-based Access Control
Conformance to TCG, UEFI, NIST, other Standards
Physical Access
• Locking bezels
• Intrusion detection
Secure Decommissioning of Server & Data
Data Protection : Data-at-Rest, Data-in-flight
Robust Security Development Lifecycle
Centralized Vulnerability Management & Patch Management
Hardware Accelerator Support
Security Needs to be Built-in, Not Bolted-on
“How” they’re designed …
• …beyond the security features supported
• High Assurance & Cyber Resiliency attributes in Product design
  o Effective Protection, Reliable Detection, Rapid Recovery – to thwart Advanced Persistent Threats
• Development Model: Process & People
  o Broad and Robust adherence to Security Development Lifecycle by engineering teams
  o Includes Code analysis, Threat modelling, Penetration Testing, Internal / External Audits & Reviews
• Centralized Vulnerability Reporting & Response
  o Co-operative engagements w/ researchers and industry partners for expedited mitigations
• Active participation across key Industry Standards organizations
  o TCG, USWG, DMTF, NIST amongst others
Firmware is an Attractive Target for Malicious Attacks
• Stealthy: typically undetectable by today’s AV scanners
• Persistent: malicious firmware simply reloads after rebooting or power cycling
• Pre-OS control: BIOS-level malware is especially powerful since it can control low-level server operation before & after OS is loaded
• Not up to date: software patching for OS security issues is frequent; firmware is typically patched less often
• Multiple points of attack: typical server platform has multiple distinct types of device firmware
Typical Server Firmware: PSUs, Storage Drives, FC HBAs, BMC, BIOS, Storage Controller, CPLD, NICs
Key Requirements for Firmware “Protection”
• Authenticated Firmware Updates
– Authentication via digital signatures ensures that firmware update code comes from the genuine source
– Self Updates or Assisted Updates
• Firmware Locking
– Ability to hide or write-protect the firmware from modification by any unauthorized agent
• Non-Bypassability
– There should not be backdoors to bypass or circumvent authenticated firmware updates
• Conformance to NIST SP800-147B
– Guidelines for Secure BIOS Update
Servers Designed to be Cyber-Resilient
Security Features in PowerEdge Servers
Effective Protection
• Immutable Hardware Root of Trust for E2E Verified Boot
• Cryptographic integrity check of BIOS/iDRAC before boot
• Protected & Authenticated Firmware Updates
• iDRAC: SELinux, AD/LDAP, MFA, Redfish
• Isolation of Host and Management domains
• System Lockdown to prevent unauthorized changes
Reliable Detection
• Drift Detection for Firmware and Configuration Data
• Enhanced UEFI Secure boot
• TCG Secure Boot, NIST SP800-155, Intel TXT
• Supply Chain Assurance for Critical Firmwares
• SHA256 Hash for every Payload to Verify Integrity
Audit Logging
• Holistic log inclusive of System Events, User Actions
• Persistent - only erasable on retirement
• Granularity - every event is logged
• Alerting: Redfish/SNMPv3 & Integration into Consoles
• Includes Recommended Actions – beyond reporting event
• Seamless Integration of OS logs into LifeCycle log
Rapid Recovery
• Automated Recovery for iDRAC Firmware
• Primary OS Remediation from Built-in Protected Backup
• Cyber-Resilient BIOS Recovery
• Built-in Full Power Cycle
• On Demand Recovery of BIOS/iDRAC Firmware
• EasyRestore for Security Configuration
Security is A Critical IT Initiative for Server Buyers
[Bar chart: “Which of the following technology initiatives is your IT organization prioritizing over the next 12 months?”, with one series each for SMB and Enterprise]
Source: Forrester Business Technographics Priorities & Journey 2016
PowerEdge Security Features
Signed Firmware Updates
• SHA2 hashing
Secure Alerting
• SNMP v3
• WS-MAN or Redfish eventing
Strong Authentication & Authorization
• LDAP, Active Directory, 2-factor
Secure Booting
• Authenticated BIOS & iDRAC boot process with chain of trust
• UEFI Secure Boot with customized certificates
Access Protection
• Role-based access control
• IP blocking/filtering
• Detailed user access logging
Physical Access
• Locking bezels
• Intrusion detection
Server Repurposing or Retirement
• Options for quick but secure erasure of user data and logs
USB Control
• Disable/enable USB ports per datacenter policy
Data Protection
• Encryption at rest (SEDs & FIPS drives)
PowerEdge Security Details
Server/BIOS
• Modular TPM 1.2/2.0
• FIPS/Common Criteria
– Common Criteria EAL4+ certified with RHEL
– FIPS 140-2 and Common Criteria Certification for TPM 1.2 & 2.0
– FIPS 140-2 for SED drives
• Enhanced UEFI Secure Boot
– Adds the option of using customized certificates (signed by the company itself and not by Microsoft)
iDRAC
• Internet Security
– TLS/SSL support (TLS 1.2 recommended)
– HTTP/HTTPS
– SSH with PKI authentication
• FIPS 140-2 for iDRAC and CMC
• Security-Enhanced LINUX (SELinux) Embedded OS
– Fine-grained protection via policy-driven access to resources and operations
Innovative New Security Features in 14G
System Lockdown
• Virtual lock for preventing configuration or firmware changes
• Alerts when configuration or firmware deviates from baselines
System Erase
• Quickly and securely erase internal server storage devices including HDD, SSD, and NVMe drives
• Wipe all user configuration and log file information
Secure Default Password
• Prevents inadvertent exposure of new iDRACs on unprotected networks
• Encourages stronger password policies (rather than the tendency to use generic default passwords)
Dynamic USB Port Enable
• Allows USB port disable for normal operation in secure environments
• Can be unlocked dynamically via iDRAC authentication when needed, without rebooting the server
Hardware Root of Trust
• An immutable silicon-based root of trust to securely boot iDRAC and BIOS firmware
• Rapid recovery to a trusted image when authentication fails
OS Image Rapid Recovery
• Allows booting of a trusted backup OS image stored in hidden, protected storage
Spotlight on System Erase
• Our System Erase feature leverages a new capability in storage devices called Instant Secure Erase (ISE)
– Instant Secure Erase (also called Cryptographic Erase) is a recognized method of data erasure on storage drives referred to in NIST Special Publication 800-88 “Guidelines for Media Sanitization”
• How does it work?
– Drives with ISE continuously encrypt data on the low-level media using an internal key not exposed outside the drive
– To erase the drive, the encryption key is simply deleted, resulting in unintelligible data on the drive (and hence “instant erasure”)
• Advantages of ISE
– Speed: far faster than data over-writing techniques like DoD 5220.22-M (seconds versus hours and hours)
– Effectiveness: ISE erases all the data on the drive including reserved blocks (an issue with SSD drives for example)
– Better TCO: storage devices can be reused instead of being crushed or otherwise destroyed
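The difference between overwriting and key deletion, as an added example (not Dell EMC code and not a real drive interface): a constructed Python model of a self-encrypting drive, in which `ToySED`, its methods and the SHA-256 keystream standing in for the drive's hardware cipher are all assumptions. It shows a host-side overwrite missing a remapped reserved block, while deleting the key leaves every block unintelligible.

```python
import hashlib
import secrets

class ToySED:
    """Constructed model of a self-encrypting drive (not a real drive API)."""
    def __init__(self, sectors):
        self._mek = secrets.token_bytes(32)   # media encryption key, internal only
        self._map = {lba: lba for lba in range(sectors)}  # LBA -> physical block
        self._media = {}                      # physical block -> ciphertext
        self._spare = sectors                 # first reserved (spare) block
        self.sectors = sectors

    def _crypt(self, block, data):
        # Stand-in for the hardware cipher: XOR with a SHA-256 keystream
        # derived from the key and the block number (assumption, not AES).
        stream = b""
        while len(stream) < len(data):
            stream += hashlib.sha256(
                self._mek + block.to_bytes(8, "big") + len(stream).to_bytes(4, "big")
            ).digest()
        return bytes(a ^ b for a, b in zip(data, stream))

    def write(self, lba, data):
        self._media[self._map[lba]] = self._crypt(self._map[lba], data)

    def remap(self, lba):
        # Wear levelling: the LBA moves to a spare block; the old block
        # keeps its ciphertext and is no longer reachable from the host.
        self._map[lba] = self._spare
        self._spare += 1

    def crypto_erase(self):
        self._mek = secrets.token_bytes(32)   # the old key is gone for good

    def recoverable(self, needle):
        # Can any physical block, reserved ones included, still be
        # decrypted with the drive's current key to reveal `needle`?
        return any(needle in self._crypt(b, c) for b, c in self._media.items())

def compare_erasure(secret=b"CONSTRUCTED-CUSTOMER-RECORD"):
    drive = ToySED(sectors=4)
    drive.write(2, secret)
    drive.remap(2)                            # secret now sits in a stale block
    for lba in range(drive.sectors):          # host-side overwrite pass
        drive.write(lba, bytes(len(secret)))
    after_overwrite = drive.recoverable(secret)
    drive.crypto_erase()
    return after_overwrite, drive.recoverable(secret)
```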
Automate Deployment of Server Security Policies with OpenManage
• Our OpenManage tools and APIs help automate the security policies for your server infrastructure
– Security policies that are not automated can result in manual errors and vulnerability exposures
– You can manage all aspects of the server lifecycle: deploy, update, monitor and maintain
• Choice of Automating Your Way!
– Script to our powerful WS-MAN or RESTful (Redfish) APIs via iDRAC with Lifecycle Controller
– Use our OpenManage Essentials console for comprehensive one-to-many management
– Use our deep integrations with consoles like Microsoft System Center or VMware vCenter
– Use Zero Touch automation that provides plug and play provisioning
Script, GUI, Zero Touch Automation
iDRAC with Lifecycle Controller
Examples of Securing Server Operations
Access Control
• Employ LDAP or AD for user & role authorization
• Set up 2-Factor Authentication
• Customize the iDRAC log-on security notice
• Enforce stronger encryption
• Restrict users to a specific IP range
• Use a BIOS password
Monitor, Update, Maintain
• Alert for configuration or firmware changes
• Use SNMP v3 or Redfish eventing
• Monitor for chassis intrusion events
• Log mobile device IDs associated with Quick Sync 2 usage
• Monitor iDRAC logs for tracking suspicious user access behavior
• Dell EMC signed firmware updates
• Select HTTPS (instead of CIFS & NFS) for file transfers from update repositories
• Use System Lockdown to prevent unwanted or malicious changes to firmware
• Use the iDRAC Direct dedicated USB port to locally remediate server or OS issues
• Use HTML5 mode instead of Java for remote console
• Use System Erase to securely wipe all user data from drives and non-volatile memory
• Reset configurations to factory defaults
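One way to script two checks named on these slides, verifying a payload against its SHA-256 hash and alerting on firmware drift from a baseline, as an added example rather than Dell EMC or OpenManage code. The baseline, the inventory (shaped like Redfish SoftwareInventory members) and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed baseline: component Id -> approved version.
BASELINE = {"BIOS": "1.2.3", "BMC": "4.5.6", "NIC.Slot.1": "20.0.1"}

# Constructed inventory, shaped like Redfish SoftwareInventory members
# ("Id" and "Version" are properties of that schema).
INVENTORY = [
    {"Id": "BIOS", "Version": "1.2.3"},
    {"Id": "BMC", "Version": "4.5.5"},     # differs from the approved version
    {"Id": "CPLD", "Version": "1.0.0"},    # not in the baseline
]

def find_drift(baseline, inventory):
    """Return sorted (component, finding) pairs where inventory departs from baseline."""
    seen = {m["Id"]: m["Version"] for m in inventory}
    findings = []
    for comp, approved in baseline.items():
        if comp not in seen:
            findings.append((comp, "missing from inventory"))
        elif seen[comp] != approved:
            findings.append((comp, f"version {seen[comp]} != approved {approved}"))
    for comp in seen.keys() - baseline.keys():
        findings.append((comp, "not in baseline"))
    return sorted(findings)

def payload_matches(payload: bytes, published_sha256: str) -> bool:
    """Check an update payload against its published SHA-256 before staging it."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, published_sha256.strip().lower())
```

A matching hash only shows the payload equals what was published; authenticity still rests on the signature check performed for authenticated firmware updates.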
Rapid Response to New CVE’s
• Common Vulnerabilities and Exposures (CVEs) are new attack vectors that compromise software and hardware products
– Timely response to CVEs is critical to most companies to assess their security exposure and take countermeasures
• CVEs can be due to new vulnerabilities identified in
– Open source code such as OpenSSL
– Browser and other Internet access software
– Vendor product hardware and firmware
– Operating systems and hypervisors
• Dell EMC works aggressively to quickly respond to new CVEs in our PowerEdge servers
– Which products are affected (software or embedded firmware)
– What remediation steps may be taken
– If needed, when updates will be available to address the CVE
Best Practices for Server Security
• Make sure all firmware is signed and up to date
– Keeping firmware updated ensures that critical security issues like new OpenSSL vulnerabilities or recent encryption exploits are addressed
– Use only Dell EMC firmware updates to ensure proper authenticity
• Always enforce strong password usage for your iDRAC management processor
– 63%* of confirmed data breaches involve weak, default or stolen passwords
– Use of generic default passwords leaves open doors, a concern for even “protected” networks
– Employ role-based authorization to limit access to what is needed for each person or team
• Move away from IPMI to more secure management APIs
– WS-MAN and Redfish are far more secure, both for encrypted communications and credential checking
• Keep your iDRACs isolated from the Internet
– Use either dedicated management networks or shared with VLAN isolation
* Verizon, “2016 Data Breach Investigations Report,” 2016, http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016
In Summary
Security of the Server Infrastructure Matters!
– While most malware attacks today focus on OS and applications, more are emerging that can target your server infrastructure
– Stay with the newest generation of PowerEdge Servers to leverage industry-leading enhancements in hardware, firmware and OS security capabilities.
– Your server infrastructure is the bedrock of your data center. Dell EMC, as your trusted partner, provides the secure foundation for your enterprise
ACCELERATE YOUR BUSINESS ON PowerEdge
ADAPT AND SCALE your dynamic business needs by leveraging Scalable Business Architecture
FREE UP SKILLED RESOURCES and focus on core business with Intelligent Automation
PROTECT YOUR CUSTOMERS and your business robustly with Integrated Security
THE BEDROCK OF THE MODERN DATA CENTER