Monday, December 21, 2009

PCI compliance in the cloud (Part B)

First published here on 12/14/2009:

In Part A, I discussed the functional requirements for a virtual firewall. Now let's take a look at the technologies required to make this work.

Traffic segmentation

Firewalls segment traffic. That's obvious, but think about what it means in the cloud. For segmentation to work, there must be a way to guarantee that all traffic to and from a tenant's systems is available to the firewall for inspection and for the application of access controls. This means the virtualization host must support at least one of the following:

  1. Routing traffic to/from a tenant system through the virtual firewall at the network layer. This is how "bump-in-the-wire" devices work, and it is a poor fit for virtual environments: traffic between two virtual machines on the same host never leaves the virtual switch unless it is deliberately hairpinned out to the firewall and back.
  2. Routing traffic to/from a tenant system through the virtual firewall at the hypervisor layer. This is more efficient because it reduces latency and the number of CPU cycles needed to inspect each packet.
  3. Other novel techniques enabled by virtualization -- "Magic". I call it Magic because virtualization makes it possible to build intelligence about which packets actually need to be inspected or filtered by the firewall, rather than pushing every packet through it.

Configuration management

Virtual firewalls must include configuration management capabilities. Why? Because in a virtual environment it is much easier to reconfigure ports and networks, or even to attach a virtual machine to two networks so that it bridges them around the firewall. This is tricky in the cloud because detecting such changes requires visibility into, and integration with, the cloud provider's management framework.

Dynamic policy enforcement

Virtual machines migrate. This requires policy enforcement that is independent of location and of layer 2 and layer 3 connectivity. Segmentation and access controls must transparently follow virtual machines as they migrate, or are copied, between virtualization hosts, data centers, or cloud providers.

Cloud management

Unless cloud providers wish to assume all of the responsibility for the correct configuration of their customers' virtual firewalls, the provider must give customers control of their own firewall policies while preventing one customer from inappropriately blocking traffic to another customer.
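As an added example that is not part of the original post, here is a minimal policy model with the three properties just described. Policy is written in terms of zones, and VMs are bound to zones by a stable identity (a hypervisor UUID, say), so a migration that changes host and IP address changes nothing about what is allowed; a tenant can only write rules that reference zones the provider records as its own; and a VM attached to more than one zone without being an approved gateway is reported as a possible bridge. Every class, zone name and address below is constructed for this illustration and is not any provider's API.

```python
"""Zone-based segmentation keyed on VM identity instead of host, IP or VLAN,
with two checks from the post: a tenant cannot write rules that touch another
tenant's zones, and a VM sitting in more than one zone (a potential bridge)
is flagged. All identifiers and data are constructed for this example."""
from dataclasses import dataclass


@dataclass
class VM:
    vm_id: str      # stable identity (e.g. the hypervisor's UUID), never the IP
    tenant: str
    zones: set      # zones the VM's virtual NICs are attached to
    host: str
    ip: str


@dataclass
class Rule:
    tenant: str
    src_zone: str
    dst_zone: str
    port: int
    action: str     # "allow" or "deny"


class ZonePolicy:
    def __init__(self, zone_owner):
        self.zone_owner = zone_owner   # zone name -> owning tenant (provider's map)
        self.vms = {}
        self.rules = []
        self.gateways = set()          # VMs approved to span zones (e.g. a firewall VM)

    def register(self, vm, gateway=False):
        for z in vm.zones:
            if self.zone_owner[z] != vm.tenant:
                raise PermissionError(f"{vm.vm_id}: zone {z} is not owned by {vm.tenant}")
        self.vms[vm.vm_id] = vm
        if gateway:
            self.gateways.add(vm.vm_id)

    def add_rule(self, rule):
        # Cloud management: a tenant may only reference its own zones, so it can
        # never block another tenant's traffic.
        for z in (rule.src_zone, rule.dst_zone):
            if self.zone_owner.get(z) != rule.tenant:
                raise PermissionError(f"{rule.tenant} may not write rules for zone {z}")
        self.rules.append(rule)

    def migrate(self, vm_id, new_host, new_ip):
        # Location and addressing change; zone membership, and so policy, does not.
        vm = self.vms[vm_id]
        vm.host, vm.ip = new_host, new_ip

    def evaluate(self, src_id, dst_id, port):
        """First matching rule wins; anything unmatched is denied."""
        src, dst = self.vms[src_id], self.vms[dst_id]
        for r in self.rules:
            if r.src_zone in src.zones and r.dst_zone in dst.zones and r.port == port:
                return r.action
        return "deny"

    def bridging_vms(self):
        """Configuration check: a VM attached to several zones that is not an
        approved gateway may be bridging networks around the firewall."""
        return sorted(v.vm_id for v in self.vms.values()
                      if len(v.zones) > 1 and v.vm_id not in self.gateways)


def demo():
    owners = {"acme:web": "acme", "acme:db": "acme", "globex:db": "globex"}
    p = ZonePolicy(owners)
    p.register(VM("vm-web1", "acme", {"acme:web"}, "host-a", "10.0.1.5"))
    p.register(VM("vm-db1", "acme", {"acme:db"}, "host-b", "10.0.2.5"))
    p.register(VM("vm-gdb1", "globex", {"globex:db"}, "host-b", "10.0.2.6"))
    p.add_rule(Rule("acme", "acme:web", "acme:db", 5432, "allow"))

    before = p.evaluate("vm-web1", "vm-db1", 5432)     # "allow"
    p.migrate("vm-web1", "host-c", "192.168.7.20")     # moved to another host and subnet
    after = p.evaluate("vm-web1", "vm-db1", 5432)      # still "allow": policy followed the VM
    cross = p.evaluate("vm-gdb1", "vm-db1", 5432)      # "deny": no rule spans tenants

    try:   # another tenant trying to block acme's database traffic
        p.add_rule(Rule("globex", "acme:web", "acme:db", 5432, "deny"))
        tenant_isolated = False
    except PermissionError:
        tenant_isolated = True

    # A VM someone attached to both zones: the bridge the post warns about.
    p.register(VM("vm-oops", "acme", {"acme:web", "acme:db"}, "host-a", "10.0.1.9"))
    return before, after, cross, tenant_isolated, p.bridging_vms()


if __name__ == "__main__":
    print(demo())
```

The model is deliberately small: the point is that nothing in `evaluate` reads `host` or `ip`, which is exactly what makes the policy survive a migration, and that `zone_owner` is the provider's data, not the tenant's, which is what stops one customer from writing rules about another.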

Can anyone name a cloud provider who makes this all possible?



PCI compliance in the cloud (Part A)

First posted here on 12/07/2009:

The new cloud (or, if you prefer, hosted computing services, or IaaS) rests on top of virtualization. If we're going to take the cloud seriously, it will have to be compliant. One of the more stringent compliance frameworks is PCI DSS. Let's look at requirement 1 and start building a solution for the cloud.

PCI DSS v1.2.1, requirement 1.1, test procedure 1.1: "Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete."

Deploying virtual firewalls is insufficient on its own, because the virtual firewall shares its support structure (virtual switches, hypervisor, and management plane) with the virtual machines it protects. Technical controls must also be deployed to validate the configuration of the virtual firewall and to detect and alert if it is tampered with.
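As an added example (not from the original post), here is one shape such a control can take: a canonical digest of the running ruleset is compared with an approved digest held by the security management framework rather than on the host, and any difference is broken down into added, removed, or reordered rules. The rule format, the rulesets, and the `check` function are constructed for this illustration, not any product's API.

```python
"""Detecting tampering with a virtual firewall's ruleset by comparing a canonical
digest of the running configuration with an approved baseline digest held off the
virtualization host. Rule format and rulesets are constructed for this example."""
import hashlib
import json


def _key(rule):
    # One rule in canonical form: key order inside a rule is normalized
    return json.dumps(rule, sort_keys=True, separators=(",", ":"))


def digest(rules):
    """SHA-256 over the canonical ruleset. Rule order is kept on purpose: a
    first-match firewall behaves differently when the same rules are reordered."""
    data = json.dumps(rules, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def compare(baseline, running):
    base, run = {_key(r) for r in baseline}, {_key(r) for r in running}
    return {
        "added": [r for r in running if _key(r) not in base],
        "removed": [r for r in baseline if _key(r) not in run],
        "reordered": base == run and [_key(r) for r in baseline] != [_key(r) for r in running],
    }


def check(baseline, approved_digest, running):
    """Return (ok, findings). The approved digest lives with the security
    management framework, not on the host, so an attacker who edits the running
    config cannot also 'fix' the digest. The approved copy of the baseline is
    itself verified first, so a tampered baseline cannot hide a tampered host."""
    if digest(baseline) != approved_digest:
        return False, {"error": "approved baseline copy does not match its digest"}
    if digest(running) == approved_digest:
        return True, {}
    return False, compare(baseline, running)


# Constructed rulesets: a two-rule baseline, the same set with a rule slipped in
# before the final deny, and the same rules with the deny moved to the front.
BASELINE = [
    {"action": "allow", "src": "web", "dst": "db", "port": 5432},
    {"action": "deny", "src": "any", "dst": "any", "port": "any"},
]
APPROVED_DIGEST = digest(BASELINE)   # recorded at approval time, stored off-host
TAMPERED = [
    BASELINE[0],
    {"action": "allow", "src": "any", "dst": "db", "port": 22},
    BASELINE[1],
]
REORDERED = [BASELINE[1], BASELINE[0]]


if __name__ == "__main__":
    for name, running in (("clean", BASELINE), ("tampered", TAMPERED), ("reordered", REORDERED)):
        print(name, check(BASELINE, APPROVED_DIGEST, running))
```

Two details matter in practice: the digest must cover rule order (the `REORDERED` case is a real policy change even though no rule was added), and the check must be scheduled and alerted on by something the host administrator cannot silence, which is the separation-of-duties point made later in this post.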

Physical firewalls are insufficient unless every virtual machine is on a unique VLAN, VLAN hopping is mitigated, and all traffic is forced through the physical firewall. Further, virtual machine mobility must be constrained, and virtual machines must be subject to the same firewall policy regardless of physical location or layer 2 connectivity.

While sufficient, the physical solution may be impractical because of the constraints it places on deployment, consolidation, and high availability.

The optimal solution is one that allows deployment of a best-practice virtualization architecture for security, integrity, and availability while also maximizing consolidation and the return on the virtualization investment. This requires a virtualized firewall deployment with the following characteristics:

  1. Assurance of integrity for the security management framework
  2. Enforcement of separation of duties for server, network, and security operations
  3. Enforcement of least privilege
  4. Dynamic network segmentation that is independent of location, IP address, or layer 2 connectivity
  5. Integrated auditing and configuration management for virtualization layers

If that sounds like more than a firewall, you’re right.


Thursday, August 13, 2009

Missing Russian Ship

Right out of a Tom Clancy novel, a 4,000-tonne cargo ship is missing. Reportedly, the ship was carrying nothing worth hijacking. There are not many facts available, but there are some interesting bits:
  1. 10 armed men boarded the ship about a week before it disappeared and left 12 hours later.
  2. The ship spent two weeks in Kaliningrad before beginning its voyage.
  3. The Russians are searching for the ship with all available resources.
As reported here, the Russians have battlefield nuclear weapons in Kaliningrad.

I wish the Russians good luck in their search and I hope the NATO forces provide all available resources to assist.

Thursday, April 23, 2009

Data Protection for Virtualized Servers

I am recording a webcast live next Wednesday. It's free and only requires a short pre-registration.

Data Protection for Virtualized Servers

Friday, April 10, 2009

How many manhole covers are in San Jose, CA?

From the Mercury News:
John Britton, a spokesman for AT&T, said it appears somebody opened a manhole in South San Jose, climbed down eight to 10 feet and cut four or five fiber-optic cables. Britton also said there was a report of underground cables being cut in San Carlos.
AT&T's contract with the Communication Workers of America expired at 11:59 p.m. Saturday, but Britton said "we have a really good relationship with the union" and that negotiations continue between the two sides.
It's my understanding that a single cut in one location would not cause the outage we recently experienced. There would need to be two or more cuts at strategic locations to cause an outage to cell phone, landline, and emergency services.

Knowing which manhole covers to open would require very specific knowledge of the Bay Area fiber infrastructure.

Tuesday, March 31, 2009

Securing the Dynamic Data Center

I am recording a webcast live today. It's free and only requires a short pre-registration.

Securing the Dynamic Data Center

Monday, March 30, 2009

Conficker and April 1

Well, here are the Wikipedia entries that got me thinking:

"As a countermeasure, ICANN and several TLD registrars began in February 2009 a coordinated barring of transfers and registrations for these domains."

"Variant C contains code to sidestep these countermeasures by generating an expanded daily list of 50000 domains across 110 TLDs. This new pull mechanism, however, is disabled until April 1."

I’ve also been following the work at SRI regarding this threat.

Even 1 million Variant C infections could result in up to 50 billion DNS lookups a day (1,000,000 infected hosts × 50,000 domains each).

I think Wednesday is going to be a slow day on the Internet.

Tuesday, February 3, 2009

Heartland Breach

  • Level 1 credit card processor fails to prevent data loss affecting hundreds of millions of transactions.
  • Attacker installed tools on Heartland server, inside the PCI trust path network
  • Tools “sniffed” transactions and sent data to system(s) outside North America
"Heartland has said intruders broke into its systems sometime last year and planted malware that they used to steal the card data. The number of compromised cards still isn't known. But Heartland processes more than 100 million transactions per month."
- Jaikumar Vijayan, "Banks, customers feel the fallout of the Heartland breach", Computerworld, 2/2/2009.

Breach analysis:

Root cause includes but is not limited to the following:
  • Failure of host-based intrusion prevention (HIPS)
  • Failure of network-based intrusion detection and prevention (IDP)
  • Failure of configuration management to detect changes to host and network configuration
  • Failure of separation of duties and of detection of abuse or escalation of privilege
  • Failure to segment the processor network and enforce a zone of trust

In summary, Heartland failed to properly implement and enforce defense in depth, network segmentation, and separation of duties. Remember, Heartland is a Level 1 PCI processor and was required under PCI DSS to get this right. This means Heartland's auditors failed.
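The segmentation failure in the root-cause list above, as an added example that is not part of the original post: a zone map for a constructed cardholder-data environment, a per-zone egress allowlist, and an audit over constructed flow records that reports every outbound flow from the processing zone to a destination its zone may not reach, totalling the bytes moved so an exfiltration stream stands out. The addresses, zone names and flows are all made up; the post's "outside North America" point is modelled simply as "any destination not on the zone's allowlist", since a real deployment would add geolocation on top of the same check.

```python
"""Egress control for a cardholder-data zone, run over constructed flow records.
A processing host may only talk to zones on its allowlist; any other outbound
flow is reported, with bytes totalled per (src, dst) so a sniffer shipping
captured transactions off the network is the first thing an analyst sees.
Addresses, zones and flows are constructed for this example."""
import ipaddress
from collections import defaultdict

# Zone map: which address blocks belong to which trust zone (constructed)
ZONES = {
    "cde": [ipaddress.ip_network("10.20.0.0/24")],      # card-processing hosts
    "switch": [ipaddress.ip_network("10.30.0.0/24")],   # links to card networks
    "mgmt": [ipaddress.ip_network("10.99.0.0/24")],     # administration hosts
}

# Egress allowlist: destination zones each source zone may reach; all else denied
EGRESS = {
    "cde": {"switch"},
    "switch": {"cde"},
    "mgmt": {"cde", "switch"},
}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "external"


def audit(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, nbytes).
    Returns the violating flows and the offending (src, dst) pairs ranked by bytes."""
    violations = []
    volume = defaultdict(int)
    for src, dst, port, nbytes in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == "external":
            continue      # inbound is the perimeter firewall's job; this audit is egress
        if dz not in EGRESS.get(sz, set()):
            violations.append((src, dst, port, sz, dz))
            volume[(src, dst)] += nbytes
    ranked = sorted(volume.items(), key=lambda kv: kv[1], reverse=True)
    return violations, ranked


# Constructed flow records: two legitimate flows, a large two-part upload from a
# processing host to an outside address, and a small lateral hop into management.
FLOWS = [
    ("10.20.0.7", "10.30.0.2", 443, 1800),            # cde -> switch: allowed
    ("10.99.0.4", "10.20.0.7", 22, 900),              # mgmt -> cde: allowed
    ("10.20.0.7", "203.0.113.10", 443, 52_000_000),   # cde -> external: exfiltration
    ("10.20.0.7", "203.0.113.10", 443, 48_000_000),
    ("10.20.0.7", "10.99.0.4", 445, 300),             # cde -> mgmt: not allowed
]


if __name__ == "__main__":
    found, ranked = audit(FLOWS)
    for v in found:
        print("VIOLATION", v)
    for (src, dst), total in ranked:
        print(f"{src} -> {dst}: {total} bytes")
```

The check is deliberately default-deny: a zone with no allowlist entry can reach nothing, so a new destination shows up as a finding the first time it is used rather than after someone thinks to look for it.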


Catbird directly addresses all of the above except HIPS. HIPS requires an agent on every endpoint, and agents are not a component of our architecture, which is agent-less by design. Our customers are able to implement and enforce defense in depth using Catbird TrustZones™ security policies, virtual infrastructure configuration management, and virtual machine tracking technologies. These technologies include but are not limited to:
  • Policy and detection templates for IDP, to monitor and control network flows between zones and machine-to-machine flows inside a trust zone
  • Policy-based configuration monitoring and enforcement using session blocking and quarantine, including quarantine of virtual machines
  • Monitoring of virtual administrator activity and enforcement of dual controls for connecting a virtual machine to a network zone
  • Catbird TrustZones monitor and enforce network segmentation within and between machines on any network, VLAN, or port group

In summary, proper deployment of Catbird TrustZones technology would have detected and prevented a data breach like the one that occurred at Heartland.