analysis of security and compliance using oracle sparc t-series servers: emphasis on hardware...
TRANSCRIPT
Analysis of Security and Compliance using Sun UltraSPARC T-Series Servers Ramesh Nagappan, Principal Security Engineer Chad Prucha, Principal Solutions Manager
<Insert Picture Here>
Agenda
• Oracle Security and Compliance Portfolio – Technologies Overview
• Security using Oracle T-Series Servers – Enabling On-chip Cryptographic Acceleration – Role of Solaris Crypto Framework – Applied scenarios in Oracle Database and Middleware – Role of Sun Crypto Accelerator 6000
• Performance Characteristics • Achieving Compliance Goals – HIPPA, PCI-DSS….
• Summary
The Perfect Storm: IT Insecurity Security has taken unprecedented importance ….everywhere!
Security is one of today’s most critical IT business challenges. o Cyber threats, attacks and associated data exposures are the fastest
growing crimes ! o Greater business impacts due to increasing threats and exploits.
Regulatory statutes enforce organizations act proactively to secure information lifecycle. o PCI DSS, SOX, HIPAA, FISMA, EU Data Protection and more. o Mandates organizations to enforce data confidentiality, integrity and
compliance in critical business processes and Web applications.
Stronger demand for high-performance security in applications, data, communications and networks.
Encryption is becoming crucial to IT Security Deliver predictable scalability, end-to-end latencies and response
times including security, virtualization and QoS characteristics.
IT Security: Pre-judicial Barriers Security is often considered as an afterthought or a retrofit
solution. o Many of them late to realize…..“NO ROLLBACK” for a security breach. o After a breach…all post-mortem reactive measures hardly recover any damage. o Ignorance and blind assumptions often leads to underestimating security risks.
Security options are commonly ignored as “Performance Overheads”. o Performance benchmarks usually do not include real-world application characteristics o Cryptographic operations, access control & authentication schemes, non-deterministic
payloads, content-encoding schemes burdens CPU & Network. • 2X+ slowdowns are widely common after going secure ! • Crypto overheads vary by content/usage scenario – tuning don’t make sense!
o Lack of understanding to security technologies Growing IT costs and complexity to identify and defend
applications against known risks and vulnerabilities. o Higher costs hindering adoption of security technologies
Security & Compliance Who is behind the scene
Security & Compliance Infrastructure Security Components of a Oracle SPARC Enterprise T-Series Server
Exploring Security
Role and Relevance of Cryptography Adopting Cryptography for IT Security
Cryptography plays a vital role in IT Security. o Securing the Network, Applications,
Communications and Data • Confidentiality and Integrity of data and
communication • Non-repudiation of transactions • Access control and Availability
o Data privacy and regulatory compliance
Cryptographic algorithms and operations contributes to all levels of application security. o Network-layer Security o Transport-level Security o Message-level security o Application-layer security
Adopting Cryptography: Pain Points
Cryptographic functions tends to be computationally-intensive and requires lot of CPU and Network bandwidth. o Applications slowdown while performing cryptographic operations
How to avoid performance degradation using cryptographic accelerators or Hardware Security Modules (HSM). o Eliminate performance overheads associated with cryptographic functions.
How to enable applications to incorporate cryptographic functions for application-level security.
May use non-invasive mechanisms (ex. using PKCS11) … or go intrusive with tight integration of proprietary frameworks.
Understanding the usage of relevant cryptographic algorithms and its application scenarios. o There is no silver bullet – It is critical to know the applied scenario and how the crypto
mechanism is being used.
Common challenges and stumbling issues
Applied Cryptography
SSL o De-facto standard for securing HTTP in Web applications and Browser based VPNs o Based on public-key algorithms
IPSec o Widely used in enabling Site-to-Site/Host-to-Host VPN o Based on symmetric-key encryption and message digest algorithms
SSH Remote authentication to hosts using a secure channel using public-key encrption.
WS-Security OASIS Standard for securing XML Web Services and SOA applications XML Encryption and Signature use Public-key Cryptography
PKI based Applications. o Identity Management and Assurance, Telco (3G/4G/WiMAX), Digital signature based
DRM, Smartcards and Biometrics
Common security applications using Crypto mechanisms
Security vs. Performance Understanding the overheads with Cryptography – SOA Scenario
SSL using RSA-2048 and WS-SecurityPolicy using Basic128Sha256Rsa15 (Algorithm suite).
Significant performance slowdown occurs after using SSL and WS-Security.
Anatomy of SSL Ciphers vs. Execution times
“Significant time” spent on cryptographic functions with specified ciphers.
Effect of Cryptographic Acceleration Understanding the performance gains for an SSL scenario
Significant performance GAINS can be achieved only using Hardware SSL accelerator.
Cryptographic Acceleration Using Oracle SPARC Enterprise T-Series Servers
On-chip Crypto Accelerators: Evolution
UltraSPARC T1 – 8 Crypto Accelerators o 8 Cores with One accelerator per core o Introduced industry-first on-chip cryptographic accelerators o Cryptographic accelerators run in parallel with clock-speed o Introduced “Public-key Encryption” algorithms (ex. RSA)
UltraSPARC T2/T2+ – 8 Crypto Accelerators o 8 Cores with One accelerator per core o Introduced support for Bulk-encryption (AES,3DES/DES, RC4)
and Message digests (MD5, SHA-1, SHA-2) o Introduced support for Elliptic-curve Cryptography (ECC)
UltraSPARC T3 – 16 Crypto Accelerators o 16 cores with One accelerator per core o Additional algorithms for Message digests (SHA-512) o Introduced support for Kasumi algorithm.
The UltraSPARC T-Series Processor Family
16
Cryptographic Capabilities and Algorithms T3 Processor
On-Chip Crypto Accelerators
Crypto Accelerators operate in parallel with CPU speed delivering encryption and decryption
Accelerators are shared by all the core’s strands T1/T2/T2+/T3 provide light-weight accelerator drivers for
Solaris o /dev/ncp0
o Handles Public-key Encryption Algorithms o /dev/n2cp0
o Handles Bulk Encryption and Hash algorithms
o /dev/n2rng0 o Handles Random Number Generation
o Communicates via Memory-based Word Queue o Stateless communication, just fire and forget. o Consumer is informed when the operation is complete
Access to accelerators are controlled using Solaris Cryptographic Framework and Kernel Modules o Using PKCS#11 standard interfaces and Solaris Kernel modules
System Characteristics
On-chip vs Off-chip Accelerators Comparison with Commercial Accelerators
19
SPARC T-Series – Onchip Crypto Comparison with Commercial Accelerators/HSMs
SPARC Enterprise T3-1
+ = 6 Crypto Unit Up to Six Virtual
Machines with Full Crypto Capability
Six card slots filled (maximum)
= 16 Crypto Units
Up to 16 Virtual Machines with Full
Crypto
All card slots available 2x Capacity
Accessing On-chip Crypto Accelerators Operational Characteristics
Access to accelerators are managed using Solaris Cryptographic Framework (SCF). o SCF acts as an intermediary gateway
between applications and cryptographic providers.
o Applications use Sun PKCS#11 Provider to access accelerator
o Java Sun-PKCS#11 o OpenSSL PKCS#11 Engine o NSS/JSS APIs using PKCS11
Solaris Kernel Modules can directly access accelerators. o Kernel SSL (KSSL) o IPSec
Sun Cryptographic Accelerator 6000 – PCIe Card
A full-fledged Hardware Security Module (HSM) o Secure Key Storage (Escrow and Recovery) o High-performance cryptographic accelerator o FIPS-140-3 Compliant o Supports Solaris SPARC/X64 and Linux
NIST approved cryptographic algorithms
RSA, DSA, DH, ECC AES, DES, 3DES MD5, SHA-1, SHA-512
Intended for Financial and Government applications where Secure Key Storage is critical. o Oracle Advanced Security, Financials, etc. o PIN and Card Verification Functions
SCA 6000 – Usage Scenarios
Tested and Certified for use in FIPS and NON-FIPS modes o Oracle Database Advanced Security Scenarios
o TDE Master Key Management o TDE Network Encryption and Acceleration
o Oracle Fusion Middleware (SOA and XML Web Services Security) o Oracle Web Services Manager (SSL and WS-Security scenarios) o Oracle WebLogic (SSL and WS-Security scenarios)
Enabling Cryptographic Acceleration
Applied Techniques and Usage Scenarios
Solaris Cryptographic Framework Common framework for
performing /consuming / integrating cryptographic providers. o Hardware or Software. o Kernel or Userland. o Extensible in order to permit custom functions o Facilitates PKCS#11 for consumer and
providers
By default, supports major NIST approved algorithms o Encryption: AES, Blowfish, RC4, DES, 3DES,
RSA. o Digests: MD5, SHA-1, SHA-256, SHA-384,
SHA-512. o MAC: DES MAC, MD5 HMAC, SHA1 HMAC,
SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC
o Optimized for SPARC, Intel and AMD
Solaris KSSL Facilitates an SSL Proxy service for applications and performs
SSL operations right in the Solaris Kernel. o Integrates Solaris Cryptographic Framework and its supporting ciphers.
Makes use of underlying Hardware based Cryptographic accelerators and Hardware Security Modules (HSM). o Automatically makes use of cryptographic accelerators for SSL operations, no additional
configuration. o Use PKCS#11 for supporting HSMs for private key storage.
Non-intrusive SSL configuration, independent of relying applications. o Managed via Solaris Service Management Facility (SMF)
Can act as SSL proxy for Non-SSL aware applications that does not provide PKCS#11 support.
Delivers 25% - 35% faster SSL performance.
26
Using KSSL for Transport-layer Security Applied Scenario
27
End-to-End Transaction Security Applied Use Cases
HTTP Oracle Fusion
Middleware Web Server
HTTP
SSL SSL
HTTP
SOAP
HTTP
SSL / WS-Security
SSL
Oracle Database
SQLNET
SSL
Oracle Database
Server
Archive
Encrypt/ Decrypt
SSL / WS-Security
• SPARC T3 accelerates Oracle WebLogic SSL and Web Services Manager 11g (OWSM).
• SSL, WS-Security scenarios • SPARC T3 accelerates Oracle Transparent Data Encryption
(TDE) operations
Performance Studies
80%
CPU
70%
MEM
50%
CPU
25%
MEM
T3 Crypto Assist Enabled Without T3 Crypto Assist
29
Secure Performance With and Without Acceleration
^134h>96can#A*IC! Ajladsf0^HLh3f*&lJ *NHSD6%lk)+>kjh!1
3.5x Faster
4704 1234 5678 1594
80%
CPU
70%
MEM
40%
CPU
25%
MEM
T3 Crypto Assist Enabled Without T3 Crypto Assist
30
Secure Performance With and Without Acceleration
^134h>96can#A*IC! Ajladsf0^HLh3f*&lJ *NHSD6%lk)+>kjh!1
3.5x Faster
4704 1234 5678 1594
4704 1234 5678 1594
31
SPARC Enterprise T-Series Only Enterprise Server with Built-in Crypto
SPARC Enterprise T3-1
+ = 6 Crypto Unit Up to Six Virtual
Machines with Full Crypto Capability
Six card slots filled (maximum)
= 16 Crypto Units
Up to 16 Virtual Machines with Full
Crypto
All card slots available 2x Capacity
Effect of Accelerated SSL vs No SSL Weblogic SSL Performance on T3 : Using KSSL vs. JCE vs. No SSL
Oracle TDE performance using T3
• T3 crypto speeds up query execution by 3-5x !!
Achieving Compliance
35
HIPAA-HITECH Compliance Scenario Rules of Thumb: Encrypt PHI – in transit, in situ
SSL
HTTP Oracle Fusion
Middleware
WebLogic 11g Web Services Manager 11g
Web Server HTTP
SSL SSL
HTTP
SOAP
HTTP
SSL
SSL
Oracle Database
SQLNET
SSL
Oracle Database
Server
Archive
-50% -50% -30%
36
HIPAA-HITECH Options Rules of Thumb: Mitigation Strategies
SSL
HTTP Oracle Fusion
Middleware
WebLogic 11g Web Services Manager 11g
Web Server HTTP
SSL SSL
HTTP
SOAP
HTTP
SSL
SSL
Oracle Database
SQLNET
SSL
Oracle Database
Server
Archive
-50% -50% -30%
NLB
– S
SL A
ccel
erat
or
NLB
– S
SL A
ccel
erat
or
NLB
– S
SL A
ccel
erat
or
Add 6 RUs Add 50% Cooling Add 30% Power Add 30% Admin
Aftermarket Card
Afte
rmar
ket C
ard
37
PCI-DSS Compliance Scenario Rules of Thumb: Especially in situ, Even Warehoused Data
SSL
HTTP Oracle Fusion
Middleware
WebLogic 11g Web Services Manager 11g
Web Server HTTP
SSL SSL
HTTP
SOAP
HTTP
SSL
SSL
Oracle Database
SQLNET
SSL
Oracle Database
Server
Archive
-50% -50% -40%
38
PCI-DSS Options Rules of Thumb: Mitigation Strategies
SSL
HTTP Oracle Fusion
Middleware
WebLogic 11g Web Services Manager 11g
Web Server HTTP
SSL SSL
HTTP
SOAP
HTTP
SSL
SSL
Oracle Database
SQLNET
SSL
Oracle Database
Server
Archive
-50% -50% -30%
NLB
– S
SL A
ccel
erat
or
NLB
– S
SL A
ccel
erat
or
NLB
– S
SL A
ccel
erat
or
Add 12 RUs Add 50% Cooling Add 50% Power Add 30% Admin A
fterm
arke
t Car
d
Aftermarket Card
Summary
40
The cost of security Better TCO with T3 crypto
Twice server capacity = half the footprint
Crypto overhead reduced to 10% from 30%
CPU Latency reduced by 20X
No add-ons and introduction of complexity
Simple to administrate Faster to deploy
} Lower TCO
<Insert Picture Here>
Program Agenda Example
• Our understanding of XYZ • Capabilities and value drivers • Benefits and assessments • Oracle solutions • Oracle credentials • Appendix
Q & A
Chad Prucha, [email protected] Ramesh Nagappan, [email protected]