upgrade your system’s security - making the jump from connext dds professional to connext dds...
TRANSCRIPT
Making the Jump to Connext DDS Secure
The Industrial Internet of Things Connectivity Company™
#RSAC
Niheer Patel
Niheer Patel, Product Manager, RTI, has over 11 years of experience in embedded software and distributed systems. Niheer has a Computer Science and Engineering degree from the University of California, San Diego and a Master of Business Administration degree from University of California, Berkeley.
Agenda
• Speaker Introduction
• Industrial Internet and Security Frameworks
• DDS Security Highlights
• Connext DDS Secure Pre-Requisites & Configuration
• Connext DDS Secure Shapes Demo
  – Integrity
  – Confidentiality
• Additional Resources
• Q&A
©2017 Real-Time Innovations, Inc.
Industrial Internet Consortium: 250+ Companies, 25+ Countries
IIC Founding and Contributing Members
Industrial Internet Reference Architecture
• IIRA, recently released v1.8
• Comprehensive, high level architecture guidance
• Standards based approach to Industrial IoT Systems.
http://www.iiconsortium.org/IIRA.htm
Industrial Internet Connectivity Framework
• IIRA defines the “layered databus architecture”
• IICF defines properties for core connectivity platforms
http://www.iiconsortium.org/IICF.htm
Industrial Internet Security Framework
• Extends from IIRA
• Guidance for security in the context of an IIoT system architecture
• Reference for testbeds that provide continual feedback on security frameworks
http://www.iiconsortium.org/IISF.htm
Industrial Internet Security Framework
Communications and Connectivity Protection
Securing System Boundaries
• System Boundary
• Network Transport
  – Media access (layer 2)
  – Network (layer 3) security
  – Session/Endpoint (layer 4/5) security
• Host
  – Machine/OS/Applications/Files
• Data & Information flows
DDS Security
Threats in a Pub/Sub System
• Unauthorized Subscription
• Unauthorized Publication
• Tampering & Replay
• Unauthorized access by infrastructure services
[Figure: pub/sub system with Alice, Bob, Eve, Trudy, Trent and Mallory]
Local machine is assumed to be trusted
Connext DDS Secure
• Based on DDS Security specification
• Access control without a broker or server
  – Fine-grain, integrated and peer-to-peer
• Far more scalable and efficient than TLS
  – Fine grain control over topics and message segments
  – Multicast support for efficient 1:many and many:many
  – TLS/DTLS support available for simple use cases
• Preserves Real-Time QoS
  – Not dependent on TCP
• Transport flexibility
  – Does not require IP
  – Secures data over any transport, including shared memory
• Add security with little or no change to existing DDS apps
• Plugin SDK allows for custom solution
[Figure: Application; Connext DDS Library with Authentication, Access Control, Encryption, Logging and Data Tagging; Any Transport (e.g., TCP, UDP, multicast, shared memory…)]
Plugins In Action – What is really happening?
• Create Domain Participant
  – Authenticate DP? No → Domain Participant Create Fails; Yes → next step
• Create Endpoints
  – Access OK? No → Endpoint Create Fails; Yes → next step
• Discover remote DP
  – Authenticate Remote DP? No → Ignore Remote DP; Yes → next step
• Discover remote Endpoints
  – Access OK? No → Ignore remote endpoint; Yes → next step
• Send/Receive data
  – Message security
DP = Domain Participant; Endpoint = Reader / Writer
Configuring & Deploying DDS Security
[Figure: Domain Governance Document, Shared CA Certificate, Permissions CA Certificate; P1 Identity Certificate, P1 Private Key, P1 Permissions File; P2 Identity Certificate, P2 Private Key, P2 Permissions File. Legend: Signed by Permissions CA, Signed by Shared CA]
• Keys. Each participant has a pair of public & private keys used in the authentication process. Public keys are embedded in the identity certificate of each participant.
• Shared CA that has signed participant public keys. Participants need to have a copy of the CA certificate as well.
• Permissions File specifies what domains/partitions the DP can join, what topics it can read/write, and what tags are associated with the readers/writers.
• Domain Governance specifies which domains should be secured and how.
• Permissions CA that has signed participant permission file as well as the domain governance document. Participants need to have a copy of the permissions CA certificate.
QoS Configuration: “SecureAllowAll”
/Applications/rti_connext_dds-5.2.6/resource/xml/RTI_SHAPES_DEMO_QOS_PROFILES.xml
• QoS Elements encapsulated within the <property> tag.
Permissions File
/Applications/rti_connext_dds-5.2.6/resource/xml/RTI_SHAPES_DEMO_PERMISSIONS.xml
• Define individual participant permissions rules
• “AllowAll” PERMISSIONS:
  – No restrictions on what can be published or subscribed
• “SecureDenyPubCircles”
  – No restrictions except that Circle topics cannot be published.
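How a permissions grant like “SecureDenyPubCircles” is evaluated, as an added example (not RTI's shipped file or code): the XML is a constructed sample in the OMG DDS Security permissions layout with validity and signature omitted, and `check_access` is a hypothetical helper. Rules are checked in document order, the first match decides, and the grant's default applies otherwise.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed sample in the OMG DDS Security permissions layout;
# not the contents of RTI_SHAPES_DEMO_PERMISSIONS.xml.
PERMISSIONS_XML = """
<dds><permissions>
  <grant name="SecureDenyPubCircles">
    <subject_name>CN=ShapesParticipant (constructed)</subject_name>
    <deny_rule>
      <domains><id>0</id></domains>
      <publish><topics><topic>Circle</topic></topics></publish>
    </deny_rule>
    <allow_rule>
      <domains><id>0</id></domains>
      <publish><topics><topic>*</topic></topics></publish>
      <subscribe><topics><topic>*</topic></topics></subscribe>
    </allow_rule>
    <default>DENY</default>
  </grant>
</permissions></dds>
"""

def check_access(xml_text, grant_name, domain_id, action, topic):
    """Return True if `action` ('publish' or 'subscribe') on `topic` is allowed."""
    root = ET.fromstring(xml_text)
    for grant in root.iter("grant"):
        if grant.get("name") != grant_name:
            continue
        for rule in grant:  # document order: the first matching rule decides
            if rule.tag not in ("allow_rule", "deny_rule"):
                continue
            domains = {int(e.text) for e in rule.findall("./domains/id")}
            if domain_id not in domains:
                continue
            patterns = [t.text.strip() for t in rule.findall(f"./{action}/topics/topic")]
            if any(fnmatchcase(topic, p) for p in patterns):
                return rule.tag == "allow_rule"
        # No rule matched: fall back to the grant's default
        return grant.findtext("default", "DENY").strip().upper() == "ALLOW"
    return False  # unknown grant: fail closed
```

Swapping the order of the two rules would let the `*` allow rule match first and permit Circle publication, which is why rule order in the file deserves review.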
Governance File
/Applications/rti_connext_dds-5.2.6/resource/xml/RTI_SHAPES_DEMO_GOVERNANCE_MAX.xml
• Identify actions for discovery, liveliness, RTPS protection, etc.
• Define access control rules for topics using regular expressions
• GOVERNANCE_MAX.xml
  – All topics encrypted
  – Except Circles
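A small audit of a governance document of the "all topics encrypted except Circles" kind, as an added example (not RTI's shipped file or code): the XML is a constructed, unsigned sample using OMG DDS Security governance element names, and `audit_governance` is a hypothetical helper. It assumes topic expressions are fnmatch-style patterns evaluated in document order with the first match deciding.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed sample using OMG DDS Security governance element names;
# not the contents of RTI_SHAPES_DEMO_GOVERNANCE_MAX.xml.
GOVERNANCE_XML = """
<dds><domain_access_rules>
  <domain_rule>
    <domains><id>0</id></domains>
    <allow_unauthenticated_participants>FALSE</allow_unauthenticated_participants>
    <rtps_protection_kind>SIGN</rtps_protection_kind>
    <topic_access_rules>
      <topic_rule>
        <topic_expression>Circle</topic_expression>
        <data_protection_kind>NONE</data_protection_kind>
      </topic_rule>
      <topic_rule>
        <topic_expression>*</topic_expression>
        <data_protection_kind>ENCRYPT</data_protection_kind>
      </topic_rule>
    </topic_access_rules>
  </domain_rule>
</domain_access_rules></dds>
"""

def audit_governance(xml_text, domain_id, topics):
    """Report domain-level settings and the data protection each topic gets."""
    root = ET.fromstring(xml_text)
    for rule in root.iter("domain_rule"):
        if domain_id not in {int(e.text) for e in rule.findall("./domains/id")}:
            continue
        unauth = rule.findtext("allow_unauthenticated_participants", "FALSE")
        report = {
            "allow_unauthenticated": unauth.strip().upper() == "TRUE",
            "rtps_protection": rule.findtext("rtps_protection_kind", "NONE").strip(),
            "topics": {},
        }
        for topic in topics:
            kind = None  # None: no topic_rule matched this topic
            for tr in rule.findall("./topic_access_rules/topic_rule"):
                if fnmatchcase(topic, tr.findtext("topic_expression").strip()):
                    kind = tr.findtext("data_protection_kind", "NONE").strip()
                    break  # first matching rule wins
            report["topics"][topic] = kind
        # Topics whose payload would travel unprotected under this document
        report["plaintext_topics"] = sorted(
            t for t, k in report["topics"].items() if k in (None, "NONE"))
        return report
    return None  # domain not covered by this governance document
```

Running the audit against the topic list a system actually uses shows which payloads stay in the clear before the governance file is signed and deployed.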
Upgrading Systems under Development
• Upgrade step: Rebuild applications that require DDS APIs with Connext DDS Security Plugins.
  – Impact/Behavior: No performance impact as security features are not yet enabled.
• Upgrade step: Enable authentication but configure domain to allow unauthenticated participants.
  – Impact/Behavior: Some impact to discovery behavior; introduction of signed governance files requires PKI & CA to be in place.
• Upgrade step: Enable protection (confidentiality, authenticity, and integrity) of individual topics.
  – Impact/Behavior: Performance impact during runtime due to introduction of encryption. Fine grained security now in place.
• Upgrade step: Enable protection of RTPS-level and Liveliness fields.
  – Impact/Behavior: Very little impact to system performance.
Upgrading Deployed Systems – Routing Service
[Figure: Secure DDS Domain, Non-secure DDS Domain, Participants]
Security Demo
References
• Industrial Internet Reference Architecture
  – http://www.iiconsortium.org/IIRA.htm
• Industrial Internet Connectivity Framework
  – http://www.iiconsortium.org/IICF.htm
• Industrial Internet Security Framework
  – http://www.iiconsortium.org/IISF.htm
• OMG DDS specification
  – http://www.omg.org/spec/DDS/1.4/PDF
• OMG DDS Security specification
  – http://www.omg.org/spec/DDS-SECURITY/1.0/PDF
• RTI Technology Whitepapers
  – https://www.rti.com/resources/whitepapers
Resources
https://www.rti.com/gettingstarted
http://community.rti.com
https://www.rti.com/connext-dds-seminar-sd-2017
Q&A
Thank you!