
Need an account to vote? Register to attend at gsec.hitb.org/sg2018/
Deadline is 30th June 2018!


Using SmartNICs to Provide Better Data Center Security

Ofir Arkin


Data-center security has been forced to reinvent itself as software complexity increases, networking capabilities grow more agile, and attack complexity turns unmanageable. With this change, the need for security policy enforcement to be handled at the edge has pushed functionality onto host compute systems, resulting in inherent performance loss and security weakness due to consolidation of resources.

In the first part of the talk we will be presenting a SmartNIC-based model for data-center security that solves both the performance problem and the security problems of edge-centric policy models. The model features a more robust isolation of responsibilities, superior offload capabilities, significantly better scaling of policy, and unique visibility opportunities.

To illustrate this, we present a SmartNIC-based reference architecture for network layout, as well as examples of SmartNIC security controls and their resulting threat models.

The second part of the talk will unveil a new technique for tamper-proof host introspection, since SmartNICs are in a unique position to analyze and inspect the memory of the host to which they are attached. Normally, this functionality is reserved for a hypervisor, where it is known as ‘guest introspection’ or ‘virtual-machine introspection’. With host introspection, security controls no longer live in the hypervisor but on the SmartNIC itself, in a separate trust domain. In this way, the visibility normally achieved with guest introspection can be obtained for the entire host memory from an isolated and secure area. In order for host introspection to work in the same way as guest introspection, memory is DMA-transferred in bursts over the PCI-e bus that attaches the SmartNIC to the host. As this method can be subverted to hide unwanted software, we will demonstrate a novel approach to tamper-proofing the acquisition of memory and to performing live introspection.

Host introspection complements the network controls implemented on the SmartNIC by enabling measurement of the integrity and behavior of workloads (virtual machines, containers, bare-metal servers) to identify possible indicators of compromise. The visibility and context gained also enhance the granularity of the network controls. Together they provide better security for the data center than traditional software-only controls.
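To make the measurement idea concrete, the following is an added illustration written for this page; it is not code from the talk, from Mellanox, or from the speaker, and it does not reproduce the tamper-proofing technique the abstract promises. It models the host's physical memory as a byte string and the out-of-band DMA reads as a `read_page()` callback, then does the two things an introspection engine on a separate trust domain needs at minimum: hash pages that should never change at run time (e.g. kernel text) against a golden baseline, and acquire in bursts more than once so that pages which changed under the reader are reported as unstable rather than silently attested. All names (`build_baseline`, `acquire_consistent`, `measure`, the 8-page host image, the patched bytes in page 2, the churning page 7) are constructed for the example.

```python
"""Added illustration of out-of-band memory integrity measurement (not the talk's code).

The host's physical memory is modelled as a byte string; the SmartNIC's DMA
engine is modelled as a read_page(index) callback that returns one 4 KiB page.
"""
import hashlib
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

PAGE_SIZE = 4096  # 4 KiB pages, the usual x86 granularity


def page_hash(page: bytes) -> str:
    return hashlib.sha256(page).hexdigest()


def split_pages(image: bytes) -> List[bytes]:
    assert len(image) % PAGE_SIZE == 0, "image must be page-aligned"
    return [image[i:i + PAGE_SIZE] for i in range(0, len(image), PAGE_SIZE)]


def build_baseline(image: bytes, immutable_pages: Set[int]) -> Dict[int, str]:
    """Golden hashes for pages that must not change at run time (e.g. kernel text)."""
    pages = split_pages(image)
    return {i: page_hash(pages[i]) for i in sorted(immutable_pages)}


def acquire(read_page: Callable[[int], bytes], n_pages: int, burst: int = 4) -> bytes:
    """Pull memory in bursts of `burst` pages, as a DMA engine would, and reassemble."""
    chunks = []
    for start in range(0, n_pages, burst):
        for idx in range(start, min(start + burst, n_pages)):
            chunks.append(read_page(idx))
    return b"".join(chunks)


def measure(image: bytes, baseline: Dict[int, str]) -> List[int]:
    """Indices of baseline pages whose content no longer matches the golden hash."""
    pages = split_pages(image)
    return [i for i, h in baseline.items() if page_hash(pages[i]) != h]


def acquire_consistent(read_page: Callable[[int], bytes], n_pages: int,
                       passes: int = 2) -> Tuple[bytes, List[int]]:
    """Acquire `passes` times. A page that differs between passes changed while
    being read, so no verdict on it is attestable; report it as unstable."""
    images = [acquire(read_page, n_pages) for _ in range(passes)]
    first = split_pages(images[0])
    unstable: Set[int] = set()
    for img in images[1:]:
        for i, page in enumerate(split_pages(img)):
            if page != first[i]:
                unstable.add(i)
    return images[-1], sorted(unstable)


# ---- constructed sample host (8 pages; pages 0-2 play the role of code) ----
N_PAGES = 8
CODE_PAGES = {0, 1, 2}


def _make_page(seed: int) -> bytes:
    return bytes([(seed * 31 + k) % 256 for k in range(PAGE_SIZE)])


PRISTINE = b"".join(_make_page(i) for i in range(N_PAGES))
BASELINE = build_baseline(PRISTINE, CODE_PAGES)

# Constructed tampering: 16 bytes patched inside code page 2.
_t = bytearray(PRISTINE)
_t[2 * PAGE_SIZE + 100:2 * PAGE_SIZE + 116] = b"\xcc" * 16
TAMPERED = bytes(_t)


def make_reader(image: bytes, churn_pages: FrozenSet[int] = frozenset()) -> Callable[[int], bytes]:
    """DMA-read stand-in; pages in churn_pages change on every read (live data)."""
    counter = {"n": 0}

    def read_page(idx: int) -> bytes:
        counter["n"] += 1
        page = image[idx * PAGE_SIZE:(idx + 1) * PAGE_SIZE]
        if idx in churn_pages:
            page = counter["n"].to_bytes(4, "little") + page[4:]
        return page

    return read_page


def demo() -> Dict[str, List[int]]:
    clean_img, unstable = acquire_consistent(make_reader(PRISTINE, frozenset({7})), N_PAGES)
    tampered_img, _ = acquire_consistent(make_reader(TAMPERED), N_PAGES)
    return {
        "clean_violations": measure(clean_img, BASELINE),      # []
        "tampered_violations": measure(tampered_img, BASELINE),  # [2]
        "unstable_pages": unstable,                              # [7]
    }


if __name__ == "__main__":
    print(demo())
```

The baseline deliberately covers only pages declared immutable; data pages churn legitimately (page 7 in the sample), which is why they are reported separately as unstable rather than as integrity violations. A real engine would also need to pin the physical-to-virtual mapping it measures and to defend the reader itself, which is the part the talk describes as its novel contribution and which this sketch does not attempt.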


Ofir Arkin is the Vice President of Security at Mellanox Technologies where he is responsible for creating, driving and coordinating the overall vision and product strategy for security across all products.

Prior to his tenure at Mellanox Technologies, Ofir served as Vice President and Chief Architect at Intel Security (McAfee) where he was responsible for driving and coordinating the overall architectural vision across Intel Security products.

Prior to his role as Chief Architect, Ofir served as CTO for the Security Management Business, and was responsible for driving the vision and product strategy for McAfee’s security management business unit.

Joining McAfee as part of the acquisition of Insightix, Ofir pioneered the use of messaging in the field of security to share information in real-time, between different security products and solutions through the use of a single API, to enable an adaptive security infrastructure (also known as the Data Exchange Layer). Ofir led cross-functional teams on the architecture, strategy and execution of this adaptive security infrastructure. His work in this area created the design and accelerated the development of DXL, culminating in the release of McAfee Threat Intelligence Exchange, the first technology fully leveraging DXL.

Prior to his tenure at McAfee, he founded Insightix, an innovator of real-time security intelligence and control solutions where he served as CTO. He has also authored numerous research papers, patents, patent applications, advisories and influential articles covering adaptive security, information warfare, network visibility, access control, VoIP security and remote OS fingerprinting.