![Page 1: Network Field Day 11 - Skyport Systems Presentation](https://reader033.vdocuments.us/reader033/viewer/2022042707/58ef2c6b1a28abbc0c8b468b/html5/thumbnails/1.jpg)
Company Confidential
Skyport Systems
Net Field Day 11
January 2016
![Page 2: Network Field Day 11 - Skyport Systems Presentation](https://reader033.vdocuments.us/reader033/viewer/2022042707/58ef2c6b1a28abbc0c8b468b/html5/thumbnails/2.jpg)
The Fallacy of Security Technology
“If you think technology can fix security, you don’t understand technology and you don’t understand security.” ~ Briankrebs.com
![Page 3: Network Field Day 11 - Skyport Systems Presentation](https://reader033.vdocuments.us/reader033/viewer/2022042707/58ef2c6b1a28abbc0c8b468b/html5/thumbnails/3.jpg)
A Platform Approach: Not a Product Approach
Software-Defined Perimeters that Operate at the Application Layer
Protect Against Low-Level Rootkits/Malware, BIOS, SSD Firmware, Physical Ports, IPMI
Forensics that cannot be modified by employees or third parties
![Page 4: Network Field Day 11 - Skyport Systems Presentation](https://reader033.vdocuments.us/reader033/viewer/2022042707/58ef2c6b1a28abbc0c8b468b/html5/thumbnails/4.jpg)
A High-Performance, Secure Enterprise Platform
Runs your application VMs
Trusted Hardware Platform
Hardened HW/SW stack
Security I/O Co-processor
Designed for hostile environments - Branch, remote location, Datacenter
Security is built-in and invisible - Protects platform, workloads, compliance
No special skills required - Plug and play, no integration or modifications
No performance compromise - Enforcement offloaded to co-processor
![Page 5: Network Field Day 11 - Skyport Systems Presentation](https://reader033.vdocuments.us/reader033/viewer/2022042707/58ef2c6b1a28abbc0c8b468b/html5/thumbnails/5.jpg)
• Secure Architecture that substantiates architectural integrity from the ground up
• Hardware-enforced security policy and forensic logging at application edge
• Abstracts security execution from application execution
(Diagram: SkySecure Enclave, showing the x86 system and the security co-processor; the x86 subsystem communicates only through the I/O controller.)
![Page 6: Network Field Day 11 - Skyport Systems Presentation](https://reader033.vdocuments.us/reader033/viewer/2022042707/58ef2c6b1a28abbc0c8b468b/html5/thumbnails/6.jpg)
Software-Defined Perimeter: DMZ per VM
• ShieldNET: Domain Name and Zone Based Access
• ShieldID: Identity Management Proxy
• ShieldFS: File Systems and Content Filtering
• ShieldADMIN: Administrative Privileged Access
• ShieldWEB: Web Applications and Crypto/Credential Proxy
![Page 7: Network Field Day 11 - Skyport Systems Presentation](https://reader033.vdocuments.us/reader033/viewer/2022042707/58ef2c6b1a28abbc0c8b468b/html5/thumbnails/7.jpg)
Private DMZ per VM
Traditional Zone-Based Network Security:
• Protections limited to network perimeter
• No protection between systems in DMZ
• Complex integration and management
SkySecure Per-VM DMZ:
• Zero-trust architecture based on hardware
• Applications are always protected
• Defends workloads against compromise
(Diagram: a single DMZ Network Zone on the traditional side versus the Security I/O Co-processor giving each VM its own DMZ on the SkySecure side.)
![Page 8: Network Field Day 11 - Skyport Systems Presentation](https://reader033.vdocuments.us/reader033/viewer/2022042707/58ef2c6b1a28abbc0c8b468b/html5/thumbnails/8.jpg)
SkySecure Center
• Secure Audit / Log
• VM Mgmt
• Traffic Intelligence
• WebUI Service
• Security Data Warehouse
• Real-time Data Service
• Security Reporting
• Real-time Analytics
• Device Mgmt
• Policy Mgmt
• Key Mgmt
• Remote Attestation
• Authentication / Secure Enclave
• HSM / Credential Mgmt
![Page 9: Network Field Day 11 - Skyport Systems Presentation](https://reader033.vdocuments.us/reader033/viewer/2022042707/58ef2c6b1a28abbc0c8b468b/html5/thumbnails/9.jpg)
SkySecure Center: Traffic Intelligence
![Page 10: Network Field Day 11 - Skyport Systems Presentation](https://reader033.vdocuments.us/reader033/viewer/2022042707/58ef2c6b1a28abbc0c8b468b/html5/thumbnails/10.jpg)
Initial Deployment Use Cases
Exposed DMZ Applications:
• Secure File Transfer
• Web / E-Commerce Applications
• Cloud/API gateways
• Web authentication servers
Critical IT Systems:
• Active Directory
• DNS / DHCP
• Software distribution
• DevOps / SDN Controllers
Branch / Untrusted:
• Branch consolidation
• Trusted application deployment in hostile locations
Out-of-Compliance Applications:
• End-of-Support Applications and Operating Systems
  • Windows XP / 2003 / 2008, RHEL4/5, etc.
• Web servers with unpatched SSL vulnerabilities
![Page 11: Network Field Day 11 - Skyport Systems Presentation](https://reader033.vdocuments.us/reader033/viewer/2022042707/58ef2c6b1a28abbc0c8b468b/html5/thumbnails/11.jpg)
Win2012R2 - Unsecured
(truncated)
• No protection
• Accepting HTTPS connections
![Page 12: Network Field Day 11 - Skyport Systems Presentation](https://reader033.vdocuments.us/reader033/viewer/2022042707/58ef2c6b1a28abbc0c8b468b/html5/thumbnails/12.jpg)
Win2012R2 – Micro-segmented
(truncated)
• Firewall allowing HTTPS inbound
• Accepting HTTPS connections
![Page 13: Network Field Day 11 - Skyport Systems Presentation](https://reader033.vdocuments.us/reader033/viewer/2022042707/58ef2c6b1a28abbc0c8b468b/html5/thumbnails/13.jpg)
Win2012R2 - SkySecure
• “IP Forwarding” is the only non-informational plugin that returns a result.
• MS14-066 and MS15-034 critical MS vulnerabilities mitigated entirely
• ShieldWeb-In Enabled
• Accepting HTTPS connections
![Page 14: Network Field Day 11 - Skyport Systems Presentation](https://reader033.vdocuments.us/reader033/viewer/2022042707/58ef2c6b1a28abbc0c8b468b/html5/thumbnails/14.jpg)
Contrast: Point Product Approach to Security
• Hardened Hardware: TPM Management, Secure IPMI/ILO, Tamper Detection
• Hardened Firmware: Signed BIOS, USB Disable/Monitor
• Network: PCAP Tooling, IPFIX/SFlow Monitor, Passive Taps, Network Packet Broker, IDS/IPS
• Hardened VM Environment (Compartment): Hypervisor Micro-segmentation, Web Application Firewall, Virtual Firewall, SW Signing, Key Management
• Hardened Ctrl/Mgmt Plane: Operations Management, Jump Servers/SAWs, Secure Logging/Analysis/SIEM, Secure Backup
![Page 15: Network Field Day 11 - Skyport Systems Presentation](https://reader033.vdocuments.us/reader033/viewer/2022042707/58ef2c6b1a28abbc0c8b468b/html5/thumbnails/15.jpg)
Thank You