Analysis of Security and Compliance using Sun UltraSPARC T-Series
Servers
Ramesh Nagappan, Principal Security Engineer
Cha...
Agenda


•  Oracle Security and Compliance Portfolio          <Insert Picture Here>

  –  Technologies Overview
•  Securit...
The Perfect Storm: IT Insecurity
     Security has taken unprecedented importance ….everywhere!

  Security is one of tod...
IT Security: Pre-judicial Barriers
  Security is often considered as an afterthought or a retrofit
   solution.
   o  Man...
Security & Compliance
Who is behind the scene
Security & Compliance Infrastructure
Security Components of a Oracle SPARC Enterprise T-Series Server
Exploring Security
Role and Relevance of Cryptography
        Adopting Cryptography for IT Security

  Cryptography plays a vital role in
  ...
Adopting Cryptography: Pain Points
  Common challenges and stumbling issues

  Cryptographic functions tends to be comput...
Applied Cryptography
  Common security applications using Crypto mechanisms

  SSL
   o  De-facto standard for securing H...
Security vs. Performance
   Understanding the overheads with Cryptography – SOA Scenario




        SSL using RSA-2048 an...
Anatomy of SSL
  Ciphers vs. Execution times




“Significant time” spent on cryptographic functions with specified cipher...
Effect of Cryptographic Acceleration
      Understanding the performance gains for an SSL scenario




Significant perform...
Cryptographic Acceleration
Using
Oracle SPARC Enterprise T-Series Servers
On-chip Crypto Accelerators: Evolution
        The UltraSPARC T-Series Processor Family


  UltraSPARC T1 – 8 Crypto Acce...
Cryptographic Capabilities and Algorithms
     T3 Processor




16
On-Chip Crypto Accelerators
   System Characteristics
  Crypto Accelerators operate in parallel with CPU speed
   deliver...
On-chip vs Off-chip Accelerators
Comparison with Commercial Accelerators
SPARC T-Series – Onchip Crypto
Comparison with Commercial Accelerators/HSMs


                                        6 Cr...
Accessing On-chip Crypto Accelerators
     Operational Characteristics

  Access to accelerators are
   managed using Sol...
Sun Cryptographic Accelerator 6000 – PCIe Card
  A full-fledged Hardware Security
   Module (HSM)
   o    Secure Key Stor...
SCA 6000 – Usage Scenarios




  Tested and Certified for use in FIPS and NON-FIPS modes
   o  Oracle Database Advanced S...
Enabling Cryptographic Acceleration

Applied Techniques and Usage Scenarios
Solaris Cryptographic Framework
  Common framework for
   performing /consuming / integrating
   cryptographic providers....
Solaris KSSL
  Facilitates an SSL Proxy service for applications and performs
   SSL operations right in the Solaris Kern...
Using KSSL for Transport-layer Security
     Applied Scenario




26
End-to-End Transaction Security
           Applied Use Cases


           HTTP

                           HTTP        HTT...
Performance Studies
Secure Performance
   With and Without Acceleration
                                   ^134h>96can#A*IC!
                 ...
Secure Performance
   With and Without Acceleration
                                   ^134h>96can#A*IC!
       4704 1234 ...
SPARC Enterprise T-Series
Only Enterprise Server with Built-in Crypto

                                          6 Crypto ...
Effect of Accelerated SSL vs No SSL
Weblogic SSL Performance on T3 : Using KSSL vs. JCE vs. No SSL
Oracle TDE performance using T3
•  T3 crypto speeds up query execution by 3-5x !!
Achieving Compliance
HIPAA-HITECH Compliance Scenario
       Rules of Thumb: Encrypt PHI – in transit, in situ




           HTTP
            ...
HIPAA-HITECH Options
       Rules of Thumb: Mitigation Strategies




                                                    ...
PCI-DSS Compliance Scenario
       Rules of Thumb: Especially in situ, Even Warehoused Data




           HTTP
          ...
PCI-DSS Options
       Rules of Thumb: Mitigation Strategies




                                                         ...
Summary
The cost of security
  Better TCO with T3 crypto




                             }
Twice server capacity = half
       th...
Program Agenda Example


•  Our understanding of XYZ         <Insert Picture Here>

•  Capabilities and value drivers
•  B...
Q&A

Chad Prucha, albert.prucha@oracle.com
Ramesh Nagappan, ramesh.nagappan@oracle.com
Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emphasis on Hardware Assisted Cryptography
Upcoming SlideShare
Loading in...5
×

Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emphasis on Hardware Assisted Cryptography

2,641

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
2,641
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
68
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Analysis of Security and Compliance using Oracle SPARC T-Series Servers: Emphasis on Hardware Assisted Cryptography

  1. 1. Analysis of Security and Compliance using Sun UltraSPARC T-Series Servers Ramesh Nagappan, Principal Security Engineer Chad Prucha, Principal Solutions Manager
  2. 2. Agenda •  Oracle Security and Compliance Portfolio <Insert Picture Here> –  Technologies Overview •  Security using Oracle T-Series Servers –  Enabling On-chip Cryptographic Acceleration –  Role of Solaris Crypto Framework –  Applied scenarios in Oracle Database and Middleware –  Role of Sun Crypto Accelerator 6000 •  Performance Characteristics •  Achieving Compliance Goals –  HIPPA, PCI-DSS…. •  Summary
  3. 3. The Perfect Storm: IT Insecurity Security has taken unprecedented importance ….everywhere!   Security is one of today’s most critical IT business challenges. o  Cyber threats, attacks and associated data exposures are the fastest growing crimes ! o  Greater business impacts due to increasing threats and exploits.   Regulatory statutes enforce organizations act proactively to secure information lifecycle. o  PCI DSS, SOX, HIPAA, FISMA, EU Data Protection and more. o  Mandates organizations to enforce data confidentiality, integrity and compliance in critical business processes and Web applications.   Stronger demand for high-performance security in applications, data, communications and networks.   Encryption is becoming crucial to IT Security   Deliver predictable scalability, end-to-end latencies and response times including security, virtualization and QoS characteristics.
  4. 4. IT Security: Pre-judicial Barriers   Security is often considered as an afterthought or a retrofit solution. o  Many of them late to realize…..“NO ROLLBACK” for a security breach. o  After a breach…all post-mortem reactive measures hardly recover any damage. o  Ignorance and blind assumptions often leads to underestimating security risks.   Security options are commonly ignored as “Performance Overheads”. o  Performance benchmarks usually do not include real-world application characteristics o  Cryptographic operations, access control & authentication schemes, non-deterministic payloads, content-encoding schemes burdens CPU & Network. •  2X+ slowdowns are widely common after going secure ! •  Crypto overheads vary by content/usage scenario – tuning don’t make sense! o  Lack of understanding to security technologies   Growing IT costs and complexity to identify and defend applications against known risks and vulnerabilities. o  Higher costs hindering adoption of security technologies
  5. 5. Security & Compliance Who is behind the scene
  6. 6. Security & Compliance Infrastructure Security Components of a Oracle SPARC Enterprise T-Series Server
  7. 7. Exploring Security
  8. 8. Role and Relevance of Cryptography Adopting Cryptography for IT Security   Cryptography plays a vital role in IT Security. o  Securing the Network, Applications, Communications and Data •  Confidentiality and Integrity of data and communication •  Non-repudiation of transactions •  Access control and Availability o  Data privacy and regulatory compliance   Cryptographic algorithms and operations contributes to all levels of application security. o  Network-layer Security o  Transport-level Security o  Message-level security o  Application-layer security
  9. 9. Adopting Cryptography: Pain Points Common challenges and stumbling issues   Cryptographic functions tends to be computationally- intensive and requires lot of CPU and Network bandwidth. o  Applications slowdown while performing cryptographic operations   How to avoid performance degradation using cryptographic accelerators or Hardware Security Modules (HSM). o  Eliminate performance overheads associated with cryptographic functions.   How to enable applications to incorporate cryptographic functions for application-level security.   May use non-invasive mechanisms (ex. using PKCS11) … or go intrusive with tight integration of proprietary frameworks.   Understanding the usage of relevant cryptographic algorithms and its application scenarios. o  There is no silver bullet – It is critical to know the applied scenario and how the crypto mechanism is being used.
  10. 10. Applied Cryptography Common security applications using Crypto mechanisms   SSL o  De-facto standard for securing HTTP in Web applications and Browser based VPNs o  Based on public-key algorithms   IPSec o  Widely used in enabling Site-to-Site/Host-to-Host VPN o  Based on symmetric-key encryption and message digest algorithms   SSH   Remote authentication to hosts using a secure channel using public-key encrption.   WS-Security   OASIS Standard for securing XML Web Services and SOA applications   XML Encryption and Signature use Public-key Cryptography   PKI based Applications. o  Identity Management and Assurance, Telco (3G/4G/WiMAX), Digital signature based DRM, Smartcards and Biometrics
  11. 11. Security vs. Performance Understanding the overheads with Cryptography – SOA Scenario SSL using RSA-2048 and WS-SecurityPolicy using Basic128Sha256Rsa15 (Algorithm suite). Significant performance slowdown occurs after using SSL and WS-Security.
  12. 12. Anatomy of SSL Ciphers vs. Execution times “Significant time” spent on cryptographic functions with specified ciphers.
  13. 13. Effect of Cryptographic Acceleration Understanding the performance gains for an SSL scenario Significant performance GAINS can be achieved only using Hardware SSL accelerator.
  14. 14. Cryptographic Acceleration Using Oracle SPARC Enterprise T-Series Servers
  15. 15. On-chip Crypto Accelerators: Evolution The UltraSPARC T-Series Processor Family   UltraSPARC T1 – 8 Crypto Accelerators o  8 Cores with One accelerator per core o  Introduced industry-first on-chip cryptographic accelerators o  Cryptographic accelerators run in parallel with clock-speed o  Introduced “Public-key Encryption” algorithms (ex. RSA)   UltraSPARC T2/T2+ – 8 Crypto Accelerators o  8 Cores with One accelerator per core o  Introduced support for Bulk-encryption (AES,3DES/DES, RC4) and Message digests (MD5, SHA-1, SHA-2) o  Introduced support for Elliptic-curve Cryptography (ECC)   UltraSPARC T3 – 16 Crypto Accelerators o  16 cores with One accelerator per core o  Additional algorithms for Message digests (SHA-512) o  Introduced support for Kasumi algorithm.
  16. 16. Cryptographic Capabilities and Algorithms T3 Processor 16
  17. 17. On-Chip Crypto Accelerators System Characteristics   Crypto Accelerators operate in parallel with CPU speed delivering encryption and decryption   Accelerators are shared by all the core’s strands   T1/T2/T2+/T3 provide light-weight accelerator drivers for Solaris o  /dev/ncp0 o  Handles Public-key Encryption Algorithms o  /dev/n2cp0 o  Handles Bulk Encryption and Hash algorithms o  /dev/n2rng0 o  Handles Random Number Generation o  Communicates via Memory-based Word Queue o  Stateless communication, just fire and forget. o  Consumer is informed when the operation is complete   Access to accelerators are controlled using Solaris Cryptographic Framework and Kernel Modules o  Using PKCS#11 standard interfaces and Solaris Kernel modules
  18. 18. On-chip vs Off-chip Accelerators Comparison with Commercial Accelerators
  19. 19. SPARC T-Series – Onchip Crypto Comparison with Commercial Accelerators/HSMs 6 Crypto Unit + = Up to Six Virtual Machines with Full Crypto Capability Six card slots filled (maximum) SPARC Enterprise T3-1 16 Crypto Units = Up to 16 Virtual Machines with Full Crypto All card slots available 2x Capacity 19
  20. 20. Accessing On-chip Crypto Accelerators Operational Characteristics   Access to accelerators are managed using Solaris Cryptographic Framework (SCF). o  SCF acts as an intermediary gateway between applications and cryptographic providers. o  Applications use Sun PKCS#11 Provider to access accelerator o  Java Sun-PKCS#11 o  OpenSSL PKCS#11 Engine o  NSS/JSS APIs using PKCS11   Solaris Kernel Modules can directly access accelerators. o  Kernel SSL (KSSL) o  IPSec
  21. 21. Sun Cryptographic Accelerator 6000 – PCIe Card   A full-fledged Hardware Security Module (HSM) o  Secure Key Storage (Escrow and Recovery) o  High-performance cryptographic accelerator o  FIPS-140-3 Compliant o  Supports Solaris SPARC/X64 and Linux   NIST approved cryptographic algorithms   RSA, DSA, DH, ECC   AES, DES, 3DES   MD5, SHA-1, SHA-512   Intended for Financial and Government applications where Secure Key Storage is critical. o  Oracle Advanced Security, Financials, etc. o  PIN and Card Verification Functions
  22. 22. SCA 6000 – Usage Scenarios   Tested and Certified for use in FIPS and NON-FIPS modes o  Oracle Database Advanced Security Scenarios o  TDE Master Key Management o  TDE Network Encryption and Acceleration o  Oracle Fusion Middleware (SOA and XML Web Services Security) o  Oracle Web Services Manager (SSL and WS-Security scenarios) o  Oracle WebLogic (SSL and WS-Security scenarios)
  23. 23. Enabling Cryptographic Acceleration Applied Techniques and Usage Scenarios
  24. 24. Solaris Cryptographic Framework   Common framework for performing /consuming / integrating cryptographic providers. o  Hardware or Software. o  Kernel or Userland. o  Extensible in order to permit custom functions o  Facilitates PKCS#11 for consumer and providers   By default, supports major NIST approved algorithms o  Encryption: AES, Blowfish, RC4, DES, 3DES, RSA. o  Digests: MD5, SHA-1, SHA-256, SHA-384, SHA-512. o  MAC: DES MAC, MD5 HMAC, SHA1 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC o  Optimized for SPARC, Intel and AMD
  25. 25. Solaris KSSL   Facilitates an SSL Proxy service for applications and performs SSL operations right in the Solaris Kernel. o  Integrates Solaris Cryptographic Framework and its supporting ciphers.   Makes use of underlying Hardware based Cryptographic accelerators and Hardware Security Modules (HSM). o  Automatically makes use of cryptographic accelerators for SSL operations, no additional configuration. o  Use PKCS#11 for supporting HSMs for private key storage.   Non-intrusive SSL configuration, independent of relying applications. o  Managed via Solaris Service Management Facility (SMF)   Can act as SSL proxy for Non-SSL aware applications that does not provide PKCS#11 support.   Delivers 25% - 35% faster SSL performance.
  26. 26. Using KSSL for Transport-layer Security Applied Scenario 26
  27. 27. End-to-End Transaction Security Applied Use Cases HTTP HTTP HTTP HTTP SQLNET SSL Oracle Oracle Web Server Fusion Database SSL SSL Middleware SSL Server SSL / WS-Security Encrypt/ SOAP Decrypt SSL / WS-Security Oracle Archive Database •  SPARC T3 accelerates Oracle WebLogic SSL and Web Services Manager 11g (OWSM). •  SSL, WS-Security scenarios •  SPARC T3 accelerates Oracle Transparent Data Encryption (TDE) operations 27
  28. 28. Performance Studies
  29. 29. Secure Performance With and Without Acceleration ^134h>96can#A*IC! Ajladsf0^HLh3f*&lJ 4704 1234 5678 1594 *NHSD6%lk)+>kjh!1 Without T3 Crypto Assist T3 Crypto Assist Enabled 3.5x Faster CPU MEM CPU MEM 80% 70% 50% 25% 29
  30. 30. Secure Performance With and Without Acceleration ^134h>96can#A*IC! 4704 1234 5678 1594 Ajladsf0^HLh3f*&lJ 4704 1234 5678 1594 *NHSD6%lk)+>kjh!1 Without T3 Crypto Assist T3 Crypto Assist Enabled 3.5x Faster CPU MEM CPU MEM 80% 70% 40% 25% 30
  31. 31. SPARC Enterprise T-Series Only Enterprise Server with Built-in Crypto 6 Crypto Unit + = Up to Six Virtual Machines with Full Crypto Capability Six card slots filled (maximum) SPARC Enterprise T3-1 16 Crypto Units = Up to 16 Virtual Machines with Full Crypto All card slots available 2x Capacity 31
  32. 32. Effect of Accelerated SSL vs No SSL Weblogic SSL Performance on T3 : Using KSSL vs. JCE vs. No SSL
  33. 33. Oracle TDE performance using T3 •  T3 crypto speeds up query execution by 3-5x !!
  34. 34. Achieving Compliance
  35. 35. HIPAA-HITECH Compliance Scenario Rules of Thumb: Encrypt PHI – in transit, in situ HTTP -50% -50% -30% HTTP HTTP HTTP SQLNET SSL Oracle Oracle Web Server Fusion Database SSL SSL SSL Middleware SSL Server WebLogic 11g SOAP Web Services Manager 11g SSL Oracle Archive Database 35
  36. 36. HIPAA-HITECH Options Rules of Thumb: Mitigation Strategies NLB – SSL Accelerator NLB – SSL Accelerator NLB – SSL Accelerator Aftermarket Card HTTP -50% -50% -30% HTTP HTTP HTTP SQLNET SSL Oracle Oracle Web Server Fusion Database SSL SSL SSL Middleware SSL Server WebLogic 11g SOAP Web Services Manager 11g SSL Oracle Archive   Add 6 RUs Aftermarket Card Database   Add 50% Cooling   Add 30% Power   Add 30% Admin 36
  37. 37. PCI-DSS Compliance Scenario Rules of Thumb: Especially in situ, Even Warehoused Data HTTP -50% -50% -40% HTTP HTTP HTTP SQLNET SSL Oracle Oracle Web Server Fusion Database SSL SSL SSL Middleware SSL Server WebLogic 11g SOAP Web Services Manager 11g SSL Oracle Archive Database 37
  38. 38. PCI-DSS Options Rules of Thumb: Mitigation Strategies NLB – SSL Accelerator NLB – SSL Accelerator NLB – SSL Accelerator HTTP -50% -50% -30% HTTP HTTP HTTP SQLNET SSL Oracle Oracle Web Server Fusion Database SSL SSL SSL Middleware SSL Server WebLogic 11g SOAP Web Services Manager 11g SSL Oracle Archive   Add 12 RUs Aftermarket Card Database   Add 50% Cooling Aftermarket Card   Add 50% Power   Add 30% Admin 38
  39. 39. Summary
  40. 40. The cost of security Better TCO with T3 crypto } Twice server capacity = half the footprint Crypto overhead reduced to 10% from 30% CPU Latency reduced by 20X No add-ons and introduction of complexity Lower TCO Simple to administrate Faster to deploy 40
  41. 41. Program Agenda Example •  Our understanding of XYZ <Insert Picture Here> •  Capabilities and value drivers •  Benefits and assessments •  Oracle solutions •  Oracle credentials •  Appendix
  42. 42. Q&A Chad Prucha, albert.prucha@oracle.com Ramesh Nagappan, ramesh.nagappan@oracle.com
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×