5G promises to bring broadband to hard-to-reach areas, connect enterprises to their customers in ways not previously possible, and unleash a new connected world of Internet of Things (IoT) devices. These promises are at risk if we can’t ensure that the underlying network and its components are safe from attack. Trust is the key. Network operators need to know that no component of their critical infrastructure has been compromised or otherwise “rooted” in a way that jeopardizes their customer data, service, and reputation. Achieving this level of security requires a new architectural approach, built from the inside out.
Carrier infrastructure is under threat, and essential services and customer data must be protected. Sophisticated, well-funded, and persistent actors seek to gain access silently and establish a lasting foothold in network infrastructure components. From there they can take control of network assets to affect traffic flows, or enable surveillance by rerouting traffic or mirroring it to remote receivers. With that control, they can also mount “man-in-the-middle” attacks against critical services such as DNS and TLS certificate issuance.
These attacks are no longer theoretical. The United States Computer Emergency Readiness Team (US-CERT) and other entities have seen increasing attempts and attacks on network infrastructure elements since 2015. Infrastructure attacks have been able to disrupt Internet traffic in Europe, Asia, Latin America, and the United States. You should assume that the attackers are motivated, and have access to “zero-day” vulnerabilities in existing network operating systems from all vendors. Although carriers already perform the required patching, secure operations, and recommended hardening, any infrastructure could potentially be under threat from unknown vulnerabilities or exposed interfaces, which can never be 100 percent covered. An innovative approach to protecting critical infrastructure is needed.
Today’s network backbones are the critical infrastructure for the successful operation and growth of a nation’s economy. Without access to high-speed connections and trusting that those connections are secure, business operations and transactions would halt. The only way to deliver a secure network is to establish trust in the core infrastructure. A trusted system is based on clear criteria, which can be measured, verified, reported, and audited.
A trusted network component must provide assurance that:
Software depends on the firmware and hardware beneath it, and it can only report what that underlying layer tells it. Existing practices of verifying software through hashes and code signatures are an important part of establishing a trusted system, but software can be subverted by the layers it runs on. For instance, a known-good application can’t be trusted if the underlying operating system doesn’t maintain effective protection and sandboxing of that process. Similarly, an operating system can be compromised through attacks based in the firmware or the underlying hardware.
Attacks on the underlying hardware or firmware of a system are commonly used to establish persistence in compromised systems after a breach. Often, they’re designed to persist even after an operating system has been reinstalled. Examples of these types of attacks include hypervisor-based attacks such as “Blue Pill”, which can invisibly compromise the running operating system (OS) kernel. And attacks such as “ThunderStrike” have already demonstrated persistent compromise through firmware.
Because software alone can’t prove its integrity, truly establishing trust can only be done in hardware, using a hardware-anchored root of trust. To be effective, this root of trust must be based on an immutable hardware component that establishes a chain of trust at boot-time. Each piece of code in the boot process measures and checks the signature of the next stage of the boot process before the software boots. Without a hardware root of trust, no amount of software signatures or secure software development can protect against a compromise of the underlying system.
Figure 1. Trusted network
Cisco leads the industry in building in the capabilities to establish, verify, and measure trust in our products and in the critical network infrastructures we support. We provide infrastructure with embedded security features, including a secure device identity, on which a trusted network can be built. Cisco works with our partners to implement a comprehensive value chain security program that addresses supply chain risks. And we design our products with technologies such as secure boot to verify the authenticity and integrity of your Cisco network.
Maintaining control over the hardware components and the underlying supply chain behind the hardware product lifecycle is key to establishing and maintaining a trusted networking device. Cisco has extensive controls and processes in its hardware supply chain management. These controls are designed to detect and prevent counterfeit hardware or unauthorized modifications to components within Cisco hardware products. Effective supply chain management answers the question: “How do I know this is authentic and trusted hardware?” and “How do I know that the hardware root-of-trust is authentic?”
Many Cisco service provider routers use signed images and hardware-anchored secure boot to prevent inauthentic or compromised code from booting. Anchoring the first code in the boot sequence in hardware establishes a chain-of-trust and is the foundation of the Cisco secure boot process.
Secure boot is already a familiar term in the world of x86 servers. It’s used to cryptographically verify the authenticity of the OS boot loader and the OS kernel as part of the boot process, and is commonly used to protect server operating systems such as Linux or Microsoft Windows Server against bootkits (tampered or malicious boot loaders). In a traditional x86 server, the process begins in the UEFI firmware itself, so the firmware is the trust anchor: unless the platform separately verifies that firmware from hardware, a compromised UEFI image can simply skip or subvert the checks it is supposed to perform.
Cisco IOS XR includes a more extensive boot process that is designed around a hardware trust anchor. This process begins before the CPU is allowed to boot and offers significant protections against hardware or firmware compromises. The Cisco secure boot process establishes an extensive chain of trust that begins in hardware. The hardware anchor implements self-measurement, followed by measurement and digital signature verification of the CPU microloader. It then verifies the signature of the bootloader and the OS kernel.
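To make the chain of trust concrete (the general rule stated earlier that each stage measures and checks the signature of the next before handing over control, and the microloader / bootloader / kernel sequence described just above), here is an added Go model written for this page. It is not Cisco code and does not describe how IOS XR or the Trust Anchor module are actually implemented: the stage names are borrowed from the description above, the images and Ed25519 key pairs are generated for the example, and the measurement register is modelled on a TPM-style PCR extend.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage is one link in the boot chain: its code image, the public key it
// carries to verify the *next* stage, and a signature that the previous
// stage's key must validate. The signature covers image AND embedded key,
// so an attacker cannot splice in their own key without breaking it.
type Stage struct {
	Name    string
	Image   []byte
	NextKey ed25519.PublicKey
	Sig     []byte
}

// signed returns the bytes that are both measured and signed for a stage.
func (s Stage) signed() []byte {
	return append(append([]byte{}, s.Image...), s.NextKey...)
}

// Anchor models the immutable hardware trust anchor: a root public key fixed
// at manufacture (a plain struct field in this model) and a measurement
// register that later stages cannot rewind.
type Anchor struct {
	RootKey ed25519.PublicKey
	PCR     [32]byte
}

// extend folds a measurement into the register the way a TPM PCR does:
// PCR = H(PCR || H(data)). The final value depends on every stage and on
// their order, which is what makes it useful as a known-good value later.
func (a *Anchor) extend(data []byte) {
	h := sha256.Sum256(data)
	a.PCR = sha256.Sum256(append(a.PCR[:], h[:]...))
}

// Boot walks the chain. Each stage is measured first (so the register also
// records what a failed boot saw), then its signature is checked with the
// key inherited from the previous stage. Any failure halts the boot; no
// later stage runs. It returns the names of the stages allowed to run.
func Boot(a *Anchor, chain []Stage) ([]string, error) {
	key := a.RootKey
	var ran []string
	for _, s := range chain {
		a.extend(s.signed())
		if !ed25519.Verify(key, s.signed(), s.Sig) {
			return ran, fmt.Errorf("%s: signature invalid, halting boot", s.Name)
		}
		ran = append(ran, s.Name)
		key = s.NextKey
	}
	return ran, nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// resign attaches the signature a signer holding priv would produce for s.
func resign(priv ed25519.PrivateKey, s *Stage) { s.Sig = ed25519.Sign(priv, s.signed()) }

// BuildDemoChain constructs a three-stage chain. Images and keys are
// generated here for the example; in a real product they come from the
// vendor's build and release signing process.
func BuildDemoChain() (*Anchor, []Stage) {
	rootPub, rootPriv := mustKey() // held by the hardware anchor
	mlPub, mlPriv := mustKey()     // embedded in the microloader image
	blPub, blPriv := mustKey()     // embedded in the bootloader image
	chain := []Stage{
		{Name: "microloader", Image: []byte("constructed microloader image"), NextKey: mlPub},
		{Name: "bootloader", Image: []byte("constructed bootloader image"), NextKey: blPub},
		{Name: "kernel", Image: []byte("constructed kernel image")},
	}
	signers := []ed25519.PrivateKey{rootPriv, mlPriv, blPriv}
	for i := range chain {
		resign(signers[i], &chain[i])
	}
	return &Anchor{RootKey: rootPub}, chain
}

func main() {
	a, chain := BuildDemoChain()
	ran, err := Boot(a, chain)
	fmt.Printf("clean boot:    ran=%v err=%v pcr=%x...\n", ran, err, a.PCR[:4])
	chain[2].Image[0] ^= 1 // flip one bit in the kernel image
	b := &Anchor{RootKey: a.RootKey}
	ran, err = Boot(b, chain)
	fmt.Printf("tampered boot: ran=%v err=%v pcr=%x...\n", ran, err, b.PCR[:4])
}
```

Two details in the model carry the security argument. Measuring before verifying means the register reflects what the device actually saw even when boot halts, which is what an external verifier later wants. And signing the next-stage key together with the image closes the obvious bypass: an attacker who replaces the embedded key so they can sign the following stage themselves invalidates the signature on the stage that carries it.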
Cisco also uses a Trust Anchor module (TAm) which provides a secure unique device identity (SUDI) and other services. Within IOS XR, the TAm also provides critical cryptographic services such as:
Cisco leads the network industry in establishing trusted systems, but our approach isn’t unique because security is an industry-wide challenge. Other industry-leading infrastructure providers use a similar hardware-based approach to establish a root of trust for their own trusted computing hardware such as Google Titan and Microsoft Olympus.
Figure 2. Secure boot
“Trust but verify” isn’t just a proverb. Although it’s critical to verify the hardware, firmware, and software components of a system at boot time to establish trust, it’s equally important to provide visibility and audit capabilities for trusted systems. Secure boot protects against compromise of the OS or underlying components, but once it completes there must be an external reporting path that can demonstrate an uncompromised environment. Trusted systems require effective measurement and reporting of their trust posture to external systems, where the measured values can be compared against “known-good values” (KGV) for that system.
A hardware root of trust is the foundation for trusting a critical system. As an operator, you should require that networking devices provide mechanisms to securely record and store the measurements taken during the boot process and to make them available to external systems. Values measured in hardware at boot time should be recorded in a form that provides cryptographic proof that they have not been altered and accurately represent what was measured. Operators that can show externally validated trust-anchor measurements for their infrastructure have a stronger integrity story to offer potential subscribers.
In addition to recording these values at boot time, secure measurement can be extended to measuring individual processes within the OS at run-time. It’s important to extend trust measurement to the runtime environment as well to allow for comparison against baselines. IOS XR will be implementing advanced capabilities to measure processes and critical files at runtime, and compare these measurements against known-good values (KGVs) from Cisco’s IOS XR build process.
A trusted infrastructure needs an external service for comparing all measurements to known-good values (KGV) for boot integrity or individual process measurements. By providing secure measurement and reporting of measurements, a trusted system can enable remote attestation, or the ability to cryptographically prove that measured values are accurate, and compare these to known-good values on an external system. This approach is the most effective way to provide effective visibility, trust posture assessment, and auditing of trustworthy systems.
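To show the attestation flow end to end (boot-time measurements, runtime file measurements, a signed quote bound to a fresh nonce, and comparison against known-good values on an external service, as described in the last three paragraphs), here is an added Go example written for this page. It is not Cisco code and does not describe an actual IOS XR or TAm interface: the device identity key stands in for the role a secure unique device identity plays, the boot register value, file contents, and known-good values are all constructed, and Ed25519 is used for the quote signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Measurement is one measured item: the boot register or a runtime file.
type Measurement struct {
	Name string   // "pcr0" for the boot register, otherwise a file path
	Hash [32]byte // SHA-256 of the measured content
}

// Quote is what the device returns: the verifier's nonce, the measurements,
// and a signature from the device identity key over both. Binding the nonce
// into the signed payload is what stops an old, valid quote being replayed.
type Quote struct {
	Nonce        []byte
	Measurements []Measurement
	Sig          []byte
}

// quotePayload serialises nonce and measurements deterministically.
func quotePayload(nonce []byte, ms []Measurement) []byte {
	var b bytes.Buffer
	b.Write(nonce)
	for _, m := range ms {
		b.WriteString(m.Name)
		b.WriteByte(0)
		b.Write(m.Hash[:])
	}
	return b.Bytes()
}

// Device models the attested router: an identity key (stand-in for a secure
// device identity), the register left by secure boot, and the files it is
// asked to measure at runtime. All constructed for this example.
type Device struct {
	identity ed25519.PrivateKey
	bootPCR  [32]byte
	files    map[string][]byte
}

// Quote measures the current state and signs it together with the nonce.
func (d *Device) Quote(nonce []byte) Quote {
	ms := []Measurement{{Name: "pcr0", Hash: d.bootPCR}}
	for path, content := range d.files {
		ms = append(ms, Measurement{Name: path, Hash: sha256.Sum256(content)})
	}
	sort.Slice(ms, func(i, j int) bool { return ms[i].Name < ms[j].Name })
	return Quote{Nonce: nonce, Measurements: ms, Sig: ed25519.Sign(d.identity, quotePayload(nonce, ms))}
}

// CheckQuote is the external attestation service: freshness first, then the
// signature against the enrolled identity, then every known-good value.
func CheckQuote(enrolled ed25519.PublicKey, nonce []byte, q Quote, kgv map[string][32]byte) error {
	if !bytes.Equal(nonce, q.Nonce) {
		return errors.New("stale or foreign nonce: possible replay")
	}
	if !ed25519.Verify(enrolled, quotePayload(q.Nonce, q.Measurements), q.Sig) {
		return errors.New("quote not signed by the enrolled device identity")
	}
	reported := map[string][32]byte{}
	for _, m := range q.Measurements {
		reported[m.Name] = m.Hash
	}
	for name, want := range kgv {
		got, ok := reported[name]
		if !ok {
			return fmt.Errorf("%s: not reported", name)
		}
		if got != want {
			return fmt.Errorf("%s: measurement does not match known-good value", name)
		}
	}
	return nil
}

// NewNonce produces the per-request challenge the verifier sends first.
func NewNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// NewDemoDevice builds a constructed device plus the known-good values a
// trusted build process would have published for it.
func NewDemoDevice() (*Device, ed25519.PublicKey, map[string][32]byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{
		"/usr/bin/bgp":         []byte("constructed bgp process binary"),
		"/etc/ssh/sshd_config": []byte("constructed sshd_config"),
	}
	d := &Device{identity: priv, bootPCR: sha256.Sum256([]byte("constructed good boot chain")), files: files}
	kgv := map[string][32]byte{"pcr0": d.bootPCR}
	for p, c := range files {
		kgv[p] = sha256.Sum256(c)
	}
	return d, pub, kgv
}

func main() {
	d, pub, kgv := NewDemoDevice()
	n := NewNonce()
	fmt.Println("clean device:  ", CheckQuote(pub, n, d.Quote(n), kgv))
	d.files["/usr/bin/bgp"] = []byte("constructed trojaned bgp binary")
	n = NewNonce()
	fmt.Println("tampered file: ", CheckQuote(pub, n, d.Quote(n), kgv))
}
```

The order of checks matters: a quote that fails freshness or signature is rejected before its contents are even compared, so an attacker cannot learn which known-good values the verifier holds by submitting crafted measurements, and a device that silently omits a measurement is treated as failing rather than as passing by default.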
As establishing and maintaining trusted systems to power critical network infrastructure becomes a requirement in all carrier networks, it’s important to consider how network hardware and software vendors manage their supply chain and development process. No amount of hardware trust verification will help if malicious code is inserted into the network operating system as part of the software development process. It’s critical to examine how your vendors implement secure development practices as well as the secure management and build processes of the network operating system.
It’s important to consider how vendors balance the difficult task of maintaining secure software development and build practices, especially when custom production code is developed outside of secure facilities in distributed environments.
The Cisco Secure Development Lifecycle is a repeatable and measurable process designed to increase Cisco product resiliency and trustworthiness. The combination of tools, processes, and awareness training introduced throughout the development lifecycle enhances security, provides a holistic approach to product resiliency, and establishes a culture of security awareness.
Security is a core part of the Cisco development process and includes:
Although the topic of secure services built on a trusted network infrastructure is beyond the scope of this white paper, trusted systems also supply mechanisms for secure key management and key storage using the hardware root of trust. Key management and storage provide a secure foundation for other security services built on the network infrastructure.
As requirements for additional data plane encryption services such as MACsec or IPsec and for stronger authentication of control plane routing protocols increase, the need to store key material in a way that can’t be compromised or extracted becomes increasingly important. As access devices proliferate in 4G and 5G mobile backhaul networks, a larger number of access routers will be deployed in unsecured locations. This situation drives the need for secure automated provisioning tools as well as protection of keys against theft or compromise. Providing these secure services will require trusted platforms with hardware-rooted trust models and effective visibility and remote verification of trust.
In the current landscape of advanced, well-funded, and motivated adversaries, it’s not enough to simply keep up to date on OS patches and current best practices for hardening network devices. With attackers seeking long-term compromise of systems and using effective tradecraft to compromise and silently persist within critical infrastructure devices, the next step in securing your infrastructure is to build on a foundation of trusted platforms. We believe that establishing, maintaining, and verifying trust within network infrastructure devices and throughout the IOS XR network OS is the most effective strategy to deliver a trusted and secure 5G network infrastructure.