1. Automating Secure Server Baselines with Puppet
a.k.a. “Making Fixing Stupid Stuff Easy”
Andrew Hay
andrew@cloudpassage.com
@andrewsmhay | @cloudpassage
#puppetconf - #CloudSec
© 2012 CloudPassage Inc. 1
2. Topics for today
Why the cloud makes security hard
Why secure the OS?
What is a baseline?
How Puppet can be used to create secure and repeatable server and application baselines
3. Who are you?
• Andrew Hay, Chief Evangelist, CloudPassage
• Former
– Industry Analyst @ 451 Research
– Security Analyst @ UofL and bank in Bermuda
– Product, Program and Engineering Manager @ Q1 Labs
– Linux guy at a few ISPs
5. Cloud radically changes IT Ops
(Diagram: a Gold Master image cloned into www-1 to www-7, spread across a Private Datacenter and a Public Cloud)
Creating servers takes almost zero time
Server location can change frequently
Physical access to architecture no longer an option
6. Cloud security is new
(Diagram: www-1 to www-4 in the private datacenter, with an empty public cloud beside it)
7. Cloud security is different
(Diagram: www-1 to www-4 in the private datacenter, with www-4 also running in the public cloud)
8. Cloud security is complex
(Diagram: www-1 to www-10 spread across a Private Datacenter, Cloud Provider A and Cloud Provider B)
9. Security products aren't adapting
(Diagram: the same multi-provider deployment, annotated with three callouts)
No Network Access
Temporary & Elastic Deployments
Multiple Cloud Environments
10. We used to rely on perimeter defenses
(Diagram: two firewall tiers separate the DMZ, holding the load balancers and app servers, from the core, holding the auth server and the DB servers)
11. But where is the perimeter in cloud?
(Diagram: the same auth server, DB servers, load balancers and app servers placed in a public cloud, with no firewall tiers between them)
12. The server is adjacent to the perimeter
(Diagram: a load balancer, two app servers and a DB master in a public cloud)
13. Why secure the OS?
• A hardened OS often is the last line of defense in the event of a security compromise.
• It is important to note that hardening is not a panacea for security.
– It is just another layer in a good security model.
• By definition, any machine that is accessible on a network and running services is potentially insecure.
– (i.e. pretty much any server)
14. “Andrew's Law of Servers”
• There are 3 kinds of servers:
1) Secure servers
2) Insecure servers
3) Servers that you think are secure…
15. Servers are vulnerable
• National Vulnerability Database search of CVE and CCE vulnerabilities:
– Ubuntu
• Last 3 years: 788 matching records
• Last 3 months: 100 matching records
– RedHat
• Last 3 years: 1,910 matching records
• Last 3 months: 288 matching records
– Microsoft Windows (server)
• …
• NVD reported 3532 vulnerabilities in 2011.
This means that last year about ten new security vulnerabilities were discovered each day.
16. What is a baseline?
• base·line /ˈbāsˈlīn/
– A minimum or starting point used for comparisons.
• Think of it as the 'bare minimum' configuration for:
– Server settings
– Application configurations
– Running services
– Etc.
• Ask yourself:
– “What do I want of my servers?”
17. What if I only secure one or two things?
18. Running with baselines…
(Diagram: a Gold Master image and the www servers built from it)
If your baseline is not secure…
Your servers built off of that baseline are also insecure
19. Running with baselines…
(Diagram: a Better Master image and the www servers built from it, some still marked as questionable)
Pushing out a 'Better Master' might solve a lot of problems
But it will eventually fail you
20. Running with baselines…
(Diagram: a new Gold Master image and the www servers built from it)
Using our new 'Gold Master' we can trust our server's security
Letting us focus on other, more pressing tasks
21. Running with baselines…
(Diagram: a Gold Master update rolled out across the www servers a few at a time)
Gold Master updates can be rolled out incrementally
Keeping your operational state…operational
23. Top 5 easy things to start building your secure baseline
1. Disable unnecessary services
2. Remove unneeded packages
3. Restrict access to sensitive files & directories
4. Remove insecure/default configurations
5. Allow administrative access ONLY from trusted servers/clients
24. Disable unnecessary services
• Only what is needed…is needed
• Shutdown and disable unnecessary services
– e.g. telnet, r-services, ftpd, etc.
• Take a look at:
– http://www.puppetcookbook.com/posts/ensure-service-stopped-on-boot.html
– http://www.puppetcookbook.com/posts/ensure-service-is-stopped.html
– http://docs.puppetlabs.com/references/latest/type.html#service
25. Remove unneeded packages
• If it isn't being used…why keep it?
• If the server doesn't need to serve web pages
– Remove PHP, Apache/nginx
• If it's not a database server
– Remove MySQL/PostgreSQL
• Take a look at:
– http://www.puppetcookbook.com/posts/remove-package.html
– http://docs.puppetlabs.com/references/latest/type.html#package
26. Restrict access to sensitive files & directories
• Protect what's important from prying/malicious eyes
• Ensure file permissions restrict access to sensitive files and directories
– E.g. /etc/shadow, /etc/ssh/sshd_config
– E.g. /var/tmp/, /tmp/
• Take a look at:
– http://docs.puppetlabs.com/references/latest/type.html#file
– http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf
27. Remove insecure/default configurations
• Disable password authentication for SSH
– Force public key authentication
– Also, disable empty passwords for users
• SSH
– Ensure only v2 protocol connections are allowed
• Apache
– Minimize loadable modules
– Disable ServerTokens and ServerSignature directives
• Take a look at:
– http://forge.puppetlabs.com/saz/sudo
– http://forge.puppetlabs.com/jonhadfield/wordpress
– http://forge.puppetlabs.com/attachmentgenie/ssh
28. Allow administrative access ONLY from trusted servers/clients
• Leverage the firewall and other tools
– Source of corporate network / admin network range
– 3rd-party tools like fail2ban
• Don't allow 'server hopping'
• Take a look at:
– http://forge.puppetlabs.com/attachmentgenie/ufw
– http://forge.puppetlabs.com/example42/firewall
– http://forge.puppetlabs.com/puppetlabs/denyhosts
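An added example, not code from the talk or from CloudPassage: one Puppet class that applies the five baseline items above to a Debian/Ubuntu host that serves neither web pages nor a database. The service, package, group and path names are assumptions for that platform, $admin_net is a constructed placeholder range, and the two firewall resources assume the puppetlabs-firewall module (its action parameter was renamed jump in the module's 3.x releases).

```puppet
# Added example, not the talk's code. Names follow Debian/Ubuntu and must match
# what the host has; $admin_net is a placeholder; firewall{} needs puppetlabs-firewall.
class secure_baseline (
  $admin_net = '192.0.2.0/24'  # constructed placeholder (RFC 5737 TEST-NET-1)
) {
  # 1. Disable unnecessary services: stopped now and not started at boot.
  service { ['avahi-daemon', 'cups', 'vsftpd']:
    ensure => stopped,
    enable => false,
  }
  # 2. Remove unneeded packages: no web pages and no database are served here,
  #    so neither the daemons nor their interpreters stay installed.
  package { ['telnetd', 'rsh-server', 'apache2', 'php5', 'mysql-server']:
    ensure => purged,
  }
  # 3. Restrict access to sensitive files and directories.
  file { '/etc/shadow':
    ensure => file, owner => 'root', group => 'shadow', mode => '0640',
  }
  file { '/etc/ssh/sshd_config':
    ensure => file, owner => 'root', group => 'root', mode => '0600',
  }
  # Shared temp dirs keep the sticky bit so users cannot remove each other's files.
  file { ['/tmp', '/var/tmp']:
    ensure => directory, owner => 'root', group => 'root', mode => '1777',
  }
  # 4. Remove insecure SSH defaults. augeas sets individual keys instead of
  #    replacing the whole file; the notify reloads sshd when anything changed.
  augeas { 'sshd_hardening':
    context => '/files/etc/ssh/sshd_config',
    changes => [
      'set Protocol 2',
      'set PasswordAuthentication no',
      'set PubkeyAuthentication yes',
      'set PermitEmptyPasswords no',
    ],
    notify  => Service['ssh'],
  }
  service { 'ssh': ensure => running, enable => true }
  # 5. Accept SSH only from the admin network and drop it from anywhere else;
  #    the numeric prefix orders the rules, so 100 is matched before 999.
  firewall { '100 allow ssh from admin network':
    proto => 'tcp', dport => '22', source => $admin_net, action => 'accept',
  }
  firewall { '999 drop ssh from elsewhere':
    proto => 'tcp', dport => '22', action => 'drop',
  }
}
```

Apply it with puppet apply once the class is on the module path, and check the service and package lists against what the image actually carries before promoting it to the gold master.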
29. If only we had more time…
• More documentation to review:
– NIST SP800-123: Guide to General Server Security
• http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
– Halo Configuration Policy Rule Checks
• http://support.cloudpassage.com/entries/22033142-configuration-policy-rule-checks
– CIS Red Hat Enterprise Linux 6 Benchmark v1.1.0
• http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.rhel6.110
– NSA Security Configuration Guides
• http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#linux2
31. Moral of the Story
Security of your cloud servers is your responsibility
Security risks in the cloud are real (just check your ssh/RDP logs)
Security baselining isn't just a best/better practice, it makes your life easier…
…and isn't that why we started automating in the first place?
32. What does CloudPassage do?
Security for virtual servers running in public and private clouds
Firewall Automation
File Integrity Monitoring
Multi-Factor Authentication
Account Management
Configuration Security
Security Event Alerting
Vulnerability Scanning
API Automation
33. The End
• Ask questions!
– Lots more info: community.cloudpassage.com
– Small bits of info: @cloudpassage
• Tell me what you think!
– Email: andrew@cloudpassage.com
– Twitter: @andrewsmhay
BTW,
• We're hiring!
DevOps, Rails, UX, SecOps, etc…
– Email: jobs@cloudpassage.com
34. The End++
• Expect a webinar!
– We plan on presenting a webinar on securely
automating cloud server deployment
– Follow our Twitter account for details: @cloudpassage
• Community Puppet Code for Halo
– https://github.com/mrpatrick/puppet-cloudpassage
– https://github.com/rkhatibi/puppet-cloudpassage
35. Thank You!
Andrew Hay
andrew@cloudpassage.com
@andrewsmhay
@cloudpassage
#puppetconf - #CloudSec