1. © 2013 CloudPassage Inc.
Automating Secure Server Baselines with Chef
a.k.a. “Making Fixing Stupid Stuff Easy”

Andrew Hay
andrew@cloudpassage.com
@andrewsmhay | @cloudpassage
#ChefConf / #CloudSec
2. Topics for today
Why the cloud makes security hard
Why secure the OS?
What is a baseline?
How Chef can be used to create secure and repeatable server and application baselines
4. Who are you?
• Andrew Hay, Director of Applied Security Research at CloudPassage, Inc.
• Former
– Senior Industry Analyst @ 451 Research
– Security Analyst @ UofL and a bank in Bermuda
– Product, Program and Engineering Manager @ Q1 Labs
6. We used to rely on perimeter defenses
(Diagram: a DMZ and a core zone separated by firewalls, containing load balancers, app servers, an auth server and DBs)
7. But where is the perimeter in cloud?
(Diagram: the same load balancers, app servers, auth server and DBs placed in a public cloud, with no firewalls drawn)
8. The server is adjacent to the perimeter
(Diagram: a public cloud with a load balancer, app servers, a DB and a master, plus two warning markers)
9. Why secure the OS?
• A hardened OS often is the last line of defense in the event of a security compromise.
• It is important to note that hardening is not a panacea for security.
– It is just another layer in a good security model.
• By definition, any machine that is accessible on a network and running services is potentially insecure.
– (i.e. pretty much any server)
11. “Andrew’s Law of Servers”
• There are 3 kinds of servers:
1) Secure servers
2) Insecure servers
3) Servers that you think are secure…
(Diagram: three servers, one with a warning marker and one with a question mark)
12. Servers are vulnerable
• National Vulnerability Database search of CVE and CCE vulnerabilities:
– Ubuntu
• Last 3 years: 1,015 matching records
• Last 3 months: 145 matching records
– Red Hat Enterprise Linux
• Last 3 years: 50 matching records
• Last 3 months: 23 matching records
– Microsoft Windows (server)
• Last 3 years: 319 matching records
• Last 3 months: 48 matching records
• NVD reported 5,715 vulnerabilities in 2012.
• This means that last year about 16 new security vulnerabilities were discovered each day.
13. What is a baseline?
• base·line /ˈbāsˌlīn/
– A minimum or starting point used for comparisons.
• Think of it as the ‘bare minimum’ configuration for:
– Server settings
– Application configurations
– Running services
– Etc.
• Ask yourself:
– “What do I want of my servers?”
16. Running with baselines…
If your baseline is not secure…
Your servers built off of that baseline are also insecure
(Diagram: a Gold Master and the www servers built from it, several carrying warning markers)
17. Running with baselines…
Pushing out a ‘Better Master’ might solve a lot of problems
But it may (will) eventually fail you
(Diagram: a Better Master and the www servers built from it, some with warning markers and most with question marks)
18. Running with baselines…
Using our new ‘Gold Master’ we can trust our server’s security
Letting us focus on other, more pressing tasks
(Diagram: a Gold Master and a row of www servers built from it)
19. Running with baselines…
Gold Master updates can be rolled out incrementally
Keeping your operational state…operational
(Diagram: a Gold Master and rows of www servers, some updated and some still carrying warning markers or question marks)
21. Top 5 easy things to start building your secure baseline
1. Disable unnecessary services
2. Remove unneeded packages
3. Restrict access to sensitive files & directories
4. Remove insecure/default configurations
5. Allow administrative access ONLY from trusted servers/clients
22. Disable unnecessary services
• Only what is needed…is needed
• Shutdown and disable unnecessary/insecure services
– e.g. telnet, r-services, ftpd, etc.
• Take a look at:
– http://docs.opscode.com/resource_script.html
– http://docs.opscode.com/resource_execute.html
– http://docs.opscode.com/dsl_recipe_use_ruby.html
23. Remove unneeded packages
• If it isn’t being used…why keep it?
• If the server doesn’t need to serve web pages
– Remove PHP, Apache/nginx
• If it’s not a database server
– Remove MySQL/PostgreSQL
• Take a look at:
– http://docs.opscode.com/resource_package.html
– http://docs.opscode.com/resource_script.html
– http://docs.opscode.com/resource_execute.html
24. Remove unneeded packages
– apt_package
– chef_gem
– dpkg_package
– easy_install_package
– freebsd_package
– gem_package
– ips_package
– macports_package
– pacman_package
– portage_package
– rpm_package
– smartos_package
– solaris_package
– yum_package
http://docs.opscode.com/resource_package.html
27. Restrict access to sensitive files & directories
• Protect what’s important from prying/malicious eyes
• Ensure file permissions restrict access to sensitive files and directories
– e.g. /etc/ssh/sshd_config, /var/log/
– e.g. C:\Windows, C:\Inetpub
28. Remove insecure/default configurations
• Disable password authentication for SSH
– Force public key authentication
– Also, disable empty passwords for users
• SSH
– Ensure only v2 protocol connections are allowed
• Apache
– Minimize loadable modules
– Disable ServerTokens and ServerSignature directives
29. Remove insecure/default configurations
• Apache Example
• Take a look at:
– http://docs.opscode.com/essentials_cookbook_attribute_files.html
– http://docs.opscode.com/essentials_roles.html
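A way to verify the slide 28 and 29 settings on a built server, as an added example that is not part of the original deck or CloudPassage's code: a plain-Ruby checker that parses sshd_config and Apache directive text (constructed samples embedded inline) and reports deviations from the baseline. It assumes the first-value-wins rule for repeated sshd keywords and last-value-wins for Apache, and treats sshd Match blocks as out of scope.

```ruby
# Added example, not from the slides: pure-Ruby check of the slide 28/29 items
# against sshd_config and Apache config text. Assumptions: sshd keeps the FIRST
# value of a repeated keyword (sshd_config(5)), Apache the LAST; sshd "Match"
# blocks are out of scope, so parsing stops at the first one.
SSHD_BASELINE = {
  "passwordauthentication" => "no",  # force public key authentication
  "permitemptypasswords"   => "no",  # disable empty passwords for users
  "pubkeyauthentication"   => "yes",
  "protocol"               => "2",   # only v2 protocol connections
}.freeze
APACHE_BASELINE = {
  "servertokens"    => "prod",       # minimal version banner
  "serversignature" => "off",        # no signature on error pages
}.freeze

# Parse "Keyword value" lines into { lower-cased keyword => lower-cased value },
# skipping blanks and comments. first_wins selects sshd vs Apache precedence.
def parse_directives(text, first_wins:)
  seen = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    key = key.downcase
    break if first_wins && key == "match"
    next if first_wins && seen.key?(key)
    seen[key] = value.to_s.strip.downcase
  end
  seen
end

# Findings are baseline keys that are unset or differ from the expected value.
def baseline_findings(text, baseline, first_wins:)
  directives = parse_directives(text, first_wins: first_wins)
  baseline.map do |key, expected|
    actual = directives[key]
    next if actual == expected
    "#{key}: expected #{expected.inspect}, got #{actual.inspect}"
  end.compact
end

# Constructed samples: a default-ish sshd_config with a hardening line appended
# at the end (which sshd ignores), and an Apache snippet where the last line wins.
SAMPLE_SSHD   = "Protocol 2\nPasswordAuthentication yes\nPermitEmptyPasswords no\n" \
                "PasswordAuthentication no\n"
SAMPLE_APACHE = "ServerTokens OS\nServerSignature On\nServerTokens Prod\n"

puts baseline_findings(SAMPLE_SSHD, SSHD_BASELINE, first_wins: true)
puts baseline_findings(SAMPLE_APACHE, APACHE_BASELINE, first_wins: false)
```

The sshd sample shows why appending a hardened line to a default config is not enough: sshd honours the earlier `PasswordAuthentication yes`, so the finding is still raised.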
30. Allow administrative access ONLY from trusted servers/clients
• Leverage the firewall and other tools
– Source of corporate network / admin network range
– 3rd-party tools like fail2ban
• Don’t allow (or at least restrict) ‘server hopping’
• Take a look at:
– http://community.opscode.com/cookbooks/fail2ban
– http://community.opscode.com/cookbooks/firewall
– http://community.opscode.com/cookbooks/ssh_known_hosts
31. If only we had more time…
• More documentation to review:
– NIST SP800-123: Guide to General Server Security
• http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
– Halo Configuration Policy Rule Checks
• http://support.cloudpassage.com/entries/22033142-configuration-policy-rule-checks
– Center for Internet Security (CIS) Benchmarks
• http://benchmarks.cisecurity.org/downloads/benchmarks/
– Microsoft (yes, that Microsoft)
• http://www.microsoft.com/en-us/download/details.aspx?id=17606
33. Moral of the Story
Security of your cloud servers is your responsibility
Security risks in the cloud are real (just check your ssh/RDP logs)
Security baselining isn’t just a best/better practice, it makes your life easier…
…and isn’t that why we started automating in the first place?
34. What does CloudPassage do?
Security for virtual servers running in public and private clouds
• Firewall Automation
• Multi-Factor Authentication
• Account Management
• Security Event Alerting
• Configuration Security
• Vulnerability Scanning
• File Integrity Monitoring
• API Automation
35. The End
• Ask questions!
– Lots more info: community.cloudpassage.com
– Small bits of info: @cloudpassage
• Tell me what you think!
– Email: andrew@cloudpassage.com
– Twitter: @andrewsmhay
• We’re hiring!
– Email: jobs@cloudpassage.com
36. The End+=1
• Expect a webinar!
– We plan on presenting a webinar on securely automating cloud server deployment
– Follow our Twitter account for details: @cloudpassage
• Community Chef Code for Halo
– https://github.com/escapestudios/chef-cloudpassage
– http://community.opscode.com/cookbooks/cloudpassage
37. The End+=umm…more
• GitHub
– http://github.com/cloudpassage
– http://github.com/andrewsmhay
38. Thank You!
Andrew Hay
andrew@cloudpassage.com
@andrewsmhay
@cloudpassage
#ChefConf / #CloudSec