How vulnerable are your systems after the first line of defense? Do attackers get a stronger foothold after each compromise? How valuable is the data your systems can leak?
“Death Star” security describes a system that relies entirely on an outermost security layer and fails catastrophically when breached. As services multiply, they shouldn’t all run in a single, trusted virtual private cloud. Sharing secrets doesn’t scale either, as systems multiply and partners integrate with your product and users.
David Strauss explores security methods strong enough to cross the public Internet, flexible enough to allow new services without altering existing systems, and robust enough to avoid single points of failure. David covers the basics of public key infrastructure (PKI), explaining how PKI uniquely supports security and high availability, and demonstrates how to deploy mutual authentication and encryption across a heterogeneous infrastructure, use capability-based security, and use federated identity to provide a uniform frontend experience while still avoiding monolithic backends. David also explores JSON Web Tokens as a solution to session woes, distributing user data and trust without sharing backend persistence.
A good written summary of the key talking points: https://www.infoq.com/news/2016/04/oreilysacon-day-one
7. We’re not here to talk about basics or your edge
● Layer 2 or 3 Firewalls
● Web Application
Firewalls
● OWASP Top 10
● DDoS Controls
● Applying updates quicklyFor the purposes of this presentation:
Your first line of defense is gone!
8. Where Do Attackers Go Next?
● Collecting authentication data
● Using the foothold behind the firewall
○ Attacking other internal systems
○ Exploiting the assumption of trust
● Collecting sensitive user, payment, and patient data
● Phishing attacks from privileged email accounts
18. Challenge: Ambient Authority and Confused Deputies
Set a course for
Alderaan.
Governor Tarkin
How it’s
supposed
to work:
Setting course,
Governor.
Helm/Weapons
How it
can fail: Set a course for
Coruscant.
Imposter Tarkin
Setting course,
Governor.
Helm/Weapons
AlderaanBOOM!
CoruscantBOOM!
19. Pattern: Capability-Based Security
Set a course for
ef28bc28 (signed
token for Alderaan).
Governor Tarkin
How it’s
supposed
to work:
Setting course,
Governor.
Helm/Weapons
Attemptedh
ack:
Code
validation
Set a course for, um,
3a2eb45a
(invalid token).
Imposter Tarkin
Sorry, that code isn’t
working in my helm
system, Governor.
Helm/Weapons
AlderaanBOOM!
Code
validation
20. Pattern: Mandatory access control (MAC), like selinux
Set a course for
Alderaan.
Governor Tarkin
How it’s
supposed
to work:
Setting course,
Governor.
Helm/Weapons
May
target
Rebel
Set a course for
Coruscant.
Imposter Tarkin
Setting course,
Governor.
Helm/Weapons
Coruscant
[Label: Imperial]
Alderaan
[Label: Rebel]BOOM!
May
target
Rebel DENIED
Attemptedh
ack:
24. Pattern: Delegated Handling of Sensitive Data
Payments Marketing
User
Agent
Your ApplicationHTTP GET
HTTP POST
External Service Sensitive
Data
25. Pattern: Black Hole APIs
● Don’t simply divide
permissions into read
versus read+write.
● The ability to just write
allows one side to
irretrievably rid itself
of access to sensitive
information.
32. Pattern: Systems Isolation
Web-Facing Systems Intranet Systems
Load
Balancer
Application
Server
Database
Server
Cache
Server
Active
Directory
Exchange
File
Shares
HR Records
FirewallorMore
33. Challenge: Shared Secrets (Including Passwords)
DatabaseApp
Password or Key
Compromise
Point #1
Compromise
Point #2
34. Anti-pattern: Security Through Obscurity
“An analysis of the plans
found in their insecure
git repository has
demonstrated a weakness
in the battle station.”
35. Pattern: Public Key Infrastructure
Admin
Firewall
CDN nginxHTTPS MySQL
Solr
HTTPS
File System
NFS or Similar
SSH Jump or VPNTunnel
Server
Key
SSH
Key
User HTTPS
Server
Certificate MariaDB
PHP-FPM
+ Drupal
Client
Certificate
Server
Certificate
Client
Certificate
Client
Certificate
Client
Certificate
Server
Certificate
Server
Certificate
Server
Certificate
36. Creating a Local Certificate Authority (CA)
● Once: Create a certificate authority (CA):
○ Create a private key for the CA.
○ Create the certificate for the CA.
○ Distribute the certificate to your servers.
● Every time: Follow the normal certificate-creation steps:
○ Create a private key.
○ Create a certificate signing request (CSR).
○ Sign the certificate on the CA.
○ Deploy the certificate alongside the private key.
37. MySQL PKI: Server Side
[mysqld]
ssl-ca=ca.crt
ssl-cert=server.crt
ssl-key=server.key
CREATE USER 'backups'@'backup-host'
REQUIRE SUBJECT '/C=US/ST=California/L=San Francisco/
O=Pantheon/
CN=backups.pantheon.io/emailAddress=hosting@pantheon.io';
Supports rolling secret rotation for multiple clients!