automating secure server baselines with puppet


Upload: cloudpassage

Post on 20-Aug-2015


Page 1: Automating secure server baselines with Puppet

© 2012 CloudPassage Inc. 1

Automating Secure Server Baselines with

Puppet

a.k.a. “Making Fixing Stupid Stuff Easy”

Andrew Hay

[email protected]

@andrewsmhay | @cloudpassage

#puppetconf - #CloudSec

Page 2: Automating secure server baselines with Puppet


Topics for today

• Why the cloud makes security hard
• Why secure the OS?
• What is a baseline?
• How Puppet can be used to create secure and repeatable server and application baselines

Page 3: Automating secure server baselines with Puppet


Who are you?

• Andrew Hay, Chief Evangelist, CloudPassage
• Former:
  – Industry Analyst @ 451 Research
  – Security Analyst @ UofL and bank in Bermuda
  – Product, Program and Engineering Manager @ Q1 Labs
  – Linux guy at a few ISPs

Page 4: Automating secure server baselines with Puppet


Goals of moving to cloud fail to mesh with security

[Diagram: “Moving to Cloud” goals. Reduce Costs ✔, Increase Agility ✔, Reduce Risk (Legal & Regulatory, Business Continuity, Brand Protection) ?]

Page 5: Automating secure server baselines with Puppet


Cloud radically changes IT Ops

• Creating servers takes almost zero time
• Server location can change frequently
• Physical access to architecture no longer an option

[Diagram: a Gold Master image cloned into www-1 … www-7 across a Public Cloud and a Private Datacenter]

Page 6: Automating secure server baselines with Puppet


Cloud security is new

[Diagram: www-1 in the private datacenter; www-1 … www-4 in the public cloud, each flagged !]

Page 7: Automating secure server baselines with Puppet


Cloud security is different

[Diagram: www-1 … www-4 in the private datacenter, each flagged !; www-4 in the public cloud]

Page 8: Automating secure server baselines with Puppet


Cloud security is complex

[Diagram: www-1 … www-4 in the Private Datacenter, www-4 … www-10 in Cloud Provider A, www-7 … www-10 in Cloud Provider B, each flagged !]

Page 9: Automating secure server baselines with Puppet


Security products aren’t adapting

[Diagram: the same www servers spread across Cloud Provider A, Cloud Provider B and the Private Datacenter, each flagged !]

• No Network Access
• Temporary & Elastic Deployments
• Multiple Cloud Environments

Page 10: Automating secure server baselines with Puppet


We used to rely on perimeter defenses

[Diagram: private datacenter with dmz and core zones behind Firewalls; Load Balancer, App Server, Auth Server and DB tiers]

Page 11: Automating secure server baselines with Puppet


But where is the perimeter in cloud?

[Diagram: Load Balancer, App Server, Auth Server and DB tiers placed in the public cloud]

Page 12: Automating secure server baselines with Puppet


The server is adjacent to the perimeter

[Diagram: public cloud with a Load Balancer, two App Servers and a DB Master, with ! markers on the servers]

Page 13: Automating secure server baselines with Puppet


Why secure the OS?

• A hardened OS often is the last line of defense in the event of a security compromise.
• It is important to note that hardening is not a panacea for security.
  – It is just another layer in a good security model.
• By definition, any machine that is accessible on a network and running services is potentially insecure.
  – (i.e. pretty much any server)

REDUCE ATTACK SURFACE AREA

Page 14: Automating secure server baselines with Puppet


“Andrew’s Law of Servers”

• There are 3 kinds of servers:
  1) Secure servers
  2) Insecure servers
  3) Servers that you think are secure…

[Diagram: three servers, one marked !, one marked ?]

Page 15: Automating secure server baselines with Puppet


Servers are vulnerable

• National Vulnerability Database search of CVE and CCE vulnerabilities:
  – Ubuntu
    • Last 3 years: 788 matching records
    • Last 3 months: 100 matching records
  – RedHat
    • Last 3 years: 1,910 matching records
    • Last 3 months: 288 matching records
  – Microsoft Windows (server)
    • …
• NVD reported 3532 vulnerabilities in 2011.
• This means that last year about ten new security vulnerabilities were discovered each day.

Page 16: Automating secure server baselines with Puppet


What is a baseline?

• base·line /ˈbāsˌlīn/
  – A minimum or starting point used for comparisons.
• Think of it as the ‘bare minimum’ configuration for:
  – Server settings
  – Application configurations
  – Running services
  – Etc.
• Ask yourself:
  – “What do I want of my servers?”

Page 17: Automating secure server baselines with Puppet


What if I only secure one or two things?

Page 18: Automating secure server baselines with Puppet


Running with baselines…

If your baseline is not secure…

Your servers built off of that baseline are also insecure

[Diagram: a Gold Master cloned into www servers, each inheriting the ! flaw]

Page 19: Automating secure server baselines with Puppet


Running with baselines…

Pushing out a ‘Better Master’ might solve a lot of problems

But it will eventually fail you

[Diagram: a Better Master cloned into www servers, each marked ? or !]

Page 20: Automating secure server baselines with Puppet


Running with baselines…

Using our new ‘Gold Master’ we can trust our server’s security

Letting us focus on other, more pressing tasks

[Diagram: a Gold Master cloned into a fleet of www servers]

Page 21: Automating secure server baselines with Puppet


Running with baselines…

Gold Master updates can be rolled out incrementally

Keeping your operational state…operational

[Diagram: Gold Master with a fleet of www servers, a few flagged ! while the rest keep running]

Page 22: Automating secure server baselines with Puppet


How Puppet Can Help

Page 23: Automating secure server baselines with Puppet


Top 5 easy things to start building your secure baseline

1. Disable unnecessary services
2. Remove unneeded packages
3. Restrict access to sensitive files & directories
4. Remove insecure/default configurations
5. Allow administrative access ONLY from trusted servers/clients

Page 24: Automating secure server baselines with Puppet


Disable unnecessary services

• Only what is needed…is needed
• Shutdown and disable unnecessary services
  – e.g. telnet, r-services, ftpd, etc.
• Take a look at:
  – http://www.puppetcookbook.com/posts/ensure-service-stopped-on-boot.html
  – http://www.puppetcookbook.com/posts/ensure-service-is-stopped.html
  – http://docs.puppetlabs.com/references/latest/type.html#service

Page 25: Automating secure server baselines with Puppet


Remove unneeded packages

• If it isn’t being used…why keep it?
• If the server doesn’t need to serve web pages
  – Remove PHP, Apache/nginx
• If it’s not a database server
  – Remove MySQL/PostgreSQL
• Take a look at:
  – http://www.puppetcookbook.com/posts/remove-package.html
  – http://docs.puppetlabs.com/references/latest/type.html#package

Page 26: Automating secure server baselines with Puppet


Restrict access to sensitive files & directories

• Protect what’s important from prying/malicious eyes
• Ensure file permissions restrict access to sensitive files and directories
  – E.g. /etc/shadow, /etc/ssh/sshd_config
  – E.g. /var/tmp/, /tmp/
• Take a look at:
  – http://docs.puppetlabs.com/references/latest/type.html#file
  – http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf

Page 27: Automating secure server baselines with Puppet


Remove insecure/default configurations

• Disable password authentication for SSH
  – Force public key authentication
  – Also, disable empty passwords for users
• SSH
  – Ensure only v2 protocol connections are allowed
• Apache
  – Minimize loadable modules
  – Disable ServerTokens and ServerSignature directives
• Take a look at:
  – http://forge.puppetlabs.com/saz/sudo
  – http://forge.puppetlabs.com/jonhadfield/wordpress
  – http://forge.puppetlabs.com/attachmentgenie/ssh

Page 28: Automating secure server baselines with Puppet


Allow administrative access ONLY from trusted servers/clients

• Leverage the firewall and other tools
  – Source of corporate network / admin network range
  – 3rd-party tools like fail2ban
• Don’t allow ‘server hopping’
• Take a look at:
  – http://forge.puppetlabs.com/attachmentgenie/ufw
  – http://forge.puppetlabs.com/example42/firewall
  – http://forge.puppetlabs.com/puppetlabs/denyhosts
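The five baseline items from the preceding slides as a single Puppet class. This is an added example, not code from the talk or from CloudPassage; it assumes a RHEL/CentOS-style host, that vsftpd is installed, the package names shown, and 10.0.0.0/8 as the admin network, and it uses TCP wrappers in place of the firewall modules the slides list so that it needs only core resource types.

```puppet
# Added example (not from the talk or CloudPassage): the five baseline items
# as one Puppet class for a RHEL/CentOS-style host. Package and service names,
# paths and the admin network range are assumptions. Apply: include secure_baseline
class secure_baseline {
  # 1. Disable unnecessary services: stopped now and not started at boot
  #    (assumes vsftpd is installed; remove the resource if it is not).
  service { 'vsftpd':
    ensure => stopped,
    enable => false,
  }

  # 2. Remove unneeded packages: telnet/r-services plus a web stack this host
  #    has no reason to carry.
  package { ['telnet-server', 'rsh-server', 'httpd', 'php']:
    ensure => absent,
  }

  # 3. Restrict access to sensitive files; /tmp stays world-writable only
  #    with the sticky bit so users cannot remove each other's files.
  file { '/etc/shadow':
    owner => 'root', group => 'root', mode => '0400',
  }
  file { ['/tmp', '/var/tmp']:
    ensure => directory, owner => 'root', group => 'root', mode => '1777',
  }

  # 4. Remove insecure/default SSH configuration: protocol 2 only, public
  #    keys instead of passwords, no empty passwords. Managing the whole file
  #    keeps the baseline explicit; sshd restarts when it changes.
  file { '/etc/ssh/sshd_config':
    ensure  => file, owner => 'root', group => 'root', mode => '0600',
    content => "Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
",
    notify  => Service['sshd'],
  }
  service { 'sshd':
    ensure => running, enable => true,
  }

  # 5. Administrative (SSH) access only from the admin network, via TCP
  #    wrappers; the deck's firewall modules enforce the same range per packet.
  file { '/etc/hosts.allow': content => "sshd: 10.0.0.0/8\n" }  # assumed range
  file { '/etc/hosts.deny':  content => "sshd: ALL\n" }
}
```

Run `puppet apply --noop` against a test host first: the whole-file sshd_config and the package removals are exactly the kind of change a Gold Master should carry, but they are also the kind that locks you out if the admin range or a package name is wrong.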

Page 29: Automating secure server baselines with Puppet


If only we had more time…

• More documentation to review:
  – NIST SP800-123: Guide to General Server Security
    • http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
  – Halo Configuration Policy Rule Checks
    • http://support.cloudpassage.com/entries/22033142-configuration-policy-rule-checks
  – CIS Red Hat Enterprise Linux 6 Benchmark v1.1.0
    • http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.rhel6.110
  – NSA Security Configuration Guides
    • http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#linux2

Page 30: Automating secure server baselines with Puppet


In Closing

Page 31: Automating secure server baselines with Puppet


Moral of the Story

• Security of your cloud servers is your responsibility
• Security risks in the cloud are real (just check your ssh/RDP logs)
• Security baselining isn’t just a best/better practice, it makes your life easier…
• …and isn’t that why we started automating in the first place?

Page 32: Automating secure server baselines with Puppet


What does CloudPassage do?

Security for virtual servers running in public and private clouds

• Firewall Automation
• Multi-Factor Authentication
• Account Management
• Security Event Alerting
• Configuration Security
• Vulnerability Scanning
• File Integrity Monitoring
• API Automation

Page 33: Automating secure server baselines with Puppet


The End

• Ask questions!
  – Lots more info: community.cloudpassage.com
  – Small bits of info: @cloudpassage
• Tell me what you think!
  – Email: [email protected]
  – Twitter: @andrewsmhay
• We’re hiring! DevOps, Rails, UX, SecOps, etc…
  – Email: [email protected]

BTW, We’re Hiring!

Page 34: Automating secure server baselines with Puppet


The End++

• Expect a webinar!
  – We plan on presenting a webinar on securely automating cloud server deployment
  – Follow our Twitter account for details: @cloudpassage
• Community Puppet Code for Halo
  – https://github.com/mrpatrick/puppet-cloudpassage
  – https://github.com/rkhatibi/puppet-cloudpassage

Page 35: Automating secure server baselines with Puppet


Thank You!

Andrew Hay

[email protected]

@andrewsmhay

@cloudpassage

#puppetconf - #CloudSec