automating secure server baselines with puppet
TRANSCRIPT
© 2012 CloudPassage Inc. 1
Automating Secure Server Baselines with
Puppet
a.k.a. “Making Fixing Stupid Stuff Easy”
Andrew Hay, [email protected]
@andrewsmhay | @cloudpassage
#puppetconf - #CloudSec
Topics for today
Why the cloud makes security hard
Why secure the OS?
What is a baseline?
How Puppet can be used to create secure and repeatable server and application baselines
Who are you?
• Andrew Hay, Chief Evangelist, CloudPassage
• Former
  – Industry Analyst @ 451 Research
  – Security Analyst @ UofL and bank in Bermuda
  – Product, Program and Engineering Manager @ Q1 Labs
  – Linux guy at a few ISPs
Goals of moving to cloud fail to mesh with security
Moving to Cloud:
• Reduce Costs ✔
• Increase Agility ✔
• Reduce Risk ?
  – Legal & Regulatory
  – Business Continuity
  – Brand Protection
Cloud radically changes IT Ops
• Creating servers takes almost zero time
• Server location can change frequently
• Physical access to architecture no longer an option
[Diagram: Private Datacenter vs. Public Cloud; servers www-1 through www-7 built from a Gold Master]
Cloud security is new
[Diagram: private datacenter vs. public cloud; www-1 through www-4 flagged with alerts]
Cloud security is different
[Diagram: private datacenter vs. public cloud; www-1 through www-4 flagged with alerts in both environments]
Cloud security is complex
[Diagram: Cloud Provider A, Cloud Provider B and Private Datacenter; www-1 through www-10 flagged with alerts across all three environments]
Security products aren’t adapting
[Diagram: Cloud Provider A, Cloud Provider B and Private Datacenter; www-1 through www-10 flagged with alerts]
• No Network Access
• Temporary & Elastic Deployments
• Multiple Cloud Environments
We used to rely on perimeter defenses
[Diagram: Firewall in front of a DMZ (Load Balancer, App Server) and a Core (Auth Server, DB)]
But where is the perimeter in cloud?
[Diagram: Load Balancer, App Servers, Auth Server and DBs in public cloud with no enclosing firewall]
The server is adjacent to the perimeter
[Diagram: public cloud; Load Balancer, App Servers and DB Master each flagged, with no network perimeter between them]
Why secure the OS?
• A hardened OS is often the last line of defense in the event of a security compromise.
• It is important to note that hardening is not a panacea for security.
  – It is just another layer in a good security model.
• By definition, any machine that is accessible on a network and running services is potentially insecure.
  – (i.e. pretty much any server)
REDUCE ATTACK SURFACE AREA
“Andrew’s Law of Servers”
• There are 3 kinds of servers:
  1) Secure servers
  2) Insecure servers
  3) Servers that you think are secure…
Servers are vulnerable
• National Vulnerability Database search of CVE and CCE vulnerabilities:
  – Ubuntu
    • Last 3 years: 788 matching records
    • Last 3 months: 100 matching records
  – RedHat
    • Last 3 years: 1,910 matching records
    • Last 3 months: 288 matching records
  – Microsoft Windows (server)
    • …
• NVD reported 3532 vulnerabilities in 2011.
• This means that last year about ten new security vulnerabilities were discovered each day.
What is a baseline?
• base·line /ˈbāsˌlīn/
  – A minimum or starting point used for comparisons.
• Think of it as the ‘bare minimum’ configuration for:
  – Server settings
  – Application configurations
  – Running services
  – Etc.
• Ask yourself:
  – “What do I want of my servers?”
What if I only secure one or two things?
Running with baselines…
• If your baseline is not secure…
• Your servers built off of that baseline are also insecure
[Diagram: Gold Master producing www servers, each flagged insecure]
Running with baselines…
• Pushing out a ‘Better Master’ might solve a lot of problems
• But it will eventually fail you
[Diagram: Better Master producing www servers whose security state is unknown (?)]
Running with baselines…
• Using our new ‘Gold Master’ we can trust our servers’ security
• Letting us focus on other, more pressing tasks
[Diagram: Gold Master producing trusted www servers]
Running with baselines…
• Gold Master updates can be rolled out incrementally
• Keeping your operational state…operational
[Diagram: Gold Master updating www servers a few at a time while the rest keep serving]
How Puppet Can Help
Top 5 easy things to start building your secure baseline
1. Disable unnecessary services
2. Remove unneeded packages
3. Restrict access to sensitive files & directories
4. Remove insecure/default configurations
5. Allow administrative access ONLY from trusted servers/clients
Disable unnecessary services
• Only what is needed…is needed
• Shut down and disable unnecessary services
  – e.g. telnet, r-services, ftpd, etc.
• Take a look at:
  – http://www.puppetcookbook.com/posts/ensure-service-stopped-on-boot.html
  – http://www.puppetcookbook.com/posts/ensure-service-is-stopped.html
  – http://docs.puppetlabs.com/references/latest/type.html#service
Remove unneeded packages
• If it isn’t being used…why keep it?
• If the server doesn’t need to serve web pages
  – Remove PHP, Apache/nginx
• If it’s not a database server
  – Remove MySQL/PostgreSQL
• Take a look at:
  – http://www.puppetcookbook.com/posts/remove-package.html
  – http://docs.puppetlabs.com/references/latest/type.html#package
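The following manifest is an added example covering the two preceding slides (disable unnecessary services, remove unneeded packages); it is not code from the deck or from CloudPassage. Service and package names are RHEL/CentOS-style and are assumptions, as is the role-flag approach for keeping Apache or MySQL only on the tiers that need them.

```puppet
# baseline_services.pp (added example, not from the original deck)
#
# Disable unnecessary services and remove unneeded packages.
# Service/package names are RHEL/CentOS-style and are assumptions;
# check them with `chkconfig --list` and `rpm -qa` on your own image.
class baseline::services (
  $is_webserver = false,   # only the web tier keeps Apache/PHP
  $is_dbserver  = false,   # only the DB tier keeps MySQL/PostgreSQL
) {

  # 1. Stop and disable standalone services a hardened box does not need.
  #    'ensure => stopped' kills a running instance now; 'enable => false'
  #    removes it from the boot sequence so it stays gone after a reboot.
  #    Only list services whose init scripts exist on the image: the
  #    redhat provider errors on 'chkconfig <name> off' for unknown names.
  $legacy_services = ['vsftpd', 'cups', 'avahi-daemon', 'bluetooth']
  service { $legacy_services:
    ensure => stopped,
    enable => false,
  }

  # 2. Remove the packages behind them so the service cannot come back.
  #    telnet and the r-services are xinetd-managed on RHEL, so they have
  #    no init script of their own; removing their packages deletes the
  #    /etc/xinetd.d entries, which is the reliable way to disable them.
  #    Ordering: stop first, then remove, so the service resource never
  #    refers to an init script that has already been deleted.
  $legacy_packages = ['telnet-server', 'rsh-server', 'vsftpd', 'cups']
  package { $legacy_packages:
    ensure  => absent,
    require => Service[$legacy_services],
  }

  # 3. Role-based removal: a stack that the server does not use is attack
  #    surface with no business value.
  if ! $is_webserver {
    package { ['httpd', 'php', 'nginx']: ensure => absent }
  }
  if ! $is_dbserver {
    package { ['mysql-server', 'postgresql-server']: ensure => absent }
  }
}

# Declare the class for this node. A database host would instead use
#   class { 'baseline::services': is_dbserver => true }
class { 'baseline::services': }
```

Run it with `puppet apply baseline_services.pp`, or `puppet apply --noop` first to see which services and packages on an existing host would be changed; a long list of changes on a "known good" image is itself a finding.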
Restrict access to sensitive files & directories
• Protect what’s important from prying/malicious eyes
• Ensure file permissions restrict access to sensitive files and directories
  – E.g. /etc/shadow, /etc/ssh/sshd_config
  – E.g. /var/tmp/, /tmp/
• Take a look at:
  – http://docs.puppetlabs.com/references/latest/type.html#file
  – http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf
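An added example of the file-permission slide above, not code from the deck or from CloudPassage: it enforces ownership and modes on the files and directories the slide names. The RHEL modes follow the NSA/CIS guidance the deck cites; the Debian/Ubuntu branch (root:shadow 0640 for /etc/shadow) is an assumption based on how those distributions ship the file.

```puppet
# baseline_files.pp (added example, not from the original deck)
#
# Lock down the files that give an attacker the most leverage.
class baseline::files {

  # /etc/shadow: RHEL ships it as root:root 0000 (root bypasses DAC
  # anyway); Debian-family ships it as root:shadow 0640 so helpers in
  # group 'shadow' can read it. Select the convention from the osfamily
  # fact rather than forcing one distribution's mode onto the other.
  case $::osfamily {
    'RedHat': {
      $shadow_group = 'root'
      $shadow_mode  = '0000'
    }
    'Debian': {
      $shadow_group = 'shadow'
      $shadow_mode  = '0640'
    }
    default: {
      fail("baseline::files: unsupported osfamily ${::osfamily}")
    }
  }

  file { '/etc/shadow':
    ensure => file,
    owner  => 'root',
    group  => $shadow_group,
    mode   => $shadow_mode,
  }

  # sshd_config is the host's remote-login policy; only root should read
  # or edit it. Puppet re-applies the mode on every run if it drifts.
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

  # World-writable temp directories must keep the sticky bit (1777) so a
  # user can delete only their own files. 'ensure => directory' also
  # guarantees nobody has replaced /tmp with a symlink.
  file { ['/tmp', '/var/tmp']:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '1777',
  }
}

class { 'baseline::files': }
```

`puppet apply --noop baseline_files.pp` reports drift on an existing host without changing anything, which makes this class a cheap audit as well as an enforcement step.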
Remove insecure/default configurations
• Disable password authentication for SSH
  – Force public key authentication
  – Also, disable empty passwords for users
• SSH
  – Ensure only protocol v2 connections are allowed
• Apache
  – Minimize loadable modules
  – Set ServerTokens Prod and ServerSignature Off so version details are not leaked in headers and error pages
• Take a look at:
  – http://forge.puppetlabs.com/saz/sudo
  – http://forge.puppetlabs.com/jonhadfield/wordpress
  – http://forge.puppetlabs.com/attachmentgenie/ssh
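An added example for the SSH and Apache items above, not code from the deck or from CloudPassage. It uses Puppet's core augeas type (Augeas must be installed on the node: package augeas-libs on RHEL, libaugeas0 on Debian) to change individual sshd directives in place, and a conf.d drop-in for Apache. File paths and service names are RHEL-style and are assumptions; the PermitRootLogin line goes one step beyond the slide.

```puppet
# baseline_configs.pp (added example, not from the original deck)
#
# Replace insecure defaults in sshd and Apache.
class baseline::configs {

  # --- sshd: key-only logins, no empty passwords, protocol 2 only --------
  # Augeas edits the named directives and leaves the rest of the file
  # untouched, so local comments and unrelated settings survive.
  augeas { 'sshd_config-hardening':
    context => '/files/etc/ssh/sshd_config',
    changes => [
      'set PasswordAuthentication no',  # force public-key authentication
      'set PermitEmptyPasswords no',    # never accept an empty password
      'set PermitRootLogin no',         # admins log in as themselves, then sudo
      'set Protocol 2',                 # SSH-1 is cryptographically broken
    ],
    notify  => Service['sshd'],
  }

  service { 'sshd':
    ensure => running,
    enable => true,
  }

  # --- Apache: stop advertising version details ---------------------------
  # ServerTokens Prod reduces the Server: header to "Apache" and
  # ServerSignature Off removes the version footer from error pages.
  # A drop-in under conf.d is read after httpd.conf, so it overrides the
  # package defaults without editing the packaged file.
  package { 'httpd': ensure => installed }

  file { '/etc/httpd/conf.d/zz-hardening.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "ServerTokens Prod\nServerSignature Off\n",
    require => Package['httpd'],
    notify  => Service['httpd'],
  }

  service { 'httpd':
    ensure  => running,
    enable  => true,
    require => Package['httpd'],
  }
}

class { 'baseline::configs': }
```

Deploy the administrators' public keys before this class reaches a host: once PasswordAuthentication is off and sshd restarts, a box with no authorized keys is unreachable except through the console. Verify afterwards with `ssh -o PreferredAuthentications=password user@host`, which should be refused, and `curl -sI http://host/ | grep Server`, which should show only "Apache".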
Allow administrative access ONLY from trusted servers/clients
• Leverage the firewall and other tools
  – Restrict by source: corporate network / admin network range
  – 3rd-party tools like fail2ban
• Don’t allow ‘server hopping’
• Take a look at:
  – http://forge.puppetlabs.com/attachmentgenie/ufw
  – http://forge.puppetlabs.com/example42/firewall
  – http://forge.puppetlabs.com/puppetlabs/denyhosts
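An added example of the admin-access slide above, not code from the deck or from CloudPassage. It assumes the puppetlabs/firewall module (which the deck does not list; the modules it names expose different resource types), and parameter names vary between releases of that module (older releases accept action, newer ones renamed it to jump), so check the one you have installed. The admin range is a placeholder.

```puppet
# baseline_firewall.pp (added example, not from the original deck)
#
# SSH is reachable only from the admin network; public services are open;
# everything else is dropped. Requires the puppetlabs/firewall module.
class baseline::firewall (
  $admin_net = '10.10.0.0/24',   # assumed admin/VPN range; replace it
) {

  # The module orders rules within a chain by the numeric title prefix.
  firewall { '000 accept all on loopback':
    chain   => 'INPUT',
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }

  firewall { '001 accept established/related':
    chain  => 'INPUT',
    proto  => 'all',
    state  => ['ESTABLISHED', 'RELATED'],
    action => 'accept',
  }

  # SSH only from the admin network. Because this is the only SSH rule,
  # an attacker who lands on www-3 cannot 'server hop' to www-4 over
  # port 22: the connection arrives from the wrong source network.
  firewall { '100 accept ssh from admin network':
    chain  => 'INPUT',
    proto  => 'tcp',
    dport  => 22,
    source => $admin_net,
    action => 'accept',
  }

  # Public services are allowed from anywhere; admin services are not.
  firewall { '200 accept http/https':
    chain  => 'INPUT',
    proto  => 'tcp',
    dport  => [80, 443],
    action => 'accept',
  }

  # Default deny. The high prefix keeps it last in the chain.
  firewall { '999 drop everything else':
    chain  => 'INPUT',
    proto  => 'all',
    action => 'drop',
  }
}

class { 'baseline::firewall': }
```

Apply it from the admin network itself, never from a session that the new rules would cut off, and confirm from a host outside `$admin_net` that `nc -zv host 22` fails while `nc -zv host 80` succeeds. If the module's `resources { 'firewall': purge => true }` is also declared, rules added by hand outside Puppet are removed on the next run, which is what keeps the baseline honest.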
If only we had more time…
• More documentation to review:
  – NIST SP800-123: Guide to General Server Security
    • http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
  – Halo Configuration Policy Rule Checks
    • http://support.cloudpassage.com/entries/22033142-configuration-policy-rule-checks
  – CIS Red Hat Enterprise Linux 6 Benchmark v1.1.0
    • http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.rhel6.110
  – NSA Security Configuration Guides
    • http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#linux2
In Closing
Moral of the Story
• Security of your cloud servers is your responsibility
• Security risks in the cloud are real (just check your ssh/RDP logs)
• Security baselining isn’t just a best/better practice, it makes your life easier…
• …and isn’t that why we started automating in the first place?
What does CloudPassage do?
Security for virtual servers running in public and private clouds:
• Firewall Automation
• Multi-Factor Authentication
• Account Management
• Security Event Alerting
• Configuration Security
• Vulnerability Scanning
• File Integrity Monitoring
• API Automation
The End
• Ask questions!
  – Lots more info: community.cloudpassage.com
  – Small bits of info: @cloudpassage
• Tell me what you think!
  – Email: [email protected]
  – Twitter: @andrewsmhay
• We’re hiring! DevOps, Rails, UX, SecOps, etc…
  – Email: [email protected]
The End++
• Expect a webinar!
  – We plan on presenting a webinar on securely automating cloud server deployment
  – Follow our Twitter account for details: @cloudpassage
• Community Puppet Code for Halo
  – https://github.com/mrpatrick/puppet-cloudpassage
  – https://github.com/rkhatibi/puppet-cloudpassage
Thank You!
Andrew Hay
[email protected]
@andrewsmhay | @cloudpassage
#puppetconf - #CloudSec