Puppetconf2013

BuildingaHyperSecureVPConAWS

withPuppet

TimNolet

ArchitectatXebia(theNetherlands)

Linux/Java/Cloud/Automation/Operations

tnolet@xebia.com

github.com/tnolet

nl.linkedin.com/in/tnolet

Holland=TheNetherlands

Image:xkcd.com

Itendtoramble...

TheAssignment

TheAssignment(1)

1. BuildageneralpurposeVPConAWS

2. Standardizeapplicationdeployment

3. Applycompanysecuritypolicies

TheAssignment(2)

1. DoitwithOpenSource

2. UseAWSstandards

3. Stayclosetoreferenceimplementations

AWSandsecurity

IAM,MFA,HSMSSL,SSH,VPNISO27001PCI-DSSPGP

..andprobablysomemoreacronyms

DesignPrinciples

AGridbasedon:

3xAvailabilityZone

3xTier:web,app,data

1xManagementsubnet

DesignPrinciples

Referencestacks

ImplementedinCloudFormation

Provision:

EC2instances

SecurityGroups

RDSinstances

ELBloadbalancers

RDSinstances

etc.

public_three_tier_stack_redundant_rds.template

AMIHardening

1. ApplyCISBenchmarkforRedHatLinux

2. Log+Alertonanydiscrepancies

3. MonitorYUMsecurityupdates

Benchmark:https://benchmarks.cisecurity.org/tools2/linux/CIS_Redhat_Linux_5_Benchmark_v2.0.0.pdf

CISBenchmarkModule

manifests/1_software.pp2_osservices.pp3_specialservices.pp4_network.pp5_logaudit.pp6_accessauth.pp7_user.pp8_banners.pp9_maintenance.ppinit.pp

=>

Coooode!

#1.6AdditionalProcessHardening

#1.6.1RestrictCoreDumps

file{"/etc/security/limits.conf":source=>"puppet:///modules/cis_baseline/limits.conf",ensure=>"present",group=>"0",mode=>"644",owner=>"0",}

#1.6.2ConfigureExecShieldfile_line{"Execshield":path=>"/etc/sysctl.conf",line=>"kernel.exec-shield=1",}

Hacking/etc/pam.d/su

Allowsonlyusersinthe`wheel`grouptouse`su`

#6.5RestrictAccesstothesuCommand

augeas{"pam.d/su":context=>"/files/etc/pam.d/su/",changes=>["ins01after*[module='pam_rootok.so'][control='sufficient'][type='auth'][last()]","set01/typeauth","set01/controlrequired","set01/modulepam_wheel.so","set01/argumentuse_uid",],onlyif=>"match*[type='auth'][control='required'][module='pam_wheel.so'][argument='use_uid']size==0",}

Taggingdependentmodules

IPtablesismanagedbyitownmoduleWecheckifitisincludedusingthe`tagged`function

#4.7EnableIPtables

#CISRule4.7shouldbeenforcedthroughtheiptables/firewallmodule.#Weonlynotifyifitisnotrunning

iftagged("firewall_base"){notice("CISrule4.7EnableIPtablesisinstalledandenabled")}else{alert{"CISrule4.7EnableIPtablesisnotinstalled":}}

Tags:orderisimportant

ActualIPoftheGraylog2hostisinHiera

CentralLogging

Rsyslog=>Graylog2

/etc/rsyslog.conf#Forwardalllogstocentralloggingserver*.*@<%=central_log_app_server%>#udpforwarding

SortingSearchingAlertingGraphing

...basicallyaSIEMonthecheap

Networktrafficlogging

Why?

AWSSecurityGroupsandNetworkACL'sdon'tloganything

Networktrafficlogging

How?

Puppet+IPtables+Rsyslog+Graylog2

Extendingthepuppetlabs_firewallmodulefromtheforgehttps://forge.puppetlabs.com/puppetlabs/firewall

Allow/Drop/Log

1. AlloworDropconnections2. Taginitialconnections,onbothdroppedandallowed3. Don'ttagestablishedandrelatedconnections4. LogtoGraylog2viarsyslog

LetRelatedandEstablishedpassthroughunharmed

Allow/Drop/Log

firewall{"000INPUTallowrelatedandestablished":state=>["RELATED","ESTABLISHED"],action=>"accept",chain=>"INPUT",proto=>"all",}

Allow/Drop/Log

firewallchain{'LOGNEW:filter:IPv4':ensure=>present,}

firewall{"100LogallNEWconnections":chain=>"LOGNEW",log_level=>"info",log_prefix=>"FIREWALLTCPINBOUND",jump=>"LOG",}

firewall{"101Accepttheconnection":chain=>"LOGNEW",action=>"accept",}

Createa"LOGNEW"chainforallNEWconnectionsTagthemwithaprefixandjumpthemtotheLOGtargetThenaccepttheconnections

JumpyourallowedtraffictotheLOGNEWchain

Allow/Drop/Log

firewall{"100allowssh":state=>["NEW"],dport=>"22",proto=>"tcp",jump=>"LOGNEW"}

Exceptions...

ProxiesDNSDatabaserunningnodesOtherbridgingtypenodes

CustomFactertotherescue!

IPrangesmatchtheGRID

AvailabilityzoneTier

Av.ZonecustomFact

defget_avzoneipaddress=Facter.value(:ipaddress)ifFacter.value(:tier)=="management"av_zone="zone_1b"elsifipaddress=~(/^.*\.*\.*\.([012345][0-9]|6[0-2])$/)avzone="zone_1a"elsifipaddress=~(/^.*\.*\.*\.(6[5-9]|[789][0-9]|1[0-1][0-9]|12[0-6])$/)avzone="zone_1b"elsifipaddress=~(/^.*\.*\.*\.(129|1[3-8][0-9]|190)$/)avzone="zone_1c"elseavzone="default"endend

Done!

Good/Bad/PlainUgly

Good

Community!

Good

Graylog2isgreatandextremelyflexible

Good

VPCisthewaytogoonAWS

CloudFormation'spowerisincredible

Bad

PerformanceoflargecatalogswithPuppet2.7

file{"/etc/somedirectory":recurse=>true,ignore=>["work","temp","log"],checksum=>none}

Hiera-GPGiscumbersometosaytheleast

Bad

JSONnotationofCloudFormationtemplates

...meh

Tip:CFNDSL=RubyDSLforCloudFormationtemplates

https://github.com/howech/cfndsl

Ugly

Unifiedstateandlifecyclemanagement

Ugly

Everythingisautomated,butusingit'sown:

1. DSL2. Authentication/Authorization3. Paradigms4. Versioning5. Younameit...

Ugly

Onesinglesourceoftruthfor:

1. Audittrail/logging2. Instancestatus3. Applicationstatus4. CRUDactionsonthewholeinfrastructure

Hope?!

RightScale,Scalr,Cloudifyandsimilar?AWSOpsWorks?

Hope?!

NotthirdpartyorapluginPartofthecoreNotSaaSonlyEnterprise

CloudProvisioning,ConfigurationManagementandApplicationDeployment

Rantover...

Questions?