Building a Hyper Secure VPC on AWS with Puppet

DESCRIPTION

This presentation was given at PuppetConf 2013. It addresses a set of security concerns on AWS VPC and how we used Puppet to address these concerns.

TRANSCRIPT
PuppetConf 2013
Building a Hyper Secure VPC on AWS with Puppet

Tim Nolet
Architect at Xebia (the Netherlands)
Linux / Java / Cloud / Automation / Operations
github.com/tnolet
nl.linkedin.com/in/tnolet

Holland = The Netherlands
Image: xkcd.com

I tend to ramble...
The Assignment

The Assignment (1)
1. Build a general purpose VPC on AWS
2. Standardize application deployment
3. Apply company security policies

The Assignment (2)
1. Do it with Open Source
2. Use AWS standards
3. Stay close to reference implementations

AWS and security
IAM, MFA, HSM, SSL, SSH, VPN, ISO 27001, PCI-DSS, PGP
..and probably some more acronyms
Design Principles
A Grid based on:
3x Availability Zone
3x Tier: web, app, data
1x Management subnet

Design Principles
Reference stacks
Implemented in CloudFormation
Provision:
EC2 instances
Security Groups
RDS instances
ELB load balancers
etc.
public_three_tier_stack_redundant_rds.template
AMI Hardening
1. Apply CIS Benchmark for Red Hat Linux
2. Log + Alert on any discrepancies
3. Monitor YUM security updates
Benchmark: https://benchmarks.cisecurity.org/tools2/linux/CIS_Redhat_Linux_5_Benchmark_v2.0.0.pdf

CIS Benchmark Module
manifests/
  1_software.pp
  2_osservices.pp
  3_specialservices.pp
  4_network.pp
  5_logaudit.pp
  6_accessauth.pp
  7_user.pp
  8_banners.pp
  9_maintenance.pp
  init.pp
=>
Coooode!
# 1.6 Additional Process Hardening
# 1.6.1 Restrict Core Dumps
file { "/etc/security/limits.conf":
  source => "puppet:///modules/cis_baseline/limits.conf",
  ensure => "present",
  group  => "0",
  mode   => "644",
  owner  => "0",
}

# 1.6.2 Configure ExecShield
file_line { "Execshield":
  path => "/etc/sysctl.conf",
  line => "kernel.exec-shield = 1",
}
Hacking /etc/pam.d/su
Allows only users in the `wheel` group to use `su`

# 6.5 Restrict Access to the su Command
augeas { "pam.d/su":
  context => "/files/etc/pam.d/su/",
  changes => [
    "ins 01 after *[module='pam_rootok.so'][control='sufficient'][type='auth'][last()]",
    "set 01/type auth",
    "set 01/control required",
    "set 01/module pam_wheel.so",
    "set 01/argument use_uid",
  ],
  onlyif  => "match *[type='auth'][control='required'][module='pam_wheel.so'][argument='use_uid'] size == 0",
}
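The "Log + Alert on any discrepancies" step of the AMI hardening slide, and the condition the Augeas `onlyif` above tests, can also be expressed as a standalone drift checker that reads the hardened files as text. The following is an added Ruby example, not code from the talk or from the `cis_baseline` module; the file contents are constructed samples, and the expected lines (`* hard core 0` in limits.conf for CIS 1.6.1, `kernel.exec-shield = 1` for 1.6.2, `auth required pam_wheel.so use_uid` for 6.5) are the CIS items the slides reference.

```ruby
# Added example (not from the talk or its cis_baseline module): a drift checker
# in the spirit of "log + alert on any discrepancies". It parses the hardened
# files as text and returns the CIS items that no longer hold on the node.
# All file contents below are constructed samples, not taken from a real host.

# Strip comments and blank lines, return the remaining configuration lines.
def config_lines(text)
  text.each_line.map { |l| l.sub(/#.*/, "").strip }.reject(&:empty?)
end

# sysctl.conf style "key = value" (also "key=value") into a hash.
def parse_sysctl(text)
  config_lines(text).each_with_object({}) do |line, acc|
    key, value = line.split("=", 2)
    acc[key.strip] = value.strip if key && value
  end
end

# PAM config "type control module [args...]" into an array of hashes.
def parse_pam(text)
  config_lines(text).map do |line|
    type, control, mod, *args = line.split
    { type: type, control: control, module: mod, args: args }
  end
end

# limits.conf "domain type item value" into an array of hashes.
def parse_limits(text)
  config_lines(text).map do |line|
    domain, type, item, value = line.split
    { domain: domain, type: type, item: item, value: value }
  end
end

# Returns the discrepancies found; an empty array means the node matches the baseline.
def cis_discrepancies(sysctl:, pam_su:, limits:)
  issues = []

  # 1.6.1 Restrict core dumps: limits.conf must carry "* hard core 0"
  core_limit = parse_limits(limits).any? do |e|
    e[:domain] == "*" && e[:type] == "hard" && e[:item] == "core" && e[:value] == "0"
  end
  issues << "CIS 1.6.1: '* hard core 0' missing from /etc/security/limits.conf" unless core_limit

  # 1.6.2 Configure ExecShield: the key the talk's file_line resource manages
  unless parse_sysctl(sysctl)["kernel.exec-shield"] == "1"
    issues << "CIS 1.6.2: kernel.exec-shield is not 1 in /etc/sysctl.conf"
  end

  # 6.5 Restrict access to su: the same condition as the Augeas onlyif match
  wheel_only = parse_pam(pam_su).any? do |e|
    e[:type] == "auth" && e[:control] == "required" &&
      e[:module] == "pam_wheel.so" && e[:args].include?("use_uid")
  end
  issues << "CIS 6.5: 'auth required pam_wheel.so use_uid' missing from /etc/pam.d/su" unless wheel_only

  issues
end

# --- constructed sample inputs -------------------------------------------
HARDENED_SYSCTL = <<~CONF
  net.ipv4.ip_forward = 0
  kernel.exec-shield = 1
CONF

DRIFTED_SYSCTL = <<~CONF
  net.ipv4.ip_forward = 0
  kernel.exec-shield=0   # someone turned it off by hand
CONF

HARDENED_PAM_SU = <<~PAM
  #%PAM-1.0
  auth            sufficient      pam_rootok.so
  auth            required        pam_wheel.so use_uid
  auth            include         system-auth
  account         include         system-auth
PAM

DEFAULT_PAM_SU = <<~PAM
  #%PAM-1.0
  auth            sufficient      pam_rootok.so
  auth            include         system-auth
PAM

HARDENED_LIMITS = "* hard core 0\n"

if __FILE__ == $0
  # The "log + alert" step: report every discrepancy on the drifted sample node.
  cis_discrepancies(sysctl: DRIFTED_SYSCTL, pam_su: DEFAULT_PAM_SU, limits: "").each { |msg| warn msg }
end
```

Run as a script it reports three discrepancies for the drifted sample and none for the hardened one. On a real node the three arguments would be `File.read` of the respective files, and the messages would go out through rsyslog so the central Graylog2 can alert on them.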
Tagging dependent modules
IPtables is managed by its own module. We check if it is included using the `tagged` function.

# 4.7 Enable IPtables
# CIS Rule 4.7 should be enforced through the iptables/firewall module.
# We only notify if it is not running
if tagged("firewall_base") {
  notice("CIS rule 4.7 Enable IPtables is installed and enabled")
} else {
  alert("CIS rule 4.7 Enable IPtables is not installed")
}

Tags: order is important
Central Logging
Rsyslog => Graylog2
Actual IP of the Graylog2 host is in Hiera

/etc/rsyslog.conf
# Forward all logs to central logging server (udp forwarding)
*.* @<%= central_log_app_server %>

Sorting, Searching, Alerting, Graphing
...basically a SIEM on the cheap
Network traffic logging
Why?
AWS Security Groups and Network ACLs don't log anything

Network traffic logging
How?
Puppet + IPtables + Rsyslog + Graylog2
Extending the puppetlabs_firewall module from the forge: https://forge.puppetlabs.com/puppetlabs/firewall

Allow / Drop / Log
1. Allow or Drop connections
2. Tag initial connections, on both dropped and allowed
3. Don't tag established and related connections
4. Log to Graylog2 via rsyslog

Let Related and Established pass through unharmed

Allow / Drop / Log
firewall { "000 INPUT allow related and established":
  state  => ["RELATED", "ESTABLISHED"],
  action => "accept",
  chain  => "INPUT",
  proto  => "all",
}

Allow / Drop / Log
firewallchain { 'LOGNEW:filter:IPv4':
  ensure => present,
}

firewall { "100 Log all NEW connections":
  chain      => "LOGNEW",
  log_level  => "info",
  log_prefix => "FIREWALL TCP INBOUND",
  jump       => "LOG",
}

firewall { "101 Accept the connection":
  chain  => "LOGNEW",
  action => "accept",
}

Create a "LOGNEW" chain for all NEW connections. Tag them with a prefix and jump them to the LOG target. Then accept the connections.

Jump your allowed traffic to the LOGNEW chain

Allow / Drop / Log
firewall { "100 allow ssh":
  state => ["NEW"],
  dport => "22",
  proto => "tcp",
  jump  => "LOGNEW",
}
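To show what the LOGNEW chain produces once rsyslog forwards it, and what the "alerting" part of the SIEM-on-the-cheap slides can look like on the receiving end, here is an added Ruby example. It is not code from the talk: it parses kernel iptables LOG lines carrying the talk's `FIREWALL TCP INBOUND` prefix and runs two simple rules over them. The log lines are constructed samples, the host and address values are made up, and the thresholds are arbitrary.

```ruby
require "set"

# Added example (not from the talk): parse the iptables LOG lines the LOGNEW chain
# emits after rsyslog forwards them, and run two simple alert rules over them.
# All log lines are constructed samples; the prefix is the talk's log_prefix.

LOG_PREFIX = "FIREWALL TCP INBOUND"

# One syslog line -> hash of the iptables key=value fields plus ts/host,
# or nil if the line does not carry the LOGNEW prefix.
def parse_firewall_line(line)
  m = line.match(/\A(?<ts>\w{3}\s+\d+ [\d:]+) (?<host>\S+) kernel: (?:\[\s*[\d.]+\] )?#{Regexp.escape(LOG_PREFIX)}\s*(?<rest>IN=.*)\z/)
  return nil unless m
  fields = { ts: m[:ts], host: m[:host] }
  m[:rest].split.each do |tok|
    key, value = tok.split("=", 2)
    fields[key.downcase.to_sym] = value   # nil for bare flags such as DF or SYN
  end
  fields
end

# Count logged NEW connections per [source address, destination port].
def new_connections_by_source(lines)
  lines.each_with_object(Hash.new(0)) do |l, counts|
    f = parse_firewall_line(l)
    counts[[f[:src], f[:dpt]]] += 1 if f
  end
end

# Alert rules: one source touching more than max_ports distinct ports, or opening
# more than max_ssh new SSH connections, within the lines given.
def alerts(lines, max_ports: 5, max_ssh: 3)
  ports_by_src = Hash.new { |h, k| h[k] = Set.new }
  ssh_by_src   = Hash.new(0)
  lines.each do |l|
    f = parse_firewall_line(l)
    next unless f
    ports_by_src[f[:src]] << f[:dpt]
    ssh_by_src[f[:src]] += 1 if f[:proto] == "TCP" && f[:dpt] == "22"
  end
  out = []
  ports_by_src.each { |src, ports| out << "#{src} hit #{ports.size} distinct ports" if ports.size > max_ports }
  ssh_by_src.each   { |src, n|     out << "#{src} opened #{n} new SSH connections" if n > max_ssh }
  out
end

# --- constructed sample lines, in the rsyslog format a kernel LOG target produces ---
def sample_line(host, src, dst, spt, dpt)
  "Oct 10 12:00:01 #{host} kernel: #{LOG_PREFIX} IN=eth0 OUT= " \
  "MAC=02:aa:bb:cc:dd:ee:02:11:22:33:44:55:08:00 SRC=#{src} DST=#{dst} LEN=60 TOS=0x00 " \
  "PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=#{spt} DPT=#{dpt} WINDOW=29200 RES=0x00 SYN URGP=0"
end

SAMPLE_LINES = [
  # four new SSH connections from one source to the web tier
  *4.times.map { |i| sample_line("web-1a", "10.0.1.15", "10.0.2.20", 51200 + i, 22) },
  # one source touching six different ports on an app node
  *%w[22 80 443 3306 8080 8443].each_with_index.map { |p, i| sample_line("app-1b", "10.0.3.7", "10.0.4.30", 40000 + i, p) },
  # an unrelated sshd line that the parser must ignore
  "Oct 10 12:00:09 web-1a sshd[1234]: Accepted publickey for ec2-user from 10.0.1.15 port 51234 ssh2",
].freeze

if __FILE__ == $0
  alerts(SAMPLE_LINES).each { |a| puts "ALERT: #{a}" }
end
```

One practical detail: iptables writes the `IN=` token directly after the prefix, so a `log_prefix` without a trailing space yields `INBOUNDIN=eth0` on the wire. The regex above tolerates both forms with `\s*`, but ending the prefix with a space (or `: `) keeps the Graylog2 extractors simpler. In a real deployment the parsing would be done by those extractors and the rules by Graylog2 streams; the Ruby here just makes the two steps explicit.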
Exceptions...
Proxies, DNS, Database running nodes, Other bridging type nodes

Custom Facter to the rescue!
IP ranges match the GRID
Availability zone, Tier

Av. Zone custom Fact
# Custom fact: derive the availability zone from the node's IP address.
# The last octet ranges match the grid; management nodes always report zone_1b.
Facter.add(:avzone) do
  setcode do
    ipaddress = Facter.value(:ipaddress)
    if Facter.value(:tier) == "management"
      "zone_1b"
    else
      case ipaddress.to_s.split(".").last.to_i
      when 0..62    then "zone_1a"   # last octet 0-62
      when 65..126  then "zone_1b"   # last octet 65-126
      when 129..190 then "zone_1c"   # last octet 129-190
      else               "default"   # gaps (63-64, 127-128) and anything above 190
      end
    end
  end
end
Done!

Good / Bad / Plain Ugly

Good
Community!

Good
Graylog2 is great and extremely flexible

Good
VPC is the way to go on AWS
CloudFormation's power is incredible

Bad
Performance of large catalogs with Puppet 2.7
file { "/etc/somedirectory":
  recurse  => true,
  ignore   => ["work", "temp", "log"],
  checksum => none,
}
Hiera-GPG is cumbersome to say the least

Bad
JSON notation of CloudFormation templates
...meh
Tip: CFNDSL = Ruby DSL for CloudFormation templates
https://github.com/howech/cfndsl

Ugly
Unified state and lifecycle management

Ugly
Everything is automated, but using its own:
1. DSL
2. Authentication / Authorization
3. Paradigms
4. Versioning
5. You name it...

Ugly
One single source of truth for:
1. Audit trail / logging
2. Instance status
3. Application status
4. CRUD actions on the whole infrastructure

Hope?!
RightScale, Scalr, Cloudify and similar? AWS OpsWorks?

Hope?!
Not third party or a plugin
Part of the core
Not SaaS only
Enterprise
Cloud Provisioning, Configuration Management and Application Deployment

Rant over...
Questions?