don't mind the gap by galen emery
TRANSCRIPT
Don’t Mind the GapDoing DevOps in an Air-gapped World
Galen EmeryFederal Solutions Architect3/8/2017
Who am I?I work with the Federal Government and IntegratorsDoD, Civilian, or IC? Yes.I help users understand how to build and structure their infrastructure (using Chef) to solve their problemsFormer Windows Server AdminBeen with Chef since March 2014Born and raised in Seattle (Nathen, you’re wrong about Seattle crab)
What we coverWhat is “air-gapped”?What issues do we encounter?AssumptionsHow to solve it (technical)How to solve it (process)What about … ?Food for Thought
What is air-gapped?air-gappedadjective(of a computer) having no direct connection to the Internet or to any other computer that is connected to the Internet, for security reasons."a USB drive or other hardware approach would be required to infect the air-gapped machine"
What about mitm?• Corporate man-in-the-middle• Terminates SSL sessions and re-initiates• Often includes packet inspection• Requires you to trust its generated certificates• May still include a firewall blocking access to sites
Maybe its just a firewall• Restricts access to:• Github or gist.github.com• slack• Pastebin• Rubygems.org / some other artifact repository• etc
No restrictions?• Congratulations!• You might still have a
firewall/proxy, its just permissive
• Do you trust those systems will be up when you need them?
Issues
Getting stuff into production• How do we “cross the gap”?• How do we distribute it?• How do we ensure its integrity?
Process?!You want to talk about PROCESS? You kidding me?!
I just hope we can make one change!
VelocityHow do we achieve velocity if we burn a DVD for every change?Or if a proxy is inspecting all of our packets, every time we download a package?
Okay, I’m not air-gapped but…• I have a firewall between my systems and the internet• I have a proxy that inspects all traffic and slows me down• I don’t have {level of access necessary} to make changes• Tool {X} does not understand authenticating proxies
Ground Rules
You know that I know that you know…• How you get code into your high-side environment
Everything is code• If its source code, it goes into SCM• If it is an artifact, it goes into artifact store, and has a checksum• We can (and do) write tests• We build a pipeline
Solution (High-Level)
Go from Low to High
Assume you don’t have internet• Even if you do• Build this into your pipeline• Test this on the low side• Your systems should NOT assume internet access• Most tooling by default assumes it does
Do this work on the low-sideBuild your pipeline in a way that removes internet access for your systems, they must grab their code and artifacts locallyIf you can build your infrastructure without internet access in Dev, you can absolutely do it in Prod
Protect the Data, not the InfraThe data is sensitive, not the infrastructure itself. Keep the data in the high-side, but ensure that you build your infrastructure with the same code in Dev and Prod
WorkstationThis is your “loading dock” for the rest of the infrastructureEverything comes through hereIt needs:• A way to serve files (directly or indirectly)• A way to create artifacts (zip, tar, etc)• built programmatically
WorkstationUse the workstation to:• Stand up your artifact repo• Stand up your configuration management infra• Publish your artifacts• Run tests
Workstation (Chef Example)Bring in to the workstation a zip/tar with the following• ChefDK• A FTP/SSH/SCP Server binary (if it doesn’t already exist on your box)• Your cookbooks• Any extra gems necessary• Chef packages (client, server)
Use Chef Zero to stand up your FTP Server, populate it with the artifacts and prepare it for use in the rest of the process
What about dependencies?I could download, transfer, attempt to install, download, transfer, attempt to install..
I could skip using the gem and instead write it myself
I can create a full gem mirror of all 80,000+ gems on rubygems.org
I can install what I need into a directory, and then move that directory over as an artifact
Simplest is to create an artifactI used “gem install –i $PATH $GEM” && tar cf $PATHIts not pretty but it worksBenefit is: I have a moment-in-time artifact of the gems I’m usingIdeally you’d create this at the end of your development pipeline
You should be using an artifact repo• Use something that can store and manage your artifacts• You can version your artifacts• Often supports the correct dependency structure for your artifacts
Once you have Workstation + Artifact• You can setup your configuration management• Use a tool, running from your workstation to setup the infrastructure
you need
• Example• Chef Provisioning SSH• Doesn’t require internet access• Can bootstrap Chef from a FTP or SCP server
Everything is set, right?• Have workstation, Config Mgmt + Artifact store
• But I haven’t told any of my infrastructure that it shouldn’t reach out to the internet for X, Y or Z
Tell your systems to stay inside• Remove unreachable Satellite repositories• If using ruby, remove rubygems from your sources. Add your artifact
store• If using Chef, update berksfile to an internal supermarket• If using X, update Y to Z
• Don’t do this manually, do it with code and test it on the low side!
What if I have a proxy instead?Most of the tooling supports HTTP_PROXY and HTTPS_PROXYSome of it does notIt is often easier to design the system to assume no network access than to keep fighting proxiesThat said, if you can poke holes out to slack, rubygems, github, chef, etc you’ll be much happier (unless they go down)
Changing the Process
Do this in Dev• Do not wait for Prod to test your systems without internet access• Along these lines, harden your Dev systems to the same standards
as Prod
Create and Use• CI/CD Pipelines• Unit and Integration Tests
Identify where you assume risk• If you let users ssh/rdp into production, that is where the risk lies• If you only let users make changes to production through a pipeline,
that’s where the risk lies• If the risk lies in a pipeline and someone else has to approve code
changes, the risk of any single change/actor is much lower
Imagine This Scenario• Nobody can ever log into Production• All changes flow through a pipeline that tracks who committed,
reviewed and shipped the change• All changes are tested through Dev, QA, etc before deploying to Prod• We build a new Prod every time we make a change
What About … ?
My laptop can’t reach X• If you can’t reach GitHub, or Slack, etc ever; not just in Production
that’s an issue
Security won’t let me!
• Work with them. They are a vital component of your business (or should be)
• Identify where the risk is. The risk is with the data, not with the user.
• Consume Risk in Dev, not in Prod (Fail Fast)• Progress is coming
How often do we update our packages?
Where are the gates?
What are the metrics?Velocity: How fast we shipEfficiency: How good we are at shippingRisk: How long does it take us to fix
Food for Thought
Alaskan King Crab• Biggest crab, legs alone can be a meal• Served steamed or chilled with drawn butter and lemon• Fishing Season:• October• January
Dungeness Crab• Similar size to blue crab, hard shell• Served steamed or chilled with drawn butter and lemon• Fishing Season:• Starts in November• Ends in June/July
Blue Crab• #CrabFeast• Old Bay• Fishing Season:• Starts In April
Proof of Concept codewww.github.com/galenemery/chef-mreWant a USB Key with it?
Google “stuxnet” or “vault 7”If you asked for a USB Key, please let me know who holds your clearance so we can have it revoked
ACKNOWLEDGEMENTSRobb KiddChefConf 2014: Mind the Gap: Deployments with Chef in unforgiving Environments
ACKNOWLEDGEMENTsThank you JOKES ON YOU, THERES NOTHING HERE
Thank you DevOpsDays Baltimore