Going Outside the ApplicationMatthew Saltzman, Security EngineerBlackboard Inc.

Securing the Environment for Blackboard Learn

ABOUT ME

Matthew SaltzmanSecurity EngineerBlackboard Inc.matthew.saltzman@blackboard.com

I have been at Blackboard for over 5 years, 4 of those in Blackboard Support

INTRODUCTION

• Blackboard contains Sensitive Information• Names• Addresses• Social Security Numbers

• Should be removed if present• Grade Information for Courses

• This data must be protected• Securing the application can only be one

component in securing this information• Also need to secure the environment it runs on

COMPONENTS TO SECURE

• Application• Network • Operating System• Database• 3rd Party components external to Blackboard• Institution Policies

SSL

• Protection against network monitoring tools• Traffic Sniffing

• Protection against Man in the Middle Attacks• Easy to configure Blackboard to use SSL

• Requires an SSL certificate from a signing authority (SA)

• Configure webserver to use SSL certificate• Turn on SSL

• Through the Application• Via SSL offloading

TYPES OF CERTIFICATES

Regular SSL Certificate • single site• up to 256-bit encryption

EV Certificate • single site• up to 256-bit encryption• Much stricter issuing criteria

Wildcard Certificate • multiple sites in the same domain

• up to 256-bit encryption

Intermediary Certificate • single site• Used in conjunction with a

Wildcard Certificate to validate the identity of the individual site

ALTERNATE CONTENT DOMAIN

• Purpose: XSS Prevention from files• Creates a single-use session for downloading

the file• Prevents session stealing from main Blackboard

session• Expires as soon as the file is downloaded

• Requires separate SSL certificate for alternate domain• Otherwise SSL errors will appear

CHANGES DUE TO ALTERNATE DOMAIN

Without Alternate Domain for serving content:

With Alternate Domain for serving content:

PATCHES AND UPGRADE SCHEDULE

• Application Vulnerabilities often fixed via patches• Released via bbpatch• Publish a Security Advisory to Behind the

Blackboard• Not all vulnerabilities fixed this way

• Too complex a fix• Fixed by a new security feature

• Capturing Security Events (SP12)• Secure User Password Storage (SP12)

• Keep Blackboard version up to date as well

FIREWALL

• Helps prevent unauthorized access to the server• Limits access to allowed ports• Blocks access from devices that should not

have access• Required Ports (Defaults):

80 - HTTP port                8011 - Collab HTTP Port

443 - SSL port 8443 - Collab SSL Port

8009 - Tomcat Port number 8006 - Collab Shutdown Port

8005 - Tomcat Shutdown Port 1521 - (Oracle DB) 1433 - (SQLServer)

8010 - Collab TCP Port 8016 - BBExec Service Port

61616 – ActiveMQ Port

DEMO

• How Firewalls help prevent network penetration• Demonstration of how port scanning works

IPTABLES CONFIGURATION

NETWORK SEGMENTING

• Different types of servers should be in different network zones• DMZ – perimeter network containing external

facing servers• Most vulnerable

• Any other network zone – Should not contain external servers

• Firewall present between DMZ and rest of network

• Application servers should be in the DMZ• Database should not

NETWORK DIAGRAM

TRAFFIC SHAPER

• Device that does “Rate Limiting” on network traffic to specific devices

• Packet Shaping• Helps prevent DoS attacks

• Slows rate of traffic hitting server• Requires statistics

• Expected Incoming Traffic • Acceptable incoming traffic Rates• Traffic rate too low causes performance issues for

end users• Traffic rate too high could allow DoS attack to

succeed• Could be done through Load Balancer

TRAFFIC SHAPER GRAPH

SSL OFFLOADING

• Can use either Load Balancer or specific offloading tool (SSL Accelerator)• Cuts down cost of encryption

• Tool (Load Balancer or otherwise) much faster at encryption then Application Server

• Allows Longer SSL encryption key• Thus, helps prevent DoS due to SSL

INTRUSION DETECTION/ PREVENTION SYSTEM

• Monitors network for malicious traffic• Can take various actions when discovered:

• Send an Alert• Log malicious traffic for review• Drop malicious traffic (Prevention only)

• Can be configured using custom rules• Different types

• Network Based – prevents network attacks• Host based – prevents OS level attacks

• Some examples (Open Source):• Snort (Network IPS)• OSSEC (Host IPS)• Suricata (Network IPS)

SNORT

OSSEC

SURICATA

ALTER PORTS, REMOVE BANNERS

• Port Scans• Tells scanner which ports are open• Reports any banners associated with open ports

• Default ports describe which application is running• Therefore, do not use default ports

• Exceptions: ports 80 and 443 • Banners on ports explain what non-default

ports do• Therefore, remove any descriptions of the ports

as well

PORT SCANNER

PROTECT ANY OPERATING SYSTEM

• Keep Operating System up to Date• OS Patches• Application/Service Packs

• Dedicate Servers to specific tasks• Prevents vulnerabilities in one application or

task from affecting others• Use domain accounts for users

• Allows for simpler auditing of user activity• Require strong passwords for all accounts

• Helps prevent unwanted access to servers

DEMO

• Why dedicating servers to specific tasks is a good idea• Insecure tool running on same server as

Blackboard

INSECURE SERVER CODE

AUDITING OS ACTIVITY

• OS should be configured for auditing• Account with activity• Action this account took• Time the action was taken

AUDIT LOG RECOMMENDATIONS

• Archive and Clear audit log daily• Prevents performance issues• Easier to read and locate problems• Easier to notice tampering with the audit log

• Alerts on suspicious activity• Authentication Problems• Altering system settings• Accessing Sensitive Data

BAD AUDIT LOG

SECURING LINUX SERVERS

• Require SSH instead of Telnet• Telnet is insecure• Traffic sniffing Telnet session is possible

• Use public/private key authentication • Private Key file never leaves the client machine• Private key cannot be computed from public key

• Add a strong passphrase to the private key file• Prevents a user from using a stolen private key

PUBLIC KEY SSH AUTHENTICATION

APACHE2

• All Linux application servers should run Apache2• Added security, as is current version• Can keep up-to-date with patches and new

versions• Does not require Blackboard intervention

• Can add MOD_SECURITY • Application firewall

• Can prevent some application vulnerabilities • Not easy in Blackboard Apache, if even possible• Allows for audit logging of HTTP

• Information about potential malicious activity within the application

MOD_SECURITY FLOW DIAGRAM

RENDERED MOD_SECURITY LOG

SECURING WINDOWS SERVERS

• Group Policy• Strong password Requirements• Require password changes often• Audit log (covered earlier)

• IIS Settings• IIS User with minimal permissions to everything

except application• MOD_SECURITY for IIS possible

• SCW (Security Configuration Wizard)• Wizard for setting security configuration

UNIQUE DATABASE CONCERNS

• Contains all data from the application• Need to configure OS Security

• Access to the OS means access to the DB, usually

• Also need database specific security• DB is meant to be accessed remotely

DATABASE USER SECURITY

• Strong Database Passwords• Should not match OS

Passwords• Each Password

should be Unique• Users should not use

system accounts• sa, root, master, etc. • Allows for auditing of

individual users’ activity

DATABASE SECURITY MEASURES

• Limit DB permissions to bare minimum• Helps prevent database privilege escalation

• Limit login by IP Address• Prohibits access to Database by unauthorized

machines• Potential Solution:

• Encrypt traffic to and from Database• Please performance test this first, may not

perform well

REDIS

• 3rd Party Caching Database• Blackboard Developed

B2 to replace server caches

• See Nori’s presentation on performance impact: • 8:30 – 9:15 AM

Tuesday in Murano 3301B

REDIS SECURITY FEATURES

• Should never manually log into Redis cache• Password should be far more complex than

normal• Stored in a properties file

• Block Unused Redis commands• Prevent users who gain access from affecting

Redis in unauthorized ways• Keep Redis Application up to date

OTHER 3RD PARTY APPLICATIONS

• Understand scope of server• What needs to access it• Expected network traffic• Expected paths to and from

server• Size the application properly• Utilize all security features of

the application• Secure the server itself

INSTITUTION POLICIES

• Policies meant to encourage secure behavior by all personnel

• Help to prevent privileged user mistakes• Such as sharing security information at a bar

PASSWORD POLICIES

• Strong passwords should be encouraged• Require minimum password strength• Require users to change passwords often• Do not re-use passwords• Do not share passwords

• Can prevent malicious user from accessing privileged account• Privileged accounts can bypass most security• Renders all previous actions essentially moot

DOMAIN USER POLICIES

• Each user has a domain account• Each account has a set of associated roles

• Defines level of access• Administration• IIS/Apache• Etc.

• Limit Access to servers or admin features by role• Prevents unauthorized or unexpected access

THANK YOU!

Matthew SaltzmanSecurity EngineerBlackboard Inc.matthew.saltzman@blackboard.com