SSH Product Overview - Venafi

Post on 06-Mar-2018


  • SSH Product Overview

    Understanding SSH

    SSH Discovery and Remediation

    Agentless SSH

    Agent Based SSH

  • Where is SSH used?

    [Diagram; labels recovered from the slide: SSH, TLS, Customers, Partners, Employees/Admins with Root Access, Application Owners, System Admins, SSH (SCP or SFTP), File Transfer & Remote Script Execution, Jupiter.]

    Simple rule of thumb:

    If it's not Windows or a mainframe, SSH is probably used to log in to it.

  • SSH Basics: User Access

    [Diagram: Alice holds user key A; Server1 and Server2 hold host keys 1 and 2 (their server keys); the authorized_keys on Server1 and on Server2 each list Alice's key A.]

  • SSH Basics: Server-to-Server Access

    [Diagram: the user-access picture extended for server-to-server access. Labels recovered from the slide: Trusted Keys, Client Keys (C), Server1 (host key 1), Server2 (host key 2), Alice (user key A), Server Keys 1 and 2, Authorized Keys listing Alice A.]

  • The State of SSH in Most Organizations

    No inventory

    No key rotation

    Weak keys

    Terminated employees still have access

    Potential backdoor keys

    Pivoting opportunities for attackers

  • SSH Discovery and Remediation

    Venafi products can discover SSH keys and report crucial details about them back to the Venafi server.

    Discovery is a critical part of identifying the status of your SSH key environment across all of your systems.

  • SSH Discovery and Remediation

    Identifying orphaned public keys and resolving them quickly can help to avoid potentially serious vulnerabilities, particularly when an orphaned key is found in a root or administrative account on a server.

    Venafi Products allow us to add/remove SSH keys.

  • Agentless SSH

    TPP server(s) will SSH to target systems to perform scans and remediation

    Work is performed at the time of the user's UI action

    Discussed in detail in its own module

  • Agent Based SSH

    Requires installation of Agent software

    Supports wide range of OS types

    Can gather SSH Key Usage info

    Agents call home for work

    Discussed in detail in its own module

  • Agent vs. Agentless Considerations

    Network traffic direction

    Agent(+): Key usage logging

    Agentless(+): More platform independent (e.g., mainframe, etc.)

    Agentless(-): Credential management for our own agentless access

    Agent(+): Better support for intermittent systems (e.g., user laptops)

    Agent(+): Support for Windows

  • Review

    1. What are SSH Keys used for?

    2. What is the purpose of authorized_keys file?

    3. What is default expiration for a SSH key?

  • Agentless SSH

  • Agentless SSH Overview

    SSH discovery can find SSH keys on devices that do not have agents installed on them

    SSH Remediation can add and remove SSH keys

    TPP uses a remote SSH connection to connect to the systems or servers

    TPP will scan per configured work and create keysets in Aperture

  • Configuring Agentless SSH

    Create Credential Objects

    Create Device Objects

    Configure SSH Work

    Allow scheduled work to happen

    View Results in Aperture

  • Create Credential Objects

    Password (Aperture or WebAdmin)

    SSH Private Key (WebAdmin)

  • Create Device Objects

    Done in WebAdmin

    Supports sudo

    Set Temp Directory if using sudo

  • Device Objects

    Device Inventory

    See status of Devices

    Use filters

    Can be created using Network Discovery

  • View Device Objects

    Shows status info

    Test Connection

  • Edit Device Objects

  • Configure Agentless SSH Work

    Enable folders for Agentless

  • Configure Agentless SSH Work

    Create Group

    Agent Type = No Agent Installed

  • Configure Agentless SSH Work

    Hardcodes Membership Criteria

  • Configure Agentless SSH Work

    Work Types:

    SSH Discovery

    SSH Remediation

    Work explained in upcoming module

  • Run Agentless SSH Scan

    Runs per schedule

    Can be triggered on demand

  • Lab: Agentless SSH

    Lab coming up after next module

  • Review

    1. What are benefits of Agentless SSH?

    2. Can we mix and match Agent and Agentless SSH?

    3. Can Agentless SSH typically be used with Windows Servers?

  • Configuring SSH Work

  • Configuring SSH Work Overview

    SSH work can apply to Agents and Agentless SSH

    Done on the Group under Agents > Groups

    Specify what to scan

    Specify where to scan

    Specify when to scan

    Enable Remediation

  • Enabling SSH Discovery Work

    We can create a new group for SSH work only

    Discover SSH Work = Yes

  • SSH Discovery Work Settings

    Scan interval is similar to Agent check-in time; options are:

    Daily

    Weekly

    Monthly

    Hourly

    On Receipt

    Every 30 Minutes

    Randomization so as not to overload VMs

  • SSH Discovery Work Settings

    Default scan paths for SSH server information and keys.

  • SSH Discovery Work Settings

    Specify folder where agent will look for:

    Host Keys

    User Keys

    Host Keys and User Keys

    Supports wildcards

    Specify where to not scan

  • SSH Discovery Work Settings

    Should the agent scan Network File System (NFS) mount points

    Minimize the impact of discovery

  • SSH Discovery Work Settings

    Select a file size threshold after which the agent should ignore files

    By setting this limit to 1 MB, all keystore files larger than 1 MB are ignored during SSH discovery.

  • SSH Discovery Work Settings

    Logging level detail

    Default is Info

    Written to System logs
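The discovery settings above (scan paths with wildcards, paths to exclude, the NFS mount-point switch, the file size threshold) are easiest to understand as a small scanner. The following is an added example written for this page, not Venafi's agent code: the ScanSettings fields, the name-and-header classification rules and the temporary sample file tree are all constructed assumptions, and a real agent would learn the NFS mount points from the system rather than from a setting.

```python
"""Toy agent-style SSH discovery scan: walk the configured scan paths (wildcards
allowed), honour exclusions, optionally skip NFS mount points, ignore files over a
size threshold and classify the rest as host keys, user keys or authorized_keys.
Added example, not Venafi's agent; settings and the sample tree are constructed."""
import fnmatch
import glob
import os
import shutil
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanSettings:
    scan_paths: tuple       # absolute glob patterns to scan (wildcards supported)
    exclude_paths: tuple    # glob patterns that are never scanned
    scan_nfs: bool          # enter NFS mount points?
    max_file_bytes: int     # larger files are ignored (the slide's 1 MB threshold)
    nfs_mounts: tuple = ()  # assumed input; a real agent would read /proc/mounts

@dataclass(frozen=True)
class Finding:
    path: str
    kind: str   # host-private, host-public, user-private, user-public, authorized_keys

def classify(path, head):
    """Classify a file by its name and first bytes; None when it is not key material."""
    name = os.path.basename(path)
    is_host = name.startswith("ssh_host_")
    if name == "authorized_keys":
        return "authorized_keys"
    if b"PRIVATE KEY-----" in head:
        return "host-private" if is_host else "user-private"
    if head.startswith((b"ssh-", b"ecdsa-sha2-")):
        return "host-public" if is_host else "user-public"
    return None

def _excluded(path, s):
    if any(fnmatch.fnmatch(path, pat) for pat in s.exclude_paths):
        return True
    if not s.scan_nfs:
        return any(path == m or path.startswith(m.rstrip("/") + "/") for m in s.nfs_mounts)
    return False

def scan(s):
    """Return (findings, paths skipped for exceeding the size threshold)."""
    findings, skipped = [], []
    for pattern in s.scan_paths:
        for start in glob.glob(pattern):
            for dirpath, dirnames, filenames in os.walk(start):
                if _excluded(dirpath, s):
                    dirnames[:] = []        # excluded: do not descend any further
                    continue
                for fn in filenames:
                    p = os.path.join(dirpath, fn)
                    if os.path.islink(p):
                        continue
                    if os.path.getsize(p) > s.max_file_bytes:
                        skipped.append(p)
                        continue
                    with open(p, "rb") as fh:
                        kind = classify(p, fh.read(64))
                    if kind:
                        findings.append(Finding(p, kind))
    return findings, skipped

# --- constructed sample tree (placeholder contents, not real keys) -----------
_PRIV = b"-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n-----END OPENSSH PRIVATE KEY-----\n"
_PUB = b"ssh-ed25519 AAAAplaceholder user@host\n"

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def build_sample_tree():
    root = tempfile.mkdtemp(prefix="sshscan-")
    _write(f"{root}/etc/ssh/ssh_host_ed25519_key", _PRIV)
    _write(f"{root}/etc/ssh/ssh_host_ed25519_key.pub", _PUB)
    _write(f"{root}/home/alice/.ssh/id_ed25519", _PRIV)
    _write(f"{root}/home/alice/.ssh/id_ed25519.pub", _PUB)
    _write(f"{root}/home/alice/.ssh/authorized_keys", _PUB)
    _write(f"{root}/home/alice/.ssh/keystore.bin", b"\x00" * 8192)   # over the threshold
    _write(f"{root}/home/bob/.ssh/id_rsa", _PRIV)                    # excluded by pattern
    _write(f"{root}/mnt/nfs/share/.ssh/id_rsa", _PRIV)               # sits on an NFS mount
    g = glob.escape(root)
    settings = ScanSettings(scan_paths=(f"{g}/etc/ssh", f"{g}/home/*/.ssh", f"{g}/mnt/*"),
                            exclude_paths=(f"{g}/home/bob*",), scan_nfs=False,
                            max_file_bytes=4096, nfs_mounts=(f"{root}/mnt/nfs",))
    return root, settings

def run_demo():
    """Build the tree, scan it, clean up; return (counts by kind, skipped, findings)."""
    root, settings = build_sample_tree()
    findings, skipped = scan(settings)
    shutil.rmtree(root)
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts, skipped, findings
```

Running `run_demo()` yields five findings (the host key pair, Alice's key pair and her authorized_keys), one skipped oversize file, and nothing from Bob's excluded directory or the NFS mount. The two skip decisions are made at directory level before any file is opened, which is the point of the NFS switch and the exclusion list on the slide: discovery should not stall on a slow network mount or wade through large keystore files.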

  • SSH Remediation Work

    SSH Remediation > Remediate SSH Work = Yes

  • SSH Remediation Work

    How often Agents check for Remediation work

    Interval between monthly and 1 min

    Randomization of start time

    Agentless SSH performs work immediately

  • SSH Remediation Work

    Logging level detail

    Default is Info

    Agent Writes to:

    Syslog

    Event Logs

  • SSH Key Usage Work

    SSH Key Usage > Collect SSH Logs = Yes

  • SSH Key Usage Work

    How often Agents Deliver SSH Key Usage data

    Interval between daily and 1 min

    Randomization

  • SSH Key Usage Work

    Cache size on Agent side

    Agent logging for SSH Key Usage

  • SSH Key Usage Agent side

    Only Venafi Agent can gather SSH Key Usage!

    Steps required on Venafi Agent side:

    https://support.venafi.com/hc/en-us/articles/215911487

  • Lab: Configuring SSH Work

    SSH labs can be done with Agentless or Agent Based SSH.

    Configuring Agent SSH Work Lab

    Agent SSH configuration

    Enable Discovery and Remediation

    Configuring Agentless SSH Lab

    Agentless Based SSH configuration

    Enable Discovery and Remediation

  • Review

    1. Where are SSH Discovery results placed?

    2. How often will the Agents scan for SSH Keys?

    3. How often will Agentless SSH scan run?

    4. Where does the Agent log SSH discovery information?

  • Creating and Configuring

    SSH Policy

  • Working with SSH Key Policies

    Lock or suggest values*

    Settings inherited down the tree

    Agents represented in Policy structure

    Permission assignment

    Find policy violations

    *Unlike Certificate Policy, some locked values are just for reporting; for example, multiple private key instances when locked to "not allowed".

  • Configuring SSH Policy

    Done in Aperture

    Configuration > Policies

    Opens Policy tree view

    Click on folder icon to expand

  • SSH Policy - General

    Lets you allow or deny user access to one or more remote IP addresses or host names

    Setting will be added to authorized_keys

  • SSH Policy - General

    Using forced commands, you can limit a user account's SSH access and usage

    Instead of the client deciding which command will run, the policy forces the command

  • SSH Policy - General

    Login options in authorized_keys for example:

    no-user-rc

    no-X11-forwarding

    no-agent-forwarding

    More found in documentation

  • SSH Policy Device Connection

  • Dashboard

  • SSH Keysets

    Inventory > SSH Keys

  • Orphan keys

    SSH Keys > Orphans

    Shows keysets where we don't know about the matching private or public key

    We can see that someone has root access to multiple systems
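The authorized_keys options from the SSH Policy - General slides (from= restrictions, forced commands, no-X11-forwarding and the other login options), the weak keys listed under "The State of SSH", and the orphan keysets shown in this view can all be checked from the authorized_keys file itself. The following is an added example, not Venafi TPP code: it parses each authorized_keys entry (options, key type, base64 blob, comment), reads the RSA modulus size out of the wire-format blob, checks the entry against a policy whose values (2048-bit minimum, required options) are assumed here, and reports any key whose fingerprint matches no discovered private key as an orphan. The key blobs and the sample file are constructed placeholders, not real keys.

```python
"""Audit OpenSSH authorized_keys entries against a key policy and flag orphans.
Added example, not Venafi TPP code: policy values, the fake key blobs and the
sample authorized_keys text are constructed for illustration (no real keys)."""
import base64
import hashlib
import re
import struct
from dataclasses import dataclass

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048                                                  # assumed policy value
REQUIRED_OPTIONS = ("from", "no-x11-forwarding", "no-agent-forwarding", "no-user-rc")  # assumed
# options end at the first unquoted whitespace; quoted values may hold commas and \" escapes
_OPTIONS_TOKEN = re.compile(r'^(?:[^\s"]|"(?:[^"\\]|\\.)*")+')
_OPTION = re.compile(r'([A-Za-z][\w-]*)(?:=("(?:[^"\\]|\\.)*"|[^,\s]*))?')

@dataclass
class AuthorizedKey:
    options: dict   # lower-cased option name -> value, or True for flag options
    key_type: str
    blob: bytes     # decoded wire-format public key
    comment: str
    def fingerprint(self):
        digest = hashlib.sha256(self.blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_options(text):
    opts = {}
    for name, value in _OPTION.findall(text):
        if value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])   # strip quotes, unescape
        opts[name.lower()] = value or True
    return opts

def parse_line(line):
    """Parse one authorized_keys line; returns None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options_text, rest = "", line
    if line.split(None, 1)[0] not in KEY_TYPES:     # the line starts with options
        m = _OPTIONS_TOKEN.match(line)
        options_text, rest = m.group(0), line[m.end():].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unrecognized authorized_keys line: {line!r}")
    comment = parts[2] if len(parts) == 3 else ""
    return AuthorizedKey(parse_options(options_text), parts[0], base64.b64decode(parts[1]), comment)

def rsa_modulus_bits(blob):   # ssh-rsa wire format: string "ssh-rsa", mpint e, mpint n
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    return int.from_bytes(fields[2], "big").bit_length()

def check_key(key, require_command=False):
    """List policy violations for one entry; an empty list means compliant."""
    problems = []
    if key.key_type == "ssh-rsa" and rsa_modulus_bits(key.blob) < MIN_RSA_BITS:
        problems.append(f"weak RSA key: {rsa_modulus_bits(key.blob)} bits")
    if require_command and "command" not in key.options:
        problems.append("no forced command")
    problems += [f"missing {o}" for o in REQUIRED_OPTIONS if o not in key.options]
    return problems

def audit(text, known_private_fingerprints=frozenset(), **policy):
    """Audit a whole file; a key matching no discovered private key is an orphan."""
    report = {}
    for key in filter(None, map(parse_line, text.splitlines())):
        problems = check_key(key, **policy)
        if key.fingerprint() not in known_private_fingerprints:
            problems.append("orphan: no matching private key discovered")
        report[key.comment or key.fingerprint()] = problems
    return report

def _s(b):   # SSH wire-format string; helper for the constructed sample data below
    return struct.pack(">I", len(b)) + b

def _fake_rsa_blob(bits):
    n = (1 << (bits - 1)) | 0x10001         # placeholder modulus with exactly `bits` bits
    raw = n.to_bytes((bits + 7) // 8, "big")
    raw = b"\x00" + raw if raw[0] & 0x80 else raw   # mpint: pad when the high bit is set
    return _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(raw)

ALICE_BLOB = _s(b"ssh-ed25519") + _s(b"\x11" * 32)   # constructed, not a real key
WEAK_BLOB, STRONG_BLOB = _fake_rsa_blob(1024), _fake_rsa_blob(4096)
_b64 = lambda b: base64.b64encode(b).decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    'from="10.0.0.0/8,!10.0.5.1",no-X11-forwarding,no-agent-forwarding,no-user-rc '
    f"ssh-ed25519 {_b64(ALICE_BLOB)} alice@laptop",
    f'command="/usr/local/bin/backup.sh",no-pty ssh-rsa {_b64(WEAK_BLOB)} backup@old-host',
    f"ssh-rsa {_b64(STRONG_BLOB)} svc-deploy",
])

def run_demo():   # pretend discovery found only Alice's private key; the other two are orphans
    alice_fp = parse_line(SAMPLE_AUTHORIZED_KEYS.splitlines()[1]).fingerprint()
    return audit(SAMPLE_AUTHORIZED_KEYS, frozenset({alice_fp}))
```

`run_demo()` reports Alice's entry as compliant, the backup key as weak (1024-bit RSA), unrestricted and orphaned, and the deploy key as unrestricted and orphaned. The orphan test is the same matching the Orphans view performs: a public key that discovery cannot pair with a private key anywhere in the inventory is access nobody can account for, which is why an orphan in a root account deserves attention first.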

  • Ke
