Automating secure server baselines with Chef
© 2013 CloudPassage Inc.
Automating Secure Server Baselines with Chef
a.k.a. “Making Fixing Stupid Stuff Easy”

Andrew Hay, [email protected]
@andrewsmhay | @cloudpassage
#ChefConf / #CloudSec
Topics for today
Why the cloud makes security hard
Why secure the OS?
What is a baseline?
How Chef can be used to create secure and repeatable server and application baselines
Who are you?
• My name is Andrew Hay, and I am a chef…
Who are you?
• Andrew Hay, Director of Applied Security Research at CloudPassage, Inc.
• Former:
  – Senior Industry Analyst @ 451 Research
  – Security Analyst @ UofL and a bank in Bermuda
  – Product, Program and Engineering Manager @ Q1 Labs
Goals of moving to cloud fail to mesh with security
[Diagram: a traditional DMZ/core network, with firewalls in front of the load balancer, app server, auth server and databases]
We used to rely on perimeter defenses
[Diagram: the same load balancer, app servers, auth server and databases, now in a public cloud with no firewall tier in front of them]
But where is the perimeter in cloud?
[Diagram: public cloud, with the load balancer, app servers and DB master each directly exposed]
The server is adjacent to the perimeter
Why secure the OS?
• A hardened OS is often the last line of defense in the event of a security compromise.
• Hardening is not a panacea for security; it is just another layer in a good security model.
• By definition, any machine that is accessible on a network and running services is potentially insecure (i.e. pretty much any server).
“Andrew’s Law of Servers”
• There are 3 kinds of servers:
  1) Secure servers
  2) Insecure servers
  3) Servers that you think are secure…
Servers are vulnerable
• National Vulnerability Database search of CVE and CCE vulnerabilities:
  – Ubuntu
    • Last 3 years: 1,015 matching records
    • Last 3 months: 145 matching records
  – Red Hat Enterprise Linux
    • Last 3 years: 50 matching records
    • Last 3 months: 23 matching records
  – Microsoft Windows (server)
    • Last 3 years: 319 matching records
    • Last 3 months: 48 matching records
• NVD reported 5,715 vulnerabilities in 2012.
• This means that last year about 16 new security vulnerabilities were published each day.
What is a baseline?
• base·line /ˈbāsˌlīn/
  – A minimum or starting point used for comparisons.
• Think of it as the ‘bare minimum’ configuration for:
  – Server settings
  – Application configurations
  – Running services
  – Etc.
• Ask yourself: “What do I want of my servers?”
What if I only secure one or two things?
Running with baselines…
[Diagram: a Gold Master image cloned into a row of www servers; a flaw in the master appears in every clone]
If your baseline is not secure, your servers built off of that baseline are also insecure.
Running with baselines…
[Diagram: a ‘Better Master’ replaces some www servers, but the rest are left in an unknown state]
Pushing out a ‘Better Master’ might solve a lot of problems, but it may (will) eventually fail you.
Running with baselines…
[Diagram: a new Gold Master, with every www server rebuilt from it]
Using our new ‘Gold Master’ we can trust our servers’ security, letting us focus on other, more pressing tasks.
Running with baselines…
[Diagram: Gold Master updates rolled out to a few www servers at a time while the rest keep serving]
Gold Master updates can be rolled out incrementally, keeping your operational state… operational.
How Chef Can Help
Top 5 easy things to start building your secure baseline
1. Disable unnecessary services
2. Remove unneeded packages
3. Restrict access to sensitive files & directories
4. Remove insecure/default configurations
5. Allow administrative access ONLY from trusted servers/clients
Disable unnecessary services
• Only what is needed… is needed
• Shut down and disable unnecessary/insecure services
  – e.g. telnet, r-services, ftpd, etc.
  – Prefer the service resource (action [:stop, :disable]) over execute/script for this: it is idempotent, so a repeated chef-client run reports no change once the service is already stopped and disabled.
• Take a look at:
  – http://docs.opscode.com/resource_service.html
  – http://docs.opscode.com/resource_script.html
  – http://docs.opscode.com/resource_execute.html
  – http://docs.opscode.com/dsl_recipe_use_ruby.html
Remove unneeded packages
• If it isn’t being used… why keep it?
• If the server doesn’t need to serve web pages
  – Remove PHP, Apache/nginx
• If it’s not a database server
  – Remove MySQL/PostgreSQL
• Take a look at:
  – http://docs.opscode.com/resource_package.html
  – http://docs.opscode.com/resource_script.html
  – http://docs.opscode.com/resource_execute.html
Remove unneeded packages
• Platform-specific package resources:
  – apt_package
  – chef_gem
  – dpkg_package
  – easy_install_package
  – freebsd_package
  – gem_package
  – ips_package
  – macports_package
  – pacman_package
  – portage_package
  – rpm_package
  – smartos_package
  – solaris_package
  – yum_package
• http://docs.opscode.com/resource_package.html
Restrict access to sensitive files & directories
• Protect what’s important from prying/malicious eyes
• Ensure file permissions restrict access to sensitive files and directories
  – e.g. /etc/ssh/sshd_config, /var/log/
  – e.g. C:\Windows, C:\Inetpub
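Items 1 to 3 above are all “compare the host to the baseline and fix the difference”. The following is an added example, not code from the slides or from CloudPassage: a plain-Ruby audit (not Chef DSL, so it runs without a chef-client) of a constructed host snapshot against a small baseline covering services, packages and file modes. The service, package and path names in BASELINE and HOST are assumptions chosen for illustration. In a Chef recipe each baseline line becomes a resource (service with action [:stop, :disable], package with action :remove, file with mode/owner); what this check reports is what such a converge would have to change, which is exactly the gap between a secure server and one you think is secure.

```ruby
# Added example, not from the slides: audit one host against a small baseline
# covering items 1-3 above. In Chef each baseline line maps to a resource that
# enforces it, e.g.
#   service 'telnet' do action [:stop, :disable] end
#   package 'telnetd' do action :remove end
#   file '/etc/ssh/sshd_config' do mode '0600'; owner 'root' end
# This plain-Ruby check only reports what such a converge would have to change.
require 'set'

# The baseline: what we want of our servers (values assumed for illustration).
BASELINE = {
  forbidden_services: %w[telnet rsh rlogin vsftpd],   # must be stopped and disabled
  forbidden_packages: %w[telnetd rsh-server vsftpd],  # must not be installed
  file_modes: {                                       # path => strictest allowed mode, owner
    '/etc/ssh/sshd_config' => { mode: 0o600, owner: 'root' },
    '/var/log'             => { mode: 0o750, owner: 'root' },
    '/etc/shadow'          => { mode: 0o640, owner: 'root' },
  },
}.freeze

# Constructed snapshot of a host that "looks fine"; a real one would come from
# the service manager, the package database and File.stat.
HOST = {
  name: 'www-03',
  services: {
    'sshd'   => { running: true,  enabled: true },
    'telnet' => { running: true,  enabled: true },
    'vsftpd' => { running: false, enabled: true },  # stopped by hand, comes back on reboot
  },
  packages: Set.new(%w[openssh-server telnetd nginx]),
  files: {
    '/etc/ssh/sshd_config' => { mode: 0o644, owner: 'root' },
    '/var/log'             => { mode: 0o755, owner: 'root' },
    '/etc/shadow'          => { mode: 0o640, owner: 'root' },
  },
}.freeze

# Returns [category, detail] pairs; an empty list means every baseline item
# already holds (in Chef terms, every resource would be "up to date").
def audit(host, baseline = BASELINE)
  findings = []
  baseline[:forbidden_services].each do |svc|
    state = host[:services][svc]
    next unless state                                      # not present: nothing to do
    findings << [:service, "#{svc} is running"]         if state[:running]
    findings << [:service, "#{svc} is enabled at boot"] if state[:enabled]
  end
  baseline[:forbidden_packages].each do |pkg|
    findings << [:package, "#{pkg} is installed"] if host[:packages].include?(pkg)
  end
  baseline[:file_modes].each do |path, want|
    have = host[:files][path]
    unless have
      findings << [:file, "#{path} is missing"]
      next
    end
    # Too permissive if the actual mode sets any bit the baseline mode does not.
    if (have[:mode] & ~want[:mode]) != 0
      findings << [:file, format('%s mode %04o exceeds %04o', path, have[:mode], want[:mode])]
    end
    findings << [:file, "#{path} owned by #{have[:owner]}, want #{want[:owner]}"] if have[:owner] != want[:owner]
  end
  findings
end

# "Andrew's Law of Servers": no findings means secure with respect to this
# baseline; anything else was only a server you thought was secure.
def classify(host, baseline = BASELINE)
  audit(host, baseline).empty? ? :secure : :thought_secure
end

if $PROGRAM_NAME == __FILE__
  audit(HOST).each { |category, detail| puts "#{HOST[:name]} [#{category}] #{detail}" }
  puts "#{HOST[:name]}: #{classify(HOST)}"
end
```

Note the vsftpd case: the daemon is not running, so a `ps` check passes, but it is still enabled at boot, which is why the baseline checks both states separately rather than trusting “running: false”.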
Remove insecure/default configurations
• Disable password authentication for SSH
  – Force public key authentication
  – Also, disable empty passwords for users
• SSH
  – Ensure only v2 protocol connections are allowed (Protocol 2; OpenSSH 7.4 and later no longer ship the v1 server at all, so on those versions this is moot)
• Apache
  – Minimize loadable modules
  – Set ServerTokens Prod and ServerSignature Off so the server stops advertising its version and modules (neither directive can be “disabled”, only set to the least talkative value)
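The SSH items above are cheap to set and easy to get wrong, because sshd uses the first value it reads for a keyword: a `PasswordAuthentication no` appended below the distro’s `PasswordAuthentication yes` changes nothing, and a setting inside a `Match` block applies only to matching connections. The following is an added example, not code from the slides or from CloudPassage: a plain-Ruby sshd_config linter that mirrors that first-wins rule and reports which of the baseline values are missing or wrong. Both config files are constructed; the keyword list is the one this slide asks for. The Apache directives can be checked the same way, but note that Apache applies the last directive in a scope, the opposite of sshd.

```ruby
# Added example, not from the slides: lint an sshd_config against the SSH items
# above. sshd uses the FIRST value it reads for a keyword, and settings inside a
# Match block are conditional, so neither can satisfy a global requirement.

# Required global settings, keyword => value. Keywords are case-insensitive in
# sshd, so they are stored lower-case.
SSHD_BASELINE = {
  'passwordauthentication' => 'no',   # force public key authentication
  'permitemptypasswords'   => 'no',
  'pubkeyauthentication'   => 'yes',
  'protocol'               => '2',    # moot on OpenSSH 7.4+, which has no v1 server
}.freeze

# Global section of sshd_config as { keyword => first value seen }. Comments and
# blank lines are skipped; parsing stops at the first Match block because every
# line after it is conditional.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)      # "Key value" or "Key=value"
    key = key.downcase
    break if key == 'match'
    settings[key] = value unless settings.key?(key) # first one wins, like sshd
  end
  settings
end

# Violations as human-readable strings; empty means the file meets the baseline.
# An unset keyword is a violation too: the baseline wants it explicit, not left
# to whatever this OpenSSH version defaults to.
def lint_sshd_config(text, baseline = SSHD_BASELINE)
  actual = parse_sshd_config(text)
  baseline.each_with_object([]) do |(key, want), violations|
    have = actual[key]
    if have.nil?
      violations << "#{key}: not set (default applies)"
    elsif have.downcase != want
      violations << "#{key}: is #{have}, want #{want}"
    end
  end
end

# Constructed: distro default with a hardening line bolted on at the bottom,
# the usual result of a "sed -i" style fix run after the fact.
WEAK_SSHD = <<~CONF
  # /etc/ssh/sshd_config (constructed)
  Port 22
  Protocol 2
  PasswordAuthentication yes
  PermitEmptyPasswords no
  # appended by a hardening script; sshd ignores it, the line above wins
  PasswordAuthentication no
  Match User backup
      PasswordAuthentication no
CONF

# Constructed: what the baseline actually wants, stated once and explicitly.
HARDENED_SSHD = <<~CONF
  Protocol 2
  PubkeyAuthentication yes
  PasswordAuthentication no
  PermitEmptyPasswords no
  ChallengeResponseAuthentication no
CONF

if $PROGRAM_NAME == __FILE__
  { 'weak' => WEAK_SSHD, 'hardened' => HARDENED_SSHD }.each do |label, conf|
    v = lint_sshd_config(conf)
    puts "#{label}: #{v.empty? ? 'OK' : v.join('; ')}"
  end
end
```

In a cookbook the right fix is to manage the whole file from a template rather than append to it, and to notify the sshd service to reload; the linter is what you run in a test kitchen or as a post-converge check to confirm the template actually landed first.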
Remove insecure/default configurations
• Apache Example
• Take a look at:
  – http://docs.opscode.com/essentials_cookbook_attribute_files.html
  – http://docs.opscode.com/essentials_roles.html
Allow administrative access ONLY from trusted servers/clients
• Leverage the firewall and other tools
  – Source: corporate network / admin network range
  – 3rd-party tools like fail2ban
• Don’t allow (or at least restrict) ‘server hopping’
• Take a look at:
  – http://community.opscode.com/cookbooks/fail2ban
  – http://community.opscode.com/cookbooks/firewall
  – http://community.opscode.com/cookbooks/ssh_known_hosts
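The firewall rule does the real work here (port 22 reachable only from the admin range); fail2ban is the reactive layer for whatever that rule still lets through, and its ignore list is what keeps a fat-fingered admin from locking the admin network out. The following is an added example, not code from the slides or from CloudPassage: a plain-Ruby replay of an auth log through a fail2ban-style policy (maxretry failures within findtime seconds from one source means a ban) with a trusted-network ignore list. The log lines, host name and network ranges are constructed; the regex matches OpenSSH’s “Failed password” line only, whereas fail2ban’s sshd filter covers more patterns.

```ruby
# Added example, not from the slides: replay an auth log through a fail2ban-style
# policy with an ignore list for the admin network range. A real setup also
# restricts port 22 to ADMIN_NETS at the firewall; this only reacts to what got
# through.
require 'ipaddr'

# Assumed corporate/admin ranges (fail2ban calls this ignoreip).
ADMIN_NETS = %w[10.20.0.0/16 203.0.113.0/24].map { |cidr| IPAddr.new(cidr) }.freeze

# Matches OpenSSH's "Failed password" line, with or without "invalid user".
FAILED_LOGIN = /\A(?<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?<user>\S+) from (?<ip>[\d.]+) port \d+ ssh2\z/

def trusted?(ip)
  addr = IPAddr.new(ip)
  ADMIN_NETS.any? { |net| net.include?(addr) }
end

# Syslog stamps carry no year, so for this one-day sample compare seconds of
# day (assumption: the log does not cross midnight).
def seconds_of_day(ts)
  h, m, s = ts[/\d\d:\d\d:\d\d/].split(':').map(&:to_i)
  h * 3600 + m * 60 + s
end

# Returns { banned: [ips], ignored: [ips], failures: { ip => count } }.
def evaluate(log, maxretry: 5, findtime: 600)
  recent = Hash.new { |h, k| h[k] = [] }          # ip => timestamps inside the window
  result = { banned: [], ignored: [], failures: Hash.new(0) }
  log.each_line do |line|
    m = FAILED_LOGIN.match(line.chomp) or next    # accepted logins etc. are not failures
    ip = m[:ip]
    result[:failures][ip] += 1
    t = seconds_of_day(m[:ts])
    window = recent[ip]
    window << t
    window.reject! { |old| t - old > findtime }   # sliding window, like fail2ban's findtime
    next if window.size < maxretry
    bucket = trusted?(ip) ? :ignored : :banned    # ignoreip: log it, never ban it
    result[bucket] << ip unless result[bucket].include?(ip)
  end
  result
end

# Constructed auth log: one brute-force source, one admin typing a wrong
# password five times from the admin range, one slow prober.
AUTH_LOG = <<~LOG
  Mar  3 10:15:01 www-03 sshd[2211]: Failed password for root from 198.51.100.7 port 52011 ssh2
  Mar  3 10:15:03 www-03 sshd[2211]: Failed password for root from 198.51.100.7 port 52012 ssh2
  Mar  3 10:15:05 www-03 sshd[2214]: Failed password for invalid user admin from 198.51.100.7 port 52013 ssh2
  Mar  3 10:15:06 www-03 sshd[2214]: Failed password for invalid user oracle from 198.51.100.7 port 52014 ssh2
  Mar  3 10:15:09 www-03 sshd[2216]: Failed password for invalid user test from 198.51.100.7 port 52015 ssh2
  Mar  3 10:16:10 www-03 sshd[2230]: Failed password for deploy from 10.20.4.9 port 40112 ssh2
  Mar  3 10:16:12 www-03 sshd[2230]: Failed password for deploy from 10.20.4.9 port 40112 ssh2
  Mar  3 10:16:15 www-03 sshd[2230]: Failed password for deploy from 10.20.4.9 port 40112 ssh2
  Mar  3 10:16:20 www-03 sshd[2233]: Failed password for deploy from 10.20.4.9 port 40115 ssh2
  Mar  3 10:16:24 www-03 sshd[2233]: Failed password for deploy from 10.20.4.9 port 40115 ssh2
  Mar  3 10:16:40 www-03 sshd[2235]: Accepted publickey for deploy from 10.20.4.9 port 40118 ssh2
  Mar  3 10:40:00 www-03 sshd[2301]: Failed password for root from 192.0.2.44 port 33001 ssh2
  Mar  3 10:55:00 www-03 sshd[2302]: Failed password for root from 192.0.2.44 port 33002 ssh2
LOG

if $PROGRAM_NAME == __FILE__
  r = evaluate(AUTH_LOG)
  puts "banned:  #{r[:banned].join(', ')}"
  puts "ignored: #{r[:ignored].join(', ')}"
  r[:failures].each { |ip, n| puts "#{ip}: #{n} failed logins" }
end
```

The slow prober (two failures 15 minutes apart) never trips the window, which is the limit of this kind of rate-based control and the reason the source restriction at the firewall comes first on the slide.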
If only we had more time…
• More documentation to review:
  – NIST SP800-123: Guide to General Server Security
    • http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
  – Halo Configuration Policy Rule Checks
    • http://support.cloudpassage.com/entries/22033142-configuration-policy-rule-checks
  – Center for Internet Security (CIS) Benchmarks
    • http://benchmarks.cisecurity.org/downloads/benchmarks/
  – Microsoft (yes, that Microsoft)
    • http://www.microsoft.com/en-us/download/details.aspx?id=17606
In Closing
Moral of the Story
• Security of your cloud servers is your responsibility
• Security risks in the cloud are real (just check your ssh/RDP logs)
• Security baselining isn’t just a best/better practice, it makes your life easier…
• …and isn’t that why we started automating in the first place?
What does CloudPassage do?
Security for virtual servers running in public and private clouds:
• Firewall Automation
• Multi-Factor Authentication
• Account Management
• Security Event Alerting
• Configuration Security
• Vulnerability Scanning
• File Integrity Monitoring
• API Automation
The End
• Ask questions!
  – Lots more info: community.cloudpassage.com
  – Small bits of info: @cloudpassage
• Tell me what you think!
  – Email: [email protected]
  – Twitter: @andrewsmhay
• We’re hiring! Email: [email protected]
BTW, We’re Hiring!
The End+=1
• Expect a webinar!
  – We plan on presenting a webinar on securely automating cloud server deployment
  – Follow our Twitter account for details: @cloudpassage
• Community Chef Code for Halo
  – https://github.com/escapestudios/chef-cloudpassage
  – http://community.opscode.com/cookbooks/cloudpassage
The End+=umm…more
• GitHub
  – http://github.com/cloudpassage
  – http://github.com/andrewsmhay
Thank You!
Andrew Hay
[email protected]
@andrewsmhay | @cloudpassage
#ChefConf / #CloudSec