Automating Secure Server Baselines with Puppet

CloudPassage
September 28, 2012

People are deploying servers in cloud environments faster than ever before, but most are still not doing so in a safe and secure manner. Too few server instances are hardened as part of the provisioning process, often leaving the technological doors wide open for potential service disruption by malicious threat agents – such as malware, automated attack tools and human attackers. This talk will explain how Puppet can be used to automate the creation and maintenance of secure server baselines as a foundation for securely operating in cloud environments.

Transcript

  1. Automating Secure Server Baselines with Puppet, a.k.a. “Making Fixing Stupid Stuff Easy”
     © 2012 CloudPassage Inc.
     Andrew Hay, [email protected], @andrewsmhay | @cloudpassage, #puppetconf - #CloudSec

  2. Topics for today
     •  Why the cloud makes security hard
     •  Why secure the OS?
     •  What is a baseline?
     •  How Puppet can be used to create secure and repeatable server and application baselines

  3. Who are you?
     •  Andrew Hay, Chief Evangelist, CloudPassage
     •  Former:
        –  Industry Analyst @ 451 Research
        –  Security Analyst @ UofL and bank in Bermuda
        –  Product, Program and Engineering Manager @ Q1 Labs
        –  Linux guy at a few ISPs

  4. Goals of moving to cloud fail to mesh with security

  5. Cloud radically changes IT Ops
     •  Creating servers takes almost zero time
     •  Server location can change frequently
     •  Physical access to architecture no longer an option
     (diagram: a Gold Master and servers www-1 to www-7 spread across a Private Datacenter and a Public Cloud)

  6. Cloud security is new
     (diagram: servers www-1 to www-4 in the private datacenter versus the public cloud)

  7. Cloud security is different
     (diagram: servers www-1 to www-4 in the private datacenter versus the public cloud)

  8. Cloud security is complex
     (diagram: servers www-1 to www-10 spread across Cloud Provider A, Cloud Provider B and a Private Datacenter)

  9. Security products aren’t adapting
     •  No Network Access
     •  Temporary & Elastic Deployments
     •  Multiple Cloud Environments
     (diagram: servers www-1 to www-10 spread across Cloud Provider A, Cloud Provider B and a Private Datacenter)

  10. We used to rely on perimeter defenses
      (diagram: dmz and core firewalls in front of Load Balancer, App Server, Auth Server and DB tiers)

  11. But where is the perimeter in cloud?
      (diagram: the same Load Balancer, App Server, Auth Server and DB tiers running in the public cloud)

  12. The server is adjacent to the perimeter
      (diagram: public cloud with Load Balancer, App Servers and DB Master directly exposed)

  13. Why secure the OS?
      •  A hardened OS is often the last line of defense in the event of a security compromise.
      •  It is important to note that hardening is not a panacea for security.
         –  It is just another layer in a good security model.
      •  By definition, any machine that is accessible on a network and running services is potentially insecure.
         –  (i.e. pretty much any server)

  14. “Andrew’s Law of Servers”
      •  There are 3 kinds of servers:
         1) Secure servers
         2) Insecure servers
         3) Servers that you think are secure…

  15. Servers are vulnerable
      •  National Vulnerability Database search of CVE and CCE vulnerabilities:
         –  Ubuntu
            •  Last 3 years: 788 matching records
            •  Last 3 months: 100 matching records
         –  RedHat
            •  Last 3 years: 1,910 matching records
            •  Last 3 months: 288 matching records
         –  Microsoft Windows (server)
            •  …
      •  NVD reported 3532 vulnerabilities in 2011.
      •  This means that last year about ten new security vulnerabilities were discovered each day.

  16. What is a baseline?
      •  base·line /ˈbāsˌlīn/
         –  A minimum or starting point used for comparisons.
      •  Think of it as the ‘bare minimum’ configuration for:
         –  Server settings
         –  Application configurations
         –  Running services
         –  Etc.
      •  Ask yourself:
         –  “What do I want of my servers?”

  17. Running with baselines…
      •  If your baseline is not secure…
      •  Your servers built off of that baseline are also insecure
      (diagram: a Gold Master and the www servers built from it)

  18. Running with baselines…
      •  Pushing out a ‘Better Master’ might solve a lot of problems
      •  But it will eventually fail you
      (diagram: a Better Master and the www servers built from it)

  19. Running with baselines…
      •  Using our new ‘Gold Master’ we can trust our servers’ security
      •  Letting us focus on other, more pressing tasks
      (diagram: a Gold Master and the www servers built from it)

  20. Running with baselines…
      •  Gold Master updates can be rolled out incrementally
      •  Keeping your operational state…operational
      (diagram: a Gold Master and the www servers being updated in stages)

  21. Top 5 easy things to start building your secure baseline
      1.  Disable unnecessary services
      2.  Remove unneeded packages
      3.  Restrict access to sensitive files & directories
      4.  Remove insecure/default configurations
      5.  Allow administrative access ONLY from trusted servers/clients

  22. Disable unnecessary services
      •  Only what is needed…is needed
      •  Shutdown and disable unnecessary services
         –  e.g. telnet, r-services, ftpd, etc.
      •  Take a look at:
         –  http://www.puppetcookbook.com/posts/ensure-service-stopped-on-boot.html
         –  http://www.puppetcookbook.com/posts/ensure-service-is-stopped.html
         –  http://docs.puppetlabs.com/references/latest/type.html#service

  23. Remove unneeded packages
      •  If it isn’t being used…why keep it?
      •  If the server doesn’t need to serve web pages
         –  Remove PHP, Apache/nginx
      •  If it’s not a database server
         –  Remove MySQL/PostgreSQL
      •  Take a look at:
         –  http://www.puppetcookbook.com/posts/remove-package.html
         –  http://docs.puppetlabs.com/references/latest/type.html#package

  24. Restrict access to sensitive files & directories
      •  Protect what’s important from prying/malicious eyes
      •  Ensure file permissions restrict access to sensitive files and directories
         –  E.g. /etc/shadow, /etc/ssh/sshd_config
         –  E.g. /var/tmp/, /tmp/
      •  Take a look at:
         –  http://docs.puppetlabs.com/references/latest/type.html#file
         –  http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf

  25. Remove insecure/default configurations
      •  Disable password authentication for SSH
         –  Force public key authentication
         –  Also, disable empty passwords for users
      •  SSH
         –  Ensure only v2 protocol connections are allowed
      •  Apache
         –  Minimize loadable modules
         –  Disable ServerTokens and ServerSignature directives
      •  Take a look at:
         –  http://forge.puppetlabs.com/saz/sudo
         –  http://forge.puppetlabs.com/jonhadfield/wordpress
         –  http://forge.puppetlabs.com/attachmentgenie/ssh

  26. Allow administrative access ONLY from trusted servers/clients
      •  Leverage the firewall and other tools
         –  Source of corporate network / admin network range
         –  3rd-party tools like fail2ban
      •  Don’t allow ‘server hopping’
      •  Take a look at:
         –  http://forge.puppetlabs.com/attachmentgenie/ufw
         –  http://forge.puppetlabs.com/example42/firewall
         –  http://forge.puppetlabs.com/puppetlabs/denyhosts

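The five items from slides 21 to 26 expressed as a single Puppet class, added here as an example and not code from the talk, CloudPassage or the modules it lists. It assumes a RHEL-style host (package and service names), puppetlabs-stdlib for `file_line`, puppetlabs-firewall for the `firewall` type (the talk points at other firewall modules), Puppet 4+ for the `each` loop, and a placeholder admin network range.

```puppet
# Added example: a minimal secure baseline class. Names below are assumptions
# for a RHEL-style host; $admin_cidr is a placeholder (RFC 5737 range).
class secure_baseline (
  $admin_cidr = '192.0.2.0/24',   # placeholder admin range; set your own
) {
  # 1. Disable unnecessary services: stopped now and not started at boot.
  #    telnet and the r-services run under xinetd, so that is what we stop.
  service { ['xinetd', 'vsftpd']:
    ensure => stopped,
    enable => false,
    before => Package['telnet-server', 'rsh-server', 'vsftpd'],
  }

  # 2. Remove unneeded packages (this host serves neither web nor DB)
  package { ['telnet-server', 'rsh-server', 'vsftpd',
             'httpd', 'php', 'mysql-server']:
    ensure => absent,
  }

  # 3. Restrict access to sensitive files and directories
  file { '/etc/shadow':
    ensure => file, owner => 'root', group => 'root', mode => '0000',
  }
  file { ['/tmp', '/var/tmp']:
    ensure => directory, mode => '1777',   # sticky bit: only owners delete
  }

  # 4. Remove insecure SSH defaults: v2 only, key-based, no empty passwords
  $sshd = { 'Protocol' => '2', 'PasswordAuthentication' => 'no',
            'PermitEmptyPasswords' => 'no', 'PubkeyAuthentication' => 'yes' }
  $sshd.each |$key, $value| {
    file_line { "sshd_${key}":
      path   => '/etc/ssh/sshd_config',
      line   => "${key} ${value}",
      match  => "^#?${key}\\s",     # replace the shipped default, even if commented
      notify => Service['sshd'],
    }
  }
  service { 'sshd': ensure => running, enable => true }

  # 5. Admin (SSH) access only from the trusted range; drop everything else
  #    (puppetlabs-firewall; newer releases spell `action` as `jump`)
  firewall { '000 accept established':
    proto => 'all', state => ['RELATED', 'ESTABLISHED'], action => 'accept',
  }
  firewall { '100 allow ssh from admin network':
    proto => 'tcp', dport => 22, source => $admin_cidr, action => 'accept',
  }
  firewall { '999 drop all other inbound': proto => 'all', action => 'drop' }
}
```

Apply it with `puppet apply` on a test instance first: the final drop rule locks out any address outside `$admin_cidr`, so a wrong range cuts off your own access.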
  27. If only we had more time…
      •  More documentation to review:
         –  NIST SP800-123: Guide to General Server Security
            •  http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
         –  Halo Configuration Policy Rule Checks
            •  http://support.cloudpassage.com/entries/22033142-configuration-policy-rule-checks
         –  CIS Red Hat Enterprise Linux 6 Benchmark v1.1.0
            •  http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.rhel6.110
         –  NSA Security Configuration Guides
            •  http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#linux2

  28. Moral of the Story
      •  Security of your cloud servers is your responsibility
      •  Security risks in the cloud are real (just check your ssh/RDP logs)
      •  Security baselining isn’t just a best/better practice, it makes your life easier…
      •  …and isn’t that why we started automating in the first place?

  29. What does CloudPassage do?
      Security for virtual servers running in public and private clouds:
      •  Firewall Automation
      •  Multi-Factor Authentication
      •  Account Management
      •  Security Event Alerting
      •  Configuration Security
      •  Vulnerability Scanning
      •  File Integrity Monitoring
      •  API Automation

  30. The End
      •  Ask questions!
         –  Lots more info: community.cloudpassage.com
         –  Small bits of info: @cloudpassage
      •  Tell me what you think!
         –  Email: [email protected]
         –  Twitter: @andrewsmhay
      •  We’re hiring! DevOps, Rails, UX, SecOps, etc…
         –  Email: [email protected]

  31. The End++
      •  Expect a webinar!
         –  We plan on presenting a webinar on securely automating cloud server deployment
         –  Follow our Twitter account for details: @cloudpassage
      •  Community Puppet Code for Halo
         –  https://github.com/mrpatrick/puppet-cloudpassage
         –  https://github.com/rkhatibi/puppet-cloudpassage

  32. Thank You!
      Andrew Hay, [email protected]
      @andrewsmhay @cloudpassage #puppetconf - #CloudSec