
Stay away from the internet - securing modern infrastructure

A run through three topics relevant to securing and reducing the attack surface area for modern web infrastructure. Talk of network complexity, SDN, end user device security, spearphishing, unikernels and more.

Presented at #OSCON 2015 in Amsterdam.

Gareth Rushgrove

October 27, 2015

Transcript

  1. Stay Away from the Internet: Limiting the attack surface for modern web infrastructure. Gareth Rushgrove, Puppet Labs
  2. - Minimize attack surface area
     - Establish secure defaults
     - Principle of Least privilege
     - Principle of Defence in depth
     - Don’t trust services
  3. - Fail securely
     - Separation of duties
     - Avoid security through obscurity
     - Keep security simple
     - Fix security issues correctly
  6. - Minimize attack surface area
     - Establish secure defaults
     - Principle of Least privilege
     - Principle of Defence in depth
     - Don’t trust anything services
  7. - Enforce format (JSON, XML)
     - Enforce schema
     - Boundary limiting (rate, size, etc.)
     - Directionality
  11. content_by_lua '
        local cjson = require "cjson"
        -- make a subrequest, passing the request body
        local res = ngx.location.capture(
          "/request",
          { method = ngx.HTTP_POST, body = ngx.var.request_body }
        )
        -- if the subrequest errors
        if res.status ~= ngx.HTTP_OK then
          ngx.status = ngx.HTTP_BAD_REQUEST
          ngx.say("invalid request")
          return
        end
        -- if we have a valid request, decode response as JSON
        local success, response = pcall(cjson.decode, res.body)
        if success then
          -- if valid JSON just pass through the response
          -- (the slide is cut off here; the lines below are an assumed completion)
          ngx.print(res.body)
        else
          ngx.status = ngx.HTTP_BAD_REQUEST
          ngx.say("invalid response")
        end
      ';

      Nginx supports Lua and JS extensions, HAProxy supports Lua
  12. it 'has only a limited number of open ports' do
        expect(@open_ports.count).to eq(3)
      end
      it 'exposes a web server' do
        expect(@open_ports).to include('80/tcp')
        expect(@open_ports).to include('443/tcp')
      end
      it 'exposes an SSH server' do
        expect(@open_ports).to include('22/tcp')
      end
      it 'rejects email traffic' do
        expect(@closed_ports).to include('25/tcp')
      end

      Using any unit testing framework we can make explicit assertions against our network
  13. www.puppetlabs.com from 192.168.1.10
        has only a limited number of open ports (FAILED - 3)
        exposes a web server
        exposes an SSH server
        rejects accept email traffic (FAILED - 4)

      Anyone can run the tests and understand what is expected and what is currently broken
  14. $ iptables -A INPUT -s 65.55.44.100 -j DROP

      Stop running individual commands on individual machines
  15. firewall { '002 reject local traffic not on loopback interface':
        iniface     => '! lo',
        proto       => 'all',
        destination => '127.0.0.1/8',
        action      => 'reject',
      }

      Necessary but not sufficient. Still requires domain knowledge and lots of context.
  16. application elk(
        $cluster_name = $name,
        $es_port      = 9200
      ) {
        elk::elasticsearch { 'one':
          export       => Es_instance['one'],
          es_port      => $es_port,
          es_host      => $::fqdn,
          cluster_name => $cluster_name,
        }
        elk::elasticsearch { 'two':
          export       => Es_instance['two'],
          es_port      => $es_port,
          es_host      => $::fqdn,
          cluster_name => $cluster_name,
        }
        elk::kibana { $name:
          require => Es_instance[one,two],
        }
      }

      Most users should interact at a higher level of abstraction, allowing for secure defaults to be established by experts
  17. Apple, Facebook employees hacked via website malware, Java vulnerability
      http://www.zdnet.com/apple-facebook-employees-hacked-via-website-malware-java-vulnerability-7000011601/
  18. Once a component is shared in a public repository, it stays there forever even after many newer, safer versions have been introduced.
  19. Components often depend on other components in order to function. If a vulnerability is found in a component dependency, it is difficult for the open source project or the user to know about it.
  20. There is clear evidence that known vulnerable or defective components stored in public warehouses are downloaded by development teams, and end up in our software largely unnoticed.
  21. Q: How many people have commit access to all the software you use?
  22. [Diagram. Labels: Hardware, Operating system, Runtime, Application]
      But hardware is expensive so let's run multiple applications on the same machine
  23. [Diagram. Labels: Hardware, Hypervisor, Operating system, Runtime, Application]
      Run multiple virtual machines! (Each with their own copy of the operating system)
  24. [Diagram. Labels: Hardware, Hypervisor, Operating system, Runtime, Application]
      But the overhead of virtualisation is expensive so run multiple applications per VM
  25. [Diagram. Labels: Hardware, Hypervisor, Operating system, Container runtime, Container, Operating system, Runtime, Application]
      I heard you like containers so we put containers in your virtual machines
  26. [Diagram. Labels: Hardware, Hypervisor, Operating system, Container runtime, Container, Operating system, A different OS, Even more OS, Runtime, Application]
      Lots and lots of containers in fact
  27. [Diagram. Labels: Hardware, Hypervisor, Operating system, Container runtime, Container, Static binary]
      Cool folks use static binaries and scratch containers
  28. [Diagram. Labels: Hardware, Operating system, Container runtime, Container, Static binary]
      Don’t need virtualisation isolation guarantees?
  29. - Hypervisor/hardware isolation
      - Smaller attack surface area
      - Running (a lot) less code
      - Enforced immutability
      - No default remote access
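
Slides 12 and 13 assert on @open_ports and @closed_ports without showing where those values come from. The Ruby below is an added example, not code from the deck: it parses the port table of nmap's normal output and checks it against the policy implied by slide 12. The names parse_ports, policy_violations and POLICY are hypothetical, and the sample scan is constructed.

```ruby
# Added example: names, policy and sample scan are constructed for illustration.
SAMPLE_SCAN = <<~SCAN
  PORT    STATE  SERVICE
  22/tcp  open   ssh
  25/tcp  open   smtp
  80/tcp  open   http
  443/tcp open   https
SCAN

# Policy taken from the assertions on slide 12.
POLICY = {
  must_be_open: %w[22/tcp 80/tcp 443/tcp],
  must_be_closed: %w[25/tcp]
}.freeze

PORT_ID = %r{\A\d{1,5}/(?:tcp|udp)\z}
STATES = %w[open closed filtered unfiltered open|filtered closed|filtered].freeze

# Returns { "22/tcp" => "open", ... }; header and banner lines are skipped.
def parse_ports(scan_text)
  scan_text.each_line.with_object({}) do |line, ports|
    port, state = line.split
    next unless PORT_ID.match?(port.to_s) && STATES.include?(state)
    ports[port] = state
  end
end

# Returns human-readable violations; an empty array means the host conforms.
def policy_violations(ports, policy)
  open_ports = ports.select { |_, state| state == 'open' }.keys
  violations = []
  policy[:must_be_open].each do |p|
    next if open_ports.include?(p)
    violations << "#{p} expected open, found #{ports.fetch(p, 'not reported')}"
  end
  # Anything open that is not allowlisted widens the attack surface.
  (open_ports - policy[:must_be_open]).each do |p|
    violations << "#{p} is open but not in the allowlist"
  end
  # "filtered" or missing is not accepted as proof that a port is closed.
  policy[:must_be_closed].each do |p|
    state = ports.fetch(p, 'not reported')
    violations << "#{p} expected closed, found #{state}" unless state == 'closed'
  end
  violations
end

puts policy_violations(parse_ports(SAMPLE_SCAN), POLICY) if __FILE__ == $PROGRAM_NAME
```

On the constructed scan this reports two violations for 25/tcp, mirroring the two failing tests on slide 13.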