Stay away from the internet - securiting modern infrastructure

Transcript

1. Stay Away from the Internet Puppet Labs Gareth Rushgrove Limiting

   the attack surface for modern web infrastructure

2. Gareth Rushgrove @garethr

3. Gareth Rushgrove

4. A Bit Of Context Admitting we have a problem

5. Gareth Rushgrove Security in the news

6. Gareth Rushgrove Security in the news II

7. Gareth Rushgrove Just last week

8. Gareth Rushgrove I’ll stop now

9. Principles Worth repeating

10. Gareth Rushgrove

11. Minimize attack surface area Establish secure defaults Principle of Least

    privilege Principle of Defence in depth Don’t trust services Gareth Rushgrove - - - - -

12. Fail securely Separation of duties Avoid security through obscurity Keep

    security simple Fix security issues correctly Gareth Rushgrove - - - - -

13. Minimize attack surface area Establish secure defaults Principle of Least

    privilege Principle of Defence in depth Don’t trust services Gareth Rushgrove - - - - -

14. Minimize attack surface area Establish secure defaults Principle of Least

    privilege Principle of Defence in depth Don’t trust services Gareth Rushgrove - - - - -

15. Minimize attack surface area Establish secure defaults Principle of Least

    privilege Principle of Defence in depth Don’t trust anything services Gareth Rushgrove - - - - -

16. This Talk We have 40 minutes to save your app

17. Networks and infrastructure People + computers Software supply chain Gareth

    Rushgrove - - -

18. Networks and infrastructure People + computers Software supply chain Gareth

    Rushgrove - - -

19. Networks and infrastructure People + computers Software supply chain Gareth

    Rushgrove - - -

20. Starting with the Network Open by default

21. Everyone has an air gapped network right? Gareth Rushgrove

22. Everything connected to the internet! Gareth Rushgrove

23. Gareth Rushgrove Load balancer The Internet Database server Web server

24. Firewalls are the answer Gareth Rushgrove

25. Gareth Rushgrove Load balancer The Internet Database server Web server

    TCP 80, 443, 22 TCP 22 TCP 22

26. NETWORK SECURE

27. The Moat is Not Enough Defence in depth remember

28. Virtual Private Network Gareth Rushgrove

29. Gareth Rushgrove Load balancer The Internet Database server Web server

    TCP 80, 443, 22 TCP 1723 TCP 1723

30. SSH jumpbox Gareth Rushgrove

31. Gareth Rushgrove Load balancer The Internet Database server Web server

    TCP 80, 443 TCP 1723 Jumpbox TCP 22 TCP 22

32. Internal network explosion Gareth Rushgrove

33. Gareth Rushgrove Load balancer Database server Web server

34. Gareth Rushgrove In reality more like

35. More firewalls Gareth Rushgrove

36. Gareth Rushgrove Load balancer Database server Web server TCP 80,

    22 TCP 5432, 22 TCP 80, 443, 22

37. Why does the database talk to the load balancer? Gareth

    Rushgrove

38. Gareth Rushgrove Load balancer Database server Web server TCP 80

    TCP 5432 TCP 22 TCP 22 TCP 22

39. Encrypt internal traffic too Gareth Rushgrove

40. Gareth Rushgrove Load balancer Database server Web server TCP 22

    TCP 22 TCP 22 TCP 443 TCP 5432

41. Advanced Course No such thing as too much defence in

    depth

42. Control outgoing, not just incoming, traffic Gareth Rushgrove

43. Gareth Rushgrove Database server Web server TCP 5432 The Internet

44. Gareth Rushgrove Database server Web server TCP 5432 The Internet

45. Validate payloads with schemas Gareth Rushgrove

46. Gareth Rushgrove Web server Application server TCP 8080

47. Gareth Rushgrove Web server Validating proxy TCP 8080 Application server

    TCP 8080

48. Enforce format (JSON, XML) Enforce schema Boundary limiting (rate, size,

    etc.) Directionality Gareth Rushgrove - - - -

49. Enforce format (JSON, XML) Enforce schema Boundary limiting (rate, size,

    etc.) Directionality Gareth Rushgrove - - - -

50. Enforce format (JSON, XML) Enforce schema Boundary limiting (rate, size,

    etc.) Directionality Gareth Rushgrove - - - -

51. Enforce format (JSON, XML) Enforce schema Boundary limiting (rate, size,

    etc.) Directionality Gareth Rushgrove - - - -

52. Do you (always) need remote access? Gareth Rushgrove

53. Gareth Rushgrove Load balancer Database server Web server TCP 443

    TCP 5432

54. Gareth Rushgrove Load balancer Database server Web server TCP 443

    TCP 5432 TCP 22 TCP 1723

55. Gareth Rushgrove Load balancer Database server Web server TCP 443

    TCP 5432

56. Traffic analysis Gareth Rushgrove What does normal look like?

57. Protocol breaks Gareth Rushgrove

58. Hardware boundaries Gareth Rushgrove

59. Things We Can Do Practical tips

60. Add validation to existing proxies Gareth Rushgrove

61. content_by_lua ' local cjson = require "cjson" -- make a

    subrequest, passing the request body res = ngx.location.capture( "/request", { method = ngx.HTTP_POST, body = ngx.var.request_body } ) -- if the subrequest errors if res.status == ngx.HTTP_OK then else ngx.status = ngx.HTTP_BAD_REQUEST ngx.say("invalid request") return end -- if we have a valid request, decode response as JSON local success, response = pcall(cjson.decode, res.body) if success then -- if valid JSON just pass through the response Nginx supports Lua and JS extensions, HAProxy supports Lua

62. Automated unit tests to enforce the rules Gareth Rushgrove

63. it 'has only a limited number of open ports' do

    expect(@open_ports.count).to eq(3) end it 'exposes a web server' do expect(@open_ports).to include('80/tcp') expect(@open_ports).to include('443/tcp') end it 'exposes an SSH server' do expect(@open_ports).to include('22/tcp') end it 'rejects email traffic' do expect(@closed_ports).to include('25/tcp') end Using any unit testing framework we can make explicit assertions against our network

64. www.puppetlabs.com from 192.168.1.10 has only a limited number of open

    ports (FAILED - 3) exposes a web server exposes an SSH server rejects accept email traffic (FAILED - 4) Anyone can run the tests and understand what is expected and what is currently broken

65. Model driven automation and higher levels of abstraction Gareth Rushgrove

66. $ iptables -A INPUT -s 65.55.44.100 -j DROP Stop running

    individual commands on indivual machines

67. firewall { '002 reject local traffic not on loopback interface':

    iniface => '! lo', proto => 'all', destination => '127.0.0.1/8', action => 'reject', } Necessary but not sufficient. Still requires domain knowledge and lots of context.

68. application elk( $cluster_name = $name, $es_port = 9200 ) {

    elk::elasticsearch { 'one': export => Es_instance['one'], es_port => $es_port, es_host => $::fqdn, cluster_name => $cluster_name, } elk::elasticsearch { 'two': export => Es_instance['two'], es_port => $es_port, es_host => $::fqdn, cluster_name => $cluster_name, } elk::kibana { $name: require => Es_instance[one,two], Most users should interact at a higher level of abstraction, allowing for secure defaults to be established by experts

69. and in a galaxy far, far away… Gareth Rushgrove

70. Gareth Rushgrove

71. People People + Computers are terrible

72. The attack surface of your infrastructure also includes the people

    managing it Gareth Rushgrove

73. Effort spent defending the laptop that access it Effort spent

    securing the infrastructure

74. Effort spent defending the laptop that access it t e

    re

75. Apple, Facebook employees hacked via website malware, Java vulnerability Gareth

    Rushgrove http://www.zdnet.com/apple-facebook-employees-hacked-via-website-malware-java-vulnerability-7000011601/

76. End User Device Security Gareth Rushgrove

77. Gareth Rushgrove UK Government guidance

78. Gareth Rushgrove Per-platform guidance

79. OPSEC Gareth Rushgrove

80. Gareth Rushgrove Checked in AWS keys

81. Gareth Rushgrove Personal .bash_profile

82. Gareth Rushgrove Windows Signing Key

83. Gareth Rushgrove Spearsphishing

84. Things We Can Do More practical tips

85. Gareth Rushgrove GitRob

86. Gareth Rushgrove

87. Training Gareth Rushgrove

88. Other Peoples Software Most of the software you run was

    written by someone else

89. Manage your software supply chain Gareth Rushgrove

90. Gareth Rushgrove Report from Sonatype

91. Once a component is shared in a public repository, it

    stays there forever even after many newer, safer versions have been introduced. Gareth Rushgrove

92. A once safe component may be found to be vulnerable

    at any time. Gareth Rushgrove

93. Components often depend on other components in order to function.

    If a vulnerability is found in a component dependency, it is difficult for the open source project or the user to know about it. Gareth Rushgrove

94. There is clear evidence that known vulnerable or defective components

    stored in public warehouses are downloaded by development teams, and end up in our software largely unnoticed. Gareth Rushgrove

95. Q How many people have commit access to all the

    software you use? Gareth Rushgrove

96. A Too many to count Gareth Rushgrove

97. The End of the General Purpose Operating System And other

    tales

98. Gareth Rushgrove Operating system Hardware Application Once upon a time…

99. Gareth Rushgrove Operating system Hardware Runtime Application Your application might

    need a runtime so lets add one

100. Gareth Rushgrove Operating system Hardware Runtime Application Application Application Application

     Application Application Runtime But hardware is expensive so lets run multiple applications on the same machine

101. Gareth Rushgrove Operating system Hypervisor Hardware Runtime Application Applications need

     isolating so lets use virtualisation

102. Gareth Rushgrove Operating system Hypervisor Hardware Runtime Application Operating system

     Runtime Application Operating system Runtime Application Run multiple virtual machines! (Each with there own copy of the operating system)

103. Gareth Rushgrove Operating system Hypervisor Hardware Runtime Application Operating system

     Runtime Application Application Application Application But the overhead of virtualisation is expensive so run multiple applicartions per VM

104. Gareth Rushgrove Operating system Hypervisor Hardware Container Operating system Runtime

     Application Container runtime I heard you like containers so we put containers in your virtiual machines

105. Gareth Rushgrove Operating system Hypervisor Hardware Container A different OS

     Runtime Application Container runtime Container Operating system Runtime Application Container Even more OS Runtime Application Lots and lots of containers in fact

106. Hypervisor Hardware Gareth Rushgrove Operating system Container Static binary Container

     runtime Container Static binary Container Static binary Cool folks use static binaries and scratch containers

107. Gareth Rushgrove Operating system Hardware Container Static binary Container runtime

     Container Static binary Container Static binary Don’t need virtualisation isolation guarantees?

108. Unikernels A library operating system

109. What if there is no OS above the hypervisor? Gareth

     Rushgrove

110. Gareth Rushgrove Unikernel Hypervisor Hardware Unikernels compile your application to

     a kernel, which can run on a hypervisor. That’s it.

111. Gareth Rushgrove Rise of the Virtual Library OS

112. Gareth Rushgrove MirageOS

113. Gareth Rushgrove HaLVM

114. Gareth Rushgrove Rump Kernel

115. Gareth Rushgrove LING

116. Gareth Rushgrove IncludeOS

117. Gareth Rushgrove

118. Hypervisor/hardware isolation Smaller attack surface area Running (a lot) less

     code Enforced immutability No default remote access Gareth Rushgrove - - - - -

119. Things We Can Do Maybe not as practical

120. Map out your software supply chain Gareth Rushgrove

121. Rewrite everything OCaml and run MirageOS :) Gareth Rushgrove

122. Conclusions Can the future be better?

123. Formal proofs Gareth Rushgrove

124. Gareth Rushgrove Use of Formal Methods at AWS

125. Model based automation Gareth Rushgrove

126. Whole new ways of building software systems Gareth Rushgrove

127. Questions? And thanks for listening