
Stay away from the internet - securing modern infrastructure


A run through three topics relevant to securing and reducing the attack surface area for modern web infrastructure. Talk of network complexity, SDN, end user device security, spearphishing, unikernels and more.

Presented at #OSCON 2015 in Amsterdam.

Gareth Rushgrove

October 27, 2015


Transcript

  1. Stay Away from the Internet
    Limiting the attack surface for modern web infrastructure
    Puppet Labs
    Gareth Rushgrove

  2. Gareth Rushgrove
    @garethr


  3. Gareth Rushgrove


  4. A Bit Of Context
    Admitting we have a problem


  5. Security in the news

  6. Security in the news II

  7. Just last week

  8. I’ll stop now

  9. Principles
    Worth repeating


  10. Gareth Rushgrove


  11. - Minimize attack surface area
    - Establish secure defaults
    - Principle of least privilege
    - Principle of defence in depth
    - Don’t trust services

  12. - Fail securely
    - Separation of duties
    - Avoid security through obscurity
    - Keep security simple
    - Fix security issues correctly

  15. - Minimize attack surface area
    - Establish secure defaults
    - Principle of least privilege
    - Principle of defence in depth
    - Don’t trust anything (not just services)

  16. This Talk
    We have 40 minutes to save your app


  17. - Networks and infrastructure
    - People + computers
    - Software supply chain

  20. Starting with the Network
    Open by default

  21. Everyone has an air gapped network, right?

  22. Everything connected to the internet!

  23. [Diagram: The Internet, load balancer, web server, database server]

  24. Firewalls are the answer

  25. [Diagram: The Internet, load balancer, web server, database server; firewall port labels: TCP 80, 443, 22; TCP 22; TCP 22]

  26. NETWORK SECURE


  27. The Moat is Not Enough
    Defence in depth remember


  28. Virtual Private Network

  29. [Diagram: The Internet, load balancer, web server, database server; port labels: TCP 80, 443, 22; TCP 1723; TCP 1723]

  30. SSH jumpbox

  31. [Diagram: The Internet, load balancer, web server, database server, jumpbox; port labels: TCP 80, 443; TCP 1723; TCP 22; TCP 22]

  32. Internal network explosion

  33. [Diagram: load balancer, web server, database server]

  34. In reality more like

  35. More firewalls

  36. [Diagram: load balancer, web server, database server; firewall port labels: TCP 80, 22; TCP 5432, 22; TCP 80, 443, 22]

  37. Why does the database talk to the load balancer?

  38. [Diagram: load balancer, web server, database server; port labels: TCP 80; TCP 5432; TCP 22; TCP 22; TCP 22]

  39. Encrypt internal traffic too

  40. [Diagram: load balancer, web server, database server; port labels: TCP 22; TCP 22; TCP 22; TCP 443; TCP 5432]

  41. Advanced Course
    No such thing as too much defence in depth


  42. Control outgoing, not just incoming, traffic

  43. [Diagram: web server, database server, The Internet; port label: TCP 5432]

  45. Validate payloads with schemas

  46. [Diagram: web server, application server; port label: TCP 8080]

  47. [Diagram: web server, validating proxy, application server; port labels: TCP 8080; TCP 8080]

  48. - Enforce format (JSON, XML)
    - Enforce schema
    - Boundary limiting (rate, size, etc.)
    - Directionality

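The four rules above, as an added example that is not from the talk: the checks a validating proxy sitting between the web server and the application server could apply to each inbound request. The class name, the order-style schema, the limits and the "web" source zone are this example's own assumptions.

```ruby
require 'json'

# Added example (not from the talk). A validating proxy's request checks,
# following the slide's rules: format, schema, boundary limits, directionality.
class PayloadValidator
  # Hypothetical schema for an "order" endpoint: field name => expected class.
  DEFAULT_SCHEMA = { 'id' => Integer, 'sku' => String, 'quantity' => Integer }.freeze

  def initialize(schema: DEFAULT_SCHEMA, max_bytes: 1024, max_requests: 5,
                 window_seconds: 60, allowed_source: 'web')
    @schema = schema
    @max_bytes = max_bytes            # boundary limiting: size
    @max_requests = max_requests      # boundary limiting: rate
    @window = window_seconds
    @allowed_source = allowed_source  # directionality: only the web tier may call in
    @seen = Hash.new { |h, k| h[k] = [] } # client => request timestamps
  end

  # Returns [true, parsed] for an acceptable request, [false, reason] otherwise.
  # Cheapest checks run first so over-rate or oversized requests never reach the parser.
  def validate(body, content_type:, client:, source:, now: Time.now.to_f)
    return [false, 'wrong direction'] unless source == @allowed_source
    return [false, 'rate limit exceeded'] unless within_rate?(client, now)
    return [false, 'body too large'] if body.bytesize > @max_bytes
    return [false, 'unexpected content type'] unless content_type == 'application/json'

    parsed = begin
      JSON.parse(body)
    rescue JSON::ParserError
      return [false, 'malformed JSON']
    end
    return [false, 'top-level value must be an object'] unless parsed.is_a?(Hash)

    # Enforce schema: no unknown fields, every required field present with the right type.
    extra = parsed.keys - @schema.keys
    return [false, "unexpected fields: #{extra.join(', ')}"] unless extra.empty?

    @schema.each do |field, klass|
      return [false, "missing field: #{field}"] unless parsed.key?(field)
      return [false, "wrong type for #{field}"] unless parsed[field].is_a?(klass)
    end
    [true, parsed]
  end

  private

  # Sliding-window request count per client.
  def within_rate?(client, now)
    stamps = @seen[client]
    stamps.reject! { |t| t < now - @window }
    return false if stamps.size >= @max_requests
    stamps << now
    true
  end
end
```

Rejecting unknown fields, not just checking the known ones, is what turns a schema check into an attack-surface reduction: the application server only ever sees the shape it was written for.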
  52. Do you (always) need remote access?

  53. [Diagram: load balancer, web server, database server; port labels: TCP 443; TCP 5432]

  54. [Diagram: load balancer, web server, database server; port labels: TCP 443; TCP 5432; TCP 22; TCP 1723]

  55. [Diagram: load balancer, web server, database server; port labels: TCP 443; TCP 5432]

  56. Traffic analysis
    What does normal look like?

  57. Protocol breaks

  58. Hardware boundaries

  59. Things We Can Do
    Practical tips


  60. Add validation to existing proxies

  61. content_by_lua '
        local cjson = require "cjson"
        -- read the client body so that ngx.var.request_body is populated
        ngx.req.read_body()
        -- make a subrequest, passing the request body
        local res = ngx.location.capture(
          "/request",
          { method = ngx.HTTP_POST, body = ngx.var.request_body }
        )
        -- if the subrequest errors, reject the request
        if res.status ~= ngx.HTTP_OK then
          ngx.status = ngx.HTTP_BAD_REQUEST
          ngx.say("invalid request")
          return
        end
        -- if we have a valid request, decode response as JSON
        local success, response = pcall(cjson.decode, res.body)
        if success then
          -- if valid JSON just pass through the response
          ngx.say(res.body)
        else
          -- the upstream answered with something that is not JSON: do not forward it
          ngx.status = ngx.HTTP_BAD_GATEWAY
          ngx.say("invalid response")
        end
      ';
    Nginx supports Lua and JS extensions, HAProxy supports Lua

  62. Automated unit tests to enforce the rules

  63. describe 'www.puppetlabs.com' do
        # @open_ports and @closed_ports are populated by a before hook
        # (from a port scan of the host) that is not shown on the slide
        it 'has only a limited number of open ports' do
          expect(@open_ports.count).to eq(3)
        end
        it 'exposes a web server' do
          expect(@open_ports).to include('80/tcp')
          expect(@open_ports).to include('443/tcp')
        end
        it 'exposes an SSH server' do
          expect(@open_ports).to include('22/tcp')
        end
        it 'rejects email traffic' do
          expect(@closed_ports).to include('25/tcp')
        end
      end
    Using any unit testing framework we can make explicit assertions against our network

  64. www.puppetlabs.com from 192.168.1.10
        has only a limited number of open ports (FAILED - 3)
        exposes a web server
        exposes an SSH server
        rejects email traffic (FAILED - 4)
    Anyone can run the tests and understand what is expected and what is currently broken

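The same idea as slides 62 to 64, as an added example that is not from the talk: the port rules expressed as a reusable policy check that any test framework can wrap, returning one readable line per violation so that anyone can see what is currently broken. The host names, the policy and the scan results are constructed for this example.

```ruby
require 'set'

# Added example (not from the talk). Network expectations as data, checked
# against an observed port scan; the output is a list of violations.
class NetworkPolicy
  Rule = Struct.new(:host, :allowed, :forbidden)

  def initialize
    @rules = {}
  end

  # allowed: the only ports that may be open; forbidden: ports called out explicitly
  # so that a violation names the rule that was written for it (e.g. "no mail").
  def host(name, allowed:, forbidden: [])
    @rules[name] = Rule.new(name, Set.new(allowed), Set.new(forbidden))
    self
  end

  # observed: { 'host' => ['80/tcp', ...] } as a scanner would report open ports.
  # Returns human-readable violations; an empty list means the network matches policy.
  def violations(observed)
    out = []
    @rules.each do |name, rule|
      open = Set.new(observed.fetch(name, []))
      (open - rule.allowed - rule.forbidden).sort.each { |p| out << "#{name}: unexpected open port #{p}" }
      (rule.allowed - open).sort.each { |p| out << "#{name}: expected port #{p} is not open" }
      (open & rule.forbidden).sort.each { |p| out << "#{name}: forbidden port #{p} is open" }
    end
    out
  end
end

# Policy in the spirit of the slides: the web tier exposes 80, 443 and 22 and nothing
# else and never mail; the database tier exposes only PostgreSQL and SSH.
POLICY = NetworkPolicy.new
  .host('www.example.com', allowed: %w[80/tcp 443/tcp 22/tcp], forbidden: %w[25/tcp])
  .host('db.example.com', allowed: %w[5432/tcp 22/tcp], forbidden: %w[25/tcp 80/tcp])

# Constructed scan result (what a port scanner's output would look like once parsed).
SCAN = {
  'www.example.com' => %w[22/tcp 25/tcp 80/tcp 443/tcp],
  'db.example.com'  => %w[22/tcp 5432/tcp],
}.freeze

def check_network(policy = POLICY, scan = SCAN)
  policy.violations(scan)
end

if __FILE__ == $PROGRAM_NAME
  check_network.each { |line| puts line }
end
```

Keeping the policy separate from the scanner means the same rules can be run from a test suite, a deploy pipeline or a scheduled job, and a change to the policy is a reviewable diff rather than a firewall command typed on one machine.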
  65. Model driven automation and higher levels of abstraction

  66. $ iptables -A INPUT -s 65.55.44.100 -j DROP
    Stop running individual commands on individual machines

  67. firewall { '002 reject local traffic not on loopback interface':
        iniface     => '! lo',
        proto       => 'all',
        destination => '127.0.0.1/8',
        action      => 'reject',
      }
    Necessary but not sufficient. Still requires domain knowledge and lots of context.

  68. application elk (
        $cluster_name = $name,
        $es_port      = 9200,
      ) {
        elk::elasticsearch { 'one':
          export       => Es_instance['one'],
          es_port      => $es_port,
          es_host      => $::fqdn,
          cluster_name => $cluster_name,
        }
        elk::elasticsearch { 'two':
          export       => Es_instance['two'],
          es_port      => $es_port,
          es_host      => $::fqdn,
          cluster_name => $cluster_name,
        }
        elk::kibana { $name:
          require => Es_instance[one, two],
          # remaining parameters are cut off on the slide
        }
      }
    Most users should interact at a higher level of abstraction, allowing for secure defaults to be established by experts

  69. and in a galaxy far, far away…

  70. Gareth Rushgrove


  71. People
    People + Computers are terrible


  72. The attack surface of your infrastructure also includes the people managing it

  73. [Diagram comparing effort spent securing the infrastructure with effort spent defending the laptop that accesses it]

  74. [Diagram: effort spent defending the laptop that accesses it]

  75. Apple, Facebook employees hacked via website malware, Java vulnerability
    http://www.zdnet.com/apple-facebook-employees-hacked-via-website-malware-java-vulnerability-7000011601/

  76. End User Device Security

  77. UK Government guidance

  78. Per-platform guidance

  79. OPSEC

  80. Checked in AWS keys

  81. Personal .bash_profile

  82. Windows Signing Key

  83. Spearphishing

  84. Things We Can Do
    More practical tips


  85. GitRob

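The OPSEC slips above (checked-in AWS keys, a personal .bash_profile, a signing key in a repository) are the kind of thing a repository scan catches before they are pushed. The following is an added example, not from the talk and not GitRob's code: a small pre-commit style scan over a set of files. The rule names, the suspicious-filename list and the sample repository are constructed for this example; the access key ID is the placeholder value used in AWS's own documentation.

```ruby
# Added example (not from the talk, not GitRob's code): a minimal secret scan.
SECRET_RULES = {
  'aws-access-key-id' => /\bAKIA[0-9A-Z]{16}\b/,                 # AWS access key ID shape
  'aws-secret-export' => /\bAWS_SECRET_ACCESS_KEY\s*=\s*\S+/,     # e.g. exported from a dotfile
  'private-key-block' => /-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/,
}.freeze

# Files whose names alone are a red flag in a repository, whatever they contain.
SUSPICIOUS_NAMES = %w[.bash_profile .bashrc .aws/credentials id_rsa .netrc .pgpass].freeze

Finding = Struct.new(:path, :line, :rule)

# files: { path => contents }. Returns every match (line 0 = the filename itself),
# so a reviewer sees exactly which line must go before the commit and which key to rotate.
def scan_for_secrets(files)
  findings = []
  files.each do |path, contents|
    if SUSPICIOUS_NAMES.any? { |n| path == n || path.end_with?("/#{n}") }
      findings << Finding.new(path, 0, 'suspicious-filename')
    end
    contents.each_line.with_index(1) do |text, no|
      SECRET_RULES.each do |rule, re|
        findings << Finding.new(path, no, rule) if text =~ re
      end
    end
  end
  findings
end

# Constructed repository snapshot. AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID;
# the secret value is an obvious placeholder.
SAMPLE_REPO = {
  'config/settings.yml'    => "region: eu-west-1\naccess_key_id: AKIAIOSFODNN7EXAMPLE\n",
  'dotfiles/.bash_profile' => "export PATH=$PATH:~/bin\nexport AWS_SECRET_ACCESS_KEY=placeholder-not-a-real-secret\n",
  'deploy/key.pem'         => "-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n-----END RSA PRIVATE KEY-----\n",
  'README.md'              => "# Service\nNothing to see here.\n",
}.freeze

if __FILE__ == $PROGRAM_NAME
  scan_for_secrets(SAMPLE_REPO).each { |f| puts "#{f.path}:#{f.line} #{f.rule}" }
end
```

A scan like this belongs in a pre-commit hook and in CI, because once a key has been pushed to a shared repository the only safe remedy is rotation; removing the commit afterwards does not unpublish it.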
  86. Gareth Rushgrove


  87. Training

  88. Other People’s Software
    Most of the software you run was written by someone else

  89. Manage your software supply chain

  90. Report from Sonatype

  91. Once a component is shared in a public repository, it stays there forever even after many newer, safer versions have been introduced.

  92. A once safe component may be found to be vulnerable at any time.

  93. Components often depend on other components in order to function. If a vulnerability is found in a component dependency, it is difficult for the open source project or the user to know about it.

  94. There is clear evidence that known vulnerable or defective components stored in public warehouses are downloaded by development teams, and end up in our software largely unnoticed.

  95. Q: How many people have commit access to all the software you use?

  96. A: Too many to count

  97. The End of the General Purpose Operating System
    And other tales

  98. [Diagram: Hardware / Operating system / Application]
    Once upon a time…

  99. [Diagram: Hardware / Operating system / Runtime / Application]
    Your application might need a runtime, so let’s add one

  100. [Diagram: Hardware / Operating system / two runtimes / several applications]
    But hardware is expensive, so let’s run multiple applications on the same machine

  101. [Diagram: Hardware / Hypervisor / Operating system / Runtime / Application]
    Applications need isolating, so let’s use virtualisation

  102. [Diagram: Hardware / Hypervisor / three virtual machines, each with Operating system / Runtime / Application]
    Run multiple virtual machines! (Each with their own copy of the operating system)

  103. [Diagram: Hardware / Hypervisor / two virtual machines, each with an operating system and runtime running several applications]
    But the overhead of virtualisation is expensive, so run multiple applications per VM

  104. [Diagram: Hardware / Hypervisor / Operating system / Container runtime / Container (Operating system / Runtime / Application)]
    I heard you like containers, so we put containers in your virtual machines

  105. [Diagram: Hardware / Hypervisor / Operating system / Container runtime / three containers, each with its own OS ("A different OS", "Operating system", "Even more OS"), runtime and application]
    Lots and lots of containers in fact

  106. [Diagram: Hardware / Hypervisor / Operating system / Container runtime / three containers, each holding only a static binary]
    Cool folks use static binaries and scratch containers

  107. [Diagram: Hardware / Operating system / Container runtime / three containers, each holding only a static binary; no hypervisor]
    Don’t need virtualisation isolation guarantees?

  108. Unikernels
    A library operating system


  109. What if there is no OS above the hypervisor?

  110. [Diagram: Hardware / Hypervisor / Unikernel]
    Unikernels compile your application to a kernel, which can run on a hypervisor. That’s it.

  111. Rise of the Virtual Library OS

  112. MirageOS

  113. HaLVM

  114. Rump Kernel

  115. LING

  116. IncludeOS

  117. Gareth Rushgrove


  118. - Hypervisor/hardware isolation
    - Smaller attack surface area
    - Running (a lot) less code
    - Enforced immutability
    - No default remote access

  119. Things We Can Do
    Maybe not as practical


  120. Map out your software supply chain

  121. Rewrite everything in OCaml and run MirageOS :)

  122. Conclusions
    Can the future be better?


  123. Formal proofs

  124. Use of Formal Methods at AWS

  125. Model based automation

  126. Whole new ways of building software systems

  127. Questions?
    And thanks for listening
