The Firewall Also Gazes Into You

Transcript

1. The firewall also gazes into you

2. About me @iangreenleaf Rails developer (backend, not devops) Hire me!

   [email protected]

3. "What's the use of firewalls?"

4. None

5. Wide-open ports Isn't that a little 1997?

6. Well...

7. MongoDB Local connections only by default Authentication possible, off by

   default

8. Sphinx full-text search Local connections possible, off by default No

   authentication

9. Memcached Local connections possible, off by default Authentication sorta possible,

   off by default

10. Redis Local connections possible, off by default Authentication possible, off

    by default Redis is open to the world by default It too offers weak authentication

11. Yikes

12. You could fix each of these individually

13. My ops policy: Assume I am stupid

14. Default to the least bad thing

15. Firewalls are dead Long live firewalls

16. When you hear "firewall", do you think of...

17. Network administrators

18. None

19. NATs

20. ssh me@server -p 2525 Keep it secret; keep it safe

21. None

22. Stupid crap interfering with my ability to play World of

    Warcraft
23. None

24. Let go of your fear

25. Firewalls that don't suck Default to DENY Assume every machine

    is public Simple firewall on each machine

26. PSA: Make sure to open your SSH port!

27. iptables

28. ufw

29. Chef/Ansible Because you are automating, right?

30. Chef f i r e w a l l cookbook

31. Chef f i r e w a l l '

    u f w ' d o a c t i o n : e n a b l e e n d

32. Chef f i r e w a l l _

    r u l e ' d e f a u l t ' d o a c t i o n : d e n y e n d

33. Chef f i r e w a l l _

    r u l e ' s s h ' d o p o r t 2 2 a c t i o n : a l l o w e n d

34. Chef f i r e w a l l _

    r u l e ' h t t p ' d o p o r t 8 0 p r o t o c o l : t c p a c t i o n : a l l o w e n d

35. That wasn't so bad

36. Ansible u f w module in 1.6+

37. Ansible n a m e : i n s t

    a l l u f w a p t : p k g = u f w s t a t e = p r e s e n t

38. Ansible n a m e : e n a b

    l e f i r e w a l l u f w : s t a t e = e n a b l e d p o l i c y = d e n y

39. Ansible n a m e : p a s s

    H T T P t h r o u g h f i r e w a l l u f w : r u l e = a l l o w p o r t = 8 0 p r o t o = t c p

40. Ansible n a m e : p a s s

    S S H t h r o u g h f i r e w a l l u f w : r u l e = a l l o w n a m e = O p e n S S H

41. Extra credit: rate limiting

42. Rate limiting n a m e : p a s

    s S S H t h r o u g h f i r e w a l l u f w : r u l e = l i m i t n a m e = O p e n S S H

43. That's it!

44. Fin