Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Adventures in Hardening the Security of LINE's Infra

Be4518b119b8eb017625e0ead20f8fe7?s=47 LINE DevDay 2019
November 20, 2019
Technology
1
1.2k

Adventures in Hardening the Security of LINE's Infra

ByoungYun Lee
LINE Plus GrayLab Security Engineer
https://linedevday.linecorp.com/jp/2019/sessions/F1-4

Be4518b119b8eb017625e0ead20f8fe7?s=128

LINE DevDay 2019

November 20, 2019
Tweet

More Decks by LINE DevDay 2019

See All by LINE DevDay 2019
What is the engineering organization that LINE DevRel is aiming for
Be4518b119b8eb017625e0ead20f8fe7?s=48 line_devday2019
3
2k
The IoT technology inside LINE DEVELOPER DAY 2019
Be4518b119b8eb017625e0ead20f8fe7?s=48 line_devday2019
6
760
How to reduce Android app launch time by scoping your dependencies using Koin DI
Be4518b119b8eb017625e0ead20f8fe7?s=48 line_devday2019
3
560
Efficient integrating data from multiple data providers
Be4518b119b8eb017625e0ead20f8fe7?s=48 line_devday2019
0
330
Now supporting Dark Mode on LINE messenger
Be4518b119b8eb017625e0ead20f8fe7?s=48 line_devday2019
0
1.1k
LIFF v2, the latest Webview SDK lets you leverage LINE
Be4518b119b8eb017625e0ead20f8fe7?s=48 line_devday2019
0
1.1k
Modern Web Testing with Cypress.io
Be4518b119b8eb017625e0ead20f8fe7?s=48 line_devday2019
0
460
Speed up iOS Development with LLDB Code Injection and Framework Live Preview
Be4518b119b8eb017625e0ead20f8fe7?s=48 line_devday2019
1
280
Faster iOS Builds with Bazel
Be4518b119b8eb017625e0ead20f8fe7?s=48 line_devday2019
0
1.1k

Other Decks in Technology

See All in Technology
1年間のポストモーテム運用とそこから生まれたツール sre-advisor / SRE NEXT 2022
Ca6281fff64797dc419b78f51f25c0a5?s=48 fujiwara3
6
3.7k
CTOのためのQAのつくりかた #scrumniigata / SigSQA How to create QA for CTOs and VPoEs
63d1e567c2c7b1dbf340f7bea9a92876?s=48 caori_t
0
360
ヘキサゴナルアーキテクチャを利用したLambda 関数のドメインモデルの実装 Live
7689d16bbad8f2fa05a5e9afb8527675?s=48 fatsushi
3
590
スポーツ・エンタメにおける映像伝送技術の実装と挑戦 〜車載カメラ、5G〜
B16717ef4b7aab0b253d933c3934f280?s=48 mixi_engineers
PRO
0
150
Kubernetesでハマるメタバースと エッジで夢見る世界観
7c1ce501ba8a3e5ebf738a32b5811857?s=48 yudaiono
0
130
220521_SFN_品質文化試論と『LEADING QUALITY』/220521_SFN_Essay_of_Quality_Culture_and_LEADING_QUALITY
C8cde92274f0ca1ff9b046673d4f2d29?s=48 mkwrd
0
330
Stripe Search APIを利用した、LINEとStripeの顧客情報連携/line-dc-202205
E77ca94266ffd3d69f8aee91f7468264?s=48 stripehideokamoto
0
130
スクラムマスターの「観察」スキルを掘り下げる / Scrum Fest Niigata 2022
Da40bdb49bfb7a3fc9426dacac78a99c?s=48 ama_ch
0
870
Dagu | オンプレ向けワークフローエンジン(WebUI 同梱)
2a80a0a6f834a75cc418ef59175ecbb0?s=48 yohamta
1
210
一人から始めるプロダクトSRE / How to start SRE in a product team, all by yourself
12a5cec7a54018170b1a009731acf477?s=48 vtryo
4
3.1k
ドキュメントの翻訳に必要なこと
0d0586f83b68c623c4f04c752c4b515b?s=48 mayukosawai
0
190
OSS ことはじめ
Eabad423977cfc6873b8f5df62b848a6?s=48 hsbt
3
590

Featured

See All Featured
Imperfection Machines: The Place of Print at Facebook
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
253
11k
We Have a Design System, Now What?
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
35
2.9k
Optimizing for Happiness
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
365
63k
Large-scale JavaScript Application Architecture
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
499
110k
What’s in a name? Adding method to the madness
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
11
1.5k
Fantastic passwords and where to find them - at NoRuKo
8ec1383b240b5ba15ffb9743fceb3c0e?s=48 philnash
25
1.5k
Fashionably flexible responsive web design (full day workshop)
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
396
62k
The Invisible Customer
4262b9cfacfb6b2c77f23e1d0310cd3e?s=48 myddelton
110
11k
Rails Girls Zürich Keynote
24fc194843a71f10949be18d5a692682?s=48 gr2m
86
12k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
E425fe9f170efa0dfaf8ab69d7107418?s=48 aki_i
21
15k
Docker and Python
Ecdea9b9714877b86cee08458f085481?s=48 trallard
27
1.5k
The Language of Interfaces
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
148
20k

Transcript

  1. 2019 DevDay Adventures in Hardening the Security of LINE's Infra

    > ByoungYun Lee > LINE Plus GrayLab Security Engineer

  2. Who Am I Security Risk Assessment @LINE > since 2018

    Offensive Security Research @GrayHash > for 3 years

  3. Scott ikeda, CPO Magazine, April 9, 2019 Eustance Huang, CNBC,

    May 4, 2019 THE PAPERS, 1 May, 2019

  4. Infrastructures An Attacker’s View

  5. Public Network Web Server API Server Database User

  6. Public Network Web Server API Server Database User www.example.com

  7. Public Network Web Server API Server Database User www.example.com api.example.com

  8. Public Network Web Server API Server Database User www.example.com api.example.com

    ?

  9. Public Network Web Server API Server Database Attacker

  10. Public Network Web Server API Server Database Attacker db.example.com database.example.com

  11. Public Network Web Server API Server Database Attacker

  12. Public Network Web Server API Server Database Attacker Developer

  13. Public Network Web Server API Server Database Attacker

  14. Public Network Web Server API Server Database Attacker Weak Password

  15. Public Network Web Server API Server Database Attacker Weak Password

  16. Public Network Web Server API Server Database Attacker Weak Password

    1, 1!, !@#, …

  17. Public Network Web Server API Server Database Attacker Port Scanning

  18. Public Network web pages etc ssh Web Server API Server

    Database Attacker Port Scanning

  19. Public Network Web Server API Server Database Attacker Exploit

  20. Public Network Web Server API Server Database Attacker Exploit

  21. Public Network Web Server API Server Database Attacker Exploit

  22. Public Network Web Server API Server Database Attacker Exploit

  23. Public Network Web Server API Server Database Attacker

  24. Public Network Web Server API Server Database Attacker Danger

  25. PRIVATE NETWORK Private Network Web Server API Server Database User

    Internal Servers

  26. Private Network PRIVATE NETWORK Web Server API Server Database User

    Internal Servers

  27. Private Network PRIVATE NETWORK Web Server API Server Database User

    Internal Servers

  28. Private Network PRIVATE NETWORK Web Server API Server Database Internal

    Servers Attacker

  29. Private Network PRIVATE NETWORK Internal Servers Users

  30. Private Network PRIVATE NETWORK Internal Servers Users

  31. Private Network PRIVATE NETWORK Internal Servers Users Attacker

  32. Lateral Movement Attack PRIVATE NETWORK Internal Servers Users Attacker

  33. Lateral Movement Attack PRIVATE NETWORK Internal Servers Users Attacker

  34. Lateral Movement Attack PRIVATE NETWORK Internal Servers Users Attacker

  35. Lateral Movement Attack PRIVATE NETWORK Internal Servers Users Attacker

  36. Lateral Movement Attack PRIVATE NETWORK Internal Servers Users Attacker Danger

  37. LINE’s Infrastructure PRIVATE NETWORK Internal Servers Users

  38. LINE’s Infrastructure PRIVATE NETWORK Internal Servers Users

  39. LINE’s Infrastructure PRIVATE NETWORK Internal Servers Users Attacker

  40. LINE’s Infrastructure PRIVATE NETWORK Internal Servers Users Attacker

  41. Goal PRIVATE NETWORK Breach SAFE SAFE SAFE

  42. Goal TCP/7000 10.0.0.1-10 TCP/5000 10.0.0.51-60 10.0.0.200

  43. Source IP Destination IP Destination Port Action 10.0.0.1-10 10.0.0.200 7000

    Allow Other 10.0.0.200 7000 Deny 10.0.0.51-60 10.0.0.200 5000 Allow Other 10.0.0.200 5000 Deny Goal

  44. Goal TCP/7000 10.0.0.1-10 TCP/5000 10.0.0.51-60 10.0.0.200 10.0.2.1-10

  45. Source IP Destination IP Destination Port Action 10.0.0.1-10 10.0.0.200 7000

    Allow 10.0.3.1-10 10.0.0.200 7000 Allow 10.0.4.1-10 10.0.0.200 7000 Allow 10.0.5.1-10 10.0.0.200 7000 Allow 10.0.100.50 10.0.0.200 5000 Allow 10.0.200.50 10.0.0.200 5000 Allow 10.0.300.50 10.0.0.200 5000 Allow 10.0.400.50 10.0.0.200 5000 Allow Goal

  46. Source IP Destination IP Destination Port Action 10.0.0.1-10 10.0.0.200 7000

    Allow 10.0.3.1-10 10.0.0.200 7000 Allow 10.0.4.1-10 10.0.0.200 7000 Allow 10.0.5.1-10 10.0.0.200 7000 Allow 10.0.100.50 10.0.0.200 5000 Allow 10.0.200.50 10.0.0.200 5000 Allow 10.0.300.50 10.0.0.200 5000 Allow 10.0.400.50 10.0.0.200 5000 Allow Goal

  47. Hardening Block unnecessary network access

  48. Tools

  49. LOW- MAINTENANCE Requirements CLOUD SUPPORT MULTI 
 REGIONAL PRE-EXISTING SERVICE

  50. LOW- MAINTENANCE Requirements CLOUD SUPPORT MULTI 
 REGIONAL PRE-EXISTING SERVICE

  51. Candidates We are aiming to block unnecessary network access iptables

    Network Firewall Host-based Firewall

  52. PROS iptables Easy-to-use Everyone knows how to use No cost

    No physical constraints, cloud-compatible

  53. PROS iptables Easy-to-use Everyone knows how to use No cost

    No physical constraints, cloud-compatible

  54. CONS iptables Easy-to-use Anyone can create security holes Not centralized

    = high maintenance

  55. CONS iptables Easy-to-use Anyone can create security holes Not centralized

    = high maintenance

  56. CONS iptables Easy-to-use Anyone can create security holes Not centralized

    = high maintenance

  57. PROs Network Firewall No resource overhead for hosts Already deployed:

    zero learning curve

  58. PROs Network Firewall No resource overhead for hosts Already deployed:

    zero learning curve

  59. CONs Network Firewall High cost Physical constraints: component proximity required

    Physical constraint: Incompatible with cloud infrastructure

  60. CONs Network Firewall High cost Physical constraints: component proximity required

    Physical constraint: Incompatible with cloud infrastructure

  61. Host-Based Firewall Install Firewall Apply Rules Make Rules

  62. Host-Based Firewall Install Firewall Apply Rules Make Rules

  63. Host-Based Firewall Install Firewall Apply Rules Make Rules

  64. PROs Host-Based Firewall No physical constraints, cloud-compatible Centralized administration ‘Detect

    Only’ mode

  65. PROs Host-Based Firewall No physical constraints, cloud-compatible Centralized administration ‘Detect

    Only’ mode

  66. PROs Host-Based Firewall No physical constraints, cloud-compatible Centralized administration ‘Detect

    Only’ mode

  67. So... iptables Network Firewall Host-based
 Firewall The Host-based Firewall Solution

    is the best option

  68. Hardening Steps Analyze target Design process Apply

  69. Service A's Database Servers about 700 hosts, 27 groups, 2,000

    clients Analyze Target Various Database Types • HBase • Redis • etc • Cassandra • MySQL

  70. Service A's Database Servers about 700 hosts, 27 groups, 2,000

    clients Analyze Target Various Database Types • HBase • Redis • etc • Cassandra • MySQL

  71. Service A's Database Servers about 700 hosts, 27 groups, 2,000

    clients Analyze Target Various Database Types • HBase • Redis • etc • Cassandra • MySQL

  72. Service A's Database Servers about 700 hosts, 27 groups, 2,000

    clients Analyze Target Various Database Types • HBase • Redis • etc • Cassandra • MySQL

  73. Service A's Database Servers about 700 hosts, 27 groups, 2,000

    clients Analyze Target Various Database Types • HBase • Redis • etc • Cassandra • MySQL

  74. Challenges Service Failure Analyze Target Because it’s one of the

    critical services No Service Downtime No

  75. Challenges Service Failure Analyze Target Because it’s one of the

    critical services No Service Downtime No

  76. Design Process Install Firewall Apply Rules Make Rules

  77. Design Process Install Firewall Apply Rules Make Rules

  78. Design Process Install Firewall Apply Rules Make Rules

  79. Design Process Install Firewall Apply Rules Make Rules

  80. Design Process Install Firewall Apply Rules Make Rules

  81. Design Process Install Firewall Apply Rules Make Rules

  82. Design Process Install Firewall Apply Rules Make Rules

  83. Design Process Install Firewall Apply Rules Make Rules

  84. Service Failure Challenges Because it’s one of the critical services

    No Service Downtime No

  85. Design Process Possible Problems > Omitted, misspelled info > Missed

    Infrastructure- related info Install Firewall Apply Rules Make Rules

  86. Design Process Possible Problems > Omitted, misspelled info > Missed

    Infrastructure- related info Install Firewall Apply Rules Make Rules

  87. Design Process Possible Problems > Kernel panic > Device driver

    conflict Install Firewall Apply Rules Make Rules

  88. Design Process Possible Problems > Kernel panic > Device driver

    conflict Install Firewall Apply Rules Make Rules

  89. Design Process Possible Problems > Degraded service performance > Other

    unexpected problems Install Firewall Apply Rules Make Rules

  90. Design Process Possible Problems > Degraded service performance > Other

    unexpected problems Install Firewall Apply Rules Make Rules

  91. Preventing Problems Design Process > ‘Detect only’ mode > Log

    vs. Rule analysis 1. Faulty Rules > Test one server with redundancy • Most services are redundant with High Availability 2. Unpredictable Failure

  92. Preventing Problems Design Process > ‘Detect only’ mode > Log

    vs. Rule analysis 1. Faulty Rules > Test one server with redundancy • Most services are redundant with High Availability 2. Unpredictable Failure

  93. Preventing Problems Design Process > ‘Detect only’ mode > Log

    vs. Rule analysis 1. Faulty Rules > Test one server with redundancy • Most services are redundant with High Availability 2. Unpredictable Failure

  94. Apply By Server Group Set ‘Deny’ mode Apply 1 host,

    
 1/2 hosts, 
 2/2 hosts Install agent Apply 1 host, 
 1/2 hosts, 
 2/2 hosts Update rule based on 
 'Detect' logs Apply rule Apply 1 host, 
 1/2 hosts, 
 2/2 hosts Make rules with
 ‘Detect Only’ Mode

  95. Apply By Server Group Set ‘Deny’ mode Apply 1 host,

    
 1/2 hosts, 
 2/2 hosts Install agent Apply 1 host, 
 1/2 hosts, 
 2/2 hosts Update rule based on 
 'Detect' logs Apply rule Apply 1 host, 
 1/2 hosts, 
 2/2 hosts Make rules with
 ‘Detect Only’ Mode

  96. Realtime Communication Service Metrics Dev & Infrastructure Team Firewall Event

    Security Team Report 
 
 Response

  97. Realtime Communication Service Metrics Dev & Infrastructure Team Firewall Event

    Security Team Report 
 
 Response

  98. Result Hosts 700 Failure 0 Groups 27

  99. Result Hosts 700 Failure 0 Groups 27

  100. Alert System

  101. Without registering firewalls Human Error Scale Out
 API Server API

    Server’s Access Denied OUTAGE

  102. Without registering firewalls Human Error Scale Out
 API Server API

    Server’s Access Denied OUTAGE

  103. Quickly (automatically) detect human errors and respond Improvement Detect ‘Deny’

    event Notify Dev/Sec teams

  104. Alert System Deny Detect Notify

  105. Alert System Deny Detect Notify

  106. Alert System Deny Detect Notify

  107. Scale Out Assign Deploy Provision Allocate

  108. Scale Out Assign Deploy Provision Allocate Detect

  109. Episode

  110. Episode

  111. Episode

  112. Inconvenience due to Improved Security Inconvenience Emergency deployment/extension requires security

    team’s support Detailed firewall policies are high-maintenance

  113. Inconvenience due to Improved Security Inconvenience Emergency deployment/extension requires security

    team’s support Detailed firewall policies are high-maintenance

  114. Inconvenience due to Improved Security Inconvenience Emergency deployment/extension requires security

    team’s support Detailed firewall policies are high-maintenance

  115. Root Cause Inconvenience due to Improved Security Emergency deployment/extension requires

    security team’s support Detailed firewall policies are high-maintenance Too Complex for Dev. Team To Understand Rules Difficult To Request a Rule Change

  116. Improvement Plan Build Firewall Control Service Hide Irrelevant Rules Provide

    Simple Rule Change UI Deployment-Group-Aware Auto-Configuration

  117. Improvement Plan Build Firewall Control Service Hide Irrelevant Rules Provide

    Simple Rule Change UI Deployment-Group-Aware Auto-Configuration

  118. Scale Out Assign Deploy Provision Allocate

  119. Scale Out Assign Deploy Provision Allocate Make Rule

  120. Scale Out Assign Deploy Provision Allocate Make Rule

  121. Scale Out Assign Deploy Provision Allocate Make Rule

  122. Epilogue

  123. Epilogue

  124. Thank You