Automating Secure Server Baselines with Chef
DESCRIPTION
People are deploying servers in cloud environments faster than ever before, but most are still not doing so in a safe and secure manner. Too few server instances are hardened as part of the provisioning process, often leaving the technological doors wide open to service disruption by malicious threat agents such as malware, automated attack tools and human attackers. This talk will explain how Chef can be used to automate the creation and maintenance of secure server baselines as a foundation for securely operating in cloud environments.
TRANSCRIPT
© 2013 CloudPassage Inc.
Automating Secure Server Baselines with Chef
a.k.a. “Making Fixing Stupid Stuff Easy”
Andrew Hay, [email protected]
@andrewsmhay | @cloudpassage
#ChefConf / #CloudSec
Topics for today
Why the cloud makes security hard
Why secure the OS?
What is a baseline?
How Chef can be used to create secure and repeatable server and application baselines
Who are you? • My name is Andrew Hay, and I am a chef…
Who are you? • Andrew Hay, Director of Applied Security Research at CloudPassage, Inc.
• Former: – Senior Industry Analyst @ 451 Research – Security Analyst @ UofL and a bank in Bermuda – Product, Program and Engineering Manager @ Q1 Labs
Goals of moving to cloud fail to mesh with security
(Diagram: data-center layout with firewalls separating the DMZ (load balancer, app server) from the core (auth server, DB).)
We used to rely on perimeter defenses
(Diagram: the same load balancers, app servers, auth server and DBs placed in a public cloud, with no firewall tier drawn.)
But where is the perimeter in cloud?
(Diagram: load balancer, app servers and DB master in a public cloud, each one directly exposed.)
The server is adjacent to the perimeter
Why secure the OS? • A hardened OS is often the last line of defense in the event of a security compromise.
• It is important to note that hardening is not a panacea for security. – It is just another layer in a good security model.
• By definition, any machine that is accessible on a network and running services is potentially insecure. – (i.e. pretty much any server)
“Andrew’s Law of Servers” • There are 3 kinds of servers:
1) Secure servers
2) Insecure servers
3) Servers that you think are secure…
Servers are vulnerable • National Vulnerability Database search of CVE and CCE vulnerabilities:
– Ubuntu • Last 3 years: 1,015 matching records • Last 3 months: 145 matching records
– Red Hat Enterprise Linux • Last 3 years: 50 matching records • Last 3 months: 23 matching records
– Microsoft Windows (server) • Last 3 years: 319 matching records • Last 3 months: 48 matching records
• NVD reported 5,715 vulnerabilities in 2012.
• This means that last year about 16 new security vulnerabilities were discovered each day.
What is a baseline? • base·line /ˈbāsˌlīn/
– A minimum or starting point used for comparisons.
• Think of it as the ‘bare minimum’ configuration for: – Server settings – Application configurations – Running services – Etc.
• Ask yourself: – “What do I want of my servers?”
What if I only secure one or two things?
Running with baselines… (Diagram: one Gold Master image cloned into several www servers.)
If your baseline is not secure… your servers built off of that baseline are also insecure.
Running with baselines… (Diagram: a ‘Better Master’ pushed out alongside existing www servers, leaving a mix of known-bad and unknown states.)
Pushing out a ‘Better Master’ might solve a lot of problems, but it may (will) eventually fail you.
Running with baselines… (Diagram: a new Gold Master with every www server rebuilt from it.)
Using our new ‘Gold Master’ we can trust our servers’ security, letting us focus on other, more pressing tasks.
Running with baselines… (Diagram: Gold Master updates applied to a subset of www servers at a time while the rest keep serving.)
Gold Master updates can be rolled out incrementally, keeping your operational state…operational.
How Chef Can Help
Top 5 easy things to start building your secure baseline
1. Disable unnecessary services
2. Remove unneeded packages
3. Restrict access to sensitive files & directories
4. Remove insecure/default configurations
5. Allow administrative access ONLY from trusted servers/clients
Disable unnecessary services • Only what is needed…is needed
• Shut down and disable unnecessary/insecure services – e.g. telnet, r-services, ftpd, etc.
• Take a look at: – http://docs.opscode.com/resource_script.html – http://docs.opscode.com/resource_execute.html – http://docs.opscode.com/dsl_recipe_use_ruby.html
Remove unneeded packages • If it isn’t being used…why keep it?
• If the server doesn’t need to serve web pages – Remove PHP, Apache/nginx
• If it’s not a database server – Remove MySQL/PostgreSQL
• Take a look at: – http://docs.opscode.com/resource_package.html – http://docs.opscode.com/resource_script.html – http://docs.opscode.com/resource_execute.html
Remove unneeded packages – platform-specific package resources: apt_package, chef_gem, dpkg_package, easy_install_package, freebsd_package, gem_package, ips_package, macports_package, pacman_package, portage_package, rpm_package, smartos_package, solaris_package, yum_package
http://docs.opscode.com/resource_package.html
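As an added example (plain Ruby, not a Chef recipe and not code from the talk), here is the planning step behind the two slides above: decide, per server role, which installed packages and running services fall outside the baseline. It parses constructed `dpkg -l` and `service --status-all` output; the role names, the managed package/service lists and the sample output are all assumptions for illustration. Each entry the planner returns is what a recipe would then declare with a `package` resource (action :purge) or a `service` resource (actions :stop, :disable).

```ruby
# Server-application packages and services the baseline manages. Anything in
# these sets that the role does not need is purged/disabled; everything else
# (base system, libraries) is left alone. Both lists are constructed here.
MANAGED_PACKAGES = %w[apache2 nginx php5 libapache2-mod-php5 mysql-server
                      postgresql telnetd rsh-server vsftpd].freeze
MANAGED_SERVICES = %w[apache2 nginx mysql postgresql vsftpd rsh].freeze

# Hypothetical roles: what each one is allowed to keep from the managed set.
ROLE_BASELINE = {
  'web'     => { packages: %w[apache2 libapache2-mod-php5 php5], services: %w[apache2] },
  'db'      => { packages: %w[mysql-server], services: %w[mysql] },
  'bastion' => { packages: [], services: [] }
}.freeze

# Parse `dpkg -l`: a package counts as installed only when the status column
# ends in "i" ("ii", "hi"); "rc" rows are removed packages with leftover config.
def installed_packages(dpkg_output)
  dpkg_output.each_line.map do |line|
    m = line.match(/\A[a-z]i\s+(\S+)/)
    m && m[1].split(':').first # drop the ":amd64" multiarch suffix
  end.compact
end

# Parse `service --status-all`: "[ + ]" is running, "[ - ]" stopped, "[ ? ]" unknown.
def running_services(status_output)
  status_output.each_line.map do |line|
    m = line.match(/\A\s*\[\s*\+\s*\]\s+(\S+)/)
    m && m[1]
  end.compact
end

# Diff reality against the role baseline. Each :purge entry maps to a Chef
# `package` resource with action :purge, each :disable entry to a `service`
# resource with actions [:stop, :disable].
def plan(role, dpkg_output, status_output)
  baseline = ROLE_BASELINE.fetch(role) { raise ArgumentError, "unknown role: #{role}" }
  purge   = (installed_packages(dpkg_output) & MANAGED_PACKAGES) - baseline[:packages]
  disable = (running_services(status_output) & MANAGED_SERVICES) - baseline[:services]
  { purge: purge.sort, disable: disable.sort }
end

# Constructed command output for a demonstration run.
SAMPLE_DPKG = <<~OUT
  Desired=Unknown/Install/Remove/Purge/Hold
  | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
  |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
  ||/ Name           Version          Description
  +++-==============-================-==================================
  ii  apache2        2.2.22-1ubuntu1  Apache HTTP Server metapackage
  ii  libc6:amd64    2.15-0ubuntu10   Embedded GNU C Library: Shared libraries
  ii  mysql-server   5.5.31-0ubuntu0  MySQL database server
  ii  telnetd        0.17-36build1    The telnet server
  rc  vsftpd         2.3.5-3ubuntu1   lightweight, efficient FTP server
OUT

SAMPLE_STATUS = <<~OUT
   [ + ]  apache2
   [ + ]  cron
   [ + ]  mysql
   [ - ]  rsh
   [ + ]  ssh
OUT

if __FILE__ == $PROGRAM_NAME
  %w[web db bastion].each do |role|
    puts "#{role}: #{plan(role, SAMPLE_DPKG, SAMPLE_STATUS).inspect}"
  end
end
```

The two parsers deliberately ignore rows that look installed but are not ("rc" in dpkg, "[ - ]" in the service list), so the plan never tries to purge what is already gone; feeding the returned names into idempotent `package`/`service` resources is what makes the baseline re-runnable.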
Remove unneeded packages (two example slides; only the titles survived extraction)
Restrict access to sensitive files & directories
• Protect what’s important from prying/malicious eyes
• Ensure file permissions restrict access to sensitive files and directories – e.g. /etc/ssh/sshd_config, /var/log/ – e.g. C:\Windows, C:\Inetpub
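An added example, not from the talk: a permission audit and repair in plain Ruby that a `ruby_block` could run, or that you run after a converge to confirm the `file`/`directory` resources did their job. The policy table and the temporary directory tree it builds are constructed for the demonstration. The check treats the policy mode as a ceiling, so a file that is stricter than required passes and the fix never loosens anything.

```ruby
require 'tmpdir'
require 'fileutils'

# Maximum permitted mode for each sensitive path, relative to a root directory.
# Constructed for this example; CIS/NIST benchmarks supply real values.
PERMISSION_POLICY = {
  'etc/ssh/sshd_config' => 0600,
  'etc/shadow'          => 0640,
  'var/log'             => 0750,
  'root/.ssh'           => 0700
}.freeze

# Bits set in the actual mode that the policy does not allow. A file that is
# stricter than policy (0400 against 0600) has no excess bits and passes.
def excess_bits(actual_mode, allowed_mode)
  (actual_mode & 07777) & ~allowed_mode
end

# Report every path that is missing or more permissive than the policy allows.
def audit(root, policy = PERMISSION_POLICY)
  policy.each_with_object([]) do |(rel, allowed), findings|
    path = File.join(root, rel)
    unless File.exist?(path)
      findings << { path: rel, problem: :missing }
      next
    end
    mode = File.stat(path).mode & 07777
    next if excess_bits(mode, allowed).zero?
    findings << { path: rel, problem: :too_permissive, mode: mode, allowed: allowed }
  end
end

# Clear only the excess bits (mode & allowed); never loosen a stricter file.
# Returns the post-fix audit so a caller can prove the tree is now clean.
def remediate(root, policy = PERMISSION_POLICY)
  audit(root, policy).each do |f|
    next unless f[:problem] == :too_permissive
    File.chmod(f[:mode] & f[:allowed], File.join(root, f[:path]))
  end
  audit(root, policy)
end

# Constructed tree with deliberately loose permissions for a demonstration run.
def build_sample_root
  root = Dir.mktmpdir('baseline')
  %w[etc/ssh var/log root/.ssh].each { |d| FileUtils.mkdir_p(File.join(root, d)) }
  File.write(File.join(root, 'etc/ssh/sshd_config'), "Protocol 2\n")
  File.write(File.join(root, 'etc/shadow'), "root:*:15000:0:99999:7:::\n")
  File.chmod(0644, File.join(root, 'etc/ssh/sshd_config')) # world-readable: fails
  File.chmod(0400, File.join(root, 'etc/shadow'))          # stricter than 0640: passes
  File.chmod(0755, File.join(root, 'var/log'))             # o+rx on the log dir: fails
  File.chmod(0700, File.join(root, 'root/.ssh'))           # exactly at policy: passes
  root
end

if __FILE__ == $PROGRAM_NAME
  root = build_sample_root
  audit(root).each do |f|
    puts "#{f[:path]}: #{f[:problem]} #{f[:mode] ? f[:mode].to_s(8) : ''}"
  end
  puts "after remediation: #{remediate(root).size} findings"
end
```

Ownership is the other half of this check (root:root on sshd_config, for example); it is left out here only because chown needs privileges the demonstration does not assume.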
Remove insecure/default configurations
• Disable password authentication for SSH – Force public key authentication – Also, disable empty passwords for users
• SSH – Ensure only v2 protocol connections are allowed
• Apache – Minimize loadable modules – Set ServerTokens to Prod and ServerSignature to Off (ServerTokens cannot be switched off, only reduced to the bare product name)
Remove insecure/default configurations
• Apache Example
• Take a look at: – http://docs.opscode.com/essentials_cookbook_attribute_files.html – http://docs.opscode.com/essentials_roles.html
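An added example, not code from the talk or from a published cookbook: enforcing the SSH and Apache settings from the two slides above on configuration text in plain Ruby (the output is what a `file` or `template` resource would write). The directive tables and sample files are constructed. The point it makes, which a naive "append the line" recipe misses: sshd honours the first occurrence of a directive and everything after a `Match` line is conditional, while Apache honours the last top-level occurrence and scopes directives inside `<Directory>`/`<VirtualHost>` blocks.

```ruby
# Enforced values (constructed for this example).
SSHD_HARDENING = {
  'Protocol'               => '2',
  'PasswordAuthentication' => 'no',
  'PubkeyAuthentication'   => 'yes',
  'PermitEmptyPasswords'   => 'no'
}.freeze
APACHE_HARDENING = { 'ServerTokens' => 'Prod', 'ServerSignature' => 'Off' }.freeze

# How each format scopes directives. sshd Match sections never close (the next
# Match just starts another one) and the first value wins; Apache blocks nest
# and the last top-level value wins.
PROFILES = {
  sshd:   { enter: /\AMatch\b/i,    exit: nil,      nested: false, first_wins: true },
  apache: { enter: %r{\A<[^/]},      exit: %r{\A</}, nested: true,  first_wins: false }
}.freeze

# Walk the text, yielding each line with its block depth and parsed directive
# (key is nil for blank and comment lines).
def each_directive(text, prof)
  depth = 0
  text.each_line do |raw|
    line = raw.chomp
    s = line.strip
    if s =~ prof[:enter]
      depth = prof[:nested] ? depth + 1 : 1
    elsif prof[:exit] && s =~ prof[:exit]
      depth -= 1
    end
    key, val = s.split(/[\s=]+/, 2)
    key = nil if key.nil? || key.start_with?('#')
    yield line, depth, key && key.downcase, val
  end
end

# Effective top-level value of each directive under the profile's precedence rule.
def effective(text, profile)
  prof = PROFILES.fetch(profile)
  values = {}
  each_directive(text, prof) do |_line, depth, key, val|
    next unless depth.zero? && key && val
    values[key] = val unless prof[:first_wins] && values.key?(key)
  end
  values
end

def compliant?(text, settings, profile)
  eff = effective(text, profile)
  settings.all? { |k, v| eff[k.downcase].to_s.downcase == v.downcase }
end

# Drop every top-level occurrence of a managed directive, emit the enforced
# values at the top of the global section, and report occurrences inside
# scoped blocks for review instead of silently rewriting them.
# Returns [hardened_text, lines_needing_review].
def enforce(text, settings, profile)
  prof = PROFILES.fetch(profile)
  managed = settings.keys.map(&:downcase)
  kept, review = [], []
  each_directive(text, prof) do |line, depth, key, _val|
    if key && managed.include?(key)
      next if depth.zero?   # dropped; re-emitted below with the enforced value
      review << line.strip  # scoped override: a human decides
    end
    kept << line
  end
  header = settings.map { |k, v| "#{k} #{v}" }
  [(header + kept).join("\n") + "\n", review]
end

# Constructed sample configs: both fail the baseline, each for a different reason.
SAMPLE_SSHD = <<~CFG
  # Package generated configuration file
  Port 22
  Protocol 2,1
  PasswordAuthentication yes
  #PermitEmptyPasswords no
  UsePAM yes
  Match Group sftponly
      PasswordAuthentication yes
      ForceCommand internal-sftp
CFG
SAMPLE_APACHE = <<~CFG
  ServerTokens OS
  ServerSignature On
  <Directory /var/www>
      ServerSignature On
  </Directory>
  ServerTokens Full
CFG

if __FILE__ == $PROGRAM_NAME
  [[SAMPLE_SSHD, SSHD_HARDENING, :sshd], [SAMPLE_APACHE, APACHE_HARDENING, :apache]].each do |text, settings, profile|
    hardened, review = enforce(text, settings, profile)
    puts "#{profile}: compliant before=#{compliant?(text, settings, profile)} after=#{compliant?(hardened, settings, profile)}"
    review.each { |l| puts "  review scoped override: #{l}" }
  end
end
```

`compliant?` is the check to keep even if Chef owns the whole file via a template: it reads the file the way the daemon does, so a stray `Protocol 2,1` or a second `PasswordAuthentication yes` inserted by a package upgrade shows up as a failure rather than as a false sense of security.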
Allow administrative access ONLY from trusted servers/clients • Leverage the firewall and other tools
– Restrict the source to the corporate network / admin network range
– 3rd-party tools like fail2ban
• Don’t allow (or at least restrict) ‘server hopping’
• Take a look at: – http://community.opscode.com/cookbooks/fail2ban – http://community.opscode.com/cookbooks/firewall – http://community.opscode.com/cookbooks/ssh_known_hosts
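An added example in plain Ruby, not from the talk or from the community firewall/fail2ban cookbooks, for this slide and for the closing remark about checking your ssh logs: generate iptables rules that admit new SSH connections only from trusted admin ranges, refuse over-broad ranges such as 0.0.0.0/0 before they reach the firewall, and count failed logins from outside those ranges in constructed auth.log lines, which is the quickest way to find out whether the rule is actually in front of sshd. The ranges, port list and log lines are assumptions.

```ruby
require 'ipaddr'

# Trusted administrative source ranges and admin ports (constructed).
TRUSTED_ADMIN = %w[10.20.0.0/16 192.0.2.0/24].freeze
ADMIN_PORTS = [22].freeze # add 3389 when a Linux filter fronts Windows hosts

# Parse CIDRs and refuse anything broader than /8, so a typo such as
# 0.0.0.0/0 cannot quietly open SSH to the world. Returns [network, prefix] pairs.
def parse_trusted(cidrs, min_prefix = 8)
  cidrs.map do |cidr|
    prefix = (cidr.split('/')[1] || 32).to_i
    raise ArgumentError, "#{cidr}: /#{prefix} is broader than /#{min_prefix}" if prefix < min_prefix
    [IPAddr.new(cidr), prefix]
  end
end

def trusted?(ip, cidrs = TRUSTED_ADMIN)
  addr = IPAddr.new(ip)
  parse_trusted(cidrs).any? { |net, _| net.include?(addr) }
end

# iptables commands: keep established sessions, accept NEW admin connections
# only from trusted ranges, then drop everything else aimed at the admin ports.
def admin_rules(cidrs = TRUSTED_ADMIN, ports = ADMIN_PORTS)
  rules = ['iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT']
  ports.each do |port|
    parse_trusted(cidrs).each do |net, prefix|
      rules << "iptables -A INPUT -p tcp --dport #{port} -s #{net}/#{prefix} -m conntrack --ctstate NEW -j ACCEPT"
    end
    rules << "iptables -A INPUT -p tcp --dport #{port} -j DROP"
  end
  rules
end

# auth.log lines look like "Failed password for root from 203.0.113.9 port 51234 ssh2".
FAILED_LOGIN = /Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port/

# Failed SSH logins per source outside the trusted ranges. Any non-zero count
# after the rules are loaded means sshd is still reachable from outside them.
def untrusted_failures(auth_log, cidrs = TRUSTED_ADMIN)
  counts = Hash.new(0)
  auth_log.each_line do |line|
    m = line.match(FAILED_LOGIN) or next
    counts[m[1]] += 1 unless trusted?(m[1], cidrs)
  end
  counts
end

# Constructed log excerpt: two outside sources brute-forcing, one admin typo.
SAMPLE_AUTH_LOG = <<~LOG
  Apr 24 10:01:12 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 51234 ssh2
  Apr 24 10:01:15 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 51240 ssh2
  Apr 24 10:02:01 web1 sshd[2230]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
  Apr 24 10:05:44 web1 sshd[2301]: Failed password for deploy from 10.20.1.4 port 55210 ssh2
  Apr 24 10:06:02 web1 sshd[2302]: Accepted publickey for deploy from 10.20.1.4 port 55211 ssh2
LOG

if __FILE__ == $PROGRAM_NAME
  puts admin_rules
  untrusted_failures(SAMPLE_AUTH_LOG).each do |ip, n|
    puts "#{ip}: #{n} failed logins from outside the admin range"
  end
end
```

Rule order matters: the ESTABLISHED,RELATED accept comes first so that loading the rules never cuts off the session doing the loading, and the per-port DROP is appended after the trusted accepts rather than relying on a default policy that a later recipe might change.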
If only we had more time… • More documentation to review:
– NIST SP800-123: Guide to General Server Security • http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
– Halo Configuration Policy Rule Checks • http://support.cloudpassage.com/entries/22033142-configuration-policy-rule-checks
– Center for Internet Security (CIS) Benchmarks • http://benchmarks.cisecurity.org/downloads/benchmarks/
– Microsoft (yes, that Microsoft) • http://www.microsoft.com/en-us/download/details.aspx?id=17606
In Closing
Moral of the Story
Security of your cloud servers is your responsibility
Security risks in the cloud are real (just check your ssh/RDP logs)
Security baselining isn’t just a best/better practice, it makes your life easier…
…and isn’t that why we started automating in the first place?
What does CloudPassage do? Security for virtual servers running in public and private clouds:
Firewall Automation, Multi-Factor Authentication, Account Management, Security Event Alerting, Configuration Security, Vulnerability Scanning, File Integrity Monitoring, API Automation
The End
• Ask questions! – Lots more info: community.cloudpassage.com – Small bits of info: @cloudpassage
• Tell me what you think! – Email: [email protected] – Twitter: @andrewsmhay
• We’re hiring! Email: [email protected]
BTW, We’re Hiring!
The End+=1
• Expect a webinar! – We plan on presenting a webinar on securely automating cloud server deployment – Follow our Twitter account for details: @cloudpassage
• Community Chef Code for Halo – https://github.com/escapestudios/chef-cloudpassage – http://community.opscode.com/cookbooks/cloudpassage
The End+=umm…more
• GitHub – http://github.com/cloudpassage – http://github.com/andrewsmhay
Thank You! Andrew Hay
[email protected] @andrewsmhay
@cloudpassage #ChefConf / #CloudSec