Securing the Fortress with Barbican at Symantec

Jason Fritcher
Principal Infrastructure Engineer
Cloud Platform Engineering



Copyright © 2015 Symantec Corporation

About Me

• In the Internet industry for nearly 20 years

• Worked in Development and Operations roles running Internet services

• Always had an interest in and an eye towards security

• In my free time, I enjoy Electronics, Video Games and Motorcycling


Agenda

1 Introduction to Barbican

2 Barbican at Symantec

3 Barbican Hardening

4 Barbican Improvements

5 Q & A


Introduction to Barbican: Ye Olde Barbican

“A Barbican is a fortified outpost or gateway, such as an outer defense to a city or castle, or any tower situated over a gate or bridge which was used for defensive purposes.”

- Wikipedia


Introduction to Barbican: Today’s Barbican

Barbican is a REST API designed for the secure storage, provisioning and management of secrets such as passwords, encryption keys and X.509 Certificates.


Introduction to Barbican: Barbican Resources

• Secrets
  – Hold the data to be secured.
  – Small objects, typically < 10KB data

• Containers
  – Logical grouping of secrets

• Orders
  – Longer running tasks, like key generation


Introduction to Barbican: Barbican Architecture

Components

• API Processes
  – Handles all interactions with the clients
  – Processes all secret and container tasks
  – Submits order tasks for workers

• Worker Processes
  – Processes all tasks which take more than a trivial amount of time
    • Asymmetric key generation
    • Certificate management


Introduction to Barbican: Barbican Architecture

Potential Dependencies

• Keystone
  – User authentication / authorization

• External Database
  – Replaces default SQLite option, more scalable

• Message Queue
  – API to Worker communication

• Hardware Security Module
  – Provides secure crypto environment and master key storage


Barbican at Symantec: Problems

• Secrets stored in Version Control System

• TLS Key Storage

• Encryption Keys

• Automated Deployments

• Automating Certificate Management


Barbican at Symantec: Use Cases

• LBaaS TLS Provisioning

• Configuration Management

• Key Management as a Service for Product Groups


Barbican at Symantec: Implementation

• Galera MySQL DB Cluster
  – Multi master topology, plus top-notch replication, including cross data center

• RabbitMQ Cluster

• SafeNet Luna SA HSMs
  – More on these later

• uWSGI + Apache + mod_proxy_uwsgi
  – Maybe mod_security to add WAF functionality


Barbican Hardening: Database

• Server TLS
  – Enabling TLS is as simple as specifying the key and cert in my.cnf
    • ssl_key=/etc/pki/tls/private/mysql.key
    • ssl_cert=/etc/pki/tls/certs/mysql.crt
  – To ensure TLS is always used, add REQUIRE SSL to your MySQL user account

• Client TLS
  – Activate TLS for connections by adding ssl_ca parameter to the connection string
    • sql_connection = mysql://barbican:[email protected]:3306/barbican?ssl_ca=/etc/barbican/ssl/ca.pem

• MySQL TLS Challenges
  – Intermediate certificates don’t work properly
  – Client hostname validation code is poor
  – Client/Server issues depending on OpenSSL versions
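The three settings on this slide (server key and cert, REQUIRE SSL on the account, ssl_ca on the client) can be checked together. The Python sketch below is an added example, not code from the talk or from Barbican; the function names are hypothetical, and the sample my.cnf, connection URL (hostname and password) and grant statements are constructed.

```python
import configparser
import re
from urllib.parse import parse_qs, urlsplit


def audit_server(my_cnf_text):
    """Findings for the [mysqld] section: both ssl_key and ssl_cert must be set."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(my_cnf_text)
    opts = {}
    if cp.has_section("mysqld"):
        # MySQL treats ssl-key and ssl_key as the same option name.
        opts = {k.replace("-", "_"): v for k, v in cp.items("mysqld")}
    return [f"[mysqld] is missing {name}"
            for name in ("ssl_key", "ssl_cert") if not opts.get(name)]


def audit_client(sql_connection):
    """Findings for the sql_connection URL: ssl_ca must be in the query string."""
    parts = urlsplit(sql_connection)
    if parse_qs(parts.query).get("ssl_ca"):
        return []
    return ["sql_connection has no ssl_ca parameter, so client TLS is not activated"]


def audit_account(statements, user):
    """Findings for the account: its definition must carry REQUIRE SSL (or X509)."""
    pattern = re.compile(rf"'{re.escape(user)}'@.*\bREQUIRE\s+(SSL|X509)\b", re.I)
    if any(pattern.search(s) for s in statements):
        return []
    return [f"account {user!r} lacks REQUIRE SSL, so unencrypted logins are accepted"]


# Constructed sample inputs (hostname, password and grants are made up).
MY_CNF = """[mysqld]
datadir=/var/lib/mysql
ssl-key=/etc/pki/tls/private/mysql.key
"""
URL_WEAK = "mysql://barbican:example-password@db.example.internal:3306/barbican"
URL_TLS = URL_WEAK + "?ssl_ca=/etc/barbican/ssl/ca.pem"
GRANTS_WEAK = ["GRANT USAGE ON *.* TO 'barbican'@'%'"]
GRANTS_TLS = ["GRANT USAGE ON *.* TO 'barbican'@'%' REQUIRE SSL"]

if __name__ == "__main__":
    for finding in (audit_server(MY_CNF) + audit_client(URL_WEAK)
                    + audit_account(GRANTS_WEAK, "barbican")):
        print("FINDING:", finding)
```

Depending on the MySQL version, the REQUIRE clause appears in the output of SHOW GRANTS or of SHOW CREATE USER; pass whichever applies to `audit_account`.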


Barbican Hardening: Barbican Node

• Restricted Node Access
  – Should only be accessible to a small pool of personnel
    • For just sshd restriction, see {ALLOW,DENY}{USERS,GROUPS} in sshd_config man page
    • For broader restrictions, look at pam_listfile or pam_access modules

• Automation issues
  – Automation systems like Puppet or Chef could be problematic, depending on risk tolerance

• Filesystem permissions
  – Barbican should only have read permissions to everything, except a log and tmp directory.

• Network controls
  – Firewall network traffic to only allow traffic from authorized hosts, Load Balancers and Monitoring


Barbican Hardening: Hardware Security Modules

• Hardware Security Modules are specialized devices that provide a secure execution and storage environment for cryptography.

• Form factor varies in shape and size (USB, PCI-Express, Network Appliance)

• Performance varies drastically between devices
  – General Purpose CPUs beat HSMs for raw symmetric performance

• Not easily jumped into; some of my challenges:
  – Data Center personnel hesitant with unfamiliar hardware
  – Building a secure environment within the data center
  – Auditing and compliance policies / processes
  – Separation of privileges


Barbican Improvements: PKCS11 Performance Improvements

• Existing p11_crypto and PKCS11 modules have a lot of room for improvement
  – Lot of round trips to the HSM per transaction
  – Sessions are opened, authenticated and closed per transaction
  – Not a lot of caching is done

• Improvements being made
  – First effort is to reduce the number of operations made per transaction
    • Caching project keys in the HSM and reusing them when possible, this saves ~4 RTs
    • Holding first authenticated session open to make subsequent session opens faster
    • Later we’ll use just a single connection or small pool to reduce setup/teardown costs

• Sync up with community efforts in this same realm


Barbican Improvements: PKCS11 Classes of Service

• Existing p11_crypto and PKCS11 modules are all or nothing
  – Barbican’s transaction rate becomes limited by the HSMs
  – To scale performance, you need to add more HSMs

• Improvements being made
  – Split class of service being implemented
  – First class will be the full HSM model in use today
  – Second class will relax the security standard a little
    • HSM will continue to encrypt/decrypt the Project Keys
    • Project Keys will be used on node to do encrypt/decrypt operations on secrets
    • Combined with caching Project Keys, should remove the majority of the HSM bottleneck

• Going to work with community on design for contribution


Barbican Improvements: Database Integrity Protection

• Existing database model provides integrity protection for encrypted secret data
  – Does not provide integrity protection to other stored metadata
  – Attacker can change metadata and Barbican won’t detect it

• Researching ways to add integrity protection without killing performance
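One way to make metadata changes detectable is a keyed MAC over each row's metadata columns, computed on the node so no HSM round trip is needed per check. The Python sketch below is an added illustration that goes beyond the slide, which only says approaches are being researched; it is not Barbican's design, and the column names, key and sample row are constructed assumptions.

```python
import hashlib
import hmac

# Hypothetical column set for a secret's metadata row (not Barbican's schema).
FIELDS = ("secret_id", "project_id", "name", "content_type", "expiration")


def canonical(row):
    """Encode the fields in a fixed order, each length-prefixed, so that
    ("ab", "c") and ("a", "bc") can never serialize to the same bytes."""
    out = bytearray()
    for field in FIELDS:
        value = row[field]
        data = b"" if value is None else str(value).encode("utf-8")
        # One marker byte distinguishes NULL from the empty string.
        out += b"\x00" if value is None else b"\x01"
        out += len(data).to_bytes(4, "big") + data
    return bytes(out)


def seal(key, row):
    """Return a copy of the row with an HMAC-SHA256 tag over its metadata."""
    tag = hmac.new(key, canonical(row), hashlib.sha256).hexdigest()
    return {**row, "mac": tag}


def verify(key, row):
    """True only if the stored tag matches the row's current metadata."""
    expected = hmac.new(key, canonical(row), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, row.get("mac", ""))


# Constructed sample: a fixed demo key; a real key would be protected like
# the project keys described on the earlier slides.
KEY = bytes(range(32))
ROW = seal(KEY, {
    "secret_id": "s-0001", "project_id": "p-42", "name": "lb-tls-key",
    "content_type": "application/octet-stream",
    "expiration": "2016-01-01T00:00:00",
})

if __name__ == "__main__":
    print("untouched row verifies:", verify(KEY, ROW))
    print("expiration cleared in DB:", verify(KEY, {**ROW, "expiration": None}))
    print("row re-assigned to another project:",
          verify(KEY, {**ROW, "project_id": "p-99"}))
```

Because the secret and project identifiers are part of the MAC input, a tag copied from one row onto another fails verification as well.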


Q&A


Thank you!

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Jason [email protected]
