Automating secure server baselines with Puppet

People are deploying servers in cloud environments faster than ever before but most are still not doing so in a safe and secure manner. Too few server instances are hardened as a part of the provisioning process; often leaving the technological doors wide open for potential service disruption by malicious threat agents – such as malware, automated attack tools and human attackers. This talk will explain how Puppet can be used to automate the creation and maintenance of secure server baselines as a foundation for securely operating in cloud environments.

Published in: Technology
Transcript

  • 1. Automating Secure Server Baselines with Puppet, a.k.a. "Making Fixing Stupid Stuff Easy". Andrew Hay, andrew@cloudpassage.com, @andrewsmhay | @cloudpassage, #puppetconf - #CloudSec. © 2012 CloudPassage Inc.
  • 2. Topics for today
    • Why the cloud makes security hard
    • Why secure the OS?
    • What is a baseline?
    • How Puppet can be used to create secure and repeatable server and application baselines
  • 3. Who are you?
    • Andrew Hay, Chief Evangelist, CloudPassage
    • Former:
      – Industry Analyst @ 451 Research
      – Security Analyst @ UofL and bank in Bermuda
      – Product, Program and Engineering Manager @ Q1 Labs
      – Linux guy at a few ISPs
  • 4. Goals of moving to cloud fail to mesh with security
  • 5. Cloud radically changes IT Ops (diagram: a Gold Master image cloned to www-1 through www-7 across a private datacenter and a public cloud)
    • Creating servers takes almost zero time
    • Server location can change frequently
    • Physical access to architecture no longer an option
  • 6. Cloud security is new (diagram: www-1 through www-4 in a private datacenter next to a public cloud)
  • 7. Cloud security is different (diagram: the same servers, with www-4 now running in the public cloud)
  • 8. Cloud security is complex (diagram: www-1 through www-10 spread across a private datacenter, Cloud Provider A and Cloud Provider B)
  • 9. Security products aren't adapting (same diagram as slide 8)
    • No network access
    • Temporary & elastic deployments
    • Multiple cloud environments
  • 10. We used to rely on perimeter defenses (diagram: firewalls separating a DMZ of load balancers and app servers from a core of auth and DB servers)
  • 11. But where is the perimeter in cloud? (diagram: the same load balancers, app, auth and DB servers in a public cloud, with no firewall tiers)
  • 12. The server is adjacent to the perimeter (diagram: load balancer, app servers and DB master exposed directly in the public cloud)
  • 13. Why secure the OS?
    • A hardened OS is often the last line of defense in the event of a security compromise.
    • It is important to note that hardening is not a panacea for security.
      – It is just another layer in a good security model.
    • By definition, any machine that is accessible on a network and running services is potentially insecure.
      – (i.e. pretty much any server)
  • 14. "Andrew's Law of Servers"
    • There are 3 kinds of servers:
      1) Secure servers
      2) Insecure servers
      3) Servers that you think are secure…
  • 15. Servers are vulnerable
    • National Vulnerability Database search of CVE and CCE vulnerabilities:
      – Ubuntu: last 3 years: 788 matching records; last 3 months: 100 matching records
      – RedHat: last 3 years: 1,910 matching records; last 3 months: 288 matching records
      – Microsoft Windows (server): …
    • NVD reported 3532 vulnerabilities in 2011.
    • This means that last year about ten new security vulnerabilities were discovered each day.
  • 16. What is a baseline?
    • base·line /ˈbāsˈlīn/: a minimum or starting point used for comparisons.
    • Think of it as the 'bare minimum' configuration for:
      – Server settings
      – Application configurations
      – Running services
      – Etc.
    • Ask yourself: "What do I want of my servers?"
  • 17. What if I only secure one or two things?
  • 18. Running with baselines… (diagram: three www servers built from a Gold Master, all flagged)
    • If your baseline is not secure…
    • Your servers built off of that baseline are also insecure
  • 19. Running with baselines… (diagram: five www servers built from a Better Master, some flagged, some of unknown state)
    • Pushing out a 'Better Master' might solve a lot of problems
    • But it will eventually fail you
  • 20. Running with baselines… (diagram: five www servers built from a new Gold Master)
    • Using our new 'Gold Master' we can trust our server's security
    • Letting us focus on other, more pressing tasks
  • 21. Running with baselines… (diagram: five www servers updated from the Gold Master)
    • Gold Master updates can be rolled out incrementally
    • Keeping your operational state…operational
  • 22. How Puppet Can Help
  • 23. Top 5 easy things to start building your secure baseline
    1. Disable unnecessary services
    2. Remove unneeded packages
    3. Restrict access to sensitive files & directories
    4. Remove insecure/default configurations
    5. Allow administrative access ONLY from trusted servers/clients
  • 24. Disable unnecessary services
    • Only what is needed…is needed
    • Shut down and disable unnecessary services
      – e.g. telnet, r-services, ftpd, etc.
    • Take a look at:
      – http://www.puppetcookbook.com/posts/ensure-service-stopped-on-boot.html
      – http://www.puppetcookbook.com/posts/ensure-service-is-stopped.html
      – http://docs.puppetlabs.com/references/latest/type.html#service
  • 25. Remove unneeded packages
    • If it isn't being used…why keep it?
    • If the server doesn't need to serve web pages
      – Remove PHP, Apache/nginx
    • If it's not a database server
      – Remove MySQL/PostgreSQL
    • Take a look at:
      – http://www.puppetcookbook.com/posts/remove-package.html
      – http://docs.puppetlabs.com/references/latest/type.html#package
  • 26. Restrict access to sensitive files & directories
    • Protect what's important from prying/malicious eyes
    • Ensure file permissions restrict access to sensitive files and directories
      – e.g. /etc/shadow, /etc/ssh/sshd_config
      – e.g. /var/tmp/, /tmp/
    • Take a look at:
      – http://docs.puppetlabs.com/references/latest/type.html#file
      – http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf
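Slides 24 to 26 expressed as one Puppet class, so the three measures are enforced together on every agent run. This is an added example, not code from the talk or from CloudPassage; the service and package names are assumptions for a RedHat-family host, and the /etc/shadow mode follows the NSA RHEL guide linked above.

```puppet
# Added example: a minimal hardening class for a RedHat-family host.
# Service and package names below are assumptions; adjust per distribution.
class baseline::minimal {

  # 1. Disable unnecessary services: stop them now and keep them off at boot.
  #    Only list services whose units exist in the base image; a missing unit
  #    makes the service resource fail rather than silently pass.
  service { ['cups', 'avahi-daemon', 'rpcbind']:
    ensure => stopped,
    enable => false,
  }

  # 2. Remove unneeded packages. Removing the package also removes its
  #    service, so legacy daemons (telnet, r-services, tftp) are handled
  #    here rather than in the service list above.
  package { ['telnet-server', 'rsh-server', 'tftp-server', 'ypserv']:
    ensure => absent,
  }

  # 3. Restrict access to sensitive files. Puppet re-checks owner, group and
  #    mode on every run, so a manual chmod drifts back within one interval.
  file { '/etc/shadow':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0000',   # RHEL convention; Debian uses root:shadow 0640
  }

  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

  # World-writable temp directories keep the sticky bit so users cannot
  # delete or rename each other's files.
  file { ['/tmp', '/var/tmp']:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '1777',
  }
}

# Apply it from site.pp or a node definition.
include baseline::minimal
```

Run it once with `puppet apply --noop baseline.pp` to see which resources would change on a given host before enforcing the class.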
  • 27. Remove insecure/default configurations
    • Disable password authentication for SSH
      – Force public key authentication
      – Also, disable empty passwords for users
    • SSH
      – Ensure only v2 protocol connections are allowed
    • Apache
      – Minimize loadable modules
      – Disable ServerTokens and ServerSignature directives
    • Take a look at:
      – http://forge.puppetlabs.com/saz/sudo
      – http://forge.puppetlabs.com/jonhadfield/wordpress
      – http://forge.puppetlabs.com/attachmentgenie/ssh
  • 28. Allow administrative access ONLY from trusted servers/clients
    • Leverage the firewall and other tools
      – Source of corporate network / admin network range
      – 3rd-party tools like fail2ban
    • Don't allow 'server hopping'
    • Take a look at:
      – http://forge.puppetlabs.com/attachmentgenie/ufw
      – http://forge.puppetlabs.com/example42/firewall
      – http://forge.puppetlabs.com/puppetlabs/denyhosts
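The SSH settings from slide 27 and the trusted-source firewall rule from slide 28 combined into one class: sshd_config is edited with Puppet's built-in augeas type, and the firewall rules use the puppetlabs-firewall module, which is an assumption (the talk points to example42/firewall and attachmentgenie/ufw instead). This is an added example, not code from the talk; the admin network range and the service name 'sshd' are placeholders, and the Apache items from slide 27 are not covered here.

```puppet
# Added example (not from the talk). Assumes the puppetlabs-firewall module
# (pre-v7 parameter names: action/dport) and a RedHat-family host where the
# SSH service is called 'sshd' (Debian calls it 'ssh').
class baseline::access (
  $admin_net = '10.0.100.0/24',   # placeholder: your corporate/admin range
) {
  # Remove insecure defaults from sshd_config via the Augeas Sshd lens.
  # Each 'set' is idempotent: it adds the directive if missing and rewrites
  # it only when the value differs, then the notify restarts sshd.
  augeas { 'sshd hardening':
    context => '/files/etc/ssh/sshd_config',
    changes => [
      'set Protocol 2',               # v1 is gone from modern OpenSSH; harmless there
      'set PubkeyAuthentication yes',
      'set PasswordAuthentication no',
      'set PermitEmptyPasswords no',
    ],
    notify  => Service['sshd'],
  }

  service { 'sshd':
    ensure => running,
    enable => true,
  }

  # Admin access only from the trusted range; everything else is dropped.
  # Add explicit accept rules for the ports your application serves, or the
  # final rule below will drop that traffic as well.
  firewall { '000 accept loopback':
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '001 accept related and established':
    proto   => 'all',
    ctstate => ['RELATED', 'ESTABLISHED'],
    action  => 'accept',
  }
  firewall { '010 ssh from admin network only':
    proto  => 'tcp',
    dport  => 22,
    source => $admin_net,
    action => 'accept',
  }
  firewall { '999 drop everything else':
    proto  => 'all',
    action => 'drop',
  }
}
```

Include the class with `class { 'baseline::access': admin_net => '<your range>' }` and test it from a host inside that range before the drop rule lands, since a wrong range locks out every administrator at once.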
  • 29. If only we had more time…
    • More documentation to review:
      – NIST SP800-123: Guide to General Server Security: http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
      – Halo Configuration Policy Rule Checks: http://support.cloudpassage.com/entries/22033142-configuration-policy-rule-checks
      – CIS Red Hat Enterprise Linux 6 Benchmark v1.1.0: http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.rhel6.110
      – NSA Security Configuration Guides: http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#linux2
  • 30. In Closing
  • 31. Moral of the Story
    • Security of your cloud servers is your responsibility
    • Security risks in the cloud are real (just check your ssh/RDP logs)
    • Security baselining isn't just a best/better practice, it makes your life easier…
    • …and isn't that why we started automating in the first place?
  • 32. What does CloudPassage do? Security for virtual servers running in public and private clouds:
    • Firewall Automation
    • File Integrity Monitoring
    • Multi-Factor Authentication
    • Account Management
    • Configuration Security
    • Security Event Alerting
    • Vulnerability Scanning
    • API Automation
  • 33. The End
    • Ask questions!
      – Lots more info: community.cloudpassage.com
      – Small bits of info: @cloudpassage
    • Tell me what you think!
      – Email: andrew@cloudpassage.com
      – Twitter: @andrewsmhay
    • BTW, we're hiring! We're DevOps, Rails, UX, SecOps, etc…
      – Email: jobs@cloudpassage.com
  • 34. The End++
    • Expect a webinar!
      – We plan on presenting a webinar on securely automating cloud server deployment
      – Follow our Twitter account for details: @cloudpassage
    • Community Puppet Code for Halo
      – https://github.com/mrpatrick/puppet-cloudpassage
      – https://github.com/rkhatibi/puppet-cloudpassage
  • 35. Thank You! Andrew Hay, andrew@cloudpassage.com, @andrewsmhay, @cloudpassage, #puppetconf - #CloudSec
