Automating secure server baselines with Chef

People are deploying servers in cloud environments faster than ever before, but most are still not doing so in a safe and secure manner. Too few server instances are hardened as part of the provisioning process, often leaving the technological doors wide open to service disruption by malicious threat agents — such as malware, automated attack tools and human attackers. This talk will explain how Chef can be used to automate the creation and maintenance of secure server baselines as a foundation for operating securely in cloud environments.

  1. Automating Secure Server Baselines with Chef
     a.k.a. "Making Fixing Stupid Stuff Easy"
     Andrew Hay, @andrewsmhay | @cloudpassage
     #ChefConf / #CloudSec
     © 2013 CloudPassage Inc.
  2. Topics for today
     •  Why the cloud makes security hard
     •  Why secure the OS?
     •  What is a baseline?
     •  How Chef can be used to create secure and repeatable server and application baselines
  3. Who are you?
     •  My name is Andrew Hay, and I am a chef…
  4. Who are you?
     •  Andrew Hay, Director of Applied Security Research at CloudPassage, Inc.
     •  Former:
        –  Senior Industry Analyst @ 451 Research
        –  Security Analyst @ UofL and a bank in Bermuda
        –  Product, Program and Engineering Manager @ Q1 Labs
  5. Goals of moving to cloud fail to mesh with security (diagram)
  6. We used to rely on perimeter defenses (diagram: DMZ and core zones behind firewalls, with load balancer, auth server, app server and DB)
  7. But where is the perimeter in cloud? (diagram: the same load balancer, app servers, auth server and DBs placed in a public cloud)
  8. The server is adjacent to the perimeter (diagram: public cloud with load balancer, app servers, DB and master)
  9–10. Why secure the OS?
     •  A hardened OS often is the last line of defense in the event of a security compromise.
     •  It is important to note that hardening is not a panacea for security.
        –  It is just another layer in a good security model.
     •  By definition, any machine that is accessible on a network and running services is potentially insecure.
        –  (i.e. pretty much any server)
  11. "Andrew's Law of Servers"
     •  There are 3 kinds of servers:
        1) Secure servers
        2) Insecure servers
        3) Servers that you think are secure…
  12. Servers are vulnerable
     •  National Vulnerability Database search of CVE and CCE vulnerabilities:
        –  Ubuntu
           •  Last 3 years: 1,015 matching records
           •  Last 3 months: 145 matching records
        –  Red Hat Enterprise Linux
           •  Last 3 years: 50 matching records
           •  Last 3 months: 23 matching records
        –  Microsoft Windows (server)
           •  Last 3 years: 319 matching records
           •  Last 3 months: 48 matching records
     •  NVD reported 5,715 vulnerabilities in 2012.
     •  This means that last year about 16 new security vulnerabilities were discovered each day.
  13. What is a baseline?
     •  base·line /ˈbāsˌlīn/
        –  A minimum or starting point used for comparisons.
     •  Think of it as the 'bare minimum' configuration for:
        –  Server settings
        –  Application configurations
        –  Running services
        –  Etc.
     •  Ask yourself:
        –  "What do I want of my servers?"
  14–15. What if I only secure one or two things? (image)
  16. Running with baselines…
     •  If your baseline (the Gold Master) is not secure, your servers built off of that baseline are also insecure.
  17. Running with baselines…
     •  Pushing out a 'Better Master' might solve a lot of problems
     •  But it may (will) eventually fail you
  18. Running with baselines…
     •  Using our new 'Gold Master' we can trust our servers' security
     •  Letting us focus on other, more pressing tasks
  19. Running with baselines…
     •  Gold Master updates can be rolled out incrementally
     •  Keeping your operational state…operational
  20. How Chef Can Help
  21. Top 5 easy things to start building your secure baseline
     1.  Disable unnecessary services
     2.  Remove unneeded packages
     3.  Restrict access to sensitive files & directories
     4.  Remove insecure/default configurations
     5.  Allow administrative access ONLY from trusted servers/clients
  22. Disable unnecessary services
     •  Only what is needed…is needed!
     •  Shut down and disable unnecessary/insecure services
        –  e.g. telnet, r-services, ftpd, etc.
     •  Take a look at:
        –
        –
        –
  23. Remove unneeded packages
     •  If it isn't being used…why keep it?
     •  If the server doesn't need to serve web pages
        –  Remove PHP, Apache/nginx
     •  If it's not a database server
        –  Remove MySQL/PostgreSQL
     •  Take a look at:
        –
        –
        –
  24. Remove unneeded packages (Chef package resources)
     –  apt_package
     –  chef_gem
     –  dpkg_package
     –  easy_install_package
     –  freebsd_package
     –  gem_package
     –  ips_package
     –  macports_package
     –  pacman_package
     –  portage_package
     –  rpm_package
     –  smartos_package
     –  solaris_package
     –  yum_package
  25–26. Remove unneeded packages (image-only slides)
  27. Restrict access to sensitive files & directories
     •  Protect what's important from prying/malicious eyes
     •  Ensure file permissions restrict access to sensitive files and directories
        –  e.g. /etc/ssh/sshd_config, /var/log/
        –  e.g. C:\Windows, C:\Inetpub
  28. Remove insecure/default configurations
     •  Disable password authentication for SSH
        –  Force public key authentication
        –  Also, disable empty passwords for users
     •  SSH
        –  Ensure only v2 protocol connections are allowed
     •  Apache
        –  Minimize loadable modules
        –  Disable ServerTokens and ServerSignature directives
  29. Remove insecure/default configurations
     •  Apache Example (image)
     •  Take a look at:
        –
        –
  30. Allow administrative access ONLY from trusted servers/clients
     •  Leverage the firewall and other tools
        –  Source of corporate network / admin network range
        –  3rd-party tools like fail2ban
     •  Don't allow (or at least restrict) 'server hopping'
     •  Take a look at:
        –
        –
        –
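The deck names the settings to enforce (steps 3 and 4 above: restricted permissions on /etc/ssh/sshd_config, SSH public-key-only authentication, no empty passwords, protocol 2) but shows the Chef code only as images. The following is an added example, written for this page and not code from the slides, from CloudPassage or from Chef itself: a stand-alone Ruby routine that rewrites an sshd_config to those settings and reports what drifted, plus a permission-bit check for a sensitive file. In a cookbook the returned text would be delivered through a `file` or `template` resource that notifies the sshd service to reload; that wiring is not shown. The names `REQUIRED_SSHD`, `harden_sshd_config`, `mode_too_permissive?` and the sample config are this example's own constructions.

```ruby
# Added example, not from the slides or from CloudPassage/Chef: enforce the
# sshd_config settings named in the deck (key-only auth, no empty passwords,
# protocol 2) and report what drifted. Function and constant names are the
# example's own. In a Chef cookbook the returned text would be written with a
# `file`/`template` resource that notifies the sshd service to reload.

# Directive => required value. sshd keywords are matched case-insensitively.
REQUIRED_SSHD = {
  'Protocol'               => '2',    # only SSH protocol version 2
  'PasswordAuthentication' => 'no',   # force public-key authentication
  'PubkeyAuthentication'   => 'yes',
  'PermitEmptyPasswords'   => 'no',   # no logins for accounts with empty passwords
}.freeze

# Returns [hardened_text, findings]. Only the global section is rewritten:
# directives after the first `Match` line are conditional and left alone, and
# missing directives are inserted *before* that line so they stay global
# (appending them at the end of the file would silently scope them to the
# last Match block). Running it on its own output yields no findings.
def harden_sshd_config(text)
  lines = text.lines.map(&:chomp)
  match_idx = lines.index { |l| l.strip =~ /\AMatch\b/i } || lines.length
  seen = {}
  findings = []

  lines.each_with_index do |line, i|
    break if i >= match_idx
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')   # comments and "#Key default" hints stay
    key, value = stripped.split(/[\s=]+/, 2)               # "Key value" or "Key=value"
    wanted_key = REQUIRED_SSHD.keys.find { |k| k.casecmp?(key) }
    next unless wanted_key
    seen[wanted_key] = true
    wanted = REQUIRED_SSHD[wanted_key]
    next if value.to_s.strip.casecmp?(wanted)
    findings << "#{wanted_key}: was '#{value}', set to '#{wanted}'"
    lines[i] = "#{wanted_key} #{wanted}"
  end

  additions = REQUIRED_SSHD.reject { |k, _| seen[k] }.map do |k, v|
    findings << "#{k}: absent, added '#{v}'"
    "#{k} #{v}"
  end
  lines.insert(match_idx, *additions) unless additions.empty?
  [lines.join("\n") + "\n", findings]
end

# True when `mode` grants any permission bit beyond `max_mode`; the deck lists
# /etc/ssh/sshd_config as sensitive, so 0644 against a 0600 ceiling is a finding.
def mode_too_permissive?(mode, max_mode)
  (mode & 0o777 & ~max_mode) != 0
end

# Constructed sample resembling a stock distribution sshd_config (not a real host's file).
SAMPLE_SSHD_CONFIG = <<~CONF
  # Package generated configuration file
  Port 22
  #PasswordAuthentication yes
  PermitEmptyPasswords yes
  PasswordAuthentication yes
  UsePAM yes
  Match User backup
      PasswordAuthentication yes
CONF

if __FILE__ == $PROGRAM_NAME
  hardened, findings = harden_sshd_config(SAMPLE_SSHD_CONFIG)
  findings.each { |f| puts "finding: #{f}" }
  puts hardened
  puts "sshd_config mode 0644 too permissive: #{mode_too_permissive?(0o644, 0o600)}"
end
```

On the sample, the routine flips `PermitEmptyPasswords` and `PasswordAuthentication` to `no`, inserts `Protocol 2` and `PubkeyAuthentication yes` ahead of the `Match User backup` block, and leaves the conditional `PasswordAuthentication yes` inside that block untouched, since rewriting it would change a scoped exception the administrator chose deliberately. Because a second pass over the hardened text reports nothing, the same check doubles as a drift detector on already-baselined hosts.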
  31. If only we had more time…
     •  More documentation to review:
        –  NIST SP800-123: Guide to General Server Security
           •
        –  Halo Configuration Policy Rule Checks
           •
        –  Center for Internet Security (CIS) Benchmarks
           •
        –  Microsoft (yes, that Microsoft)
           •
  32. In Closing
  33. Moral of the Story
     •  Security of your cloud servers is your responsibility
     •  Security risks in the cloud are real (just check your SSH/RDP logs)
     •  Security baselining isn't just a best/better practice, it makes your life easier…
     •  …and isn't that why we started automating in the first place?
  34. What does CloudPassage do?
     Security for virtual servers running in public and private clouds: Firewall Automation, Multi-Factor Authentication, Account Management, Security Event Alerting, Configuration Security, Vulnerability Scanning, File Integrity Monitoring, API Automation
  35. The End
     •  Ask questions!
        –  Lots more info:
        –  Small bits of info: @cloudpassage
     •  Tell me what you think!
        –  Email:
        –  Twitter: @andrewsmhay
     •  We're hiring! Email: jobs@cloudpassage.com
  36. The End += 1
     •  Expect a webinar!
        –  We plan on presenting a webinar on securely automating cloud server deployment
        –  Follow our Twitter account for details: @cloudpassage
     •  Community Chef Code for Halo
        –
        –
  37. The End += umm…more
     •  GitHub
        –
        –
  38. Thank You!
     Andrew / #CloudSec