Don't Build "Death Star" Security - O'Reilly Software Architecture Conference 2016 NYC
How vulnerable are your systems after the first line of defense? Do attackers get a stronger foothold after each compromise? How valuable is the data your systems can leak?

“Death Star” security describes a system that relies entirely on an outermost security layer and fails catastrophically when breached. As services multiply, they shouldn’t all run in a single, trusted virtual private cloud. Sharing secrets doesn’t scale either, as systems multiply and partners integrate with your product and users.

David Strauss explores security methods strong enough to cross the public Internet, flexible enough to allow new services without altering existing systems, and robust enough to avoid single points of failure. David covers the basics of public key infrastructure (PKI), explaining how PKI uniquely supports security and high availability, and demonstrates how to deploy mutual authentication and encryption across a heterogeneous infrastructure, use capability-based security, and use federated identity to provide a uniform frontend experience while still avoiding monolithic backends. David also explores JSON Web Tokens as a solution to session woes, distributing user data and trust without sharing backend persistence.

A good written summary of the key talking points: https://www.infoq.com/news/2016/04/oreilysacon-day-one

  1. Don’t Build “Death Star” Security: Maintaining agility and security in distributed and microservice architectures
  2. About Me
     ● Drupal
       ○ Infrastructure (drupal.org)
       ○ Security
       ○ Performance/scalability, especially database
     ● Systemd
       ○ Committer
       ○ Scalable cgroups management
       ○ Structured logging integration
       ○ Launch-on-demand adapter maintainer
     ● Pantheon
       ○ CTO and Co-founder
       ○ Billions of monthly page views
       ○ Millions of containers
  3. Your infrastructure is the Empire…
  4. …and Rebel scum from Tatooine threatens it.
  5. “Death Star” security is reinforcing the edge…
  6. …but suffering catastrophe when that’s breached. BOOM!
  7. We’re not here to talk about basics or your edge
     ● Layer 2 or 3 Firewalls
     ● Web Application Firewalls
     ● OWASP Top 10
     ● DDoS Controls
     ● Applying updates quickly
     For the purposes of this presentation: Your first line of defense is gone!
  8. Where Do Attackers Go Next?
     ● Collecting authentication data
     ● Using the foothold behind the firewall
       ○ Attacking other internal systems
       ○ Exploiting the assumption of trust
     ● Collecting sensitive user, payment, and patient data
     ● Phishing attacks from privileged email accounts
  9. Authentication Security
  10. Challenge: Password Data Breach
      827ccb0eea8a706c4c34a16891f84e7b
      “That's amazing! I've got the same combination on my luggage!” (President Skroob)
  11. Pattern: Better Password Hashing
      Password: 12345
      Salt: 4c34a8371ce2d3116
      Pepper: 27ccb0eea8a706c
      HMAC SHA512 → 827ccb0eea891f84e7b8a7891f84e7b06c4c34a16891f84e7
  12. Pattern: Add in Password Stretching
      Password: 12345
      Salt: 4c34a8371ce2d3116
      Pepper: 27ccb0eea8a706c
      PBKDF2 (100k rounds) → 84e7b8827ccba891f84e7b8a7891f84e7b06c4c34a16891f
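Slides 10 to 12 as one added Python example (not code from the talk): the leaked value on slide 10 is the unsalted MD5 of 12345, and the hardened scheme applies the pepper as an HMAC key before stretching with PBKDF2-HMAC-SHA512 over a per-user salt. The salt and pepper are the constructed sample values from the slides, and the storage format and function names are this example's own.

```python
import hashlib
import hmac
import os

# Constructed sample values copied from slides 11-12. In production the salt is
# random per user and stored with the hash; the pepper is a server-side secret
# kept outside the database (config file or key manager), so a dump of the
# users table alone is not enough to start cracking.
SALT = b"4c34a8371ce2d3116"
PEPPER = b"27ccb0eea8a706c"
ROUNDS = 100_000  # the "100k rounds" of slide 12

def legacy_md5(password: str) -> str:
    """The unsalted, unstretched scheme behind the breach on slide 10."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, salt: bytes, pepper: bytes, rounds: int = ROUNDS) -> str:
    """Slide 11 + 12: HMAC the password under the pepper, then stretch the
    result with PBKDF2-HMAC-SHA512 over the per-user salt. The stored string
    carries algorithm, rounds and salt so rounds can be raised later."""
    peppered = hmac.new(pepper, password.encode(), hashlib.sha512).digest()
    derived = hashlib.pbkdf2_hmac("sha512", peppered, salt, rounds)
    return f"pbkdf2_sha512${rounds}${salt.hex()}${derived.hex()}"

def verify_password(password: str, stored: str, pepper: bytes) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    try:
        algo, rounds, salt_hex, _digest = stored.split("$")
        salt, rounds = bytes.fromhex(salt_hex), int(rounds)
    except ValueError:
        return False  # malformed or foreign record: never a match
    if algo != "pbkdf2_sha512":
        return False
    candidate = hash_password(password, salt, pepper, rounds)
    return hmac.compare_digest(candidate, stored)

def new_user_record(password: str, pepper: bytes) -> str:
    """Fresh random salt per user, so identical passwords hash differently."""
    return hash_password(password, os.urandom(16), pepper)
```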
  13. Pattern: Requiring Decent Passwords
  14. Pattern: Multifactor Authentication: Something You Have or Something You Are
  15. Pattern: Federated Authentication
  16. Pattern: Authentication Before Application: Apache with SAML in front of Drupal or WordPress with PHP-FPM
  17. Have You Met the Confused Deputy?
  18. Challenge: Ambient Authority and Confused Deputies
      How it’s supposed to work:
        Governor Tarkin: “Set a course for Alderaan.”
        Helm/Weapons: “Setting course, Governor.” → Alderaan: BOOM!
      How it can fail:
        Imposter Tarkin: “Set a course for Coruscant.”
        Helm/Weapons: “Setting course, Governor.” → Coruscant: BOOM!
  19. Pattern: Capability-Based Security
      How it’s supposed to work:
        Governor Tarkin: “Set a course for ef28bc28 (signed token for Alderaan).”
        Helm/Weapons: code validation passes. “Setting course, Governor.” → Alderaan: BOOM!
      Attempted hack:
        Imposter Tarkin: “Set a course for, um, 3a2eb45a (invalid token).”
        Helm/Weapons: code validation fails. “Sorry, that code isn’t working in my helm system, Governor.”
  20. Pattern: Mandatory access control (MAC), like selinux
      How it’s supposed to work:
        Governor Tarkin: “Set a course for Alderaan.”
        Helm/Weapons (policy: may target Rebel): “Setting course, Governor.” → Alderaan [Label: Rebel]: BOOM!
      Attempted hack:
        Imposter Tarkin: “Set a course for Coruscant.”
        Helm/Weapons (policy: may target Rebel): Coruscant [Label: Imperial] → DENIED
  21. Antipattern: Mandatory access control (MAC) as an afterthought
  22. Better: Boundaries First, Container-Style
  23. Staying Hands-Off Sensitive Data
  24. Pattern: Delegated Handling of Sensitive Data
      (Diagram: the User Agent does an HTTP GET to Your Application, but HTTP POSTs the Sensitive Data, such as payments or marketing details, straight to an External Service, so your application never holds it.)
  25. Pattern: Black Hole APIs
      ● Don’t simply divide permissions into read versus read+write.
      ● The ability to just write allows one side to irretrievably rid itself of access to sensitive information.
  26. Protecting Data on the Move and Endpoints
  27. Pattern: Key Management
      ● AWS Key Management System
      ● Alliance Key Manager by Townsend Security
        ○ Lockr (for Drupal and WordPress)
      ● Vault by HashiCorp
      ● Many more…
      (Diagram: App ↔ Key Manager ↔ Database, with the Key Manager keeping an Audit Trail and raising Alerts.)
  28. Pattern: Anonymizing Data
      david@pantheon.io → xa34s@au39sm.io
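Slide 28 as an added Python example (not from the talk): a keyed, deterministic pseudonymizer that turns david@pantheon.io into something shaped like xa34s@au39sm.io, so a copy of the data still joins and validates while the key needed to link it back stays outside the anonymized dataset. The key, the output lengths and the function names are this example's assumptions.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_lowercase + string.digits

def _pseudonym(value: str, key: bytes, length: int) -> str:
    """Keyed HMAC of the (case-folded) value, rendered as a fixed-length
    lowercase alphanumeric label. Without the key, nobody can rebuild the
    mapping by hashing a dictionary of likely names or domains."""
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])

def anonymize_email(email: str, key: bytes) -> str:
    """Replace the local part and the domain label but keep the e-mail shape
    and the TLD, mirroring david@pantheon.io -> xa34s@au39sm.io on slide 28.
    The same input under the same key always yields the same pseudonym, so
    rows for one user stay linked inside the anonymized copy."""
    local, at, domain = email.rpartition("@")
    if not at or not local or "." not in domain:
        raise ValueError("not an e-mail address")
    label, _, tld = domain.rpartition(".")
    return f"{_pseudonym(local, key, 5)}@{_pseudonym(label, key, 6)}.{tld}"
```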
  29. Pattern: Physical Security and Device Encryption
  30. Pattern: Smart Cards and Hardware Tokens
      (Diagram: PIN or Password → hardware token → SSH Server)
  31. Preventing a Breach from Spreading
  32. Pattern: Systems Isolation
      Web-Facing Systems: Load Balancer, Application Server, Database Server, Cache Server
      Firewall or More
      Intranet Systems: Active Directory, Exchange, File Shares, HR Records
  33. Challenge: Shared Secrets (Including Passwords)
      (Diagram: App ↔ Password or Key ↔ Database; the shared secret gives Compromise Point #1 on the app and Compromise Point #2 on the database.)
  34. Anti-pattern: Security Through Obscurity
      “An analysis of the plans found in their insecure git repository has demonstrated a weakness in the battle station.”
  35. Pattern: Public Key Infrastructure
      (Diagram: every hop carries its own server certificate or key, and each client presents a client certificate.)
      ● User → CDN: HTTPS, Server Certificate
      ● CDN → nginx: HTTPS, Client Certificate on the CDN, Server Certificate on nginx
      ● Admin → SSH Jump or VPN Tunnel (through the Firewall): SSH Key for the user, Server Key on the jump host
      ● PHP-FPM + Drupal → MySQL/MariaDB, Solr (HTTPS), File System (NFS or Similar): Client Certificate on the app, Server Certificate on each backend
  36. Creating a Local Certificate Authority (CA)
      ● Once: Create a certificate authority (CA):
        ○ Create a private key for the CA.
        ○ Create the certificate for the CA.
        ○ Distribute the certificate to your servers.
      ● Every time: Follow the normal certificate-creation steps:
        ○ Create a private key.
        ○ Create a certificate signing request (CSR).
        ○ Sign the certificate on the CA.
        ○ Deploy the certificate alongside the private key.
  37. MySQL PKI: Server Side
      [mysqld]
      ssl-ca=ca.crt
      ssl-cert=server.crt
      ssl-key=server.key

      CREATE USER 'backups'@'backup-host'
        REQUIRE SUBJECT '/C=US/ST=California/L=San Francisco/O=Pantheon/CN=backups.pantheon.io/emailAddress=hosting@pantheon.io';
      Supports rolling secret rotation for multiple clients!
  38. MySQL PKI: Client Side
      <?php
      $pdo = new PDO('mysql:host=ip;dbname=db', 'user', 'pass', array(
          // Client certificate and key: the server's REQUIRE SUBJECT rule on
          // slide 37 is checked against this certificate.
          PDO::MYSQL_ATTR_SSL_KEY  => '/etc/mysql/tls/client.key',
          PDO::MYSQL_ATTR_SSL_CERT => '/etc/mysql/tls/client.crt',
          // The local CA from slide 36, so the server's certificate is checked too.
          PDO::MYSQL_ATTR_SSL_CA   => '/etc/mysql/tls/ca.crt',
          PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
      ));
      // Confirm the session actually negotiated TLS: Ssl_cipher is empty otherwise.
      $statement = $pdo->query("SHOW STATUS LIKE 'Ssl_cipher';");
      $row = $statement->fetch(PDO::FETCH_ASSOC);
      echo htmlentities($row['Value']);
  39. Tomcat PKI: Server Side
      <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
                 scheme="https" secure="true"
                 keystoreFile="/etc/tls/servlet.ks" keystorePass="secret"
                 clientAuth="true" sslProtocol="TLS"
                 truststoreFile="/etc/tls/servlet.ks" truststorePass="secret"
                 domain="catalina" />
  40. nginx PKI: Server Side
      ...
      server {
          listen 443 ssl;
          ssl_certificate server.crt;
          ssl_certificate_key server.key;
          ssl_client_certificate ca.crt;
          # Added here (the slide elides it): without this line nginx accepts
          # connections that present no client certificate at all.
          ssl_verify_client on;
          ...
  41. Python PKI: Client Side
      import requests
      requests.get('https://api.pantheon.io',
                   cert=('client.crt', 'client.key'),  # client certificate presented to the server
                   verify='ca.crt')                      # local CA used to verify the server
  42. Questions? @DavidStrauss, david@pantheon.io, linkedin.com/in/davidstrauss