Automating Secure Server Baselines with Puppet
a.k.a. "Making Fixing Stupid Stuff Easy"

Andrew Hay
andrew@cloudpassage.com
@andrewsmhay | @cloudpassage

#puppetconf - #CloudSec

© 2012 CloudPassage Inc.               1
Topics for today

• Why the cloud makes security hard

• Why secure the OS?

• What is a baseline?

• How Puppet can be used to create secure and repeatable server and application baselines

Who are you?
• Andrew Hay, Chief Evangelist, CloudPassage

• Former
        – Industry Analyst @ 451 Research
        – Security Analyst @ UofL and bank in Bermuda
        – Product, Program and Engineering Manager @ Q1 Labs
        – Linux guy at a few ISPs

Goals of moving to cloud fail to mesh with security

Cloud radically changes IT Ops

[Diagram: a Gold Master image spawning www-1 through www-7 across a Public Cloud and a Private Datacenter]

Creating servers takes almost zero time
Server location can change frequently
Physical access to architecture no longer an option

Cloud security is new

[Diagram: www-1 through www-4 inside the private datacenter; the public cloud is still empty]

Cloud security is different

[Diagram: www-1 through www-4 inside the private datacenter, with www-4 now also running in the public cloud]

Cloud security is complex

[Diagram: www-1 through www-4 in the Private Datacenter, www-4 through www-6 in Cloud Provider A, and www-7 through www-10 in Cloud Provider B]

Security products aren't adapting

[Diagram: the same servers spread across Cloud Provider A, Cloud Provider B and the Private Datacenter, annotated "No Network Access", "Temporary & Elastic Deployments" and "Multiple Cloud Environments"]

We used to rely on perimeter defenses

[Diagram: two datacenter tiers, each with an Auth Server and DB servers behind a core Firewall, and a Load Balancer and App Server behind a dmz Firewall]

But where is the perimeter in cloud?

[Diagram: the same Auth Server, DB servers, Load Balancers and App Servers placed in the public cloud, with no firewall tiers between them]

The server is adjacent to the perimeter

[Diagram: a Load Balancer in front of two App Servers and a DB Master, all in the public cloud]

Why secure the OS?
• A hardened OS is often the last line of defense in the event of a security compromise.

• It is important to note that hardening is not a panacea for security.
        – It is just another layer in a good security model.

• By definition, any machine that is accessible on a network and running services is potentially insecure.
        – (i.e. pretty much any server)

"Andrew's Law of Servers"
• There are 3 kinds of servers:
        1) Secure servers
        2) Insecure servers
        3) Servers that you think are secure…

Servers are vulnerable
• National Vulnerability Database search of CVE and CCE vulnerabilities:
        – Ubuntu
                  • Last 3 years: 788 matching records
                  • Last 3 months: 100 matching records
        – RedHat
                  • Last 3 years: 1,910 matching records
                  • Last 3 months: 288 matching records
        – Microsoft Windows (server)
                  • …

• NVD reported 3532 vulnerabilities in 2011.

• This means that last year about ten new security vulnerabilities were discovered each day.

What is a baseline?
• base·line /ˈbāsˈlīn/
        – A minimum or starting point used for comparisons.

• Think of it as the 'bare minimum' configuration for:
        – Server settings
        – Application configurations
        – Running services
        – Etc.

• Ask yourself:
        – "What do I want of my servers?"

What if I only secure one or two things?

Running with baselines…

[Diagram: an insecure Gold Master spawning www servers that are all insecure]

If your baseline is not secure…
Your servers built off of that baseline are also insecure

Running with baselines…

[Diagram: a Better Master spawning www servers in a mix of insecure and unknown states]

Pushing out a 'Better Master' might solve a lot of problems
But it will eventually fail you

Running with baselines…

[Diagram: a new, trusted Gold Master spawning www servers]

Using our new 'Gold Master' we can trust our servers' security
Letting us focus on other, more pressing tasks

Running with baselines…

[Diagram: Gold Master updates being rolled out to www servers a few at a time]

Gold Master updates can be rolled out incrementally
Keeping your operational state…operational

How Puppet Can Help

Top 5 easy things to start building your secure baseline
1. Disable unnecessary services

2. Remove unneeded packages

3. Restrict access to sensitive files & directories

4. Remove insecure/default configurations

5. Allow administrative access ONLY from trusted servers/clients

Disable unnecessary services
• Only what is needed…is needed

• Shutdown and disable unnecessary services
        – e.g. telnet, r-services, ftpd, etc.

• Take a look at:
        – http://www.puppetcookbook.com/posts/ensure-service-stopped-on-boot.html
        – http://www.puppetcookbook.com/posts/ensure-service-is-stopped.html
        – http://docs.puppetlabs.com/references/latest/type.html#service

Remove unneeded packages
• If it isn't being used…why keep it?

• If the server doesn't need to serve web pages
        – Remove PHP, Apache/nginx

• If it's not a database server
        – Remove MySQL/PostgreSQL

• Take a look at:
        – http://www.puppetcookbook.com/posts/remove-package.html
        – http://docs.puppetlabs.com/references/latest/type.html#package

Restrict access to sensitive files & directories
• Protect what's important from prying/malicious eyes

• Ensure file permissions restrict access to sensitive files and directories
        – E.g. /etc/shadow, /etc/ssh/sshd_config
        – E.g. /var/tmp/, /tmp/

• Take a look at:
        – http://docs.puppetlabs.com/references/latest/type.html#file
        – http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf

Remove insecure/default configurations
• Disable password authentication for SSH
        – Force public key authentication
        – Also, disable empty passwords for users

• SSH
        – Ensure only v2 protocol connections are allowed

• Apache
        – Minimize loadable modules
        – Disable ServerTokens and ServerSignature directives

• Take a look at:
        – http://forge.puppetlabs.com/saz/sudo
        – http://forge.puppetlabs.com/jonhadfield/wordpress
        – http://forge.puppetlabs.com/attachmentgenie/ssh
Allow administrative access ONLY from trusted servers/clients
• Leverage the firewall and other tools
        – Source of corporate network / admin network range
        – 3rd-party tools like fail2ban

• Don't allow 'server hopping'

• Take a look at:
        – http://forge.puppetlabs.com/attachmentgenie/ufw
        – http://forge.puppetlabs.com/example42/firewall
        – http://forge.puppetlabs.com/puppetlabs/denyhosts

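The five items above, as one Puppet class. This is an added example, not code from the talk or from the linked Forge modules; it assumes RHEL/CentOS-style package, service and path names, the puppetlabs-firewall module for the firewall resources, and a placeholder admin network (10.0.0.0/24) that you replace with your own range.

```puppet
# Added example (not from the slides): one Puppet class covering the five
# baseline items. Assumes RHEL/CentOS-style package, service and path names,
# the puppetlabs-firewall module for item 5, and a placeholder admin network.
class secure_baseline (
  $admin_net     = '10.0.0.0/24',   # placeholder: set to your admin/corporate range
  $is_web_server = false,           # true only for hosts that must serve web pages
) {

  # 1. Disable unnecessary services: stop them now and keep them off at boot.
  #    Names are the RHEL init-script names (assumed).
  $legacy_services = ['telnet', 'rsh', 'rlogin', 'rexec', 'vsftpd']
  service { $legacy_services:
    ensure => stopped,
    enable => false,
  }
  # 2. Remove unneeded packages, after their services are stopped so Puppet is
  #    not left looking for an init script the removal has already deleted.
  package { ['telnet-server', 'rsh-server', 'vsftpd']:
    ensure  => absent,
    require => Service[$legacy_services],
  }
  # Role-based removal: a host that does not serve web pages gets no web stack.
  if ! $is_web_server {
    package { ['httpd', 'nginx', 'php']: ensure => absent }
  }
  # 3. Restrict access to sensitive files and directories (root-owned throughout).
  File {
    owner => 'root',
    group => 'root',
  }
  file { '/etc/shadow':
    ensure => file,
    mode   => '0000',   # RHEL default; Debian-based hosts use root:shadow 0640
  }
  file { '/etc/ssh/sshd_config':
    ensure => file,
    mode   => '0600',
    notify => Service['sshd'],
  }
  # World-writable temp directories keep the sticky bit: users delete only their own files.
  file { ['/tmp', '/var/tmp']:
    ensure => directory,
    mode   => '1777',
  }
  # 4. Remove insecure/default configurations.
  #    SSH: key-only logins, no empty passwords, protocol 2 only. Augeas edits
  #    the existing file in place rather than replacing it with a template.
  augeas { 'sshd_config_hardening':
    context => '/files/etc/ssh/sshd_config',
    changes => [
      'set PasswordAuthentication no',
      'set PermitEmptyPasswords no',
      'set Protocol 2',
    ],
    notify  => Service['sshd'],
  }
  service { 'sshd': ensure => running, enable => true }
  #    Apache: stop advertising version details in headers and error pages.
  if $is_web_server {
    file { '/etc/httpd/conf.d/zz-hardening.conf':
      ensure  => file,
      mode    => '0644',
      content => "ServerTokens Prod\nServerSignature Off\n",
      notify  => Service['httpd'],
    }
    service { 'httpd': ensure => running, enable => true }
  }
  # 5. Administrative access only from trusted networks (puppetlabs-firewall,
  #    assumed). Rules apply in order of their numeric name prefix; loopback and
  #    established traffic are accepted first so the final drop does not break
  #    local connections or replies to outbound traffic.
  firewall { '000 accept loopback': proto => 'all', iniface => 'lo', action => 'accept' }
  firewall { '001 accept established and related':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '100 allow ssh from admin network only':
    proto  => 'tcp',
    dport  => 22,
    source => $admin_net,
    action => 'accept',
  }
  if $is_web_server {
    firewall { '200 allow http and https':
      proto  => 'tcp',
      dport  => [80, 443],
      action => 'accept',
    }
  }
  firewall { '999 drop everything else inbound':
    proto  => 'all',
    action => 'drop',
  }
}
```

Declare it per node with `class { 'secure_baseline': admin_net => '<your range>', is_web_server => true }`; on Debian-based hosts the package names, the SSH service name (`ssh`) and the shadow file permissions differ.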
If only we had more time…
• More documentation to review:
        – NIST SP800-123: Guide to General Server Security
                  • http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
        – Halo Configuration Policy Rule Checks
                  • http://support.cloudpassage.com/entries/22033142-configuration-policy-rule-checks
        – CIS Red Hat Enterprise Linux 6 Benchmark v1.1.0
                  • http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.rhel6.110
        – NSA Security Configuration Guides
                  • http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#linux2

In Closing

Moral of the Story

Security of your cloud servers is your responsibility

Security risks in the cloud are real (just check your ssh/RDP logs)

Security baselining isn't just a best/better practice, it makes your life easier…

…and isn't that why we started automating in the first place?

What does CloudPassage do?
Security for virtual servers running in public and private clouds

• Firewall Automation
• File Integrity Monitoring
• Multi-Factor Authentication
• Account Management
• Configuration Security
• Security Event Alerting
• Vulnerability Scanning
• API Automation

The End
• Ask questions!
        – Lots more info: community.cloudpassage.com
        – Small bits of info: @cloudpassage

• Tell me what you think!
        – Email: andrew@cloudpassage.com
        – Twitter: @andrewsmhay

• We're hiring!
        – DevOps, Rails, UX, SecOps, etc…
        – Email: jobs@cloudpassage.com

The End++
• Expect a webinar!
        – We plan on presenting a webinar on securely automating cloud server deployment
        – Follow our Twitter account for details: @cloudpassage

• Community Puppet Code for Halo
        – https://github.com/mrpatrick/puppet-cloudpassage
        – https://github.com/rkhatibi/puppet-cloudpassage

Thank You!
Andrew Hay
andrew@cloudpassage.com
@andrewsmhay

@cloudpassage
#puppetconf - #CloudSec

AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

Automating secure server baselines with Puppet

  • 1. Automating Secure Server Baselines with Puppet a.k.a. “Making Fixing Stupid Stuff Easy” Andrew Hay andrew@cloudpassage.com @andrewsmhay | @cloudpassage #puppetconf - #CloudSec © 2012 CloudPassage Inc. 1
  • 2. Topics for today
    • Why the cloud makes security hard
    • Why secure the OS?
    • What is a baseline?
    • How Puppet can be used to create secure and repeatable server and application baselines
  • 3. Who are you?
    • Andrew Hay, Chief Evangelist, CloudPassage
    • Former
      – Industry Analyst @ 451 Research
      – Security Analyst @ UofL and bank in Bermuda
      – Product, Program and Engineering Manager @ Q1 Labs
      – Linux guy at a few ISPs
  • 4. Goals of moving to cloud fail to mesh with security
  • 5. Cloud radically changes IT Ops
    [diagram: a Gold Master image cloned into www-1 … www-7, split between a Public Cloud and a Private Datacenter]
    • Creating servers takes almost zero time
    • Server location can change frequently
    • Physical access to architecture no longer an option
  • 6. Cloud security is new
    [diagram: www-1 … www-4 in the private datacenter, each flagged, beside an empty public cloud]
  • 7. Cloud security is different
    [diagram: www-1 … www-4 in the private datacenter, with a flagged www-4 now also in the public cloud]
  • 8. Cloud security is complex
    [diagram: www-1 … www-4 in the Private Datacenter, www-4 … www-6 at Cloud Provider B, www-7 … www-10 at Cloud Provider A, all flagged]
  • 9. Security products aren’t adapting
    [diagram: the same three environments as slide 8, with these callouts]
    • No Network Access
    • Temporary & Elastic Deployments
    • Multiple Cloud Environments
  • 10. We used to rely on perimeter defenses
    [diagram: a Firewall in front of a dmz tier (two Load Balancer / App Server pairs), a second Firewall in front of a core tier (Auth Server, three DB servers)]
  • 11. But where is the perimeter in cloud?
    [diagram: the same Load Balancers, App Servers, Auth Server and DB servers sitting in the public cloud with no firewalls between them]
  • 12. The server is adjacent to the perimeter
    [diagram: a Load Balancer, two App Servers and a DB Master in the public cloud, the App Servers and DB Master flagged]
  • 13. Why secure the OS?
    • A hardened OS often is the last line of defense in the event of a security compromise.
    • It is important to note that hardening is not a panacea for security.
      – It is just another layer in a good security model.
    • By definition, any machine that is accessible on a network and running services is potentially insecure.
      – (i.e. pretty much any server)
  • 14. “Andrew’s Law of Servers”
    • There are 3 kinds of servers:
      1) Secure servers
      2) Insecure servers
      3) Servers that you think are secure…
  • 15. Servers are vulnerable
    • National Vulnerability Database search of CVE and CCE vulnerabilities:
      – Ubuntu
        • Last 3 years: 788 matching records
        • Last 3 months: 100 matching records
      – RedHat
        • Last 3 years: 1,910 matching records
        • Last 3 months: 288 matching records
      – Microsoft Windows (server)
        • …
    • NVD reported 3532 vulnerabilities in 2011.
    • This means that last year about ten new security vulnerabilities were discovered each day.
  • 16. What is a baseline?
    • base·line /ˈbāsˈlīn/
      – A minimum or starting point used for comparisons.
    • Think of it as the ‘bare minimum’ configuration for:
      – Server settings
      – Application configurations
      – Running services
      – Etc.
    • Ask yourself:
      – “What do I want of my servers?”
  • 17. What if I only secure one or two things?
  • 18. Running with baselines…
    [diagram: a Gold Master cloned into three www servers, all flagged]
    If your baseline is not secure… your servers built off of that baseline are also insecure
  • 19. Running with baselines…
    [diagram: a ‘Better Master’ cloned into five www servers, some flagged and some marked ‘?’]
    Pushing out a ‘Better Master’ might solve a lot of problems, but it will eventually fail you
  • 20. Running with baselines…
    [diagram: a new Gold Master cloned into five www servers]
    Using our new ‘Gold Master’ we can trust our servers’ security, letting us focus on other, more pressing tasks
  • 21. Running with baselines…
    [diagram: a Gold Master update cloned into five www servers]
    Gold Master updates can be rolled out incrementally, keeping your operational state… operational
  • 22. How Puppet Can Help
  • 23. Top 5 easy things to start building your secure baseline
    1. Disable unnecessary services
    2. Remove unneeded packages
    3. Restrict access to sensitive files & directories
    4. Remove insecure/default configurations
    5. Allow administrative access ONLY from trusted servers/clients
  • 24. Disable unnecessary services
    • Only what is needed… is needed
    • Shut down and disable unnecessary services
      – e.g. telnet, r-services, ftpd, etc.
    • Take a look at:
      – http://www.puppetcookbook.com/posts/ensure-service-stopped-on-boot.html
      – http://www.puppetcookbook.com/posts/ensure-service-is-stopped.html
      – http://docs.puppetlabs.com/references/latest/type.html#service
  • 25. Remove unneeded packages
    • If it isn’t being used… why keep it?
    • If the server doesn’t need to serve web pages
      – Remove PHP, Apache/nginx
    • If it’s not a database server
      – Remove MySQL/PostgreSQL
    • Take a look at:
      – http://www.puppetcookbook.com/posts/remove-package.html
      – http://docs.puppetlabs.com/references/latest/type.html#package
  • 26. Restrict access to sensitive files & directories
    • Protect what’s important from prying/malicious eyes
    • Ensure file permissions restrict access to sensitive files and directories
      – E.g. /etc/shadow, /etc/ssh/sshd_config
      – E.g. /var/tmp/, /tmp/
    • Take a look at:
      – http://docs.puppetlabs.com/references/latest/type.html#file
      – http://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf
  • 27. Remove insecure/default configurations
    • Disable password authentication for SSH
      – Force public key authentication
      – Also, disable empty passwords for users
    • SSH
      – Ensure only v2 protocol connections are allowed
    • Apache
      – Minimize loadable modules
      – Disable ServerTokens and ServerSignature directives
    • Take a look at:
      – http://forge.puppetlabs.com/saz/sudo
      – http://forge.puppetlabs.com/jonhadfield/wordpress
      – http://forge.puppetlabs.com/attachmentgenie/ssh
  • 28. Allow administrative access ONLY from trusted servers/clients
    • Leverage the firewall and other tools
      – Source of corporate network / admin network range
      – 3rd-party tools like fail2ban
    • Don’t allow ‘server hopping’
    • Take a look at:
      – http://forge.puppetlabs.com/attachmentgenie/ufw
      – http://forge.puppetlabs.com/example42/firewall
      – http://forge.puppetlabs.com/puppetlabs/denyhosts
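As an added example, not code from the talk or from any CloudPassage project, here is one Puppet class that wires the five steps of slides 23 to 28 together. The class name `secure_baseline`, its `admin_cidr` and `web_server` parameters, the RHEL-style package, service and file names, and the `192.0.2.0/24` admin range are my assumptions; the `firewall` resources assume the puppetlabs-firewall module is installed, and the SSH settings are applied through the augeas Sshd lens rather than by replacing the whole file.

```puppet
# secure_baseline.pp: added illustration, not code from this talk or from CloudPassage.
# Assumes a RHEL-style host (package, service and path names below) and that the
# puppetlabs-firewall module is installed for the firewall resources.
class secure_baseline (
  $admin_cidr = '192.0.2.0/24',   # placeholder: replace with your corporate/admin range
  $web_server = false             # true only for hosts that really must serve HTTP
) {

  # Every file managed in this class belongs to root unless stated otherwise.
  File { owner => 'root', group => 'root' }

  # 1. Disable unnecessary services: stop them now and keep them off after reboot.
  #    telnet and the r-services run under xinetd on RHEL, so stopping xinetd covers them.
  service { ['vsftpd', 'xinetd']:
    ensure => stopped,
    enable => false,
  }

  # 2. Remove unneeded packages: what is not installed cannot be misconfigured.
  package { ['telnet-server', 'rsh-server']: ensure => absent }

  if $web_server {
    # Apache stays, but stops advertising its version and disables TRACE.
    file { '/etc/httpd/conf.d/zz_hardening.conf':
      content => "ServerTokens Prod\nServerSignature Off\nTraceEnable Off\n",
      mode    => '0644',
      notify  => Service['httpd'],
    }
    service { 'httpd': ensure => running, enable => true }
  } else {
    package { ['httpd', 'php']: ensure => absent }
  }

  # 3. Restrict access to sensitive files and directories.
  file { '/etc/shadow': mode => '0000' }   # RHEL convention; Debian-style hosts use root:shadow 0640
  file { '/etc/ssh/sshd_config':
    mode   => '0600',
    notify => Service['sshd'],
  }
  # Shared temp directories keep the sticky bit so users cannot remove each other's files.
  file { ['/tmp', '/var/tmp']:
    ensure => directory,
    mode   => '1777',
  }

  # 4. Remove insecure/default SSH settings through the augeas Sshd lens, so other
  #    directives in the file are left untouched. Deploy admin authorized_keys BEFORE
  #    applying this class: once PasswordAuthentication is off, keys are the only way in.
  augeas { 'sshd_hardening':
    context => '/files/etc/ssh/sshd_config',
    changes => [
      'set Protocol 2',
      'set PasswordAuthentication no',
      'set PermitEmptyPasswords no',
      'set PubkeyAuthentication yes',
      'set PermitRootLogin no',
    ],
    require => File['/etc/ssh/sshd_config'],
    notify  => Service['sshd'],
  }
  service { 'sshd': ensure => running, enable => true }

  # 5. Administrative access only from the trusted range; everything else is dropped.
  #    Rule titles start with a number because puppetlabs-firewall orders rules by it.
  firewall { '100 allow ssh from admin network':
    proto  => 'tcp',
    dport  => 22,
    source => $admin_cidr,
    action => 'accept',
  }
  firewall { '900 drop ssh from everywhere else':
    proto  => 'tcp',
    dport  => 22,
    action => 'drop',
  }
  # fail2ban (from EPEL on RHEL) bans sources inside the allowed range that keep failing to log in.
  package { 'fail2ban': ensure => installed }
  service { 'fail2ban':
    ensure  => running,
    enable  => true,
    require => Package['fail2ban'],
  }
}

# Usage (e.g. in site.pp) with the placeholder admin range:
class { 'secure_baseline':
  admin_cidr => '192.0.2.0/24',
  web_server => false,
}
```

Apply it with keys already in place: the augeas step turns password logins off, so an admin whose authorized_keys has not been pushed yet is locked out the moment the catalogue runs. The numeric prefixes make the accept rule sort before the drop rule; re-running the agent against a freshly cloned image should then report no changes, which is the quickest check that the image really is the baseline it claims to be.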
  • 29. If only we had more time…
    • More documentation to review:
      – NIST SP800-123: Guide to General Server Security
        • http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
      – Halo Configuration Policy Rule Checks
        • http://support.cloudpassage.com/entries/22033142-configuration-policy-rule-checks
      – CIS Red Hat Enterprise Linux 6 Benchmark v1.1.0
        • http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.rhel6.110
      – NSA Security Configuration Guides
        • http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#linux2
  • 30. In Closing
  • 31. Moral of the Story
    • Security of your cloud servers is your responsibility
    • Security risks in the cloud are real (just check your ssh/RDP logs)
    • Security baselining isn’t just a best/better practice, it makes your life easier…
    • …and isn’t that why we started automating in the first place?
  • 32. What does CloudPassage do?
    Security for virtual servers running in public and private clouds:
    • Firewall Automation
    • File Integrity Monitoring
    • Multi-Factor Authentication
    • Account Management
    • Configuration Security
    • Security Event Alerting
    • Vulnerability Scanning
    • API Automation
  • 33. The End
    • Ask questions!
      – Lots more info: community.cloudpassage.com
      – Small bits of info: @cloudpassage
    • Tell me what you think!
      – Email: andrew@cloudpassage.com
      – Twitter: @andrewsmhay
    • We’re hiring! DevOps, Rails, UX, SecOps, etc…
      – Email: jobs@cloudpassage.com
  • 34. The End++
    • Expect a webinar!
      – We plan on presenting a webinar on securely automating cloud server deployment
      – Follow our Twitter account for details: @cloudpassage
    • Community Puppet Code for Halo
      – https://github.com/mrpatrick/puppet-cloudpassage
      – https://github.com/rkhatibi/puppet-cloudpassage
  • 35. Thank You! Andrew Hay andrew@cloudpassage.com @andrewsmhay @cloudpassage #puppetconf - #CloudSec