building a hyper-secure vpc on aws with puppet - puppetconf 2013
DESCRIPTION
"Building a Hyper-Secure VPC on AWS with Puppet" by Tim Nolet, Technical Architect, Xebia. Presentation Overview: This session will describe the techniques and patterns used in a real life project where the goal was to: build a VPC on AWS, make it extremely secure on all accounts, do it automated. I will describe how you can take Puppet and AWS and introduce all kinds of real life security measures, all managed by Puppet. These security measures include: Log collection and analysis (in combination with Graylog2), Transparent Proxy Hosts for DMZ separation, Host Based Firewalls to augment the non-logging AWS firewalls/security groups, CIS (Center for Internet Security) Benchmark enforcement on standard AWS Linux AMIs, change tracking with SVN. Speaker Bio: Tim Nolet is an infrastructure architect and continuous delivery consultant working for Xebia (www.xebia.com). Brought up on a steady diet of Java enterprise applications, he has helped his customers design, build and manage internet infrastructures in diverse areas of travel, retail, banking, energy and public services. Currently, he is on a mission to reap all the benefits of automated deployment and cloud engineering to deliver fast, safe and stable applications. Together with Amazon Web Services, Puppet plays a major role in this mission. Tim also smiles when you let him dive deep into performance, security and stability issues, or let him play guitar for a day.
TRANSCRIPT
PuppetConf 2013
Building a Hyper-Secure VPC on AWS
with Puppet
Tim Nolet
Architect at Xebia (the Netherlands)
Linux / Java / Cloud / Automation / Operations
github.com/tnolet
nl.linkedin.com/in/tnolet
Holland = The Netherlands
Image: xkcd.com
I tend to ramble...
The Assignment
The Assignment (1)
1. Build a general purpose VPC on AWS
2. Standardize application deployment
3. Apply company security policies
The Assignment (2)
1. Do it with Open Source
2. Use AWS standards
3. Stay close to reference implementations
AWS and security
IAM, MFA, HSM, SSL, SSH, VPN, ISO 27001, PCI-DSS, PGP
..and probably some more acronyms
Design Principles
A Grid based on:
3x Availability Zone
3x Tier: web, app, data
1x Management subnet
Design Principles
Reference stacks
Implemented in CloudFormation
Provision:
EC2 instances
Security Groups
RDS instances
ELB load balancers
etc.
public_three_tier_stack_redundant_rds.template
AMI Hardening
1. Apply CIS Benchmark for Red Hat Linux
2. Log + Alert on any discrepancies
3. Monitor YUM security updates
Benchmark: https://benchmarks.cisecurity.org/tools2/linux/CIS_Redhat_Linux_5_Benchmark_v2.0.0.pdf
CIS Benchmark Module
One manifest per benchmark chapter, numbered like the chapters:
manifests/
  1_software.pp
  2_osservices.pp
  3_specialservices.pp
  4_network.pp
  5_logaudit.pp
  6_accessauth.pp
  7_user.pp
  8_banners.pp
  9_maintenance.pp
  init.pp
=>
Coooode!
# 1.6 Additional Process Hardening
# 1.6.1 Restrict Core Dumps
file { "/etc/security/limits.conf":
  ensure => "present",
  source => "puppet:///modules/cis_baseline/limits.conf",
  owner  => "0",
  group  => "0",
  mode   => "644",
}

# 1.6.2 Configure ExecShield
# file_line comes from the puppetlabs/stdlib module; it only edits the file,
# the running kernel picks the value up after `sysctl -p` or a reboot
file_line { "Execshield":
  path => "/etc/sysctl.conf",
  line => "kernel.exec-shield = 1",
}
Hacking /etc/pam.d/su
Allows only users in the `wheel` group to use `su`: an `auth required pam_wheel.so use_uid` line is inserted directly after the `pam_rootok.so` line, and the `onlyif` keeps the run idempotent.
# 6.5 Restrict Access to the su Command
augeas { "pam.d/su":
  context => "/files/etc/pam.d/su/",
  changes => [
    "ins 01 after *[module='pam_rootok.so'][control='sufficient'][type='auth'][last()]",
    "set 01/type auth",
    "set 01/control required",
    "set 01/module pam_wheel.so",
    "set 01/argument use_uid",
  ],
  onlyif  => "match *[type='auth'][control='required'][module='pam_wheel.so'][argument='use_uid'] size == 0",
}
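The "AMI Hardening" slide asks for logging and alerting on any discrepancy from the benchmark, and the three controls above (1.6.1, 1.6.2 and 6.5) are the ones the deck shows being enforced. The following is an added example, not code from the talk or from the cis_baseline module: a small Ruby audit that reads the three files as strings and returns the controls that are not met, the list you would ship to the central log server. The function names and the "stock" and "hardened" file contents are constructed for the example.

```ruby
# Constructed stand-ins for the files the cis_baseline module manages.
STOCK_LIMITS_CONF    = "# /etc/security/limits.conf\n#*  soft  core  0\n"
HARDENED_LIMITS_CONF = "# /etc/security/limits.conf\n*  hard  core  0\n"

STOCK_SYSCTL_CONF    = "net.ipv4.ip_forward = 0\n"
HARDENED_SYSCTL_CONF = "net.ipv4.ip_forward = 0\nkernel.exec-shield = 1\n"

STOCK_PAM_SU    = "#%PAM-1.0\nauth\tsufficient\tpam_rootok.so\n#auth\trequired\tpam_wheel.so use_uid\nauth\tinclude\t\tsystem-auth\n"
HARDENED_PAM_SU = "#%PAM-1.0\nauth\tsufficient\tpam_rootok.so\nauth\trequired\tpam_wheel.so use_uid\nauth\tinclude\t\tsystem-auth\n"

# Drop a trailing comment and surrounding whitespace from one config line.
def strip_comment(line)
  line.sub(/#.*/, '').strip
end

# 1.6.1 Restrict Core Dumps: limits.conf must carry a "* hard core 0" entry.
def core_dumps_restricted?(limits_conf)
  limits_conf.each_line.any? { |l| strip_comment(l).split == %w[* hard core 0] }
end

# 1.6.2 Configure ExecShield: sysctl.conf must set kernel.exec-shield = 1.
def exec_shield_enabled?(sysctl_conf)
  sysctl_conf.each_line.any? { |l| strip_comment(l) =~ /\Akernel\.exec-shield\s*=\s*1\z/ }
end

# 6.5 Restrict Access to su: the auth stack must require pam_wheel.so with use_uid.
# A commented-out line (as shipped in stock pam.d/su) does not count.
def su_restricted_to_wheel?(pam_su)
  pam_su.each_line.any? do |l|
    type, control, mod, *args = strip_comment(l).split
    type == 'auth' && control == 'required' && mod == 'pam_wheel.so' && args.include?('use_uid')
  end
end

# Evaluate all three controls; true means compliant.
def cis_audit(limits_conf:, sysctl_conf:, pam_su:)
  {
    '1.6.1 Restrict Core Dumps'  => core_dumps_restricted?(limits_conf),
    '1.6.2 Configure ExecShield' => exec_shield_enabled?(sysctl_conf),
    '6.5 Restrict Access to su'  => su_restricted_to_wheel?(pam_su)
  }
end

# What to log and alert on: the controls that are not met.
def cis_discrepancies(**files)
  cis_audit(**files).reject { |_, ok| ok }.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "stock AMI:    #{cis_discrepancies(limits_conf: STOCK_LIMITS_CONF, sysctl_conf: STOCK_SYSCTL_CONF, pam_su: STOCK_PAM_SU).inspect}"
  puts "hardened AMI: #{cis_discrepancies(limits_conf: HARDENED_LIMITS_CONF, sysctl_conf: HARDENED_SYSCTL_CONF, pam_su: HARDENED_PAM_SU).inspect}"
end
```

On a real host the three constants would be replaced by `File.read` of the corresponding paths; the checks deliberately ignore commented-out lines, because a stock pam.d/su ships the pam_wheel line disabled and a naive substring match would pass it.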
Tagging dependent modules
IPtables is managed by its own module. We check whether it is included using the `tagged` function.
# 4.7 Enable IPtables
# CIS Rule 4.7 should be enforced through the iptables/firewall module.
# We only notify if it is not running
if tagged("firewall_base") {
  notice("CIS rule 4.7 Enable IPtables is installed and enabled")
} else {
  alert("CIS rule 4.7 Enable IPtables is not installed")
}
Tags: order is important. `tagged` only sees tags already added to the catalog when it is evaluated, so the firewall module must be declared before this check runs.
Actual IP of the Graylog2 host is in Hiera
Central Logging
Rsyslog => Graylog2
/etc/rsyslog.conf
# Forward all logs to central logging server
*.* @<%= central_log_app_server %>   # udp forwarding
A single @ selects UDP forwarding: cheap, but unacknowledged and unencrypted, so dropped messages go unnoticed; @@ forwards over TCP instead.
Sorting / Searching / Alerting / Graphing
...basically a SIEM on the cheap
Network traffic logging
Why?
AWS Security Groups and Network ACLs don't log anything
Network traffic logging
How?
Puppet + IPtables + Rsyslog + Graylog2
Extending the puppetlabs_firewall module from the Forge: https://forge.puppetlabs.com/puppetlabs/firewall
Allow / Drop / Log
1. Allow or Drop connections
2. Tag initial connections, on both dropped and allowed
3. Don't tag established and related connections
4. Log to Graylog2 via rsyslog
Let Related and Established pass through unharmed
Allow / Drop / Log
firewall { "000 INPUT allow related and established":
  chain  => "INPUT",
  proto  => "all",
  state  => ["RELATED", "ESTABLISHED"],
  action => "accept",
}
Allow / Drop / Log
firewallchain { 'LOGNEW:filter:IPv4':
  ensure => present,
}
firewall { "100 Log all NEW connections":
  chain      => "LOGNEW",
  log_level  => "info",
  log_prefix => "FIREWALL TCP INBOUND",
  jump       => "LOG",
}
firewall { "101 Accept the connection":
  chain  => "LOGNEW",
  action => "accept",
}
Create a "LOGNEW" chain for all NEW connections. Tag them with a prefix and jump them to the LOG target (LOG is non-terminating, so rule 101 then accepts them).
Jump your allowed traffic to the LOGNEW chain
Allow / Drop / Log
firewall { "100 allow ssh":
  proto => "tcp",
  dport => "22",
  state => ["NEW"],
  jump  => "LOGNEW",
}
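Once the LOGNEW chain's lines reach Graylog2 via rsyslog, the "sorting, searching, alerting" is done there. As an added example, not code from the talk, here is what two such alerts look like in plain Ruby: a parser for the kernel LOG lines carrying the FIREWALL TCP INBOUND prefix above, plus two detections over a batch of them, a source opening NEW connections to many distinct ports, and NEW SSH connections from outside the VPC. The VPC range 10.0.0.0/16, the scan threshold, the function names and the sample log lines are assumptions constructed for the example.

```ruby
require 'ipaddr'
require 'set'

# log_prefix used in the LOGNEW chain above
LOG_PREFIX = 'FIREWALL TCP INBOUND'.freeze
# Assumed VPC address range (not from the talk); anything else counts as outside
VPC_CIDR = IPAddr.new('10.0.0.0/16')

# Constructed sample of rsyslog-forwarded kernel lines; the last line is an
# unrelated sshd message, included to show that non-firewall lines are skipped.
SAMPLE_LOG = <<~LOG
  Jun 12 10:15:01 web-1a kernel: FIREWALL TCP INBOUND IN=eth0 OUT= SRC=10.0.0.10 DST=10.0.1.20 LEN=60 PROTO=TCP SPT=50001 DPT=22 SYN
  Jun 12 10:15:02 web-1a kernel: FIREWALL TCP INBOUND IN=eth0 OUT= SRC=10.0.2.8 DST=10.0.1.20 LEN=60 PROTO=TCP SPT=50002 DPT=80 SYN
  Jun 12 10:15:03 web-1a kernel: FIREWALL TCP INBOUND IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.1.20 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
  Jun 12 10:15:03 web-1a kernel: FIREWALL TCP INBOUND IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.1.20 LEN=60 PROTO=TCP SPT=40002 DPT=80 SYN
  Jun 12 10:15:03 web-1a kernel: FIREWALL TCP INBOUND IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.1.20 LEN=60 PROTO=TCP SPT=40003 DPT=443 SYN
  Jun 12 10:15:04 web-1a kernel: FIREWALL TCP INBOUND IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.1.20 LEN=60 PROTO=TCP SPT=40004 DPT=8080 SYN
  Jun 12 10:15:04 web-1a kernel: FIREWALL TCP INBOUND IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.1.20 LEN=60 PROTO=TCP SPT=40005 DPT=3306 SYN
  Jun 12 10:15:09 web-1a kernel: FIREWALL TCP INBOUND IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.1.20 LEN=60 PROTO=TCP SPT=40006 DPT=22 SYN
  Jun 12 10:15:10 web-1a sshd[1234]: Accepted publickey for ec2-user from 10.0.0.10 port 50001 ssh2
LOG

# Parse one syslog line into a hash of the iptables KEY=VALUE fields plus the
# reporting host. Returns nil for lines that do not carry the prefix.
def parse_firewall_line(line)
  idx = line.index(LOG_PREFIX)
  return nil unless idx
  event = {}
  line[(idx + LOG_PREFIX.length)..-1].scan(/(\w+)=(\S*)/) { |k, v| event[k] = v }
  host = line[/\A\w+ +\d+ [\d:]+ (\S+) kernel:/, 1]
  event['HOST'] = host if host
  event
end

# Detection 1: one source opening NEW connections to many distinct ports.
def port_scanners(events, threshold: 5)
  ports_by_src = Hash.new { |h, k| h[k] = Set.new }
  events.each { |e| ports_by_src[e['SRC']] << e['DPT'] if e['SRC'] && e['DPT'] }
  ports_by_src.select { |_, ports| ports.size >= threshold }.keys
end

# Detection 2: NEW SSH connections whose source lies outside the VPC range.
def external_ssh_sources(events)
  events.select { |e| e['DPT'] == '22' && e['SRC'] && !VPC_CIDR.include?(IPAddr.new(e['SRC'])) }
        .map { |e| e['SRC'] }.uniq
end

# Run both detections over a batch of log text.
def analyze(log_text)
  events = log_text.each_line.map { |l| parse_firewall_line(l) }.compact
  { events: events.size,
    scanners: port_scanners(events),
    external_ssh: external_ssh_sources(events) }
end

if __FILE__ == $PROGRAM_NAME
  puts analyze(SAMPLE_LOG).inspect
end
```

Because only NEW connections are logged (rule 000 lets RELATED/ESTABLISHED through untouched), each line is one connection attempt, which is what makes the per-source distinct-port count meaningful; the same two queries are the kind of thing you would save as Graylog2 streams with alert conditions.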
Exceptions...
Proxies, DNS, Database running nodes, Other bridging type nodes
Custom Facter to the rescue!
IP ranges match the GRID
Availability zone / Tier
Av. Zone custom Fact
require 'facter'

# Derive the availability zone from the last octet of the node's IP, since the
# subnet ranges follow the grid. Management nodes are pinned to zone_1b.
# Depends on the custom `tier` fact.
def get_avzone
  return "zone_1b" if Facter.value(:tier) == "management"
  # Compare the last octet as an integer so single-digit octets (e.g. .5)
  # are classified too; the gaps (63-64, 127-128) fall through to "default".
  case Facter.value(:ipaddress).to_s.split('.').last.to_i
  when 0..62    then "zone_1a"
  when 65..126  then "zone_1b"
  when 129..190 then "zone_1c"
  else "default"
  end
end

Facter.add(:av_zone) do
  setcode { get_avzone }
end
Done!
Good / Bad / Plain Ugly
Good
Community!
Good
Graylog2 is great and extremely flexible
Good
VPC is the way to go on AWS
CloudFormation's power is incredible
Bad
Performance of large catalogs with Puppet 2.7
file { "/etc/somedirectory":
  recurse  => true,
  ignore   => ["work", "temp", "log"],
  checksum => none,
}
Hiera-GPG is cumbersome to say the least
Bad
JSON notation of CloudFormation templates
...meh
Tip: CFNDSL = Ruby DSL for CloudFormation templates
https://github.com/howech/cfndsl
Ugly
Unified state and lifecycle management
Ugly
Everything is automated, but using its own:
1. DSL
2. Authentication / Authorization
3. Paradigms
4. Versioning
5. You name it...
Ugly
One single source of truth for:
1. Audit trail / logging
2. Instance status
3. Application status
4. CRUD actions on the whole infrastructure
Hope?!
RightScale, Scalr, Cloudify and similar? AWS OpsWorks?
Hope?!
Not third party or a plugin
Part of the core
Not SaaS only
Enterprise
Cloud Provisioning, Configuration Management and Application Deployment
Rant over...
Questions?