Source: wh.cs.vsb.cz/sps/images/e/ef/bpsdc_l8.pdf
Data Center Networks & Cloud Computing Security, Lecture 8
Identity and Access Management; Remote Monitoring
Pavel Moravec
DevOps (Development & Operations) in DCs
DevOps has the following 5 "pillars of success":
- Reduce organizational silos
- Accept failure as normal
- Implement gradual changes
- Leverage tooling and automation
- Measure everything
Alternative approach: Site Reliability Engineering (Google); includes the continuous integration & continuous delivery approach.
Identity and Access Management(IAM)
Basic Identity Management
Manage the accounts in standard identity management tools:
- Lightweight Directory Access Protocol (LDAP)
- Remote Authentication Dial-In User Service (RADIUS)
- Active Directory for Microsoft-based products
Use a solution allowing Single Sign-On (SSO):
- Kerberos
- OAuth2
- SAML 2.0
- OpenID Connect
LDAP
Open, vendor-neutral, industry standard. Used for accessing and maintaining distributed directory information services.
Simplifies the CCITT X.500 DAP standard.
The purpose of a directory server is to maintain a central store of information related to network users; it is often the central place to store usernames and passwords.
Objects with various attributes are organized into a tree structure: a hierarchical system of containers. Objects may contain invisible attributes.
The LDAP schema that defines object classes and their attributes may be customized to maintain custom attributes.
RADIUS
Centralized Authentication, Authorization, and Accounting (AAA) services; mainly used to manage access to the network.
Standardized in RFC 2865 (+ RFC 2866 for Accounting).
A user or machine sends a request to a Network Access Server (NAS) to gain access; the NAS contacts the RADIUS server.
Credentials: username + password (CHAP style), certificates, ...; one-way or mutual authentication.
Roaming is feasible between DCs or even ISPs: realms are used to identify domains ([email protected]); requests and responses are forwarded between servers, and chaining is possible.
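The NAS-to-server exchange described above, as an added example that is not from the lecture: one Access-Request with a hidden User-Password and the server's signed Access-Accept/Access-Reject, built from the RFC 2865 packet layout with the Python standard library only. The shared secret, the user database and the packet identifier are constructed for the example; a real NAS would send the packet over UDP/1812 instead of calling the server function directly.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example; the shared secret is what the NAS and the
# RADIUS server are provisioned with out of band.
SHARED_SECRET = b"example-shared-secret"
USERS = {"alice": b"s3cret"}                  # constructed user database on the server
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks; block i is XORed with
    MD5(secret + previous hidden block), the first with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tlv(attr_type, value):
    """Attribute encoding: Type (1 byte), Length (1 byte, includes the header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_request(ident, username, password, secret, request_auth):
    """NAS side: Access-Request carrying User-Name and the hidden User-Password."""
    attrs = tlv(ATTR_USER_NAME, username.encode()) + \
        tlv(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(packet, secret, users):
    """RADIUS server side: recover the password, decide, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    reply_code = ACCESS_ACCEPT if users.get(user) == password else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, b"", request_auth, secret)
    return struct.pack("!BBH", reply_code, ident, 20) + auth


def client_verify(reply, request_auth, secret):
    """NAS side: a reply whose Response Authenticator does not verify is dropped,
    so a party without the secret cannot forge an Access-Accept."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator")
    return code


def run_exchange(username, password, users=USERS, secret=SHARED_SECRET):
    request_auth = os.urandom(16)                # fresh per request: never reuse it
    request = build_access_request(7, username, password, secret, request_auth)
    reply = server_handle(request, secret, users)
    return client_verify(reply, request_auth, secret)
```

The Request Authenticator is the only thing that makes the MD5-based password hiding differ between requests, which is why it must be random per packet; the Response Authenticator is what lets the NAS reject an Access-Accept produced by anyone who does not hold the shared secret.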
Active Directory
Directory-based identity-related services meant for Windows domain networks. Uses a Domain Controller as the server for authorization and authentication.
Provides LDAP, DNS and the MS version of Kerberos; the Federation Service enables SSO.
Logically divided into forest, tree, and domain; objects may be grouped by Organizational Units (OUs).
Partitioning and multi-master replication are possible.
Mainly for Microsoft products (macOS, Linux binding?).
Azure Active Directory: IDaaS, cloud solution.
Kerberos
Network authentication protocol developed in the mid 1980s at MIT. Secret-key-based service for providing authentication in open networks; 2-factor authentication is available in newer versions.
Provides strong authentication for client-server applications. Single central server → single point of failure.
On log-on or after expiration, the client authenticates itself to the Authentication Server (AS), which forwards the username to the Key Distribution Center (KDC). The KDC issues a time-stamped ticket-granting ticket (TGT) encrypted using the secret key of the Ticket-Granting Service (TGS). Pre-authentication is possible in KRB5.
Time-sensitive due to timestamps. For communication with another node, the client sends the TGT to the TGS together with a Service Principal Name (SPN) to request a service registered at the TGS (and it is verified that the client may use it). A ticket and session keys are provided to the client, who sends the ticket to the service server (SS) along with the service request.
Security Assertion Markup Language (SAML)
XML-based OASIS open standard for exchanging authentication and authorization data between parties. 3 entities and their roles:
- Principal – the user looking to verify his or her identity
- Identity provider (IdP) – entity capable of verifying the identity of the principal
- Service provider (SP) – entity looking to use the identity provider to verify the identity of the end user
Language for security assertions:
- Authentication statements – the principal did authenticate with the IdP; the authentication context may be disclosed to the service provider
- Attribute statements – name-value pairs for ACLs
- Authorization decision statements – entity is permitted to perform action A on resource R given evidence E
Attacks: XML Signature Wrapping (XSW), HTTP Referrer attack, Signature Exclusion attack
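An added example (not from the lecture) of the structural check an SP should run before it trusts an assertion, which is the usual mitigation for XML Signature Wrapping: the assertion the SP consumes must be the only one in the response, IDs must be unique, and the enveloped signature's Reference must point at that assertion's own ID. It does not verify the XMLDSig itself (a real SP does that with a signature library after this check passes); the two SAML responses are constructed, with a placeholder signature value, and the second one contains an extra unsigned assertion so the rejection path is exercised.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def select_signed_assertion(xml_text: str) -> ET.Element:
    """Return the one assertion whose enveloped signature covers itself, or raise."""
    root = ET.fromstring(xml_text)
    # 1. Exactly one assertion anywhere in the response, however deeply nested.
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    # 2. ID attributes must be unique, otherwise a '#id' reference is ambiguous.
    ids = [e.get("ID") for e in root.iter() if e.get("ID") is not None]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate ID attributes in response")
    # 3. The signature must be enveloped in the assertion that is consumed ...
    signature = assertion.find("ds:Signature", NS)
    if signature is None:
        raise ValueError("assertion carries no enveloped signature")
    # 4. ... and its single Reference must point at this assertion's own ID.
    refs = signature.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != "#" + (assertion.get("ID") or ""):
        raise ValueError("signature Reference does not cover the consumed assertion")
    return assertion


def subject_name_id(xml_text: str) -> str:
    """What the SP actually acts on: the NameID of the checked assertion."""
    assertion = select_signed_assertion(xml_text)
    return assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


# Constructed response: one assertion, signed over its own ID (signature value is a placeholder).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>BASE64-PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed negative case: the same signed assertion plus an unsigned second assertion
# with a different ID. The structural check rejects it before any cryptography runs.
WRAPPED_RESPONSE = GOOD_RESPONSE.replace(
    '<saml:Assertion ID="_a1">',
    '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>mallory</saml:NameID>'
    '</saml:Subject></saml:Assertion><saml:Assertion ID="_a1">', 1)
```

The point of the ordering is "see what you sign": the SP should derive the identity only from the element the signature reference actually covers, never from the first assertion a lenient XPath happens to return.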
[Figure: SAML SSO in Web Browser; author: Tom Scavo]
OAuth 2.0
Open standard focusing exclusively on authorization. 3 (or 4) entities and their roles:
- Resource owner – end user/entity owning the resource in question
- Resource server (OAuth Provider) – hosts the resource
- Authorization server – verifies the identity of the resource owner and then issues access tokens to the client application
- Client (OAuth Consumer) – tries to consume the resource after getting authorized
Enables applications to obtain limited access to user accounts on an HTTP(S) service, such as Facebook, GitHub, Google, … For both web and desktop applications.
Does not support signatures, encryption, channel binding, or client verification; TLS must be used for that.
Security issues: account takeover vulnerability, account hijacking (session fixation, leaking the authorization code), leaking client credentials, replay attacks.
OAuth 2.0 Application Credentials
Application registration – the application must be registered with the service, including its name, web site/URL and Redirect URI (Callback URL). Once registered, the service is able to issue "client credentials": a client identifier and a client secret.
- Client identifier – a publicly exposed string used by the service API to identify the application; also used to build the authorization URLs that are presented to users.
- Client secret – used to authenticate the identity of the application to the service API when it requests access to the user's account; it must be kept private between the application and the API.
OAuth 2.0 Protocol Flow
The following steps are taken by the application in the abstract protocol flow:
1. Request authorization from the resource owner
2. Send the authorization grant obtained from the resource owner to the authorization server
3. Send the authorization token obtained from the authorization server to the resource server
If the authorization code is used as the grant type, the source code is not exposed and the client secret stays confidential. The first step is redirected through the user agent (UA, web browser), and the API authorization code is routed through it to the application as well. In the implicit grant type, the second step is also routed through the user agent.
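An added example (not from the lecture) that runs the registration and the three abstract steps of the authorization-code grant end to end, in Python, with the checks that address the security issues listed above: exact redirect-URI matching, a `state` value bound to the browser session (session fixation), the client secret required at the token endpoint (confidential client) and a single-use, short-lived code (replay). The `AuthorizationServer` and `ClientApp` classes, the `https://app.example/cb` callback URL and the user name are constructed for the example; both sides are called in-process instead of over HTTPS.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Toy authorization server for the authorization-code grant (constructed example)."""

    def __init__(self):
        self.clients = {}   # client_id -> registration record
        self.codes = {}     # authorization code -> grant record

    def register(self, name, redirect_uri):
        """Application registration: name + exact redirect URI; returns client credentials."""
        client_id, client_secret = secrets.token_urlsafe(8), secrets.token_urlsafe(24)
        self.clients[client_id] = {"name": name, "secret": client_secret,
                                   "redirect_uri": redirect_uri}
        return client_id, client_secret

    def authorize(self, client_id, redirect_uri, state, user):
        """Step 1, via the user agent: the resource owner approves and a short-lived
        single-use code is sent back to the registered redirect URI only."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:  # exact string match
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "user": user,
                            "redirect_uri": redirect_uri, "expires": time.time() + 60}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 2, back channel: the confidential client proves its secret and
        trades the code for an access token; the code is consumed on first use."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("bad client credentials")
        grant = self.codes.pop(code, None)         # pop: replaying the code fails
        if grant is None or grant["expires"] < time.time():
            raise PermissionError("invalid, expired or already used code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client/redirect_uri")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "user": grant["user"]}


class ClientApp:
    """The OAuth consumer; keeps the client secret server-side, never in the browser."""

    def __init__(self, server, redirect_uri="https://app.example/cb"):
        self.server, self.redirect_uri = server, redirect_uri
        self.client_id, self.client_secret = server.register("demo-app", redirect_uri)
        self.pending_states = set()

    def start_login(self):
        state = secrets.token_urlsafe(16)          # ties the callback to this browser session
        self.pending_states.add(state)
        return state

    def callback(self, redirect_url):
        """Callback handler: check state (session fixation / CSRF), then exchange the code."""
        query = parse_qs(urlparse(redirect_url).query)
        state = query.get("state", [None])[0]
        if state not in self.pending_states:
            raise PermissionError("unknown state")
        self.pending_states.discard(state)
        return self.server.token(self.client_id, self.client_secret,
                                 query["code"][0], self.redirect_uri)


def demo_flow(user="alice"):
    """Runs the abstract flow end to end; returns app, server, redirect URL and token."""
    server = AuthorizationServer()
    app = ClientApp(server)
    state = app.start_login()
    redirect = server.authorize(app.client_id, app.redirect_uri, state, user)
    return app, server, redirect, app.callback(redirect)
```

In the implicit grant the token itself would travel in the redirect through the user agent, which is why the code grant with a back-channel exchange is preferred for clients that can keep a secret.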
OpenID Connect
Users employ a single set of credentials, managed by a 3rd-party OpenID Connect identity provider (IdP) – Google, MS, … Built on top of the OAuth 2.0 protocol using REST + JSON. Computing clients authenticate against the authorization server and obtain basic profile information about the end user; a local authentication system is not needed.
3 entities and their roles:
- End user – the entity that is to be verified
- Relying party (RP) – looking to verify the identity of the end user
- OpenID Connect provider (OP) – registers the OpenID URL and can verify the end user's identity
Attacks: Mix-up (the RP binds the authorization to the wrong user), Covert Redirect
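An added example (not from the lecture) of the RP-side validation of the ID token that OpenID Connect adds on top of OAuth 2.0: signature first, then issuer, audience, expiry and nonce. Checking `iss` against the OP the RP started the login with is the defence against the mix-up attack named above, and the nonce ties the token to the RP's own session. The token is signed with HS256 so the example stays on the Python standard library; the issuer URLs, client id, key and timestamps are constructed (public OPs normally use RS256 with keys published in their JWKS document).

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(issuer, client_id, subject, nonce, key, lifetime=300, now=None):
    """OP side: compact JWS (header.claims.signature) over the standard ID token claims."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": client_id, "sub": subject,
              "nonce": nonce, "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_id_token(token, expected_issuer, client_id, expected_nonce, key,
                      now=None, skew=60):
    """RP side. Raises ValueError on any failed check, returns the claims otherwise."""
    now = now if now is not None else time.time()
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":        # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != expected_issuer:  # the OP this login was started with
        raise ValueError("issuer mismatch (possible mix-up)")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) + skew < now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:  # binds the token to this RP session
        raise ValueError("nonce mismatch")
    return claims
```

The RP must remember, per session, which OP it redirected the user to and which nonce it sent; validating against "whatever issuer the token names" is exactly the shortcut the mix-up attack relies on.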
Identity and Access Management in Cloud
Who can do what in a given cloud account. Typical IAM objects:
- User – with password, access key, 2FA/MFA device if needed
- Group – user collections, multiple groups per user
- Permissions – assigned by IAM policies (inline/managed), JSON/?
- Role – another identity, no credentials, can be assumed by anybody, federation
- Services and resources
IAM control: centralized; fine-grained for APIs, resources, management.
Security: separate credentials and permissions; default policy – deny access.
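An added example (not from the lecture) of how the "default policy – deny access" rule plays out when several JSON policies are attached to one identity: implicit deny by default, any matching explicit Deny wins, otherwise a matching Allow grants. The two policy documents (one managed, one inline), the AWS-style action names and ARNs, and the `Bool` condition on an MFA context key are constructed for the example; the evaluator is a simplified model, not a cloud provider's engine.

```python
import fnmatch
import json

# Constructed policy documents in the JSON shape cloud IAM uses (AWS-style
# action names and ARNs assumed; this evaluator is a simplified model).
MANAGED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::reports/*"},
    {"Effect": "Allow",
     "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::reports/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]}""")

INLINE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::reports/secret/*"}
  ]}""")


def _matches(pattern, value):
    """Action/Resource may be a string or a list; '*' and '?' are wildcards."""
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition, context):
    """Only the Bool operator is modelled; unknown operators fail closed."""
    if not condition:
        return True
    for operator, tests in condition.items():
        if operator != "Bool":
            return False
        for key, wanted in tests.items():
            if str(context.get(key, "false")).lower() != str(wanted).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Returns 'Allow' or 'Deny'. Start from implicit deny (the default policy);
    an explicit Deny in any attached policy wins over every Allow."""
    context = context or {}
    allowed = False
    for document in policies:
        for statement in document["Statement"]:
            if not (_matches(statement["Action"], action)
                    and _matches(statement["Resource"], resource)
                    and _condition_ok(statement.get("Condition"), context)):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"
```

The inline Deny on the secret prefix cannot be overridden by adding more Allow statements anywhere else, which is what makes explicit denies the right tool for guard rails; every action not mentioned by any policy stays denied without anyone writing a rule for it.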
DC Monitoring
Monitoring tools
Standard resource monitoring/data collecting tools:
- Simple Network Management Protocol (SNMP)
- Windows Management Instrumentation (WMI)
- Custom solution for collection + RRDTool for visualization
- Multi Router Traffic Grapher (MRTG)
- Collectd
- Munin
- Cacti
- OTRS System Monitoring – automatically generates tickets for component failures in the OTRS ticket system
- Nagios (Nagios Core)
- Zabbix
- Custom-built solution for a given DC or cloud provider, e.g. Amazon CloudWatch
Performance monitoring of HW and SW
Typically a monitoring system supplied by the manufacturer:
- IBM Systems Director
- Oracle Enterprise Manager
- System Center Operations Manager (Microsoft)
Consists of several typical components:
- Agents
- Collection, aggregation, repository, …
- Reporting console
- Management server
The architecture may be distributed or limited to a single server.
[Figure: Traffic Monitoring Dashboard Example]
Nagios
Application for monitoring systems, networks & infrastructure. Alerts are sent to the user on failure and on problem resolution as well. Runs on Linux and other UNIX-based systems.
Objects (network services, host resources, network devices accessed through plugins) are accessed through agents which provide data to Nagios for storage and processing. Status is then provided through graphs, the web interface, different notifications (SMS, e-mail, custom plugin, …) or processed through event handlers.
Redundant monitoring hosts are available. Performance data graphing is available. There is support for a database backend, storing in an RRD database.
Issues with intellectual property, web sites, commercial interface.
[Figure: Nagios Core Examples]
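An added example (not from the lecture and not Nagios' own code) of the plugin contract the "objects accessed through plugins" sentence refers to: a check exits 0/1/2/3 for OK/WARNING/CRITICAL/UNKNOWN, prints one status line, and appends performance data after `|` for graphing. The threshold range syntax (`10`, `10:`, `~:10`, `10:20`, `@10:20`) follows the Nagios plugin development guidelines; the disk-usage metric, the `disk_used` label and the default thresholds are constructed for the example.

```python
import shutil
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3      # plugin exit codes Nagios understands


def parse_range(spec):
    """Threshold range: '10' (0..10), '10:' (10..inf), '~:10' (-inf..10), '10:20';
    a leading '@' alerts *inside* the range instead of outside it."""
    inside = spec.startswith("@")
    spec = spec[1:] if inside else spec
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        lo = float("-inf") if lo == "~" else float(lo)
        hi = float("inf") if hi == "" else float(hi)
    else:
        lo, hi = 0.0, float(spec)
    if lo > hi:
        raise ValueError(f"bad range {spec!r}")
    return lo, hi, inside


def in_alert(value, spec):
    lo, hi, inside = parse_range(spec)
    outside = value < lo or value > hi
    return not outside if inside else outside


def evaluate(used_pct, warn, crit, label="disk_used"):
    """Returns (exit_code, output_line). Text after '|' is performance data in the
    label=value[UOM];warn;crit;min;max form that graphing add-ons consume."""
    if in_alert(used_pct, crit):
        status, word = CRITICAL, "CRITICAL"
    elif in_alert(used_pct, warn):
        status, word = WARNING, "WARNING"
    else:
        status, word = OK, "OK"
    perfdata = f"{label}={used_pct:.1f}%;{warn};{crit};0;100"
    return status, f"DISK {word} - {used_pct:.1f}% used | {perfdata}"


def main(argv):
    """Usage: check_disk_pct.py [path] [warn_range] [crit_range]"""
    path = argv[0] if len(argv) > 0 else "/"
    warn = argv[1] if len(argv) > 1 else "80"
    crit = argv[2] if len(argv) > 2 else "90"
    try:
        usage = shutil.disk_usage(path)
        status, line = evaluate(100.0 * usage.used / usage.total, warn, crit)
    except (OSError, ValueError) as exc:   # unreadable path or bad thresholds: UNKNOWN, never OK
        print(f"DISK UNKNOWN - {exc}")
        return UNKNOWN
    print(line)
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Returning UNKNOWN rather than OK when the check itself fails matters operationally: a plugin that cannot measure must not silence the alert it was installed to raise.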
Zabbix
Platform for monitoring servers, networks, services and cloud. C back-end and PHP/JS front-end (web interface). Stores data in standard SQL databases.
- Agent-less monitoring of services like SMTP, HTTP, …
- Agents for UNIX- and Windows-based hosts
- SNMP monitoring of devices which support it
- Near real-time notification (e-mail, XMPP, SMS, alarm, …)
- Auto-discovery of servers and network devices
Zabbix Modules
- Back-end – collects data for the server
- Agents – deployed on end systems to monitor CPU, HDD, memory, …; both push (active mode) and pull (passive mode) approaches
- Proxy – collects data from agents on behalf of the server
- Server – retrieves monitored items, applies triggers on them, applies templates and stores data in the DB
- Front-end – presents data through dashboards, screens & graphs
Remote Management
- Out-of-band (OOB) management – separate IP address, VLAN or even a network card; console access to the device. Typically in a separate management network, protected by ACLs.
- In-band (IB) management – remote desktop access directly through the server IP address, e.g. through VNC, Remote Desktop, Terminal Services, etc. Risk of an attacker using vulnerabilities in the service.
- Bastion login servers, which work in-band (SSH) and allow accessing the out-of-band network, are possible.
- Virtual servers with a management console allowing virtual console access to servers in the virtual infrastructure (VI), e.g. vSphere.
- Selected users may be permitted to use a VPN connection to access the OOB, IB and VI management.
Logging in Data Centers
Standard logging infrastructure in a data center:
- Servers, infrastructure, storage, and hypervisors send logs to the (read-only) logging server, normally through the syslog protocol
- Log data is accessible to analytics tools
- Log entries may be encrypted to prevent unauthorized access to sensitive data
Log analytics tools:
- Concentrate on a specific service – e.g. web server logs
- Provide general correlations – e.g. how a fault spread
- Automated analysis with a dashboard for easy access, e.g. the vCenter Log Insight virtual appliance
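An added example (not from the lecture) of the first thing an analytics tool does with what arrives at the logging server: parse the syslog line, decode facility and severity from the PRI field, and surface the records worth alerting on. It handles both the BSD (RFC 3164) and the IETF (RFC 5424) line formats and keeps unparseable lines visible instead of dropping them. The four sample lines are constructed for the example (the first is modelled on the `su` example in RFC 3164).

```python
import re

# Facility and severity names for the PRI value (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock"] + \
             [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$")


def parse_syslog(line: str) -> dict:
    """Parse one BSD (RFC 3164) or IETF (RFC 5424) syslog line into a record."""
    match = RFC5424.match(line) or RFC3164.match(line)
    if match is None:
        raise ValueError(f"unparseable syslog line: {line!r}")
    pri = int(match.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, severity = pri >> 3, pri & 7
    return {"rfc": 5424 if match.re is RFC5424 else 3164,
            "facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "severity_num": severity, "host": match.group("host"),
            "app": match.group("app"), "pid": match.group("pid"),
            "msg": match.group("msg")}


def alerts(lines, max_severity=3):
    """Records at severity 'err' (3) or worse, plus lines the parser could not handle:
    a collector should surface those rather than silently discard them."""
    out = []
    for line in lines:
        try:
            record = parse_syslog(line)
        except ValueError:
            out.append({"host": None, "severity": "unparsed", "msg": line})
            continue
        if record["severity_num"] <= max_severity:
            out.append(record)
    return out


SAMPLE_LINES = [   # constructed for this example
    "<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Feb  5 17:32:18 web01 nginx[201]: GET /index.html 200",
    "<27>1 2024-01-05T10:00:00Z hv01 vmkernel 812 - - storage path down",
    "not a syslog line at all",
]
```

Keying alerts on the decoded severity rather than on free-text matching is what lets one rule cover servers, storage and hypervisors that all speak syslog but format their messages differently.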
Audit Trail
Security-relevant chronological (set of) record(s) providing documentary evidence of the sequence of activities.
- May contain sources and destinations of the records
- Includes information on what has been affected (operation, procedure, event)
- A normal user must not be able to stop/change the collection process creating the audit trail; role-based security may be applied to protect it
- Records the completed and attempted accesses and services, or data forming a logical path linking a sequence of events
- Can be used to trace the transactions that have affected the contents of a record
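An added example (not from the lecture) of an audit trail built so that the properties above are checkable rather than assumed: each record carries the MAC of its predecessor and its own HMAC under a key the normal user does not hold, so changing, removing or reordering a record is detected by `verify`, and `trace` answers "which completed or attempted accesses touched this record". The class, the key and the sample records are constructed for the example; in a data center the key would live with the read-only logging server, not with the systems being audited.

```python
import hashlib
import hmac
import json
import time


class AuditTrail:
    """Append-only, tamper-evident audit trail (constructed example)."""

    def __init__(self, key: bytes):
        self._key = key          # held by the audit service only, not by normal users
        self._records = []

    @staticmethod
    def _canonical(record: dict) -> bytes:
        """Stable serialization so the MAC is reproducible on verification."""
        return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

    def append(self, actor, action, target, outcome, ts=None):
        """Record one completed or attempted access; returns the record's MAC."""
        prev = self._records[-1]["mac"] if self._records else "0" * 64
        body = {"seq": len(self._records),
                "ts": ts if ts is not None else time.time(),
                "actor": actor, "action": action, "target": target,
                "outcome": outcome, "prev": prev}
        mac = hmac.new(self._key, self._canonical(body), hashlib.sha256).hexdigest()
        self._records.append({**body, "mac": mac})
        return mac

    def records(self):
        """Copies only: callers never get a handle that mutates the trail."""
        return [dict(r) for r in self._records]

    @staticmethod
    def verify(records, key):
        """Recompute the chain from record 0. Returns (True, None) or (False, first_bad_seq)."""
        prev = "0" * 64
        for i, record in enumerate(records):
            body = {k: v for k, v in record.items() if k != "mac"}
            if record.get("seq") != i or body.get("prev") != prev:
                return False, i                       # gap, reorder or deletion
            mac = hmac.new(key, AuditTrail._canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(mac, record.get("mac", "")):
                return False, i                       # content changed or wrong key
            prev = record["mac"]
        return True, None

    def trace(self, target):
        """The logical path of events that affected one record/object, in order."""
        return [(r["seq"], r["actor"], r["action"], r["outcome"])
                for r in self._records if r["target"] == target]
```

The chain only proves integrity from the point an auditor last checked it; pairing it with periodic anchoring of the latest MAC somewhere the audit host cannot rewrite (a separate system, a printout, a notary) is what closes the "truncate the tail" gap.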