DEFENSE-IN-DEPTH. Shankar Chebrolu. Security Architecture Strategy for Deploying Apps and Services in IaaS Hybrid Cloud

Transcription

1 DEFENSE-IN-DEPTH Security Architecture Strategy for Deploying Apps and Services in IaaS Hybrid Cloud Shankar Chebrolu Enterprise Security Architect, Red Hat 10/08/2015

2 AGENDA ² HYBRID CLOUD & DEV-OPS MODEL ² DEFENSE-IN-DEPTH Ø Multiple Network (logical) Zones Ø Multi-factor Authentication (MFA) Ø Malware Detection & Data Loss Prevention Ø Host based Intrusion Detection System (HIDS & FIM) Ø Log Monitoring ² Q & A 2

3 DEV-OPS MODEL Term emerged from collision of two (or three) major IT tasks by the same team / person: v Dev elopment / QA v Operations (Ops) DevOps Technology Opera-ons 3

4 HYBRID CLOUD & DEV-OPS MODEL v Widespread adoption of Cloud Computing is driving the DevOps revolution in Enterprise IT Ø AWS introduces DevOps certification v DevOps is disruptive but essential to support fast paced Agile development 4

5 DEFENSE-IN-DEPTH q Problem Statement: Most developers and app team members are good at their application / service development, but not experts at the infrastructure level and hence lack relevant security expertise that is necessary to implement end-to-end security in their cloud tenant space. q Potential Solution: Self-service Defense-in-Depth using open source tools and technology

6 DEFENSE-IN-DEPTH q Deep & Elastic defense (also called Castle approach) is a military concept to prevent advance of an attacker in a war q Practical strategy for achieving end-to-end security in today s complex networked environment (e.g., hybrid cloud) q It is a best practices strategy that relies on many techniques and technologies, applicable at various levels in the stack (e.g., application, platform, host, network, etc)

7 Policies, Procedures, Awareness, Training Physical LAYERS OF DEFENSE SAMPLE Network Perimeter Network/Tiers (internal) Host/Server Applica-on Data

8 WHICH LAYERS OF DEFENSE q Layers of Defense should be chosen as a balance between: q Data Sensitivity / Data Classification q Protection / Security Capability q Performance q Operational Considerations q Cost (consider Open Source, as applicable)

9 DEFENSE-IN-DEPTH SDLC / TECH STACK SDLC Phase(s) Tech Stack Level(s) Defense Mechanism DESIGN, DEPLOYMENT NETWORK Design Mul-ple Network (Logical) Zones DESIGN, DEPLOYMENT DESIGN, DEVELOPMENT DESIGN, DEPLOYMENT DESIGN, DEPLOYMENT NETWORK, HOST, APPLICATION APPLICATION, DATA HOST, DATA ALL Mul-- factor Authen-ca-on (2FA) Malware Detec-on & Data Loss Preven-on (DLP) Host based Intrusion Detec-on System (HIDS) & FIM Log Monitoring

10 DESIGN MULTIPLE NETWORK (LOGICAL) ZONES - DESIGN, DEPLOYMENT - NETWORK

11 DESIGN MULTIPLE NETWORK (LOGICAL) ZONES Simpler One

12 MULTIPLE NETWORK (LOGICAL) ZONES LiUle More Complex

13 MULTI FACTOR AUTHENTICATION (MFA) - DESIGN, DEPLOYMENT - NETWORK, HOST, APPLICATION

14 MULTI-FACTOR AUTHENTICATION q q Jump Server / Bastion Hosts with Two Factor AuthC (2FA) Cloud Provider s VPC (Virtual Private Cloud) model or OpenVPN: 1. Cert based authentication for First Factor 2. Google Authenticator / FreeOTP based tokens as OTP (One-Time Password/ Token) for Second Factor Ø auth required pam_google_authen-cator.so (/etc/pam.d/sshd) Ø ChallengeResponseAuthen-ca-on yes (/etc/ssh/sshd_config) VPN Client VPN Gateway

15 OTP AUTHENTICATION FOR APACHE q For smaller user base, avoid using LDAP with passwords q Apache webserver can be configured to authenticate using Google Authenticator: u u u hups://code.google.com/p/google- authen-cator- apache- module/downloads/detail? name=googleauthapachebinary.r10.x86_84.bz2 cp googleauthapache/mod_authn_google.so /etc/hupd/modules/ Full Documenta=on: hups://code.google.com/p/google- authen-cator- apache- module/wiki/googleauthen-catorapachemodule

16 MALWARE DETECTION & DATA LOSS PREVENTION (DLP) - DESIGN, DEVELOPMENT - APPLICATION, DATA

17 CLAMAV FOR MALWARE DETECTION/PREVENTION q ClamAV is an An-- virus engine for File / scanning, Data Loss Preven-on (DLP). Consists of 3 u-li-es: q q q Mul-- threaded daemon (clamd), Command line scanner (clamscan) and Tool for automa-c malware DB updates (freshclam) q Can be used for content scanning for web applica-on based file uploads/downloads to detect/prevent Malware.

18 CLAMAV FOR MALWARE DETECTION/PREVENTION End User ClamAV Web/App Server Database

19 MALWARE DETECTION / PREVENTION Sample Java Code: (needs libclamav- 1.0.jar) For file uploads: ClamAVScanner scanner = ClamAVScannerFactory.getScanner(); scanner.performscan(<inputstream...>); For file downloads: FileInputStream instream = new FileInputStream(downloadFile); boolean nomalware = scanner.performscan(instream); if (nomalware) write the contents of the file to servlet output stream else write error message that the file has malware, hence file download is aborted

20 DATA LOSS PREVENTION (DLP) q Used to Detect / Prevent data leaving the enterprises inadvertently q Enable DLP Module within ClamAV to scan for presence of specific data pauerns during file uploads and downloads: q Credit Card Numbers (16 digit) q SSNs (Social Security Numbers) Or Other Na-onal Iden-fiers q Configure in clamd.conf file: ² StructuredDataDetecIon yes ² StructuredMinCreditCardCount 5 ² StructuredMinSSNCount 3 ² StructuredSSNFormatNormal yes ² StructuredSSNFormatStripped yes

21 HOST BASED INTRUSION DETECTION SYSTEM (HIDS) & FILE INTEGRITY MONITORING (FIM) - DESIGN, DEPLOYMENT - APPLICATION, DATA

22 OSSEC FOR HIDS & FIM q OSSEC can be used for real-time monitoring of critical files / folders and as Host based Intrusion Detection System (HIDS) q OSSEC helps meet PCI compliance requirements: q File (e.g., Code) integrity monitoring (sec-ons 11.5, 10.5) q Log inspection and monitoring (section 10) q Policy enforcement and checking

23 OSSEC SERVER & DISTRIBUTED AGENTS

24 FILE INTEGRITY MONITORING q Most attack vectors include modification of critical system files (OS, database, etc). OSSEC can help detect and alert when they happen Apache Webserver OSSEC Agents / Clients Tomcat Appserver MySQL DB Open LDAP OSSEC Server

25 LOG MONITORING - DESIGN, DEPLOYMENT - ALL

26 LOG MONITORING q Logstash is a flexible tool for managing centralized logs/events (hmps:// q Elas-csearch tool provides real- -me search and analy-cs capabili-es. Allows to start small and scale horizontally as required (hmps:// q Kibana Data Visualiza-on and Dashboard- ing tool q ELK Stack in a DevOps Env: hmps:// stack- devops- environment/?camp=lsdocs?camp=lsdocs

27

28

29 MORE LAYERS OF DEFENSE ² Threat Modeling ² Hardening OS, Web/App/DB ² Security Patch Updates ² Secure Web Application Development ² Input Validation ² Output Sanitization ² WAF ModSecurity ² Data Encryption in Transit TLS 1.2 ² Data Encryption at Rest

30 THANK YOU plus.google.com/+redhat facebook.com/redhatinc linkedin.com/company/red-hat twitter.com/redhatnews youtube.com/user/redhatvideos

31 DESIGN MULTIPLE NETWORK (LOGICAL) ZONES Simpler One

32 MULTIPLE NETWORK (LOGICAL) ZONES LiUle More Complex

33 OSSEC SERVER & DISTRIBUTED AGENTS