Automatic Server Hardening – Hardening Framework – Problem





On GitHub: TelekomLabs / itsa-slides

Automatic Server Hardening

Hardening Framework

Created by Christoph Hartmann / Dominik Richter / Patrick Meier

Problem

Physical Security

  • Keep a 100-foot buffer zone around the site.
  • Limit entry points
  • Plan for bomb detection
  • Make fire doors exit only
  • Surveillance cameras
  • ...

Digital Security

?
Out-of-the-box server configurations are insecure and increase the probability of server attacks and data breaches.
Solution for Digital Security:

Hardening Framework

In computing, hardening is usually the process of securing a system:

  • Securing default configuration
  • Reducing attack surface
  • Automatic deployment
  • Works on bare-metal and cloud infrastructures

Honeypot attacks

Measurement of real-world computer attacks

  • 6 million attacks per month
  • 200,000 attacks per day
  • 8333 attacks per hour
  • 138 attacks per minute

Information Breached

  • Real Names
  • Birth Dates
  • Government ID Numbers
  • Home Address
  • Medical Reports
  • Phone Numbers
  • Financial Information
  • Email Addresses
  • Username & Password
  • Insurance

Source: Bloomberg

Why should you avoid manual server hardening?

  • Manual work is not 100% accurate
  • Every project needs to reinvent the wheel
  • Expensive and time-consuming
  • Divergent test & production environments
  • No measurement of compliance level
  • Requires a lot of resources

Server Scaling

Manual hardening does not fit autoscaling environments.


Approach

The Hardening Framework applies secure default configuration while allowing customization for each deployment.

Component Overview

Apply hardening in seconds

Before

  • ✗ Securing default configuration
  • ✗ Reducing attack surface
  • ✗ Fulfill compliance

Apply

  • Automatic deployment
  • Works on bare-metal
  • Works on cloud infrastructures

After

  • ✓ Securing default configuration
  • ✓ Reducing attack surface
  • ✓ Fulfill compliance

A full demonstration is available on Vimeo.

Ingredients

Automation Frameworks

  • Chef
  • Puppet

Infrastructure

  • OpenStack

Continuous Integration

  • Security Tests
  • Source code
  • RuboCop
  • Foodcritic
  • puppet-lint

Operating Systems

  • RedHat 6.4
  • RedHat 6.5
  • Ubuntu 12.04
  • Ubuntu 14.04
  • CentOS 6.4
  • CentOS 6.5
  • Oracle 6.4
  • Oracle 6.5
  • Debian 6
  • Debian 7

Core Team

Contributors

References

  • Data Breaches in the U.S.
  • Norse
  • Symantec Internet Security Threat Report 2014
  • Deutsche Telekom Sicherheitstacho
  • The Honeypot Project

THE END

Further information is available at telekomlabs.github.io
