bless better security and ops for ssh access
play

BLESS: Better Security and Ops for SSH Access Bryan D. Payne, - PowerPoint PPT Presentation

Jan 14, 2023 •357 likes •1.11k views

BLESS: Better Security and Ops for SSH Access Bryan D. Payne, Director of Product Security June 2017 Post by Ryan McGeehan 1 2 3 4 5 Phishing & Lateral Data Zero Day Backdoor Exfiltrate Movement Gathering Attack Several users

  1. BLESS: Better Security and Ops for SSH Access Bryan D. Payne, Director of Product Security June 2017

  6. Post by Ryan McGeehan

  10. 1 2 3 4 5 Phishing & Lateral Data Zero Day Backdoor Exfiltrate Movement Gathering Attack Several users Victim machine Attack elevates Data is Encrypted data are targeted is accessed access and collected, is exfiltrated, by phishing remotely by propagates prepared, typically to attacks. At adversary. throughout the and staged another least one network. for exfiltration. compromised succeeds. It exploits any system that privileges and is external information to the discovered organization. along the way. Adapted from https:/ /blogs.rsa.com/anatomy-of-an-attack/.

  11. What’s the Problem?

  13. LDAP

  14. LDAP

  15. Operator 1 App A Instances Operator 2 App B Instances App C Operator 3 Instances

  16. Operator 1 App A Instances Operator 2 Bastion App B Instances App C Operator 3 Instances

  17. What about single use SSH keys?

  18. What if they left great clues behind?

  19. And offered strong protections?

  20. Netflix’s Solution

  21. SSH Authentication

  26. Bastion’s Lambda Ephemeral Ssh Service

  28. def my_handler(event, context): message = 'Hello {} {}!'.format(event['first_name'], event['last_name']) return { 'message' : message } Invoke Lambda Lambda Response ClientContext Status + Payload

  29. Invoke BLESS BLESS Response Certificate Request Certificate Bastion BLESS

  30. Invoke BLESS BLESS Response Certificate Request Certificate Bastion BLESS Decrypt SSH CA private key AWS KMS

  31. Instances SSH with certificate Invoke BLESS BLESS Response Certificate Request Certificate Bastion BLESS Decrypt SSH CA private key AWS KMS

  32. SSH Certificates

  33. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  34. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 User or Host Principals: Certificates host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  35. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Control over what Principals: is logged by SSHd host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  36. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Short-lived certs Principals: reduce risk host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  37. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Valid for a single Principals: target (account, app, host_username Critical Options: username, etc) source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  38. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Valid from a Principals: single host host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  39. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Control what the Principals: SSH session can host_username Critical Options: be used for source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  40. Scoping Credentials

  41. Access to Bastion == Access to Instances Instances Bastion BLESS Developer

  42. App Defines Access List Foo App Bar App Bastion BLESS Developer

  43. App Defines Multiple Roles Foo App Bar App Bastion BLESS Developer

  44. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: instance_user:aws_account:app_name source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  45. Config File /etc/ssh/sshd_config # Entries to enable BLESS TrustedUserCAKeys /etc/ssh/bless_user_ssh_cas.pub AuthorizedPrincipalsFile /etc/ssh/authorized_principals/%u

  46. Config File /etc/ssh/authorized_principals/blessdemo bless_demo_instances:bless_demo_instances:123456789012:i-18badf00ddeadbeef

  47. Operational Wins

  48. Instances SSH with certificate Invoke BLESS BLESS Response Certificate Request Certificate Bastion BLESS Decrypt SSH CA private key AWS KMS

  49. 5. AWS ssh tool: Use 7. BLESS: Generate and session credentials to sign SSH Certificate request a certificate Log 6. BLESS: Decrypt SSH CA Forwarder private key with KMS BLESS BLESS: Log CloudWatch certificate request Logs & results 8. BLESS: Return 10. sshd: Validate Bastion a short lived certificate, log AWS certificate certificate info KMS 1. SSH: Auth to 2. AWS SSH tool: 4. Sshaman Bastion Take request, sshd Logs Daemon: determine user, Determine 9. AWS ssh tool: application, calling user ssh with Instances instance information. RELP Server certificate Use session (syslog) credentials to request a 3. Pilgrim: certificate. Generate Keypair Request SSH Cert Sshaman Logs Developer Daemon User Developer Userspace Pilgrim Logs

  50. Key Secrecy Personal Keys Shared Keys Expiration

  51. Key Rotation vs Human Machine

  52. Logging Jun 22 00:20:55 bless-demo- instances-i-0123456789abcde sshd[####]: Accepted publickey for bless_demo_instances from Context 192.168.1.1 port ##### ssh2: RSA-CERT ID request[##################] for[user_name] from[10.0.1.1] command[test:us- east-1:bless_demo_instances:bles s_demo_instances-v001:oq-ssh] Jun 22 00:20:34 bless-demo- ssh_key[RSA de:ad:be:ef: instances-i-0123456789abcde 00:00:00:00:00:de:ad:be] sshd[####]: Accepted publickey ca[arn:aws:lambda:region:account for bless_demo_instances from :function:name] 192.168.1.1 port ##### ssh2: RSA valid_to[2017/06/22 00:25:53] SHA256:de:ad:be:ef: (serial 0) CA RSA 00:00:00:00:00:de:ad:be SHA256:8badf00d000000008bad Traditional SSH certificates with BLESS

  53. Availability Wins LDAP

  54. Yes, It’s Open Source!

  55. https:/ /github.com/Netflix/bless

  56. https:/ /github.com/Netflix/bless

  57. https:/ /github.com/Netflix/bless

  58. https:/ /github.com/Netflix/bless

  59. https:/ /github.com/Netflix/bless

  60. Demo Time

  61. User Experience

  62. 5. AWS ssh tool: Use 7. BLESS: Generate and session credentials to sign SSH Certificate request a certificate Log 6. BLESS: Decrypt SSH CA Forwarder private key with KMS BLESS BLESS: Log CloudWatch certificate request Logs & results 8. BLESS: Return 10. sshd: Validate Bastion a short lived certificate, log AWS certificate certificate info KMS 1. SSH: Auth to 2. AWS SSH tool: 4. Sshaman Bastion Take request, sshd Logs Daemon: determine user, Determine 9. AWS ssh tool: application, calling user ssh with Instances instance information. RELP Server certificate Use session (syslog) credentials to request a 3. Pilgrim: certificate. Generate Keypair Request SSH Cert Sshaman Logs Developer Daemon User Developer Userspace Pilgrim Logs

Recommend

Next Steps In Signaling (NSIS) in the IETF Roland Bless bless@tm.uka.de Institute of

Next Steps In Signaling (NSIS) in the IETF Roland Bless bless@tm.uka.de Institute of

Next Steps In Signaling (NSIS) in the IETF Roland Bless bless@tm.uka.de Institute of Telematics, University of Karlsruhe What is Signaling? Signaling exchange of (control) data between nodes to install, manage, or delete states in them

241 views • 5 slides
Bless the Lord, O My Soul Bless the Lord, O My Soul If with His love He befriend thee

Bless the Lord, O My Soul Bless the Lord, O My Soul If with His love He befriend thee

Bless the Lord, O My Soul Bless the Lord, O My Soul If with His love He befriend thee SONG SHEET - MAR 22, 2020 Chorus Praise the Lord, praise the Lord (2x) All His Benefits Verse 4 Praise to the Lord Praise the Lord, oh

552 views • 5 slides
b ra is used 75 in Bless heb Genesis, 7 in ch. 4849 Gen 1:28,

b ra is used 75 in Bless heb Genesis, 7 in ch. 4849 Gen 1:28,

b ra is used 75 in Bless heb Genesis, 7 in ch. 4849 Gen 1:28, Then God blessed them, and God said to them, Be fruitful and multiply; fill the earth and subdue it; have dominion over the fish of the sea,

350 views • 10 slides
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control Fundamentals Objectives Define Access Controls List the four Access Control Models Describe logical Access Control Methods Explain the

128 views • 8 slides
CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva OS security. Access control.

CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva OS security. Access control.

Access control Access control determines access to files and processes in OS Old area of security, but not well understood CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva OS security. Access control. 1 2 System

889 views • 5 slides
About Loxal Security Ltd Specialist access control and vacant property security company Unique

About Loxal Security Ltd Specialist access control and vacant property security company Unique

About Loxal Security Ltd Specialist access control and vacant property security company Unique range of access control technology & temporary physical security products : - Keysafes Locking Bar Void security doors & screens

368 views • 21 slides
BUSINESS PLAN GOD BLESS MARKETING SINGLE LEG NETWORK Established. 2003 MARKETING Overview

BUSINESS PLAN GOD BLESS MARKETING SINGLE LEG NETWORK Established. 2003 MARKETING Overview

BUSINESS PLAN GOD BLESS MARKETING SINGLE LEG NETWORK Established. 2003 MARKETING Overview God Bless Marketing offers Indian citizens an opportunity which leads to substantial achievements and higher level of success through its evolutionary

312 views • 18 slides
TCP for OMNeT+ + Roland Bless Mark Doll Institute of Telematics University of Karlsruhe,

TCP for OMNeT+ + Roland Bless Mark Doll Institute of Telematics University of Karlsruhe,

TCP for OMNeT+ + Roland Bless Mark Doll Institute of Telematics University of Karlsruhe, Germany Bless/Doll WSC 2004 1 Overview Motivation Introduction OMNeT+ + & TCP Concept for integration Implementation problems Evaluation

502 views • 21 slides
OS Security CS 161: Computer Security Prof. Anthony D. Joseph January 29, 2014 Access Control

OS Security CS 161: Computer Security Prof. Anthony D. Joseph January 29, 2014 Access Control

Access Control and OS Security CS 161: Computer Security Prof. Anthony D. Joseph January 29, 2014 Access Control Some resources (files, web pages, ) are sensitive. How do we limit who can access them? This is called the access

629 views • 27 slides
& PRESENT SECURITY ACCESS POINT SAFETY GATE TO PREVENT THE INFECTION SPREAD SECURITY

& PRESENT SECURITY ACCESS POINT SAFETY GATE TO PREVENT THE INFECTION SPREAD SECURITY

& PRESENT SECURITY ACCESS POINT SAFETY GATE TO PREVENT THE INFECTION SPREAD SECURITY ACCESS POINT SECURITY WAS BORN THANKS TO THE COOPERETION BETWEEN ETS AND BICARJET , TWO ITALIAN LEADERS IN THE AUTOMATION ACCESS INDUSTRY. POINT

151 views • 13 slides
Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction

Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction

Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction to Computer Security Announcements intermission OS security: access control Unix-style access control Stephen McCamant Multilevel and mandatory

656 views • 9 slides
Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication Encapsulation Intrusion detection Common sense Lecture 2 Page 1 CS 236 Online Physical Security Lock up your computer Actually,

465 views • 35 slides
Introduction to Network Security Security Chapter 11 Remote Access Security Dr. Doug Jacobson

Introduction to Network Security Security Chapter 11 Remote Access Security Dr. Doug Jacobson

Introduction to Network Security Security Chapter 11 Remote Access Security Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Remote Access Telnet Rlogin X-Windows X-Windows FTP General

765 views • 52 slides
Analysis of IPv6 Relocation Delays draft-vogt-dna-relocation-01.txt Christian Vogt, Roland Bless,

Analysis of IPv6 Relocation Delays draft-vogt-dna-relocation-01.txt Christian Vogt, Roland Bless,

Analysis of IPv6 Relocation Delays draft-vogt-dna-relocation-01.txt Christian Vogt, Roland Bless, Mark Doll, Gregory Daley chvogt@tm.uka.de, bless@tm.uka.de, doll@tm.uka.de, greg.daley@eng.monash.edu.au Problem Statement, Proposed Solutions,

90 views • 8 slides
Introduction to Network Security Chapter 11 Remote Access Security Dr. Doug Jacobson -

Introduction to Network Security Chapter 11 Remote Access Security Dr. Doug Jacobson -

Introduction to Network Security Chapter 11 Remote Access Security Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Remote Access Telnet Rlogin X-Windows FTP General Countermeasures

1.48k views • 104 slides
Security CS 4410 Operating Systems References: Security Introduction and Access Control by Fred

Security CS 4410 Operating Systems References: Security Introduction and Access Control by Fred

Security CS 4410 Operating Systems References: Security Introduction and Access Control by Fred Schneider Historical Context 1961 1969 1960s OSes begin to be shared. Enter: Communication Synchronization Protection Security:

1.16k views • 53 slides
Distributed File Systems Security: Anonymous access all files available to all users 14B.

Distributed File Systems Security: Anonymous access all files available to all users 14B.

5/30/2018 Distributed File Systems Security: Anonymous access all files available to all users 14B. Remote Data Access: Security no authentication required may be limited to read-only access 14C. Remote Data: Robustness examples:

391 views • 9 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Network Access Security Torino, IT March 4 th , 2005 Carsten Bormann <cabo@tzi.de>

Network Access Security Torino, IT March 4 th , 2005 Carsten Bormann <cabo@tzi.de>

An introduction to Network Access Security Torino, IT March 4 th , 2005 Carsten Bormann <cabo@tzi.de> Overview Network Access Security: Traditions WLAN Security WLAN Roaming 2 Overview Network Access Security:

782 views • 20 slides
CSCE 790 Computer Systems Security Security Policy Models Professor Qiang Zeng Spring

CSCE 790 Computer Systems Security Security Policy Models Professor Qiang Zeng Spring

CSCE 790 Computer Systems Security Security Policy Models Professor Qiang Zeng Spring 2020 Previous Class Concepts Access Control, Subject, Object Goals of Access Control Confidentiality, Integrity Access Matrix

702 views • 26 slides
Outline Multilevel and mandatory access control CSci 5271 Introduction to Computer Security

Outline Multilevel and mandatory access control CSci 5271 Introduction to Computer Security

Outline Multilevel and mandatory access control CSci 5271 Introduction to Computer Security Announcements intermission Day 10: OS security: access control Stephen McCamant Capability-based access control University of Minnesota, Computer

245 views • 5 slides
Outline Multilevel and mandatory access control CSci 5271 Introduction to Computer Security

Outline Multilevel and mandatory access control CSci 5271 Introduction to Computer Security

Outline Multilevel and mandatory access control CSci 5271 Introduction to Computer Security Announcements intermission Day 10: OS security: access control Stephen McCamant Capability-based access control University of Minnesota, Computer

486 views • 7 slides
Invocation and Opening Verses Pastor: In the name of the Father and of the Son and of the Holy

Invocation and Opening Verses Pastor: In the name of the Father and of the Son and of the Holy

Invocation and Opening Verses Pastor: In the name of the Father and of the Son and of the Holy Spirit. People: Amen Pastor: Bless the Lord, O my soul, and all that is within me, bless his holy name! People: Bless the Lord, O my soul, and

253 views • 23 slides
Sponsors.. A well-defined security plan? A document with Security Plan on the top of it

Sponsors.. A well-defined security plan? A document with Security Plan on the top of it

Sponsors.. A well-defined security plan? A document with Security Plan on the top of it SURVEY SAYS Identity & Access Management Multi-Factor Authentication Life Cycle Management Network Access Control

382 views • 24 slides

More recommend