Securing the Fortress with Barbican at Symantec
Jason Fritcher, Principal Infrastructure Engineer, Cloud Platform Engineering
About Me
• In the Internet industry for nearly 20 years
• Worked in Development and Operations roles running Internet services
• Always had an interest in and an eye towards security
• In my free time, I enjoy Electronics, Video Games and Motorcycling
Agenda
1 Introduction to Barbican
2 Barbican at Symantec
3 Barbican Hardening
4 Barbican Improvements
5 Q & A
Introduction to Barbican: Ye Olde Barbican
“A Barbican is a fortified outpost or gateway, such as an outer defense to a city or castle, or any tower situated over a gate or bridge which was used for defensive purposes.”
- Wikipedia
Introduction to Barbican: Today’s Barbican
Barbican is a REST API designed for the secure storage, provisioning and management of secrets such as passwords, encryption keys and X.509 Certificates.
Introduction to Barbican: Barbican Resources
• Secrets
  – Hold the data to be secured
  – Small objects, typically < 10KB of data
• Containers
  – Logical grouping of secrets
• Orders
  – Longer running tasks, like key generation
Introduction to Barbican: Barbican Architecture
Components
• API Processes
  – Handle all interactions with the clients
  – Process all secret and container tasks
  – Submit order tasks to workers
• Worker Processes
  – Process all tasks which take more than a trivial amount of time
    • Asymmetric key generation
    • Certificate management
Introduction to Barbican: Barbican Architecture
Potential Dependencies
• Keystone
  – User authentication / authorization
• External Database
  – Replaces the default SQLite option, more scalable
• Message Queue
  – API to Worker communication
• Hardware Security Module
  – Provides a secure crypto environment and master key storage
Barbican at Symantec: Problems
• Secrets stored in Version Control System
• TLS Key Storage
• Encryption Keys
• Automated Deployments
• Automating Certificate Management
Barbican at Symantec: Use Cases
• LBaaS TLS Provisioning
• Configuration Management
• Key Management as a Service for Product Groups
Barbican at Symantec: Implementation
• Galera MySQL DB Cluster
  – Multi-master topology, plus top-notch replication, including cross data center
• RabbitMQ Cluster
• SafeNet Luna SA HSMs
  – More on these later
• uWSGI + Apache + mod_proxy_uwsgi
  – Maybe mod_security to add WAF functionality
Barbican Hardening: Database
• Server TLS
  – Enabling TLS is as simple as specifying the key and cert in my.cnf
    • ssl_key=/etc/pki/tls/private/mysql.key
    • ssl_cert=/etc/pki/tls/certs/mysql.crt
  – To ensure TLS is always used, add REQUIRE SSL to your MySQL user account
• Client TLS
  – Activate TLS for connections by adding the ssl_ca parameter to the connection string
    • sql_connection = mysql://barbican:[email protected]:3306/barbican?ssl_ca=/etc/barbican/ssl/ca.pem
• MySQL TLS Challenges
  – Intermediate certificates don’t work properly
  – Client hostname validation code is poor
  – Client/Server issues depending on OpenSSL versions
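Both halves of this slide (the server-side ssl_key/ssl_cert options and the ssl_ca parameter on Barbican's sql_connection) can be checked mechanically before a node goes live. The Python below is an added example, not Barbican or Symantec code: it parses a my.cnf fragment for the two server options, checks a sql_connection URL for ssl_ca, and renders the REQUIRE SSL grant that makes the server refuse plaintext logins for the Barbican account. The sample my.cnf text, the connection URLs in the usage notes and the function names are my own constructions.

```python
"""Audit helpers for the MySQL TLS settings on the slide (added example)."""
import configparser
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample my.cnf fragment mirroring the slide's two server options.
SAMPLE_MY_CNF = """\
[mysqld]
datadir=/var/lib/mysql
ssl_key=/etc/pki/tls/private/mysql.key
ssl_cert=/etc/pki/tls/certs/mysql.crt
"""


def _load_my_cnf(text):
    # MySQL option files are INI-like: allow_no_value covers bare options such
    # as skip-networking, strict=False tolerates repeated keys, no interpolation.
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def server_tls_findings(my_cnf_text):
    """Problems with the [mysqld] TLS options; an empty list means the server
    can offer TLS the way the slide configures it."""
    cp = _load_my_cnf(my_cnf_text)
    if not cp.has_section("mysqld"):
        return ["no [mysqld] section found"]
    findings = []
    for opt in ("ssl_key", "ssl_cert"):
        # MySQL accepts both the underscore and the dash spelling of an option.
        value = (cp.get("mysqld", opt, fallback=None)
                 or cp.get("mysqld", opt.replace("_", "-"), fallback=None))
        if not value:
            findings.append(f"{opt} not set: server cannot offer TLS")
        elif not value.startswith("/"):
            findings.append(f"{opt} should be an absolute path, got {value!r}")
    return findings


def client_tls_findings(sql_connection):
    """Problems with Barbican's sql_connection URL; an empty list means TLS is
    activated on the client side with a CA to verify the server against."""
    parts = urlsplit(sql_connection)
    findings = []
    if not parts.scheme.startswith("mysql"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    ssl_ca = parse_qs(parts.query).get("ssl_ca", [""])[0]
    if not ssl_ca:
        findings.append("ssl_ca missing: TLS is not activated on the connection string")
    elif not ssl_ca.startswith("/"):
        findings.append(f"ssl_ca should be an absolute path, got {ssl_ca!r}")
    return findings


def require_ssl_statement(user, host="%"):
    """SQL that makes the server refuse plaintext logins for the account, so a
    misconfigured client fails closed instead of silently connecting in the clear.
    GRANT ... REQUIRE SSL is the MySQL 5.x form; 5.7+ also accepts ALTER USER."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", user) or not re.fullmatch(r"[A-Za-z0-9_.%-]+", host):
        raise ValueError("unexpected characters in account name")
    return f"GRANT USAGE ON *.* TO '{user}'@'{host}' REQUIRE SSL;"


if __name__ == "__main__":
    print("server:", server_tls_findings(SAMPLE_MY_CNF) or "ok")
    url = "mysql://barbican:PASSWORD@db.example.internal:3306/barbican"
    print("client (no ssl_ca):", client_tls_findings(url))
    print(require_ssl_statement("barbican"))
```

The client check only proves that TLS is requested and a CA is configured; the hostname-validation and intermediate-certificate problems listed on the slide are in the MySQL client library itself, so the REQUIRE SSL grant on the server side is the control that actually guarantees no plaintext session is ever accepted.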
Barbican Hardening: Barbican Node
• Restricted Node Access
  – Should only be accessible to a small pool of personnel
    • For just sshd restriction, see {ALLOW,DENY}{USERS,GROUPS} in the sshd_config man page
    • For broader restrictions, look at the pam_listfile or pam_access modules
• Automation issues
  – Automation systems like Puppet or Chef could be problematic, depending on risk tolerance
• Filesystem permissions
  – Barbican should only have read permissions to everything, except a log and tmp directory
• Network controls
  – Firewall network traffic to only allow traffic from authorized hosts, Load Balancers and Monitoring
Barbican Hardening: Hardware Security Modules
• Hardware Security Modules are specialized devices that provide a secure execution and storage environment for cryptography
• Form factor varies in shape and size (USB, PCI-Express, Network Appliance)
• Performance varies drastically between devices
  – General Purpose CPUs beat HSMs for raw symmetric performance
• Not easily jumped into; some of my challenges
  – Data Center personnel hesitant with unfamiliar hardware
  – Building a secure environment within the data center
  – Auditing and compliance policies / processes
  – Separation of privileges
Barbican Improvements: PKCS11 Performance Improvements
• Existing p11_crypto and PKCS11 modules have a lot of room for improvement
  – Lots of round trips to the HSM per transaction
  – Sessions are opened, authenticated and closed per transaction
  – Not a lot of caching is done
• Improvements being made
  – First effort is to reduce the number of operations made per transaction
    • Caching project keys in the HSM and reusing them when possible; this saves ~4 RTs (round trips)
    • Holding the first authenticated session open to make subsequent session opens faster
    • Later we’ll use just a single connection or a small pool to reduce setup/teardown costs
• Sync up with community efforts in this same realm
Barbican Improvements: PKCS11 Classes of Service
• Existing p11_crypto and PKCS11 modules are all or nothing
  – Barbican’s transaction rate becomes limited by the HSMs
  – To scale performance, you need to add more HSMs
• Improvements being made
  – Split class of service being implemented
  – First class will be the full HSM model in use today
  – Second class will relax the security standard a little
    • HSM will continue to encrypt/decrypt the Project Keys
    • Project Keys will be used on the node to do encrypt/decrypt operations on secrets
    • Combined with caching Project Keys, this should remove the majority of the HSM bottleneck
• Going to work with the community on a design for contribution
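The round-trip reduction on the PKCS11 Performance Improvements slide and the two classes of service on this one are easiest to compare by counting HSM calls. The simulation below is an added example, not Barbican's p11_crypto plugin or any SafeNet code: StubHSM is a stand-in that charges one round trip per call and keeps the master key inside itself; the three backends model the per-transaction open/login/unwrap/close behaviour the slides criticise, class 1 with a held-open authenticated session and a cached project-key handle inside the HSM, and class 2 where the node caches the exported project key and encrypts secrets locally. The seal/unseal helpers are an HMAC-based placeholder so the example runs offline, not the HSM's AES mechanisms, and the round-trip counts are those of this model, not measurements from a Luna SA.

```python
"""Round-trip model for the PKCS#11 changes on the slides (added example)."""
import hashlib, hmac, os

# Stand-in keyed construction so the flows run offline (placeholder, not
# production crypto): HMAC-SHA256 counter-mode keystream plus an HMAC tag.
def _xor_stream(key, nonce, data):
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def seal(key, data):
    nonce = os.urandom(16)
    body = _xor_stream(key, nonce, data)
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return _xor_stream(key, nonce, body)

class StubHSM:
    """Every method costs one round trip. The master key (MKEK) and, for
    class 1, the unwrapped project keys never leave this object."""
    def __init__(self):
        self._mkek, self.round_trips, self._next = os.urandom(32), 0, 0
        self._sessions, self._keys = {}, {}   # session -> logged in?; key handle -> (session, key)
    def _call(self, s):
        self.round_trips += 1
        if s is not None and not self._sessions.get(s):
            raise PermissionError("no authenticated session")
    def open_session(self):
        self._call(None); self._next += 1; self._sessions[self._next] = False
        return self._next
    def login(self, s):
        self._call(None); self._sessions[s] = True
    def close_session(self, s):
        self._call(None); self._sessions.pop(s, None)
        self._keys = {k: v for k, v in self._keys.items() if v[0] != s}  # objects die with their session
    def wrap_project_key(self, s, pk):
        self._call(s); return seal(self._mkek, pk)
    def unwrap_to_handle(self, s, wrapped):   # class 1: the key stays inside the HSM
        self._call(s); self._next += 1; self._keys[self._next] = (s, unseal(self._mkek, wrapped))
        return self._next
    def unwrap_export(self, s, wrapped):      # class 2: key bytes go back to the node
        self._call(s); return unseal(self._mkek, wrapped)
    def encrypt(self, s, kh, data):
        self._call(s); return seal(self._keys[kh][1], data)
    def decrypt(self, s, kh, blob):
        self._call(s); return unseal(self._keys[kh][1], blob)

class PerTransactionBackend:
    """The behaviour the slides describe today: open, login, unwrap, operate,
    close on every call, so 5 round trips per secret operation."""
    def __init__(self, hsm, wrapped_pk):
        self.hsm, self.wrapped_pk = hsm, wrapped_pk
    def _run(self, op, arg):
        s = self.hsm.open_session(); self.hsm.login(s)
        out = op(s, self.hsm.unwrap_to_handle(s, self.wrapped_pk), arg)
        self.hsm.close_session(s); return out
    def encrypt(self, data): return self._run(self.hsm.encrypt, data)
    def decrypt(self, blob): return self._run(self.hsm.decrypt, blob)

class CachedSessionBackend:
    """Class 1 with the improvements: the first authenticated session is held
    open and the project key is unwrapped once and reused by handle."""
    def __init__(self, hsm, wrapped_pk):
        self.hsm, self.wrapped_pk, self.session, self.kh = hsm, wrapped_pk, None, None
    def _ready(self):
        if self.session is None:
            self.session = self.hsm.open_session(); self.hsm.login(self.session)
        if self.kh is None:
            self.kh = self.hsm.unwrap_to_handle(self.session, self.wrapped_pk)
    def encrypt(self, data): self._ready(); return self.hsm.encrypt(self.session, self.kh, data)
    def decrypt(self, blob): self._ready(); return self.hsm.decrypt(self.session, self.kh, blob)

class NodeCryptoBackend:
    """Class 2: the HSM only unwraps the project key, once; the node caches it
    and encrypts/decrypts secrets itself."""
    def __init__(self, hsm, wrapped_pk):
        self.hsm, self.wrapped_pk, self._pk = hsm, wrapped_pk, None
    def _key(self):
        if self._pk is None:
            s = self.hsm.open_session(); self.hsm.login(s)
            self._pk = self.hsm.unwrap_export(s, self.wrapped_pk); self.hsm.close_session(s)
        return self._pk
    def encrypt(self, data): return seal(self._key(), data)
    def decrypt(self, blob): return unseal(self._key(), blob)

def round_trips_for(backend_cls, transactions=10):
    """HSM round trips consumed by `transactions` encrypt+decrypt pairs."""
    hsm = StubHSM(); s = hsm.open_session(); hsm.login(s)
    wrapped = hsm.wrap_project_key(s, os.urandom(32)); hsm.close_session(s)  # once, at project creation
    hsm.round_trips = 0                       # count only steady-state traffic
    backend = backend_cls(hsm, wrapped)
    for i in range(transactions):
        secret = b"secret-%d" % i
        assert backend.decrypt(backend.encrypt(secret)) == secret
    return hsm.round_trips

if __name__ == "__main__":
    for cls in (PerTransactionBackend, CachedSessionBackend, NodeCryptoBackend):
        print(f"{cls.__name__:23} {round_trips_for(cls):4d} HSM round trips for 10 secrets")
```

In this model ten encrypt/decrypt pairs cost 100 round trips per-transaction, 23 with a held session and cached key handle, and 4 with node-side crypto. The trade the second class makes is visible in NodeCryptoBackend: the project key now exists in node memory, so the node hardening on the earlier slides (restricted access, read-only filesystem, firewalling) becomes part of the key's protection boundary rather than a defence in depth around it.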
Barbican Improvements: Database Integrity Protection
• Existing database model provides integrity protection for encrypted secret data
  – Does not provide integrity protection for other stored metadata
  – An attacker can change metadata and Barbican won’t detect it
• Researching ways to add integrity protection without killing performance
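One way to extend integrity protection from the ciphertext to the metadata around it is a keyed MAC over a canonical serialization of the protected columns, stored as one extra column and checked on every read. The Python below is an added example, not Barbican's data model: the column names, the sample row and INTEGRITY_KEY are constructed, and the tamper_demo function is mine. The payload_ref column stands in for whatever binds a metadata row to its encrypted payload, so that re-pointing a row at a different ciphertext is caught as well.

```python
"""HMAC over secret metadata rows so direct DB edits are detected (added example)."""
import hashlib
import hmac
import json

# Placeholder key, constructed for the example. A deployment would use a
# dedicated integrity key protected the same way the project keys are.
INTEGRITY_KEY = b"example-integrity-key-do-not-use-in-prod"

# Illustrative column names, not Barbican's schema. Everything an attacker
# could usefully change (ownership, algorithm, expiry, which payload) is covered.
PROTECTED_COLUMNS = ("id", "project_id", "name", "algorithm", "bit_length",
                     "mode", "expiration", "payload_ref")


def canonical_bytes(row):
    """Deterministic encoding of the protected columns: fixed column set, sorted
    keys, no whitespace variance, so the same row always yields the same bytes."""
    subset = {c: row.get(c) for c in PROTECTED_COLUMNS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def compute_tag(row, key=INTEGRITY_KEY):
    return hmac.new(key, canonical_bytes(row), hashlib.sha256).hexdigest()


def seal_row(row, key=INTEGRITY_KEY):
    """Copy of the row with its metadata_tag column filled in (done on write)."""
    sealed = dict(row)
    sealed["metadata_tag"] = compute_tag(row, key)
    return sealed


def verify_row(row, key=INTEGRITY_KEY):
    """True only if the stored tag matches the current metadata (done on read)."""
    tag = row.get("metadata_tag")
    if not isinstance(tag, str):
        return False
    return hmac.compare_digest(tag, compute_tag(row, key))


# Constructed sample row, not real data.
SAMPLE_ROW = {
    "id": "a1b2c3d4-example", "project_id": "project-1", "name": "db-password",
    "algorithm": "aes", "bit_length": 256, "mode": "cbc",
    "expiration": "2016-01-01T00:00:00", "payload_ref": "enc-payload-0001",
}


def tamper_demo():
    """Returns (untouched row verifies, row edited directly in the DB verifies)."""
    stored = seal_row(SAMPLE_ROW)
    edited = dict(stored, project_id="project-2")   # re-homing the secret to another project
    return verify_row(stored), verify_row(edited)


if __name__ == "__main__":
    print("untouched ok, tampered ok:", tamper_demo())
```

The per-row cost is one HMAC over a few hundred bytes, which is small next to the database round trip itself; the harder parts are where the integrity key lives and migrating tags onto existing rows. Note what this does not catch: deleting a row, or rolling a row back to an older version that carried a valid tag, both need something beyond a per-row MAC (a version counter or a MAC over the row set).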
Q&A
Thank you!
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Jason [email protected]