bless better security and ops for ssh access
play

BLESS: Better Security and Ops for SSH Access Bryan D. Payne, - PowerPoint PPT Presentation

Jan 14, 2023 •357 likes •1.11k views

BLESS: Better Security and Ops for SSH Access Bryan D. Payne, Director of Product Security June 2017 Post by Ryan McGeehan 1 2 3 4 5 Phishing & Lateral Data Zero Day Backdoor Exfiltrate Movement Gathering Attack Several users

  1. BLESS: Better Security and Ops for SSH Access Bryan D. Payne, Director of Product Security June 2017

  6. Post by Ryan McGeehan

  10. 1 2 3 4 5 Phishing & Lateral Data Zero Day Backdoor Exfiltrate Movement Gathering Attack Several users Victim machine Attack elevates Data is Encrypted data are targeted is accessed access and collected, is exfiltrated, by phishing remotely by propagates prepared, typically to attacks. At adversary. throughout the and staged another least one network. for exfiltration. compromised succeeds. It exploits any system that privileges and is external information to the discovered organization. along the way. Adapted from https:/ /blogs.rsa.com/anatomy-of-an-attack/.

  11. What’s the Problem?

  13. LDAP

  14. LDAP

  15. Operator 1 App A Instances Operator 2 App B Instances App C Operator 3 Instances

  16. Operator 1 App A Instances Operator 2 Bastion App B Instances App C Operator 3 Instances

  17. What about single use SSH keys?

  18. What if they left great clues behind?

  19. And offered strong protections?

  20. Netflix’s Solution

  21. SSH Authentication

  26. Bastion’s Lambda Ephemeral Ssh Service

  28. def my_handler(event, context): message = 'Hello {} {}!'.format(event['first_name'], event['last_name']) return { 'message' : message } Invoke Lambda Lambda Response ClientContext Status + Payload

  29. Invoke BLESS BLESS Response Certificate Request Certificate Bastion BLESS

  30. Invoke BLESS BLESS Response Certificate Request Certificate Bastion BLESS Decrypt SSH CA private key AWS KMS

  31. Instances SSH with certificate Invoke BLESS BLESS Response Certificate Request Certificate Bastion BLESS Decrypt SSH CA private key AWS KMS

  32. SSH Certificates

  33. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  34. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 User or Host Principals: Certificates host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  35. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Control over what Principals: is logged by SSHd host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  36. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Short-lived certs Principals: reduce risk host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  37. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Valid for a single Principals: target (account, app, host_username Critical Options: username, etc) source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  38. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Valid from a Principals: single host host_username Critical Options: source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  39. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Control what the Principals: SSH session can host_username Critical Options: be used for source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  40. Scoping Credentials

  41. Access to Bastion == Access to Instances Instances Bastion BLESS Developer

  42. App Defines Access List Foo App Bar App Bastion BLESS Developer

  43. App Defines Multiple Roles Foo App Bar App Bastion BLESS Developer

  44. Type: ssh-rsa-cert-v01@openssh.com user certificate Public key: RSA-CERT SHA256:BLAH Signing CA: RSA SHA256:BLAH Key ID: "Any ID information you want" Serial: 0 Valid: from 2016-05-19T14:30:00 to 2016-05-19T14:34:00 Principals: host_username Critical Options: instance_user:aws_account:app_name source-address 192.168.1.1 force-command /bin/date Extensions: permit-X11-forwarding permit-agent-forwarding permit-port-forwarding permit-pty permit-user-rc

  45. Config File /etc/ssh/sshd_config # Entries to enable BLESS TrustedUserCAKeys /etc/ssh/bless_user_ssh_cas.pub AuthorizedPrincipalsFile /etc/ssh/authorized_principals/%u

  46. Config File /etc/ssh/authorized_principals/blessdemo bless_demo_instances:bless_demo_instances:123456789012:i-18badf00ddeadbeef

  47. Operational Wins

  48. Instances SSH with certificate Invoke BLESS BLESS Response Certificate Request Certificate Bastion BLESS Decrypt SSH CA private key AWS KMS

  49. 5. AWS ssh tool: Use 7. BLESS: Generate and session credentials to sign SSH Certificate request a certificate Log 6. BLESS: Decrypt SSH CA Forwarder private key with KMS BLESS BLESS: Log CloudWatch certificate request Logs & results 8. BLESS: Return 10. sshd: Validate Bastion a short lived certificate, log AWS certificate certificate info KMS 1. SSH: Auth to 2. AWS SSH tool: 4. Sshaman Bastion Take request, sshd Logs Daemon: determine user, Determine 9. AWS ssh tool: application, calling user ssh with Instances instance information. RELP Server certificate Use session (syslog) credentials to request a 3. Pilgrim: certificate. Generate Keypair Request SSH Cert Sshaman Logs Developer Daemon User Developer Userspace Pilgrim Logs

  50. Key Secrecy Personal Keys Shared Keys Expiration

  51. Key Rotation vs Human Machine

  52. Logging Jun 22 00:20:55 bless-demo- instances-i-0123456789abcde sshd[####]: Accepted publickey for bless_demo_instances from Context 192.168.1.1 port ##### ssh2: RSA-CERT ID request[##################] for[user_name] from[10.0.1.1] command[test:us- east-1:bless_demo_instances:bles s_demo_instances-v001:oq-ssh] Jun 22 00:20:34 bless-demo- ssh_key[RSA de:ad:be:ef: instances-i-0123456789abcde 00:00:00:00:00:de:ad:be] sshd[####]: Accepted publickey ca[arn:aws:lambda:region:account for bless_demo_instances from :function:name] 192.168.1.1 port ##### ssh2: RSA valid_to[2017/06/22 00:25:53] SHA256:de:ad:be:ef: (serial 0) CA RSA 00:00:00:00:00:de:ad:be SHA256:8badf00d000000008bad Traditional SSH certificates with BLESS

  53. Availability Wins LDAP

  54. Yes, It’s Open Source!

  55. https:/ /github.com/Netflix/bless

  56. https:/ /github.com/Netflix/bless

  57. https:/ /github.com/Netflix/bless

  58. https:/ /github.com/Netflix/bless

  59. https:/ /github.com/Netflix/bless

  60. Demo Time

  61. User Experience

  62. 5. AWS ssh tool: Use 7. BLESS: Generate and session credentials to sign SSH Certificate request a certificate Log 6. BLESS: Decrypt SSH CA Forwarder private key with KMS BLESS BLESS: Log CloudWatch certificate request Logs & results 8. BLESS: Return 10. sshd: Validate Bastion a short lived certificate, log AWS certificate certificate info KMS 1. SSH: Auth to 2. AWS SSH tool: 4. Sshaman Bastion Take request, sshd Logs Daemon: determine user, Determine 9. AWS ssh tool: application, calling user ssh with Instances instance information. RELP Server certificate Use session (syslog) credentials to request a 3. Pilgrim: certificate. Generate Keypair Request SSH Cert Sshaman Logs Developer Daemon User Developer Userspace Pilgrim Logs

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Next Steps In Signaling (NSIS) in the IETF Roland Bless bless@tm.uka.de Institute of

Next Steps In Signaling (NSIS) in the IETF Roland Bless bless@tm.uka.de Institute of

Next Steps In Signaling (NSIS) in the IETF Roland Bless bless@tm.uka.de Institute of Telematics, University of Karlsruhe What is Signaling? Signaling exchange of (control) data between nodes to install, manage, or delete states in them

241 views • 5 slides
Bless the Lord, O My Soul Bless the Lord, O My Soul If with His love He befriend thee

Bless the Lord, O My Soul Bless the Lord, O My Soul If with His love He befriend thee

Bless the Lord, O My Soul Bless the Lord, O My Soul If with His love He befriend thee SONG SHEET - MAR 22, 2020 Chorus Praise the Lord, praise the Lord (2x) All His Benefits Verse 4 Praise to the Lord Praise the Lord, oh

552 views • 5 slides
b ra is used 75 in Bless heb Genesis, 7 in ch. 4849 Gen 1:28,

b ra is used 75 in Bless heb Genesis, 7 in ch. 4849 Gen 1:28,

b ra is used 75 in Bless heb Genesis, 7 in ch. 4849 Gen 1:28, Then God blessed them, and God said to them, Be fruitful and multiply; fill the earth and subdue it; have dominion over the fish of the sea,

350 views • 10 slides
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control Fundamentals Objectives Define Access Controls List the four Access Control Models Describe logical Access Control Methods Explain the

128 views • 8 slides
CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva OS security. Access control.

CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva OS security. Access control.

Access control Access control determines access to files and processes in OS Old area of security, but not well understood CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva OS security. Access control. 1 2 System

889 views • 5 slides
About Loxal Security Ltd Specialist access control and vacant property security company Unique

About Loxal Security Ltd Specialist access control and vacant property security company Unique

About Loxal Security Ltd Specialist access control and vacant property security company Unique range of access control technology & temporary physical security products : - Keysafes Locking Bar Void security doors & screens

368 views • 21 slides
BUSINESS PLAN GOD BLESS MARKETING SINGLE LEG NETWORK Established. 2003 MARKETING Overview

BUSINESS PLAN GOD BLESS MARKETING SINGLE LEG NETWORK Established. 2003 MARKETING Overview

BUSINESS PLAN GOD BLESS MARKETING SINGLE LEG NETWORK Established. 2003 MARKETING Overview God Bless Marketing offers Indian citizens an opportunity which leads to substantial achievements and higher level of success through its evolutionary

312 views • 18 slides
TCP for OMNeT+ + Roland Bless Mark Doll Institute of Telematics University of Karlsruhe,

TCP for OMNeT+ + Roland Bless Mark Doll Institute of Telematics University of Karlsruhe,

TCP for OMNeT+ + Roland Bless Mark Doll Institute of Telematics University of Karlsruhe, Germany Bless/Doll WSC 2004 1 Overview Motivation Introduction OMNeT+ + & TCP Concept for integration Implementation problems Evaluation

502 views • 21 slides
OS Security CS 161: Computer Security Prof. Anthony D. Joseph January 29, 2014 Access Control

OS Security CS 161: Computer Security Prof. Anthony D. Joseph January 29, 2014 Access Control

Access Control and OS Security CS 161: Computer Security Prof. Anthony D. Joseph January 29, 2014 Access Control Some resources (files, web pages, ) are sensitive. How do we limit who can access them? This is called the access

629 views • 27 slides
& PRESENT SECURITY ACCESS POINT SAFETY GATE TO PREVENT THE INFECTION SPREAD SECURITY

& PRESENT SECURITY ACCESS POINT SAFETY GATE TO PREVENT THE INFECTION SPREAD SECURITY

& PRESENT SECURITY ACCESS POINT SAFETY GATE TO PREVENT THE INFECTION SPREAD SECURITY ACCESS POINT SECURITY WAS BORN THANKS TO THE COOPERETION BETWEEN ETS AND BICARJET , TWO ITALIAN LEADERS IN THE AUTOMATION ACCESS INDUSTRY. POINT

151 views • 13 slides
Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction

Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction

Outline OS security: authentication, contd Basics of access control CSci 5271 Introduction to Computer Security Announcements intermission OS security: access control Unix-style access control Stephen McCamant Multilevel and mandatory

656 views • 9 slides
Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication

Tools for Security Physical security Access control Encryption Authentication Encapsulation Intrusion detection Common sense Lecture 2 Page 1 CS 236 Online Physical Security Lock up your computer Actually,

465 views • 35 slides
Introduction to Network Security Security Chapter 11 Remote Access Security Dr. Doug Jacobson

Introduction to Network Security Security Chapter 11 Remote Access Security Dr. Doug Jacobson

Introduction to Network Security Security Chapter 11 Remote Access Security Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Remote Access Telnet Rlogin X-Windows X-Windows FTP General

765 views • 52 slides
Analysis of IPv6 Relocation Delays draft-vogt-dna-relocation-01.txt Christian Vogt, Roland Bless,

Analysis of IPv6 Relocation Delays draft-vogt-dna-relocation-01.txt Christian Vogt, Roland Bless,

Analysis of IPv6 Relocation Delays draft-vogt-dna-relocation-01.txt Christian Vogt, Roland Bless, Mark Doll, Gregory Daley chvogt@tm.uka.de, bless@tm.uka.de, doll@tm.uka.de, greg.daley@eng.monash.edu.au Problem Statement, Proposed Solutions,

90 views • 8 slides
Introduction to Network Security Chapter 11 Remote Access Security Dr. Doug Jacobson -

Introduction to Network Security Chapter 11 Remote Access Security Dr. Doug Jacobson -

Introduction to Network Security Chapter 11 Remote Access Security Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Remote Access Telnet Rlogin X-Windows FTP General Countermeasures

1.48k views • 104 slides
Security CS 4410 Operating Systems References: Security Introduction and Access Control by Fred

Security CS 4410 Operating Systems References: Security Introduction and Access Control by Fred

Security CS 4410 Operating Systems References: Security Introduction and Access Control by Fred Schneider Historical Context 1961 1969 1960s OSes begin to be shared. Enter: Communication Synchronization Protection Security:

1.16k views • 53 slides
Key features and requirements of 5G/IMT-2020 networks Presented by: Marco Carugi, ITU expert

Key features and requirements of 5G/IMT-2020 networks Presented by: Marco Carugi, ITU expert

ITU Arab Forum on Emerging Technologies Algiers Algeria, 14-15 Feb. 2018 Key features and requirements of 5G/IMT-2020 networks Presented by: Marco Carugi, ITU expert ITU-T Q2/13 Associate Rapporteur and SG13 Mentor marco.carugi@gmail.com

561 views • 26 slides
Design Considerations - A Manufacturers Perspective 1 Introduction Ormandy Group, established

Design Considerations - A Manufacturers Perspective 1 Introduction Ormandy Group, established

Design Considerations - A Manufacturers Perspective 1 Introduction Ormandy Group, established in 2000, are a leading UK manufacturer of water heating & cooling systems covering: Commercial Industrial Food / Pharmaceutical

348 views • 23 slides
Warm Welcome Matrix SIMADO GBR Multi-port GSM-BRI Gateways Pre-eminent Features Reliable,

Warm Welcome Matrix SIMADO GBR Multi-port GSM-BRI Gateways Pre-eminent Features Reliable,

Warm Welcome Matrix SIMADO GBR Multi-port GSM-BRI Gateways Pre-eminent Features Reliable, compact and sturdy design ETSI GSM Phase2/2+ compliance Superior call routing techniques Quad-band 2G and Tri-band 3G network

959 views • 53 slides
1 Committed to Connecting the World Committed to Connecting the World Monitoring deployment and

1 Committed to Connecting the World Committed to Connecting the World Monitoring deployment and

Committed to Connecting the World Committed to Connecting the World 14 th Global Symposium for Regulators Results-oriented performance management Capitalizing on the potential of the digital world Key performance indicators measure in

266 views • 3 slides
Save Bastion Point Part 2:

Save Bastion Point Part 2:

Save Bastion Point Part 2: 2011 to mid 2012

177 views • 7 slides
Flood Fighting Structures Demonstration and Evaluation Program (FFSD) George Sills

Flood Fighting Structures Demonstration and Evaluation Program (FFSD) George Sills

Flood Fighting Structures Demonstration and Evaluation Program (FFSD) George Sills Infrastructure Conference August 2005 Coastal and Hydraulics Laboratory ERDC US Army Corps Geotechnical and Structures Laboratory of Engineers Flood

459 views • 33 slides
Results Presentation 20 August 2015 Highlights Financial > Net profit $179.2 million (down

Results Presentation 20 August 2015 Highlights Financial > Net profit $179.2 million (down

Investa Office Fund Financial Year 2015 Results Presentation 20 August 2015 Highlights Financial > Net profit $179.2 million (down 2.4%) > FFO 27.7 cpu (up 4.5%) and DPU 19.25 cpu (up 4.1%) > NTA up 27 cents to $3.62 (up 8.1%)

714 views • 49 slides
CROMWELL EUROPEAN REIT RESULTS PRESENTATION FOR THE SECOND QUARTER AND HALF YEAR ENDED 30 JUNE

CROMWELL EUROPEAN REIT RESULTS PRESENTATION FOR THE SECOND QUARTER AND HALF YEAR ENDED 30 JUNE

CROMWELL EUROPEAN REIT RESULTS PRESENTATION FOR THE SECOND QUARTER AND HALF YEAR ENDED 30 JUNE 2019 8 August 2019 Disclaimer This presentation shall be read only in conjunction and as a supplementary information to Cromwell European Real

773 views • 65 slides

More recommend