Automatic Server Hardening

Hardening Framework

Created by Christoph Hartmann / Dominik Richter / Patrick Meier

Problem

Physical Security

  • Keep a 100-foot buffer zone around the site.
  • Limit entry points
  • Plan for bomb detection
  • Make fire doors exit only
  • Surveillance cameras
  • ...

Digital Security

  ?
Out-of-the-box server configurations are insecure and increase the probability of server attacks and data breaches.
Solution for Digital Security:

Hardening Framework

In computing, hardening is usually the process of securing a system by fixing insecure defaults and removing what is not needed. The Hardening Framework does this automatically:

  1. Securing default configuration
  2. Reducing attack surface
  3. Automatic deployment
  4. Works on bare-metal and cloud infrastructures

Honeypot attacks

Measurement of real-world computer attacks
  1. 6 million attacks per month
  2. 200,000 attacks per day
  3. 8,333 attacks per hour
  4. 138 attacks per minute
Source: Deutsche Telekom Honeypot Infrastructure, August 2014

Information Breached

  1. Real Names
  2. Birth Dates
  3. Government ID Numbers
  4. Home Address
  5. Medical Reports
  6. Phone Numbers
  7. Financial Information
  8. Email Addresses
  9. Username & Password
  10. Insurance
Source: Symantec
Source: Bloomberg

Why you should avoid manual server hardening?

  1. Manual work is not 100% accurate
  2. Every project needs to reinvent the wheel
  3. Expensive and time-consuming
  4. Divergent test & production environments
  5. No measurement of compliance level
  6. Requires a lot of resources

Server Scaling

Manual hardening does not fit autoscaling environments: every instance that is spun up would need to be hardened by hand before it takes traffic.

Approach

The Hardening Framework applies secure default configuration while allowing customization for each deployment.
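The two ideas above (a hardened baseline that each deployment may override, and a measurable compliance level instead of the "no measurement" of manual hardening) are shown below as an added Ruby example. It is not the framework's own code: the setting names are real sshd_config keywords, but the baseline values, the override rules, the function names and the "before" config are constructed for illustration.

```ruby
# Added example (not part of the Hardening Framework): a minimal model of
# "secure defaults plus per-deployment overrides" for sshd_config, with an
# audit that measures how far a given config is from the hardened baseline.
# Baseline values, override policy and sample configs are constructed here.

# Hardened baseline: the values a freshly deployed host should end up with.
HARDENED_SSHD_DEFAULTS = {
  'Protocol'               => '2',
  'PermitRootLogin'        => 'no',
  'PasswordAuthentication' => 'no',
  'X11Forwarding'          => 'no',
  'MaxAuthTries'           => '3',
  'PermitEmptyPasswords'   => 'no',
}.freeze

# Settings a deployment may relax; anything else stays pinned so that an
# override cannot silently weaken an unrelated control.
OVERRIDABLE = %w[PasswordAuthentication MaxAuthTries].freeze

# Merge deployment-specific overrides into the baseline (the role that node
# attributes play in Chef or class parameters in Puppet).
def effective_config(overrides = {})
  overrides.each_key do |k|
    raise ArgumentError, "#{k} is not a tunable setting" unless OVERRIDABLE.include?(k)
  end
  HARDENED_SSHD_DEFAULTS.merge(overrides)
end

# Render the effective config as sshd_config text.
def render_sshd_config(config)
  config.map { |k, v| "#{k} #{v}" }.join("\n") + "\n"
end

# Parse sshd_config text into a hash, skipping comments and blank lines.
# Later duplicates are ignored, matching sshd's first-value-wins semantics.
def parse_sshd_config(text)
  text.each_line.each_with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    cfg[key] ||= value
  end
end

# Compare a parsed config against a baseline. A keyword that is absent counts
# as non-compliant: the audit demands explicit values, not sshd's defaults.
# Returns the non-compliant settings and a compliance ratio in [0.0, 1.0].
def audit(config, baseline = HARDENED_SSHD_DEFAULTS)
  findings = baseline.reject { |k, v| config[k] == v }
                     .map { |k, v| { setting: k, expected: v, actual: config[k] } }
  ratio = (baseline.size - findings.size).to_f / baseline.size
  { findings: findings, compliance: ratio }
end

# Constructed "before" config resembling an out-of-the-box install, where the
# commented-out keywords leave sshd on its built-in defaults.
BEFORE_SSHD_CONFIG = <<~CONF
  # Default sshd_config shipped by the distribution (constructed sample)
  Protocol 2
  #PermitRootLogin yes
  PasswordAuthentication yes
  X11Forwarding yes
  #MaxAuthTries 6
CONF

if $PROGRAM_NAME == __FILE__
  before = audit(parse_sshd_config(BEFORE_SSHD_CONFIG))
  puts "before: #{(before[:compliance] * 100).round}% compliant"
  before[:findings].each do |f|
    puts "  #{f[:setting]}: expected #{f[:expected]}, got #{f[:actual].inspect}"
  end

  # A deployment that needs a slightly higher retry budget: the override is
  # part of the policy, so the audit runs against the effective config.
  policy = effective_config('MaxAuthTries' => '5')
  after = audit(parse_sshd_config(render_sshd_config(policy)), policy)
  puts "after:  #{(after[:compliance] * 100).round}% compliant"
end
```

Auditing against the effective config rather than the raw baseline is what keeps a legitimate per-deployment override from showing up as a finding, while the `OVERRIDABLE` whitelist keeps the pinned controls (root login, empty passwords) out of reach of a stray attribute.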

Component Overview

Apply hardening in seconds

Before - Apply - After
  • Securing default configuration
  • Reducing attack surface
  • Fulfill compliance requirements
  • Automatic deployment
  • Works on bare-metal
  • Works on cloud infrastructures

Full demonstration is available at Vimeo

Ingredients

Automation Frameworks
  1. Chef
  2. Puppet

Infrastructure
  1. OpenStack

Continuous Integration
  1. Security Tests
  2. Source code
  3. Rubocop
  4. Foodcritic
  5. puppet-lint

Operating Systems
  1. RedHat 6.4
  2. RedHat 6.5
  3. Ubuntu 12.04
  4. Ubuntu 14.04
  5. CentOS 6.4
  6. CentOS 6.5
  7. Oracle 6.4
  8. Oracle 6.5
  9. Debian 6
  10. Debian 7

Core Team

Dominik Richter
Christoph Hartmann
Patrick Meier
Edmund Haselwanter

Contributors

References

  1. Data Breaches in the U.S.
  2. Norse
  3. Symantec Internet Security Threat Report 2014
  4. Deutsche Telekom Sicherheitstacho
  5. The Honeypot Project

THE END

Further information is available at telekomlabs.github.io