Presentation Transcript

Securing Your Swiss Cheese Environment

PAUL KOUFALIS

PRESIDENT

PROGRESSWIZ CONSULTING

Progresswiz Consulting
  • Based in Montréal, Québec, Canada
  • Providing technical consulting in Progress®, UNIX, Windows, MFG/PRO and more
  • Specialized in performance tuning, system availability and business continuity planning
  • …and security of Progress-based systems

Securing Your Swiss Cheese Environment

Who Are You?
  • Executive, Manager or techie?
  • End-user? End-user that develops? VAR?
  • Your application
    • ChUI?
    • GUI client/server?
    • N-tier?

Agenda
  • Security Overview
  • Layer by layer from the outside-in
    • Network, server, O.S., AVM, DB…
  • Q&A

Theme of the day: ROI
  • Focus on cost-benefit
  • What are you protecting?
  • What will it cost you to protect it?
  • What will it cost you if it gets stolen?
    • Not just € - consider reputation, trust…
  • Quick and easy solutions cost almost nothing and provide biggest bang for your buck (or €)

Security Overview
  • Think of security as a castle with walls, moats and gates

Security Overview
  • Each wall is a layer of security
  • BUT…the wall has to have gates
    • each gate is a potential risk

Security Overview – Walls
  • Data (TDE)
  • AVM
  • File system
  • Server
  • Network

Security Overview – Gates
  • AVM
  • Files
  • Servers
    • ABL/SQL
  • Executables
  • Server login
  • Network access

Out of scope
  • Internet -> LAN
  • Hack shell on server
  • These are important but there’s only so much we can talk about in one hour!

Network Gates
  • Common services
    • ftp, scp, Samba…
  • OpenEdge services
    • ABL/SQL servers
    • AppServers
    • WebSpeed, etc…

Locking the Gate – Easy Fixes
  • Turn it all off!
    • ftp, etc: force users to stay in their $HOME
    • SQL access: -ServerType 4GL
    • ABL C/S access: no “-S” startup parameter
    • Don’t start Appserver etc…
  • But, but, but… I need SQL/ABL/scp/Apsv…
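The "turn it all off" advice on this slide and the Network Gates slide comes down to knowing which ports a server actually exposes. The script below is an added example, not from the presentation: it diffs a listening-socket table against an allow list of the ports you intend to expose (e.g. ssh and the AdminServer). The sample table is constructed in the layout of `ss -ltn` output and was not captured from any real host; the port numbers in it are illustrative only.

```shell
#!/bin/sh
# Constructed sample in the layout of `ss -ltn` output (not from a real server).
sample_listeners() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      50     0.0.0.0:21           0.0.0.0:*
LISTEN 0      50     0.0.0.0:445          0.0.0.0:*
LISTEN 0      128    0.0.0.0:20931        0.0.0.0:*
LISTEN 0      128    127.0.0.1:5162       0.0.0.0:*
LISTEN 0      128    [::]:3055            [::]:*
EOF
}

# unexpected_listeners "PORT PORT ..."  < ss-style-output
# Prints the local address:port of every listening socket that is neither
# bound to loopback nor on the space-separated allow list. Loopback-only
# listeners are skipped because they are not reachable from the network.
unexpected_listeners() {
    awk -v allow=" $1 " '
        $1 == "LISTEN" {
            n = split($4, part, ":"); port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") next
            if (index(allow, " " port " ") == 0) print $4
        }'
}

# count_unexpected "PORT PORT ..." < ss-style-output  -> number of findings
count_unexpected() {
    unexpected_listeners "$1" | wc -l | tr -d ' '
}

# On a live GNU/Linux host:   ss -ltn | unexpected_listeners "22 20931"
# Offline, with the constructed sample above:
#   sample_listeners | unexpected_listeners "22 20931"
```

Anything the script prints is a gate you did not plan for: either a service to shut down (ftp, Samba, a broker started with -S that nobody needs) or one to add to the allow list deliberately, with a firewall rule to match.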

Locking the Gate – ABL Server Access
  • No full dev licenses on user PCs
    • Easy for PC support to take the license green sheet and install ProVision, C/N, Q/R, etc. on a user PC
  • In fact – no ad hoc access
  • You need Query/Report?
    • Strip out the editor, data admin, etc. from the Progress installation

Non-trivial Fixes
  • OE client on Windows Terminal Server
  • Run application at login
  • Logout at exit
  • Could be lots of €€

Locking the Gate – SQL Server Access
  • Real usernames and passwords with real grants
    • More on usernames/passwords later
  • No generic “odbcuser”
    • Do you really want everyone to have read access to all data?

Locking the Gate – AdminServer
  • Running it as non-root is absolutely critical with OpenEdge Management
    • It can run jobs
  • Use the -admingroup parameter if still using the Progress Explorer Tool

Locking the Gate – AppServer
  • Separate server
    • Not accessible except by Apsv ports
  • Use SESSION:EXPORT()
    • List of programs that can be executed by Apsv
    • Can use wildcards
  • Use “apsv” service-type userid
    • Not root

Locking the Gate – AppServer + Database
  • Consider putting DB and Apsv on same box
  • Disable C/S access to DB
    • Only local Apsv can make shared memory connections
  • DB protected from remote attack
    • Must first break through operating system

Webspeed
  • Default:

Locking the Gate – Webspeed
  • Easy to secure:

Non-Trivial Fixes
  • Enable SSL for all network connections
  • Shameless Plug - Come to my session tomorrow:

Secure Communications with

OpenEdge and SSL

Non-Trivial Fixes
  • VLAN segregation
    • Users with ad hoc privileges have no access to PROD
    • Strictly control open ports between user vLANs and server vLAN
  • €€€
    • A Check Point firewall is expensive!
    • Cost of maintenance is high

Operating System Gates
  • Users logging in to same server as DB
  • The closer the user, the greater the danger

Locking the Gate – Operating System
  • Lock down the shell
    • Use restricted shell
  • Use “exec” in the .profile
    • Cannot CTRL-C out to shell
  • Put users on a different server even in ChUI
    • Client/server connection

DB Files
  • Data security useless without physical security
  • With write access to the physical files:
    • Copy DB
    • Dump the blocks containing _CAN*
    • Physically change the data values:
      • “!,*” becomes “*,*”
    • Load the blocks back in to the DB

Locking the Gate – DB Files
  • Owned by “prodba” in group “dba”
  • Permissions = 660 (rw-rw----)
    • Also directory permissions
  • Reminder: deleting a file is a directory action, not a file action
    • Directory permissions apply

Locking the Gate – DB Files
  • Raison d’être of the setuid bit on the Progress executables
  • Downside: no on-the-fly shared memory connections

O.S. to AVM Gates
  • Control access to OpenEdge executables and configuration files
  • Only authorized users should be able to
    • D&L
    • Backup
    • Query (ad hoc)

AVM Access
  • Don’t leave break-in tools lying around!!

AVM Access
  • Primary example: Full Dev key in production $DLC/progress.cfg
    • Everyone is running with a full dev license!
    • Your progress.cfg should be runtime only
      • Maybe Query/Results if absolutely necessary
  • Create a separate full.cfg for compile
    • Ask me later how to separate CFG components in progress.cfg

Locking the Gates – AVM Access
  • Secure what runtime users don’t need
    • Many of the $DLC procedure libraries
      • Example: adecomm.pl, prodict.pl
        • Contain _edit.p, _admin.p, etc…
    • Executables: $DLC/bin/_proutil, etc…
    • $DLC/properties/*
  • Only give the DBA group access via sudo

Locking the Gates – PROPATH
  • Every file and directory in the PROPATH should only be readable by the masses
    • Only deployment people should have write access
  • Create a deploy group to manage code changes

    -rw-rw-r--  koup   deploy  start.r
    -rwxrwxr-x  deploy deploy  .

  • Automate if you can
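"Automate if you can" applies to both this slide and the DB Files slides above: the ownership and mode rules are simple enough to check by script. The audit below is an added example, not the presentation's own tooling. It encodes the two policies stated on the slides (database files owned by prodba:dba at 660 with the directory closed to "others", since deleting is a directory action; PROPATH r-code world-readable and writable only by the deploy group). The account and group names are the slides' examples; the directory layout and the fixture files are constructed here.

```shell
#!/bin/sh
# Read owner, group and the 10-character mode string of one path.
mode_of()  { ls -ld "$1" | awk '{ print substr($1, 1, 10) }'; }  # drops ACL/SELinux suffix
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }
group_of() { ls -ld "$1" | awk '{ print $4 }'; }

# check_perms DIR "GLOB GLOB ..." WANT_MODE WANT_OWNER WANT_GROUP
# Prints one line per object that deviates; returns 0 when everything matches.
# WANT_OWNER "*" accepts any owner. Glob "." checks the directory itself
# (its mode string starts with "d").
check_perms() {
    dir=$1; globs=$2; want_mode=$3; want_owner=$4; want_group=$5; rc=0
    for g in $globs; do
        for f in "$dir"/$g; do
            [ -e "$f" ] || continue          # an unmatched glob stays literal
            m=$(mode_of "$f"); o=$(owner_of "$f"); gr=$(group_of "$f")
            if [ "$m" != "$want_mode" ]; then
                echo "MODE  $f: $m (want $want_mode)"; rc=1
            fi
            if [ "$want_owner" != "*" ] && [ "$o" != "$want_owner" ]; then
                echo "OWNER $f: $o (want $want_owner)"; rc=1
            fi
            if [ "$gr" != "$want_group" ]; then
                echo "GROUP $f: $gr (want $want_group)"; rc=1
            fi
        done
    done
    return $rc
}

# Database policy: structure file, data/BI extents and log at 660, owned by
# the DBA account; directory not writable (or even listable) by "others".
DB_GLOBS="*.db *.d[0-9]* *.b[0-9]* *.lg"
check_db_dir() {          # check_db_dir DIR OWNER GROUP
    r=0
    check_perms "$1" "$DB_GLOBS" -rw-rw---- "$2" "$3" || r=1
    check_perms "$1" "."         drwxrwx--- "$2" "$3" || r=1
    return $r
}

# PROPATH policy: r-code readable by everyone, writable only by the deploy
# group; any deployer may own a file, so the owner is not checked.
check_propath_dir() {     # check_propath_dir DIR DEPLOY_GROUP
    r=0
    check_perms "$1" "*.r" -rw-rw-r-- "*" "$2" || r=1
    check_perms "$1" "."   drwxrwxr-x "*" "$2" || r=1
    return $r
}

# Constructed fixture: empty files standing in for a database (not real data),
# so the check can be tried offline.
make_db_fixture() {
    d=$(mktemp -d)
    for n in sports.db sports.d1 sports.b1 sports.lg; do
        : > "$d/$n"; chmod 660 "$d/$n"
    done
    chmod 770 "$d"
    printf '%s\n' "$d"
}

# Real use (paths are placeholders):
#   check_db_dir /db/prod prodba dba
#   check_propath_dir /apps/prod/rcode deploy
```

Run it from cron and mail the output; an empty report is the expected result, and any line is either a permission that drifted or a file that does not belong in the directory.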

AVM to Data Gates
  • ABL is “PUBLIC” by default

Locking the Gates – DB Security
  • Security options
    • Usernames/passwords
    • Data Security
    • Security Administrators
    • Disable Blank Userid
  • DB options
    • Disallow Blank UserID
    • Use Runtime Permission Checking

Usernames and Passwords
  • First level of defense: username/password
    • OpenEdge uses the _USER table
  • The default implementation is weak
    • No complex passwords, aging, etc…

Locking the Gates – _USER
  • SQL DBAs = sysprogress and the OS user that created the DB
  • Make sure to create both users in _USER
  • Can also de-authorize DBA privileges with REVOKE

Data Security
  • ABL access managed by _CAN-* fields in _FILE and _FIELD records
    • Ex.: _CAN-READ = “!,Paul,Bob”
    • By default all _CAN-* fields = “*”
  • SQL access controlled via GRANT
  • Very difficult to manage the data-to-application-to-user security mapping

Security Administrator
  • Only SecAdmins can modify _CAN* fields
  • Only SecAdmins can add/delete _USER records
  • Normal users can modify their own _USER data

Security – Disable Blank UserID
  • Changes default _CAN-* values from “*” to “!,*”
    • I.e. blank user cannot read/write any data
  • BUT new tables/fields will still get all “*”
  • Do not confuse with DB Options – Disable Blank UserID
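To see concretely what “*”, “!,*” and “!,Paul,Bob” mean for a given user, here is a small evaluator of _CAN-* lists. It is an added example, not from the presentation, and follows the CAN-DO rules: entries are checked left to right, the first match decides, a leading “!” denies, “*” and “.” are wildcards (any string / one character), an empty entry matches only the blank user id, and no match means denied. Comparisons are case-sensitive here; treat that as an assumption and confirm against the CAN-DO documentation for your release. It also makes the point of the DB Files slide visible: a list tampered from “!,*” to “*,*” lets the blank user back in.

```shell
#!/bin/sh
# can_do LIST USERID -> exit 0 when USERID is allowed by LIST, 1 when denied.
can_do() {
    rest="$1,"; uid=$2
    while [ -n "$rest" ]; do
        entry=${rest%%,*}; rest=${rest#*,}     # next comma-separated entry
        deny=0
        case $entry in
            '!'*) deny=1; entry=${entry#!} ;;  # "!" prefix: this entry denies
        esac
        # An empty entry (e.g. the "!" in "!,*") matches only the blank user id.
        if [ -z "$entry" ]; then
            if [ -z "$uid" ]; then return $deny; fi
            continue
        fi
        # ABL wildcards: "*" is the same in sh, "." (one character) becomes "?".
        pat=$(printf '%s' "$entry" | tr '.' '?')
        case $uid in
            $pat) return $deny ;;              # first match wins
        esac
    done
    return 1                                   # nothing matched: denied
}

# blank_user_allowed LIST -> exit 0 if a session with no user id gets access.
# This is the question "Security - Disable Blank UserID" answers with "!,*".
blank_user_allowed() { can_do "$1" ""; }

# explain LIST USERID -> one readable line, handy when reviewing a dictionary dump.
explain() {
    if can_do "$1" "$2"; then v=allowed; else v=denied; fi
    printf '_CAN-* = "%s": user "%s" is %s\n' "$1" "$2" "$v"
}

# explain '!,Paul,Bob' Paul       -> allowed
# explain '!,Paul,Bob' ''         -> denied (blank user)
# explain '*,*' ''                -> allowed (this is why "*,*" matters)
```

A practical use is to dump _FILE._CAN-READ and friends with the dictionary tools, then run each value through blank_user_allowed: every table that reports "allowed" is one a connection without -U can read.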

DB Options
  • Disable Blank UserID
    • Very simple: need -U -P at connection
    • Could be difficult to implement
  • Runtime security
    • _CAN-* access validated at runtime
    • As of 10.1A

Locking the Gates – DB Security
  • Manage complex passwords and aging in your application
    • Or better yet, replace it with a real authentication management system (e.g. LDAP)
    • Access external auth with the CLIENT-PRINCIPAL object
      • Explained in detail in next few slides…
  • Enable runtime security
  • Use security administrators and _CAN* fields

Authentication Domains
  • Data Administration - Security options - Authentication Domains
    • Access via the CLIENT-PRINCIPAL object
  • Transition from _USER to C-P a must
  • I strongly expect Authentication Domains and CLIENT-PRINCIPLE use to be significantly enhanced and expanded in OE 11

Authentication Domains
  • A trusted “external” authentication system
    • Example: LDAP/Active Directory
    • But could still be an external _USER
  • Use instead of SETUSERID() for ABL connections
    • SQL still requires _USER in OE10
  • Who is using CLIENT-PRINCIPAL now?

OpenEdge 10 Implementation
  • Three hierarchical levels:
  • Authentication System
    • Authentication Domain
      • CLIENT-PRINCIPAL authentication token

Authentication Systems
  • User defined “types” of external authentication
  • Can be anything
  • Probably more specific uses in OE 11

Authentication Domains
  • Defines how you can authenticate a user
  • Must be of defined “Authentication System” type
  • Secret access code is the key

Authentication System and Domain
  • In OE 10 these are strictly user defined and have no intrinsic meaning
  • Do not use “windows”, “windowsid”, “unix”, “unixid”, “OpenEdge” and “oeusertable”
    • OpenEdge may want to use them in a broader scope in the future

Authentication Process
  • Prepare your authentication domain(s)
  • Application Domain
    • Create Authentication Domains on the fly
      • SECURITY-POLICY:REGISTER-DOMAIN()
      • Not ideal – security risk
    • Load Authentication from one database
      • SECURITY-POLICY:LOAD-DOMAINS()
      • Better

Authentication Token
  • CLIENT-PRINCIPAL object
  • Usage procedure:
    • Create object
    • Assign required and optional attributes
    • Authenticate (ex.: validate password with AD)
    • Seal C-P with domain access code

Authentication Token

    /* Handle declaration added so the fragment compiles on its own;
       the slide shows only the CREATE and ASSIGN statements */
    DEFINE VARIABLE hpk AS HANDLE NO-UNDO.

    /* Create the token and fill in the required and optional attributes */
    CREATE CLIENT-PRINCIPAL hpk.
    ASSIGN hpk:USER-ID            = "pk"
           hpk:DOMAIN-NAME        = "PK_1"
           hpk:DOMAIN-TYPE        = "PKTEST"
           hpk:DOMAIN-DESCRIPTION = "PK Auth"
           hpk:SESSION-ID         = SUBSTRING(BASE64-ENCODE(GENERATE-UUID), 1, 22)
           hpk:ROLES              = "user,finance".

    /* Password verification code here */

Authentication Token

    /* Seal token with the encrypted access code (the value shown is the
       slide's example; a real access code stays out of client code) */
    IF NOT hpk:SEAL("34gd798080a") THEN
    DO:
        MESSAGE "SEAL FAILED WITH detail" hpk:STATE-DETAIL
            VIEW-AS ALERT-BOX.
    END.

Token Validation
  • Validate the token
    • SECURITY-POLICY:SET-CLIENT()
      • Validate sealed C-P against current application context
    • SET-DB-CLIENT()
      • Validate sealed C-P against one or more specific databases

Token Validation

    /* Load security domains from DB 1 */
    SECURITY-POLICY:LOAD-DOMAINS(1) NO-ERROR.

    /* Validate the sealed token against the session; on failure, log the
       token out and discard it so it cannot be reused */
    IF NOT SECURITY-POLICY:SET-CLIENT(hpk) THEN
    DO:
        MESSAGE "SET-CLIENT failed"
            VIEW-AS ALERT-BOX.
        hpk:LOGOUT().
        DELETE OBJECT hpk.
    END.

Token Validation
  • Any DB already connected at SECURITY-POLICY:SET-CLIENT() automatically gets a SET-DB-CLIENT()
  • If you connect another DB you must SET-DB-CLIENT(hpk,dbalias) in your connection code

Authentication System Architecture
  • Think “weakest link”
    • Potentially C-P:SEAL("access code")
  • Solution:
    • Do not let the client code SEAL the token
    • Farm out to AppServer on strongly secured server

Ideal Authentication System Architecture

Locking the Gates – External Authentication
  • Obviously not trivial but not overly difficult either
  • Start with a simple solution
    • Local SEAL()
    • Still using _USER
  • Implement plug-and-play authentication architecture
    • Some customers will want LDAP
    • Ready for new future auth systems

Final Remarks – External Authentication
  • More stuff to look into:
    • Trusted Application Authentication Domains
    • Using LDAP for role-based authorization
      • This is to authorize access to functions in your application
    • A number of white papers on Communities
      • LDAP example from Michael Jacobs

Aerial Attacks!
  • Wow – everything is soooo secure from the ground
  • Firewalls in place
  • No p-code anywhere
  • No full.cfg
  • Super LDAP C-P security
  • Aren’t you proud of yourself?
    • Wait a minute…

Locking the Gates – Aerial Attacks
  • Stop refreshing your TEST environment with PROD data!
    • Scramble the data first
  • Control and limit generic usernames
    • User “qad” password “qad”
    • SQL “odbcuser”
  • No developers in PROD DB
    • I know you’re guilty of this one

Locking the Gates – Segregate Roles
  • How segregated are your roles?
    • DBA
    • Developer
    • QA
  • No one person should be able to write, compile and promote code
  • Need to invest some time to develop SOPs

Remember our Castle Walls

Credits
  • An extra special thanks to Michael Jacobs

Questions?

More Questions or Comments?
  • Email me at pk@progresswiz.com
  • Presentations, tools and more available at

www.progresswiz.com