Securing the Fortress with Barbican at Symantec Jason Fritcher Principal Infrastructure Engineer Cloud Platform Engineering.


1 Securing the Fortress with Barbican at Symantec Jason Fritcher Principal Infrastructure Engineer Cloud Platform Engineering

2 About Me
In the Internet industry for nearly 20 years
Worked in Development and Operations roles running Internet services
Always had an interest in and an eye towards security
In my free time, I enjoy Electronics, Video Games and Motorcycling
Copyright © 2015 Symantec Corporation

3 Agenda
1 Introduction to Barbican
2 Barbican at Symantec
3 Barbican Hardening
4 Barbican Improvements
5 Q & A


5 Introduction to Barbican: Ye Olde Barbican
“A Barbican is a fortified outpost or gateway, such as an outer defense to a city or castle, or any tower situated over a gate or bridge which was used for defensive purposes.” - Wikipedia

6 Introduction to Barbican: Today’s Barbican
Barbican is a REST API designed for the secure storage, provisioning and management of secrets such as passwords, encryption keys and X.509 certificates.

7 Introduction to Barbican: Barbican Resources
Secrets
– Hold the data to be secured
– Small objects, typically < 10KB of data
Containers
– Logical grouping of secrets
Orders
– Longer running tasks, like key generation

8 Introduction to Barbican: Barbican Architecture
Components
API Processes
– Handle all interactions with the clients
– Process all secret and container tasks
– Submit order tasks to the workers
Worker Processes
– Process all tasks which take more than a trivial amount of time
  Asymmetric key generation
  Certificate management

9 Introduction to Barbican: Barbican Architecture
Potential Dependencies
Keystone
– User authentication / authorization
External Database
– Replaces the default SQLite option; more scalable
Message Queue
– API to Worker communication
Hardware Security Module
– Provides a secure crypto environment and master key storage


11 Barbican at Symantec: Problems
Secrets stored in Version Control System
TLS Key Storage
Encryption Keys
Automated Deployments
Automating Certificate Management

12 Barbican at Symantec: Use Cases
LBaaS TLS Provisioning
Configuration Management
Key Management as a Service for Product Groups

13 Barbican at Symantec: Implementation
Galera MySQL DB Cluster
– Multi-master topology, plus top-notch replication, including cross data center
RabbitMQ Cluster
SafeNet Luna SA HSMs
– More on these later
uWSGI + Apache + mod_proxy_uwsgi
– Maybe mod_security to add WAF functionality


15 Barbican Hardening: Database
MySQL TLS
Server TLS
– Enabling TLS is as simple as specifying the key and cert in my.cnf
  ssl_key=/etc/pki/tls/private/mysql.key
  ssl_cert=/etc/pki/tls/certs/mysql.crt
– To ensure TLS is always used, add REQUIRE SSL to your MySQL user account; without it the server still accepts a plaintext connection from any client that omits its TLS options
Client TLS
– Activate TLS for connections by adding the ssl_ca parameter to the connection string; this is also what lets the client verify the server certificate against your CA
  sql_connection = mysql://barbican:dbpass@db.host:3306/barbican?ssl_ca=/etc/barbican/ssl/ca.pem
Challenges
– Intermediate certificates don’t work properly
– Client hostname validation code is poor
– Client/Server issues depending on OpenSSL versions

16 Barbican Hardening: Barbican Node
Restricted Node Access
– Should only be accessible to a small pool of personnel
  For just sshd restriction, see {ALLOW,DENY}{USERS,GROUPS} in the sshd_config man page
  For broader restrictions, look at the pam_listfile or pam_access modules
Automation issues
– Automation systems like Puppet or Chef could be problematic, depending on risk tolerance: an agent that can rewrite the node’s configuration as root is another privileged path onto the node
Filesystem permissions
– Barbican should only have read permissions to everything, except a log and tmp directory
Network controls
– Firewall network traffic to only allow traffic from authorized hosts, Load Balancers and Monitoring
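A check for the filesystem-permissions rule on this slide, added here as an example and not part of the presentation or of Barbican itself: it walks a configuration tree and reports every path the service account could write outside an allow-list of directories (log and tmp by default). The tree, file names and modes in `demo()` are constructed, and the uid/gid of the running process stands in for the `barbican` account; the `/etc/barbican` path in the usage line is an assumption about where the config lives.

```python
"""Find paths under a Barbican node's config tree that the service account can write.

Added example (not from the presentation or from Barbican). The rule from the
slide: barbican should only be able to read everything except its log and tmp
directories. The demo tree and modes below are constructed for illustration.
"""
import os
import pwd
import shutil
import stat
import sys
import tempfile


def writable_by(st, uid, gid):
    """True if a process running as uid/gid could write this inode.

    Mode bits only: root's override and POSIX ACLs are not considered, so
    treat the real audit's output as a starting point, not a proof."""
    mode = st.st_mode
    if st.st_uid == uid:                 # owner class applies, even if group bits differ
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_tree(root, uid, gid, allowed=("log", "tmp")):
    """Return root-relative paths writable by uid/gid, skipping the allowed subtrees.

    The root directory itself is checked (reported as '.') because write on it
    lets the account create or replace configuration files."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in [None] + filenames:
            path = dirpath if name is None else os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if any(rel == a or rel.startswith(a + os.sep) for a in allowed):
                continue
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                 # a link's own bits are meaningless; its target is checked separately
            if writable_by(st, uid, gid):
                findings.append(rel)
    return sorted(findings)


def demo():
    """Constructed /etc/barbican-like tree; the current uid/gid plays barbican."""
    root = tempfile.mkdtemp(prefix="barbican-audit-")
    for d in ("log", "tmp", "ssl"):
        os.mkdir(os.path.join(root, d))
    files = {
        "barbican.conf": 0o440,          # read-only: correct
        "ssl/ca.pem": 0o444,             # read-only: correct
        "log/barbican.log": 0o640,       # writable, but under an allowed directory
        "policy.json": 0o664,            # writable: the misconfiguration we want flagged
    }
    for rel, mode in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in ((".", 0o550), ("ssl", 0o550), ("log", 0o770), ("tmp", 0o770)):
        os.chmod(os.path.join(root, rel), mode)
    try:
        return audit_tree(root, os.getuid(), os.getgid())
    finally:
        for d in (root, os.path.join(root, "ssl")):
            os.chmod(d, 0o700)           # restore write so the temp tree can be removed
        shutil.rmtree(root)


if __name__ == "__main__":
    if len(sys.argv) == 3:               # real use, e.g.: audit.py /etc/barbican barbican
        pw = pwd.getpwnam(sys.argv[2])
        bad = audit_tree(sys.argv[1], pw.pw_uid, pw.pw_gid)
    else:
        bad = demo()
    print("writable outside log/tmp:", bad or "none")
```

Run it periodically (or from the configuration-management system, which on this slide is itself a risk to weigh) and alert on any finding; the only paths the account should ever be able to write are the ones you deliberately allow-listed.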

17 Barbican Hardening: Hardware Security Modules
Hardware Security Modules are specialized devices that provide a secure execution and storage environment for cryptography.
Form factor varies in shape and size (USB, PCI-Express, Network Appliance)
Performance varies drastically between devices
– General purpose CPUs beat HSMs for raw symmetric performance
Not easily jumped into; some of my challenges
– Data Center personnel hesitant with unfamiliar hardware
– Building a secure environment within the data center
– Auditing and compliance policies / processes
– Separation of privileges


19 Barbican Improvements: PKCS11 Performance Improvements
Existing p11_crypto and PKCS11 modules have a lot of room for improvement
– Lots of round trips to the HSM per transaction
– Sessions are opened, authenticated and closed per transaction
– Not a lot of caching is done
Improvements being made
– First effort is to reduce the number of operations made per transaction
  Caching project keys in the HSM and reusing them when possible; this saves ~4 round trips
  Holding the first authenticated session open to make subsequent session opens faster
– Later we’ll use just a single connection or a small pool to reduce setup/teardown costs
– Sync up with community efforts in this same realm

20 Barbican Improvements: PKCS11 Classes of Service
Existing p11_crypto and PKCS11 modules are all or nothing
– Barbican’s transaction rate becomes limited by the HSMs
– To scale performance, you need to add more HSMs
Improvements being made
– Split class of service being implemented
– First class will be the full HSM model in use today
– Second class will relax the security standard a little
  HSM will continue to encrypt/decrypt the Project Keys
  Project Keys will be used on the node to do encrypt/decrypt operations on secrets, so plaintext project keys are resident in the Barbican process’s memory
  Combined with caching Project Keys, this should remove the majority of the HSM bottleneck
– Going to work with the community on a design for contribution
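To make the two slides above concrete (round trips per transaction, and the two classes of service), here is an added example that is not code from the presentation or from Barbican's p11_crypto plugin. It simulates the HSM in-process, charges round trips per PKCS#11-style call, and runs one store-then-fetch workload under three patterns: the per-operation open/login/find/unwrap/close flow the slides describe as the current behaviour, a cached session with project-key handles kept in the HSM (first class of service, improved), and node-side encryption where the HSM only decrypts the project key (second class). The `SimulatedHsm` API, the `barbican-mkek` label, the PIN and the payloads are constructed; the HMAC-based cipher is a toy stand-in for AES-GCM, and project-key creation is done as setup outside the measured path.

```python
"""Round-trip cost of three ways to drive an HSM for Barbican project keys.

Added example, not code from the presentation or from Barbican's p11_crypto plugin.
SimulatedHsm stands in for a network HSM; the HMAC stream+MAC cipher is a toy stand-in for AES-GCM.
"""
import hashlib
import hmac
import os


def _keystream(key, nonce, n):           # blocks of HMAC(key, nonce || counter)
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]


def _tag(key, nonce, aad, ct):           # length-framed so aad/ct boundaries are unambiguous
    return hmac.new(key, b"tag" + nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()


def seal(key, pt, aad=b""):              # nonce || ct || tag, with aad bound into the tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + _tag(key, nonce, aad, ct)


def unseal(key, blob, aad=b""):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, aad, ct)):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class SimulatedHsm:
    """Handle 1 is the master KEK (MKEK); key bytes never leave this object."""
    def __init__(self):
        self.round_trips, self._keys = 0, {1: os.urandom(32)}

    def open_session(self, pin):         # C_OpenSession + C_Login
        self.round_trips += 2

    def close_session(self):             # C_CloseSession
        self.round_trips += 1

    def find_key(self, label):           # C_FindObjects for the labelled MKEK
        self.round_trips += 1
        return 1

    def unwrap_key(self, kek, blob):     # C_UnwrapKey: key stays inside, caller gets a handle
        self.round_trips += 1
        self._keys[len(self._keys) + 1] = unseal(self._keys[kek], blob)
        return len(self._keys)

    def encrypt(self, handle, data, aad=b""):
        self.round_trips += 1
        return seal(self._keys[handle], data, aad)

    def decrypt(self, handle, blob, aad=b""):
        self.round_trips += 1
        return unseal(self._keys[handle], blob, aad)


class SecretStore:
    """Barbican-side flow for one mode; wrapped_keys stands in for the DB table."""
    def __init__(self, hsm, mode, wrapped_keys, pin="1234"):
        self.hsm, self.mode, self.pin, self.wrapped_keys = hsm, mode, pin, wrapped_keys
        self._mkek, self._cache = None, {}   # cache: project -> HSM handle (raw key in node_crypto)

    def _project_key(self, project):
        if self.mode == "per_op" or self._mkek is None:   # per_op pays for a session every time
            self.hsm.open_session(self.pin)
            self._mkek = self.hsm.find_key("barbican-mkek")
        if project in self._cache:
            return self._cache[project]
        # node_crypto: the HSM hands the raw project key to the node; otherwise the
        # key is unwrapped inside the HSM and the node only ever holds a handle.
        op = self.hsm.decrypt if self.mode == "node_crypto" else self.hsm.unwrap_key
        key = op(self._mkek, self.wrapped_keys[project])
        if self.mode != "per_op":        # per_op forgets everything with its session
            self._cache[project] = key
        return key

    def crypt(self, project, secret_id, data, encrypting):
        key, aad = self._project_key(project), f"{project}/{secret_id}".encode()  # aad binds ct to its row
        if self.mode == "node_crypto":
            out = (seal if encrypting else unseal)(key, data, aad)
        else:
            out = (self.hsm.encrypt if encrypting else self.hsm.decrypt)(key, data, aad)
        if self.mode == "per_op":
            self.hsm.close_session()
        return out


def compare(n_secrets=5):
    """Round trips to store, then read back, n secrets of one project, per mode."""
    results = {}
    for mode in ("per_op", "cached_session", "node_crypto"):
        hsm = SimulatedHsm()
        wrapped = {"project-a": hsm.encrypt(1, os.urandom(32))}  # setup: key wrapped under MKEK
        hsm.round_trips = 0                                      # measure only the per-secret path
        store = SecretStore(hsm, mode, wrapped)
        payloads = {f"secret-{i}": f"payload-{i}".encode() for i in range(n_secrets)}
        rows = {name: store.crypt("project-a", name, pt, True) for name, pt in payloads.items()}
        if any(store.crypt("project-a", name, ct, False) != payloads[name] for name, ct in rows.items()):
            raise AssertionError(f"{mode}: a secret did not round-trip")
        results[mode] = hsm.round_trips
    return results
```

For five stores and five fetches `compare()` charges 60 round trips in per-operation mode (six per transaction), 14 with a held session and cached handles (one per transaction after the first), and 4 with node-side crypto (nothing after the project key is in memory). The numbers are a property of this simulation, not a measurement of Barbican, but they show why the first class of service stays HSM-bound and the second does not; the price of the second is the plaintext project key in process memory, which is what "relax the security standard a little" costs.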

21 Barbican Improvements: Database Integrity Protection
Existing database model provides integrity protection for encrypted secret data
– Does not provide integrity protection to other stored metadata
– An attacker with write access to the database can change metadata (for example the owning project or the expiration) and Barbican won’t detect it
Researching ways to add integrity protection without killing performance
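One way to add the missing integrity protection, as an added example that is not Barbican's schema or code: a single HMAC per row over the metadata Barbican acts on plus the ciphertext, computed on write and verified on every read with no HSM involvement. `INTEGRITY_KEY`, the field list and the sample row are constructed stand-ins.

```python
"""HMAC over a secret row's metadata, so edits to the metadata are detected.

Added example, not Barbican's schema or code. The encrypted payload already
carries its own tag; this adds one HMAC per row covering the metadata that
Barbican trusts on read and the ciphertext, verified without an HSM round trip.
INTEGRITY_KEY and the sample row are constructed stand-ins.
"""
import hashlib
import hmac
import json

INTEGRITY_KEY = bytes(range(32))         # constructed; provision like any other master key

# Every field Barbican would act on must be covered, including the row id and
# project id; otherwise a valid tag can be copied from one row to another.
PROTECTED_FIELDS = ("id", "project_id", "name", "secret_type", "algorithm",
                    "bit_length", "mode", "expiration", "ciphertext")


def canonical(row):
    """Deterministic encoding of the protected fields: sorted keys, no whitespace,
    bytes as hex, so two different metadata sets cannot serialise identically."""
    fields = {k: row.get(k) for k in PROTECTED_FIELDS}
    if isinstance(fields["ciphertext"], (bytes, bytearray)):
        fields["ciphertext"] = fields["ciphertext"].hex()
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_row(row, key=INTEGRITY_KEY):
    """Return a copy of row with integrity_tag set; call on every insert/update."""
    signed = dict(row)
    signed["integrity_tag"] = hmac.new(key, canonical(row), hashlib.sha256).hexdigest()
    return signed


def verify_row(row, key=INTEGRITY_KEY):
    """True only if the protected fields are exactly what was signed."""
    want = hmac.new(key, canonical(row), hashlib.sha256).hexdigest()
    return hmac.compare_digest(row.get("integrity_tag", ""), want)


def demo():
    """A constructed row, then three edits an attacker with DB write access might make."""
    row = sign_row({
        "id": "secret-0001", "project_id": "project-a", "name": "api-signing-key",
        "secret_type": "symmetric", "algorithm": "aes", "bit_length": 256, "mode": "cbc",
        "expiration": "2016-01-01T00:00:00Z", "ciphertext": b"\x00\x11\x22\x33" * 8,
    })
    other = sign_row(dict(row, id="secret-0002"))   # a second, legitimately signed row
    return {
        "untouched": verify_row(row),
        "project_changed": verify_row(dict(row, project_id="attacker-project")),
        "expiration_cleared": verify_row(dict(row, expiration=None)),
        "tag_from_other_row": verify_row(dict(row, integrity_tag=other["integrity_tag"])),
    }
```

The verification cost is one SHA-256 over a few hundred bytes per read, negligible next to a database query, so it does not touch the HSM bottleneck the earlier slides are about. Two limits to keep in mind: the integrity key must live outside the database it protects (wrapped by the HSM like the project keys, or in the node's config), and a per-row MAC does not detect rollback to an older, correctly signed version of the same row; that needs a monotonic version in the protected fields or a higher-level log.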


23 Q & A

24 Thank you!
Jason Fritcher
Jason_Fritcher@symantec.com
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

