Security Architecture
How to provide secure infrastructure
Barbara Krasovec and Daniel Kouřil, EGI CSIRT
Prague, September 2022
What is security architecture?
Some definitions:
• Overall system required to protect your infrastructure
(processes and procedures involved in preventing, mitigating
and investigating different threats)
• Security principles, methods and models designed to keep your
infrastructure safe.
• Security design that addresses potential risks involved in
certain scenarios.
• Security control, security policies and security guidelines.
• Security policies and procedures to prevent, protect, detect,
respond and recover
Security architecture objectives
Security architecture applies to systems, people and network
infrastructure. It enables building security into systems:
• design,
• implementation,
• management,
• risk management.
Security architecture main aspects
Security investments
Where to invest if the budget for security is limited? In detection
or prevention?
• Both.
• Security threats evolve, malware attacks and zero-day attacks are
constant.
• Thinking about incident response only once an incident has
already happened is a poor strategy.
• Know your data, create backups, harden individual systems,
update software regularly, segment network into multiple
subnets, use firewall and monitor the activities.
Security architecture focus
• Identifying data stores and their value/sensitivity,
• understanding of critical services,
• restricting access to the data stores,
• threat analysis and risk assessment.
Some security principles
First we will have a look at some basic security concepts:
• defense in depth,
• zero trust,
• least privilege access.
Defense in depth
• The objective is to minimise the effect of the compromise,
• multiple layers and methods of protection: technical,
organizational, personnel,
• prevent and mitigate the consequences of security breach,
• if one level of protection fails, the subsequent level is available,
• when a single technical, human or other failure occurs, system
should not be compromised,
• in practice: e.g. use firewall on the network border and
internally.
Zero trust architecture
Zero trust means that you don’t automatically believe everything
inside your firewall can be trusted. Zero trust architecture
principles:
• Know your architecture, users, devices etc.,
• authenticate and authorize everywhere,
• use MFA,
• assess your user behavior, devices and services status,
• establish security policies,
• don’t trust any network,
• monitor users, services, devices.
Zero trust
The zero trust concept evolved over the years. In the 90s this meant
providing a firewall; later on, with additional networks in place, it
involved hardening systems individually; then detection became the
principal focus.
Major changes in security came with moving services to the cloud,
and with mobility and remote work.
Least privilege access
The principle of least privilege (POLP) means granting users and
services the minimum level of access rights they need to perform their job.
Why is this important?
• reduces attack surface,
• decreases chances of an attack,
• facilitates service deployment in larger environment,
• improves system stability.
Security Design Principles
• The context: understand the components of your system and its
objectives, address shortcomings, separate responsibilities,
understand the threat model.
• Design system: network segments, services, communication
channels, authn and authz options.
• Harden the system against compromise.
• Include least privilege approach.
• Identify critical services and sensitive data.
• Provide mechanisms for compromise detection (collect logs
and monitor events).
• Reduce attack surface, reduce impact of the compromise and
failure.
• Provide incident response plan.
CIS controls
Also known as Critical Security Controls,
https://www.cisecurity.org/controls, developed by the Center
for Internet Security; they contain a set of actions for system cyber
defense.
• Basic: should be implemented in every organization
• Foundational: best practices that would be recommended to
implement
• Organizational: focus on people and processes involved in
cybersecurity
CIS controls (2)
• CIS controls are used to identify common exploits,
• provide recommendations on how to defend (safeguards),
• are measurable,
• each safeguard has a description (for small office, for large
organization with IT, for organization with security expert
group).
CIS controls (3)
https://www.sans.org/blog/cis-controls-v8
CIS benchmarks
How to translate a CIS safeguard to action - configuration
guidelines
• more than 100 benchmarks available,
• more than 25 vendor products included,
• many vendors implement CIS benchmarks (such as Nessus,
OpenVAS etc.).
CIS controls - Network infrastructure mgmt
CIS controls - Network monitoring
CIS benchmark - Network configuration Linux
CIS benchmark - Remove services
NIST standards
The National Institute of Standards and Technology, a non-regulatory
government agency, prepares guidelines and standards for
recommended security controls for information systems.
• How to categorise and protect your data?
• How to conduct risk assessments?
• How to prepare a security plan?
• How to implement security controls?
• How to measure performance and efficiency?
• How to process data?
https://www.nist.gov/cybersecurity
NIST cybersecurity focus
NIST contributes to the following cybersecurity topics:
NIST standards
NIST standards for Measurements for Information Security:
ISO/IEC Standard 19249:2017
Catalogue of architectural and design principles for secure
products, systems and applications (last review 2021)
• architectural security principles (virtualisation, redundancy,
domain separation etc)
• design principles (how to minimize attack surface, privileges,
access control)
• system evaluations
• probably not widely used, as it needs to be purchased and a
lot of other free material is available.
• some criticism that it does not cover advanced material in the
field
CIS controls eliminate risks?
Yes, but they are hard to implement, especially for a newbie,
advanced system knowledge is required.
Establish security policies
Each organisation should have security policies in place. Use the
documentation that is already available:
• AARC Project: https://aarc-project.eu/policies/policy-development-kit/
• WISE: https://wise-community.org/published_documents
Hardware security
Hardware security considerations
Protecting on-premise systems from natural or human tampering
(network devices, IoT devices). It includes:
• procurement process,
• supply chain,
• device security - physical security, software security,
• encryption.
Disable unused interfaces (physically, in BIOS, from OS) or
configure them in restrictive manner, e.g. USB device whitelisting.
OS Security
Essentials of operating system security
• modify kernel settings at runtime (sysctl), blacklist unneeded
kernel modules,
• network: close unneeded ports, limit access and services
(firewall)
• protect files - minimise access rights, FIM,
• software installed: minimize the number of installed packages,
• automate OS deployment, use configuration management
tools,
• access: use SSH-keys to login, use auditing, MFA, password
change policy,
• security software: enable SELinux, use AppArmor to limit
capabilities of programs,
• logging and monitoring: use central logging.
Password reality
Time to choose a strong password
Seriously: use passphrases, they are secure and easy to remember,
using a space in the password is good practice.
Password policy Linux
Source: https://www.server-world.info
Login nodes and user interfaces
• Apply password change policy or MFA,
• configure to use strong passwords,
• monitor user activity,
• lock accounts after multiple failed attempts (with PAM
system-auth),
• blacklist IP after multiple failed logins (fail2ban),
• disable password login if possible,
• configure remote logging,
• keep process accounting (psacct).
• keep track of what users execute
(https://github.com/CERN-CERT/activity_klog)
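An added example (not part of the original slides) of the counting logic behind blocking an IP after multiple failed logins, the job the list above assigns to fail2ban: a sliding window over sshd log lines. The log lines are constructed, and the threshold of 5 failures within 10 minutes is an assumption chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd "Failed password" message, prefixed here with an ISO 8601 timestamp.
FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_offenders(lines, max_retry=5, find_time=timedelta(minutes=10)):
    """Return {ip: time the threshold was crossed}. Lines must be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    offenders = {}
    for line in lines:
        m = FAILED.match(line)
        if m is None:
            continue              # accepted logins and other messages are ignored
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry:
            offenders.setdefault(ip, ts)
    return offenders

def sample_log():
    """Constructed sample: one fast guesser, one slow one, one legitimate user."""
    start = datetime(2022, 9, 14, 9, 0, 0)
    events = []
    for i in range(5):            # 5 failures in 40 seconds
        events.append((start + timedelta(seconds=10 * i),
                       "Failed password for invalid user admin from 192.0.2.10 port 40022 ssh2"))
    for i in range(5):            # 5 failures, one every 5 minutes
        events.append((start + timedelta(minutes=5 * i),
                       "Failed password for root from 198.51.100.7 port 40100 ssh2"))
    events.append((start + timedelta(seconds=5),
                   "Accepted publickey for alice from 203.0.113.5 port 40200 ssh2"))
    events.sort(key=lambda e: e[0])
    return [f"{ts.isoformat()} login1 sshd[811]: {msg}" for ts, msg in events]

if __name__ == "__main__":
    for ip, when in find_offenders(sample_log()).items():
        print(f"block {ip} (threshold crossed at {when.isoformat()})")
```

The slow source stays under the threshold, which is why the same list also asks for account lockout and for disabling password login where possible.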
Too complex services
If services are too complex to access, no one will use them.
Configuration Management
Process of monitoring/deploying the hardware and software
configuration in line with IT policies.
• Enables consistency and automation,
• enables traceability of configuration changes,
• reduced security breaches,
• reduced time to restore service,
• efficient change management,
• easier upgrade automation,
• higher quality of service,
• control over running processes and permissions over the files,
• configuration backup and documentation.
Configuration Management Tools
Linux hardening tools
Advanced task for a sysadmin. Checklists available, but demand
knowledge. Some Linux hardening tools available:
• Nessus: security vulnerability scanning tool (checks services
and alerts about misconfigurations)
• Zeus: configuration audit, security assessment,
self-assessment, system hardening for AWS
• OpenSCAP: vulnerability scanning and security audit tool
• Lynis: scans the system for expired SSL certificates, outdated
software, user accounts without passwords, files etc.
• many others..
Nessus
Source: https://www.tenable.com/products/nessus/demo
OpenSCAP security standards
Security Content Automation Protocol (SCAP) is a framework for
security standards. It provides tools for assessment, measurement
and enforcement of security baselines - how to harden your system
and detect misconfigurations.
• Guidelines for Linux,
• validated by NIST (National Institute of Standards and
Technology),
• CIS control included,
• command-line tool oscap, GUI is scap-workbench,
• note that the tool has a limited span of checks and guidelines.
OpenSCAP report for CentOS 8
Lynis
Security auditing tool for systems running Linux or Unix-based
operating system
• Security scan,
• file permissions checks,
• tips for additional OS hardening: kernel parameters (sysctl),
SSH configuration, PAM configuration etc.,
• vendor guides included,
• supports multiple standards, such as NIST and also CIS
benchmarks.
Lynis report
Devops and security
DevSecOps is a set of practices, policies, approaches and tools
used by IT, Dev and Ops to deliver applications and
services at high velocity, securely.
• Interesting project to follow: https://dev-sec.io/
• Github materials: https://github.com/dev-sec/
• OS hardening using automation tools on different OS
Logging
• what to log?
• problem: different formats, timestamps, timezones
• use centralised log management, then analyse
• normalise logs (same format for all)
• provide log rotation
• specify log rotation policy (diskspace, regulatory requirements)
• visualise vital logs
• software: NXLog, ELK, Graylog, Loki, rsyslog, syslog-ng
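An added example (not part of the original slides) of the normalisation step in the list above: three log formats with different timestamp styles and timezones are converted to one record shape with UTC timestamps, so events from different hosts can be ordered on one timeline. The log lines are constructed; the assumed year and the +02:00 offset for syslog lines without timezone information are parameters the collector has to supply.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3164 style syslog: no year, no timezone ("Sep 14 09:15:02 host msg")
SYSLOG = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# ISO 8601 timestamp with offset, as produced by newer syslog templates
ISO = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\S+) (?P<host>\S+) (?P<msg>.*)$")
# Web server common log format: timestamp in brackets, numeric offset, no server name
CLF = re.compile(r"^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] (?P<msg>.*)$")

def record(dt, source, fmt, message):
    utc = dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"ts": utc, "source": source, "format": fmt, "message": message}

def normalise(line, collector_source, assumed_year, assumed_tz):
    """Return a normalised record, or None if the format is not recognised."""
    m = ISO.match(line)
    if m:
        dt = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=assumed_tz)
        return record(dt, m["host"], "iso8601", m["msg"])
    m = SYSLOG.match(line)
    if m:
        # The year and the timezone are not in the line; they must be assumed.
        dt = datetime.strptime(f"{assumed_year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return record(dt.replace(tzinfo=assumed_tz), m["host"], "rfc3164", m["msg"])
    m = CLF.match(line)
    if m:
        dt = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return record(dt, collector_source, "clf", line)
    return None

# Constructed sample: (name the collector knows the sender by, raw line)
SAMPLE = [
    ("login1", "Sep 14 09:15:02 login1 sshd[811]: Failed password for root from 192.0.2.7 port 40022 ssh2"),
    ("fw1", "2022-09-14T07:15:03+00:00 fw1 kernel: DROP IN=eth0 SRC=192.0.2.7 DPT=22"),
    ("web1", '192.0.2.7 - - [14/Sep/2022:03:15:01 -0400] "GET /login HTTP/1.1" 401 512'),
    ("web1", "garbled line without a timestamp"),
]

def timeline(samples, assumed_year=2022, assumed_tz=timezone(timedelta(hours=2))):
    """Return (records sorted by UTC time, lines that could not be parsed)."""
    records, rejected = [], []
    for source, line in samples:
        rec = normalise(line, source, assumed_year, assumed_tz)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return sorted(records, key=lambda r: r["ts"]), rejected

if __name__ == "__main__":
    ordered, rejected = timeline(SAMPLE)
    for rec in ordered:
        print(rec["ts"], rec["source"], rec["format"], rec["message"])
    print("unparsed:", rejected)
```

Sorted by their raw timestamp strings the three events would appear in a different order; after conversion to UTC the web request comes first, then the SSH failure, then the firewall drop.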
Logging checklist
https://www.sans.org/brochure/course/log-management-in-depth/6
FIM and HIDS
• FIM (file integrity monitoring) is software that monitors files,
detects changes that could be indicative of a cyberattack and reports them.
• HIDS stands for host-based intrusion detection system and
represents an application that is monitoring a computer or
network for suspicious activities. (also NIDS = network
intrusion detection system).
• HIDS tools: OSSEC, Wazuh, AIDE
• poorly configured FIM and HIDS systems can lead to
excessive alerts causing Alert Fatigue
Integrity monitoring
• some FIM software: Tripwire, Samhain, OSSEC
• you can set audit.rules on Linux, but only check
sensitive/critical folders
• check trusted computing base
#kernel modules
/lib/modules
#binaries:
/bin, /sbin, /usr/bin, /usr/local/bin, /usr/local/sbin,
/usr/sbin
#system configurations:
/etc
#critical files in
/boot, /var/spool, /home
Auditd - Search Logs with ausearch
Firewall
A physical firewall device is usually the number one security
measure.
• Physical appliance: placed between the uplink and systems,
filters traffic before it reaches the system (Palo Alto, Cisco,
Fortinet and others)
• Software firewall: iptables, firewalld, nftables; filters traffic on
the host
• Best option: use both hardware (outer perimeter) and
software firewall (inner layers)
Rootkit detectors
• rkhunter
• chkrootkit
Discovering and deleting a rootkit on your server is just the
beginning of the problem solving: how did the rootkit get to the
server, how was it installed, what has been changed on the system?
Rkhunter scan report
OS security summary
• secure configuration is key, not checking logs and using
different security scanning tools
• fail2ban is fine, but keep your SSH configuration secure
• minimise trusted computing base (the smaller the better)
• follow vulnerabilities and patch asap
• least privilege rule (give programs and users only privileges
that are required for them to work) - zero trust rule
Physical security
• Prevent unauthorised access of personnel, equipment,
installations, information,
• protect resources against damage, espionage, sabotage and
criminal activity,
• use locked and alarmed doors, fences, guards, CCTV cameras,
• use electronic detection and assessment systems,
• illuminated detection zones,
• armed security for vital area,
• design physical security plan (PSP) + SOP (standard
operating procedures).
Network security
Essentials of secure network design
Where is the valuable data? Who has access to it?
• Physical topology: how is the network connected?
• Logical topology: how do services communicate? What is the
meaning of the information?
System and network hardening
Fundamental security principle: reduce attack surface
• Disable default services that are not needed,
• restrict default permissions,
• close unneeded ports,
• use strong passwords and enforce password change policy,
• start by denying all access/ports, then allow only that which
has been explicitly permitted,
• detect if you can’t prevent.
Network segmentation
It refers to segregation of the network into multiple sub-networks
(segments) by a device (switch, router, hub, bridge..) with the aim
to improve security and performance (reduced attack surface), by
using:
• access control/firewalls,
• VLANs (virtual local area network),
• SDN (software defined network).
How to segregate network?
• Least privilege rule: only provide access to system that is
necessary, nothing else.
• Define zones based on the location of the sensitive data and
functionality.
• Do not make system too complex.
Enterprise network
Most enterprise networks are flat, which is very problematic in case
of breach, especially if desktop computers are included, which are
an easy target for malware.
• 1st step: put servers and desktops into 2 separate subnets,
put firewall between them
• 2nd step: monitor network traffic (eg Netflow)
• 3rd step: create another segment for the applications that
need to be accessed from the internet, DMZ zone
E.g. a problem with DHCP in flat networks: each device can send
a DHCP reply.
Common network segments
Plan - Analyse - Design - Build - Test - Deploy - Improve
The basic network segments are:
• Public network: Internet (contains no sensitive data, is not
under control of the organisation),
• DMZ network (semi-public), services need access to the
Internet: web, mail, DNS etc.,
• middleware network is used to separate DMZ from private
network (filtered access, proxy servers),
• private network: internal services (contains sensitive
information) - only access from DMZ is possible.
Firewall is usually placed between public and other networks.
Basics for network topology design
• Allow internal users to access the internet,
• services that require Internet access should be limited,
• access to the internal services should be prohibited from
public network, it should be restricted to DMZ,
• resources in public network cannot be trusted,
• system that is visible from the Internet cannot contain
sensitive data (should be in DMZ),
• DMZ communicates with private network via proxy.
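An added example (not part of the original slides) that turns the zone rules above into a default-deny policy and checks observed connections against it, for instance flows exported by NetFlow. The address plan, the port numbers and the flows are constructed; placing the proxy in the middleware segment is one reading of the rule that the DMZ reaches the private network via a proxy.

```python
import ipaddress

# Constructed address plan; everything outside these networks is "public".
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "middleware": ipaddress.ip_network("10.20.0.0/24"),
    "private": ipaddress.ip_network("10.30.0.0/16"),
}

# Explicit allow list (source zone, destination zone) -> ports; all else is denied.
ALLOW = {
    ("public", "dmz"): {25, 53, 80, 443},      # Internet-facing services live in the DMZ
    ("dmz", "public"): {25, 53, 80, 443},
    ("dmz", "middleware"): {8443},             # DMZ may only talk to the proxy
    ("middleware", "private"): {5432, 8443},   # proxy forwards to internal services
    ("private", "public"): {80, 443},          # internal users may reach the Internet
}

def zone_of(address):
    ip = ipaddress.ip_address(address)
    for name, network in ZONES.items():
        if ip in network:
            return name
    return "public"

def check(src, dst, port):
    """Return (verdict, reason) for a connection initiated by src towards dst:port."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic ({src_zone})"
    if port in ALLOW.get((src_zone, dst_zone), ()):
        return "allow", f"{src_zone} -> {dst_zone} port {port} is explicitly permitted"
    return "deny", f"{src_zone} -> {dst_zone} port {port} has no allow rule"

def audit(flows):
    """Return the flows that violate the policy, with the reason."""
    violations = []
    for src, dst, port in flows:
        verdict, reason = check(src, dst, port)
        if verdict == "deny":
            violations.append((src, dst, port, reason))
    return violations

# Constructed flows
FLOWS = [
    ("203.0.113.9", "10.10.0.5", 443),     # Internet client to web server in the DMZ
    ("203.0.113.9", "10.30.1.20", 5432),   # Internet straight to an internal database
    ("10.10.0.5", "10.30.1.20", 5432),     # DMZ host bypassing the proxy
    ("10.10.0.5", "10.20.0.8", 8443),      # DMZ host to the proxy
    ("10.20.0.8", "10.30.1.20", 5432),     # proxy to the internal database
    ("10.30.4.4", "198.51.100.20", 443),   # internal user browsing
    ("10.30.4.4", "10.10.0.5", 22),        # no rule for this, so default deny applies
]

if __name__ == "__main__":
    for src, dst, port, reason in audit(FLOWS):
        print(f"VIOLATION {src} -> {dst}:{port}: {reason}")
```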
Network topology example
Network attacks
Network devices and switches are network nodes too: they are
targets of malicious attacks and should be secured like any other
node and kept updated.
• DoS,
• packet sniffing,
• packet misrouting,
• SYN Flood,
• brute force attacks,
• MITM attack,
• ARP cache poisoning,
• etc.
How to prevent such network attacks?
• Account lock out,
• rate limiting (policing),
• enable IP source verify (customer cannot spoof its IP address),
• LPTS = local packet transport service - configure allowed
settings (e.g number of allowed ICMP packets, number of
TCP sessions etc.),
• provide continuous monitoring.
Attack mitigation software
Usually appliances deployed between the router and the network
firewall; commercial solutions. They protect against DDoS attacks
(blackholes, scrubbing), brute force attacks, SYN flood attacks etc.
• Arbor Edge Defense (AED) is an inline security appliance
deployed at the network perimeter (i.e. between the internet
router and network firewall).
• F5 Silverline DDoS prevention
• Radware DefensePro
Software defined networking
The objective is to make network as flexible and as agile as a VM.
SDN enables microsegmentation and decreases the exposure to
system attacks.
Device Security
Similar security prevention as for other servers.
• Keep the software updated,
• change default password,
• disable HTTP configuration for routers,
• disable IP directed broadcasts,
• block ICMP ping,
• disable IP source routing,
• establish ACLs,
• establish ingress/egress address filtering policy,
• provide physical security of the devices,
• monitor logs,
• restrict SNMP, route advertising.
IPv6 vs IPv4 security
Is IPv6 networking more secure?
• autoconfiguration support
• IPv6 over IPv4 tunneling support, IPv4 over IPv6 support
• flexible protocol support: NDP (Neighbor Discovery Protocol),
SLAAC (stateless address autoconfiguration)
• support for encryption
• support for IPsec - authentication, integrity and protection
against replay attacks
• better QOS support (better availability)
• packet fragmentation is done by hosts only
Although it enables multiple enhancements, it isn’t more secure.
Traffic sniffers
A sniffer is a program that monitors data traveling over a network.
• Snort
• tcpdump
• Wireshark
• dsniff (for switches)
• Kismet (for wireless)
• nmap
Network security tools
• Wireshark + tshark - network sniffer
• Metasploit - scanners for more than 1500 operations
• Nessus - identifies and corrects faulty updates
• OpenVAS - checks configuration and basic web flaws
• Argus - open-source network analysis tool
• tcpdump - network sniffer
• Kali Linux - bootable Linux with multiple security and forensics
tools
• Snort - network intrusion detection and prevention system
(traffic analysis)
• Suricata - IPS
• Netcat - utility that reads/writes data across TCP/UDP
network connections
• nmap
Complexity vs usability
In network design it is important to find a compromise between the
complexity (security) of the network and its usability. If you make
your network too complex it will be difficult to manage.
Network design recap
• start with good planning (identify components, access, critical
data etc)
• plan growth
• design multitier network (network segments) - by functionality
and data flows
• provide security (firewall, ACLs etc)
• provide monitoring and IDS, IPS
• provide redundancy for critical services
• implement IPv6
• use secure protocols for transfers
• maintain network documentation
Data security
Privacy vs Security
• Data security protects data from malicious threats: activity
monitoring, network security, access control, encryption,
authentication.
• Data privacy addresses proper handling, processing, storage of
data: security policies and permissions.
In order to ensure privacy, we need security.
Data privacy and security considerations
• Provide lifecycle management,
• data transfers restricted and allowed over secure channels,
• restrict access to data (ACLs, firewall, authN, authZ)
• provide backup and replication,
• encryption and key management (on AWS, newly added
resource will be terminated if encryption is not enabled),
• least privilege concept enforced,
• obscure raw data and only display selected portions during
operations,
• apply SIEM, FIM.
Data lifecycle
Virtualisation security
Virtualisation and cloud
• virtualisation is a technology: it allows creating multiple
environments from a single, physical hardware system
• cloud is an environment: it can include bare-metal,
virtualisation, or container software
Why does cloud security matter?
• hypervisors are prime targets of attacks (single point of
failure),
• if hypervisor host is vulnerable, everything else on it is
vulnerable,
• VMs can interfere with each other,
• resources and services are difficult to track,
• lack of knowledge of technical staff,
• data is spread across multiple servers and locations,
• all security risks present in traditional infrastructure are also
present here.
Virtualisation security essentials
• don’t use default credentials,
• don’t mix production and development VMs on the same
hypervisor, use different network or at least, different security
group for production and development,
• use different credentials for production and development VMs,
• monitor all VMs (production, testing, development),
• shut down VMs that you don’t need,
• always update offline VMs before putting them back online,
• maintain inventory of VMs,
• check for open ports, default passwords, unpatched software
(nmap, Metasploit, OpenVAS, Nessus) - check also
https://github.com/dev-sec/puppet-os-hardening
Cloud services
Consider the benefits of running services in the cloud.
• What are your risks?
• What are your responsibilities?
• Which domains are under your control and which in the hands
of the cloud provider?
• Where will you store your data and how will you transfer it,
use it?
• Are there any regulations about storing the data in the cloud?
Cloud security challenges
• for customer: no longer access to the hypervisor or hardware
(physical, host security), cannot control which customers host
on the same host and how well they protect their VMs
• for cloud provider: complex network designs and no control
over the state of VMs
Private vs public cloud
• Private cloud:
  • security is a responsibility of the organisation,
  • number of VMs is pretty stable,
  • scalability is limited,
  • bandwidth is limited,
  • data storage and access under control of the organisation,
  • potential of providing perfectly safe environment (behind a
  firewall).
• Public cloud:
  • shared responsibility between customer and cloud provider,
  • seemingly infinite resources,
  • main target for security attacks (security is big investment),
  • no control over data for customer,
  • customer needs to trust cloud provider.
Cloud models
Common threats in the cloud
• cyber attacks: DoS, spoofing, man-in-the-middle,
• escalation of privileges, unauthorized access,
• hijacking accounts,
• misconfigurations,
• internal/external threats,
• malware,
• data breaches,
• insecure interfaces/APIs,
• external data sharing and data transfers,
• insufficient technical skills,
• VM escape,
• leaked credentials (committed to git).
How to prevent common attacks?
• Spoofing: use SSH keys for authentication, TLS for
communication, strong password policy, link Keystone with
LDAP directory
• Tampering: use digital signatures for data integrity (Glance
supports image signing), mandatory access control (MAC)
and role based access control (RBAC) to protect services
• Repudiation: central logging and auditing in place, SIEM,
monitor networks for anomalies (IDS/IPS)
• Data disclosure: use encryption, MAC/RBAC
• DoS: redundant services (HA), use quotas per
domain/project/user, isolate services from direct access, use
proxy to access services from DMZ, good network design
• Escalation of privileges: MFA, restrict API, monitor
Questions?