scribble

Managing Chaos

About Skills Rabbit Holes Email GitHub

18 Sep 2014
Security

Obviously this is a huge area/topic. As I am thinking about what to add I find that I am a little paralized by choice. So I will start with some of the more obvious items and hopefully that will get the “writers block” out of the way.

SSH

Here I suppose I should mention to never SSH without keys. I used to be of the mind set that if I foreced myself to type the password for every account/connection I needed, I wouldn’t forget them. Well as systems scale that idea quickly fades to dust. So public/private keys are a must! In reality they do make life easier. As one would expect you always end up with many differnt pub/priv for different system accounts. I find that keeping them alayws in order IN THE SAME place is crucial. Storing them in AWS S3 with the proper security settings in place (two authentication, buckers permisions etc) is a good start.

Also ensure that the priv keys you share anywhere are also password protected. This can be a additional “pain” however you can never be to sure. Afterall you can always download them and remove the passwords if needed.

VPN

My first encounters with VPNing was with Cisco devices. As time progressed these offfering (and the license costs and restrictions tied to them) started to make them less and less attractive. Not only that, coupling flaky VPN clients (SSL, IPSEC,browser based) on developer work stations that need a consistant link make for some very vocal and consistant requests to fix the problem(s). So enter the…

The Shrew (great logo)

To attempt to fix the issue I started to use Shrew Soft. The client works great, however Cisco devices by default don’t wont to play nice, so they needed to tweaked. Plenty on Google explaining how to.

This solution was in place for some time and worked great. Until one day “nirvana” was achieved. All Cisco gear was replaced with easy to use and manage alternatives. This shift allowed other team members to be part of any future solutions, not just the guys who happened to know IOS. This then opened the door for…

OpenVPN

Sure you can use OpenVPN clients with Cisco ASA’s, however the aformentioned Shrew was running great, so why fix it if it isn’t broken. With the ASAs gone PfSense was implemented. You can connect to these firewalls in many different way however OpenVPN is basically shipped with the software. Creating and exporting OpenVPN client install bundles is amazingly easy. And ready to go MSI packages can be provided to Devs for one click setup.

The client keeps a rock solid connection to the server, compresion is easily applied, and the end result in a much quiter and happier group of developers. I don’t even pay any attention to VPN now, it is always on, always works, and that is how it should be.

Firewalls

So it would seems as though a natural segway has presented itself into the Firewall section of this post. As mentioned above I have experience with two firewall solutions. Cisco ASA and PfSense. I am purposly leaving IPTables off of this post since I would like to focus on the physical deplpyable assests.

Cisco ASA.

  1. Setup as a Master/Slave pair.
  2. Automatic fail over and fail back.
  3. Fully redundant network pathing for both upstream and downstream devices.
  4. IPS modules.
  5. Responsible for perimeter security and secure access. Intralan security provided via Cisco 3750 swithces via IP access rules.

PfSense

AWS Security (should be seperate post)


Til next time,
Travis Dolan at 08:32

scribble

About Skills Rabbit Holes Email GitHub