Securing the Helix Platform at Citrix

Securing the Helix Platform at CitrixJason LeonardStaff Software Engineer, SCM Team

2

Jason Leonard (jason.leonard@citrix.com) 15 years dealing with Perforce.

Adobe (5 years)Citrix (10 years)

Staff Software EngineerSource Control Team

2 team members and a manager ~20 servers, ~40 Helix repositories ~3.5TB version data

growing 300GB per year. ~250,000 commands per hour

~6M commands per day

Not a securityengineer

3

Why I chose to talk about security?

4

“On Covert Acoustical Mesh Networks in Air”

5

Do you have a secure Helix?

6

SecurityLayers

Data

Application

Operating System

Network

7

Data Security

Redundancy• Ensure your data can cope with some hardware failure• Can increase performance

On Disk Encryption• Disks can be stolen, or end up in the wrong hands• But we incur a performance penalty

Backup, Backup, Backup– If its not in three places it doesn't exist– But the data is in three places• TEST IT

Data

Application

Operating System

Network

8

Application Security

Authentication• Username• Password• Or ticket if we have already

authenticated with ‘p4 login’ Authorisation• Groups• Protections

Data

Application

Operating System

Network

run.users.authorize = 1• Otherwise ‘p4 users’ allowed

security = 4• Strong passwords• Ticket based login required• Authenticated service user

9

Authentication

security <= 2 Password based auth• Command-line• Environment• P4CONFIG file• Windows Registry

Data

Application

Operating System

Network

p4 –u jasonleonard –P mySuperSecretPa55w0rd

P4PASSWD=mySuperSecretPa55w0rd

P4PASSWD=9ed1ae7793942a500012e97c9a605a74

10

Authentication

security >= 3 Ticket based login• p4 login• Tickets timeout• Can lock to client IP• Can remote invalidate

Data

Application

Operating System

Network

p4 –u jasonleonard loginEnter password: *********

perforce:1666=jasonleonard:c6a65e9365c1f5245….

11

Operating System Security

Software firewall• Don’t neglect the firewall on your servers• Windows Firewall, iptables

Anti-virus/malware• Don’t let your anti-virus scan your metadata

OS Hardening• Ensure you follow guidelines• Remove unnecessary software• Turn off unnecessary OS features• Ensure each machine runs only one service and runs it well

Data

Application

Operating System

Network

12

Network Security

Firewalls• Separate production networks

from user networks VPN• To access production network

for configuring machines Intrusion Detection System• Log watching• Honey pot

Data

Application

Operating System

Network

SSL• Encrypt all traffic over the wire

Wireless• Disallow any wireless network to

your source control DNS/DHCP• Prevent the man-in-the-middle

attacks

13

Two way RPC Protocol

Remote Procedure Call p4 login = user-login

function client-Prompt displays• Enter password:

dm-Login contains the salted password

client-SetPassword contains our ticket

14

Secure Helix Communications

Available since 2012.1 Authenticates end point Encrypts traffic Server• Generate a certificate on the

master/broker/proxy• Run with –p ssl::1666

Client• P4PORT = ssl:host:1666• Accepts the certificate with p4 trust

C:\>p4 -p perforce:1666 trustThe fingerprint of the server of your P4PORT setting'ssl:perforce:1666' (10.0.0.1:1666) is not known.That fingerprint is 89:8E:FD:55:42:A5:D8:DC:C2:9F:33:7C:B4:AD:C9:4B:3E:22:34:9DAre you sure you want to establish trust (yes/no)?

ssl:

15

Annotate Bug (#74317)

Found by a Citrix developer • Attempting to write some

automation Large block of “random”

data seen with ‘p4 annotate’ Text file with one line longer

than 10,000 characters.

“random” is actually parts of p4d’s memory• Usually database structures

Patched in • 2015.2 Patch 3• 2015.1 Patch 13• 2014.2 Patch 12• 2014.1 Patch 20

16

Physical Security

Server Room/Lab• Door security, key, swipe?• Access policy, who can open the door?

Racks• Locked by key, combination

Servers• Case intrusion prevention• Disk drives locked

Disposal

Data

Application

Operating System

Network

17

Monitoring

Infrastructure Monitoring• Nagios XI

Log Monitoring• Nagios Log Server

18

19

Monitoring

IP Threat Analysis• Helix Threat Detection

20

What if a user sync’s code?

21

Virtual Desktops from a Datacenter

22

Do you have a secure Helix,Now?

Secure Helix… Done!

jason.leonard@citrix.com