Securing the Helix Platform at Citrix
Jason Leonard
Staff Software Engineer, SCM Team
2
Jason Leonard ([email protected])
15 years dealing with Perforce: Adobe (5 years), Citrix (10 years)
Staff Software Engineer, Source Control Team
• 2 team members and a manager
• ~20 servers, ~40 Helix repositories
• ~3.5TB version data, growing 300GB per year
• ~250,000 commands per hour, ~6M commands per day
Not a security engineer
3
Why did I choose to talk about security?
4
“On Covert Acoustical Mesh Networks in Air”
5
Do you have a secure Helix?
6
Security Layers
Data
Application
Operating System
Network
7
Data Security
Redundancy
• Ensure your data can cope with some hardware failure
• Can increase performance
On Disk Encryption
• Disks can be stolen, or end up in the wrong hands
• But we incur a performance penalty
Backup, Backup, Backup
  – If it's not in three places it doesn't exist
  – But the data is in three places
• TEST IT
8
Application Security
Authentication
• Username
• Password
• Or ticket if we have already authenticated with ‘p4 login’
Authorisation
• Groups
• Protections
run.users.authorize = 1
• Otherwise ‘p4 users’ is allowed without authentication
security = 4
• Strong passwords
• Ticket based login required
• Authenticated service user
9
Authentication
security <= 2: Password based auth
• Command-line
• Environment
• P4CONFIG file
• Windows Registry
p4 -u jasonleonard -P mySuperSecretPa55w0rd
P4PASSWD=mySuperSecretPa55w0rd
P4PASSWD=9ed1ae7793942a500012e97c9a605a74
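The two P4PASSWD forms above (plaintext and MD5) are exactly what an auditor looks for on build agents and developer workstations before raising the security level. The following is an added Python example, not part of the talk, that parses constructed P4CONFIG files in the KEY=VALUE layout and flags the credential forms that only security <= 2 accepts, plus a non-ssl: P4PORT. The file contents, user names and paths are made up for the example.

```python
import re

# Constructed P4CONFIG files for the audit below (sample data, not from the talk).
# The first two carry the password forms shown on the slide; the third relies on tickets.
P4CONFIG_PLAINTEXT = """\
P4PORT=ssl:perforce:1666
P4USER=jasonleonard
P4PASSWD=mySuperSecretPa55w0rd
"""

P4CONFIG_HASHED = """\
P4PORT=perforce:1666
P4USER=buildbot
# security <= 2 accepts the MD5 of the password in place of the password
P4PASSWD=9ed1ae7793942a500012e97c9a605a74
"""

P4CONFIG_TICKETS = """\
P4PORT=ssl:perforce:1666
P4USER=jasonleonard
P4TICKETS=/home/jasonleonard/.p4tickets
"""

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_p4config(text):
    """Read KEY=VALUE lines; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit_p4config(text):
    """Return (code, message) findings about how credentials are held in a P4CONFIG."""
    settings = parse_p4config(text)
    findings = []
    passwd = settings.get("P4PASSWD")
    if passwd is not None:
        if MD5_HEX.match(passwd):
            findings.append(("P4PASSWD_MD5",
                             "P4PASSWD holds an MD5 hash; at security <= 2 the hash itself "
                             "logs in, so it is a credential, not a protected form"))
        else:
            findings.append(("P4PASSWD_PLAINTEXT",
                             "P4PASSWD holds a plaintext password; use 'p4 login' tickets instead"))
    port = settings.get("P4PORT", "")
    if port and not port.startswith("ssl:"):
        findings.append(("P4PORT_CLEARTEXT",
                         "P4PORT has no ssl: prefix; commands and tickets cross the wire unencrypted"))
    return findings


def finding_codes(text):
    """Just the codes, for a quick pass/fail check on a build agent."""
    return [code for code, _ in audit_p4config(text)]


if __name__ == "__main__":
    for name, cfg in [("plaintext", P4CONFIG_PLAINTEXT),
                      ("hashed", P4CONFIG_HASHED),
                      ("tickets", P4CONFIG_TICKETS)]:
        print(name, finding_codes(cfg))
```

The hashed form is the one people mistake for "safe": once security is raised to 3 or above it stops working, which is the point of the level change.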
10
Authentication
security >= 3: Ticket based login
• p4 login
• Tickets timeout
• Can lock to client IP
• Can remote invalidate
p4 -u jasonleonard login
Enter password: *********
perforce:1666=jasonleonard:c6a65e9365c1f5245….
11
Operating System Security
Software firewall
• Don’t neglect the firewall on your servers
• Windows Firewall, iptables
Anti-virus/malware
• Don’t let your anti-virus scan your metadata
OS Hardening
• Ensure you follow guidelines
• Remove unnecessary software
• Turn off unnecessary OS features
• Ensure each machine runs only one service and runs it well
12
Network Security
Firewalls
• Separate production networks from user networks
VPN
• To access production network for configuring machines
Intrusion Detection System
• Log watching
• Honey pot
SSL
• Encrypt all traffic over the wire
Wireless
• Disallow any wireless network to your source control
DNS/DHCP
• Prevent the man-in-the-middle attacks
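"Log watching" on the slide needs concrete detection logic behind it. The following is an added Python example, not from the talk, that walks a constructed excerpt modelled on p4d's P4LOG layout (an info block per command, an error block per failure, both carrying the pid so they can be joined) and reports source addresses with repeated "Password invalid." results against user-login. The log lines, addresses and user names are constructed, and the exact P4LOG field layout is an assumption to check against your own server's log before deploying.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the P4LOG layout (sample data, not a real server's log):
# an info block per command and an error block per failure, both carrying the pid.
SAMPLE_LOG = """\
Perforce server info:
\t2016/03/14 10:23:41 pid 4101 jasonleonard@jl-ws 10.1.5.20 [p4/2015.2/NTX64/1346416] 'user-login'
Perforce server info:
\t2016/03/14 10:23:45 pid 4102 buildbot@unknown 10.9.9.9 [p4/2015.1/LINUX26X86_64/1223656] 'user-login'
Perforce server error:
\tDate 2016/03/14 10:23:45:
\tPid 4102
\tOperation: user-login
\tPassword invalid.
Perforce server info:
\t2016/03/14 10:23:50 pid 4103 jasonleonard@jl-ws 10.1.5.20 [p4/2015.2/NTX64/1346416] 'user-sync //depot/main/...'
Perforce server info:
\t2016/03/14 10:23:52 pid 4104 admin@unknown 10.9.9.9 [p4/2015.1/LINUX26X86_64/1223656] 'user-login'
Perforce server error:
\tDate 2016/03/14 10:23:52:
\tPid 4104
\tOperation: user-login
\tPassword invalid.
Perforce server info:
\t2016/03/14 10:23:55 pid 4105 super@unknown 10.9.9.9 [p4/2015.1/LINUX26X86_64/1223656] 'user-login'
Perforce server error:
\tDate 2016/03/14 10:23:55:
\tPid 4105
\tOperation: user-login
\tPassword invalid.
Perforce server info:
\t2016/03/14 10:24:10 pid 4106 jasonleonard@jl-ws 10.1.5.20 [p4/2015.2/NTX64/1346416] 'user-login'
Perforce server error:
\tDate 2016/03/14 10:24:10:
\tPid 4106
\tOperation: user-login
\tPassword invalid.
"""

# One info line: date time pid N user@client ip [version] 'command args'
INFO_RE = re.compile(
    r"^\s*(?P<date>\S+) (?P<time>\S+) pid (?P<pid>\d+) "
    r"(?P<user>[^@\s]+)@(?P<client>\S+) (?P<ip>\S+) \[[^\]]*\] '(?P<cmd>[^']*)'$"
)


def parse_log(text):
    """Return ({pid: command fields}, {pids whose error block says 'Password invalid.'})."""
    lines = text.splitlines()
    commands, failed_pids = {}, set()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "Perforce server info:" and i + 1 < len(lines):
            m = INFO_RE.match(lines[i + 1])
            if m:
                commands[m["pid"]] = m.groupdict()
            i += 2
            continue
        if line == "Perforce server error:":
            i += 1
            pid, invalid = None, False
            while i < len(lines) and lines[i].startswith("\t"):  # error body is tab-indented
                body = lines[i].strip()
                if body.startswith("Pid "):
                    pid = body.split()[1]
                elif body == "Password invalid.":
                    invalid = True
                i += 1
            if pid and invalid:
                failed_pids.add(pid)
            continue
        i += 1
    return commands, failed_pids


def failed_logins_by_ip(text):
    """Map source IP -> list of user names whose user-login failed from that IP."""
    commands, failed_pids = parse_log(text)
    per_ip = defaultdict(list)
    for pid in failed_pids:
        cmd = commands.get(pid)
        if cmd and cmd["cmd"] == "user-login":
            per_ip[cmd["ip"]].append(cmd["user"])
    return per_ip


def login_alerts(text, threshold=3):
    """Sorted (ip, failure count, distinct users tried) for IPs at or above the threshold."""
    return sorted(
        (ip, len(users), sorted(set(users)))
        for ip, users in failed_logins_by_ip(text).items()
        if len(users) >= threshold
    )


if __name__ == "__main__":
    for ip, count, users in login_alerts(SAMPLE_LOG):
        print(f"ALERT {ip}: {count} failed logins, users tried: {', '.join(users)}")
```

A single mistyped password from a developer's workstation stays below the threshold; one address cycling through several account names does not. In production the same join on pid feeds a log server such as the one on the monitoring slide, with a time window added.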
13
Two way RPC Protocol
Remote Procedure Call
• p4 login = user-login function
• client-Prompt displays “Enter password:”
• dm-Login contains the salted password
• client-SetPassword contains our ticket
14
Secure Helix Communications
Available since 2012.1
• Authenticates end point
• Encrypts traffic
Server
• Generate a certificate on the master/broker/proxy
• Run with -p ssl::1666
Client
• P4PORT = ssl:host:1666
• Accepts the certificate with p4 trust

C:\>p4 -p perforce:1666 trust
The fingerprint of the server of your P4PORT setting
'ssl:perforce:1666' (10.0.0.1:1666) is not known.
That fingerprint is 89:8E:FD:55:42:A5:D8:DC:C2:9F:33:7C:B4:AD:C9:4B:3E:22:34:9D
Are you sure you want to establish trust (yes/no)?
ssl:
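The prompt above is a first-contact decision; after answering yes, the fingerprint is pinned in the P4TRUST file and later connections are checked against it. The following is an added Python example (not the talk's or Perforce's code) that reads a constructed trust file in the assumed address=fingerprint layout, reports malformed or conflicting entries, and classifies a presented fingerprint as unknown, trusted, or mismatched. Only the first entry reuses the slide's fingerprint; the other entries are constructed, and the SHA-1-over-DER fingerprint helper assumes the conventional X.509 fingerprint form.

```python
import hashlib
import re

# Constructed ~/.p4trust contents. The address=fingerprint layout is assumed to be what
# 'p4 trust' writes; the first entry reuses the fingerprint shown on the slide, the
# rest are made up (including a conflicting duplicate and a malformed line).
SAMPLE_P4TRUST = """\
10.0.0.1:1666=89:8E:FD:55:42:A5:D8:DC:C2:9F:33:7C:B4:AD:C9:4B:3E:22:34:9D
10.0.0.2:1666=0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D
10.0.0.2:1666=FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC
not a trust line
"""

# 20 colon-separated hex bytes, as in the slide's fingerprint
FINGERPRINT_RE = re.compile(r"^(?:[0-9A-F]{2}:){19}[0-9A-F]{2}$")


def fingerprint_of_der(der_bytes):
    """SHA-1 over the DER-encoded certificate, rendered as colon-separated hex.
    This is the conventional X.509 fingerprint form; matching p4 trust's display is assumed."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_p4trust(text):
    """Return ({address: fingerprint}, [(line number, problem)]).
    Malformed lines and a second, different fingerprint for an address already
    seen are reported instead of silently overwriting the pinned value."""
    trust, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        address, sep, fp = line.partition("=")
        fp = fp.strip().upper()
        if not sep or not FINGERPRINT_RE.match(fp):
            problems.append((lineno, "malformed entry"))
            continue
        address = address.strip()
        if address in trust and trust[address] != fp:
            problems.append((lineno, f"conflicting fingerprint for {address}"))
            continue
        trust[address] = fp
    return trust, problems


def check_server(trust, address, presented):
    """Classify the fingerprint a server presents against the pinned trust entries.
    UNKNOWN:  first contact; confirm the fingerprint out of band before answering yes.
    TRUSTED:  matches the pinned value.
    MISMATCH: the certificate changed, or something sits between client and server."""
    known = trust.get(address)
    if known is None:
        return "UNKNOWN"
    return "TRUSTED" if known == presented.strip().upper() else "MISMATCH"


if __name__ == "__main__":
    trust, problems = parse_p4trust(SAMPLE_P4TRUST)
    for lineno, problem in problems:
        print(f"line {lineno}: {problem}")
    print(check_server(trust, "10.0.0.1:1666",
                       "89:8E:FD:55:42:A5:D8:DC:C2:9F:33:7C:B4:AD:C9:4B:3E:22:34:9D"))
```

The useful operational rule is the MISMATCH branch: a changed fingerprint after a planned certificate rotation is expected, and the new value should be distributed to clients from the administrator rather than accepted at the prompt; a changed fingerprint with no rotation is the case the DNS/DHCP line on the network slide is warning about.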
15
Annotate Bug (#74317)
Found by a Citrix developer
• Attempting to write some automation
• Large block of “random” data seen with ‘p4 annotate’
• Text file with one line longer than 10,000 characters
“random” is actually parts of p4d’s memory
• Usually database structures
Patched in
• 2015.2 Patch 3
• 2015.1 Patch 13
• 2014.2 Patch 12
• 2014.1 Patch 20
16
Physical Security
Server Room/Lab
• Door security, key, swipe?
• Access policy, who can open the door?
Racks
• Locked by key, combination
Servers
• Case intrusion prevention
• Disk drives locked
Disposal
17
Monitoring
Infrastructure Monitoring
• Nagios XI
Log Monitoring
• Nagios Log Server
18
19
Monitoring
IP Threat Analysis
• Helix Threat Detection
20
What if a user syncs code?
21
Virtual Desktops from a Datacenter
22
Do you have a secure Helix, now?
Secure Helix… Done!