[rudder-dev] Strengthen the integrity of the node policy if using Relays

Benoit Peccatte benoit.peccatte at normation.com
Wed Mar 15 12:20:34 CET 2017


On 14/03/2017 at 10:16, Janos Mattyasovszky wrote:
> Hi dear Rudder Community,
>
> _The issue:_
> The policy generated by the Root server is transmitted encrypted via 
> the Relay servers, but this provides only transport encryption between 
> the endpoints, and the Relays basically are by-design MITM hosts, 
> which have the ability to modify policy files and reports going back 
> through them (the inventories are signed, so they would break). This 
> requires that every relay has a high need for /integrity/, since there 
> is no real way to determine, from a Rudder-Root-Server point of view, if 
> any of the relays behaves rogue and injects bogus policy and modifies 
> the reports stream back to represent that all nodes are good, even if 
> they are not and are executing an attacker-provided modified policy.
>
> _Proposed solution:_
> Use cryptographic signature on the generated policy with the Root 
> Server's RSA key.
>
> With the usage of PKI a client can validate the policy received from 
> the Master before executing it by trusting the public key of it. This 
> would require the pubkey of the Root Server to be known to the Nodes. 
> Currently if you have any Relays in between, they become the effective 
> policy server for the nodes, and the nodes will not know anything 
> about the Relay not being the root server (they just behave identically, 
> as if they were connected to a root server, from the POV of an 
> end-of-the-leaf node).

Does that mean you think the signature should be done by the relay?

>
> By using a logic like "trust on first use", where the root server 
> includes its pubkey in any policy being generated, and then the node 
> would trust the first key that it would receive if it has no policy 
> yet, it could establish a trust until a "rudder agent reset/reinit" 
> would be issued. After that the node could verify any further policy 
> by checking the signature of a file containing the hashes of all the 
> policy files.
>
> This would work as long as the nodes are not connecting initially to a 
> compromised relay, or if the Pubkey of the Root Server is also 
> deployed out-of-band at the time the rudder-agent package is installed 
> and policy_server.dat is configured, so basically the node has already 
> an initial knowledge of the root server's pubkey, and would as of that 
> only trust policy signed by that root server, regardless of the path 
> the policy would travel.

Distributing the public key out of band is a possibility; distributing a 
CA and checking signatures may be better for long-term key management.
This CA could be managed locally by Rudder or be managed by Normation 
for its clients.

>
> This would raise the overall security level and reduce the 
> criticality of a relay to "only" require /confidentiality/, since any 
> compromise would in the worst case result in the nodes behind a relay not 
> executing the compromised policy and in the relay faking the 
> expected reports the nodes would have to send through the relays, so 
> we'd go from "/compromising all nodes below the relay to execute our 
> code/" down to "/cutting off the nodes from any new policy update 
> without being detected by the Root server/", which is still a great 
> improvement, and if you have out-of-Rudder monitoring for policy 
> updates (#7282), you could detect this by having nodes not receiving 
> policy updates as scheduled.
>
> A second step could be not to send the reports via unencrypted UDP 
> Syslog, but use the same method as sending the inventories: one file 
> with the current run's reports, signed by the node's key; this would 
> also solve the issue of not being able to detect any compromised relay.

We took a step forward toward having signatures everywhere: since 4.1 we 
have a relay API to share files between hosts. This API uses the same 
signature mechanism as inventories, which is checked everywhere.
This API could also be used in place of syslog to transmit signed 
reporting to the server.

>
> Thanks for reading,
>
> Best Regards,
> Janos Mattyasovszky
>


-- 
Benoît Peccatte
Architecte
Normation <http://www.normation.com>
87, Rue de Turbigo, 75003 Paris, France
Phone: +33 (0)1 85 08 48 96
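The scheme proposed in this thread, a manifest of policy-file hashes signed with the root server's RSA key, pinned by the node on first use or provisioned out of band, is shown below as an added example. It is not Rudder's code and does not claim to match how Rudder implements policy signing; the manifest format (one "<sha256 hex>  <path>" line per file, sorted by path), the use of RSA-PSS over SHA-256, the 2048-bit key size, the `Policy`/`Node` types and the sample policy files are all assumptions made for the demonstration. The three checks a node performs on a bundle that came through a relay are split into distinct errors so that each failure mode (file edited in flight, manifest re-signed with another key, signature that does not verify) can be reported separately.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Policy is the bundle of files the root server generates for one node: path -> content.
type Policy map[string][]byte

// Sentinel errors so a caller can tell the failure modes apart.
var (
	ErrKeyMismatch  = errors.New("root public key does not match the pinned key")
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrHashMismatch = errors.New("policy files do not match the signed manifest")
)

// NewRootKey generates the root server's RSA key (2048 bits is an assumption of this example).
func NewRootKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// BuildManifest lists the SHA-256 of every policy file, one "<hex>  <path>" line per file,
// in sorted path order so the same bundle always yields the same bytes to sign.
func BuildManifest(p Policy) []byte {
	paths := make([]string, 0, len(p))
	for path := range p {
		paths = append(paths, path)
	}
	sort.Strings(paths)
	var buf bytes.Buffer
	for _, path := range paths {
		sum := sha256.Sum256(p[path])
		fmt.Fprintf(&buf, "%x  %s\n", sum, path)
	}
	return buf.Bytes()
}

// SignManifest signs the manifest with the root key (RSA-PSS over SHA-256).
func SignManifest(root *rsa.PrivateKey, manifest []byte) ([]byte, error) {
	digest := sha256.Sum256(manifest)
	return rsa.SignPSS(rand.Reader, root, crypto.SHA256, digest[:], nil)
}

// Node holds the root public key it trusts. A nil key means "not yet pinned":
// the node will pin the first key that validates a full bundle (trust on first use).
type Node struct {
	pinned *rsa.PublicKey
}

// NewNode models out-of-band provisioning when given a key, or TOFU when given nil.
func NewNode(provisioned *rsa.PublicKey) *Node { return &Node{pinned: provisioned} }

func samePublicKey(a, b *rsa.PublicKey) bool {
	return a.E == b.E && a.N.Cmp(b.N) == 0
}

// ApplyPolicy is what a node runs on a bundle that arrived through a relay. It returns nil
// only when the manifest verifies under the trusted root key and every file matches it;
// anything changed in flight (a file, the manifest, or the claimed root key) is rejected.
func (n *Node) ApplyPolicy(claimedRoot *rsa.PublicKey, manifest, sig []byte, p Policy) error {
	trusted := n.pinned
	if trusted == nil {
		trusted = claimedRoot // first contact: provisionally use the key shipped with the policy
	} else if !samePublicKey(trusted, claimedRoot) {
		return ErrKeyMismatch
	}
	digest := sha256.Sum256(manifest)
	if err := rsa.VerifyPSS(trusted, crypto.SHA256, digest[:], sig, nil); err != nil {
		return ErrBadSignature
	}
	if !bytes.Equal(BuildManifest(p), manifest) {
		return ErrHashMismatch
	}
	n.pinned = trusted // pin only after a fully valid first bundle
	return nil
}

func main() {
	root := NewRootKey()
	// Constructed sample policy; not real Rudder policy content.
	policy := Policy{"rudder.json": []byte(`{"run_interval": 5}`), "promises.cf": []byte("bundle agent main { }\n")}
	manifest := BuildManifest(policy)
	sig, _ := SignManifest(root, manifest)

	node := NewNode(nil)
	fmt.Println("bundle forwarded unchanged:  ", node.ApplyPolicy(&root.PublicKey, manifest, sig, policy))
	edited := Policy{"rudder.json": policy["rudder.json"], "promises.cf": []byte("bundle agent main { changed }\n")}
	fmt.Println("relay edited a file:         ", node.ApplyPolicy(&root.PublicKey, manifest, sig, edited))
	other := NewRootKey()
	otherManifest := BuildManifest(edited)
	otherSig, _ := SignManifest(other, otherManifest)
	fmt.Println("relay re-signed with own key:", node.ApplyPolicy(&other.PublicKey, otherManifest, otherSig, edited))
}
```

As the thread notes, TOFU only protects a node whose first contact was not through a compromised relay; a node constructed with `NewNode(&root.PublicKey)` models the out-of-band provisioning alternative, where a bundle signed by any other key is rejected from the very first run.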