ACM.105 Limiting outbound access to a list of IP addresses represented by a single rule
This is a continuation of my series on Automating Cybersecurity Metrics.
In the last post we looked at how an EIPAssociation could resolve some dependency issues with the deployment and deletion scripts that we ran into while trying to deploy a new security group with an AWS-managed prefix list to an EC2 instance.
We created the security group with the AWS-managed prefix lists to allow network access to an AWS service in the post before that.
But what if you want to get to a different type of service that requires access to many different IP addresses, like S3 does, but isn't an AWS service?
You can create your own prefix list on AWS to point to a set of IP addresses. It's almost as if you can create and use a domain name, but not quite. AWS doesn't support domain names in security group rules (or NACL rules, but you can use them with AWS Firewall).
By the way, I preface this with …I really hope AWS and Github (Microsoft) make this easier soon, without charging more money.
If you read all the way to the end (it's long because of all the issues getting this working) you will see that although this is a good solution, it doesn't solve all our problems with GitHub — topics I cover with customers on IANS Research consulting calls.
Why restrict access to Github in outbound networking?
What if we want to allow our developer machine to access GitHub to download code but we don't want to allow access to the entire Internet? Before I answer that question, let me answer the question of WHY you would want to do this. It's so complicated. Networking is a pain. We have IAM and authentication, so why bother?
Tell me how authentication or IAM helps you in the event that malware gets onto your EC2 instance and is communicating with a C2 channel on another network — or even on another AWS host controlled by an attacker? It doesn't. If you don't know what a C2 channel is, it's how attackers "call home" or communicate with the attacker's server. I wrote about that topic in my book at the bottom of this post, among others.
Restricting network access helps us limit the damage that malware on our systems can do. It also hopefully triggers alerts when the rejected network traffic hits our logs in unexpected places (excluding the noise you'll get from hosts directly connected to the Internet). I'm talking about the traffic coming out of your host triggering rejects. Either something is misconfigured or someone is trying to do something they shouldn't.
Again, I'll mention that this solution is usually not sufficient for large organizations that want to protect the IP in their source code repositories and prevent code exfiltration, but it's better than what a lot of companies and developers are doing at the moment. So it's a step in the right direction.
Github IP Ranges
The first thing we need to figure out is the list of GitHub IP addresses to which we need to provide access. Luckily GitHub provides this to us. If they didn't, it might be impossible to figure out. Sometimes companies have IP ranges allocated to them but they use cloud services and content delivery networks (CDNs) that make it impossible to create networking rules. Thanks, Github.
Here's how you can get the GitHub IP addresses. They're available from the GitHub meta API endpoint (https://api.github.com/meta), similar to the list of AWS IP ranges.
Currently the documentation includes the following warning:
For our purposes this list should be sufficient.
Here is one of the challenges when tracking a vendor IP range to add to your firewall. Github doesn't alert you if they change their IP ranges:
We make changes to our IP addresses from time to time. We do not recommend allowing by IP address, however if you use these IP ranges we strongly encourage regular monitoring of our API.
What happens if the IP ranges change and you aren't monitoring them? Well, if someone else came along and used an IP that was dropped for something nefarious, that would be the worst scenario. The other is that your connections to GitHub would fail.
Let's consider the first scenario. Take a look at the GitHub IP ranges. I already know just by looking at them that most of them are owned by Microsoft:
You can look up the owners of IP addresses on ARIN and the related regional registries, as I've written about in other blog posts:
This one I didn't immediately recognize. It's owned by GitHub (acquired by Microsoft):
I'm pretty sure that every IP in this list is going to be owned by Microsoft. If you're at a large organization and need to be very specific you can vet that. You could write your code to ensure no IP addresses are added to the list that aren't owned by Microsoft. In that case, it's highly likely that even if an IP is switched to a different purpose internally at Microsoft it won't be something malicious. I think we're pretty safe there.
In terms of not being able to access services, it will be important to monitor for changes and failures and update our prefix list if we detect a change.
The other problem we need to consider is ending up pointing at the wrong list of IP addresses when we add them to our prefix list. You'll want to make sure you use TLS to access the list. TLS (the successor of SSL) ensures your traffic is encrypted and validates that you reach the correct host for a domain name.
Prefix List properties
How can we use the GitHub list to create our prefix list? First of all I need a list of IP addresses. Let's see what format it needs to be in to go into our prefix list and what limits we may have.
AddressFamily — should really be "version" — and as I've explained before I'm only using IPv4.
Entries — these are our IP addresses. There's a limit of 100. We'll need to consider that in our design. An entry consists of a required CIDR and an optional description.
MaxEntries — It's not clear why this is required but it is. It seems like the max entries should be 100, no? We'll just set it to 100.
PrefixListName — We can name our list without using tags, luckily. The name can't start with com.amazonaws. It would probably make sense to name our list starting with com.github.
Get the list of GitHub CIDRs
Back to the GitHub list, how many entries do we have? Over 100? Could it increase to over 100? Let's grab the IPs and count them. I can use curl to grab the list:
curl https://api.github.com/meta
Now, I don't want the headings or the IPv6 addresses. How can I fix that?
Let's use grep to only get lines with a "." and a "/" in them.
To grep lines with a /:
curl https://api.github.com/meta | grep "/"
The period is a bit more complicated as it's a special character, so we'll need to escape it:
curl https://api.github.com/meta | grep "/" | grep "\."
Closer, but we don't want quotes, commas, or spaces.
We can use sed to remove those:
curl https://api.github.com/meta | grep "/" | grep "\." | sed 's/"//g' | sed 's/ //g' | sed 's/,//g'
I'm sure there's a way to make that shorter but this makes it easier to see what we're doing. Select every line with a slash. Select every line out of those results with a period. Replace double quotes, replace spaces, replace commas with nothing.
We can write a quick script to count the values:
Ouch. Over 2000 CIDRs.
Maybe there are some duplicates. Add sort and uniq.
Not many. There are still over 2000 CIDRs.
Microsoft really has not made this easy on us, have they?
Reducing the number of GitHub IPs we require
Well, we could try to consolidate these CIDRs into fewer CIDRs. I wrote about that here:
We could also try to reduce the number by excluding services that we aren't going to use. Run this command to get the list of GitHub services (the [ has to be escaped or grep treats it as the start of a bracket expression):
$ curl https://api.github.com/meta | grep ': \['
Well, I know that I need the git IPs. I’m not sure about the rest but I know I definitely don’t need or want actions right now. I’ll just start with git and add more ranges when I need them. We can choose all the IPs after “git” and before “packages” to get the list we want.
Now we're down to 20 IPs.
Be aware, by the way, that there is a rate limit when using the Github API. 🙂 I may have hit it…
Now we need to convert our values to a list that works with CloudFormation. Initially I thought I could just create a list but that doesn’t work as we have to create each entry in the format above. Unfortunate because it makes things much more complicated.
Here’s how I grepped a comma separated list of IPs.
Remove the count. Replace end of line with a comma and space.
I’ve got two problems left — the curl output and an extraneous comma.
Add -s to the curl command to suppress the curl progress output. Add one more sed at the end to remove the last character.
And now we have a comma separated list of CIDRs.
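As an added example (not the post's get_github_ips function), the same extraction written as reusable shell functions: pick one section of the meta JSON by name, keep only IPv4 CIDRs, deduplicate, and compare the result with a snapshot from the previous run, which is the "regular monitoring" GitHub asks for above. The sample JSON, the snapshot and the section name are constructed; the real input is curl -s https://api.github.com/meta.

```shell
#!/bin/sh
# Added example, not the post's get_github_ips: one section's IPv4 CIDRs out of
# the api.github.com/meta JSON, deduplicated, diffed against the last run's
# snapshot so a change in GitHub's ranges is noticed, not silently applied.
export LC_ALL=C   # byte-order collation so sort and comm agree

# Constructed sample in the shape of the real response: IPv4 and IPv6 CIDRs, one
# duplicate, and neighbouring sections whose addresses must not be picked up.
SAMPLE_META='{
  "verifiable_password_authentication": false,
  "hooks": [
    "192.0.2.0/24"
  ],
  "git": [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "2001:db8::/64",
    "198.51.100.0/25",
    "203.0.113.8/29"
  ],
  "actions": [
    "203.0.113.128/25"
  ],
  "packages": [
    "192.0.2.0/24"
  ]
}'

# github_section_ipv4 SECTION   (meta JSON on stdin)
# Print the IPv4 CIDRs under "SECTION": [ ... ], sorted and deduplicated. awk
# tracks whether it is inside the wanted array instead of relying on which
# sections come before and after it, so a reordered response cannot hand us
# another service's ranges.
github_section_ipv4() {
  awk -v want="\"$1\": [" '
    index($0, want) { inside = 1; next }    # opening line of the wanted array
    inside && /\]/  { inside = 0 }          # closing bracket ends it
    inside {
      gsub(/[", \t]/, "")                   # strip quotes, commas, whitespace
      if ($0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) print   # IPv4 only
    }' | sort -u
}

# count_cidrs: lines on stdin as a bare number (wc pads with spaces on some systems)
count_cidrs() { wc -l | tr -d ' '; }

# cidr_drift SNAPSHOT_FILE   (current sorted list on stdin)
# Print "+cidr" for each range GitHub added and "-cidr" for each it dropped since
# the snapshot. Returns 0 when nothing changed and 1 otherwise, so a scheduled
# job can alert and regenerate the prefix list only when the ranges move.
cidr_drift() {
  current=$(mktemp)
  cat > "$current"
  changes=$( { comm -13 "$1" "$current" | sed 's/^/+/'
               comm -23 "$1" "$current" | sed 's/^/-/'; } )
  rm -f "$current"
  [ -n "$changes" ] || return 0
  printf '%s\n' "$changes"
  return 1
}

# Demo: a constructed snapshot from an earlier run that lacks one range now
# published and still holds one that has since been dropped.
demo() {
  snap=$(mktemp)
  printf '%s\n' "192.0.2.0/24" "198.51.100.0/25" "203.0.113.200/29" > "$snap"
  n=$(printf '%s\n' "$SAMPLE_META" | github_section_ipv4 git | count_cidrs)
  echo "git section: $n IPv4 CIDRs (prefix list limit is 100)"
  printf '%s\n' "$SAMPLE_META" | github_section_ipv4 git | cidr_drift "$snap" \
    || echo "ranges changed: regenerate the prefix list"
  rm -f "$snap"
}
demo
```

Keep the snapshot file from each successful deployment and run the drift check on a schedule; a non-zero exit is the signal to rebuild the prefix list and to look at the added ranges before trusting them.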
Using our IP list
We can move this code into a function that we can call when creating our customer-managed prefix list:
Now create a function to create the prefix list.
Create the CloudFormation template:
Update the deploy.sh script to deploy the prefix list.
Well, my prefix list failed to deploy.
It is at this point I realized I had missed the Entry format I posted above.
Now I’m stuck. We might be able to do something like this with Transform:
But as I already mentioned I am trying to avoid S3. I would have to automate an S3 bucket deployment and go over all the security settings and options, some of which I haven’t even gotten to yet in this series. It’s like putting the cart before the horse as we say in the US.
It was at this point when I stepped away from my computer for a bit and when I got back my stack was still stuck in this state:
That’s a bug. Something I did caused a problem. I don’t remember what it was.
Just out of curiosity I tried passing this value in as a parameter to the CloudFormation template: “Cidr: 1.1.1.1/32”. After overcoming some issues with bash spaces again, I got this error:
['1.1.1.1/32,'] value passed to --parameter-overrides must be of format Key=Value
I didn't really expect that to work but it was worth a shot. I don't really want to explain S3 bucket security and automation. That's coming later. What are my options? I can write a script to generate the CIDR portion of my template for now, use that in a hard-coded template, and fix it later.
I could also just use the AWS CLI:
Let's try that.
I always like to skip to and look at the examples:
Back to getting the github IPs. We want to end up with this format:
Cidr=10.0.0.0/16,Description=vpc-a Cidr=10.2.0.0/16,Description=vpc-b
We are going to just add the same description for all the IPs for now: "github-git", so for each CIDR we'll need this line with a space between each entry.
Cidr=x.x.x.x/xx,Description=github-git
Back to our get_github_ips function. We can pretty easily alter this to return the string we want. We need to restore the end of line characters so we can loop through each line, then concatenate the correct value for each line.
I then ran get_github_ips alone to see the output and it looks right:
Now we can just concatenate the command string we want to execute using that:
c="aws ec2 create-managed-prefix-list
--address-family IPv4
--max-entries 10
--entries $entries
--prefix-list-name $listname"
Then call it like this (eval runs the assembled string as a command; $(c) would try to run a program named c):
eval "$c"
But what problems will we have when we try to use this approach? The next time we go to execute this script the list will already exist. We have to take some additional steps:
- Determine if the list already exists.
- Delete the list if it exists.
- Then run our create command.
That's one of the nice things CloudFormation does for us. Also, if we create this list outside of CloudFormation we can't easily audit it along with all our other AWS resources. Enforcing that everything is created through CloudFormation when possible will make your security and probably DevOps teams' jobs easier.
Creating a CloudFormation template on the fly
One other option I have would be to generate the whole CloudFormation template on the fly. I just generated code on the command line to generate a command. That is kind of a painful approach.
I could have the template with placeholders in a tmp file and then replace the values to create the CloudFormation template using sed.
To create the entries we can create a new function that looks like this:
Running the function independently we can confirm we get the results we want:
I make a copy of PrefixList.yaml for now and call it PrefixList.tmp. Notice I have placeholders for name and ips.
Create a new function to replace these values. While testing I'm not going to repeatedly call the Github list function and use up my quota. I can test with hardcoded values initially and just print the output to the screen.
My variables are placed in the correct locations:
OK, let's replace them with the actual values, output to the template and then deploy it. I'm going to move all this into one function. We need to add some extra slashes for sed to work properly and then replace our temp values with our variables. Make sure to put quotes around $entries or the new lines will not process correctly. Also, in the sed command below I replaced the default delimiter (/) with * because the entries string has slashes in it.
That worked but I noticed my entries are misaligned.
We can resolve this by moving the placeholder to the start of the line in the template:
Add the required spaces when we concatenate our entries:
A bit hokey, but it works:
Now output the results to a template and execute the template. Note that I renamed the template to be specific to Github at the top and use a variable to avoid typos. I remove the template file if it exists so I know my changes are getting deployed. If the file doesn't exist, something went wrong.
Finally! That works and the template is deployed. We can see the ID for the prefix list below that we can use in our security group rules to allow access to GitHub.
We can head over to the VPC dashboard and find our prefix list here. I didn't end up giving it a name with a "." in it because that caused problems, due to the fact that we can't use a "." in some of our other names because of inconsistent AWS naming conventions. I wrote about that in a much earlier post in this series. We chose a naming format that works across services and in our CloudFormation stack names.
Add the prefix list to our security group rules
Add the new Egress rule to the Developer security group.
Redeploy the developer security group.
Next problem. Even though I'm only adding two rules to this security group, we're still hitting the limit on rules per security group.
Apparently, although I only have two rules, the number of rules is calculated from the number of CIDRs the prefix list represents. Based on experience this could definitely cause a problem later if we want to continue to build a zero-trust network. The source of this problem isn't zero-trust networking; it has to do with vendors designing services that require you to open up your network to so many different IP ranges and ports.
We can get around this problem in various ways by redesigning our network and how developers access source control systems and deployment pipelines. I'm not going to go into all the options here but for now I'm going to create two different security groups — one for GitHub and one for S3 — to resolve this problem.
Run these two commands:
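As an added example (not the post's own deploy.sh or PrefixList.tmp), the template generation described above done in one shell function: the entries are rendered with their own indentation, the placeholders are filled without the sed delimiter and backslash juggling, and MaxEntries is set to the actual entry count, since AWS turned out to count MaxEntries rather than the entries present against the security group rule quota. The template, placeholder names, stack name and CIDRs are constructed for the example.

```shell
#!/bin/sh
# Added example, not the post's deploy.sh: render the prefix list template from a
# placeholder file, with indented entries and MaxEntries set to the real count.
# Everything below (template, placeholder names, stack name, CIDRs) is constructed.
set -e
export LC_ALL=C

# Stand-in for PrefixList.tmp. The entries placeholder sits at column 0, as the
# post ended up doing, so the generated block supplies its own indentation.
TEMPLATE='AWSTemplateFormatVersion: "2010-09-09"
Description: Customer-managed prefix list for GitHub git endpoints
Resources:
  GitHubPrefixList:
    Type: AWS::EC2::PrefixList
    Properties:
      PrefixListName: PLACEHOLDER_NAME
      AddressFamily: IPv4
      MaxEntries: PLACEHOLDER_MAX
      Entries:
PLACEHOLDER_ENTRIES
Outputs:
  PrefixListId:
    Value: !Ref GitHubPrefixList'

# Constructed CIDR list, one per line, as the git-section extraction yields it.
GIT_CIDRS='192.0.2.0/24
198.51.100.0/25
203.0.113.8/29'

# yaml_entries DESCRIPTION   (CIDRs on stdin)
# One Cidr/Description pair per line that looks like an IPv4 CIDR, indented to
# sit under "Entries:" above. Anything else on stdin is dropped, never emitted.
yaml_entries() {
  awk -v desc="$1" '/^[0-9.]+\/[0-9]+$/ {
    printf "        - Cidr: %s\n          Description: %s\n", $0, desc }'
}

# render_template NAME DESCRIPTION   (CIDRs on stdin; YAML on stdout)
# Refuses an empty list or one over the 100-entry prefix list limit. MaxEntries
# is set to the entry count: the post found AWS counts MaxEntries, not the CIDRs
# present, against the 60 rules a security group allows per direction, so a
# generous MaxEntries silently eats the quota. Warn when it would exceed that.
render_template() {
  entries=$(yaml_entries "$2")
  count=$(printf '%s\n' "$entries" | grep -c 'Cidr:' || true)
  if [ "$count" -lt 1 ] || [ "$count" -gt 100 ]; then
    echo "render_template: $count entries, a prefix list needs 1..100" >&2
    return 1
  fi
  if [ "$count" -gt 60 ]; then
    echo "warning: MaxEntries $count exceeds one direction of a security group" >&2
  fi
  # awk instead of sed: a multi-line replacement needs no escaping of "/" or
  # newlines, which is what forced the post to switch sed's delimiter to "*".
  printf '%s\n' "$TEMPLATE" | awk -v name="$1" -v max="$count" -v entries="$entries" '
    /^PLACEHOLDER_ENTRIES$/ { print entries; next }
    { sub(/PLACEHOLDER_NAME/, name); sub(/PLACEHOLDER_MAX/, max); print }'
}

# entry_count FILE: CIDRs actually written to a rendered template, to check the
# deployed list against the MaxEntries that was set.
entry_count() { grep -c 'Cidr:' "$1" || true; }

# Demo: render to a file the deploy step would consume.
demo() {
  out=$(mktemp)
  printf '%s\n' "$GIT_CIDRS" | render_template github-git github-git > "$out"
  echo "rendered $(entry_count "$out") entries to $out"
  # aws cloudformation deploy --template-file "$out" --stack-name github-prefix-list
  rm -f "$out"
}
demo
```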
mv Developer.yaml Github.yaml
cp Github.yaml S3.yaml
Modify the Github.yaml file to remove the S3 rule and parameter:
Modify the S3.yaml file to only include the S3 rule:
For right now I'll just modify the function that deploys the developer security group to deploy both sets of rules.
There's probably a way to make this more generic but for right now I'm going to change the function that deploys the developer security group into a function to deploy the S3 security group, since it needs an extra parameter for the S3 prefix:
I can use the generic security group deployment for the GitHub group. I'll add code to deploy both security groups to deploy.sh.
Now what I realized is that I'm still getting the same error — maximum number of rules — for the GitHub security group. I only have 20 rules in my Prefix List. You can add 60 inbound and 60 outbound rules (total of 120) to a security group. What's going on??
The only thing I can guess is that I set the maximum entries in my prefix list to 100. Let's change that to 50 and see what happens.
One thing I forgot here is that you have to change the template tmp file that's used to create the above template or your change will simply be overwritten:
I personally find this error message particularly annoying. This error message requires a bunch of extra work for the customer that AWS should handle behind the scenes.
In my case I just deleted the stack and started over.
And..Are you serious? That fixed the problem.
First of all - why does the max entries property exist at all? Is it supposed to allow a customer to limit entries to 20 for NACLs and 60 for security groups or something? OK, let's say that is a valid property to add. Don't use that to calculate whether a prefix list exceeds the rule limit! Use the actual number of CIDRs in the prefix list. Please fix. #awswishlist.
I also deleted the Developer SG Rules stack as that's no longer required.
This is taking way too long, but that's not because it's "networking"; it's because of the way all this is implemented and the number of rules you have to add for vendors who don't consider firewall rules when designing systems.
And, they'll keep doing it until customers push them to change these practices.
Update the developer EC2 instance to use the new security groups
Next we have to update our EC2 instance to use the new security groups.
Head over to our EC2 code and update the code to add the two new security groups to our VM.
Redeploy.
Now, unfortunately, that change removed the EIP. We need to redeploy the EIP Association now (not the EIP, only the association).
And, delete the known_hosts file as we did before.
Test Github Clone again
When you try to test the git clone command again, you'll find that it fails. That's because the instance had to be recreated and all data on it was lost during that redeployment. EC2 instances are ephemeral. If you want to install software and keep it around you'll need to create a custom Amazon Machine Image (AMI) or store data on an EBS volume — two topics for another day.
Reinstall git. Add -y so you don't have to confirm. Also update the OS to get any security updates.
sudo yum update -y
sudo yum install git -y
Now try your git clone command again.
git clone https://github.com/tradichel/SecurityMetricsAutomation
And…it works. Finally!!
Potential CloudFormation fixes for the above problems
This post took WAY longer than I expected. That is how it goes when deploying to cloud environments a lot. 🙂 I'm used to it. But I wish things were easier.
It's unfortunate that we can't pass a list of CIDRs (without using an S3 bucket) to CloudFormation to create this list. Perhaps someone at AWS will read this. There are two potential solutions.
- Pass in a comma separated list of IPs if you don't have descriptions.
- Pass in a comma separated list of descriptions and a comma separated list of IPs — but that sounds error prone and has a "code smell." It's just not right.
- Perhaps a new "type" for CloudFormation is required that takes a Yaml or JSON snippet. That's complicated though because it would be harder to validate and could lead to security problems. Maybe if it was a well-defined type.
- Alternatively, don't force people to use an S3 bucket but rather allow them to include a list from a local file, as an "include" CloudFormation template. I could easily generate the portion of the template that defines the entries.
If you're thinking "what about custom functions in CloudFormation" — I wrote about that before. CloudFormation is really data that defines a configuration or describes resources. It's not executable code. Mixing the two is messy and not something a seasoned programmer typically does. You keep those two things separate. Adding executable code to CloudFormation is like adding executable code to XML or JSON. Not recommended. It lets pentesters and attackers like me do bad things. 🙂
Fixes by Vendors to reduce network rules
Rather than blame networking for being hard, let's direct the blame to the appropriate source. Vendors need to design networking to minimize the number of rules customers have to add to firewalls to access their services. Period. This requires thoughtful network design.
If a customer truly has to access services all over the world, perhaps they need many different IP ranges. However, if I only need to access S3 in one region, there should be one, maybe two CIDRs for that and I should be able to point to only those through a domain name or prefix list.
Same for GitHub. Why do I need 20 different CIDRs to access Github, and that's just for git? Then for all the other services I have to add 2000 CIDR ranges? Come on. That's ridiculous. Reduce those CIDRs for the customer instead of making me do the calculations to reduce that number.
I hope vendors will start being more considerate of their customers when it comes to networking instead of telling customers they don't need firewall rules anymore — when those rules and the associated network logging are one of the best ways to tell if you have been breached. They also prevent a myriad of attacks better than authentication alone.
This post is a perfect example of the problems caused by too many network rules and overly complicated networking requirements.
Things this solution doesn't solve
As you can see in this post, I was able to pull down code from a public GitHub repository. Although you can restrict access to GitHub, you can't restrict access to a specific repository this way. That is why larger companies, or companies concerned about developers either exfiltrating intellectual property or downloading random code with malware, use alternatives. But for a small company concerned with malware establishing C2 channels, this can help (presuming they can't establish a C2 channel using Github!)
Alright…this post took way too long.
Stay tuned as we try to add a VPC endpoint …finally… for this host to access CloudFormation, and let's see what happens to our existing access.
Teri Radichel
© 2nd Sight Lab 2022
Author:
Cybersecurity for Executives in the Age of Cloud on Amazon