Metre - Border Guard for XMPP Security Domains

Video in TIB AV-Portal: Metre - Border Guard for XMPP Security Domains

CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Metre is an XMPP server, but not one that serves XMPP. Instead, it lives in the nether regions between servers - being a Man In The Middle by design and intent - filtering and securing traffic as required. Metre supports pretty well every bell, whistle, and in fact any other musical instrument of XMPP server-to-server security. It then filters traffic, drops stanzas you don't want, eliding it totally on occasion. It'll throw your traffic over TLS, over DANE, over SATCOM. It'll log it all. It'll protect your autonomous security domain.
Right, hello everybody. I'm Dave Cridland and I work for a company called Surevine, and they pay for me to come here, so I might as well put their logo on things. So Surevine do secure collaboration with people who really, really care about security, which is what draws me into this kind of area, but this is mostly just a hobby project that I've developed and we've taken on as a bit of a product.

So XMPP looks a bit like this on a sort of network diagram: you have clients which talk to servers, and servers talk to other servers. If we add in another client it looks much the same, but you see that clients don't talk to clients; it's only that servers talk to servers. If you add in another domain then you get... please admire these lines, they took me ages, the blinky lines using CSS animation; the animation is really impressive, I thought so. And you get domains talking to domains talking to domains, a full mesh, and the clients just hang off particular servers. But the problem with this is it's not a really sensible view of the world, because these two domains are both Montague; they're both probably on the same physical server, so in fact they're probably the same process, let alone the same organization. So the way that I tend to think about XMPP is like this: you have a set of, if we're going to use posh language, autonomous security domains, which within them operate their own security policy. They set the rules; the clients live within those, the servers live within those, everything. And then they have borders, and they send traffic past those borders, in this case Capulet sending to Verona and House Montague. It took ages of Shakespearean research to figure out a third one there. And that's what Metre is. Well, I like to call it a borderline server, but marketing told me that I can't. So maybe it's an east-west proxy; a server-to-server proxy is one way of looking at it; a border gateway, although that's possibly a bit misleading; an SBC in SIP terms, but XMPP doesn't have those; and a perimeter filter is another way of looking at it. There is another way of looking at it, but we don't mention that. So where does it fit in this diagram? Because I need to put it in the diagram somewhere, and the answer is, well, it kind of doesn't, because this diagram doesn't change. What we're doing is Metre lives in these lines here, in these boxes; it acts as the border, it acts as the perimeter.

So Capulet's servers, however many it has, connect to Metre as if it's Montague. They don't really care; they're just connecting out. So Openfire, Prosody, both have overrides to let you do this very, very nicely and simply. Metre then pretends to be Capulet as it connects to Montague's servers, so it is fronting Capulet. I don't like that word "pretends", though, because it implies that it's doing something wrong, and there's lots of words that sound really wrong here: spoofs, fakes, masquerades; all of these have to go. What it's doing is it authenticates as Capulet to Montague; it's legitimately acting that way.

So a quick reminder of how authentication works in server-to-server XMPP, because not everyone will remember this straight off and it's a bit complicated. Originally we had dialback, and that was our first attempt at security in server-to-server, and it looks roughly like this: you've got two connections. One connection comes in and says hello, you know, hey Bob; the receiving server then connects back to the originating server and just checks that it's the right connection, and if it is then we're all good. Dialback is reliant on DNS, and here's an alternative-fact quote from Trump explaining how good DNS is. DNS can be spoofed; there are problems there. We never had a problem in the XMPP network as far as I'm aware, but it's not good to rely on it. So maybe we should do DNSSEC, secure DNS; basically it's TLS for DNS, I don't know, call it what you like. It means that you can rely on the DNS data to a cryptographic level, and this gives us something called securely derived reference identifiers, which are to do with... it's not TLS, it's signing, hush now. So for TLS in XMPP terms we always have to check the certificate for the domain and not the host, unless we've got DNSSEC, at which point it's the host as well, unless there's DANE, at which point it might be neither, or we might be doing something else with fingerprinting entirely. So there's a lot of variations there.

TLS with XMPP is opportunistic. We use the STARTTLS model, which was sort of pioneered by IMAP, as I'm sure you're all familiar with IMAP; I like to slip IMAP into every talk. Except that we've actually developed a quite recent spec, XEP-0368, where it looks more like HTTPS, where it operates on a separate port. So there again, a lot of variations. Sorry, I did these slides last night when I was drunk.

So Metre supports a selection of standards, as well as the basic XMPP, and I'm sure you all know what all of these are. So XEP-0220 is dialback, XEP-0344 is dialback with TLS, then there's XEP-0361, that's SATCOM, XMPP over SATCOM; Metre supports that as well for low bandwidth situations. XEP-0368 we've mentioned, immediate mode TLS. RFC 6125, TLS PKIX, a rather obscure one because nobody seems to reference it; it's quite useful. 4033 to 4035 is DNSSEC, 5280 is PKIX, and CRLs: we have to do CRL checking, what's that? And then we've got DANE and DANE SRV. So there's quite a lot there.

And the other features it can do are lots and lots and lots of per-domain controls, so that you can tweak the cipher lists for particular domains, you can tweak the DH parameter length for particular domains if you want, as well as whether you're enforcing TLS or not. It also handles DNS overrides. Oh, I should really have logged out, you know; say hello to Chris. So DNS overrides allow you to override what server it's connecting to, and everyone's coming online, I really should have thought of that before. It allows you to inject SRV records, and it allows you to inject TLSA records so that you can do certificate pinning via injected DANE records if you want, which is again quite useful.

A quick trip around the internals. How am I doing for time? Okay, a quick trip around the internals. It's written in C++11 with bits of 14 as I gradually got familiar with them, so that might give you some idea of how long I've been working on this now. All of the code and all of its operations are assumed to be security sensitive, which has certain implications on the design. It's assumed that it is internet-facing; it is assumed that it is right on the perimeter; it does assume that every configuration option has a security impact. It's designed to be sysadmin friendly; it doesn't have users, users don't connect to it. It's designed to be support friendly, so that Surevine can build support contracts. And once all of those are dealt with, it is designed to be very, very fast at switching stanzas, XMPP's sort of packet equivalent.

To go through a bit more detail, there you go. Why I picked C++11: because it's really nice, no other reason really. Security: there is no web interface, it's just a straightforward flat config file; you edit it, with operating system security. And there isn't even any SIGHUP support, because when I looked at it, to work out exactly which connections had to be restarted for a given config change I simply thought was too high-risk, so that's gone. It does have pretty terrible testing, I will admit that; if any of you are Google Summer of Code students I would love to see some approaches to a test framework for this. On the other hand the code is very carefully statically analyzed and it's exploratory tested fairly well. But as far as sysadmin friendly goes, well, XML config file, do we like XML? I don't know, I like it. It has smart cascading defaults, so changing a global will have an effect on the other dependent settings to make them the sensible default given the global, this sort of thing. It also has a runtime config, I'll come on to that, but at the moment that's where it really comes into its own when you're dealing with support. So by a runtime config I mean: the config file that it reads in, it will then write out the entire configuration into a file. This is actually an example of part of the config file, the screen's not wide enough, but you'll see that not only does it write out all the settings, including any defaults, any derived settings, so it includes, like, the fact that we're checking PKIX status and this sort of thing; it also includes comments about the configuration. So in order to figure out exactly what your running configuration really is, you have a complete snapshot of it, including any referenced certificates, keys, the whole lot, put in the data directory so that you can find it and examine it and, yeah, potentially examine it for changes.

So fast switching means very few buffer copies, very fast parsing. I use a fork of RapidXML which I've enhanced a bit, and one of the things that RapidXML allows us to do is skip XML reserialization. Reserialization is at least as slow as parsing, so if we can skip it we've skipped half the time. What I mean by this is: this is a stanza, and we've got what we tend to refer to as the stanza header, sort of the message tags themselves, and what we can do is we can extract this string here and simply copy it from one buffer to another. RapidXML allows us to do this. It makes it very, very fast to move stanzas from one interface to another, which keeps the latency nice and low.

So, as I say, I wrote these while I was drunk. And so what can we do now? Because we are sitting in this diagram on these edges; now that we're there and we've established the security between these at a basic communications level, what else can we do with this? So Metre has a concept of filters, which allow you to read in the stanzas as they're going through, perhaps choose to discard them, perhaps choose to create new ones so that we can respond to traffic before it hits the real server, and potentially alter them, only I haven't actually written the API for that, but you can always just discard and create new ones, so it's not a huge deal. The examples that I've got: the XMPP world has a problem with Russian spam at the moment, so just as a proof of concept I knocked out something that will look at Unicode code blocks and go, yeah, it contains this one, and I don't speak any Russian despite having Russian friends, and so I can drop those packets on the floor and my spam goes away. That's very, very nice, although quite brutal, but it's an interesting proof of concept. A slightly more interesting one is this: disco is the capability discovery mechanism in XMPP, and what we can do is, as disco requests come in for the discovery, we can hand back a previous discovery response, so that again that never passes through. Now this, in combination with a use of Metre in, for example, SATCOM, when you've got very slow links, can save quite a large amount of traffic. [Laughter]

And so what's on the roadmap? We've got the functionality, so what else can we do? We could actually suppress, maybe inject, client capabilities, which seems like a useful trick to be able to do. So instead of merely blocking, say, file transfer traffic, if you don't allow that across your perimeter, we might start saying, well, actually this client can't even do file transfer, don't offer it, which improves the user experience instead of simply blocking traffic. Other things we can do, speaking of file transfer: we can intercept, maybe bridge, so that we can inject file transfer proxies, things like this; strip out internal network addresses on those sessions; maybe even check files, maybe dump them and virus scan them on the way through. So we've got again a large number of options, things that you want to do on your perimeter. Finally, security labelling. Like I say, Surevine works in some high security environments, although we mostly use security labelling here in cyber threat intelligence and the enterprise world, and we've already got a complete security labelling implementation called Spiffing; I did a lightning talk on that last year. And so we can actually build in a policy enforcement point, check labels against clearances, exciting things like that, and we can do more than that. I'm really keen, if anybody is a potential Google Summer of Code student, I'm really keen to see what people can do with this. You would be working within the XMPP Standards Foundation, there's an umbrella group for Google Summer of Code, and if you're able to pitch in an idea I'm all ears. So with that, oh, I make it three minutes 20 seconds, are there any questions?

[Audience question] Have you done interop tests between Metre and other servers?

Well, there is only one of them I know, and you develop it, I know, so you can answer that question yourself, which would be: not yet. But I have discussed this, in fact, and he said yes, so yeah, that's very much on the cards. Yes, much as we'd like to have the entire pie, obviously if we don't we should at least interoperate. Indeed, yeah, very much so. I mean, I run Metre in production protecting my own server, so I'm confident that it works with a wide range of servers, but yeah, formal interop testing, particularly with the SATCOM and labelling, yeah, absolutely. Okay, and I really should have put the GitHub repository on here, shouldn't I? It is open source; it would be really embarrassing coming here and talking about something that wasn't. So it's MIT licensed and it is on GitHub, within my GitHub; you can look for Metre, and my GitHub handle is dwd, Delta Whiskey Delta.

[Audience question] The issue that you don't see the remote IP, is that an issue or something you would like to solve? I mean, this is a perimeter, you don't see the remote...

I know, you don't. That's because you will see Metre's address from the inside. It's only a problem if you're trying to do perimeter security on the inside, but I'm assuming you'd do the perimeter security within Metre, so I'm thinking not. God, I've got one minute 13 seconds. I guess... I think you've made up some time. [Applause]
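Two of the filter behaviours described in the talk, the Cyrillic spam drop and handing back a cached disco#info response at the border, as an added Python example (Metre itself is C++; this is not its code or its API); the stanzas, JIDs and feature name are constructed samples.

```python
import copy
import unicodedata
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_DISCO = "http://jabber.org/protocol/disco#info"

def has_cyrillic(text):
    # Unicode character names carry the block name, e.g. "CYRILLIC SMALL LETTER A"
    return any("CYRILLIC" in unicodedata.name(ch, "") for ch in text)

class PerimeterFilter:
    def __init__(self):
        self.disco_cache = {}  # (jid, node) -> <query/> from an earlier result

    def process(self, stanza_xml):
        """Return ('forward', xml), ('drop', None) or ('reply', xml)."""
        el = ET.fromstring(stanza_xml)
        kind, typ = el.tag.rsplit("}", 1)[-1], el.get("type")  # strip namespace
        if kind == "message":
            body = el.find("{%s}body" % NS_CLIENT)
            if body is not None and body.text and has_cyrillic(body.text):
                return ("drop", None)  # coarse anti-spam proof of concept
        elif kind == "iq":
            query = el.find("{%s}query" % NS_DISCO)
            if query is not None and typ == "result":  # learn what the peer advertises
                self.disco_cache[(el.get("from"), query.get("node"))] = copy.deepcopy(query)
            elif query is not None and typ == "get":
                cached = self.disco_cache.get((el.get("to"), query.get("node")))
                if cached is not None:  # answer from the border, swapping addressing
                    reply = ET.Element("iq", {"type": "result"})
                    for attr, src in (("id", "id"), ("from", "to"), ("to", "from")):
                        if el.get(src) is not None:
                            reply.set(attr, el.get(src))
                    reply.append(copy.deepcopy(cached))
                    return ("reply", ET.tostring(reply, encoding="unicode"))
        return ("forward", stanza_xml)

# Constructed sample stanzas (not real traffic); JIDs follow the talk's domains.
SPAM = '<message xmlns="jabber:client" to="juliet@capulet.example"><body>Привет! Заработок онлайн</body></message>'
HELLO = '<message xmlns="jabber:client" to="juliet@capulet.example"><body>Wherefore art thou?</body></message>'
DISCO_RESULT = ('<iq xmlns="jabber:client" type="result" id="d1" from="romeo@montague.example"'
                ' to="juliet@capulet.example"><query xmlns="%s">'
                '<feature var="urn:xmpp:jingle:1"/></query></iq>' % NS_DISCO)
DISCO_GET = ('<iq xmlns="jabber:client" type="get" id="d2" from="juliet@capulet.example"'
             ' to="romeo@montague.example"><query xmlns="%s"/></iq>' % NS_DISCO)

def run_demo():
    # Push the samples through one filter; returns the per-stanza decisions.
    f = PerimeterFilter()
    out = [f.process(s)[0] for s in (SPAM, HELLO, DISCO_RESULT)]
    kind, reply = f.process(DISCO_GET)
    r = ET.fromstring(reply)
    out.append((kind, r.get("id"), r.get("to"), r.find(".//{%s}feature" % NS_DISCO).get("var")))
    return out
```

The cached reply carries the requester's id and swapped to/from, so the real Montague server never sees the second disco#info get.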

