Iceman
A symmetric TLS library written in Python.
Overview
Icemicro provides solutions aimed at enabling secure docker container development. A key tenet of this is Transport Layer Security (TLS). The Icecube project realizes encrypted communication between docker containers. Using iptables, Icecube surfaces TCP and UDP packets into userspace. Using NetFilterQueue https://www.netfilter.org/ and Scapy http://www.secdev.org/projects/scapy/, Iceman encrypts, decrypts, and sets packet verdict decisions based on the configured transport layer protocol (TCP/UDP), crypto strategy, traffic direction (egress/ingress), and NetFilterQueue number.
Features
- TCP/UDP payload encryption
- variable crypto strategies
- egress/ingress traffic modes
- NetFilterQueue number variability
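The intercept flow described above, as an added stdlib-only sketch that is not Iceman's own code: the real project parses packets with Scapy and receives them from NetFilterQueue, which this example replaces with manual IPv4/UDP header handling and a constructed datagram. DemoStrategy is a hypothetical stand-in for the fernet strategy (it is not Fernet); the point it demonstrates is that egress encrypts the payload and re-checksums the packet, while ingress only passes a packet whose payload authenticates, so forged or plaintext ingress traffic gets a DROP verdict.

```python
import hashlib, hmac, os, struct
ACCEPT, DROP = "ACCEPT", "DROP"  # verdict names handed back to NetFilterQueue

class DemoStrategy:
    """Hypothetical stand-in for Iceman's 'fernet' strategy (not Fernet): per-packet random
    nonce, SHA-256 keystream, HMAC-SHA256 tag over nonce||ciphertext (encrypt-then-MAC)."""
    def __init__(self, preshared_key: bytes):
        self.key = hashlib.sha256(preshared_key).digest()
    def _xor(self, nonce, data):
        ks = b"".join(hashlib.sha256(self.key + nonce + struct.pack("!I", i)).digest()
                      for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, ks))
    def encrypt(self, plain):
        nonce = os.urandom(16)
        ct = self._xor(nonce, plain)
        return nonce + ct + hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
    def decrypt(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
        if len(blob) < 48 or not hmac.compare_digest(tag, expect):
            raise ValueError("authentication failed")  # forged or plaintext ingress payload
        return self._xor(nonce, ct)

def _csum(hdr):
    """RFC 1071 one's-complement checksum over an IPv4 header (checksum field zeroed)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_udp(src, dst, sport, dport, payload):
    """Constructed IPv4/UDP datagram used as sample input (UDP checksum 0 = disabled)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    return ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:] + udp

def intercept(raw, direction, strategy):
    """Egress encrypts, ingress decrypts the UDP payload; authentication failure -> DROP."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 17:                       # not UDP: pass through untouched
        return ACCEPT, raw
    ip, ports, payload = raw[:ihl], raw[ihl:ihl + 4], raw[ihl + 8:]
    try:
        payload = strategy.encrypt(payload) if direction == "egress" else strategy.decrypt(payload)
    except ValueError:
        return DROP, raw
    udp = ports + struct.pack("!HH", 8 + len(payload), 0)   # new UDP length, checksum off
    ip = ip[:2] + struct.pack("!H", ihl + len(udp) + len(payload)) + ip[4:10] + b"\0\0" + ip[12:]
    return ACCEPT, ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:] + udp + payload
```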
Getting Started
Prerequisites
Vagrant is used to provision an environment suitable for Iceman development. Iceman was designed to handle intercepted Transport Layer packets. To verify and validate Iceman, it is necessary to test it using the Vagrant environment.
For development:
- virtualbox https://www.virtualbox.org/wiki/Downloads
- vagrant https://www.vagrantup.com/downloads.html
Provision the development environment
$ ICEMAN_ENCRYPTION_ENABLED=True ICEMAN_PRESHARED_KEY=supersecret123 \
vagrant up --provision && \
vagrant ssh
Standalone VM Notes
This project was heavily modified to allow for easier setup and teardown via scripts.
For a normal VM, setup and teardown do not occur naturally. Some useful commands that were used:
- Useful for killing processes greater than a certain PID (extreme)
sudo kill -9 $(pgrep '(nginx|python)')
- Clean up dangling log files and supervisor/iptable configurations
sudo rm -rf /etc/supervisor/conf.d/*
sudo rm -rf /var/log/icecube/*
- log IP traffic
sudo iptables -A OUTPUT -j LOG
sudo iptables -A INPUT -j LOG
tailf /var/log/kern.log
- configure iptables (TODO double-check that the default path is right, locally it's a bit different for me -NS)
sudo /opt/icecube/iceman/iptables.sh (client|server) (up|down)
- startup in one command with options (from icecube folder) - assumes iptables have already been configured
cd iceman/ && python setup.py install && cd .. && . ./setup.sh [server]
Testing
ubuntu@ubuntu-xenial:~$ sudo -i
root@ubuntu-xenial:~# cd /vagrant
root@ubuntu-xenial:/vagrant# make test
root@ubuntu-xenial:/vagrant# make integration-tests
Iceman Examples
Installation from source
root@ubuntu-xenial:~# cd /vagrant
root@ubuntu-xenial:/vagrant# python setup.py install
Help
root@ubuntu-xenial:~# iceman --help
usage: iceman [-h] [-v] {intercept} ...
positional arguments:
{intercept} commands
optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
Version
root@ubuntu-xenial:~# iceman --version
0.0.2
Intercept Egress Traffic
Set up iptables to direct egress UDP traffic with destination port 10056 to NFQUEUE 0
root@ubuntu-xenial:~# iptables -t nat \
-A OUTPUT \
-p udp \
--dport 10056 \
-j NFQUEUE \
--queue-num 0
Intercept traffic using the fernet crypto strategy
root@ubuntu-xenial:~# iceman intercept \
-p udp \
-s fernet \
-t egress \
-q 0
Intercept Ingress Traffic
Set up iptables to direct ingress TCP traffic with destination port 5555 to NFQUEUE 1
root@ubuntu-xenial:~# iptables -t nat \
-A PREROUTING \
-p tcp \
--dport 5555 \
-j NFQUEUE \
--queue-num 1
Intercept traffic using the fernet crypto strategy
root@ubuntu-xenial:~# iceman intercept \
-p tcp \
-s fernet \
-t ingress \
-q 1
Requirements and Assumptions
Because Iceman issues packet verdicts, root privileges are required to run Iceman.
Apt packages:
- iptables
- libboost-python-dev
- libffi-dev
- libnetfilter-queue-dev
- libssl-dev
- net-tools
- nfqueue-bindings-python
- psmisc
- python-pip
- python-dev
- socat
- tcpdump
- wamerican
Note: these packages will be installed during the vagrant up --provision phase: https://github.com/icemicro/iceman/blob/master/provisioning/ansible/roles/common/tasks/main.yml
Installation
Iceman pip packages are hosted on PyPI: https://pypi.python.org/pypi/iceman
$ pip install iceman
Testing
The following command builds a docker container encapsulating Iceman dependencies and runs the test suite:
$ bash scripts/build.sh
Design
Contributing
- To submit an idea or suggestion, submit an issue.
Getting Help
For help with installation, suggestions, or to report a bug, please submit an issue.
Copyright and license
Copyright © 2017 Ironclad Encryption Corp. All rights reserved, except as follows. Code is released under the GNU General Public license Version 2. The README.md files are licensed under the Creative Commons Attribution 4.0 International License under the terms and conditions set forth in the file "license_docs.txt". You may obtain a duplicate copy of the same license, titled CC-BY-SA-4.0, at http://creativecommons.org/licenses/by/4.0/.