A symmetric TLS library written in python


Keywords
cipher, encryption, security
License
GPL-2.0
Install
pip install iceman==0.3.4

Documentation

Iceman

A symmetric TLS library written in python.

Overview

Icemicro provides solutions aimed at enabling secure Docker container development. A key tenet of this is Transport Layer Security (TLS). The Icecube project realizes encrypted communication between Docker containers. Using iptables, Icecube surfaces TCP and UDP packets into userspace. Using NetFilterQueue (https://www.netfilter.org/) and Scapy (http://www.secdev.org/projects/scapy/), Iceman encrypts, decrypts, and issues packet verdicts based on the configured transport layer protocol (TCP/UDP), crypto strategy, traffic direction (egress/ingress), and NetFilterQueue number.

Features

  • TCP/UDP payload encryption
  • variable crypto strategies
  • egress/ingress traffic modes
  • NetFilterQueue number variability
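The pipeline described in the Overview, as an added example that is not Iceman's own code: a stdlib-only model of one queue callback that takes an intercepted IPv4 packet, encrypts (egress) or decrypts (ingress) the UDP/TCP payload with a pluggable crypto strategy, fixes the length and checksum fields, and returns a verdict. Iceman itself reads packets from NetFilterQueue, parses them with Scapy and uses a Fernet strategy; here the parsing is hand-rolled and the strategy is an HMAC-SHA256 keystream with an HMAC tag, a stand-in chosen so the example runs without third-party packages. The verdict policy (pass other protocols unchanged, drop ingress packets that fail authentication), the sample packets, the ports and the pre-shared key value are all constructed for this example.

```python
# Added example (not Iceman's own code): stdlib-only model of the intercept pipeline.
import hashlib
import hmac
import os
import struct

ACCEPT, DROP = "ACCEPT", "DROP"  # stand-ins for the NetfilterQueue verdicts
PROTO_NUM = {"udp": 17, "tcp": 6}


class HmacStreamStrategy:
    """Encrypt-then-MAC strategy (stand-in for Fernet). Wire: nonce(16) || ciphertext || tag(32)."""
    NONCE, TAG = 16, 32

    def __init__(self, preshared_key: bytes):
        # Separate encryption and MAC keys derived from the pre-shared key.
        self.enc_key = hashlib.sha256(b"enc|" + preshared_key).digest()
        self.mac_key = hashlib.sha256(b"mac|" + preshared_key).digest()

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, ctr = bytearray(), 0
        while len(out) < n:  # HMAC(key, nonce || counter) blocks: a PRF run in counter mode
            out += hmac.new(self.enc_key, nonce + struct.pack("!Q", ctr), hashlib.sha256).digest()
            ctr += 1
        return bytes(out[:n])

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(self.NONCE)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return nonce + ct + hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()

    def decrypt(self, blob: bytes) -> bytes:
        if len(blob) < self.NONCE + self.TAG:
            raise ValueError("truncated ciphertext")
        nonce, ct, tag = blob[:self.NONCE], blob[self.NONCE:-self.TAG], blob[-self.TAG:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("authentication failed")  # tampered, truncated or wrong key
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


def _csum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over data whose checksum field is already valid."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def _l4_csum(src: bytes, dst: bytes, proto: int, seg: bytes) -> int:
    """TCP/UDP checksum over the IPv4 pseudo-header plus the whole segment."""
    return _csum(src + dst + struct.pack("!BBH", 0, proto, len(seg)) + seg)


def checksums_ok(pkt: bytes, proto: str) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    return _csum(pkt[:ihl]) == 0 and _l4_csum(pkt[12:16], pkt[16:20], PROTO_NUM[proto], pkt[ihl:]) == 0


def transform(raw: bytes, proto: str, direction: str, strategy) -> tuple:
    """One queue callback: returns (verdict, packet to reinject). Assumed policy: other
    protocols pass unchanged; ingress packets that fail authentication are dropped."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != PROTO_NUM[proto]:
        return ACCEPT, raw
    ihl = (raw[0] & 0x0F) * 4
    src, dst, l4 = raw[12:16], raw[16:20], raw[ihl:]
    if len(l4) < (8 if proto == "udp" else 20):
        return DROP, raw  # truncated transport header
    hlen = 8 if proto == "udp" else (l4[12] >> 4) * 4
    header, payload = l4[:hlen], l4[hlen:]
    if direction == "egress":
        payload = strategy.encrypt(payload)
    else:
        try:
            payload = strategy.decrypt(payload)
        except ValueError:
            return DROP, raw
    seg = bytearray(header + payload)
    if proto == "udp":  # new UDP length, then recompute the checksum (a computed 0 is sent as 0xFFFF)
        struct.pack_into("!HH", seg, 4, len(seg), 0)
        struct.pack_into("!H", seg, 6, _l4_csum(src, dst, 17, bytes(seg)) or 0xFFFF)
    else:
        struct.pack_into("!H", seg, 16, 0)
        struct.pack_into("!H", seg, 16, _l4_csum(src, dst, 6, bytes(seg)))
    ip = bytearray(raw[:ihl])
    struct.pack_into("!H", ip, 2, ihl + len(seg))  # new IPv4 total length
    struct.pack_into("!H", ip, 10, 0)
    struct.pack_into("!H", ip, 10, _csum(bytes(ip)))
    return ACCEPT, bytes(ip) + bytes(seg)


def make_packet(proto: str, payload: bytes) -> bytes:
    """Constructed sample: 10.0.0.2 -> 10.0.0.3 on the page's ports (UDP 10056, TCP 5555)."""
    if proto == "udp":
        l4 = struct.pack("!HHHH", 40000, 10056, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", 40000, 5555, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                               PROTO_NUM[proto], 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 3])))
    struct.pack_into("!H", ip, 10, _csum(bytes(ip)))
    return bytes(ip) + l4


def payload_of(pkt: bytes, proto: str) -> bytes:
    l4 = pkt[(pkt[0] & 0x0F) * 4:]
    return l4[8:] if proto == "udp" else l4[(l4[12] >> 4) * 4:]


def roundtrip(proto: str, payload: bytes, tamper: bool = False) -> tuple:
    """Egress interception on the client, ingress on the server, same constructed pre-shared key."""
    client, server = HmacStreamStrategy(b"supersecret123"), HmacStreamStrategy(b"supersecret123")
    verdict, wire = transform(make_packet(proto, payload), proto, "egress", client)
    assert verdict == ACCEPT and checksums_ok(wire, proto)
    if tamper:  # flip the last tag byte in flight
        wire = wire[:-1] + bytes([wire[-1] ^ 1])
    verdict, clear = transform(wire, proto, "ingress", server)
    return verdict, (payload_of(clear, proto) if verdict == ACCEPT else None)
```

The symmetric shape is what keeps TCP usable: the ingress side restores the original payload length, so both endpoints' sequence and acknowledgement numbers agree even though the segments on the wire carry the extra nonce and tag. The `tamper` path shows why the ingress verdict has to be DROP rather than ACCEPT on an authentication failure: anything else would deliver attacker-controlled bytes to the listening container.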

Getting Started

Prerequisites

Vagrant is used to provision an environment suitable for Iceman development. Because Iceman is designed to handle intercepted transport layer packets, verifying and validating it requires running the tests inside the Vagrant environment.

For development:

Provision the development environment

$ ICEMAN_ENCRYPTION_ENABLED=True ICEMAN_PRESHARED_KEY=supersecret123 \
  vagrant up --provision && \
  vagrant ssh

Standalone VM Notes

This project was heavily modified to allow for easier setup and teardown via scripts.

For a normal VM, setup and teardown do not happen automatically. Some useful commands that were used:

  • Kill every running nginx and python process (extreme)
sudo kill -9 $(pgrep '(nginx|python)')
  • Clean up dangling log files and supervisor/iptable configurations
sudo rm -rf  /etc/supervisor/conf.d/*
sudo rm -rf  /var/log/icecube/*
  • log IP traffic
sudo iptables -A OUTPUT -j LOG
sudo iptables -A INPUT -j LOG
tailf /var/log/kern.log
  • configure iptables (TODO double-check that the default path is right, locally it's a bit different for me -NS)
sudo /opt/icecube/iceman/iptables.sh (client|server) (up|down)
  • startup in one command with options (from icecube folder) - assumes iptables have already been configured
cd iceman/ && python setup.py install && cd .. && . ./setup.sh [server]

Testing

ubuntu@ubuntu-xenial:~$ sudo -i
root@ubuntu-xenial:~# cd /vagrant
root@ubuntu-xenial:/vagrant# make test
root@ubuntu-xenial:/vagrant# make integration-tests

Iceman Examples

Installation from source

root@ubuntu-xenial:~# cd /vagrant
root@ubuntu-xenial:/vagrant# python setup.py install

Help

root@ubuntu-xenial:~# iceman  --help
usage: iceman [-h] [-v] {intercept} ...

positional arguments:
  {intercept}    commands

optional arguments:
  -h, --help     show this help message and exit
  -v, --version  show program's version number and exit

Version

root@ubuntu-xenial:~# iceman --version
0.0.2

Intercept Egress Traffic

Set up iptables to direct egress UDP traffic with destination port 10056 into NFQUEUE 0

root@ubuntu-xenial:~# iptables -t nat \
  -A OUTPUT \
  -p udp \
  --dport 10056 \
  -j NFQUEUE \
  --queue-num 0

Intercept traffic using the fernet crypto strategy

root@ubuntu-xenial:~# iceman intercept \
  -p udp \
  -s fernet \
  -t egress \
  -q 0

Intercept Ingress Traffic

Set up iptables to direct ingress TCP traffic with destination port 5555 into NFQUEUE 1

root@ubuntu-xenial:~# iptables -t nat \
  -A PREROUTING \
  -p tcp \
  --dport 5555 \
  -j NFQUEUE \
  --queue-num 1

Intercept traffic using the fernet crypto strategy

root@ubuntu-xenial:~# iceman intercept \
  -p tcp \
  -s fernet \
  -t ingress \
  -q 1
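The two iptables rules above, and the `iptables.sh (client|server) (up|down)` helper mentioned in the Standalone VM Notes, as an added example that is not Iceman's own script: an idempotent up/down wrapper that checks for the rule with `-C` before appending or deleting it, so repeated "up" runs never stack duplicate rules and "down" never fails on an already clean table. `ICEMAN_IPT` (the iptables binary, useful for pointing the functions at a stub) and `ICEMAN_IPT_TABLE` are variables invented for this example. The table defaults to `nat` to match the page, but note the caveat from iptables(8): the nat table is consulted only for the packet that creates a new connection, so later packets of a flow that conntrack already knows would bypass the queue and leave the container unencrypted; for per-packet interception the mangle table is the usual choice, and setting `ICEMAN_IPT_TABLE=mangle` selects it here.

```shell
#!/bin/sh
# Added example, not Iceman's iptables.sh: idempotent up/down for the page's two NFQUEUE rules.
set -eu
IPT="${ICEMAN_IPT:-iptables}"            # assumption: lets a dry run substitute a stub
TABLE="${ICEMAN_IPT_TABLE:-nat}"         # page uses nat; mangle sees every packet of a flow

# nfq_chain <egress|ingress> -> the chain the page uses for that direction
nfq_chain() {
  case "$1" in
    egress)  echo OUTPUT ;;
    ingress) echo PREROUTING ;;
    *) echo "unknown direction: $1" >&2; return 1 ;;
  esac
}

# nfq_rule <up|down> <egress|ingress> <udp|tcp> <dport> <queue-num>
# Appends only if the rule is absent, deletes only if it is present.
nfq_rule() {
  action=$1; dir=$2; proto=$3; port=$4; queue=$5
  chain=$(nfq_chain "$dir") || return 1
  set -- -p "$proto" --dport "$port" -j NFQUEUE --queue-num "$queue"
  if "$IPT" -t "$TABLE" -C "$chain" "$@" 2>/dev/null; then present=0; else present=1; fi
  case "$action" in
    up)   [ "$present" -eq 0 ] || "$IPT" -t "$TABLE" -A "$chain" "$@" ;;
    down) [ "$present" -ne 0 ] || "$IPT" -t "$TABLE" -D "$chain" "$@" ;;
    *) echo "usage: nfq_rule up|down egress|ingress udp|tcp dport queue" >&2; return 1 ;;
  esac
}

# nfq_all <up|down>: both intercepts from the page (egress UDP 10056 -> queue 0,
# ingress TCP 5555 -> queue 1) in one call, mirroring iptables.sh up|down.
nfq_all() {
  nfq_rule "$1" egress  udp 10056 0
  nfq_rule "$1" ingress tcp 5555  1
}

[ "${1:-}" = "" ] || nfq_all "$1"
```

Run as root with `up` or `down`; with `ICEMAN_IPT=echo` it prints the iptables invocations instead of applying them, which is a convenient way to review the rule set before touching a live table.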

Requirements and Assumptions

Because Iceman issues packet verdicts, root privileges are required to run Iceman.

Apt packages:

  • iptables
  • libboost-python-dev
  • libffi-dev
  • libnetfilter-queue-dev
  • libssl-dev
  • net-tools
  • nfqueue-bindings-python
  • psmisc
  • python-pip
  • python-dev
  • socat
  • tcpdump
  • wamerican

Note: these packages will be installed during the vagrant up --provision phase: https://github.com/icemicro/iceman/blob/master/provisioning/ansible/roles/common/tasks/main.yml

Installation

Iceman pip packages are hosted on PyPI: https://pypi.python.org/pypi/iceman

$ pip install iceman

Testing

The following command builds a docker container encapsulating Iceman dependencies and runs the test suite:

$ bash scripts/build.sh

Design

Contributing

Getting Help

For help with installation, suggestions, or to report a bug, please submit an issue.

Copyright and license

Copyright © 2017 Ironclad Encryption Corp. All rights reserved, except as follows. Code is released under the GNU General Public License, Version 2. The README.md files are licensed under the Creative Commons Attribution 4.0 International License under the terms and conditions set forth in the file "license_docs.txt". You may obtain a duplicate copy of the same license, titled CC-BY-SA-4.0, at http://creativecommons.org/licenses/by/4.0/.