OpenStack Security Group: Status Update and Plans

Bryan Payne

April 18, 2013
Transcript

  1. OpenStack Security
    Group
    Status Update and Plans
    Bryan D. Payne
    [email protected]
    Robert Clark
    [email protected]

  2. Recap From Last Summit
    ● Discussed the need for a unified OpenStack security group
    ● Attempted to gather the relevant parties
    ○ Got a lot, happy for others to join
    ● Put forward a high level game plan

  3. OSSG Membership
    ● OSSG membership since the Grizzly summit

  4. Launchpad Group
    ● https://launchpad.net/~openstack-ossg
    ● Linked into other areas of launchpad
    ○ security tagged bugs
    ○ linked to security note work
    ● Provides email notification for the above

  5. Weekly Meetings
    ● https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity
    ● IRC Meetings
    ○ Started in Jan 2013
    ○ Thursdays at 18:00 UTC
    ○ 30 minute sync-up between OSSG members
    ● Minutes posted online

  6. Security Notes (OSNs)
    ● https://launchpad.net/osn
    ● Purpose of OSNs
    ○ Convey security best practice information
    ○ Timely
    ○ Complement CVEs
    ● OSNs to date
    ○ Security impact of Libvirt / LXC
    ○ Keystone request header size can lead to DoS
    ● More to come

  7. Volume Encryption
    ● Work done by team at JHU/APL
    ○ Will be included in Havana
    ● Transparent encryption of data at rest

  8. HTTPS Support in Clients
    ● Work done by Dean Troyer at Nebula
    ● Starting with (early 2013 release)
    ○ python-keystoneclient
    ○ python-glanceclient
    ○ python-novaclient
    ○ python-cinderclient
    ○ python-swiftclient
    ● Clients support
    ○ Proper hostname checking
    ○ Custom certificate chains
    ○ Full certificate validation
    ○ http://hackstack.org/x/blog/2012/12/21/securing-openstack-client-connections-part-2/
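    The three client-side properties listed on this slide, as an added example written here in Python (not code from the OpenStack clients or from the linked blog post): it builds an ssl.SSLContext that enforces hostname checking, full chain validation and an optional custom CA chain, a deliberately weak context for contrast, a small audit function, and an RFC 6125-style hostname matcher run over a constructed peer-certificate dictionary. The hostnames, the SAMPLE_CERT contents and all function names are assumptions of this example.

```python
import socket
import ssl
from typing import Dict, List, Optional

# Constructed sample in the dict layout returned by SSLSocket.getpeercert();
# the names are made up for this example.
SAMPLE_CERT: Dict = {
    "subject": ((("commonName", "keystone.example.com"),),),
    "subjectAltName": (
        ("DNS", "keystone.example.com"),
        ("DNS", "*.api.example.com"),
    ),
}


def make_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context with the three properties the slide lists."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True            # proper hostname checking
    ctx.verify_mode = ssl.CERT_REQUIRED  # full certificate validation
    if cafile is not None:
        # Custom certificate chain: trust only this bundle (e.g. a private CA)
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """A context that accepts any certificate; built only so audit_context()
    has a weak configuration to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the verification properties a context is missing (empty = good)."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED (chain not validated)")
    if not ctx.check_hostname:
        problems.append("check_hostname is False (certificate not tied to the host)")
    return problems


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, RFC 6125 style: a
    wildcard may only be the whole left-most label, matches exactly one label,
    and needs at least two fixed labels to its right."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False  # '*' never spans a dot
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """Is this peer certificate issued for hostname? Prefer subjectAltName and
    fall back to the subject commonName only when no SAN dNSName is present."""
    san_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        return any(_dns_name_matches(n, hostname) for n in san_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def connect_verified(host: str, port: int = 443, cafile: Optional[str] = None) -> str:
    """Open a verified TLS connection and return the negotiated protocol version.
    Needs network access, so it is not exercised offline; shown for usage."""
    ctx = make_client_context(cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # OpenSSL already validated chain and hostname during the handshake;
            # this re-check only demonstrates the matcher on a live certificate.
            if not hostname_matches(tls.getpeercert(), host):
                raise ssl.SSLCertVerificationError("hostname mismatch")
            return tls.version()
```

    The matcher deliberately refuses a wildcard with fewer than two fixed labels ("*.com") and a wildcard that would have to span a dot, which are the cases a too-loose check gets wrong; audit_context() is the kind of check to run over any context a client library hands back before trusting it.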

  9. Review Efforts
    ● Mailing list discussions
    ● Security tagging for bugs / PRs
    ○ Security tag on bugs (available today)
    ○ Security tag on gerrit (work in progress)
    ● Assistance on vulnerability reports

  10. OpenStack Security Mailing List
    ● Set up recently (early April)
    ● Facilitates security discussions
    ○ OSSG discussions
    ○ Meeting place for security discussions
    ○ Interactions with broader development community
    ● Fills a separate niche from openstack-dev
    [email protected]

  11. OSSG Challenges
    ● Rethinking security at all levels
    ○ Understand current state
    ○ Monitor, influence changes
    ○ Start small, but scale
    ● OpenStack expertise vs. Security expertise
    ○ OSSG has many security experts
    ○ OSSG has fewer OpenStack experts
    ○ Need more participation from core developers
    ● Time -- everyone is busy

  12. OpenStack Simplicity
    (diagram: Nova, Swift)

  13. Individual Services
    (diagram: Nova, Swift, Network, Glance, Keystone, Horizon, Cinder)

  14. Security Domains
    (diagram: the same seven services)

  15. Gated Interconnects
    (diagram: the same seven services)

  16. Map Data Paths
    (diagram: the same seven services)

  17. Good Job...?
    Secure Design Complete!

  18. Individual Services
    (diagram: the same seven services)

  19. Lots of Glue
    (diagram: the seven services plus DNS, Metering, Automation, Load Balancing, Monitoring, Billing, Databases, Orchestration, Alarming, Messaging, Account Maintenance, Certificate Authorities)

  20. Data Paths
    (diagram: the same services and glue components)

  21. Message Plumbing
    (diagram: the same services and glue components)

  22. Billing Plumbing
    (diagram: the same services and glue components)

  23. Alarm Plumbing
    (diagram: the same services and glue components)

  24. SSL Plumbing
    (diagram: the same services and glue components)

  25. Under Cloud Admin Plumbing
    (diagram: the same services and glue components)

  26. SO MUCH PLUMBING
    (diagram: the same services and glue components)

  27. PANIC ?

  28. KEEP
    CALM
    and
    CONTRIBUTE

  29. Where to start?

  30. OSSG Work In Progress
    ● Security Hardening Guide
    ● Recruiting
    ● OpenStack Security Notes
    ● Consultancy and Support
    ● Critical Code Review

  31. OpenStack Hardening Guide
    ● Initial project and templates
    ● Engaged with private, public and government agencies
    ● Documentation Sprint in June
    ● Security Awareness

  32. How You Can Help
    ● Get Involved!
    ○ Be our eyes & ears on core projects
    ○ Participate in weekly IRC meetings
    ○ Volunteer to help with security tasks
    ● Share your knowledge
    ○ OpenStack security?
    ○ Secure deployment options?
    ○ Architectural security concerns?
    ○ Please share what you know!

  33. Recruiting :: Enthusiasts
    ● Hardening Guide Reviewers
    ● Security Note Editors
    ● Issue Researchers
    ● Community Engagement
    ● Security Group Tooling

  34. Recruiting :: OpenStack Devs
    ● Code Review
    ● Design Review
    ● Security Blueprints
    ● Help with Patching
    ● Community Engagement

  35. Recruiting :: InfoSec Ninjas
    ● Threat Analysis
    ● Architectural Security Reviews
    ● Code Reviews
    ● Automated Code Review
    ● VMT Engagement
    ● Security Evangelism & Awareness

  36. Summary
    ● Documentation sprint in June
    ● Lots of work to be done
    ● Actively seeking more OSSG members
    ● Work with the community to improve all aspects of security in OpenStack

  37. Questions
    Bryan D. Payne
    [email protected]
    Robert Clark
    [email protected]