
Security for Private OpenStack Clouds

OpenStack Summit, Spring 2014. Private clouds are much more than just a public cloud behind a firewall. Private clouds reach into the enterprise and have deep integration with key shared infrastructure that is external to the cloud such as LDAP, Storage, VLANs, DNS, NTP, etc. Furthermore, private clouds have a different threat profile. Users may be from the same organization, but insider attacks and targeted external attacks motivate unique security solutions. https://www.youtube.com/watch?v=PAPMwGL3hkI

Bryan Payne

May 15, 2014

Transcript

  1. © 2014 Nebula, Inc. All rights reserved.
    (cloud) Computing for the Enterprise
    Security for Private OpenStack Clouds
    Bryan D. Payne
    May 12, 2014

  2. “Why Security Matters In A Private Cloud”

  3. Public | Private (comparison diagram)

  4. Diagram: the Private Network, connected to the Internet, with the shared enterprise infrastructure the cloud integrates with: Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI

  5. Diagram: the same shared enterprise services: Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI

  6. Diagram: the same shared enterprise services (Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI), with three points in the diagram labelled 1, 2, 3

  7. Threat actor pyramid (Source: OpenStack Security Guide): Intelligence Services, Serious Organized Crime, Highly Capable Groups, Motivated Individuals, Script Kiddies. Axes: Likelihood of Attack; Sophistication & Likelihood of Exploitation

  8. Attack-path diagram with the stages Initial Access, Touch Cloud, Exploit Cloud, Exploit Enterprise. Nodes: Compromise User System; Spear Phishing; Compromise Instance; VM Breakout; API Vuln; Dashboard Vuln; Access Cloud As Admin; Access Cloud As Outsider; Access Cloud As User; View Other Instances; Abuse Cloud Resources; View Data In Cloud; Modify LDAP; View External Data; Follow VLANs into Corp Net

  9. Known hardware and software + Orchestration = Security Opportunity

  10. Architecture diagram. Actors: Cloud Users / Administrators, Cloud Operators, External. Components: API Endpoints, Web Dashboard, Management and Control Plane Services, Compute Nodes (each running Instances), Storage Nodes. Further labels: Guest, Management, Data

  11. OpenStack Projects: “The Glue”

  12. Cloud Attack Vectors and Mitigation Strategies
    API Endpoints: service hardening, mandatory access controls, code audits
    Web Dashboard: CSP, expected domains, HTTPS, HSTS, allowed referrers
    Information Leakage: SSL/TLS, disable memory dedup, randomize resource assignment
    VM Breakout: service hardening, mandatory access controls, code audits
    Hardware Sharing: avoid bare metal instances, avoid device pass-through
    Default Images: secure and maintain default images
    Secondary Attacks: least privilege, mandatory access controls, SSL/TLS, strong auth

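The Web Dashboard row above lists controls that are visible in the dashboard's HTTP responses (HTTPS, HSTS, CSP, referrer handling). The following is an added example, not code from the deck or from Horizon, that audits a response header set for those controls; the two header sets and the 180-day HSTS threshold are constructed samples and an assumed policy, not captures from a real deployment.

```python
"""Audit a web dashboard's HTTP response headers for the controls the slide
lists for the Web Dashboard attack vector: HTTPS, HSTS, CSP and referrer
handling. Added example; not code from the original deck. The header sets
below are constructed samples, not captures from a real Horizon deployment."""

from typing import Dict, List

# Constructed sample: a weak response (plain HTTP, no HSTS, permissive CSP)
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}

# Constructed sample: the hardened counterpart
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

MIN_HSTS_MAX_AGE = 15552000  # 180 days; assumed policy threshold


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_max_age(value: str) -> int:
    """Return the max-age from an HSTS header value, or 0 if absent or invalid."""
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part[len("max-age="):])
            except ValueError:
                return 0
    return 0


def audit_dashboard_headers(headers: Dict[str, str], served_over_tls: bool) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    if not served_over_tls:
        findings.append("dashboard served without HTTPS")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append("Strict-Transport-Security max-age below %d" % MIN_HSTS_MAX_AGE)

    csp = h.get("content-security-policy")
    directives: Dict[str, List[str]] = {}
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        directives = parse_csp(csp)
        default_src = directives.get("default-src", [])
        if "*" in default_src:
            findings.append("CSP default-src allows any origin (*)")
        if "'unsafe-inline'" in default_src:
            findings.append("CSP default-src allows 'unsafe-inline'")

    # Clickjacking: need frame-ancestors in the CSP or a legacy X-Frame-Options header
    if "frame-ancestors" not in directives and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    return findings


if __name__ == "__main__":
    for finding in audit_dashboard_headers(WEAK_HEADERS, served_over_tls=False):
        print(finding)
```

The "expected domains" and "allowed referrers" items in the same row are server-side allow-lists (in a Django-based dashboard such as Horizon, the ALLOWED_HOSTS setting and CSRF referer checking) that never appear in a response header, so a header audit like this one only covers part of the row.
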
  13. © 2014 Nebula, Inc. All rights reserved.
    Threat: Information Leakage
    •  TLS for network services
    –  API endpoints
    –  Web dashboard
    –  Log feeds
    –  AD / LDAP
    –  External Storage
    •  Cross-VM attacks (timing, cache effects, etc.)

  14. © 2014 Nebula, Inc. All rights reserved.
    Threat: VM Breakout
    •  Mandatory access controls
    –  SELinux + KVM (sVirt)
    •  Build hardening
    –  Remove unused device models from QEMU
    –  Compiler hardening flags
    •  General Node Hardening
    –  De-privilege node, with respect to cloud
    –  Boot + Runtime attestation, SELinux, etc

  15. © 2014 Nebula, Inc. All rights reserved.
    Threat: Control Plane Compromise
    •  Layers of Security
    –  Firewall (bi-directional on control plane)
    –  Limit propagation of sensitive data
    –  Unique secrets everywhere
    –  Audit network service interface bindings
    –  TLS, SELinux, boot + runtime attestation
    •  Primary Focus: Limit damage from a bad actor on the control plane

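One of the layers listed on the slide above, "Audit network service interface bindings", is a check that can be automated. The following is an added example, not code from the deck: it reads `ss -H -lntp` style output and reports every listening socket that is bound more widely than a per-service policy allows. The management network 10.0.0.0/24, the POLICY table and the sample ss lines are all assumptions or constructed data, not from a real deployment.

```python
"""Audit which interfaces control-plane services are listening on, from the
output of `ss -H -lntp`. Added example; not code from the original deck.
The management network, the per-service policy and the sample ss output are
assumptions / constructed data, not from a real deployment."""

import ipaddress
import re
from typing import List, Optional, Tuple

# Assumed: the management network that backend services may listen on
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")

# Assumed policy: process name -> widest binding scope it may use.
# "loopback": only 127.0.0.1 / ::1;  "management": loopback or an address in MGMT_NET
POLICY = {
    "mysqld": "management",
    "beam.smp": "management",   # RabbitMQ broker
    "memcached": "loopback",
    "uwsgi": "management",      # e.g. an identity service under uWSGI
    "nova-api": "management",
}
ALLOWED_SCOPES = {"loopback": {"loopback"}, "management": {"loopback", "management"}}

# Constructed sample in `ss -H -lntp` format (one LISTEN socket per line)
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=1201,fd=20))
LISTEN 0 128 10.0.0.5:5672 0.0.0.0:* users:(("beam.smp",pid=1310,fd=30))
LISTEN 0 128 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=1402,fd=26))
LISTEN 0 4096 [::]:35357 [::]:* users:(("uwsgi",pid=1500,fd=6))
LISTEN 0 128 10.0.0.5:8774 0.0.0.0:* users:(("nova-api",pid=1600,fd=7))
LISTEN 0 128 0.0.0.0:8000 0.0.0.0:* users:(("python3",pid=1700,fd=3))
"""

PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss_line(line: str) -> Optional[Tuple[str, int, str]]:
    """Return (host, port, process) for a LISTEN line, or None if not parseable."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    host, _, port = fields[3].rpartition(":")
    host = host.strip("[]")            # "[::]" -> "::"
    m = PROC_RE.search(line)
    proc = m.group(1) if m else "unknown"
    return host, int(port), proc


def classify_bind(host: str) -> str:
    """Map a local address to wildcard / loopback / management / other."""
    if host in ("*", "0.0.0.0", "::"):
        return "wildcard"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.version == 4 and addr in MGMT_NET:
        return "management"
    return "other"


def audit_bindings(ss_output: str) -> List[str]:
    """Compare every listening socket against POLICY; return the violations."""
    findings: List[str] = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        host, port, proc = parsed
        scope = classify_bind(host)
        required = POLICY.get(proc)
        if required is None:
            # An unlisted service is itself a finding: the policy must be explicit
            findings.append(f"{proc} on {host}:{port}: no binding policy defined")
        elif scope not in ALLOWED_SCOPES[required]:
            findings.append(f"{proc} on {host}:{port}: bound to {scope}, policy requires {required}")
    return findings


if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_SS_OUTPUT):
        print(finding)
```

Run against the sample, the audit flags the database and the uWSGI service for listening on all interfaces and the unlisted python3 process for having no policy at all; a firewall that is bi-directional on the control plane, as the slide recommends, is the second layer behind this check rather than a replacement for it.
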
  16. © 2014 Nebula, Inc. All rights reserved.
    Threat: Vulnerabilities Upstream
    •  Targeted security audits
    –  Work closely with OpenStack and Linux communities
    •  Aggressive security update policies
    –  Cloud-specific triage process
    –  Be prepared to test and roll out quickly

  17. © 2014 Nebula, Inc. All rights reserved.
    Threat: Poor Entropy for Instances
    •  Mix entropy from multiple sources
    –  Hardware generated from multiple vendors
    •  Distribute securely / fairly
    –  Entropy stream distributed throughout cloud
    –  Available to all instances, using RNG Tools

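The slide above recommends mixing entropy from multiple hardware sources before distributing it to instances. The following is an added example, not code from the deck or from RNG Tools, showing the two properties a mixer needs: a hash-based combine, so that no single vendor's generator has to be trusted on its own, and a health check that drops a source whose sample looks stuck. The domain label, the sample bytes and the one-repeated-byte health test are constructed stand-ins; a real daemon such as rngd applies proper statistical tests.

```python
"""Mix entropy samples from several independent sources into one pool output
so that no single vendor's generator has to be trusted on its own, and reject a
source whose sample looks stuck. Added example; not code from the deck. The
sample bytes are constructed, and the health check is a deliberately simple
stand-in for the statistical tests a daemon such as rngd runs."""

import hashlib
from typing import List

DOMAIN = b"cloud-entropy-mix-v1"   # assumed domain-separation label

# Constructed samples standing in for reads from three hardware RNGs
SAMPLE_A = bytes(range(0, 16))
SAMPLE_B = bytes(range(16, 32))
STUCK = b"\x00" * 16               # a source that has stopped producing variation


def looks_stuck(sample: bytes) -> bool:
    """Crude health check: an empty sample or one made of a single repeated byte
    is treated as a stuck source and excluded from the mix."""
    return len(sample) == 0 or sample.count(sample[0:1]) == len(sample)


def healthy_sources(samples: List[bytes]) -> List[int]:
    """Indices of the samples that pass the health check."""
    return [i for i, s in enumerate(samples) if not looks_stuck(s)]


def mix_entropy(samples: List[bytes]) -> bytes:
    """Return 32 bytes derived from every healthy sample.

    Each sample is length-prefixed before hashing so the boundary between
    sources is unambiguous ([b"ab", b"c"] and [b"a", b"bc"] mix differently).
    Hashing, rather than XOR, means a correlated or adversarial source cannot
    cancel out a good one. Raises ValueError if no healthy source remains,
    which a caller should treat as "stop distributing" rather than fall back
    to a single source."""
    healthy = [samples[i] for i in healthy_sources(samples)]
    if not healthy:
        raise ValueError("no healthy entropy source")
    h = hashlib.sha256(DOMAIN)
    for s in healthy:
        h.update(len(s).to_bytes(4, "big"))
        h.update(s)
    return h.digest()


if __name__ == "__main__":
    print(mix_entropy([SAMPLE_A, SAMPLE_B, STUCK]).hex())
```
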
  18. Diagram: the shared enterprise services again: Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI

  19. Email: [email protected]
    Twitter: @bdpsecurity