Delivering Secure OpenStack IaaS for SaaS Products

CloudPassage
October 18, 2012

Delivered at OpenStack Summit 2012 by Andrew Hay


Transcript

  1. © 2012 CloudPassage Inc. Delivering Secure OpenStack IaaS for SaaS Products
     OpenStack Summit 2012 #cloudsec | #openstack
     Andrew Hay, Chief Evangelist, [email protected], twitter.com/andrewsmhay
  2. Who are you?
     • Andrew Hay, Chief Evangelist, CloudPassage
     • Former:
       – Industry Analyst @ 451 Research
       – Information Security Office @ UofL and a bank in Bermuda
       – Product, Program and Engineering Manager @ Q1 Labs
       – Linux guy at a few ISPs
  3. What does CloudPassage do?
     Security and compliance automation for public, private and hybrid cloud servers:
     Dynamic Cloud Firewall Automation, Two-Factor Authentication, Server Account Management, Server Security Events & Alerting, Server Vulnerability Scanning, System Integrity Monitoring & IDS
     ✓ Eliminates barriers to cloud hosting adoption
     ✓ Enables cloud hosting & IaaS compliance
     ✓ Purpose built for cloud from the ground up
  4. Topics for today
     • Overview of OpenStack security
     • OpenStack host security
     • Why the cloud makes security hard
     • How to secure OpenStack images
  5. OpenStack Security: Quantum
     • Quantum
       – Network connectivity as a service
       – From a flat, shared network to per-tenant routers with private networks
       – API to let 3rd-party vendors ‘plug in’
         • e.g. Nicira Network Virtualization Platform (NVP)
       – Supports virtual port isolation, virtual port mirroring, QoS, security profiles and detailed per-port statistics.
  6. OpenStack Security: Keystone
     • Keystone
       – Identity service used by OpenStack for authentication (authN) and high-level authorization (authZ)
       – Currently supports token-based authN and user-service authorization.
       – Recently re-architected to allow for expansion to support proxying external services and AuthN/AuthZ mechanisms
         • e.g. OAuth, SAML and OpenID in future versions.

     keystone user-create --name=nova \
                          --pass=Sekr3tPass \
                          --tenant_id=[the uuid of the tenant] \
                          --[email protected]
  7. OpenStack Security: Nova
     • Nova
       – Security groups
       – Firewall (iptables)
       – VLANs
       – Identity Management with Keystone

     $ nova secgroup-create openpub "Open for public"
     $ nova secgroup-add-rule openpub icmp -1 -1 0.0.0.0/0
     $ nova secgroup-add-rule openpub tcp 22 22 0.0.0.0/0
     nova-manage network create --num_networks=… --fixed_range_v4=…

     # This is the code for the python-keystoneclient script
     # Using token auth env variables
     export SERVICE_ENDPOINT=http://127.0.0.1:5000/v2.0/
     export SERVICE_TOKEN=secrete_token
     keystone user-list
     keystone tenant-create --name=demo

     # Using token auth flags
     keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ user-list
     keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ tenant-create --name=demo

     # Using user + password + tenant_name env variables
     export OS_USERNAME=admin
     export OS_PASSWORD=secrete
     export OS_TENANT_NAME=admin
     keystone user-list
     keystone tenant-create --name=demo

     # Using user + password + tenant_name flags
     keystone --username=admin --password=secrete --tenant_name=admin user-list
     keystone --username=admin --password=secrete --tenant_name=admin tenant-create --name=demo
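The "openpub" group on this slide opens SSH to the whole Internet, which is exactly the kind of rule the later "administrative access ONLY from trusted servers/clients" slide warns against. As an added example (not from the deck or from CloudPassage), here is a small POSIX shell audit that reads rules in the argument order of `nova secgroup-add-rule` (group, protocol, from-port, to-port, CIDR) and flags any rule exposing an administrative port to 0.0.0.0/0; the sample rules and the admin-port list are constructed here.

```shell
#!/bin/sh
# Added example, not CloudPassage's code: flag Nova security-group rules that
# open administrative ports to the Internet. Input lines are assumed to be
# "<group> <proto> <from-port> <to-port> <cidr>", the argument order of the
# deck's "nova secgroup-add-rule" commands.

# Constructed sample: the deck's "openpub" group plus a tighter "admin" group.
SAMPLE_RULES='openpub icmp -1 -1 0.0.0.0/0
openpub tcp 22 22 0.0.0.0/0
openpub tcp 80 80 0.0.0.0/0
admin tcp 22 22 10.20.0.0/24
admin tcp 3306 3306 0.0.0.0/0'

# Ports that should only be reachable from a trusted admin or app range
# (assumed list: SSH, MySQL, PostgreSQL, RDP).
ADMIN_PORTS="22 3306 5432 3389"

# Print one line per risky rule; return the number found (0 means clean).
audit_secgroup_rules() {  # audit_secgroup_rules "<rules text>"
    count=0
    while read -r group proto from to cidr; do
        [ -z "$group" ] && continue
        [ "$cidr" = "0.0.0.0/0" ] || continue            # only world-open rules
        [ "$proto" = "tcp" ] || [ "$proto" = "udp" ] || continue
        for p in $ADMIN_PORTS; do
            if [ "$from" -le "$p" ] && [ "$to" -ge "$p" ]; then
                echo "RISK: group '$group' exposes $proto/$p to the Internet (ports $from-$to)"
                count=$((count + 1))
                break                                     # one finding per rule
            fi
        done
    done <<EOF
$1
EOF
    return "$count"
}

if audit_secgroup_rules "$SAMPLE_RULES"; then
    echo "no risky rules"
fi
```

Feed it the rules of a real group (for example by reformatting `nova secgroup-list-rules` output into the same five columns) to get the same report on a live tenant.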
  8. Why Secure the Images?
     • “We have security groups, infrastructure firewall rules and Keystone for authentication so we don’t need to secure the images.” – OpenStack Admin with a Plan.
     “Everyone has a plan till they get punched in the mouth” – Mike Tyson
  9. Why Secure the Images?
     • Network-based security is only so good in multitenant clouds
     • The ultimate target is the endpoint
       – So secure it
     • You wouldn’t leave your doors unlocked…
       – Would you?
  10. Why Secure the Images?
      “Son, we live in a world that has walls, and those walls have to be guarded by men with guns. Who’s gonna do it? You? You, Lt. Weinberg?”
  11. No “Natural” Segmentation
      (diagram: a traditional network with firewall, DMZ and core tiers, beside a public cloud where DB, load balancer, auth server and app servers sit side by side with no tiers between them)
  12. Cloud Servers are More Exposed
      (diagram: public cloud with load balancer, app servers and DB master)
  13. DENY ALL – Helps & Hinders
      (diagram: the same public cloud tiers, each server now behind its own host firewall (FW))
  14. What About Complex Deployments?
      (diagram: public cloud with two load balancers, three app servers, DB master and DB slave, each with its own host firewall)
  15. What About Dynamic Deployments?
      (diagram: the same deployment with a new “App Server IP” appearing)
  16. From De-Provisioned to AHHH!!!
      (diagram: the same deployment after an app server is de-provisioned, with its “App Server IP” left outside the firewalled tiers)
  17. Imagine There’s No Network
      • It’s easy if you try…
      • We should protect our servers as if they are directly connected to the Internet
        – Because in some cases, they are.
  18. Why secure the OS?
      • A hardened OS is often the last line of defense in the event of a security compromise.
      • It is important to note that hardening is not a panacea for security.
        – It is just another layer in a good security model.
      • By definition, any machine that is accessible on a network and running services is potentially insecure.
        – (i.e. pretty much any server)
  19. Top 5 Easy Things to Start Securing Your OpenStack Images
      1. Disable unnecessary services
      2. Remove unneeded packages
      3. Restrict access to sensitive files & directories
      4. Remove insecure/default configurations
      5. Allow administrative access ONLY from trusted servers/clients
  20. Disable unnecessary services
      • Only what is needed…is needed
      • Shut down and disable unnecessary services
        – e.g. telnet, r-services, ftpd, etc.
  21. Remove unneeded packages
      • If it isn’t being used…why keep it?
      • If the server doesn’t need to serve web pages
        – Remove PHP, Apache/nginx
      • If it’s not a database server
        – Remove MySQL/PostgreSQL
  22. Restrict access to sensitive files & directories
      • Protect what’s important from prying/malicious eyes
      • Ensure file permissions restrict access to sensitive files and directories
        – E.g. /etc/shadow, /etc/ssh/sshd_config
        – E.g. /var/tmp/, /tmp/
  23. Remove insecure/default configurations
      • Disable password authentication for SSH
        – Force public key authentication
        – Also, disable empty passwords for users
      • SSH
        – Ensure only v2 protocol connections are allowed
      • Apache
        – Minimize loadable modules
        – Disable ServerTokens and ServerSignature directives
  24. Allow administrative access ONLY from trusted servers/clients
      • Leverage the firewall and other tools
        – Source of corporate network / admin network range
        – 3rd-party tools like fail2ban
      • Don’t allow ‘server hopping’
        – Most people use keys without passwords to make things easier
      • Facilitate on-demand access using two-factor authentication
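The SSH and Apache settings from step 4 of the Top 5 can be checked mechanically before an image is published, and again on running servers to catch drift. This added example (not CloudPassage's or the deck's code) is a POSIX shell audit that reads an sshd_config and an Apache config by path and reports every setting that is not at the hardened value; the two sample configs showing the weak defaults are constructed here.

```shell
#!/bin/sh
# Added example, not from the CloudPassage deck: audit an image's sshd_config
# and Apache config for the "insecure/default configuration" items above.
# Paths are parameters, so it can run against a mounted image root too.

# Constructed sample configs standing in for /etc/ssh/sshd_config and the
# Apache file carrying ServerTokens/ServerSignature; both show weak defaults.
WEAK_SSHD='Protocol 2,1
#PasswordAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords yes
PubkeyAuthentication yes'
WEAK_APACHE='ServerTokens OS
ServerSignature On'

# Effective value of a keyword: first uncommented occurrence wins (sshd
# semantics; assumed here for Apache too), printed lowercase for comparison.
conf_value() {  # conf_value FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Print a finding and return 1 when KEYWORD in FILE is not WANTED.
check_setting() {  # check_setting FILE KEYWORD WANTED
    got=$(conf_value "$1" "$2")
    if [ "$got" != "$3" ]; then
        echo "FINDING: $2 is '${got:-unset}' in $1, expected '$3'"
        return 1
    fi
}

# Run every check; return the number of findings (0 means hardened).
audit_image_configs() {  # audit_image_configs SSHD_CONF APACHE_CONF
    n=0
    check_setting "$1" Protocol 2 || n=$((n + 1))                 # SSH v2 only
    check_setting "$1" PasswordAuthentication no || n=$((n + 1))  # keys only
    check_setting "$1" PermitEmptyPasswords no || n=$((n + 1))
    check_setting "$1" PubkeyAuthentication yes || n=$((n + 1))
    check_setting "$2" ServerTokens prod || n=$((n + 1))          # no banner
    check_setting "$2" ServerSignature off || n=$((n + 1))
    return "$n"
}

tmp=$(mktemp -d)
printf '%s\n' "$WEAK_SSHD" > "$tmp/sshd_config"
printf '%s\n' "$WEAK_APACHE" > "$tmp/security.conf"
if audit_image_configs "$tmp/sshd_config" "$tmp/security.conf"; then
    echo "image configs look hardened"
fi
rm -rf "$tmp"
```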
  25. If only we had more time…
      • More documentation to review:
        – NIST SP800-123: Guide to General Server Security
          • http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
        – Halo Configuration Policy Rule Checks
          • http://support.cloudpassage.com/entries/22033142-configuration-policy-rule-checks
        – CIS Red Hat Enterprise Linux 6 Benchmark v1.1.0
          • http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.rhel6.110
        – NSA Security Configuration Guides
          • http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#linux2
  26. Number 6 – Employ Tools Designed for Cloud Environments
      • You’ve locked down your server based on the Top 5
        – And other guides
      • Now What?
      • Rely on tools built for continuous cloud security:
        Dynamic Cloud Firewall Automation, Two-Factor Authentication, Server Account Management, Server Security Events & Alerting, Server Vulnerability Scanning, System Integrity Monitoring & IDS
  27. Summary
      • Cloud deployments require a new approach to security
      • Get your house in order before adding tools on top
      • Use tools that work on/with/in cloud environments
  28. Summary++
      • Don’t be in such a rush to get to cloud that you trip yourself up…
  29. What does CloudPassage do? (repeat of slide 3)
  30. Try Halo FREE - 5 Minute Setup
      • Register at cloudpassage.com
      • Configure security policies in Halo web portal
      • Install daemons on cloud servers
      Free Trial!
  31. The End
      • Ask questions!
        – Lots more info: community.cloudpassage.com
        – Small bits of info: @cloudpassage
      • Tell me what you think!
        – Email: [email protected]
        – Twitter: @andrewsmhay
      • We’re hiring! Sales Engineers, cloud/security analysts, rails devs and UX devs
        – Email: [email protected]