Upload: openstack-foundation

Post on 20-Nov-2014


Page 1: Delivering Secure OpenStack IaaS for SaaS Products - OpenStack 2012.pptx

© 2012 CloudPassage Inc.

Delivering Secure OpenStack IaaS for SaaS Products

OpenStack Summit 2012
#cloudsec | #openstack

Andrew Hay, Chief Evangelist
[email protected]
twitter.com/andrewsmhay

Page 2

Who are you?

• Andrew Hay, Chief Evangelist, CloudPassage

• Former
  – Industry Analyst @ 451 Research
  – Information Security Office @ UofL and bank in Bermuda
  – Product, Program and Engineering Manager @ Q1 Labs
  – Linux guy at a few ISPs

Page 3

What does CloudPassage do?

Security and compliance automation for public, private and hybrid cloud servers:

Dynamic Cloud Firewall Automation
Two-Factor Authentication
Server Account Management
Server Security Events & Alerting
Server Vulnerability Scanning
System Integrity Monitoring & IDS

Eliminates barriers to cloud hosting adoption
Enables cloud hosting & IaaS compliance
Purpose built for cloud from the ground up

Page 4

Topics for today

Overview of OpenStack security

OpenStack host security

Why the cloud makes security hard

How to secure OpenStack images

Page 5

Core OpenStack Architecture

[Diagram: the core OpenStack services Horizon, Quantum, Nova, Cinder, Glance, Swift and Keystone]

Page 6

OpenStack Security: Quantum

• Quantum
  – Network connectivity as a service
  – From a flat, shared network to per-tenant routers with private networks
  – API to let 3rd party vendors ‘plug in’
    • e.g. Nicira Network Virtualization Platform (NVP)
  – Supports virtual port isolation, virtual port mirroring, QoS, security profiles and detailed per-port statistics.

Page 7

OpenStack Security: Keystone

• Keystone
  – Identity service used by OpenStack for authentication (authN) and high-level authorization (authZ)
  – Currently supports token-based authN and user-service authorization.
  – Recently re-architected to allow for expansion to support proxying external services and AuthN/AuthZ mechanisms
    • e.g. OAuth, SAML and OpenID in future versions.

keystone user-create --name=nova \
    --pass=Sekr3tPass \
    --tenant_id=[the uuid of the tenant] \
    --email=[email protected]

Page 8

OpenStack Security: Nova

• Nova
  – Security groups
  – Firewall (iptables)
  – VLANs
  – Identity Management with Keystone

$ nova secgroup-create openpub "Open for public"
$ nova secgroup-add-rule openpub icmp -1 -1 0.0.0.0/0
$ nova secgroup-add-rule openpub tcp 22 22 0.0.0.0/0

# nova-manage network create --num_networks=100 \
    --fixed_range_v4=172.16.100.0/24

# This is the code for the python-keystoneclient script
# Using token auth env variables
export SERVICE_ENDPOINT=http://127.0.0.1:5000/v2.0/
export SERVICE_TOKEN=secrete_token
keystone user-list
keystone tenant-create --name=demo

# Using token auth flags
keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ user-list
keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ tenant-create --name=demo

# Using user + password + tenant_name env variables
export OS_USERNAME=admin
export OS_PASSWORD=secrete
export OS_TENANT_NAME=admin
keystone user-list
keystone tenant-create --name=demo

# Using user + password + tenant_name flags
keystone --username=admin --password=secrete --tenant_name=admin user-list
keystone --username=admin --password=secrete --tenant_name=admin tenant-create --name=demo

Page 9

OpenStack Host Security…

Page 10

Why Secure the Images?

• “We have security groups, infrastructure firewall rules and Keystone for authentication so we don’t need to secure the images.” – OpenStack Admin with a Plan.

• “Everyone has a plan 'till they get punched in the mouth.” – Mike Tyson

Page 11

Why Secure the Images?

• Network-based security is only so good in multitenant clouds

• The ultimate target is the endpoint
  – So secure it

• You wouldn’t leave your doors unlocked…
  – Would you?

Page 12

Why Secure the Images?

“Son, we live in a world that has walls, and those walls have to be guarded by men with guns. Who's gonna do it? You? You, Lt. Weinberg?”

Page 13

No “Natural” Segmentation

[Diagram: a traditional datacenter with Firewall-separated dmz and core tiers (Load Balancer, Auth Server, App Server, DB) beside a public cloud where Load Balancer, App Server and DB sit together with no such boundary]

Page 14

Cloud Servers are More Exposed

[Diagram: public cloud with a Load Balancer, two App Servers and a DB Master, with no perimeter firewall in front of them]

Page 15

DENY ALL – Helps & Hinders

[Diagram: the same public cloud deployment with a host firewall (FW) on the Load Balancer, both App Servers and the DB Master; the admin's reaction: “&$#@$*@?!?!?”]

Page 16

What About Complex Deployments?

[Diagram: public cloud with two Load Balancers, three App Servers, a DB Master and a DB Slave, each behind its own host firewall (FW)]

Page 17

What About Dynamic Deployments?

[Diagram: the same deployment with an additional App Server and its IP appearing outside the firewalled group]

Page 18

From De-Provisioned to AHHH!!!

[Diagram: the same deployment after an App Server has been de-provisioned, its IP now outside the firewalled group]

Page 19

Securing OpenStack Nova Images

Page 20

Imagine There’s No Network

• It’s easy if you try…

• We should protect our servers as if they are directly connected to the Internet
  – Because in some cases, they are.

Page 21

Why secure the OS?

• A hardened OS often is the last line of defense in the event of a security compromise.

• It is important to note that hardening is not a panacea for security.
  – It is just another layer in a good security model.

• By definition, any machine that is accessible on a network and running services is potentially insecure.
  – (i.e. pretty much any server)

REDUCE ATTACK SURFACE AREA

Page 22

Top 5 Easy Things to Start Securing Your OpenStack Images

1. Disable unnecessary services
2. Remove unneeded packages
3. Restrict access to sensitive files & directories
4. Remove insecure/default configurations
5. Allow administrative access ONLY from trusted servers/clients

Page 23

Disable unnecessary services

• Only what is needed…is needed

• Shut down and disable unnecessary services
  – e.g. telnet, r-services, ftpd, etc.

Page 24

Remove unneeded packages

• If it isn’t being used…why keep it?

• If the server doesn’t need to serve web pages
  – Remove PHP, Apache/nginx

• If it’s not a database server
  – Remove MySQL/PostgreSQL

Page 25

Restrict access to sensitive files & directories

• Protect what’s important from prying/malicious eyes

• Ensure file permissions restrict access to sensitive files and directories
  – E.g. /etc/shadow, /etc/ssh/sshd_config
  – E.g. /var/tmp/, /tmp/

Page 26

Remove insecure/default configurations

• Disable password authentication for SSH
  – Force public key authentication
  – Also, disable empty passwords for users

• SSH
  – Ensure only v2 protocol connections are allowed

• Apache
  – Minimize loadable modules
  – Disable ServerTokens and ServerSignature directives

Page 27

Allow administrative access ONLY from trusted servers/clients

• Leverage the firewall and other tools
  – Source of corporate network / admin network range
  – 3rd-party tools like fail2ban

• Don’t allow ‘server hopping’
  – Most people use keys without passwords to make things easier

• Facilitate on-demand access using two-factor authentication
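As an added example (not from the slides or from CloudPassage), a POSIX sh audit of two of the Top 5 items above: the SSH directives named under "Remove insecure/default configurations" and the file permissions named under "Restrict access to sensitive files & directories". The directive list, the rule that an unset directive counts as a failure, and the constructed sample sshd_config are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original slides): audit an OpenStack image's
# sshd_config and sensitive-file permissions against the hardening items above.
# Paths are parameters so it can run against a mounted image root or a sample.

# check_directive FILE KEY EXPECTED -> 0 if the effective value matches.
# sshd honours the first occurrence of a keyword; case is ignored, comments are
# not, so a commented-out default ("#PasswordAuthentication yes") counts as unset.
check_directive() {
    actual=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]
}

# audit_sshd FILE -> prints one PASS/FAIL line per directive and returns the
# number of failures. Directives left at compiled-in defaults fail on purpose:
# the hardened value must be stated explicitly in the image, not assumed.
audit_sshd() {
    failures=0
    for pair in "PasswordAuthentication:no" "PubkeyAuthentication:yes" \
                "PermitEmptyPasswords:no" "Protocol:2"; do
        key=${pair%%:*}; want=${pair#*:}
        if check_directive "$1" "$key" "$want"; then
            echo "PASS $key $want"
        else
            echo "FAIL $key must be '$want' in $1"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# others_locked_out FILE -> 0 if "others" hold no r/w/x bits, i.e. the mode
# /etc/shadow or sshd_config should carry (parses ls -l, so it stays POSIX).
others_locked_out() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Constructed sample: a stock-looking sshd_config with insecure defaults left in.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Port 22
#PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords yes
Protocol 2,1
EOF
audit_sshd "$SAMPLE" || echo "$? check(s) failed"   # 3 check(s) failed
chmod 644 "$SAMPLE"
others_locked_out "$SAMPLE" || echo "FAIL $SAMPLE is readable by others"
rm -f "$SAMPLE"
```

Point the two functions at the image's real /etc/ssh/sshd_config and /etc/shadow (or the same paths under a mounted image root) to use it as a build-time gate.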

Page 28

What do we want?
Security!
Bieber!
Security!

Page 29

When do we want it?
Now!
Bieber!!!!
Now!

Page 30

How do we get it?
Ummm..
Kidnap!
Er, ah?

Page 31

Automate, automate, automate

• There exist numerous tools to help automate locking down a server

Page 32

If only we had more time…

• More documentation to review:
  – NIST SP800-123: Guide to General Server Security
    • http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
  – Halo Configuration Policy Rule Checks
    • http://support.cloudpassage.com/entries/22033142-configuration-policy-rule-checks
  – CIS Red Hat Enterprise Linux 6 Benchmark v1.1.0
    • http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.rhel6.110
  – NSA Security Configuration Guides
    • http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#linux2

Page 33

Number 6 – Employ Tools Designed for Cloud Environments

• You’ve locked down your server based on the Top 5
  – And other guides

• Now What?

• Rely on tools built for continuous cloud security:
  – Dynamic Cloud Firewall Automation
  – Two-Factor Authentication
  – Server Account Management
  – Server Security Events & Alerting
  – Server Vulnerability Scanning
  – System Integrity Monitoring & IDS

Page 34

Summary

Cloud deployments require a new approach to security

Get your house in order before adding tools on top

Use tools that work on/with/in cloud environments

Page 35

Summary++

• Don’t be in such a rush to get to cloud that you trip yourself up…

Page 36

Try Halo FREE - 5 Minute Setup

Register at cloudpassage.com
Configure security policies in Halo web portal
Install daemons on cloud servers

Free Trial!

Page 37

We Work Everywhere!

Any & All

Page 38

The End

• Ask questions!
  – Lots more info: community.cloudpassage.com
  – Small bits of info: @cloudpassage

• Tell me what you think!
  – Email: [email protected]
  – Twitter: @andrewsmhay

• We’re hiring! Sales Engineers, cloud/security analysts, rails devs and UX devs
  – Email: [email protected]

BTW, We’re Hiring!

Page 39

Thank You!

Andrew Hay
[email protected]
@andrewsmhay
@cloudpassage
#CloudSec | #OpenStack