Design and Deploy Secure Clouds for Financial Services – Use Cases
August 18, 2016
Copyright © PLUMgrid, Inc. 2011-2015
Introduction: Speakers
Justin Moore, Principal Solutions Architect, PLUMgrid
Joe Antkowiak, Sr. Solution Architect – OpenStack Tiger Team, Red Hat
Agenda: What will be covered today
1. OpenStack Infrastructure Security - Addressing Common Security Challenges using Red Hat OpenStack Platform
2. Security and compliance through automation and micro-segmentation with OpenStack and SDN
3. Micro-Segmentation Demo
OpenStack Infrastructure Security
Addressing Common Security Challenges using Red Hat OpenStack Platform
Joe Antkowiak, Sr. Solution Architect
August 18, 2016
Agenda
• Common OpenStack Infrastructure Security Challenges
• Addressing Challenges with Red Hat OpenStack Platform Director
• Addressing Challenges with Red Hat CloudForms
OpenStack Infrastructure Security: Common Challenges
• Many manual tasks
• Infrastructure secured post-deployment
• Detecting change and enforcing policy
• Maintaining secure configuration and policy when upgrading and scaling
OPENSTACK PLATFORM DIRECTOR: DAY 1 + SCALING/UPGRADING
Director is included in Red Hat OpenStack Platform
CLOUDFORMS: DAY 2 + LIFECYCLE
CloudForms is included in Red Hat OpenStack Platform
Red Hat OpenStack Platform Director
PLANNING: Network topology, Service parameters, Resource capacity
DEPLOYMENT: Deployment orchestration, Service configuration, Sanity checks
OPERATIONS: Updates and upgrades, Scaling up and down, Change management
Built on OpenStack Orchestration
OpenStack Platform Director (OSPd): Advantages for OpenStack Security
• USES OPENSTACK TO DEPLOY OPENSTACK: concepts applicable to workloads running on OpenStack are applicable to OpenStack itself
• IMAGE BASED: nodes installed from a customizable source image
• TEMPLATE BASED: customizable, reusable, repeatable use of Heat templates (YAML) to install, scale, and upgrade
OSP Director Image Customization: Image Customization Examples for Security
• KERNEL: deploy a custom kernel build, or a hardened kernel (with validation)
• PACKAGES: deploy specific package versions or additional packages
• LOCAL ACCOUNTS AND POLICIES: define custom local accounts and SELinux configuration
OSP Director Template-Based Deployment: Template-Based Configuration Examples for Security
• SSL/TLS ENABLED CONTROL PLANE AND ENDPOINTS: enable transport encryption on all control plane communication using your certificates
• AAA INTEGRATION: integrate with your AAA infrastructure (LDAP, Kerberos, etc.)
• SERVICES CONFIGURATION: configure logging, NTP, monitoring tools
Red Hat CloudForms: Unified Management for OpenStack
• Unified management and operations
• Complete lifecycle management
• Visibility and analytics
• Compliance and governance
• Integration and composability
CloudForms Compliance and Governance: Example Functions
• ANALYZE: automatically perform SmartState Analysis on OpenStack nodes and instances (agent-less)
• TRACK AND ALERT: report on changes and drift, automatically alert based on defined policy
• REMEDIATE: automatically kick off defined remediation or deeper inspection actions
CloudForms SmartState Analysis: Examples of Items Tracked
• PACKAGES AND FILES: package versions, new/changed files
• LOCAL USERS AND ACTIONS: user actions/commands, users and groups added or changed
• COMPONENT CHANGES: added or changed network interfaces, storage attached, new instances or containers running
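The analyze / track-and-alert / remediate loop described above can be illustrated with a small drift checker. The following is an added example, not CloudForms code or anything from the deck: it compares two inventory snapshots of one node (package versions, file hashes, local users and groups, the item classes the slides list) and maps each difference to a severity and an action through a policy table. The Snapshot type, the POLICY rows, and both snapshots are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Snapshot:
    """Agent-less inventory of one node, covering the item classes the deck lists as tracked."""
    node: str
    packages: dict        # package name -> installed version
    files: dict           # path -> content bytes; only the SHA-256 is kept and compared
    users: frozenset
    groups: frozenset


def _hashes(files):
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def diff_snapshots(baseline, current):
    """List every difference between a baseline and a later snapshot of the same node.

    Each entry is (kind, item, before, after); None means the item was absent on that side.
    """
    drift = []
    for name in sorted(set(baseline.packages) | set(current.packages)):
        before, after = baseline.packages.get(name), current.packages.get(name)
        if before != after:
            drift.append(("package", name, before, after))
    bh, ch = _hashes(baseline.files), _hashes(current.files)
    for path in sorted(set(bh) | set(ch)):
        if bh.get(path) != ch.get(path):
            drift.append(("file", path, bh.get(path), ch.get(path)))
    for kind, before, after in (("user", baseline.users, current.users),
                                ("group", baseline.groups, current.groups)):
        for name in sorted(after - before):
            drift.append((kind, name, None, "present"))
        for name in sorted(before - after):
            drift.append((kind, name, "present", None))
    return drift


# Hypothetical policy table: (kind, predicate over the item name, severity, action).
# Drift that matches no row is still recorded, at severity "info", so nothing is silently dropped.
POLICY = [
    ("file", lambda p: p.startswith("/etc/"), "high", "deeper-inspection"),
    ("package", lambda n: n in {"openssh-server", "openssl", "kernel"}, "medium", "alert"),
    ("user", lambda n: True, "high", "alert"),
    ("group", lambda n: True, "medium", "alert"),
]


def evaluate(node, drift, policy=POLICY):
    """Turn drift entries into findings carrying the severity and action the policy prescribes."""
    findings = []
    for kind, item, before, after in drift:
        severity, action = "info", "record"
        for pkind, match, psev, paction in policy:
            if kind == pkind and match(item):
                severity, action = psev, paction
                break
        findings.append({"node": node, "kind": kind, "item": item, "before": before,
                         "after": after, "severity": severity, "action": action})
    return findings


def actions_required(findings):
    """Actions to kick off, highest severity first; plain 'record' findings are left out."""
    rank = {"high": 0, "medium": 1, "info": 2}
    ordered = sorted(findings, key=lambda f: rank[f["severity"]])
    return [(f["severity"], f["action"], f["item"]) for f in ordered if f["action"] != "record"]


# Constructed sample: a controller node as deployed, and the same node some weeks later.
BASELINE = Snapshot(
    node="controller-0",
    packages={"openssh-server": "7.4p1-16", "httpd": "2.4.6-45", "vim-minimal": "7.4.160-1"},
    files={"/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
           "/etc/hosts": b"127.0.0.1 localhost\n"},
    users=frozenset({"root", "heat-admin"}),
    groups=frozenset({"wheel"}),
)
CURRENT = Snapshot(
    node="controller-0",
    packages={"openssh-server": "7.4p1-21", "httpd": "2.4.6-45", "vim-minimal": "7.4.160-1",
              "nmap-ncat": "6.40-7"},
    files={"/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
           "/etc/hosts": b"127.0.0.1 localhost\n",
           "/tmp/collector.sh": b"#!/bin/sh\nuptime\n"},
    users=frozenset({"root", "heat-admin", "svc-backup"}),
    groups=frozenset({"wheel"}),
)

if __name__ == "__main__":
    report = evaluate(CURRENT.node, diff_snapshots(BASELINE, CURRENT))
    for severity, action, item in actions_required(report):
        print(f"{severity:6} {action:18} {item}")
```

Running the block prints the sshd_config change and the new local account as high-severity findings ahead of the openssh-server version bump; the new package and the file under /tmp are kept as info records rather than discarded, which is what makes a later deeper inspection possible.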
Thank you! Please post questions in the webinar.
Visit Red Hat at OpenStack East, August 23-24, NYC
red.ht/openstack
red.ht/cloudforms
Security and compliance through automation and micro-segmentation with OpenStack and SDN
Justin Moore, PLUMgrid
Technology Challenges in FSI
• Regulatory Compliance
  • PCI
  • SOX
• Security
  • Separation of concerns
  • Minimize attack surface
  • Strict enforcement of access control
• Operations
  • Reduce manual effort through automation
  • Protect against misconfiguration
    • Dev/Test pointed to Prod
    • Incorrect or invalid firewall rule
    • Server placed on wrong network
  • Rapidly scale
Traditional Approaches No Longer Work
• Too slow
  • Ticket-based manual workflows take days or weeks
  • New methodologies demand on-demand infrastructure and tight integration with the SDLC
    • Agile
    • CI/CD
    • Micro-services
• Error prone
  • Lack of automation and standardization leads to errors
  • Incomplete or inadequate decommissioning processes
• Too expensive
  • Scale-up access control devices / forklift upgrades
  • Highly skilled and highly paid engineers performing trivial ticket-based activities
So How Do We Keep Up?
• Cloud!
  • OK – it’s not really that simple. What about all of that security stuff?
• SDN!
  • Again – it’s not really as simple as buying an SDN.
  • How will we design the system to ensure that security is baked into the end-to-end environment?
• Micro-segmentation
  • Great – another buzzword!
  • Micro-segmentation is the process of controlling access to and from a service based on the combination of security boundary and attack footprint
  • Don’t we already do that? Not really!
Virtual Domains: Your Private Virtual Data Center
Tenant Virtual Domains
• Isolation & segmentation of workloads
• Self-service provision of all functions
Service Virtual Domains
• Owned by Cloud Operator
• Used to apply common services or security policies
• Hosts external connectivity
Virtual Domain Chaining
• Decouple changes from physical infrastructure
• Fully distributed within IO Visor layer on each compute node
Figure: a Service Virtual Domain (providing DNS) chained to the Tenant Virtual Domains
PLUMgrid Virtual Domains: Components of a Virtual Domain
Figure: a Virtual Domain with a Distributed Policy Enforcement Zone and an Edge Policy Enforcement Point
Virtual Domain (VD) — ISOLATION
• Secure tenant isolation for multi-tenant clouds
• Contains all network definitions for that project
• Rich set of analytics and monitoring
• Option to encrypt traffic on a per-VD basis
Topology — Overlay-based, fully distributed network functions
• Network topology view
• DVS/DVR/NAT/DNS/DHCP functions
• Fully distributed (no hairpin or network nodes)
• Integration with external VTEP gateways
• Topology-based service insertion (FW/LB/IPS)
Policy boundary — SEGMENTATION
• Group-based policies & micro-segmentation
• All traffic in/out of the VD goes through the Policy Engine
• Used for Security Groups (L2-4 stateless or stateful security)
• Policy-based VTAP (traffic capture)
• Policy-based service insertion (FW/LB/IPS)
• Support for service chains or a single service function
PLUMgrid ONS Components
Figure: Internet reached through the IO Visor Gateway; IO Visor Edges on the compute nodes; PLUMgrid Directors; VXLAN-based overlay; PLUMgrid CloudApex & OpsVM
Example Application – Customer Service Tool
Figure: a Global Cloud Policy (including DNS) applied across separate Prod CST and Dev CST virtual domains
Three-Tier Architecture
Figure: presentation tier, logic tier, and data tier (database storage). The presentation tier sends GET SALES TOTAL; the logic tier issues GET LIST OF ALL SALES MADE LAST YEAR as a QUERY to the data tier (SALE 1, SALE 2, SALE 3, SALE 4), adds all sales together, and returns the total (4 total sales)
PLUMgrid Policy Path
Group Classification (source & destination end point classification), based on:
• Packets: sMAC / .1Q, src_IP/dst_IP, Application / Ports, Protocols
• Meta Data: Tenant ID / App ID, VM UUID / Name, End Point Type / Group, Location / physical Server
• Behavior: Traffic Profile, Sys Call profile, Storage Access Profile
Policy actions:
• Stateful Security Groups, with Security Logs & Alerts
• Policy-based VTAP (traffic mirroring)
• Policy-based Service Insertion (VNF 1, VNF 2, VNF 3): Service Chains, Distributed Service Insertion, Local Affinity
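The policy path above, and the Prod CST / Dev CST three-tier example before it, can be modelled end to end in a few dozen lines. The following is an added example, not PLUMgrid code and not from the deck: endpoints are classified into groups from metadata (tenant, app, environment, tier) rather than from their IP address, group-to-group allow rules with default deny are applied to each packet, accepted flows are remembered so that reply traffic passes (the stateful part), and every denial is logged. The Endpoint and Packet types, the RULES table, the inventory and the packets are all constructed here; the "stray" dev VM sitting on the prod subnet is included to show why metadata-based classification catches the "server placed on wrong network" and "Dev/Test pointed to Prod" cases listed earlier in the deck.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """A VM or container as the policy engine sees it: packet-level identity plus metadata."""
    name: str
    ip: str
    tenant: str   # project / virtual domain
    app: str      # application identifier, e.g. "cst"
    env: str      # "prod" or "dev"
    tier: str     # "web", "app", "db", or "dns"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str    # "tcp" or "udp"


def classify(ep):
    """Group membership comes from metadata, not from which subnet the IP happens to be on."""
    return "shared-dns" if ep.tier == "dns" else f"{ep.app}-{ep.env}-{ep.tier}"


# Hypothetical group-to-group allow list: (src_group, dst_group, proto, dst_port).
# "*" as the source is the global cloud policy applied from the service virtual domain.
# Anything not listed is denied.
RULES = [
    ("cst-prod-web", "cst-prod-app", "tcp", 8080),
    ("cst-prod-app", "cst-prod-db", "tcp", 5432),
    ("cst-dev-web", "cst-dev-app", "tcp", 8080),
    ("cst-dev-app", "cst-dev-db", "tcp", 5432),
    ("*", "shared-dns", "udp", 53),
]


class PolicyEngine:
    """Stateful group-based filtering that logs every decision for alerting."""

    def __init__(self, endpoints, rules=RULES):
        self.by_ip = {ep.ip: ep for ep in endpoints}
        self.rules = rules
        self.flows = set()   # 5-tuples of accepted forward flows
        self.log = []        # (verdict, reason, packet)

    def decide(self, pkt):
        # Reply direction of an already accepted flow passes without re-matching the rules.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.flows:
            return self._record(pkt, "allow", "established")
        src, dst = self.by_ip.get(pkt.src_ip), self.by_ip.get(pkt.dst_ip)
        if src is None or dst is None:
            return self._record(pkt, "deny", "unclassified endpoint")
        sg, dg = classify(src), classify(dst)
        for rs, rd, proto, port in self.rules:
            if rs in ("*", sg) and rd == dg and proto == pkt.proto and port == pkt.dst_port:
                self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
                return self._record(pkt, "allow", f"{sg} -> {dg}")
        return self._record(pkt, "deny", f"{sg} -> {dg}")

    def _record(self, pkt, verdict, reason):
        self.log.append((verdict, reason, pkt))
        return verdict

    def denials(self):
        """What the security log / alert feed would carry."""
        return [(r, p.src_ip, p.dst_ip, p.proto, p.dst_port) for v, r, p in self.log if v == "deny"]


# Constructed inventory: prod and dev copies of the three-tier Customer Service Tool,
# a shared DNS resolver, and one dev VM mistakenly placed on the prod app subnet.
ENDPOINTS = [
    Endpoint("prod-web-1", "10.1.0.10", "cst-prod", "cst", "prod", "web"),
    Endpoint("prod-app-1", "10.1.1.10", "cst-prod", "cst", "prod", "app"),
    Endpoint("prod-db-1", "10.1.2.10", "cst-prod", "cst", "prod", "db"),
    Endpoint("dev-web-1", "10.2.0.10", "cst-dev", "cst", "dev", "web"),
    Endpoint("dev-app-1", "10.2.1.10", "cst-dev", "cst", "dev", "app"),
    Endpoint("dev-db-1", "10.2.2.10", "cst-dev", "cst", "dev", "db"),
    Endpoint("dev-app-stray", "10.1.1.20", "cst-dev", "cst", "dev", "app"),
    Endpoint("dns-1", "10.0.0.53", "shared", "infra", "prod", "dns"),
]


def run_scenarios(engine=None):
    """Forward a fixed set of constructed packets and return the verdicts, in order."""
    engine = engine if engine is not None else PolicyEngine(ENDPOINTS)
    packets = [
        Packet("10.1.0.10", 45000, "10.1.1.10", 8080, "tcp"),   # prod web -> prod app
        Packet("10.1.1.10", 8080, "10.1.0.10", 45000, "tcp"),   # reply to the flow above
        Packet("10.1.0.10", 45001, "10.1.2.10", 5432, "tcp"),   # web skipping the logic tier
        Packet("10.2.1.10", 45002, "10.1.2.10", 5432, "tcp"),   # dev pointed at the prod database
        Packet("10.1.1.20", 45003, "10.1.2.10", 5432, "tcp"),   # stray dev VM on the prod subnet
        Packet("10.2.0.10", 53000, "10.0.0.53", 53, "udp"),     # any group -> shared DNS
        Packet("192.0.2.9", 40000, "10.1.0.10", 80, "tcp"),     # source with no metadata at all
    ]
    return [engine.decide(p) for p in packets]


if __name__ == "__main__":
    eng = PolicyEngine(ENDPOINTS)
    print(run_scenarios(eng))
    for entry in eng.denials():
        print("DENY", entry)
```

The stray VM is the instructive case: an IP-based rule keyed on the 10.1.1.0/24 subnet would have let it reach the prod database, while classification on the env metadata puts it in cst-dev-app and the default deny applies. Each denial carries the source and destination group names, which is the form a security log or alert feed needs.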
Micro-Segmentation Demo
Q&A: Please use the Q&A panel to ask questions
THANK YOU!