2. Quick Intro
• Thanks for coming out!
• Enjoy the free food ☺
• Focus on security issues with IaaS cloud
• Interweave that with installing Halo
• We’re here to help!
– Ask questions
– Staff will be handy if you need us
– Any and all feedback greatly appreciated
CloudPassage Halo Installfest 2
3. Where Can I Get These Slides?
community.cloudpassage.com
4. Tonight’s Focus
• Infrastructure as a Service (IaaS)
– Can apply to PaaS and SaaS from a provider’s perspective
• Mostly geared to public cloud
– Although applicable to private
• Tenant security concerns
– We’ll skip physical security
5. What You Need For The Labs
• Laptop or tablet
• Root equiv access to a Linux VM
– Local or public is fine
– Spin up now if needed
• Internet access
– Wifi settings: As Posted
6. Houston… We Have a Problem
All network security benefits lost in migration:
• Firewall – Filter port level access
• Firewall – Control rootkit transfer
• Proxy – Control app level data
• NIDS – Inspect stream for attacks
• Sniffer – Audit trail of network traffic
14. What About Introspection?
• Hypervisor based security
– Has visibility into all VMs
• Single point of control
– For a specific hypervisor deployment
• Public - Do you want other tenants to have access to your hypervisor?
• Do you want your provider to have non-auditable access to your VMs?
• Can break segregation of duties
16. Why Host Based Firewalls?
• Tenant controlled
– Provider gains no additional access
• Mitigate potential risks from vswitch or VLANs
• Supported across all cloud infrastructures
– Consistent management regardless of deployment
• Security is portable with the VM
• This is the model supported by Halo
17. Why restrict Admin Ports?
[Chart: Dshield.org data. Green = number of IPs looking for open SSH ports; red = number of IPs hit by SSH scan]
19. Issues to Address
• No firewall control
• Vulnerability management
• Provider image may not meet corporate standards
– Configuration settings
– Accounts
• Detect intrusions
20. Image Deployment
• Provider images usually not patched
• Some 3rd party images are pre-patched
– To the time of the image's release
– Which 3rd parties can you trust?
• Auto-patching usually disabled
• Some known vulnerabilities may not yet be patched
– But it may be possible to mitigate the risk if it is known
21. Vulnerability Wire Testing
• Some providers have restrictions
– May be limited by terms of service
– May be limited to specific products
• Targeting concerns
– What if your IPs are not contiguous?
– What if the IP changes?
• Does not detect local exploits
22. Host Based Vulnerability Checking
• Validate compliance within the VM itself
• Can check remote and local vulnerabilities
• Typically lower cost to deploy
– Less billable utilization
• Can give a false negative if a patch is installed but not yet loaded
– Kernel updates (the patched kernel is on disk, the vulnerable one is still running)
• This is the model Halo uses
24. Issues to Address
• No firewall control
• Vulnerability management
• Provider image may not meet corporate standards
– Configuration settings
– Accounts
• Detect intrusions
25. Configuration Settings
• Are only required processes running?
– Are they securely configured?
• Is password aging enforced?
• Is root permitted direct SSH access?
• Proper permissions on critical files?
• Is sudo or wheel properly configured?
• Any changes since deployment?
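The questions on this slide, and the kernel-update false negative from the host-based vulnerability slide, are all answerable from files already on the VM. The script below is an added example written for this deck, not CloudPassage or Halo code: it parses sshd_config for PermitRootLogin, /etc/login.defs for PASS_MAX_DAYS, sudoers for passwordless ALL grants, checks owner and mode of critical files, and compares the running kernel against the kernels present in /boot. The 90-day aging limit, the allowed file modes and the /boot naming are assumptions; the parsers handle only the directives named here.

```python
"""Point-in-time configuration checks for a Linux VM.

Added example for the slide's questions; not Halo's implementation.
Thresholds and allowed modes are assumed policy values.
"""
import os
import re
import stat
from typing import Dict, List, Optional


def sshd_permit_root_login(sshd_config: str) -> Optional[str]:
    """Effective PermitRootLogin value. OpenSSH honours the first
    occurrence, so the first match wins; None if absent. Match blocks
    are not modelled."""
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].strip().lower()
    return None


def root_ssh_allowed(sshd_config: str) -> bool:
    """Only an explicit 'no' blocks root entirely. The OpenSSH default
    (prohibit-password) still allows key-based root login, so it is flagged."""
    return sshd_permit_root_login(sshd_config) != "no"


def login_defs_int(login_defs: str, key: str) -> Optional[int]:
    """Integer value of a /etc/login.defs key such as PASS_MAX_DAYS."""
    for raw in login_defs.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == key and parts[1].isdigit():
            return int(parts[1])
    return None


def password_aging_enforced(login_defs: str, max_days: int = 90) -> bool:
    """True when PASS_MAX_DAYS is set and within policy (90 days assumed)."""
    value = login_defs_int(login_defs, "PASS_MAX_DAYS")
    return value is not None and 0 < value <= max_days


def sudoers_nopasswd_all(sudoers: str) -> List[str]:
    """User specs that grant every command without a password."""
    hits = []
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("Defaults") and re.search(r"NOPASSWD:\s*ALL\b", line):
            hits.append(line)
    return hits


# Tightest modes each file should have (assumed policy; adjust per distro).
CRITICAL_FILE_MODES: Dict[str, int] = {
    "/etc/passwd": 0o644, "/etc/shadow": 0o640,
    "/etc/gshadow": 0o640, "/etc/sudoers": 0o440,
}


def mode_too_open(st_mode: int, allowed: int) -> bool:
    """True if st_mode grants a permission bit that allowed does not."""
    return bool(stat.S_IMODE(st_mode) & ~allowed)


def check_file_modes(files: Dict[str, int] = CRITICAL_FILE_MODES) -> List[str]:
    """Owner and mode findings for whichever listed files exist on this host."""
    findings = []
    for path, allowed in files.items():
        try:
            st = os.stat(path)
        except OSError:
            continue
        if st.st_uid != 0:
            findings.append(f"{path}: owner uid {st.st_uid}, expected 0")
        if mode_too_open(st.st_mode, allowed):
            findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} exceeds {allowed:04o}")
    return findings


def kernel_key(version: str):
    """Numeric sort key for '5.15.0-91-generic'-style version strings."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def reboot_pending(running: str, installed: List[str]) -> bool:
    """True if a newer kernel is installed than the one running: a package
    scan reports the fix present while the vulnerable kernel is still loaded."""
    return any(kernel_key(v) > kernel_key(running) for v in installed)


def installed_kernels(boot_dir: str = "/boot") -> List[str]:
    """Kernel versions present as <boot_dir>/vmlinuz-<version> (assumed layout)."""
    try:
        return [n[len("vmlinuz-"):] for n in os.listdir(boot_dir) if n.startswith("vmlinuz-")]
    except OSError:
        return []


if __name__ == "__main__":
    with open("/etc/ssh/sshd_config") as fh:
        print("root SSH allowed:", root_ssh_allowed(fh.read()))
    with open("/etc/login.defs") as fh:
        print("password aging enforced:", password_aging_enforced(fh.read()))
    for finding in check_file_modes():
        print("permissions:", finding)
    print("reboot pending:", reboot_pending(os.uname().release, installed_kernels()))
```

Run it as root on a freshly launched provider image and again after hardening; the "any changes since deployment?" question is the same functions run on a schedule and diffed against the first result.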
28. System Accounts
• What accounts are on the system?
• Did the provider modify the default accounts?
– ec2-user
• Which accounts have root level access?
• Who has accounts on which servers?
• How do you add/delete accounts for many servers simultaneously?
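The account questions above come down to reading /etc/passwd and /etc/group from each server and cross-referencing them. The following is an added example for this slide, not Halo's account inventory: it lists every account, those with UID 0, those that can reach root through admin groups, the provider defaults still present (ec2-user is from the slide; the other names are assumed common defaults), and a per-account view across several hosts. The sample file contents in the test are constructed.

```python
"""Account inventory from passwd/group text. Added example; not Halo code."""
from typing import Dict, List, NamedTuple, Set, Tuple


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse /etc/passwd content; malformed lines are skipped (and worth a
    separate alert, since a valid passwd file has exactly seven fields)."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit() and fields[3].isdigit():
            entries.append(PasswdEntry(fields[0], int(fields[2]), int(fields[3]), fields[6]))
    return entries


def parse_group(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """Map group name -> (gid, supplementary members) from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[2].isdigit():
            groups[fields[0]] = (int(fields[2]), {m for m in fields[3].split(",") if m})
    return groups


# Shells that prevent interactive login (assumed list; extend for your distro).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Provider default accounts to look for. ec2-user is the slide's example;
# the rest are assumed typical image defaults.
PROVIDER_DEFAULTS = {"ec2-user", "ubuntu", "centos", "admin"}


def uid0_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Every account with UID 0, i.e. root by any name."""
    return sorted(e.name for e in entries if e.uid == 0)


def login_capable(entries: List[PasswdEntry]) -> List[str]:
    """Accounts with a shell that permits interactive login."""
    return sorted(e.name for e in entries if e.shell not in NOLOGIN_SHELLS)


def root_capable_accounts(entries: List[PasswdEntry],
                          groups: Dict[str, Tuple[int, Set[str]]],
                          admin_groups=("wheel", "sudo", "admin")) -> List[str]:
    """UID 0 accounts plus primary or supplementary members of admin groups.
    Direct sudoers user specs are not covered here."""
    names = set(uid0_accounts(entries))
    for grp in admin_groups:
        if grp in groups:
            gid, members = groups[grp]
            names |= members
            names |= {e.name for e in entries if e.gid == gid}
    return sorted(names)


def provider_default_accounts(entries: List[PasswdEntry],
                              defaults: Set[str] = PROVIDER_DEFAULTS) -> List[str]:
    """Image default accounts that are still present."""
    return sorted(e.name for e in entries if e.name in defaults)


def account_host_matrix(inventories: Dict[str, List[PasswdEntry]]) -> Dict[str, List[str]]:
    """Who has a login-capable account on which servers: account -> hosts."""
    matrix: Dict[str, List[str]] = {}
    for host, entries in inventories.items():
        for e in entries:
            if e.shell not in NOLOGIN_SHELLS:
                matrix.setdefault(e.name, []).append(host)
    return {name: sorted(hosts) for name, hosts in sorted(matrix.items())}


if __name__ == "__main__":
    with open("/etc/passwd") as fh:
        entries = parse_passwd(fh.read())
    with open("/etc/group") as fh:
        groups = parse_group(fh.read())
    print("UID 0:", uid0_accounts(entries))
    print("root capable:", root_capable_accounts(entries, groups))
    print("provider defaults present:", provider_default_accounts(entries))
```

Collecting the two files from every server and feeding them to account_host_matrix gives the "who is on which box" answer; the add/delete-at-scale question is the inverse of that view, and is why a central agent or configuration manager rather than per-host useradd is the usual answer.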
31. Issues to Address
• No firewall control
• Vulnerability management
• Provider image may not meet corporate standards
– Configuration settings
– Accounts
• Detect intrusions
32. Clues To An Attack
• Some file changes indicate a compromise
• Static Web server files
• /etc/passwd has new account
• /etc/sudoers has new entries
• ssh_known_hosts has new entries
• authorized_keys has new entries
• Halo uses SHA-256 to detect changes
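The detection the slide describes is a SHA-256 baseline of the files that should not change, re-hashed on a schedule and diffed, plus a line-level diff for the text files where a new entry is the clue. The code below is an added example in the spirit of the slide, not Halo's implementation: build_baseline hashes a tree, compare_baselines reports added, removed and modified paths, and new_lines and new_account_names cover authorized_keys, ssh_known_hosts, sudoers and passwd. The demo function builds a constructed web root in a temporary directory so the whole flow runs offline.

```python
"""SHA-256 file-integrity baseline and change detection.

Added example; not Halo's agent. Directory layout and sample content
in demo() are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, List


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Hex SHA-256 of a file, streamed so large static assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Hash every regular file under root, keyed by path relative to root.
    Symlinks are skipped so a link repointed at another file cannot mask a change."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare_baselines(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Paths that appeared, disappeared, or whose hash changed since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    """Persist the baseline; keep this copy off the monitored host."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as fh:
        return json.load(fh)


def new_lines(old_text: str, new_text: str) -> List[str]:
    """Non-blank lines in new_text absent from old_text: the 'new entries' clue
    for authorized_keys, ssh_known_hosts and sudoers."""
    old = set(old_text.splitlines())
    return [line for line in new_text.splitlines() if line.strip() and line not in old]


def new_account_names(old_passwd: str, new_passwd: str) -> List[str]:
    """Usernames in new_passwd that were not in old_passwd."""
    old = {line.split(":")[0] for line in old_passwd.splitlines() if line.strip()}
    return [line.split(":")[0] for line in new_passwd.splitlines()
            if line.strip() and line.split(":")[0] not in old]


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake web root, then edit one file and add one."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>welcome</h1>\n")
        with open(os.path.join(root, "about.html"), "w") as fh:
            fh.write("<p>about</p>\n")
        before = build_baseline(root)
        with open(os.path.join(root, "index.html"), "a") as fh:
            fh.write("<!-- edited after baseline -->\n")
        with open(os.path.join(root, "extra.html"), "w") as fh:
            fh.write("<p>not in baseline</p>\n")
        return compare_baselines(before, build_baseline(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For a real static web root, run build_baseline once at deployment, store the result elsewhere with save_baseline, and schedule compare_baselines against a fresh hash pass; any entry in "added" or "modified" on a tree that only changes through your release process is the clue the slide is talking about.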