Use Case: Cloud Security Design and Implementation
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Orgad Kimchi
ISV Engineering
Oracle Solaris 11
The following is intended to outline our general product direction. It is intended
for information purposes only, and may not be incorporated into any contract. It
is not a commitment to deliver any material, code, or functionality, and should
not be relied upon in making purchasing decisions. The development, release,
and timing of any features or functionality described for Oracle’s products
remains at the sole discretion of Oracle.
Security Challenges
• Securing Data At Rest, In Transit, and In Use
• Minimize operating system attack surface
• Prevent denial of service attacks against their infrastructure
• Segregate network traffic between different cloud users
• Disable hostile code (e.g. ‘rootkit’ attacks)
• Secure data deletion once we are done with our project
Concerns With Public Cloud Computing
Source: http://blogs.gartner.com/neil_macdonald/2010/12/16/security-is-the-top-concern-for-public-cloud-but-what-does-that-really-mean/
Oracle Solaris Remote Lab
• Solaris Network Virtualization
– Segregate network traffic & secure VLAN per user
• Solaris Zones
– Isolates partner VMs in a secure environment
• Solaris ZFS
– Rapid & secure deployment of images in partner VMs
• Secure Global Desktop
– Separates communications channels
A secure cloud environment built on Solaris technologies
Now in the Cloud
Cryptography
Cryptographic Acceleration
Oracle SPARC T4 Processor
• Scalable Performance
– On-core, unprivileged, cryptographic instructions
– OpenSSL 5x faster than IBM POWER7
– ZFS encryption is 3x faster than Intel
• Most Industry Standard Algorithms
– Public Key Encryption: RSA, DSA, ECC, DH
– Symmetric Key Encryption: AES, 3DES, DES, Kasumi, Camellia
– Message Digests: CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
– Random number generation (FIPS 140-2 compliant)
SPARC T4 Cryptographic Acceleration
Significant Performance Gains for SSL
• Two-way SSL
• RSA-2048
• AES-256
ZFS: Next Generation File System
• Immense Capacity (128-bit)
• ZFS capacity: 256 quadrillion ZB (1ZB = 1 billion TB)
• Exceeds quantum limit of Earth-based storage.
• Dynamic Metadata
• No limits on files, directory entries, snapshots, etc.
• No tuning parameters to enable expansion.
• Parallel, constant-time directory operations.
• Pooled design – continuous future growth
Scalability
ZFS Encryption
• Encryption policy is set at the ZFS data set level
• Supports delegation of key management operations
• Leverages a dual key model: wrapping vs. encryption key
• Variety of options for format/location of the wrapping key
• Wrapping key inherited by child data sets
ZFS Encryption Example
# zfs create -o encryption=on -o dedup=on -o compression=on rpool/scratch
Enter passphrase for 'rpool/scratch':
Enter again:
# zfs get encryption,keysource,dedup,compression rpool/scratch
NAME           PROPERTY     VALUE              SOURCE
rpool/scratch  encryption   on                 local
rpool/scratch  keysource    passphrase,prompt  local
rpool/scratch  dedup        on                 local
rpool/scratch  compression  on                 local
# zfs key -u rpool/scratch
# zfs mount rpool/scratch
Enter passphrase for 'rpool/scratch':
Assured Deletion with ZFS Encryption
# zfs create -o encryption=on rpool/scratch
Enter passphrase for 'rpool/scratch':
Enter again:
# zfs key -c -o keysource=raw,file:///dev/random rpool/scratch
# zfs get keysource rpool/scratch
NAME           PROPERTY   VALUE                   SOURCE
rpool/scratch  keysource  raw,file:///dev/random  local
# zfs key -u rpool/scratch
# zfs destroy rpool/scratch
Encrypted Swap and /tmp
$ awk '($4 == "swap") { print; }' /etc/vfstab
/dev/zvol/dsk/rpool/swap  -  -  swap  -  no  encrypted
$ swap -l
swapfile     dev    swaplo  blocks   free
/dev/lofi/1  145,1  8       2097128  2097128
$ lofiadm
Block Device  File                     Options
/dev/lofi/1   /devices/pseudo/zfs@0:2  Encrypted
Networking
Network Secure by Default
• Expose only required services to the network
– Reduce the operating system network footprint
– Most services are disabled; a few are set to “local only”
• Integrated with Service Management Facility
– Common administrative model for all service operations
– Fully customizable based upon unique site requirements
• Foundation for Additional Protections and Configuration
Network Architecture Strategies
Network Virtualization
• Using network VLANs
• Combine with physical switches
• Layer 2 segregation
# dladm create-vnic -l net0 vnic2 -v 2
Network segregation
IP Filters
• Ability to configure which ports are open between systems
• Simple to configure; delivered as an SMF service
• Can configure direction as well as ports
Network Resource Management
• Introducing network resource control
– Bandwidth control
– Flow control
• Split up large network pipes
• Guarantee types of network traffic for your applications
• In the following example we limit the SSL traffic to 100Mb on the vnic0 network interface
# dladm create-vnic -l net0 vnic0
# flowadm add-flow -l vnic0 -a transport=TCP,local_port=443 https-flow
# flowadm set-flowprop -p maxbw=100M https-flow
Control the Uncontrollable
Data Link Protection
# dladm show-linkprop -p protection net0
LINK  PROPERTY    PERM  VALUE  DEFAULT  POSSIBLE
net0  protection  rw    --     --       mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
# dladm set-linkprop -p allowed-ips=10.0.2.15 net0
# dladm set-linkprop -p protection=mac-nospoof,ip-nospoof,restricted net0
# ping 10.0.2.2
10.0.2.2 is alive
[set IP address manually to something other than 10.0.2.15.]
# ping 10.0.2.2
no answer from 10.0.2.2
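As an added example (not from the deck), a check a cloud operator can run over the link properties of the VNICs handed to tenant zones, to confirm each one carries the three protections applied to net0 above and that ip-nospoof is paired with an allowed-ips list. It assumes the colon-separated link:property:value lines that dladm show-linkprop -c -o link,property,value emits; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the deck: verify that every tenant-facing link has
# the protections the slide applies to net0: mac-nospoof, ip-nospoof (paired
# with allowed-ips, as the slide does for a statically addressed host) and
# restricted.
# Input: "link:property:value" lines, the parsable shape assumed to come from
#   dladm show-linkprop -c -o link,property,value -p protection,allowed-ips
# where "--" means the property is not set.
check_link_protection() {
  awk -F: '
    function has(list, mode) { return ("," list ",") ~ ("," mode ",") }
    $2 == "protection"  { prot[$1] = $3; order[++n] = $1 }
    $2 == "allowed-ips" { ips[$1] = $3 }
    END {
      for (i = 1; i <= n; i++) {
        l = order[i]; p = prot[l]; bad = ""
        if (p == "--") p = ""
        if (!has(p, "mac-nospoof")) bad = bad " mac-nospoof"
        if (!has(p, "ip-nospoof"))  bad = bad " ip-nospoof"
        else if (ips[l] == "" || ips[l] == "--") bad = bad " allowed-ips"
        if (!has(p, "restricted"))  bad = bad " restricted"
        if (bad == "") print "OK", l
        else           print "MISSING", l ":" bad
      }
    }'
}

# Constructed sample: vnic1 matches the slide, vnic2 enables ip-nospoof
# without an allowed-ips list, vnic3 has no protection at all.
sample_linkprop() {
  printf '%s\n' \
    'vnic1:protection:mac-nospoof,ip-nospoof,restricted' \
    'vnic1:allowed-ips:10.0.2.15' \
    'vnic2:protection:mac-nospoof,ip-nospoof,restricted' \
    'vnic2:allowed-ips:--' \
    'vnic3:protection:--' \
    'vnic3:allowed-ips:--'
}

# Stand-alone run over the constructed sample.
sample_linkprop | check_link_protection
```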
Designed-in Virtualization
Oracle Solaris Zones
Integrated Virtualization (diagram): Security, Automated Install, Packaging, Zones, Networking, ZFS
Oracle Solaris Zones
• Built-in solution for application deployment
• Compatibility environments
• Solaris 10 only
• Zones now more complete
• Delegated administration
• Observability
• NFS shares
• Network virtualization
Solaris Zones Security Benefits
• Restricted In-Zone Operations
– Individual operating system hardening, RBAC, auditing, etc.
– Prohibited from directly accessing kernel (modules), raw memory
• External Enforcement of Zone Configuration
– Configurable privileges, immutability, devices, file systems, resource controls, virtual network security controls, etc.
• Observability with Integrity
– Protected audit trails, file integrity verification, global zone has complete introspection capabilities
Immutable Zones Example (1/2)
# zonecfg -z myzone 'set file-mac-profile=fixed-configuration'
# zoneadm -z myzone boot
# zlogin myzone
[Connected to zone 'myzone' pts/3]
myzone# rm /etc/passwd
rm: /etc/passwd: override protection 644 (yes/no)? y
rm: /etc/passwd not removed: Read-only file system
myzone# pkg install emacs
pkg install: Could not complete the operation on /var/pkg/lock: read-only filesystem.
myzone# rm /usr/bin/vi
rm: /usr/bin/vi not removed: Read-only file system
Immutable Zones Example (2/2)
myzone# touch /var/tmp/foo
myzone# touch /tmp/bar
myzone# svcadm disable ssh
root@solaris:~# svcs ssh
STATE     STIME    FMRI
disabled  6:52:53  svc:/network/ssh:default
Data Architecture Strategies
ZFS Zone Root Encryption
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=zoneroot
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=zoneroot rpool/zones
Enter PKCS#11 token PIN for 'rpool/zones':
# zonecfg -z myzone 'create; set zonepath=/rpool/zones/myzone'
# zoneadm -z myzone install
[… once install completes, the system is rebooted]
# zfs key -l rpool/zones
Enter PKCS#11 token PIN for 'rpool/zones':
# zfs mount -a
# zoneadm -z myzone boot
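As an added example (not from the deck), a check an operator can run over zfs get output to confirm every tenant dataset is encrypted and to see which key model each one uses: the passphrase prompt of the ZFS Encryption Example, the PKCS#11 token object of the zone-root slide above, or the /dev/random key the Assured Deletion slide swaps in just before destroying a dataset. The sample input is constructed to mirror those slides; the tab-separated name/property/value columns are what zfs get -H -o name,property,value prints.

```shell
#!/bin/sh
# Added example, not from the deck: classify ZFS datasets by encryption state.
# Input: output of
#   zfs get -H -o name,property,value encryption,keysource <dataset>...
# i.e. one tab-separated "name property value" line per property.
# Output, one line per dataset:
#   UNENCRYPTED <ds>              encryption=off
#   PROMPT-KEY  <ds>              passphrase,prompt: someone must type the
#                                 passphrase at every mount (ZFS Encryption Example)
#   RANDOM-KEY  <ds>              raw,file:///dev/random: the key is gone once
#                                 unloaded, the dataset is unreadable (Assured Deletion)
#   OK          <ds> <keysource>  any other key source, e.g. a PKCS#11 object
audit_zfs_keys() {
  awk -F'\t' '
    $2 == "encryption" { enc[$1] = $3; order[++n] = $1 }
    $2 == "keysource"  { ks[$1] = $3 }
    END {
      for (i = 1; i <= n; i++) {
        ds = order[i]
        if (enc[ds] == "off")              { print "UNENCRYPTED", ds; continue }
        if (ks[ds] == "passphrase,prompt") { print "PROMPT-KEY", ds; continue }
        if (ks[ds] ~ /^raw,file:\/\/\/dev\/u?random$/) { print "RANDOM-KEY", ds; continue }
        print "OK", ds, ks[ds]
      }
    }'
}

# Constructed sample standing in for real zfs get output; the four datasets
# mirror the states shown on the ZFS slides.
sample_zfs_get() {
  printf '%s\t%s\t%s\n' \
    rpool/scratch encryption on \
    rpool/scratch keysource  passphrase,prompt \
    rpool/zones   encryption on \
    rpool/zones   keysource  raw,pkcs11:object=zoneroot \
    rpool/export  encryption off \
    rpool/export  keysource  none \
    rpool/gone    encryption on \
    rpool/gone    keysource  raw,file:///dev/random
}

# Stand-alone run; on a Solaris host replace sample_zfs_get with
#   zfs get -rH -o name,property,value encryption,keysource rpool
sample_zfs_get | audit_zfs_keys
```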
Auditing
Solaris Auditing
• Kernel-based, fine-grained introspection
• Captures commands, syscalls, admin actions
• Flexible audit policy for global and non-global zones
• Several audit trail formats: binary, text, XML, etc.
• New in Solaris 11
– Auditing on by default with no performance penalty
– Supports secure remote storage of audit trails
– Greater visibility into system events with less “noise”
Per-User Auditing Policy
# userattr audit_flags gbrunett
#
# usermod -K audit_flags=lo,ad,ex:no gbrunett
# userattr audit_flags gbrunett
lo,ad,ex:no
# su - gbrunett
$ exit
# auditreduce -r baz -c lo /var/audit/*not_term* | praudit -s
header,97,2,AUE_su,,testhost,2012-11-13 06:33:21.514 -08:00
subject,testuser,baz,staff,baz,staff,5243,2804137368,0 0 testhost
return,success,0
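As an added example (not from the deck), a short report over praudit -s records like the one above: it lists AUE_su events by audit-ID, the login identity that auditreduce -r selects on and that survives su, and names users with repeated su failures. The records are constructed to follow the slide's three-token layout.

```shell
#!/bin/sh
# Added example, not from the deck: turn praudit -s output into an su report.
# Record shape, as on the Per-User Auditing Policy slide:
#   header,<size>,<version>,<event>,<modifier>,<host>,<time>
#   subject,<audit-id>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<tid>
#   return,<success | failure: reason>,<retval>
# One line per AUE_su record: "<time> <audit-id> <uid> <result>".
su_events() {
  awk -F, '
    $1 == "header"  { ev = $4; when = $7 }
    $1 == "subject" { auid = $2; uid = $3 }
    $1 == "return"  { if (ev == "AUE_su") print when, auid, uid, $2 }
  '
}

# Audit-IDs with at least $1 failed su attempts (default 2):
# "<audit-id> <failures>", one per line.
su_failures() {
  threshold=${1:-2}
  su_events | awk -v t="$threshold" '
    $6 ~ /^failure/ { fail[$4]++ }
    END { for (u in fail) if (fail[u] >= t) print u, fail[u] }
  ' | sort
}

# Constructed sample: the slide's su record, two failed su attempts by the
# same audit-ID, and an unrelated login record that must be ignored.
sample_audit() {
  printf '%s\n' \
    'header,97,2,AUE_su,,testhost,2012-11-13 06:33:21.514 -08:00' \
    'subject,testuser,baz,staff,baz,staff,5243,2804137368,0 0 testhost' \
    'return,success,0' \
    'header,97,2,AUE_su,,testhost,2012-11-13 06:35:02.101 -08:00' \
    'subject,testuser,baz,staff,baz,staff,5260,2804137368,0 0 testhost' \
    'return,failure: Permission denied,-1' \
    'header,97,2,AUE_su,,testhost,2012-11-13 06:35:09.880 -08:00' \
    'subject,testuser,baz,staff,baz,staff,5261,2804137368,0 0 testhost' \
    'return,failure: Permission denied,-1' \
    'header,80,2,AUE_login,,testhost,2012-11-13 06:40:00.000 -08:00' \
    'subject,gbrunett,gbrunett,staff,gbrunett,staff,5300,2804137400,0 0 testhost' \
    'return,success,0'
}

# Stand-alone run; on a Solaris host feed it
#   auditreduce -c lo /var/audit/*not_term* | praudit -s
sample_audit | su_events
sample_audit | su_failures
```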
Putting it all together
with Solaris 11 Security!
Oracle Solaris Remote Lab – Schematic
OSRL - Data
Create
• Resource Sharing: Single Zpool, multiple ZFS file systems
• Performance: Data stored in ZFS SA; Hybrid Storage (Disk + SSD + RAM); ZFS Cloning
• Security: Encrypted ZFS; Partner-specific key; each partner has their own ZFS file system
Use
• Data isolated in VLAN
• Separate NFS server per partner
• SGD - CDM
• All intra-VM data transfers self-contained in the blade chassis
• ZFS clones: share everything but the changes
Delete
• ZFS secure delete
• ZFS encrypt + delete: an almost instantaneous operation
OSRL - Virtual Machines (Zones)
Create
• Resource Sharing: Zone cloning; less than 18 MB of RAM; less than 100 MB of disk
• Performance: ZFS + Zone cloning; new zone in minutes
• Security: ZFS encryption for the zone file system; exclusive IP stack + VNIC
Use
• All zones isolated in a non-routable VLAN
• Secure Global Desktop access
• Resource allocation: network bandwidth, memory, CPU
• Zone shares all OS resources: single kernel, single storage
Delete
• ZFS secure delete
• ZFS encrypt + delete: an almost instantaneous operation
When 1 + 1 > 2
• Zone + ZFS
– Fast zone provisioning
– Very low overhead
– Encrypted file systems as well as shared resources
• Zones + Network virtualization
– Allows for sharing a single physical network
– VLAN tagging allows for creating one VLAN per partner
– Exclusive IP stack on a shared physical network
When 1 + 1 > 2
• Zones + ZFS + NFS
– Each NFS server is a zone
– Single data store
– Single physical server
– Multiple NFS file systems shared with ZFS
– ZFS supports NFS sharing
– Encryption + cloning reduces overhead
• Zones + IPS
– Global zone has an IPS proxy
– Single IPS repository accessible from the non-routable VLAN
Additional Resources
• Solaris 11 Security Hardening Guidelines
http://docs.oracle.com/cd/E26502_01/html/E29014/index.html
• Solaris 11 Secure Coding Guidelines for Developers
http://docs.oracle.com/cd/E26502_01/html/E29016/scode-1.html
• Glenn Faden’s Solaris 11.1 Hands On Security Lab
https://blogs.oracle.com/gfaden/entry/solaris_11_1_is_available
• Darren Moffat’s Solaris Security Blog
https://blogs.oracle.com/darren/tags/solaris+security
For More Information / Try Out Today
• Product overview and download
– oracle.com/solaris
• Oracle Technology Network
– oracle.com/technetwork/server-storage/solaris11
• System Administrators Community
– oracle.com/technetwork/systems
• @ORCL_Solaris
• facebook.com/oraclesolaris
• Oracle Solaris Insider
Questions
Acknowledgements
Special thanks to Darren Moffat, Glenn Faden, Angelo Rajadurai and many others for sharing their ideas and examples with the world.