
HP Helion Webinar #5 - Security Beyond Firewalls


OpenStack security is a huge and broad topic.

In this webinar we will analyze cloud security from the network layer up to the application layer, going through specific layers, some of which are shared between OpenStack itself and the applications running on it. We will also look at how security is affected by the cloud philosophy.


  1. OpenStack: Security beyond firewalls
     Giuseppe Paternò, Managing Director, GARL
     HP Helion Webinar, October 27th 2015
     Twitter: @gpaterno | E-mail: gpaterno@garl.ch | Website: www.gpaterno.com
  2. About me (@gpaterno Giuseppe Paternò)
     IT Architect and Security Expert with a background in Open Source. Former Network and Security architect for Canonical/Ubuntu, RedHat, Wind/Infostrada, Sun Microsystems and IBM, and Visiting Researcher at the University of Dublin, Trinity College.

     Past projects: the standard for J2ME Over-The-Air (OTA) provisioning along with Vodafone, the study of architecture and standards for the delivery of MHP applications for digital terrestrial television (DTT) on behalf of DTT Lab (Telecom Italia/LA7), and the implementation of an HLR for Vodafone landline services.

     Lots of writings, mainly on computer security.

     Managing Director of GARL, a multinational company based in Switzerland and the UK, providing security services for the cloud and owner of SecurePass and login.farm. Director of Alchemy Solutions Group, a UK-based company that provides enterprise consulting and architectures on OpenStack. Primary telcos and utilities are among the customers.
  3. Too many threats
     • 62% increase in breaches in 2013 (1)
     • 1 in 5 organisations have experienced an APT attack (4)
     • 3 trillion $ total global impact of cybercrime (3)
     • 8 months is the average time an advanced threat goes unnoticed on a victim's network (2)
     • 2.5 billion exposed records as a result of data breaches in the past 5 years (5)
     Sources: (1, 3, 5) Increased cyber security can save global economy trillions, McKinsey/World Economic Forum, January 2014; (2) M-Trends 2013: attack the security gap, Mandiant, March 2013; (4) ISACA's 2014 APT study, ISACA, April 2014. Via ISACA Cyber Security Nexus.
  4. OpenStack and Guest Security (diagram: the layers Network, APIs, Identity and Application, split between the OpenStack Domain and the Guest Domain)
  5. Network Security (OpenStack built-in systems)
  6. OpenStack Neutron
     • Software-Defined Networking in OpenStack; it answers to RESTful APIs.
     • Neutron Server: runs on the controller, exposes the APIs, enforces the network model and passes requests to the Neutron plugin.
     • Neutron Plugin: runs on the controller and implements the APIs; every vendor can create its own implementation (ex: Cisco, Juniper, ...).
     • Plugin Agent: runs on each compute node and connects instances to the virtual network. The default implementation is based on Open vSwitch.
     • OpenFlow is set to be the fundamental open protocol for building SDN.
     • There is still no industry standard for encapsulating VLANs over L3: VXLAN is set to be a preferred choice, but every vendor has its own choice (ex: Juniper has MPLS over IP).
  7. OpenStack Security Groups
  8. OpenStack Security Groups
     • Basic L3/L4 firewalling is carried out by security groups
     • Rules can be customised as in normal firewalls
     • Drills down to iptables on the L3 agent, with conntrackd to sync the iptables state tables
  9. OpenStack Neutron FWaaS
     • Firewall as a Service in Neutron
     • Different from the Security Groups applied to the instance
     • Defaults to iptables support inside the tenant's IP namespace
  10. OpenStack Neutron VPNaaS
  11. OpenStack Neutron VPNaaS
     • Neutron has the capability to handle per-tenant VPNs, named VPN-as-a-Service
     • Based on IPsec, implementing IKE only with the "PSK" authentication mode rather than using certificates
     • Implemented on top of IP namespaces ("ip netns add vpn")
     • A draft exists on bringing OpenVPN to Neutron
     • Not suited for "road warriors", i.e. client connections
     • Suited for site-to-site VPNs and for providing a hybrid cloud
  12. OpenStack Neutron L3 Agent
  13. Identity Security (OpenStack and apps)
  14. OpenStack Keystone
     • Provides Identity, Token, Catalog and Policy services for use inside the OpenStack family and implements OpenStack's Identity APIs
     • User management: keeps track of users, roles and permissions
     • Service catalog: provides a catalog of what services are available and where the OpenStack API endpoints are located
  15. OpenStack Identity Management
     • Users: a user represents a human user and has associated information such as username, password and e-mail
     • Tenants: a tenant can represent a customer, an organisation or a group
     • Roles: a role defines what operations a user is permitted to perform in a given tenant
     • Keystone permits the following back-ends for IdM: SQL back-end (SQLAlchemy, it's Python), SAMLv2, LDAP and custom plugins
  16. OpenStack Keystone
     Capturing a username and password means revealing the whole OpenStack infrastructure and controlling it!

       $ curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens
  17. Identity best practices in applications
     Security must be simple and transparent to the end user, otherwise it will be circumvented!
     • Strong authentication of the users
     • GeoIP
     • Patches, patches and patches!
     • Secure application programming
  18. Hosted Apps (diagram: hosted apps need a central Cloud Control / Cloud Orchestrator providing 2FA/SSO)
  19. Solution: https://login.farm
  20. Question: What is the website of the free project to address identity management across hybrid clouds? Answer on Twitter now using the hashtag #helionwebseries and win an HP Helion Cloud Box.
  21. APIs Security (OpenStack and Cloud Applications)
  22. Application APIs
     • APIs are your point of contact with the external world; you must make them highly secure
     • Firewalls are not enough! Anything can be sent over HTTP/HTTPS
     • Web-based APIs: REST, XML-RPC, ...
  23. General API best practices
     • Usernames and passwords, session tokens and API keys must never appear in the URL (proxy caching and logging)
     • Allow only selected HTTP methods
     • Protect privileged actions and sensitive resource collections
     • Validate inputs and enforce typing of values
     • Validate the incoming Content-Type and other headers
     • Encrypt data in transit
     • Validation also applies to the payload: JSON, XML or whatsoever
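The following is an added example, not code from the webinar or from any OpenStack project: a request pre-check that applies the practices on slide 23 before a handler runs. The resource policy, the field schema and the request values are constructed for the example; `check_request` returns the list of violations so a gateway can reject the request with all reasons at once.

```python
"""Added example: pre-check an API request against the slide's best practices.
Policy, schema and sample requests are constructed for illustration."""
import json
from urllib.parse import parse_qs, urlsplit

# Hypothetical per-resource policy: allowed methods, and which of them are privileged.
POLICY = {
    "/api/v1/users": {"methods": {"GET", "POST"}, "privileged": {"POST"}},
}
# Query-string parameter names that must never carry a credential.
SECRET_PARAMS = {"username", "password", "token", "api_key", "session"}
# Expected JSON field types for the payload (hypothetical schema).
SCHEMA = {"email": str, "age": int, "active": bool}


def check_request(method, url, headers, body, authenticated=False):
    """Return a list of violations; an empty list means the request passes."""
    problems = []
    parts = urlsplit(url)
    # Encrypt data in transit: only TLS is acceptable.
    if parts.scheme != "https":
        problems.append("plaintext transport: use TLS")
    # Credentials in the URL end up in proxy caches and access logs.
    leaked = SECRET_PARAMS & {k.lower() for k in parse_qs(parts.query)}
    if leaked:
        problems.append("credential in URL: " + ",".join(sorted(leaked)))
    rule = POLICY.get(parts.path)
    if rule is None:
        problems.append("unknown resource: " + parts.path)
        return problems
    # Allow only selected HTTP methods, and protect privileged actions.
    if method not in rule["methods"]:
        problems.append("method not allowed: " + method)
    if method in rule["privileged"] and not authenticated:
        problems.append("privileged action without authentication")
    # Validate the incoming Content-Type before touching the payload.
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if body is not None:
        if ctype != "application/json":
            problems.append("unexpected Content-Type: " + (ctype or "<none>"))
        else:
            problems.extend(check_payload(body))
    return problems


def check_payload(body):
    """Validate that the JSON payload is an object with correctly typed fields."""
    try:
        data = json.loads(body)
    except ValueError:
        return ["payload is not valid JSON"]
    if not isinstance(data, dict):
        return ["payload must be a JSON object"]
    problems = []
    for key, value in data.items():
        expected = SCHEMA.get(key)
        if expected is None:
            problems.append("unknown field: " + key)
        # 'type(...) is' rather than isinstance: bool is a subclass of int in Python.
        elif type(value) is not expected:
            problems.append("field %s: expected %s, got %s"
                            % (key, expected.__name__, type(value).__name__))
    return problems


if __name__ == "__main__":
    print(check_request("GET", "http://api.example.test/api/v1/users?token=abc", {}, None))
    print(check_request("POST", "https://api.example.test/api/v1/users",
                        {"Content-Type": "application/json"},
                        '{"email": "joe@example.test", "age": "30"}', authenticated=True))
```

The typing check is strict on purpose: a string "30" is not accepted where an integer is expected, and `True` is not accepted as an integer, which is the kind of coercion bug that input validation is meant to catch.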
  24. OpenStack APIs
     • All OpenStack software is based on RESTful APIs, consumed by end customers and tools to access the platform programmatically
     • Among OpenStack components, the APIs are a way of decoupling component implementations
     • Consumed easily from: "curl" tools, the OpenStack command line tools, REST clients, the OpenStack Software Development Kit (SDK)
  25. OpenStack API endpoints
  26. OpenStack APIs workflow
     1. Obtain a token:

       curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens

     2. Consume the API (through the obtained token, substituted for "token" below):

       curl -i -X GET http://localhost:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: token"

  27. Revealing the endpoints
     The token request will reveal the endpoint URLs: Compute/Nova, S3, Image/Glance, Volume/Cinder, EC2, Identity/Keystone
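As an added example (not from the webinar and not the OpenStack client code), the following parses a reply in the shape of the Keystone v2.0 `/v2.0/tokens` response used in the workflow above: it pulls out the token and the service catalog that slide 27 says the token request reveals, builds the `X-Auth-Token` header for the second step, and flags catalogued public endpoints that are not behind TLS. The sample response, its hostnames and token value are constructed.

```python
"""Added example: parse a Keystone v2.0 token response and audit its catalog.
The response below is constructed; only its shape follows the v2.0 'access' format."""
import json

SAMPLE_RESPONSE = json.dumps({
    "access": {
        "token": {"id": "0123456789abcdef", "expires": "2015-10-27T18:00:00Z",
                  "tenant": {"id": "t1", "name": "customer-x"}},
        "serviceCatalog": [
            {"type": "compute", "name": "nova", "endpoints": [
                {"region": "RegionOne",
                 "publicURL": "https://cloud.example.test:8774/v2/t1",
                 "adminURL": "https://cloud.example.test:8774/v2/t1",
                 "internalURL": "https://10.0.0.5:8774/v2/t1"}]},
            {"type": "image", "name": "glance", "endpoints": [
                {"region": "RegionOne",
                 "publicURL": "http://cloud.example.test:9292",   # constructed: plaintext
                 "adminURL": "http://10.0.0.5:9292",
                 "internalURL": "http://10.0.0.5:9292"}]},
            {"type": "identity", "name": "keystone", "endpoints": [
                {"region": "RegionOne",
                 "publicURL": "https://cloud.example.test:5000/v2.0",
                 "adminURL": "https://cloud.example.test:35357/v2.0",
                 "internalURL": "https://10.0.0.5:5000/v2.0"}]},
        ],
        "user": {"id": "u1", "name": "joeuser", "roles": [{"name": "member"}]},
    }
})


def parse_token_response(text):
    """Return (token_id, tenant_name, catalog); catalog maps service type -> publicURL."""
    access = json.loads(text)["access"]
    token = access["token"]
    catalog = {}
    for service in access.get("serviceCatalog", []):
        for endpoint in service.get("endpoints", []):
            # Keep the first endpoint listed for each service type.
            catalog.setdefault(service["type"], endpoint["publicURL"])
    return token["id"], token["tenant"]["name"], catalog


def auth_headers(token_id):
    """The token travels in the X-Auth-Token header, never in the URL (slide 23)."""
    return {"X-Auth-Token": token_id, "Accept": "application/json"}


def plaintext_endpoints(catalog):
    """Service types whose public endpoint would send the token without TLS."""
    return sorted(t for t, url in catalog.items() if url.lower().startswith("http://"))


if __name__ == "__main__":
    token_id, tenant, catalog = parse_token_response(SAMPLE_RESPONSE)
    print("tenant:", tenant)
    for service_type, url in sorted(catalog.items()):
        print("%-10s %s" % (service_type, url))
    print("plaintext public endpoints:", plaintext_endpoints(catalog))
    print("headers for step 2:", auth_headers(token_id))
```

The same catalog that a legitimate client needs is what an attacker holding a captured password obtains with the first curl command, which is why slide 16 treats a leaked username and password as exposure of the whole infrastructure.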
  28. OpenStack APIs best practices
     • Isolate API endpoint processes: especially those that reside within the public security domain should be isolated as much as possible. API endpoints should be deployed on separate hosts for increased isolation.
     • Apply the defense-in-depth concept: configure services, host-based firewalls, local policy (SELinux or AppArmor) and optionally global network policy.
     • Use Linux namespaces to assign processes to independent domains.
     • Use network ACLs and IDS technologies to enforce explicit point-to-point communication between network services (ex: wire-level ACLs in L3 switches).
  29. Mandatory Access Control in APIs
     • Isolate API endpoint processes from each other and from other processes on a machine.
     • Use Mandatory Access Controls (MAC) on top of Discretionary Access Controls to segregate processes, ex: SELinux.
     • Objective: containment and escalation of API endpoint security breaches. Use of MACs at the OS level severely limits access to resources and provides earlier alerting on such events.
  30. APIs Security, ex: SecurePass NG (Dreamliner) APIs
     • RESTful APIs, a mixture of POST (in the request) and JSON (in the response)
     • Channel encrypted with TLS, high cipher
     • Based on APP ID and APP Secret; example: /api/v1/users/info
     • Security in functionalities: an APP ID is read-only or read-write
     • Security in network: an APP ID can be limited to a given IPv4/IPv6
     • Security in domain: an APP ID is linked only to a specific realm/domain
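An added example, not SecurePass code and not its API: an authorisation check that scopes an APP ID along the three dimensions slide 30 describes, functionality (read-only vs read-write), network (allowed IPv4/IPv6 ranges) and domain (one realm). The APP IDs, secrets, networks and realm in the registry are constructed; secrets are stored as SHA-256 digests and compared in constant time.

```python
"""Added example: scope an APP ID by functionality, network and realm.
The registry below is constructed for illustration."""
import hashlib
import hmac
import ipaddress

APP_REGISTRY = {
    "reporting-app": {
        "secret_sha256": hashlib.sha256(b"report-secret").hexdigest(),
        "access": "read-only",
        "networks": ["203.0.113.0/24"],
        "realm": "example.test",
    },
    "provisioning-app": {
        "secret_sha256": hashlib.sha256(b"prov-secret").hexdigest(),
        "access": "read-write",
        "networks": ["198.51.100.10/32", "2001:db8::/32"],
        "realm": "example.test",
    },
}

# HTTP methods that change state and therefore need a read-write APP ID.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def authorise(app_id, app_secret, client_ip, method, realm, registry=APP_REGISTRY):
    """Return (allowed, reason). Every check must pass before the API handler runs."""
    app = registry.get(app_id)
    if app is None:
        return False, "unknown APP ID"
    # Constant-time comparison of digests avoids leaking the secret through timing.
    presented = hashlib.sha256(app_secret.encode()).hexdigest()
    if not hmac.compare_digest(presented, app["secret_sha256"]):
        return False, "bad APP secret"
    # Network restriction: the caller must come from one of the allowed ranges.
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "unparseable client address"
    if not any(ip in ipaddress.ip_network(net) for net in app["networks"]):
        return False, "client address %s outside allowed networks" % client_ip
    # Domain restriction: the APP ID is linked to exactly one realm.
    if realm != app["realm"]:
        return False, "APP ID not linked to realm %s" % realm
    # Functionality restriction: writes need a read-write APP ID.
    if method.upper() in WRITE_METHODS and app["access"] != "read-write":
        return False, "APP ID is read-only"
    return True, "ok"


if __name__ == "__main__":
    print(authorise("reporting-app", "report-secret", "203.0.113.7", "GET", "example.test"))
    print(authorise("reporting-app", "report-secret", "203.0.113.7", "POST", "example.test"))
    print(authorise("provisioning-app", "prov-secret", "2001:db8::1", "DELETE", "example.test"))
```

The order of the checks matters for what a caller learns: the secret is verified before the network and realm checks, so a rejected request reveals nothing about which networks or realms are valid to anyone who does not already hold the secret.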
  31. Continuous Security
  32. Pipeline: Build → Functional tests → Static security tests → Create template → Deploy template → Automated VA
  33. Static code analysers
     • http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
     • http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
     • https://github.com/google/firing-range
  34. Useful links & Twitter (answers to the Twitter challenge)
     • OpenStack Security Guide: http://docs.openstack.org/sec/
     • login.farm: main website https://login.farm, free join http://bit.ly/loginfarm
     • SecurePass: www.secure-pass.net
  35. So, if you need ...
     • OpenStack/OpenNebula
     • Software Defined Storage
     • Software Defined Networking
     • from the folks that architected the largest EMEA telco & bank infrastructures
     • call us at Alchemy Solutions Ltd (UK): info@alchemy.solutions
     • Identity management for cloud/hybrid (including AWS)
     • Pen-test/Vulnerability Assessments
     • Secure Enterprise Dropbox replacement
     • from the former Symantec and former Sun Micro/RedHat folks
     • call us at GARL Sagl (Switzerland, UK): info@garl.ch
  36. Q & A
     Giuseppe Paternò, Managing Director, GARL
     HP Helion Webinar, October 27th 2015
     Twitter: @gpaterno | E-mail: gpaterno@garl.ch | Website: www.gpaterno.com