
CloudStack Secured

1,940 views

Published on

My talk from CloudStack Collab 2012

Published in: Technology

CloudStack Secured

  1. CloudStack Secured. John Kinsella, @johnlkinsella, Apache CloudStack PPMC, Founder, Stratosec Inc.
  2. Overview
     • Code Review
     • Incident response
     • Stratosec extras
     • What’s next
  3. LOOKING FOR WEAKNESSES IN ACS
  4. Manual review
     • Process of combing code looking for flaws
     • “Targeted” manual review can be cheaper, easier
     • Grepping for known patterns can quickly point to issues in code
       – “crypt”
       – “password”
       – “FIXME”
       – “this is a hack”
  5. This is a hack
  6. Manual review, cont.
     • Once we find an area where there’s a “smell,” we investigate closer.
  7. Static analysis
     • Automated!
     • Automation good, right?
     • But tools usually not cheap.
  8. FoD Overview
  9. FoD Source
  10. FoD Trace
  11. FoD Suspicious
  12. What does this get us? So far, not much.
     • No critical findings discovered
     • Low issues possible (e.g. raw error message displayed in UI)
  13. Good guys vs bad guys: governments, $$, malicious user, community
  14. Email from customer
  15. Incident response
     • Report findings to ACS security team (PPMC)
     • We strive to investigate and respond ASAP
     • Verified issues
     • Pre-4.0 issues are forwarded to Citrix
     • Pre-notification list for critical vendors (Gizoogle “cloudstack security response”)
  16. STRATOSEC EXTRAS
  17. SSL
     • ACS ships with SSL disabled.
     • Instructions in ACS wiki under “CloudStack Security”
  18. VPNs
     • SSL is nice, but we like OpenVPN for any administrative access
     • Con: iOS doesn’t like OpenVPN* (*jailbroken iOS does like OpenVPN)
  19. Tighter firewalling
     • If you place unprotected hypervisors on the public Internet, after several days you will find VMs at a grub prompt
     • Firewall everything. Use VPN, but firewall that too.
  20. Testing
     • Vulnerability scanning
     • Penetration testing
     • Important – monitoring for changes
  21. IDS
     • Run snort on hypervisors monitoring bridges
     • Run OSSEC, monitoring anything sensitive – /etc
     • AntiVirus? Shouldn’t have to…
  22. Two Factor Authentication
     • Becoming more and more common
     • Passwords aren’t enough
       – Guessable
       – Stealable
       – Sniffable, when you’re not using SSL/VPN
  23. 2FA any day now…
     • WiKID Systems 2 factor auth
     • “Mutual HTTPS Authentication”
     • Code seems to be working, just need to tweak build
  24. What’s next
     • Admin login notification
     • KVM + SELinux – working on it – not production ready
     • After SELinux, auditd
     • Goal: Provide users with transparency
  25. Logging
     • We collect/analyze logs from
       – All IDS
       – Network firewalls
       – Web application firewalls
       – Syslog (Management, node, AND VM) collected centrally
  26. We’d love help
     • Security Frameworks
     • Security plugins (authentication, monitoring)
     • grsecurity support?
     • Further xen hardening?
     • Ideas? http://cloudstack.org
  27. Thanks! Questions? John Kinsella, @johnlkinsella, http://www.slideshare.net/jlkinsel/
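The “targeted” grep pass from slide 4, written out as a small shell script so a reviewer gets a file:line list of places to start reading. This is an added example, not material from the talk; the two sample source files it creates under a temporary directory are constructed here and are not CloudStack code.

```shell
#!/bin/sh
# Added example: a "targeted" manual-review pass as described on slide 4.
# Grep a source tree for the smell patterns the talk lists; every hit is a
# place to read more closely. Patterns are matched as case-insensitive
# fixed strings, one per line.
SMELL_PATTERNS='crypt
password
FIXME
this is a hack'

# smell_scan DIR: print "pattern<TAB>file:line:text" for every hit under DIR.
smell_scan() {
  dir=$1
  printf '%s\n' "$SMELL_PATTERNS" | while IFS= read -r pat; do
    # -r recursive, -n line numbers, -i ignore case, -F fixed string
    grep -rniF -- "$pat" "$dir" 2>/dev/null | while IFS= read -r hit; do
      printf '%s\t%s\n' "$pat" "$hit"
    done
  done
}

# smell_count DIR PATTERN: number of matching lines under DIR for one pattern.
smell_count() {
  grep -rniF -- "$2" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample tree (not CloudStack code) so the example runs offline.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/src"
  cat > "$root/src/Auth.java" <<'EOF'
String password = "changeme"; // FIXME: move to config
String hash = DigestUtils.md5Hex(password);
EOF
  cat > "$root/src/Util.java" <<'EOF'
// This is a hack to get the build passing
int encrypted = encryptBlob(data);
EOF
  printf '%s\n' "$root"
}

# Usage: sh smells.sh /path/to/source  (no argument: scan the constructed sample tree)
if [ "$#" -gt 0 ]; then
  smell_scan "$1"
else
  sample=$(make_sample_tree)
  smell_scan "$sample"
  rm -rf "$sample"
fi
```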
