Secure Keystone Deployment:
Lessons Learned and Best Practices
Priti Desai
Sr. Software Engineer
Secure Keystone Deployment 1
The Symantec Team
• Cloud Platform Engineering
– We are building a consolidated cloud platform that provides infrastructure and
platform services for next generation Symantec products and services
• Me
– In Security for over 6 years
– Symantec Insight - Reputation Based Security
– Symantec Data Analytics Platform
– OpenStack Engineer - Keystone
– OpenStack Security Group
– Cop Open Source
OpenStack Security Group
Images: OpenStack Security Notes (openstack.org) and the OpenStack Security Guide (docs.openstack.org)
Secure Keystone Deployment
Why is Keystone security critical?
What is Keystone?
How is the authentication process implemented in Keystone?
How is the authorization mechanism implemented in OpenStack?
AuthN Overview
Sequence (slide diagram): Cloud User -> Keystone, with three backends: Identity (SQL/LDAP), Assignment (SQL), Token (SQL)
1. The cloud user sends a request with username and password.
2. Keystone asks the Identity backend (SQL/LDAP) to verify the username and password; the stored password hash is compared, never a plaintext password.
3. The Identity backend reports successful verification.
4. Keystone requests the user/tenant relationship metadata from the Assignment backend (SQL).
5. The Assignment backend returns the user/tenant relationship information.
6. Keystone asks the Token backend (SQL) to generate a new token.
7. The Token backend responds with the new token.
8. Keystone responds to the cloud user with the token.
AuthZ Overview
Sequence (slide diagram): Cloud User -> OpenStack Service -> Keystone
1. The cloud user sends a request to an OpenStack service with the session token.
2. The service asks Keystone to verify the session token.
3. Keystone checks: is this token correct (valid, not expired or revoked)? Does it allow use of this service?
4. Keystone reports successful verification.
5. The service executes the request.
6. The service responds to the user with success.
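A runnable model of the two sequences above, added here as an illustration; it is not code from the deck or from Keystone. The identity, assignment and token backends are in-memory dicts standing in for SQL/LDAP, PBKDF2 from hashlib stands in for Keystone's password hashing, and the user, tenant and role names are constructed.

```python
import hashlib
import hmac
import os
import time
import uuid


# Identity backend (SQL/LDAP in Keystone): only a salted hash is stored.
def hash_password(password, salt=None, iterations=100_000):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(stored, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 stored["salt"], stored["iterations"])
    return hmac.compare_digest(digest, stored["digest"])  # constant-time compare


class Keystone:
    def __init__(self, token_ttl=3600):
        self.identity = {}     # username -> password hash record
        self.assignment = {}   # (username, tenant) -> set of roles
        self.tokens = {}       # token id -> {"user", "tenant", "roles", "expires"}
        self.token_ttl = token_ttl

    def add_user(self, username, password):
        self.identity[username] = hash_password(password)

    def grant(self, username, tenant, role):
        self.assignment.setdefault((username, tenant), set()).add(role)

    # AuthN (slide 5): verify the hash, fetch the user/tenant roles, issue a token.
    def authenticate(self, username, password, tenant):
        record = self.identity.get(username)
        if record is None or not verify_password(record, password):
            return None            # same answer for unknown user and bad password
        roles = self.assignment.get((username, tenant))
        if not roles:
            return None            # the user exists but has no role in that tenant
        token_id = uuid.uuid4().hex   # UUID token, as kept in the Token (SQL) backend
        self.tokens[token_id] = {"user": username, "tenant": tenant,
                                 "roles": set(roles),
                                 "expires": time.time() + self.token_ttl}
        return token_id

    # AuthZ (slide 6), Keystone side: "Is this token correct?"
    def validate(self, token_id):
        data = self.tokens.get(token_id)
        if data is None or data["expires"] < time.time():
            return None
        return data

    def revoke(self, token_id):
        self.tokens.pop(token_id, None)


# AuthZ (slide 6), service side: ask Keystone, then "does it allow the service usage?"
def service_request(keystone, token_id, required_role):
    data = keystone.validate(token_id)
    if data is None:
        return (401, "token invalid, expired or revoked")
    if required_role not in data["roles"]:
        return (403, "token valid but does not allow this service usage")
    return (200, "request executed for %s in tenant %s" % (data["user"], data["tenant"]))


def build_sample():
    """Constructed sample data: one user holding the 'member' role in one tenant."""
    ks = Keystone()
    ks.add_user("alice", "correct horse battery staple")
    ks.grant("alice", "demo", "member")
    return ks


if __name__ == "__main__":
    ks = build_sample()
    tok = ks.authenticate("alice", "correct horse battery staple", "demo")
    print(service_request(ks, tok, "member"))   # 200: authenticated and authorized
    print(service_request(ks, tok, "admin"))    # 403: authenticated, not authorized
    ks.revoke(tok)
    print(service_request(ks, tok, "member"))   # 401: a stolen token dies with revocation
```

The token is a bearer credential: whoever holds it gets the roles recorded with it until it expires or is revoked, which is why the Token backend and the wire between user, service and Keystone are listed as assets on the next slides.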
Secure Keystone Deployment
Why is Keystone security critical?
Does it store/transmit any sensitive information?
What kind of cloud asset does it store?
Is any type of attack possible on Keystone? Can it
bring down the entire cloud?
Keystone Security is Critical
• Gatekeeper
– Access to the OpenStack cloud
• Assets
– Users
– Passwords
– Tokens
– Roles
– Catalog
• Vulnerable to DoS
What was our approach to identifying
key vulnerabilities?
Security Risks
• Global Security Office
– Threat Model
– Penetration Tests
– Traceability Matrix
Threat Model
STRIDE categories:
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege
What kind of security deficiencies did
we discover?
• Attack: Keystone user credential theft
• Attack: Insecure file permissions on keystone.conf
• Attack: Access to cloud admin privileges for almost free
• Attack: Leaking sensitive data in log messages
• Attack: DoS – authentication chaining (Havana)
• Attack: Unauthorized access to the MySQL database
• Many more …
Traceability Matrix
Keystone User Credential Theft
Mitigate: Secure Communication - SSL/TLS
Deployment (slide diagram): clients -> hardware load balancer -> three Keystone nodes
• The hardware load balancer is the SSL server towards clients and an SSL client towards each Keystone node, so traffic is re-encrypted after termination rather than forwarded in the clear
• Each Keystone node runs Apache with mod_ssl, listening on 5000/SSL (Public API) and 35357/SSL (Admin API)
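Turning TLS on at the load balancer and in mod_ssl is only half the job: clients find every other service through the catalog Keystone serves, and a catalog entry that still says http sends tokens in the clear regardless of how Keystone itself listens. The check below is an added example, not the deck's or Keystone's code; the catalog is constructed in the shape of a v2 serviceCatalog list and the hostnames are made up.

```python
import json
from urllib.parse import urlsplit

# Constructed catalog: identity is on TLS, but nova's adminURL and all of
# glance's URLs were never updated after TLS was enabled.
SAMPLE_CATALOG = json.dumps([
    {"type": "identity", "name": "keystone", "endpoints": [
        {"region": "RegionOne",
         "publicURL": "https://keystone.example.com:5000/v2.0",
         "adminURL": "https://keystone.example.com:35357/v2.0",
         "internalURL": "https://keystone.example.com:5000/v2.0"}]},
    {"type": "compute", "name": "nova", "endpoints": [
        {"region": "RegionOne",
         "publicURL": "https://nova.example.com:8774/v2/%(tenant_id)s",
         "adminURL": "http://nova.example.com:8774/v2/%(tenant_id)s",
         "internalURL": "https://nova.example.com:8774/v2/%(tenant_id)s"}]},
    {"type": "image", "name": "glance", "endpoints": [
        {"region": "RegionOne",
         "publicURL": "http://glance.example.com:9292",
         "adminURL": "http://glance.example.com:9292",
         "internalURL": "http://glance.example.com:9292"}]},
])

URL_KEYS = ("publicURL", "adminURL", "internalURL")


def find_plaintext_endpoints(catalog_json):
    """Return (service_type, region, url_kind, url) for every URL that is not https."""
    findings = []
    for service in json.loads(catalog_json):
        for ep in service.get("endpoints", []):
            for key in URL_KEYS:
                url = ep.get(key)
                if url is None:
                    continue
                if urlsplit(url).scheme.lower() != "https":
                    findings.append((service["type"], ep.get("region"), key, url))
    return findings


def identity_uses_tls(catalog_json):
    """True only if every Keystone URL (public 5000 and admin 35357) is https."""
    return not any(t == "identity" for t, _, _, _ in find_plaintext_endpoints(catalog_json))


if __name__ == "__main__":
    for finding in find_plaintext_endpoints(SAMPLE_CATALOG):
        print("plaintext endpoint: %s %s %s -> %s" % finding)
    print("identity on TLS:", identity_uses_tls(SAMPLE_CATALOG))
```

Run it against the serviceCatalog returned by a real token request after the change; adminURL entries are easy to miss because only operators use them, yet they carry the admin token.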
Insecure file permissions on Keystone.conf
Mitigate:
• Restrict ownership to the service user:
- chown keystone:keystone /etc/keystone/keystone.conf
• Restrict access to read/write for the owner and read-only for the keystone group, with no access for anyone else (use 600 if nothing in the keystone group needs to read it):
- chmod 640 /etc/keystone/keystone.conf
The file holds the admin_token and the database connection string with its password, so any local user who can read it can take over the cloud.
Access to admin privileges is almost free
• Service token (admin_token): a shared secret used to bootstrap Keystone
– Anyone who presents it gets cloud admin privileges, with no user, password or role check
– It can be used to register rogue services/endpoints in the catalog
Mitigate: Disable Service Token
• Comment out admin_token in /etc/keystone/keystone.conf:
# admin_token=e2112effd3ff05b8c88ad14e096e6615
• Remove the admin token auth middleware from /etc/keystone/keystone-paste.ini: delete the filter definition
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
and also remove admin_token_auth from every pipeline that lists it ([pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3]); a pipeline that still names a deleted filter stops Keystone from loading.
• Do this only after a real cloud admin exists (next slides), or nobody can administer the cloud.
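An audit for the keystone.conf permissions and the disabled service token, written here as an added example and not taken from the deck or the Keystone project. It parses the files with configparser rather than grepping them, checks the paste pipelines as well as the filter definition, and uses constructed before/after versions of both files; the pipeline layout follows an Icehouse-era keystone-paste.ini and the sample values are made up.

```python
import configparser
import grp
import os
import pwd
import stat

CONF = "/etc/keystone/keystone.conf"
PASTE = "/etc/keystone/keystone-paste.ini"

# Constructed 'before' files: admin_token live, middleware defined and wired in.
INSECURE_CONF = """[DEFAULT]
admin_token=e2112effd3ff05b8c88ad14e096e6615
debug=True
[database]
connection=mysql://keystone:dbpass@dbhost/keystone
"""
INSECURE_PASTE = """[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
[pipeline:public_api]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body public_service
[pipeline:admin_api]
pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body admin_service
"""
# Constructed 'after' files: token commented out, filter and pipeline references gone.
HARDENED_CONF = """[DEFAULT]
# admin_token=e2112effd3ff05b8c88ad14e096e6615
debug=False
[database]
connection=mysql://keystone:dbpass@dbhost/keystone
"""
HARDENED_PASTE = """[pipeline:public_api]
pipeline = sizelimit url_normalize build_auth_context token_auth json_body public_service
[pipeline:admin_api]
pipeline = sizelimit url_normalize build_auth_context token_auth json_body admin_service
"""


def _parse(text):
    # Keystone configs carry '%' in connection strings, so interpolation is off.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_conf_text(text):
    """Findings for keystone.conf: a live admin_token, or debug logging enabled."""
    cp = _parse(text)
    findings = []
    if cp.get("DEFAULT", "admin_token", fallback="").strip():
        findings.append("admin_token is set: anyone who reads this file is cloud admin")
    if cp.getboolean("DEFAULT", "debug", fallback=False):
        findings.append("debug=True: request bodies with passwords/tokens get logged")
    return findings


def audit_paste_text(text):
    """Findings for keystone-paste.ini: filter still defined or still in a pipeline."""
    cp = _parse(text)
    findings = []
    if cp.has_section("filter:admin_token_auth"):
        findings.append("[filter:admin_token_auth] is still defined")
    for section in cp.sections():
        if section.startswith("pipeline:"):
            if "admin_token_auth" in cp.get(section, "pipeline", fallback="").split():
                findings.append("%s still lists admin_token_auth" % section)
    return findings


def audit_perms(mode, uid, gid, want_uid, want_gid):
    """Findings for ownership and mode; accepts 0640 or stricter (e.g. 0600)."""
    findings = []
    if (uid, gid) != (want_uid, want_gid):
        findings.append("owner is uid %d gid %d, expected the keystone user/group" % (uid, gid))
    if mode & stat.S_IRWXO:
        findings.append("mode %o is accessible to other users" % stat.S_IMODE(mode))
    if mode & stat.S_IWGRP:
        findings.append("mode %o is group-writable" % stat.S_IMODE(mode))
    return findings


def audit_host(conf_path=CONF, paste_path=PASTE, service_user="keystone"):
    """Run every check against the real files on a Keystone node."""
    want_uid = pwd.getpwnam(service_user).pw_uid
    want_gid = grp.getgrnam(service_user).gr_gid
    st = os.stat(conf_path)
    with open(conf_path) as f:
        conf_text = f.read()
    with open(paste_path) as f:
        paste_text = f.read()
    return (audit_perms(st.st_mode, st.st_uid, st.st_gid, want_uid, want_gid)
            + audit_conf_text(conf_text) + audit_paste_text(paste_text))


if __name__ == "__main__":
    print("before:", audit_conf_text(INSECURE_CONF) + audit_paste_text(INSECURE_PASTE)
          + audit_perms(0o100644, 0, 0, 1001, 1001))
    print("after: ", audit_conf_text(HARDENED_CONF) + audit_paste_text(HARDENED_PASTE)
          + audit_perms(0o100640, 1001, 1001, 1001, 1001))
```

audit_host() is what runs on the node; the text-based functions exist so the checks can be exercised on sample content without root, and so the audit can be pointed at config pulled out of configuration management before it is deployed.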
Who is the cloud admin now?
Create Cloud Admin
• Leveraging a Keystone v3 domain
• Before disabling the service token:
– Create a domain "cloud_admin_domain"
– Grant the "admin" role on that domain to the appropriate user ("Bob Smith")
– Update the Keystone policy file (the cloud_admin rule comes from the v3 cloud sample policy, policy.v3cloudsample.json):
Replace:
"cloud_admin": [["rule:admin_required", "domain_id:admin_domain_id"]],
With:
"cloud_admin": [["rule:admin_required", "domain_id:<cloud_admin_domain_id>"]],
where <cloud_admin_domain_id> is the ID of cloud_admin_domain (its UUID, not its name), as returned when the domain was created.
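To see why the cloud_admin rule has to be tied to one domain, here is a small evaluator for the list-of-lists policy syntax shown on the slide, added as an example and not Keystone's own policy engine. A rule is a list of alternatives, each a list of checks that must all hold; rule:<name> refers to another rule, role:<name> tests the token's roles, and any other key:value compares the token's credential with a literal or, for %(key)s, with the target being operated on. The policy subsets, the domain IDs and the three token contexts are constructed; check the targets in the shipped policy.v3cloudsample.json before relying on them.

```python
import json

CLOUD_ADMIN_DOMAIN_ID = "f0d8a9b4b7d64a26ad2c03e4f6b2a8c1"  # assumed ID of cloud_admin_domain

# Constructed subset in the shape of policy.v3cloudsample.json, with the slide's edit applied.
POLICY_TEXT = json.dumps({
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "cloud_admin": [["rule:admin_required", "domain_id:" + CLOUD_ADMIN_DOMAIN_ID]],
    "admin_and_matching_domain_id": [["rule:admin_required", "domain_id:%(domain_id)s"]],
    "identity:create_service": [["rule:cloud_admin"]],
    "identity:create_endpoint": [["rule:cloud_admin"]],
    "identity:update_domain": [["rule:cloud_admin"], ["rule:admin_and_matching_domain_id"]],
})

# Constructed subset in the shape of the stock policy.json: admin anywhere is admin everywhere.
STOCK_POLICY_TEXT = json.dumps({
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "identity:create_service": [["rule:admin_required"]],
    "identity:create_endpoint": [["rule:admin_required"]],
})

# Constructed token contexts, as the credentials seen by policy enforcement.
BOB = {"user_id": "bob", "roles": ["admin"], "domain_id": CLOUD_ADMIN_DOMAIN_ID}  # domain-scoped
CAROL = {"user_id": "carol", "roles": ["admin"], "project_id": "p1"}              # project-scoped
DAVE = {"user_id": "dave", "roles": ["admin"],
        "domain_id": "3a1c5e7f9b2d4f6a8c0e1b3d5f7a9c2e"}                          # another domain


def load_rules(text):
    return json.loads(text)


def _check(expr, creds, target, rules):
    kind, _, match = expr.partition(":")
    if kind == "rule":
        return enforce(match, creds, target, rules)
    if kind == "role":
        return match in creds.get("roles", [])
    if "%(" in match:                      # e.g. domain_id:%(domain_id)s reads the target
        try:
            match = match % target
        except KeyError:
            return False
    return str(creds.get(kind)) == match   # generic check: domain_id:<id>, is_admin:1


def enforce(rule_name, creds, target, rules):
    """True if any alternative of the named rule has all of its checks satisfied."""
    rule = rules[rule_name]
    if not rule:                           # [] means always allowed
        return True
    return any(all(_check(e, creds, target, rules) for e in alt) for alt in rule)


def placeholder_left(rules):
    """True if the sample's admin_domain_id placeholder was never replaced."""
    return any("domain_id:admin_domain_id" in e
               for rule in rules.values() for alt in rule for e in alt)


if __name__ == "__main__":
    rules = load_rules(POLICY_TEXT)
    for name, creds in (("bob", BOB), ("carol", CAROL), ("dave", DAVE)):
        print(name, "cloud_admin:", enforce("cloud_admin", creds, {}, rules),
              "create_endpoint:", enforce("identity:create_endpoint", creds, {}, rules))
    print("carol create_service under stock policy:",
          enforce("identity:create_service", CAROL, {}, load_rules(STOCK_POLICY_TEXT)))
```

With the stock policy, carol, an admin of one project, can register endpoints for the whole cloud; with the cloud-sample policy only a token scoped to cloud_admin_domain can, dave can still manage his own domain, and placeholder_left() catches the case where the service token was disabled but the policy edit was skipped, which leaves nobody holding cloud_admin.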
Leaking Sensitive Information in Log Messages
• Debug mode includes plaintext request logging
– Passwords
– Tokens
• Mitigate:
– Disable debug mode in keystone.conf:
[DEFAULT]
debug=False
– If debug mode has to stay on, upgrade the client so it stops logging credentials and tokens:
python-keystoneclient >= 0.10.1 (OSSN-0024)
Leaking Sensitive Information in Log Messages
Identity API v2: INFO-level logs contain auth tokens, because v2 token validation passes the token ID in the request URL and Keystone logs the URL (OSSN-0023)
Mitigate:
• Set the log level to WARN in logging.conf:
[handler_file]
class = FileHandler
level = WARN
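Before the log level is lowered, and for logs already written, a detector is useful. This added example (not the deck's or OpenStack's code) scans for the two leaks behind OSSN-0023 and OSSN-0024 and redacts them. The lines are constructed in the general shape of Icehouse-era Keystone and python-keystoneclient logging; the token IDs and password are made up, and the PKI-token pattern is a heuristic.

```python
import re

# Constructed log excerpt: lines 1, 3, 4 and 5 leak something; 2, 6 and 7 do not.
SAMPLE_LOG = """\
2014-09-10 12:00:01.101 4242 INFO keystone.common.wsgi [-] GET http://10.0.0.5:35357/v2.0/tokens/9b6f0c2e4d8a4f1a8e3c5b7d9f1a2c3e
2014-09-10 12:00:01.230 4242 INFO keystone.common.wsgi [-] POST http://10.0.0.5:5000/v2.0/tokens
2014-09-10 12:00:02.004 4242 DEBUG keystoneclient.session [-] REQ: curl -i -X POST http://10.0.0.5:5000/v2.0/tokens -H "Content-Type: application/json" -d '{"auth": {"tenantName": "demo", "passwordCredentials": {"username": "alice", "password": "Sup3rS3cret!"}}}'
2014-09-10 12:00:02.120 4242 DEBUG keystoneclient.session [-] RESP BODY: {"access": {"token": {"id": "4e7a1c9d2b8f4a6e9c1d3b5f7a9e2c4d", "expires": "2014-09-10T13:00:02Z"}}}
2014-09-10 12:00:03.500 4242 DEBUG keystoneclient.session [-] REQ: curl -i -X GET http://10.0.0.5:8774/v2/servers -H "X-Auth-Token: 4e7a1c9d2b8f4a6e9c1d3b5f7a9e2c4d"
2014-09-10 12:00:04.000 4242 INFO keystone.common.wsgi [-] GET http://10.0.0.5:35357/v2.0/users/8c1e0f2a3b4c5d6e7f8091a2b3c4d5e6
2014-09-10 12:00:05.000 4242 WARNING keystone.common.wsgi [-] Authorization failed. The request you have made requires authentication.
"""

# Each pattern captures exactly the secret in group 1.
PATTERNS = {
    "token in URL (OSSN-0023)":  re.compile(r"/v2\.0/tokens/([0-9a-f]{32})"),
    "X-Auth-Token header":       re.compile(r"X-Auth-Token:\s*([A-Za-z0-9+/=_-]+)"),
    "password in request body":  re.compile(r'"password"\s*:\s*"([^"]*)"'),
    "token id in response body": re.compile(r'"token"\s*:\s*\{[^}]*?"id"\s*:\s*"([0-9a-f]{32})"'),
    "PKI token blob":            re.compile(r"\b(MII[A-Za-z0-9+/=-]{64,})"),  # heuristic
}


def find_leaks(log_text):
    """Return (line_number, kind, secret) for every leak found."""
    found = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                found.append((n, kind, m.group(1)))
    return found


def redact(line):
    """Replace each secret with a fixed marker and keep the rest of the line."""
    for pat in PATTERNS.values():
        line = pat.sub(lambda m: m.group(0).replace(m.group(1), "***REDACTED***"), line)
    return line


if __name__ == "__main__":
    for n, kind, secret in find_leaks(SAMPLE_LOG):
        print("line %d: %s (%s...)" % (n, kind, secret[:6]))
    print(redact(SAMPLE_LOG.splitlines()[2]))
```

A user ID in a URL (line 6) is deliberately not flagged: only the /tokens/ path carries a bearer credential. Run redact() in the log shipper, and treat any token that find_leaks() reports from an existing log as compromised until it has expired or been revoked.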
Keystone DoS Attack
Identity API v3 – authentication chaining – CVE-2014-2828
A v3 authentication request may list the same authentication method many times; a vulnerable Keystone processes every entry, so one small request consumes a large amount of CPU.
Mitigate:
• Impacted versions: 2013.1 (Grizzly) through 2013.2.3 (Havana)
• Patch applied in Icehouse RC2
• Upgrade Keystone to >= 2013.2.4
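The upgrade is the fix; where a node cannot be upgraded immediately, the malformed request can be rejected before it reaches Keystone. The validator below is an added example, not the upstream patch: it rejects a v3 request whose methods list repeats a method, exceeds a small limit, or names a method without its payload, which is the check a deployer could place in a WSGI filter or a request-validating proxy in front of the node. The limit and the allow-list of methods are assumptions, and the request bodies are constructed.

```python
import json

MAX_METHODS = 3                         # assumed limit; real requests use one or two
KNOWN_METHODS = {"password", "token"}   # assumed allow-list; extend for methods you enable


class BadAuthRequest(ValueError):
    pass


def validate_v3_auth(body_text, max_methods=MAX_METHODS, known=KNOWN_METHODS):
    """Return the method list if the request is acceptable, else raise BadAuthRequest."""
    try:
        identity = json.loads(body_text)["auth"]["identity"]
        methods = identity["methods"]
    except (ValueError, KeyError, TypeError):
        raise BadAuthRequest("missing auth.identity.methods") from None
    if not isinstance(methods, list) or not methods:
        raise BadAuthRequest("methods must be a non-empty list")
    if len(methods) > max_methods:
        raise BadAuthRequest("%d methods listed, limit is %d" % (len(methods), max_methods))
    if len(set(methods)) != len(methods):
        raise BadAuthRequest("duplicate authentication method (authentication chaining)")
    for m in methods:
        if m not in known:
            raise BadAuthRequest("unsupported method %r" % m)
        if m not in identity:
            raise BadAuthRequest("method %r listed without its payload" % m)
    return methods


def is_acceptable(body_text):
    try:
        validate_v3_auth(body_text)
        return True
    except BadAuthRequest:
        return False


def password_request(repeat=1):
    """Constructed v3 password request; repeat > 1 is the chained form."""
    return json.dumps({"auth": {"identity": {
        "methods": ["password"] * repeat,
        "password": {"user": {"name": "alice", "domain": {"id": "default"},
                              "password": "x"}}}}})


if __name__ == "__main__":
    print(validate_v3_auth(password_request()))            # ['password']
    try:
        validate_v3_auth(password_request(repeat=5000))    # the chained request
    except BadAuthRequest as e:
        print("rejected:", e)
```

Rejecting on the methods list alone keeps the check cheap: the request is refused before any password hashing or token lookup happens, which is exactly the work the chained request was multiplying.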
Q&A
Let’s talk…
Thank You
Priti Desai
Priti_Desai@symantec.com
@pritidesai8
References
• http://docs.openstack.org/developer/keystone/
• https://blog-nkinder.rhcloud.com/?p=7
• https://blueprints.launchpad.net/keystone/+spec/service-scoped-tokens
• http://docs.openstack.org/sec/
• http://www.florentflament.com/blog/setting-keystone-v3-domains.html
• https://wiki.openstack.org/wiki/Security_Notes
References (Images)
• Crime Identity Theft: http://internet.phillipmartin.info/crime_identity_theft.gif
• Computer Theft: http://blogs.citypages.com/blotter/Computer%20theft.gif
• Mickey Washington ID: http://assets.nydailynews.com/polopoly_fs/1.1864391!/img/httpImage/image.jpg_gen/derivatives/article_970/mickey13n-1-web.jpg
• Threat, Asset, and Vulnerability: http://www.technetics.com.au/images/easyblog_images/79/b2ap3_thumbnail_manage_your_risk_400_20140924-122014_1.jpg
• OpenStack Security Notes: http://www.openstack.org/assets/openstack-logo/openstack-one-color-alt.pdf
• OpenStack Security Guide: http://docs.openstack.org/common/images/openstack-security-guide.jpg