The Day After Yesterday


(1)

The Day After Yesterday

or: How I Learned to Stop Worrying About Securing the Cloud

(2)

Start at the Beginning

Virtualization Security is easy once you understand how hard it is

Cloud Security is a topic almost as controversial as the Healthcare Bill, but much more widely debated

With all this topic encompasses, I’m going to focus only on the practical, and leave theorizing and pontificating about “the future of cloud” to other pundits

(3)

The Next 54 Minutes

My focus is on the enterprise

My focus is largely on virtualization

I’m only going to talk specifics with regards to the most “popular” solutions

My focus is on what can you do today

(4)

Topics

Practical VirtSec

Resources

Hypervisor

Management Interface

Virtual Machines

Virtual Networks

Practical CloudSec

Risks

Mitigation

EC2 Basics

VPC

Third-party

(5)

Virtualization is...

Broad term, many uses

Abstraction of characteristics of physical compute resources from systems, users, applications

Typically:

Resource (virtual memory, RAID, SAN)

Platform (virtual machines)

(6)

Cloud is...

A nebulous term ;)

A collection of _____, comprised of _____, that can be rapidly _____

Resources hosted _____

Not a new technology!

(7)

Cloud is...

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (The NIST definition)

(8)

VirtSec is...

Security of virtual infrastructure and the virtual machines running within it

Many considerations are the same in virtual and physical infrastructure; however, virtualization does introduce a unique architecture and a few unique challenges

(9)

CloudSec is...

Defined by individual interpretation and implementation of “cloud”

More process than technology

Subject to the same advantages and disadvantages inherent in cloud

(10)

VirtSec in Practice

(11)

Simpler is Better

Keep It Simple, Stupid (KISS)

Make Your Architecture Simpler to Secure!

More moving pieces means more time, effort and money required to implement security completely and effectively

Don’t let the capabilities of your platform fool you into believing you need all of them

(MYASS)

(12)

Where the Wild Things Are

Five primary [sub]systems:

Compute, network and storage resources

Hypervisor / VMM / vmkernel

Virtual machines (guest OS)

Service console (COS, dom0)

Networking [layer]

(13)

Secure Your Resources

Your virtual infrastructure is only as secure as the resources that comprise it!

Securing your compute, network and storage infrastructure is as important as securing the hypervisor and guests

(14)

Storage and Network

Zoning and masking

Isolated [dedicated] IP storage networks

Mutual CHAP for iSCSI, restrict NFS by IP

Firewalls throughout, forward and reverse proxies where possible

Consider physical log and monitoring servers, IDS/IPS, load balancers

(15)

Secure Your Hypervisor

Not generally user-serviceable

Small(ish) attack surface

Area of least control (and concern)

See hyperjacking

See redpill / bluepill

The future? Hardware Root of Trust

(16)

Service Console

In ESX, COS is based on RHEL/CentOS

Moderately secure out of the box (only authenticated and encrypted management services on by default)

Still, needs additional hardening to be considered secure

ESXi has BusyBox, no real COS

XenServer dom0 is also CentOS

(17)

ESX Minimum Required Hardening

Limit use of su to members of wheel group

Enforce use of sudo and use aliases

Configure TCP wrappers (hosts.deny)

Authenticate via AD or LDAP

Replace the default self-signed SSL certs

Configure NTP and remote logging

(18)

Further COS Hardening

VMware’s Hardening Guides (VI3, vSphere)

CIS ESX server benchmark

Tripwire’s ConfigCheck, OpsCheck

XenSource wiki

(19)
(20)

Configure NTP & Remote Logging

Configure host to sync time via NTP

Configure remote logging (consider syslog-ng, Splunk, MITRE’s CEE)

Configure alarms and alerts via SNMP

Archive logs to read-only media daily

Keep your COS/dom0 patched!
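The minimum hardening items and the NTP / remote-logging items above are the kind of thing that drifts silently after a host is rebuilt or restored, so a practitioner will want a repeatable check rather than a one-time checklist. The following audit is an added example, not from the original deck or from any VMware tool: it reads a RHEL-style console tree (pam_wheel for su, a sudoers Cmnd_Alias for the wheel group, TCP wrappers hosts.deny, ntp.conf, syslog.conf) and reports which of the five file-based items are missing. The paths, directives and the two fixture trees it builds are assumptions for the example; the AD/LDAP and certificate items from the slide need a look at the PAM/NSS stack and the served certificate and are not covered here.

```python
"""Audit a service-console (COS/dom0) config tree for the file-based hardening
items on the slides above. Added example; paths and directives are assumptions
about a RHEL-style console, not a VMware-supplied check."""
import os
import re
import tempfile

# (check name, path relative to the root, regex that must match an active line)
CHECKS = [
    ("su limited to wheel", "etc/pam.d/su",
     r"^auth\s+required\s+pam_wheel\.so\b.*\buse_uid\b"),
    ("sudo granted via alias", "etc/sudoers", r"^%wheel\s+ALL="),
    ("TCP wrappers default deny", "etc/hosts.deny", r"^ALL\s*:\s*ALL\b"),
    ("NTP server configured", "etc/ntp.conf", r"^server\s+\S+"),
    ("remote syslog target", "etc/syslog.conf", r"^\*\.\*\s+@\S+"),
]


def _active_lines(path):
    """Yield non-blank, non-comment lines; a missing file yields nothing."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#"):
                    yield line
    except FileNotFoundError:
        return


def audit_cos(root):
    """Return the names of the checks that fail for the tree rooted at `root`
    (point it at "/" on a live console or at a copied tree)."""
    failures = []
    for name, rel, pattern in CHECKS:
        regex = re.compile(pattern)
        lines = _active_lines(os.path.join(root, rel))
        if not any(regex.search(line) for line in lines):
            failures.append(name)
    return failures


def build_fixture(hardened):
    """Write a constructed config tree to a temp dir and return its path.
    hardened=False reproduces stock (unhardened) contents for comparison."""
    root = tempfile.mkdtemp(prefix="cos-")
    files = {
        "etc/pam.d/su": "#%PAM-1.0\nauth sufficient pam_rootok.so\n"
        + ("auth required pam_wheel.so use_uid\n" if hardened
           else "#auth required pam_wheel.so use_uid\n"),
        "etc/sudoers": "root ALL=(ALL) ALL\n"
        + ("Cmnd_Alias VMADMIN = /usr/sbin/esxcfg-*\n%wheel ALL=VMADMIN\n"
           if hardened else ""),
        "etc/hosts.deny": "#\n" + ("ALL: ALL\n" if hardened else ""),
        "etc/ntp.conf": ("server ntp.example.internal iburst\n" if hardened
                         else "# no servers\n"),
        "etc/syslog.conf": "*.info;mail.none /var/log/messages\n"
        + ("*.* @loghost.example.internal\n" if hardened else ""),
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for label, tree in (("stock", build_fixture(False)),
                        ("hardened", build_fixture(True))):
        print(label, "failed checks:", audit_cos(tree) or "none")
```

Run it from cron on each host and ship the output to the same remote syslog target it checks for; a host that stops reporting is itself a finding.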

(21)

Virtual Machines

VMs are highly mobile and often short-lived

“VM sprawl” results from creation of new VMs to suit every whim

Most organizations have poor change control and/or patch management systems for virtual infrastructure

Introspection mechanisms not widely available, deployed

(22)

The Malignant OS

Needs to be hardened / secured just like on physical machines

Principles of minimization will lead to smaller, faster, more secure VMs

(23)

Power. Respect. JEOS.

How far will you go to get it?

Just Enough Operating System

Most effective way to ensure security of virtual infrastructure

Difficult to achieve today, not impossible

nLite, vLite, LitePC

Ubuntu VM Builder, SuSE Studio, rPath

(24)

See the service guides at http://blackviper.com

http://nliteos.com

(25)

Guest OS Hardening

Consider automated assessment tools, checklists and/or hardening scripts

nmap, Nessus, Metasploit, CANVAS

“15 Steps to Hardening WS2003”

Microsoft Baseline Security Analyzer

Bastille Linux

(26)
(27)

VM Introspection

Examine and understand internal state of a running VM

VMsafe

XenAccess

Virtual Introspection for Xen

(28)

Virtual Networking

Built-in vSwitches provide some protection

Limit promisc mode

Prevent mac changes / forgery

Basic VLAN tagging, trunking

No native ACLs or firewalling
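The three vSwitch protections above (promiscuous mode, MAC address changes, forged transmits) are each a single Accept/Reject flag, and a port group inherits the vSwitch setting unless it overrides it, which is where weak settings hide. The following check is an added example, not from the deck or from VMware: the inventory is a constructed dictionary shaped like those three flags (allowPromiscuous, macChanges, forgedTransmits) as a vSphere standard vSwitch exposes them, with the vSwitch0 policy set to the documented standard-vSwitch defaults (promiscuous Reject, MAC changes Accept, forged transmits Accept). The port group names and the sensor allow-list are assumptions.

```python
"""Find port groups whose effective vSwitch security policy still accepts
promiscuous mode, MAC changes or forged transmits. Added example; the
inventory below is constructed, not exported from a real host."""

SECURITY_FLAGS = ("allowPromiscuous", "macChanges", "forgedTransmits")

# Constructed inventory: True means Accept, False means Reject.
INVENTORY = {
    "vSwitch0": {
        # documented defaults for a standard vSwitch: Reject / Accept / Accept
        "policy": {"allowPromiscuous": False, "macChanges": True,
                   "forgedTransmits": True},
        "portgroups": {
            "Management Network": {},                       # inherits everything
            "VM Network": {"macChanges": False, "forgedTransmits": False},
            "IDS Span": {"allowPromiscuous": True},         # sensor needs promisc
        },
    },
}

# Port groups that legitimately need promiscuous mode (a sensor port, e.g.)
ALLOWED_PROMISC = frozenset({"IDS Span"})


def hardened_policy():
    """The baseline the slide calls for: reject all three."""
    return {flag: False for flag in SECURITY_FLAGS}


def effective_policy(switch_policy, portgroup_overrides):
    """A port group falls back to its vSwitch for any flag it does not set."""
    return {flag: portgroup_overrides.get(flag, switch_policy[flag])
            for flag in SECURITY_FLAGS}


def find_weak_portgroups(inventory, allowed_promisc=frozenset()):
    """Return (vswitch, portgroup, flag) for every flag left at Accept,
    except promiscuous mode on port groups explicitly allow-listed."""
    findings = []
    for vswitch, data in inventory.items():
        for pg, overrides in data["portgroups"].items():
            eff = effective_policy(data["policy"], overrides)
            for flag in SECURITY_FLAGS:
                if not eff[flag]:
                    continue
                if flag == "allowPromiscuous" and pg in allowed_promisc:
                    continue
                findings.append((vswitch, pg, flag))
    return findings


if __name__ == "__main__":
    for finding in find_weak_portgroups(INVENTORY, ALLOWED_PROMISC):
        print("ACCEPT left on: %s / %s / %s" % finding)
```

The point of the allow-list is that the exception is written down next to the check; a sensor port group that silently accepts promiscuous mode on an unnamed vSwitch is exactly the configuration that gets copied to production.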

(29)

Enhanced Virtual Networking

New vSwitches provide greatly enhanced functionality and security (Open vSwitch, Cisco Nexus 1000v)

You can also do a fairly effective job with:

Vyatta, LRP, FreeSCO

m0n0wall, pfSense, OpenBSD

Astaro, IPcop, Untangle

(30)

Important Considerations

Isolated, OOB management network

Isolated, OOB ip storage networks

Redundant NICs in NIC teams across redundant switches

Physical separation between prod and dev

Physical interfaces always preferred over VLANs for segmentation

(31)

UTM-in-a-VM?

In addition to firewalls, consider that you may need to provide VM-based IDS / IPS, authentication, NAC, and/or malware protection and content filtering within your virtual networks

Astaro and Untangle provide much of this functionality already

(32)
(33)

Configuration Management

Configuration management and change control are two of the most critical elements in an effective security policy

They are also the two most frequently overlooked and/or shoddily implemented processes

There are tools available to help, you just have to use them!

(34)
(35)

http://veeam.com

(36)

http://racktables.org

http://opennetadmin.com/

(37)

CloudSec in Practice

(38)

"Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties. "

From the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing

(39)

Fundamentals

K.I.S.S. (M.Y.A.S.S.)

Define assets, understand trust models

Understanding cloud key to securing cloud

5 cloud characteristics

3 service models

4 deployment models

(40)

4 8 15 16 23 42

Five characteristics

On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service

Three service models

SaaS, PaaS, IaaS

Four deployment models

Public, Community, Private, Hybrid

(41)

Cloud Security Alliance

(42)

What Do We Mean By

Cloud Security?

Infrastructure security?

Virtualization security?

Application security?

Compliance?

It’s all about the assets

(43)

What Do You Mean

What Do I Mean?

Infrastructure, virtualization and application security are no less important than before, but managed differently

Compliance is important, but useless taken out of context (SAS 70 Type II, but with which controls?)

Compliance doesn’t fully address governance, residency, access

(44)

“The spot where we intend to fight must not be made known; for then the enemy will have to prepare against a possible attack at several different points;”

Sun Tzu

(45)

Predominant Risks

Loss of governance

[Lack of transparency]

Lock-in

Isolation failure

Management interface compromise

Data protection

Incomplete or insecure data deletion

Malicious insider

From ENISA’s Benefits, Risks and Recommendations for Information Security

(46)

Barriers

Largely questions of governance, residency and compliance

Where is your data?

Who has access?

Who controls and manages it?

How is the data accessed?

(47)

Mitigation

Encrypt locally before storing in the cloud

Ensure external key storage and management

Keep private data out of cloud

Build protection mechanisms directly into your resources in the cloud

Host private cloud
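The first two mitigations above (encrypt locally, keep key management outside the provider) are one design when done properly: a fresh data key per object, wrapped by a key-encryption key that never leaves your own key management, so the provider stores only ciphertext and wrapped keys. The same design also answers the ENISA “incomplete or insecure data deletion” risk, because destroying the KEK makes every wrapped key in the cloud useless (crypto-shredding). The following is an added example, not from the deck or from any vendor named on it. To run without third-party packages it builds its cipher from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag; in production you would use an AEAD such as AES-GCM from a vetted library and a real HSM or KMS in place of the LocalKMS stand-in. The key IDs, object names and payload are constructed.

```python
"""Client-side envelope encryption with the KEK held outside the cloud.
Added example. Cipher is HMAC-SHA256 in counter mode plus an
encrypt-then-MAC tag so it needs only the standard library; substitute a
real AEAD (AES-GCM) and a real KMS in production."""
import hashlib
import hmac
import os
import struct


def _keystream(key, nonce, length):
    """PRF-CTR keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    enc_key, mac_key = _subkeys(key)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    """Check the tag before decrypting; any modification raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: modified object or wrong key")
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class LocalKMS:
    """Stand-in for on-premises key management: holds KEKs, never exports them."""

    def __init__(self):
        self._keks = {}

    def create_kek(self, kek_id):
        self._keks[kek_id] = os.urandom(32)

    def wrap(self, kek_id, dek):
        return seal(self._keks[kek_id], dek, aad=kek_id.encode())

    def unwrap(self, kek_id, wrapped):
        return unseal(self._keks[kek_id], wrapped, aad=kek_id.encode())

    def destroy_kek(self, kek_id):
        del self._keks[kek_id]          # crypto-shredding: cloud copies now unreadable


def encrypt_for_cloud(kms, kek_id, object_name, plaintext):
    """One fresh DEK per object; only ciphertext and the wrapped DEK are uploaded.
    The object name is bound as associated data so a renamed object fails."""
    dek = os.urandom(32)
    return {
        "name": object_name,
        "kek_id": kek_id,
        "wrapped_dek": kms.wrap(kek_id, dek),
        "body": seal(dek, plaintext, aad=object_name.encode()),
    }


def decrypt_from_cloud(kms, obj):
    dek = kms.unwrap(obj["kek_id"], obj["wrapped_dek"])
    return unseal(dek, obj["body"], aad=obj["name"].encode())


if __name__ == "__main__":
    kms = LocalKMS()
    kms.create_kek("tenant-kek-1")
    obj = encrypt_for_cloud(kms, "tenant-kek-1", "hr/payroll.csv",
                            b"constructed payroll data")
    print(decrypt_from_cloud(kms, obj))
    kms.destroy_kek("tenant-kek-1")      # nothing stored in the cloud is readable now
```

Note what the provider never sees: the KEK, and therefore any plaintext. Everything it does hold (wrapped DEKs and bodies) is bound to the key ID and object name, so a copied or renamed object fails the tag check rather than decrypting under the wrong context.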

(48)

Encourage Adoption of

Open Standards

Will help with transparency

Will help avoid lock-in

Will help in understanding governance

Will help in achieving compliance

(49)

Required Reading

CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing

ENISA’s Benefits, Risks and Recommendations for Information Security

CloudSecurity.org

RationalSurvivability.com/blog

(50)

EC2 Security Basics

Automate, orchestrate, standardize using RightScale, Puppet, Chef, etc.

Firewall rules / security groups

SSH keys, AWS multi-factor auth

Use modern, trusted AMIs, patch regularly

Know what you’re doing? Roll your own
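Security groups are the firewall rules the slide refers to, and the classic mistake is an administrative port (SSH, RDP) or an all-protocol rule open to 0.0.0.0/0 or ::/0 instead of to a bastion range. The following check is an added example, not from the deck or from AWS: the three groups are constructed records in the shape of the IpPermissions structure that DescribeSecurityGroups returns (IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges, UserIdGroupPairs), and the group IDs, names and CIDRs are assumptions.

```python
"""Flag EC2 security-group rules that expose administrative ports to the
whole Internet. Added example; the groups below are constructed records in
the DescribeSecurityGroups IpPermissions shape, not live API output."""

ADMIN_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # weak: SSH to the world
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0b2", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # corrected: office range only
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0c3", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1",                                          # weak: everything over IPv6
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,         # fine: only from sg-0a1
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1"}]},
    ]},
]


def _world_open(perm):
    """True when any source of the rule is the whole IPv4 or IPv6 Internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def _ports_covered(perm):
    """Port range as (low, high); protocol -1 means every port of every protocol."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def find_exposed_admin_ports(groups, admin_ports=ADMIN_PORTS):
    """Return (GroupId, port, service) for every admin port reachable from anywhere."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            if not _world_open(perm) or perm.get("IpProtocol") not in ("tcp", "-1"):
                continue
            low, high = _ports_covered(perm)
            for port, service in admin_ports.items():
                if low <= port <= high:
                    findings.append((group["GroupId"], port, service))
    return findings


if __name__ == "__main__":
    for group_id, port, service in find_exposed_admin_ports(GROUPS):
        print("%s exposes %s (tcp/%d) to the Internet" % (group_id, service, port))
```

The bastion group shows the corrected form: SSH from one known range, with key-based login and MFA on the console account behind it, and everything else reaching the hosts only by security-group reference.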

(51)

Virtual Private Clouds

Connect existing datacenter infrastructure to isolated cloud resources

Private, overlay network

Extend existing datacenter security and monitoring controls into the cloud

Amazon VPC

CohesiveFT VPN-Cubed

CloudSwitch

(52)

More CloudSec

EnStratus

Extra-cloud key and credential storage and management

PerspecSys

Apps in the cloud, data at home

More solutions are coming every day, and I am interested in hearing about those I neglected to include or mention!

(53)

In Conclusion

VirtSec and CloudSec follow the same rules that the rest of our infrastructure follows, though they do introduce new surfaces, forms of exposure, and questions about governance and responsibility

Secure your resources first, then focus on hardening your guests and instances: the most likely sources of compromise and/or data loss, theft or manipulation
