cloud computing implementation practically using vmware


Upload: sameer-sardar

Post on 10-Jan-2017


Page 1: Cloud computing implementation practically using vmware

Cloud Security

ACKNOWLEDGEMENTS

We are deeply indebted to our esteemed supervisor and guide Mr. Sanjay Sharma for his invaluable guidance, help and moral support. Without his support and timely guidance the completion of our project and its report would be a far-fetched dream.

We are grateful to Mr. Lokesh Chaudhary (Director, Bytes Softech Pvt Ltd) and Mr. Raju Tiwari (Chief Administrative Officer) for their learned guidance and the moral support we received from them while working on this project. We are thankful to all the faculty of C-DAC Delhi who have contributed, directly or indirectly, to our endeavor to make our project a success.

We feel indebted to express our heartiest thanks to Mr. H N Harsh and Mr. Anil Vishwakarma for their constant support and encouragement from the native idea of project to the great completion.


DECLARATION

We declare that the work presented in this project titled “Cloud Security”, in partial fulfillment of the requirements for the award of the Certificate Course in Network Security (CCNS) at the Centre for Development of Advanced Computing (C-DAC), is an authentic record of our own work carried out under the guidance of Mr. Sanjay Sharma.

Name of students: AMIT KUMAR JHA PALLAVI SINGH

ANUSHRI JHA KUSHAL VARSHNEY

SUBHASH PRAVEEN KUMAR SHUKLA

SAMEER SARDAR ABHISHEK


Table of Contents

Declaration
Abstract
1. Introduction
2. Cloud computing Basics
3. Types of Cloud
4. Advantages of using Cloud
5. Cloud Architecture
6. Security challenges
7. Need for Security in Cloud
8. Security and privacy attributes
9. Project Overview


ABSTRACT

The term “cloud computing” is a recent buzzword in the IT world. Behind this fancy poetic phrase lies a true picture of the future of computing, from both a technical and a social perspective. Though the term “cloud computing” is recent, the idea of centralizing computation and storage in distributed data centers maintained by third-party companies is not new; it dates back to the 1990s, along with distributed computing approaches like grid computing. Cloud computing is aimed at providing IT as a service to the

Computers have become an indispensable part of life. We need computers

everywhere, be it for work, research or in any such field. As the use of computers in

our day-to-day life increases, the computing resources that we need also go up. For

companies like Google and Microsoft, harnessing the resources as and when they

need it is not a problem. But when it comes to smaller enterprises, affordability

becomes a huge factor. With the huge infrastructure come problems like machine

failures, hard drive crashes, software bugs, etc. This might be a big headache for such

a community. Cloud Computing offers a solution to this situation.

Cloud computing is the style of computing where massively scaled IT related

capabilities are provided as a service across the internet to multiple external

customers and are billed by consumption. Many cloud computing providers have

popped up and there is a considerable growth in the usage of this service. Google,

Microsoft, Yahoo, IBM and Amazon have started providing cloud computing

services. Amazon is the pioneer in this field. Smaller companies like SmugMug,

an online photo hosting site, have used cloud services for storing all the

data and running some of their services.

Cloud Computing is finding use in various areas like web hosting, parallel

batch processing, graphics rendering, financial modelling, web crawling, genomics

analysis, etc.


Introduction

Cloud computing is Internet ("cloud") based development and use of computer

technology ("computing"). It is a style of computing in which dynamically scalable

and often virtualized resources are provided as a service over the Internet. Users need

not have knowledge of, expertise in, or control over the technology infrastructure "in

the cloud" that supports them.

A cloud is essentially a bunch of commodity computers networked together in the same or different geographical locations, operating together to serve a number of customers with different needs and workloads on demand with the help of virtualization. Cloud services are provided to cloud users as utility services, like water, electricity or telephone, using a pay-as-you-use business model. These utility services are generally described as XaaS (X as a Service), where X can be Software, Platform, Infrastructure, etc.

Cloud users use these services provided by the cloud providers to build their applications on the Internet and deliver them to their end users. Cloud users therefore don't have to worry about installing and maintaining the hardware and software needed. They can also afford these services, as they pay only for as much as they use. Cloud users can thus reduce their IT expenditure and effort by using cloud services instead of establishing IT infrastructure themselves.

Cloud is essentially provided by large distributed data centers. These data

centers are often organized as a grid, and the cloud is built on top of the grid services.

Cloud users are provided with virtual images of the physical machines in the data

centers. This virtualization is one of the key concepts of cloud computing as it

essentially builds the abstraction over the physical system. Many cloud applications

are gaining popularity day by day for their availability, reliability, scalability and

utility model.


Types of Cloud

Cloud can be of three types:

1. Private Cloud: This type of cloud is maintained within an organization and used solely for its internal purposes, so the utility model is not a big term in this scenario. Many companies are moving towards this setting, and experts consider it the first step for an organization moving into the cloud. Security and network bandwidth are not critical issues for a private cloud.

2. Public Cloud: In this type, an organization rents cloud services from cloud providers on an on-demand basis. Services are provided to the users using the utility computing model.

3. Hybrid Cloud: This type of cloud is composed of multiple internal or external clouds. This is the scenario when an organization moves to the public cloud computing domain from its internal private cloud.

Cloud deployment model


Advantages of using Cloud

The advantages of using cloud services can be technical, architectural, business-related, etc.

1. Cloud Providers' point of view

Most data centers today are under-utilized; they are mostly 15% utilized. These data centers need spare capacity just to cope with the huge spikes that sometimes occur in server usage. Large companies that own such data centers can easily rent that computing power to other organizations, profit from it, and also make proper use of the resources needed to run the data center (like power).

Companies with large data centers have already deployed the resources, so providing cloud services would need very little investment, and the cost would be incremental.

2. Cloud Users' point of view

Cloud users need not take care of the hardware and software they use, and they don't have to worry about maintenance. The users are no longer tied to one traditional system.

Virtualization technology gives users the illusion that they have all the resources available.

Cloud users can use resources on demand and pay only for as much as they use, so they can plan to reduce their usage and minimize their expenditure.

Scalability is one of the major advantages for cloud users. It is provided dynamically: users get as many resources as they need. This model therefore fits the management of rare spikes in demand perfectly.


Cloud Architecture

The architecture of a cloud involves multiple cloud components communicating with each other over application programming interfaces (APIs), usually web services. The two most significant components of cloud computing architecture are known as the front end and the back end. The front end is the part seen by the client, i.e. the customer. This includes the client's network or computer and the applications used to access the cloud via a user interface such as a web browser. The back end of the cloud computing architecture is the cloud itself, which comprises various computers, servers and data storage devices.

The general architecture of a cloud platform is also known as the cloud stack. Cloud services may be offered in various forms from the bottom layer to the top layer, in which each layer represents one service model.

The three key cloud delivery models are:

Cloud delivery model


a) Infrastructure-as-a-Service (IaaS)

Provides virtual machines and other abstracted hardware and operating

systems which may be controlled through a service API.

This type of cloud computing service enables subscribers to use

fundamental IT resources such as computing power, virtualization, data

storage, network, and so on, on demand. As cloud service providers are

responsible for managing the underlying cloud-computing infrastructure,

subscribers can avoid costs of human capital, hardware, and others.

E.g. Amazon EC2, GoGrid, Sungrid, Windows SkyDrive, etc.

b) Platform-as-a-Service (PaaS)

Offers development tools, configuration management, and deployment

platforms on-demand that can be used by subscribers to develop custom

applications.

This type of cloud computing service offers the platform for the

development of applications and services. Subscribers need not buy and

manage the software and infrastructure underneath it, but have authority

over deployed applications and perhaps application hosting environment

configurations.

Advantages of writing applications in the PaaS environment include

dynamic scalability, automated backups, and other platform services,

without the need to specifically code for it.

E.g. Intel MashMaker, Google App Engine, Force.com, Microsoft

Azure, etc.

c) Software-as-a-Service (SaaS)

Offers software to subscribers on-demand over the Internet.

This type of cloud computing service offers application software to

subscribers on demand over the Internet; the provider charges for it on

a pay-per-use basis, by subscription, by advertising, or by sharing

among multiple users.

E.g. web-based office applications like Google Docs or Calendar,

Salesforce CRM, etc.


Security Challenges

Cloud computing has become a successful and popular business model due to its attractive features. In addition to the benefits at hand, those same features also result in serious cloud-specific security issues. People concerned about cloud security continue to hesitate to transfer their business to the cloud. Security issues have been the dominant barrier to the development and widespread use of cloud computing.

Understanding the security and privacy risks in cloud computing and

developing efficient and effective solutions are critical for its success. Although

clouds allow customers to avoid start-up costs, reduce operating costs, and increase

their agility by immediately acquiring services and infrastructural resources when

needed, their unique architectural features also raise various security and privacy

concerns. There are three main challenges for building a secure and trustworthy cloud

system.

a) Outsourcing - Outsourcing brings down both capital expenditure (CapEx) and operational expenditure for cloud customers. However, outsourcing also means that customers physically lose control of their data and tasks. This loss of control has become one of the root causes of cloud insecurity.

To address outsourcing security issues, first, the cloud provider shall be trustworthy by providing trusted and secure computing and data storage; second, outsourced data and computation shall be verifiable to customers in terms of confidentiality, integrity, and other security services. In addition, outsourcing will potentially incur privacy violations, because sensitive/classified data is out of the owner's control.

Data service outsourcing security - Cloud computing provides access to data, but the challenge is to ensure that only authorized entities can gain access to it.


b) Multi-tenancy - Multi-tenancy means that the cloud platform is shared and utilized by multiple customers. Moreover, in a virtualized environment, data belonging to different customers may be placed on the same physical machine by a certain resource allocation policy. Adversaries, who may also be legitimate cloud customers, may exploit the co-residence issue. A series of security issues such as data breach, computation breach, flooding attack, etc., are incurred.

Although multi-tenancy is a definite choice of cloud vendors due to its economic efficiency, it introduces new vulnerabilities to the cloud platform. From a customer's perspective, the notion of using a shared infrastructure could be a huge concern. However, the level of resource sharing and the available protection mechanisms can make a big difference.

For example, to isolate multiple tenants' data, Salesforce.com employs a query rewriter at the database level, whereas Amazon uses hypervisors at the hardware level. Providers must account for issues such as access policies, application deployment, and data access and protection to provide a secure, multi-tenant environment.

Multi-tenancy security and privacy is one of the critical challenges for the public cloud, and finding solutions is pivotal if the cloud is to be widely adopted. However, little work exists today that not only addresses these problems but also consistently and scalably maintains this dynamic computing environment's scalability.

c) Massive data and intense computation - Cloud computing is capable of handling mass data storage and intense computing tasks. Therefore, traditional security mechanisms may not suffice due to unbearable computation or communication overhead. For example, to verify the integrity of data that is remotely stored, it is impractical to hash the entire data set. To this end, new strategies and protocols are expected.
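One strategy of the kind point c) calls for is a hash tree (Merkle tree): the customer keeps one root hash from upload time and checks any single stored block with a few sibling hashes instead of re-hashing the whole data set. The code below is an added example, not part of the original report; the block size, the sample data and all function names are assumptions.

```python
import hashlib

BLOCK_SIZE = 4  # tiny on purpose so the constructed sample spans many blocks


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def split_blocks(data: bytes, size: int = BLOCK_SIZE) -> list:
    return [data[i:i + size] for i in range(0, len(data), size)] or [b""]


def build_levels(blocks: list) -> list:
    """Hash tree over the blocks, leaves first, root last.

    Leaves and inner nodes get different prefixes so an inner node can never
    be presented as a data block. An unpaired node is promoted unchanged.
    """
    level = [_h(b"\x00" + b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        nxt = [_h(b"\x01" + level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        levels.append(nxt)
        level = nxt
    return levels


def prove(levels: list, index: int) -> list:
    """Provider side: sibling hashes on the path from leaf `index` to the root."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append(level[sibling])
        index //= 2
    return proof


def verify(root: bytes, n_blocks: int, index: int, block: bytes, proof: list) -> bool:
    """Customer side: needs only the root and block count kept from upload time.

    Left/right order is derived from `index`, not taken from the provider.
    """
    if not 0 <= index < n_blocks:
        return False
    node, width, hashes = _h(b"\x00" + block), n_blocks, list(proof)
    while width > 1:
        if (index ^ 1) < width:
            if not hashes:
                return False
            sib = hashes.pop(0)
            node = _h(b"\x01" + (node + sib if index % 2 == 0 else sib + node))
        index //= 2
        width = (width + 1) // 2
    return not hashes and node == root


def demo() -> dict:
    data = b"constructed sample payload standing in for a large remote file"
    blocks = split_blocks(data)
    levels = build_levels(blocks)           # built once, before upload
    root, n = levels[-1][0], len(blocks)    # all the customer has to keep

    stored = list(blocks)                   # what the provider holds later on
    stored[3] = b"XXXX"                     # silent corruption of one block

    return {
        "blocks": n,
        "proof_hashes": len(prove(levels, 3)),
        "intact_block_ok": verify(root, n, 2, stored[2], prove(levels, 2)),
        "corrupt_block_ok": verify(root, n, 3, stored[3], prove(levels, 3)),
    }


if __name__ == "__main__":
    print(demo())
```

Each check covers one block, so detecting corruption anywhere in the data depends on sampling enough randomly chosen indices over time.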


Need For Security in Cloud

A user's dependence on the cloud is analogous to a person's dependence on public transportation: it forces one to trust something over which one has no control, limits what one can transport, and subjects one to rules and schedules that wouldn’t apply if one had one's own vehicle. On the other hand, it is so economical that one does not realistically have any alternative. Users of the cloud are not aware of the location of their data and ultimately have to rely on the cloud service provider to exercise appropriate security measures. Cloud security is therefore the most important and most talked-about topic among IT professionals. Security in cloud computing is of two types:

a) Data security: It focuses on protecting the software and hardware associated with the cloud. It deals with choosing an apt location for data centers so as to protect them from internal threats, different types of weather conditions, fire and even physical attacks that might destroy the center physically, and from external threats, avoiding unauthorized access and break-ins.

b) Network security: Protecting the network over which the cloud is running from various attacks such as DoS, DDoS, IP spoofing, ARP spoofing and any novel attacks that intruders may devise. An attack on data affects a single user, whereas a successful attack on the network has the potential to affect multiple users. Therefore network security is of foremost importance.


Security and Privacy Attributes

The five most representative security and privacy attributes are confidentiality, integrity, availability, accountability, and privacy-preservability. Within the enterprise boundaries, data transmission usually does not require encryption, or has just a simple data encryption measure.

Security and privacy attributes

For data transmission across enterprise boundaries, both data confidentiality and integrity should be ensured in order to prevent data from being tapped and tampered with by unauthorized users. In other words, data encryption alone is not enough; data integrity also needs to be ensured. Transport protocols should therefore provide both confidentiality and integrity. Confidentiality and integrity of data transmission need to be ensured not only between enterprise storage and cloud storage but also between different cloud storage services.


Project Overview

Cloud servers are those built, hosted and delivered through a cloud computing

environment.

Having discussed the theoretical concepts of cloud computing, our main objective now is to implement a private cloud server, access it from a different network, and provide security by implementing a firewall.

Private cloud

Tasks to be implemented

Building and configuring the ownCloud server.

Firewall configuration and IP forwarding.

Installing the client software and accessing the cloud server from a client machine.

Testing port no. and security.


Configuration

Building Cloud Server

We can build our own cloud server with ownCloud. ownCloud provides a free,

open source file sharing and application server and platform with desktop and

smartphone applications, allowing you to create a personal or corporate cloud

under your own control. If you're a Dropbox user, then you're familiar with the

advantages of a remote cloud which keeps files on all of your desktops and

devices in sync and allows you to share them with other people.

Installing ownCloud on windows

You can install ownCloud on any OS because it is an open source, cross-platform application. Here we are installing it on a Windows OS.

Prerequisites

In order to finish we need the following:

1. Microsoft Visual Studio C++ 2010 framework

2. MySQL

3. PHP 5.4 or higher

4. ownCloud server application

We need the .NET Framework in order to install ownCloud, so first confirm that Microsoft Visual Studio C++ 2010 is installed on the system.

The second thing we need is WampServer, which provides both MySQL and PHP. Both services are installed on the system because ownCloud is a web application that provides the cloud service; it is written in the PHP programming language and uses MySQL to store information in a database.

Installing Wamp Server

You will see the Welcome To The WampServer Setup Wizard screen. Click

Next to continue the installation.


Follow the default installing procedure.

After successful installation of wamp server, run it.


Now, check in the notification area that WampServer is running.

Click on the Wamp icon and hover over Apache.

Click on httpd service.

You will see a configuration file.

Scroll down to line 265, change the directive from Require local to Require all granted, and save the file.

Close the file and all open folders. Click the WampServer icon in the system tray, and then click Restart all Services.

This makes this particular local system accessible from the network.


Installing ownCloud

Download ownCloud, unzip it, copy the ownCloud folder, and paste it in the location C:\wamp\www.

Launch the web browser, enter the URL http://localhost/ownCloud in the address bar and press Enter.

The ownCloud web page appears. Enter the username admin and the password qwerty@123 under the Create an admin account section.

Leave the data folder location set to default.

Under the Configure the database section:

a) Specify the database username: here the username is root and the password is blank, which is the default (you can change or specify your own username and password).

b) Specify the database host as localhost and click Finish setup.

It takes some time for the account to be set up.


After the account is successfully set up, a Welcome to ownCloud pop-up appears on the web page. Close the pop-up.

The ownCloud web page appears, displaying the directories containing files as shown in the screenshot.


Filtering Traffic using Network Firewall

We are using a network firewall to filter traffic to the cloud; we have placed it between the cloud and the private network. The same firewall also performs IP forwarding, and it lets us restrict communication to the port number we choose, i.e. port 80 here.

Note: we’re using pfSense as the network firewall.

Configuration of pfSense

For our project we need two NICs so that we can use the firewall as a router too.

We have completed the installation process as shown below.

After installation and interface assignment, pfSense has the following default configuration:

WAN is configured as an IPv4 DHCP client


LAN is configured with a static IPv4 address of 172.168.0.2/24

All incoming connections to WAN are blocked

All outgoing connections from LAN are allowed

NAT is performed on IPv4 traffic leaving WAN from the LAN subnet

The firewall will act as an IPv4 DHCP Server

The DNS Resolver is enabled so the firewall can accept and respond to DNS

queries

SSH is disabled.

WebGUI is running on port 443 using HTTPS.

Default credentials are set to a username of admin with password pfsense.

Now, we can access webGUI of pfSense by entering the link https://172.168.0.2 on

any system which is connected to the same LAN.

To access administrator account Username is admin and default password is

pfsense.


This is the GUI of the pfSense dashboard, showing the system overview.

To make this firewall act as a router, we need to set up port forwarding.

Click Firewall in the menu bar, go to NAT, select the Port Forward option, click Edit Redirect Entry and follow these steps to configure port forwarding:

Set Interface to WAN.

Set Protocol to TCP.

Define the Destination port range, i.e. HTTP.

Enter the Redirect Target IP (the internal IP address of the server to which the ports are mapped).

Define the Redirect Target Port, i.e. HTTP.

A description may be entered for administrative reference, i.e. webserver.

Set NAT Reflection to Enable (Pure NAT) and apply.


Accessing Cloud on Different Network

There are two methods to access the ownCloud server:

1. By entering the link of the ownCloud server in a web browser.

2. By using the ownCloud Desktop Client software, through which we can sync our local ownCloud folder directly to the cloud.

Following the second method, we install the ownCloud desktop client software.


After completion of the installation:

Set the server address of ownCloud and click Next.

Here we need to give the account credentials, whether you’re an admin or a user of the cloud server.

Enter the username and password, then click Next.

Set the local folder where you can copy your data and sync it to the cloud, and click Next.

Click Finish.

After successful installation you will see an ownCloud icon in the notification tray. If this icon is green, your data is syncing directly to the cloud.


Implementation

Now we’ll see the cloud implementation and how it works.

First we’ll create a user account in the ownCloud web GUI by logging in as an administrator.

After logging in to the admin account, the ownCloud web page appears, displaying the directories containing files.

Click admin at the top-right corner of the page, and select Users from the drop-down list.

You will be redirected to the Users web page. Here, you will create users who will be able to log in to the cloud server and access files.

You can either assign a user to a group or give him/her admin privileges by choosing a group or admin from the drop-down list.

Enter the name in the Login Name field and a password in the Password field.

Click Create. This creates a user account, so that the user can log in to the cloud server using the given credentials.


In this project, the user is assigned to Groups, and the username and password are

kushal and florida@123

Click files icon in the left pane, click New button and select Folder. Here you

will be creating a new folder and sharing it with specific user.

As soon as you click the folder icon, a text field appears. Specify a folder name

(here share) in the field and press enter.

The newly created folder appears on the page. Click on the share folder.

Click the Upload button. And select a file which you want to share.


The added file appears on the page. Now hover the mouse cursor over the file and click Share.

Type the name of the user with whom you want to share the file. As you type the username, a hint is displayed below it. Click on the hint.

The Share option now turns to Shared.

A folder named Shared is created in the user's ownCloud account; whichever file is shared by this admin is uploaded to this folder.

Now navigate to the location C:\wamp\www\ownCloud\config and open the file config.php with Notepad++.

Comment out the PHP code on line no. 5, i.e. trusted_domains, by adding // before the code, and save the file.

With this line commented out, the ownCloud website can be browsed by all the other hosts in the network.

Close the file, click the WampServer icon in the system tray, and then click Restart all Services.
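The two edits described in this report (Require all granted in httpd.conf and commenting out trusted_domains in config.php) widen access, and the setup also leaves the MySQL root account with a blank password. The following added example, not part of the original report, audits both files for those settings and places tighter variants beside them; the sample file contents, the 203.0.113.0/24 client network, cloud.example.test, oc_app and the function names are constructed placeholders.

```python
import re

# Constructed samples modelled on the edits this page describes.
HTTPD_AS_EDITED = """
<Directory "c:/wamp/www/">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
"""

CONFIG_AS_EDITED = """<?php
$CONFIG = array (
  'instanceid' => 'constructed-example',
  //'trusted_domains' => array (0 => 'localhost',),
  'dbtype' => 'mysql',
  'dbhost' => 'localhost',
  'dbuser' => 'root',
  'dbpassword' => '',
);
"""

# Tighter variants. 172.168.0.0/24 is the LAN subnet the page gives for pfSense;
# 203.0.113.0/24, cloud.example.test, oc_app and the password are placeholders.
# trusted_domains stays active and lists the names clients actually use.
HTTPD_TIGHTENED = HTTPD_AS_EDITED.replace(
    "Require all granted", "Require ip 172.168.0.0/24 203.0.113.0/24")

CONFIG_TIGHTENED = """<?php
$CONFIG = array (
  'instanceid' => 'constructed-example',
  'trusted_domains' => array (0 => 'localhost', 1 => 'cloud.example.test',),
  'dbtype' => 'mysql',
  'dbhost' => 'localhost',
  'dbuser' => 'oc_app',
  'dbpassword' => 'placeholder-use-a-generated-secret',
);
"""


def _active_lines(text, comment_prefixes):
    """Yield stripped lines that are not blank and not commented out."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith(comment_prefixes):
            yield stripped


def audit_httpd(conf):
    """Flag every scope in which Apache accepts requests from any address."""
    findings, directory = [], None
    for line in _active_lines(conf, ("#",)):
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            directory = opened.group(1)
        elif line.lower().startswith("</directory"):
            directory = None
        elif re.fullmatch(r"require\s+all\s+granted", line, re.I):
            scope = directory or "server-wide"
            findings.append(f"httpd: {scope} accepts any client address")
    return findings


def audit_owncloud(php):
    """Flag a disabled trusted_domains list and weak database credentials."""
    active = "\n".join(_active_lines(php, ("//", "#", "/*", "*")))
    findings = []
    if not re.search(r"'trusted_domains'\s*=>", active):
        findings.append("owncloud: trusted_domains is not set")
    user = re.search(r"'dbuser'\s*=>\s*'([^']*)'", active)
    password = re.search(r"'dbpassword'\s*=>\s*'([^']*)'", active)
    if user and user.group(1) == "root":
        findings.append("owncloud: application connects to MySQL as root")
    if password is not None and password.group(1) == "":
        findings.append("owncloud: database password is empty")
    return findings


def audit(httpd_conf, config_php):
    return audit_httpd(httpd_conf) + audit_owncloud(config_php)


if __name__ == "__main__":
    for label, conf, php in (("as edited", HTTPD_AS_EDITED, CONFIG_AS_EDITED),
                             ("tightened", HTTPD_TIGHTENED, CONFIG_TIGHTENED)):
        print(label, audit(conf, php))
```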

The above implementation shows how to access the web GUI of ownCloud from any system within the network. Now we’re going to use the ownCloud Desktop Client software in order to sync directly from any client system.

Open the ownCloud software, then enter the server address.

Enter your credentials to log in.

Confirm whether your account is syncing by clicking the notification tray and checking that the icon is green.

Now your ownCloud account is synced with the local folder C:\Users\Admin\ownCloud.

Whatever files you place in this folder will automatically be uploaded to the ownCloud account online.

Note: the files are synchronized only when the account is logged in.

Any changes you make here, such as adding or deleting a file or a folder, will take effect in the user account online.

Now, in order to upload a file directly from the local drive to the user’s ownCloud web server:

Copy a file and paste it in C:\Users\Admin\ownCloud\documents.


In pfSense (the firewall) we wrote a rule that allows traffic only on port no. 80, i.e. HTTP.

We then scan the server from a Kali Linux machine using Nmap.
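The firewall rule and the scan above can be turned into a repeatable pass/fail check: connect to a short list of TCP ports from the client side and compare what answers with the intended policy (port 80 only). This is an added example, not part of the original report; the port list, the loopback self-check and the function names are assumptions.

```python
import socket

ALLOWED_TCP = {80}               # the report's firewall rule: HTTP only
# Ports to confirm closed from outside, chosen from services this setup runs:
# SSH (disabled on pfSense), the pfSense WebGUI (443) and MySQL (3306).
CHECK_TCP = [22, 80, 443, 3306]


def tcp_probe(host, port, timeout=1.0):
    """Full TCP connect. Returns 'open', 'closed' (refused) or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:              # timeout, host or network unreachable
        return "filtered"


def check_exposure(host, ports=CHECK_TCP, allowed=ALLOWED_TCP, probe=tcp_probe):
    """Compare what answers on `host` with the intended firewall policy."""
    report = {"host": host, "states": {},
              "unexpected_open": [], "expected_missing": []}
    for port in ports:
        state = probe(host, port)
        report["states"][port] = state
        if state == "open" and port not in allowed:
            report["unexpected_open"].append(port)      # rule is too permissive
        elif state != "open" and port in allowed:
            report["expected_missing"].append(port)     # forward is not working
    report["compliant"] = not (report["unexpected_open"]
                               or report["expected_missing"])
    return report


def loopback_demo():
    """Offline self-check: a listener on 127.0.0.1 plays the forwarded port."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return check_exposure("127.0.0.1", ports=[port], allowed={port})


if __name__ == "__main__":
    print(loopback_demo())
```

For the real check, call check_exposure with the firewall's WAN address from a machine on the client network and rerun it after every rule change.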


Conclusion

Cloud Computing is a vast topic and the above report does not give a high level

introduction to it. It is certainly not possible in the limited space of a report to do

justice to these technologies. What is in store for this technology in the near future?

Well, Cloud Computing is leading the industry’s endeavor to bank on this

revolutionary technology.

Cloud Computing Brings Possibilities……..

Increases business responsiveness

Accelerates creation of new services via rapid prototyping capabilities

Reduces acquisition complexity via service oriented approach

Uses IT resources efficiently via sharing and higher system utilization

Reduces energy consumption

Handles new and emerging workloads

Scales to extreme workloads quickly and easily

Simplifies IT management

Platform for collaboration and innovation

Cultivates skills for next generation workforce

Today, with such cloud-based interconnection seldom in evidence, cloud computing

might be more accurately described as "sky computing," with many isolated clouds

of services which IT customers must plug into individually. On the other hand, as

virtualization and SOA permeate the enterprise, the idea of loosely coupled services

running on an agile, scalable infrastructure should eventually make every enterprise

a node in the cloud. It's a long-running trend with a far-out horizon. But among big

Meta trends, cloud computing is the hardest one to argue with in the long term.