hp helion webinar #5 - security beyond firewalls
TRANSCRIPT
OpenStack: Security beyond firewalls
Giuseppe Paternò
Managing Director GARL HP Helion Webinar, October 27th 2015
Twitter: @gpaterno E-mail: [email protected]
Website: www.gpaterno.com
@gpaternoGiuseppe Paternò
About me
IT Architect and Security Expert with background in Open Source. Former Network and Security architect for Canonical/Ubuntu, RedHat, Wind/Infostrada, Sun Microsystems and IBM and Visiting Researcher at the University of Dublin Trinity College. Past projects: standard for J2ME Over-The-Air (OTA) provisioning along with Vodafone, the study of architecture and standards for the delivery of MHP applications for the digital terrestrial television (DTT) on behalf of DTT Lab (Telecom Italia/LA7) and implementation of HLR for Vodafone landline services.Lot of writings, mainly on computer security. Managing Director of GARL, a multinational company based in Switzerland and UK, providing security services for the cloud and owner of SecurePass and login.farm.
Director of Alchemy Solutions Group, UK based company that provides enterprise consulting and architectures on OpenStack. Primary telcos and utilities are among the customers.
@gpaternoGiuseppe Paternò
Too many threats
62% Increase breaches in 2013(1)
1 in 5 Organisations have experienced an APT attack (4)
3 Trillion$ Total global impact of cybercrime(3)
8 months Is the average time an advanced threat goes unnoticed on victim’s network(2)
2,5 billion Exposed records as results of a data breach in the past 5 years(5)
1,3,5: Increased cyber security can save global economy trillions, McKinsey/World Economic Forum, January 2014 2: M-Trends 2013: attack the security gap, Mandiant, March 2013 4: ISACA’s 2014 APT study, ISACA, April 2014. Source: ISACA Cyber Security Nexus
@gpaternoGiuseppe Paternò
Network APIs Identity Application
OpenStack Domain
Guest Domain
OpenStack and Guest Security
@gpaternoGiuseppe Paternò
Network Security (OpenStack built-in systems)
@gpaternoGiuseppe Paternò
Neutron Server runs on Controller, expose APIs, enforce network model, pass to Neutron PluginNeutron Plugin runs on Controller, implements APIs, every vendor can create its own “implementation” (ex: Cisco, Juniper, ...)
Plugin Agent, run on each compute node and connect instances to the virtual network
Default implementation based on OpenVSwitchOpenFlow to be set as fundamental open protocol for building SDN
OpenStack NeutronSoftware-Defined Network in OpenStack, it answer RESTful APIs.
Still no “industry” standard for encapsulating VLANs over L3, VXLANs set to be a preferred choice but any vendor has its choice (ex: Juniper has MPLS over IP)
@gpaternoGiuseppe Paternò
OpenStack Security Groups
@gpaternoGiuseppe Paternò
OpenStack Security Groups
• Basic L3/L4 firewalling carried by security groups
• Rules can be customised as in normal firewalls
• Drills down to iptables on the L3 agent and Conntrackd to sync iptables state tables
@gpaternoGiuseppe Paternò
OpenStack Neutron FWaaSFirewall as a Service in Neutron
Different from the Security Groups in the instance
Default to IPtables support into tenant’s ip NameSpace
@gpaternoGiuseppe Paternò
OpenStack Neutron VPNaaS
@gpaternoGiuseppe Paternò
OpenStack Neutron VPNaaSNeutron has capability to handle per-tenant VPNs, named VPN-as-a-Service
Based on IPSec, just implementing IKE with “PSK” authentication mode rather than using certificates
Implemented on top of IP NameSpaces (“ip netns add vpn”)
Draft exists on bringing OpenVPN to NeutronNot suited for “roadwarriors”, i.e. clients connection
Suited for site-to-site VPNs and provide Hybrid cloud
@gpaternoGiuseppe Paternò
OpenStack Neutron L3 Agent
@gpaternoGiuseppe Paternò
Identity Security (OpenStack and apps)
@gpaternoGiuseppe Paternò
User management: keep tracks of users, roles and permissions
Service catalog: Provide a catalog of what services are available and where the OpenStack APIs EndPoint are located
OpenStack KeystoneProvides Identity, Token, Catalog and policy services for uses inside the OpenStack family and implements OpenStack’s Identity APIs
@gpaternoGiuseppe Paternò
Users A user represent a human user and has associated information such as username, password and e-mail
Tenants A tenant can represent a customer, organisation or a group.
Roles A role is what operations a user is permitted to perform in a given tenant
OpenStack Identity Management
Keystone permit the following back-ends for IDMs: SQL Backend (SQLAlchemy, it’s python), SAMLv2, LDAP and custom plugins
@gpaternoGiuseppe Paternò
Catching username and passwords means reveal the whole OpenStack infrastructure and control it!
$ curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens
OpenStack Keystone
@gpaternoGiuseppe Paternò
Security must be simple and transparent to the end user, otherwise it will be circumvented!
Identity best practices in applications
Strong authentication of the users
GeoIP
Patches, patches and patches!
Secure application programming
@gpaternoGiuseppe Paternò
Hosted Apps
Need of a central Cloud Control
Cloud Orchestrator 2FA/SSO
@gpaternoGiuseppe Paternò
Question: What is the website of the free project to address identity management across hybrid clouds?
Answer on Twitter now using hashtag #helionwebseries and win an HP Helion Cloud Box.
@gpaternoGiuseppe Paternò
APIs Security (OpenStack and Cloud Applications)
@gpaternoGiuseppe Paternò
APIsApplication APIs
APIs are your point of contact from external world, you must make them highly secure
Firewall are not enough! Anything can be sent over HTTP/HTTPS.
REST, XML-RPC, ...
Web-based APIs
@gpaternoGiuseppe Paternò
Usernames and passwords, session tokens and API keys must never appear in the URL (Proxy caching and logging)
Allow only selected HTTP methods
Protect privileged actions and sensitive resource collections
Validate inputs and enforce typing of values
Validate incoming Content-Type and other headers
Encrypt data in transit
Validation also apply to payload: JSON, XML or whatsoever
General APIs best practices
@gpaternoGiuseppe Paternò
OpenStack APIs
All OpenStack software is based on APIs, consumed from End customers and tools to access the platform programmatically
Among OpenStack components, is a way of decoupling components implementations
Easily from “curl” tools
OpenStack Command Line tools
REST clientsOpenStack Software Development Kit (SDK)
RESTFUL API
@gpaternoGiuseppe Paternò
OpenStack APIs EndPoints
@gpaternoGiuseppe Paternò
1. Obtain a Token
curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens
2. Consume the API (through the obtained token):
curl -i -X GET http://localhost:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: token"
OpenStack APIs Workflow
@gpaternoGiuseppe Paternò
The token request will reveal the endpoints URLs: Compute/Nova, S3,Image/Glance, Volume/Cinder, EC2, Identity/Keystone
Revealing the EndPoints
@gpaternoGiuseppe Paternò
Isolate API endpoint processes, especially those that reside within the public security domain should be isolated as much as possible. API endpoints should be deployed on separate hosts for increased isolation.Apply Defense-in-Depth concept: configure services, host-based firewalls, local policy (SELinux or AppArmor),
and optionally global network policy.Use Linux namespaces to assign processes into independent domainsUse network ACLs and IDS technologies to enforce explicit point to point communication between network services (ex: wire-level ACLs in L3 switches)
OpenStack APIs best practices
@gpaternoGiuseppe Paternò
Isolate API endpoint processes from each other and other processes on a machine.
Use Mandatory Access Controls (MAC) on top of Discretionary Access Controls to segregate processes, ex: SE-Linux
Objective: containment and escalation of API endpoint security breaches.
Use of MACs at the OS level severely limit access to resources and provide earlier alerting on such events.
Mandatory Access Control in APIs
@gpaternoGiuseppe Paternò
RESTful APIs, mixture of POST (in request) and JSON (in response), Channel encrypted with TLS high cypher, Based on APP ID and APP Secret
Example: /api/v1/users/info
Ex: SecurePass NG (Dreamliner) APIs Security
in functionalities, APP ID read-only or read-writein network, APP ID can be limited to a given IPv4/IPv6 in domain, APP ID is linked to only a specific realm/domain
@gpaternoGiuseppe Paternò
Continuous
Security
@gpaterno
Build
Functional tests
Static security tests
Create template
Deploy template
Automated VA
@gpaterno
Static code analysers
• http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
• http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
• https://github.com/google/firing-range
@gpaternoGiuseppe Paternò
Useful Links & Twitter
• OpenStack Security Guide:
• http://docs.openstack.org/sec/
• login.farm:
• Main website: https://login.farm
• free join: http://bit.ly/loginfarm
• SecurePass
• www.secure-pass.net
Answers to the twitter challenge
@gpaternoGiuseppe Paternò
So, if you need …
• OpenStack/OpenNebula
• Software Defined Storage
• Software Defined Networking
• from the folks that architected largest EMEA telco & bank infrastructures
• call us at Alchemy Solutions Ltd (UK) — [email protected]
• Identity management for cloud/hybrid (including AWS)
• Pen-test/Vulnerability Assessments
• Secure Enterprise DropBox replacement
• from the former Symantec and former Sun Micro/RedHat folks
• call us at GARL Sagl (Switzerland, UK) — [email protected]
Giuseppe Paternò
Managing Director GARL HP Helion Webinar, October 27th 2015
Twitter: @gpaterno E-mail: [email protected]
Website: www.gpaterno.com
Q & A