public cloud security diy @ igt 2013

Public Cloud Security DIY

Amir Naftali, CTO FortyCloud

IaaS

IGT Meetup July 2013

1. What is a public cloud?2. Network architectures3. Two public cloud examples 4. Shared responsibility model5. Security risks and threats6. Network isolation techniques7. VPCs8. Secure access techniques9. VPN access DIY example10. Summary and Q&A

Agenda


IaaS

Wikipedia - A cloud is called a 'Public cloud'

when the services are rendered over a

network that is open for public use.

So What’s a Public Cloud


IaaS

• Datacenter (Infrastructure) as-a service

• Virtualized

• Shared

• Mostly Compute, but also storage services

• Access to resources is done over the Internet

• Service enrollment is instantaneous

using web-based console

• Other services like DB, LB as a service,

Object Store…

So What’s a Public Cloud (2)

$IGT Meetup July 2013

IaaS

In a Public Cloud • No infrastructure ownership• Pay Per Use (CPU hourly , storage size, network

usage, etc.)• Allocate resources at any given moment as much as

you need (e.g. adjust your resource allocation to current demand)

In a Private Cloud • Infrastructure is dedicated to you (including network

gear and software licenses)• Scale is limited to the physical amount of resources you

lease or buy.

These are different financial and operational models

Public Vs. Private Clouds

Regions and Datacenters


• Datacenters are called regions

• Regions are independent

• Amazon , Rackspace, Google, Azure, HP all have

regions around the world

Network Architecture


Usually, a Region has a shared internal service network and and a shared public internet access

Network Architecture Example - AWS


Network Architecture Example - Rackspace


Network Architecture


Basically, all VMs are reachable via the service network and the public Internet

IaaS


“…In turn, you assume responsibility and management of the guest operating system(including updates and securitypatches), other associated application software, as well as…”

“…It is possible foryou to enhance security and/or meet more stringent compliance

requirements by leveraging technology such as host‐based firewalls, host‐based intrusion detection/prevention, and

encryption...”

Sources:http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdfhttp://www.rackspace.com/security/

……..“security is a partnership”……

…“USERS MUST TAKE FULL RESPONSIBILITY FOR APPLICATION OF ANY SERVICES AND/OR PROCESSES MENTIONED HEREIN…”

Shared Responsibility Model

http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf




http://www.rackspace.com/security/




A Shared Responsibility Model in IaaS


Application

Hosted operating system

Virtualization layer

Physical infrastructure

Customer Responsibility

Cloud Provider Responsibility

Security Risks and Threats


If I can access my VMs remotely anyone else can access them too

• What TCP/IP ports are open on your cloud VMs?• What protocols/applications are you using to access

your VMs?• Are you using a secure protocol/application? Are you

using it in in a secure manner?

What can the bad guys do?• DoS• Steal or compromise your data• Use your VMs to launch attacks on 3rd parties

It’s a Jungle Out There


Simple measurementsperformed in a few public datacenters show the following results (per virtual server):

HTTP based attack vectors 40-200 per daySSH auth attempts 200-400 per dayNon HTTP/SSH based attacks 1000-4000 per day

It’s a Jungle Out There – Attack Example


Simple measurementsperformed in a few public datacenters show the following results (per virtual server):

A Typical Start-up Scenario



So what can be done to mitigate the threats?

Network Isolation Techniques


• IP Based filtering

• Server based Firewall

• Security Groups

• Private network (virtually)

• AWS VPC

• SDN solutions

EC2 Security Groups – The Basics


• Protocol and port based filtering

• Incoming traffic only

• Supports only TCP, UDP and ICMP

• White list - Everything is filtered unless declared open

• A single EC2 Security Group contains a list of rules

• Security Group serves also as a role that can be used as

source address in rules

• An instance can be associated with Multiple Security Groups

• Supports a REST based API

EC2 Security Groups – The Basics


Example:

EC2 Security Groups


• Provide IP Based filtering – your first line of defense• Simple and easy to use (Role based, management console, API)• Can add/delete rules anytime• The only means to secure internal communication with

EC2 services like RDS, LB …. • Platform independent (e.g. Windows, Linux)

• For management access, servers are still exposed to public Internet

• Control incoming traffic only (output policy is ‘allow all’ based on stateful inspection)

• Doesn’t protect against IP spoofing. • Is hard or sometimes impossible to associate with identity (probably

not the right tool for Access Control). • Security Groups are only associated with private addresses (when

used as source address) • Can’t add/delete groups after lunching an instance• No logs

What is a VPC?

A VPC solution should provide us with an ‘enterprise-like’ environment where:

1. Cloud resources are isolated from public access (access is via a DMZ)

2. Secure access for remote users (e.g. employees, contractors, etc.)

3. Access control mechanism


AWS and Rackspace Examples


User-defined private subnets Additional network configuration

Cloud Providers’ VPC Implementation Discussed


• AWS provides the EC2 VPC solution a public cloud but with a VLAN like network isolation.

• Rackspace has an SDN solution (based on OpenStack Quantum)

Using an isolated network may have some challenges • Can’t just simply move an existing resource to VPC, must

recreate them.• Network architecture is different, configuration is not

straightforward (might impact design)• Integration with provider’s services should be revisited• Does not extend across regions (and vendors) • Access control and identity management solutions may still

need to be integrated by customer

Secure Access Techniques


• Access servers directly using a secure protocol and local/central

user store

• Servers are still exposed to the public internet

• Centralized access control – access your cloud via a VPN Gateway

• Servers are not exposed to public internet

VPN Access DIY

Using Open Source

The Before picture


The After picture


VPN access - the DIY toolkit

• Cloud Access • Linux with packet forwarding capability• VPN gateway is based on OpenSwan

(can also use StrongSwan, OpenVPN, Racoon)• xl2tpd (L2TP server) for user authentication and dynamic IP

allocation (along with IPSec)• NAT based on IP Tables all traffic flowing from users

to servers• Intra Cloud protection – IP Based FW

• EC2 Security Groups

VPN Access DIY - EC2 example (Before)

This is how my servers’ SG look like before the change


VPN Access DIY - EC2 example (After)

Only my GW is open to the public Internet

My Servers are open only to the GW


VPN Access DIY - EC2 example (After)

Live Demo

What have we accomplished ?

• All IP Traffic from user to the public cloud is encrypted AND

secured (not protocol specific)

• Simple user based access and VPN

• No direct access to servers from the public internet

• Audit user access via Gateway’s logs

Improving security w/o

affecting agility

Many companies have other challenges as well


• Deployment-wise• Using several regions at the same time• Using several clouds at the same time • Must enable secure access to 3rd parties• High Availability

• Security-wise• Filtering is not good enough, complete isolation

required• Must encrypt all traffic even within the region• Stronger authentication (OTP based 2 factor auth.)

required

• Compliance (e.g. PCI, HIPAA, etc.)

• You can find detailed DIY examples on our blog and site

www.fortycloud.com

www.fortycloud.com/blog/

• Feel free to send us any cloud related security question to

[email protected] and we will do our best to answer.

• Join a free trial of our cloud security solution at

www.fortycloud.com/free-sign-up/

http://www.fortycloud.com/

http://www.fortycloud.com/blog/

mailto:[email protected]

http://www.fortycloud.com/free-sign-up/

Contact details:

Amir Naftali

[email protected]

@amirnaftali

Thanks

mailto:[email protected]

public cloud security diy @ igt 2013

Technology

iaas igt meetup

datacenters igt meetup

threats igt meetup

basics igt meetup

ec2 security groups

attack example igt meetup

public datacenters

public use