Security on OpenStack
11/7/2013, Brian Chong, Global Technology Strategist
PowerPoint presentation, 16 slides

TRANSCRIPT

Slide 1: Security on OpenStack
11/7/2013, Brian Chong, Global Technology Strategist

Slide 2: Agenda
- What is Symantec doing?
- Security Concepts for Grizzly Release
  - Centralized Software Defined Data Center Management
  - Network Segmentation
  - Token/PKI Based Authentication
  - Distributed Policy Management
  - Auditing and Compliance
- Areas of focus for Securing an OpenStack Deployment

Slide 3: About Symantec and Us
About Symantec
- Making the world a safer place
  - Enterprise system and data protection
  - Norton branded consumer protection (not just Antivirus)
- Tackling the big problems
  - Pioneered the Big Data approach to malware detection
  - Significant cloud presence (Norton, MessageLabs, OCSP, etc.)
About Brian Chong
- Infrastructure Architect for our OpenStack efforts
- Security & Network Focused
- Interested in securing OpenStack at all tiers
(SYMC Confidential)

Slide 4: What is Symantec Doing? (Cloud Platform Engineering)
- We are building a consolidated cloud platform that provides infrastructure and platform services to host Symantec SaaS applications
- An exciting greenfield opportunity to re-invent our cloud infrastructure with strong executive leadership support
- Our development model is to use open source components as building blocks
  - Identify capability gaps and contribute back to the community
- We have selected OpenStack as one of the underlying infrastructure services layers
- We plan to analyze and improve the overall security posture of OpenStack components
- We are starting small, but will scale to thousands of nodes across multiple data centers

Slide 5: Scope of Investigation (Cloud Platform Engineering)
- Version of OpenStack: Grizzly
- Components: Nova, Neutron, Glance, Cinder, Keystone, Swift, Horizon
- General:
  - Database: MySQL
  - AMQP: RabbitMQ
  - Hypervisor: KVM
  - Operating System: Ubuntu

Slide 6: Security on OpenStack: Traditional Model (Defense in Depth)
(Diagram of nested layers: Router ACLs, Load Balancer Filters, Firewall Rules, Application/Host Security)

Slide 7: Security on OpenStack: Software Defined Data Center
- Centralized Data Model for control access
- All Control points are accessible by the applications that control the Data Center, for elasticity of the service
- All Services have access to change the system in relatively large ways (Compute, Network, Storage) to manage service SLAs
- Layered Security is now much more difficult than before, which means stronger pinpoint security is more critical than before
- Host based controls become more critical
  - Operating System
  - Hypervisor / Virtualization Driver
  - Console
(Diagram: Security Sphere ... Security Sphere N)

Slide 8: Security on OpenStack: Centralized Model
(Diagram: a Software Defined API in front of Router ACLs, Load Balancer Filters, Firewall Rules and Application Security)

Slide 9: Security on OpenStack: Network Segmentation
- BMC and IPMI functions: Control of Hardware components
  - Deny All except to specific participating Deployment Servers
- Host/Admin: Control of Operating System
  - Deny All except to specific Jump Servers
- Service API/Messaging: Control of IaaS, Messaging & Database services and Authentication
  - Deny All except to each physical interface on participating Servers
- Private/Storage: VM to VM traffic and Storage or internal PaaS Services
  - Controlled by local Firewall Access (iptables per host or external Firewall)
- Public: External Access outside of the Cluster
  - Controlled by Gateway/Load Balancer/Firewall

Slide 10: Security on OpenStack: Token/PKI Based Authentication
- Token Expirations (assumes Caching)
- Correlation of all changes in the distributed model with an issued Token
- PKI Token Management
  - Signing Certificate Expiration
  - Signing Engine (HSM or SW)
  - Root CA Distribution
- SSL Service Management
  - SSL Certificate Expiration for Services
  - Root CA Distribution
  - Private key generation and Management
How are you going to do PKI at massive scale? How do you manage different SSL Certificates per node or per client?

Slide 11: Security on OpenStack: Distributed Policy Model
- Definitions of the different roles and policies are held in Keystone, per tenant and globally
- Each service has a policy.json file that lists which defined role has the capability to execute each action of that specific service
- Each service node should be kept synchronized for its specific policy files, or a multi-service security model can be used for the same type of service
- Each upgrade has to maintain and define the new roles that are included in every release

Slide 12: Security on OpenStack: Distributed Policy Model
(Diagram: Keystone holds the Role Name; Nova and Neutron each hold a policy.json with their own Role Definition)

Slide 13: Security on OpenStack: Auditing and Compliance
Auditing
- Sources: Message Queues, Log Files, Database
- Message Queue Event Validation process
- Log Parsers for Event Handling and Threat Detection
- Database Triggers for Security Events
Compliance
- Role to Policy Validation
- Code Patching and Upgrade Versioning
- User Information (Name, Password, Roles, etc.)
- IT Mgmt (ISO 27001, FISMA, FedRAMP, etc.)
- PKI Key Management
Production Level Compliance items for all Data Centers. Haven't found anything within OpenStack that enables this easily.

Slide 14: Security on OpenStack: Auditing and Compliance
Example: Boot a Virtual Machine
- Keystone (Log, Database)
- Nova (Log, Message, Database)
- Glance (Log, Database)
- Neutron (Log, Message, Database)
- Host (Log)
- Horizon (Log, Database)
All of these events must be correlated to make sure that the proper rules and privileges were used during each command, and checked against a CMDB to validate authorization.
Production Level Compliance items for all Data Centers. Haven't found anything within OpenStack that enables this easily.

Slide 15: Areas of focus for Securing an OpenStack Deployment
- Message Server and Queuing: Signing all Messages and Validating Authorization
- Database Server and Instances: Encryption of Critical Columns
- Certificate Management: Overall Management and HSM Integration
- Distribution Verification: Signed Policy Distribution and Loading into all Services
- 2 Factor Authentication / Single Sign On: Token Authentication with Single Sign On through Horizon

Slide 16: Questions?
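The Distributed Policy Model slides describe per-service policy.json files and the need to keep them synchronized across nodes. The following is an added example, not code from the deck or from OpenStack: a small evaluator for a subset of the Grizzly-era policy.json string syntax (role:, is_admin:, project_id:%(project_id)s, rule: references, "or"/"and", empty rule = allow) over a constructed Nova excerpt, plus a digest-based drift check that reports nodes whose policy file differs from the majority. Targets passed to enforce() must carry any %(key)s the rule references.

```python
import hashlib
import json

# Constructed excerpt in the Grizzly-era policy.json string syntax (not a real service file).
NOVA_POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "compute:create": "",
    "compute:delete": "rule:admin_or_owner",
    "compute_extension:admin_actions": "rule:context_is_admin",
}

def _term(term, creds, target, policy):
    """Evaluate one 'kind:match' term; %(key)s in match is filled from the target dict."""
    kind, match = term.split(":", 1)
    if "%(" in match:
        match = match % target
    if kind == "rule":                        # reference to another named rule
        ref = policy.get(match)
        return ref is not None and _rule(ref, creds, target, policy)   # unknown rule: deny
    if kind == "role":
        return match in creds.get("roles", ())
    return str(creds.get(kind)) == match      # is_admin:True, project_id:<id>, ...

def _rule(rule, creds, target, policy):
    """Subset of the syntax: 'or'-separated groups of 'and'-joined terms, no parentheses."""
    if not rule.strip():
        return True                           # an empty rule means 'always allowed'
    return any(all(_term(t.strip(), creds, target, policy) for t in clause.split(" and "))
               for clause in rule.split(" or "))

def enforce(action, creds, target, policy=NOVA_POLICY):
    """True if creds may perform action on target; unlisted actions fall back to 'default'."""
    rule = policy.get(action, policy.get("default"))
    return rule is not None and _rule(rule, creds, target, policy)

def policy_digest(policy):
    """Canonical digest: files with the same rules compare equal regardless of key order."""
    return hashlib.sha256(json.dumps(policy, sort_keys=True).encode()).hexdigest()

def drifted_nodes(policies_by_node):
    """Nodes whose policy digest differs from the majority, i.e. the 'synchronized files' check."""
    digests = {node: policy_digest(p) for node, p in policies_by_node.items()}
    majority = max(set(digests.values()), key=list(digests.values()).count)
    return sorted(node for node, d in digests.items() if d != majority)
```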
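The "Boot a Virtual Machine" audit slide calls for correlating Keystone, Nova, Glance, Neutron and host events. This added example (not from the deck or from OpenStack) runs that correlation over constructed log lines modelled on the OpenStack log layout; it assumes one request id is carried through every service, which Grizzly did not guarantee, so in practice the join key would be the token plus user, tenant and time window. It flags requests that skipped Keystone validation, that are missing a step of the chain, or whose user/project changed mid-request.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the OpenStack log layout; every identifier is made up.
# Assumption: one request id (req-...) is carried through all services of a boot.
LOG_LINES = """\
2013-11-07 10:00:01 keystone [req-1 alice proj-a] token validated roles=member
2013-11-07 10:00:01 nova     [req-1 alice proj-a] POST /servers
2013-11-07 10:00:02 glance   [req-1 alice proj-a] GET /images/img-1
2013-11-07 10:00:03 neutron  [req-1 alice proj-a] POST /ports
2013-11-07 10:00:04 host     [req-1 alice proj-a] instance inst-1 started
2013-11-07 10:05:00 nova     [req-2 bob proj-b] POST /servers
2013-11-07 10:05:01 glance   [req-2 bob proj-b] GET /images/img-1
2013-11-07 10:05:02 neutron  [req-2 bob proj-x] POST /ports
2013-11-07 10:05:03 host     [req-2 bob proj-b] instance inst-2 started
""".splitlines()

LINE_RE = re.compile(r"^(\S+ \S+) (\S+)\s+\[(req-\S+) (\S+) (\S+)\] (.*)$")
BOOT_CHAIN = ("keystone", "nova", "glance", "neutron", "host")   # event sources on the slide

def parse(lines):
    """Group parsed events by request id, keeping log order; unparseable lines are skipped."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, service, req, user, project, msg = m.groups()
            events[req].append({"ts": ts, "service": service, "user": user,
                                "project": project, "msg": msg})
    return events

def audit_boot(events):
    """Per request: services missing from the boot chain, whether a Keystone validation
    event exists, and whether user/project stayed constant across every service."""
    findings = {}
    for req, evs in events.items():
        seen = [e["service"] for e in evs]
        identities = {(e["user"], e["project"]) for e in evs}
        findings[req] = {
            "missing": [s for s in BOOT_CHAIN if s not in seen],
            "authenticated": "keystone" in seen,
            "consistent_identity": len(identities) == 1,
        }
    return findings

def suspicious_requests(findings):
    """Request ids an analyst should review against the CMDB and the policy files."""
    return sorted(r for r, f in findings.items()
                  if f["missing"] or not f["authenticated"] or not f["consistent_identity"])
```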
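The first focus area on the closing slide is signing all messages on the message server and validating authorization. This added example (not from the deck, and not how Grizzly's RPC layer worked) shows the minimum a signed RPC envelope needs: a canonical byte form, an HMAC-SHA256 over it with a per-service key, a timestamp bound, a nonce cache against replay, and a method-to-sender allow list. Service names, keys and the method map are constructed; a deployment would issue keys from the HSM the slides mention.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed per-service secrets and a constructed method-to-sender map; in a real
# deployment keys would be issued from the HSM/KMS the slides call for.
SERVICE_KEYS = {"nova-api": b"k-api-constructed", "nova-compute": b"k-compute-constructed"}
ALLOWED_SENDERS = {"run_instance": {"nova-api"}, "terminate_instance": {"nova-api"}}
MAX_SKEW = 60  # seconds a message stays valid; also bounds how long nonces must be kept

def _canonical(envelope):
    """Deterministic byte form of the envelope, so sender and receiver hash the same thing."""
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()

def sign_message(sender, method, args, now=None):
    """Wrap an RPC call in an envelope carrying sender, timestamp, nonce and HMAC-SHA256."""
    env = {"sender": sender, "method": method, "args": args,
           "ts": int(now if now is not None else time.time()), "nonce": os.urandom(12).hex()}
    env["sig"] = hmac.new(SERVICE_KEYS[sender], _canonical(env), hashlib.sha256).hexdigest()
    return env

def verify_message(env, seen_nonces, now=None):
    """Return (ok, reason): signature, freshness, replay and sender-authorization checks.
    The signature is checked first so no other field is trusted until it holds."""
    env = dict(env)
    sig = env.pop("sig", None)
    key = SERVICE_KEYS.get(env.get("sender"))
    if key is None or sig is None:
        return False, "unknown sender or unsigned"
    expected = hmac.new(key, _canonical(env), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):       # constant-time comparison
        return False, "bad signature"
    now = now if now is not None else time.time()
    if abs(now - env["ts"]) > MAX_SKEW:
        return False, "stale"
    if env["nonce"] in seen_nonces:
        return False, "replay"
    if env["sender"] not in ALLOWED_SENDERS.get(env["method"], set()):
        return False, "sender not authorized for method"
    seen_nonces.add(env["nonce"])
    return True, "ok"
```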