Holistic Security for OpenStack Clouds
Transcript of Holistic Security for OpenStack Clouds
![Page 1: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/1.jpg)
Holistic Security for OpenStack Clouds
Major Hayden, Principal Architect, Rackspace
@majorhayden
Photo credit: bastiend (Flickr)
![Page 2: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/2.jpg)
Image credit: Wikipedia
![Page 3: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/3.jpg)
Security feels like this
Image credit: Wikipedia
![Page 4: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/4.jpg)
Securing complex systems creates more challenges
![Page 5: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/5.jpg)
Securing OpenStack can feel like taking a trip to the Upside Down.
![Page 6: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/6.jpg)
It doesn’t have to be that way (even with something as complex as OpenStack)
Image credit: Pixabay
![Page 7: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/7.jpg)
The key is taking the right approach to secure a complex system.
![Page 8: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/8.jpg)
Major Hayden, Principal Architect
● At Rackspace since 2006
● Working on OpenStack since 2012
● Focused on information security for Rackspace Private Cloud
● Fedora Linux contributor; Fedora Security Team and Server Working Group member
● Has a terrible domain name purchase habit (please, no ideas for domain names today)
![Page 9: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/9.jpg)
Holistic: characterized by comprehension of the parts of something as intimately interconnected and explicable only by reference to the whole
-- Oxford English Dictionary
![Page 10: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/10.jpg)
The holistic approach for humans considers a person to be made of a body, a mind, and a spirit.
Image credit: Pixabay
![Page 11: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/11.jpg)
The holistic approach for OpenStack considers a cloud to be made of servers, software, and a business goal.
![Page 12: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/12.jpg)
A holistic approach to security involves people, processes, and technologies working in tandem.
![Page 13: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/13.jpg)
“The whole is greater than the sum of its parts, especially in the case of OpenStack.”
-- (partially) Aristotle
Image credit: Wikipedia
![Page 14: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/14.jpg)
How does this apply to securing an OpenStack cloud?
Let’s do a quick security refresher.
![Page 15: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/15.jpg)
Assume that attackers will get inside eventually.
Image credit: Pixabay
![Page 16: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/16.jpg)
Attackers are on offense. They can be wrong many times.
Defenders can only be wrong once for a breach to occur.
![Page 17: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/17.jpg)
Securing only the outer perimeter is not sufficient.
![Page 18: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/18.jpg)
We must secure our OpenStack cloud. We need to go deeper.
![Page 19: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/19.jpg)
We just bought an expensive firewall for the perimeter. Isn’t that enough?
![Page 20: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/20.jpg)
(no caption necessary)
![Page 21: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/21.jpg)
Build small security improvements at multiple layers.*
* This is the cornerstone of defense-in-depth.
![Page 22: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/22.jpg)
Individually, these changes may not seem to have much value.
All of these changes create a strong, valuable security strategy when they are added together.
![Page 23: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/23.jpg)
Let’s get to the good stuff.
Image credit: Pexels
![Page 24: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/24.jpg)
Work from the outside in (just like you would at a fancy dinner)
Image credit: Wikipedia
![Page 25: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/25.jpg)
Four layers:
Outer perimeter
Control and data planes
Control plane deep dive: OpenStack services and backend services
OpenStack services deep dive
Image credit: imageme (Flickr)
![Page 27: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/27.jpg)
OUTER PERIMETER SECURITY GOAL: Convince your attackers that it’s easier to attack someone else’s cloud
![Page 28: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/28.jpg)
Key concepts
Make it expensive for attackers to breach your perimeter defense
When they do make it through, ensure that you know about it immediately
Perimeters usually have openings on the outside and inside -- secure both of them
![Page 29: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/29.jpg)
Tactical objectives
Require a VPN for access from external networks
Segregate internal networks using a firewall or an internally-facing VPN
Monitor all logins (successful and unsuccessful) for unusual activity
Track bandwidth usage trends using netflow data
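The login-monitoring objective above is easiest to see as detection logic. What follows is an added example, not part of the talk: a single Python pass over constructed sshd log lines that flags a source reaching a failure threshold, a successful login from that same source afterwards, and any successful login that did not arrive through the VPN client pool (the first objective on this slide). The VPN pool range, the threshold and the log lines are assumptions made for the example.

```python
"""Login monitoring over constructed sshd log lines (added example, not from the talk)."""
import ipaddress
import re
from collections import Counter

# Assumption: operators reach the cloud only through the VPN, whose client pool is 10.8.0.0/24.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
# Assumption: five failures from one source is worth an alert.
FAIL_THRESHOLD = 5

# Matches OpenSSH "Accepted ..." and "Failed ..." auth lines, including "invalid user" failures.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_sshd(line):
    """Return the auth event in an sshd log line, or None for anything else."""
    m = SSHD_RE.search(line)
    return m.groupdict() if m else None


def analyze_logins(lines, vpn_pool=VPN_POOL, fail_threshold=FAIL_THRESHOLD):
    """Walk the log once and emit (finding, source ip, user) tuples for:
    brute-force           : a source reached the failure threshold
    login-outside-vpn     : a successful login from outside the VPN client pool
    success-after-failures: a source that hit the threshold and then got in
    """
    findings = []
    failures = Counter()
    for line in lines:
        ev = parse_sshd(line)
        if ev is None:
            continue
        src = ev["ip"]
        if ev["result"] == "Failed":
            failures[src] += 1
            if failures[src] == fail_threshold:
                findings.append(("brute-force", src, ev["user"]))
            continue
        # Successful login: every success is checked, not only the suspicious ones.
        if ipaddress.ip_address(src) not in vpn_pool:
            findings.append(("login-outside-vpn", src, ev["user"]))
        if failures[src] >= fail_threshold:
            findings.append(("success-after-failures", src, ev["user"]))
    return findings


# Constructed sample log (not real data): a VPN user, a password-guessing run
# that eventually succeeds, and a key-based login that bypassed the VPN entirely.
SAMPLE_AUTH_LOG = [
    "Mar  3 09:00:01 bastion sshd[1001]: Accepted publickey for ops from 10.8.0.12 port 51302 ssh2",
    "Mar  3 09:00:20 bastion sshd[1002]: Failed password for invalid user admin from 203.0.113.9 port 4410 ssh2",
    "Mar  3 09:00:22 bastion sshd[1003]: Failed password for invalid user admin from 203.0.113.9 port 4412 ssh2",
    "Mar  3 09:00:25 bastion sshd[1004]: Failed password for root from 203.0.113.9 port 4415 ssh2",
    "Mar  3 09:00:27 bastion sshd[1005]: Failed password for root from 203.0.113.9 port 4418 ssh2",
    "Mar  3 09:00:30 bastion sshd[1006]: Failed password for root from 203.0.113.9 port 4421 ssh2",
    "Mar  3 09:00:33 bastion sshd[1007]: Accepted password for root from 203.0.113.9 port 4424 ssh2",
    "Mar  3 09:01:40 bastion sshd[1010]: Accepted publickey for ops from 198.51.100.20 port 50000 ssh2",
    "Mar  3 09:01:41 bastion systemd[1]: Started Session 12 of user ops.",
]

if __name__ == "__main__":
    for finding in analyze_logins(SAMPLE_AUTH_LOG):
        print(*finding)
```

The point of checking every successful login, not just the ones preceded by failures, is the slide's own: a valid key used from an address that never went through the VPN is exactly the kind of "they made it through" event you want to know about immediately.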
![Page 30: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/30.jpg)
Secure the perimeter
(Diagram: Internet, VPN, firewall and corporate network in sequence, with an auth system, log collector, alert system and netflow collector attached)
![Page 32: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/32.jpg)
Control and data plane
Control plane: keystone, nova, glance, cinder, neutron, horizon, rabbitmq, mysql, memcached
Data plane: hypervisors and tenant-built items (VMs, containers, networks, storage)
![Page 33: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/33.jpg)
CONTROL/DATA PLANES SECURITY GOAL: Keep the inner workings of your OpenStack cloud separated from tenant infrastructure
![Page 34: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/34.jpg)
Key concepts
Tenant infrastructure should have extremely limited access to the control plane, and vice versa
A misconfigured tenant VM could open a wide hole in your secure network
Protect your cloud from VM exit exploits that allow attackers to gain hypervisor access
![Page 35: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/35.jpg)
Tactical objectives
Separate control plane, hypervisors and tenant infrastructure with VLANs and strict firewall rules (and monitor dropped packets)
Use SELinux or AppArmor on hypervisors to reduce the impact of VM and container exit exploits
![Page 36: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/36.jpg)
Linux Security Module refresher
Three popular implementations: SELinux, AppArmor, and TOMOYO
sVirt (in libvirt) ensures that all processes are labeled properly (SELinux) or have profiles configured (AppArmor)
VM exit exploits are confined in most situations
(Diagram: a tenant VM on a hypervisor, with its access to storage and network mediated by the Linux Security Module)
![Page 37: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/37.jpg)
Do not disableSELinux or AppArmoron your hypervisors.
(Seriously. Leave it enabled.)
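Leaving SELinux enabled is only half of it; sVirt has to be labeling the guests too. As an added example (not from the talk or from libvirt), here is a check of what the previous slide describes: every qemu process on a hypervisor should run in an svirt type with its own MCS category pair. The process listing is constructed for the example, in the shape `ps -eZ -o label,pid,comm` prints.

```python
"""Verify that sVirt is actually confining VMs on a hypervisor, from a process
listing (added example, not from the talk or from libvirt)."""
import re

# Types libvirt's SELinux driver assigns to guest processes (KVM and TCG guests).
CONFINED_TYPES = {"svirt_t", "svirt_tcg_t"}

# One process per line: "<label> <pid> <comm>", as produced by ps -eZ -o label,pid,comm.
PS_LINE_RE = re.compile(r"^(?P<label>\S+)\s+(?P<pid>\d+)\s+(?P<comm>\S+)\s*$")


def parse_ps_z(text):
    """Split a ps -Z style listing into {pid, comm, type, level} records."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE_RE.match(line.strip())
        if not m:
            continue
        label = m["label"]
        # An SELinux label is user:role:type:level; a bare "-" means SELinux is off.
        parts = label.split(":", 3)
        if len(parts) == 4:
            typ, level = parts[2], parts[3]
        else:
            typ, level = label, ""
        procs.append({"pid": m["pid"], "comm": m["comm"], "type": typ, "level": level})
    return procs


def mcs_categories(level):
    """'s0:c57,c812' -> 'c57,c812'; 's0' -> '' (no per-VM categories at all)."""
    return level.split(":", 1)[1] if ":" in level else ""


def audit_svirt(procs):
    """Return findings for guest processes that sVirt is not isolating:
    unconfined-vm    : guest not in an svirt type (SELinux off, or the
                       security_driver in qemu.conf set to "none")
    no-mcs-categories: svirt type but no category pair, so the MCS separation
                       between guests is gone
    mcs-collision    : two guests share a category pair and therefore a label
    """
    findings = []
    seen = {}
    for p in procs:
        if not p["comm"].startswith("qemu"):
            continue
        if p["type"] not in CONFINED_TYPES:
            findings.append(("unconfined-vm", p["pid"], p["type"]))
            continue
        cats = mcs_categories(p["level"])
        if not cats:
            findings.append(("no-mcs-categories", p["pid"], p["level"]))
        elif cats in seen:
            findings.append(("mcs-collision", p["pid"], seen[cats]))
        else:
            seen[cats] = p["pid"]
    return findings


# Constructed listing (assumption, not from a real host): two healthy guests,
# a guest reusing the first guest's categories, and one running unconfined.
SAMPLE_PS_Z = """\
system_u:system_r:svirt_t:s0:c57,c812          4120 qemu-kvm
system_u:system_r:svirt_t:s0:c104,c533         4188 qemu-kvm
system_u:system_r:svirt_t:s0:c57,c812          4251 qemu-kvm
system_u:system_r:unconfined_t:s0              4302 qemu-kvm
system_u:system_r:virtd_t:s0-s0:c0.c1023       1201 libvirtd
"""

if __name__ == "__main__":
    for finding in audit_svirt(parse_ps_z(SAMPLE_PS_Z)):
        print(*finding)
```

Run it against real output from `ps -eZ -o label,pid,comm` on each hypervisor; a clean result is an empty list, and any `unconfined-vm` finding means a VM exit would land in an unlabeled qemu process with nothing between it and the host.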
![Page 38: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/38.jpg)
Control plane deep dive: OpenStack and backend services
Image credit: Wikipedia
![Page 39: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/39.jpg)
CONTROL PLANE SECURITY GOAL: Heavily restrict lateral movement and restrict access to the “crown jewels”
The “crown jewels” are the databases and message queues in your OpenStack cloud
![Page 40: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/40.jpg)
Control plane deep dive
OpenStack services: keystone, nova, glance, cinder, neutron, horizon (the map to the “crown jewels” is here)
Backend services: mysql, rabbitmq, memcached, syslog (the “crown jewels” are here)
![Page 41: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/41.jpg)
Key concepts
Allow the least amount of access possible from the OpenStack services to backend services
Further restrict access to specific ports, sources, and destinations
Deploy services into containers to apply fine-tuned network and process restrictions
![Page 42: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/42.jpg)
Tactical objectives
Use a load balancer or firewall to create a “choke point” between OpenStack and backend services
Monitor messaging and database performance closely to look for anomalies or unauthorized access
Use unique credentials for each MySQL database and RabbitMQ virtual host
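The unique-credentials objective can be audited straight from the service configuration files, which is where the "map to the crown jewels" lives. The following added example (not from the talk or from any OpenStack project) parses the `[database] connection` and `[DEFAULT] transport_url` values of several services and reports users or passwords shared between services, a root database account, and services still on RabbitMQ's default vhost. The configuration fragments, host addresses and passwords are constructed for the example; the URL grammar handled is the single-password-per-URL form, with the password percent-encoded if it contains `@` or `/`.

```python
"""Audit OpenStack service configs for shared or over-privileged backend
credentials (added example, not from the talk or from any OpenStack project)."""
import configparser
import re
from collections import defaultdict
from urllib.parse import unquote

# scheme://user:password@host[:port][,host[:port]...]/path
URL_RE = re.compile(
    r"^(?P<scheme>[\w+]+)://(?P<user>[^:/@]+):(?P<password>[^@]*)@(?P<hosts>[^/]+)/(?P<path>[^?#]*)"
)


def parse_url(url):
    """Split a SQLAlchemy 'connection' or oslo.messaging 'transport_url' value."""
    m = URL_RE.match(url.strip())
    if not m:
        return None
    return {
        "user": unquote(m["user"]),
        "password": unquote(m["password"]),
        "hosts": m["hosts"],
        "path": m["path"],  # database name, or RabbitMQ vhost ('' is the default vhost '/')
    }


def load_credentials(configs):
    """configs: {service name: ini text}. Returns {service: {'db': ..., 'mq': ...}}."""
    creds = {}
    for service, text in configs.items():
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        creds[service] = {
            "db": parse_url(cp.get("database", "connection", fallback="")),
            "mq": parse_url(cp.get("DEFAULT", "transport_url", fallback="")),
        }
    return creds


def audit_credentials(creds):
    """Flag credential reuse across services and over-broad backend accounts."""
    findings = []
    groups = {label: defaultdict(list) for label in (
        "shared-db-user", "shared-db-password", "shared-rabbit-user", "shared-rabbit-password")}
    for service in sorted(creds):
        db, mq = creds[service]["db"], creds[service]["mq"]
        if db:
            groups["shared-db-user"][db["user"]].append(service)
            groups["shared-db-password"][db["password"]].append(service)
            if db["user"] == "root":
                findings.append(("privileged-db-user", service))
        if mq:
            groups["shared-rabbit-user"][mq["user"]].append(service)
            groups["shared-rabbit-password"][mq["password"]].append(service)
            if mq["user"] == "guest":
                findings.append(("rabbit-guest-user", service))
            if mq["path"] == "":
                findings.append(("default-rabbit-vhost", service))
    for label, by_value in groups.items():
        for services in by_value.values():
            if len(services) > 1:
                findings.append((label, tuple(services)))
    return findings


# Constructed config fragments (assumption): addresses, names and passwords are invented.
SERVICE_CONFIGS = {
    "nova": """
[DEFAULT]
transport_url = rabbit://openstack:SharedRabbitPw@10.0.1.50:5672/
[database]
connection = mysql+pymysql://nova:NovaDbPw@10.0.1.40/nova
""",
    "neutron": """
[DEFAULT]
transport_url = rabbit://openstack:SharedRabbitPw@10.0.1.50:5672/
[database]
connection = mysql+pymysql://neutron:NeutronDbPw@10.0.1.40/neutron
""",
    "glance": """
[DEFAULT]
transport_url = rabbit://glance:GlanceRabbitPw@10.0.1.50:5672/glance
[database]
connection = mysql+pymysql://root:RootPw@10.0.1.40/glance
""",
    "cinder": """
[DEFAULT]
transport_url = rabbit://cinder:CinderRabbitPw@10.0.1.50:5672/cinder
[database]
connection = mysql+pymysql://cinder:NovaDbPw@10.0.1.40/cinder
""",
}

if __name__ == "__main__":
    for finding in audit_credentials(load_credentials(SERVICE_CONFIGS)):
        print(*finding)
```

Each finding maps to one way the "choke point" between OpenStack and the backends is weakened: a shared RabbitMQ user on the default vhost means a compromised neutron host can publish and consume on nova's queues, a root database user means one service's configuration file unlocks every database, and a reused password undoes the per-database accounts even when the usernames differ.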
![Page 43: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/43.jpg)
OpenStack services deep dive
Image credit: Wikipedia
![Page 44: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/44.jpg)
OPENSTACK SERVICES SECURITY GOAL: Know what valid communication looks like and alert on everything else
![Page 45: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/45.jpg)
OpenStack has many (predictable) interactions
![Page 46: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/46.jpg)
Key concepts
OpenStack services are heavily interconnected, but the connections are predictable
Limit access between OpenStack services and monitor any invalid requests
![Page 47: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/47.jpg)
Tactical objectives
Use iptables rules to limit access between OpenStack services; alert on any invalid connections
Give each service a different keystone service account (with different credentials)
Monitor closely for high bandwidth usage and high connection counts
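Two objectives in this talk need the same pieces: separating the planes with strict firewall rules and monitoring dropped packets (the control and data plane slide), and limiting access between OpenStack services with iptables and alerting on invalid connections (this slide). Both want an allowlist of expected flows, rules that log and drop everything else, and something that reads those log lines. The following added example (not from the talk, from OpenStack-Ansible or from any OpenStack project) does both in Python. The host inventory, the flow map and the kernel log lines are constructed for the example; the service ports are the upstream defaults, and the flow map is deliberately incomplete.

```python
"""Render an allowlist of expected OpenStack service flows as iptables rules and
triage the packets those rules drop (added example; not from the talk,
OpenStack-Ansible or any OpenStack project)."""
import re

# Constructed inventory (assumption): one host per role on a 10.0.1.0/24 management VLAN.
HOSTS = {
    "nova_api": "10.0.1.10",
    "keystone": "10.0.1.20",
    "compute": "10.0.1.30",
    "mysql": "10.0.1.40",
    "rabbitmq": "10.0.1.50",
    "glance": "10.0.1.60",
    "neutron": "10.0.1.70",
    "memcached": "10.0.1.80",
}
IP_TO_ROLE = {ip: role for role, ip in HOSTS.items()}

# (source role, destination role, TCP port). Ports are the upstream defaults;
# which role may talk to which is this example's assumption, not a complete map.
EXPECTED_FLOWS = {
    ("nova_api", "keystone", 5000), ("nova_api", "glance", 9292),
    ("nova_api", "neutron", 9696), ("nova_api", "mysql", 3306),
    ("nova_api", "rabbitmq", 5672), ("nova_api", "memcached", 11211),
    ("neutron", "keystone", 5000), ("neutron", "mysql", 3306), ("neutron", "rabbitmq", 5672),
    ("glance", "keystone", 5000), ("glance", "mysql", 3306),
    # nova-compute reaches the database only through nova-conductor, never directly.
    ("compute", "rabbitmq", 5672), ("compute", "glance", 9292), ("compute", "neutron", 9696),
}
CHAIN = "OS-SVC"
LOG_PREFIX = "OS-SVC-DROP: "


def build_rules(flows=EXPECTED_FLOWS, hosts=HOSTS, chain=CHAIN):
    """Return iptables rule arguments, one list element per `iptables ...` call."""
    rules = [
        f"-N {chain}",
        f"-A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst, port in sorted(flows):
        rules.append(
            f"-A {chain} -s {hosts[src]}/32 -d {hosts[dst]}/32 -p tcp --dport {port} "
            f"-m conntrack --ctstate NEW -j ACCEPT"
        )
    # Everything else is logged (rate limited so a scan cannot flood syslog), then dropped.
    rules.append(f'-A {chain} -m limit --limit 10/minute -j LOG --log-prefix "{LOG_PREFIX}" --log-level 4')
    rules.append(f"-A {chain} -j DROP")
    return rules


FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_drop(line, prefix=LOG_PREFIX):
    """Extract SRC/DST/PROTO/DPT from a kernel LOG line carrying our prefix."""
    if prefix.strip() not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", "?"),
        "dpt": int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None,
    }


def classify_drop(event, flows=EXPECTED_FLOWS, ip_to_role=IP_TO_ROLE):
    src_role = ip_to_role.get(event["src"])
    dst_role = ip_to_role.get(event["dst"])
    if src_role is None:
        return "foreign-source"       # not a control-plane host: tenant leak or attacker
    if dst_role is None:
        return "unknown-destination"  # a known host reaching something outside the inventory
    if (src_role, dst_role, event["dpt"]) in flows:
        return "rule-gap"             # an expected flow was dropped: the ruleset has drifted
    return "unexpected-flow"          # known host on a path it never uses: lateral movement candidate


def triage(lines):
    findings = []
    for line in lines:
        event = parse_drop(line)
        if event is not None:
            findings.append((classify_drop(event), event["src"], event["dst"], event["dpt"]))
    return findings


# Constructed kernel log lines (assumption, not real data) in the netfilter LOG format.
SAMPLE_KERNEL_LOG = [
    "Mar  3 10:14:02 infra1 kernel: OS-SVC-DROP: IN=br-mgmt OUT= MAC=00:00:00:00:00:01 SRC=10.0.1.30 DST=10.0.1.40 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=51234 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Mar  3 10:14:05 infra1 kernel: OS-SVC-DROP: IN=br-mgmt OUT= MAC=00:00:00:00:00:02 SRC=192.168.50.7 DST=10.0.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=TCP SPT=40000 DPT=5672 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Mar  3 10:14:09 infra1 kernel: OS-SVC-DROP: IN=br-mgmt OUT= MAC=00:00:00:00:00:03 SRC=10.0.1.10 DST=10.0.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4323 DF PROTO=TCP SPT=51300 DPT=5000 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Mar  3 10:14:11 infra1 sshd[2201]: Accepted publickey for ops from 10.8.0.5 port 51302 ssh2",
]

if __name__ == "__main__":
    print("\n".join("iptables " + r for r in build_rules()))
    for finding in triage(SAMPLE_KERNEL_LOG):
        print(*finding)
```

The rendered chain is meant to be attached to INPUT on each control-plane host (for example `-A INPUT -i br-mgmt -j OS-SVC`) or to FORWARD on the firewall between the VLANs. The verdict is what makes the log line actionable: `rule-gap` means the allowlist and the deployed rules have drifted and the fix is on the host, `foreign-source` is a tenant or data-plane address reaching the management VLAN at all, and `unexpected-flow` from a known host (here nova-compute opening a connection to MySQL, which it never does by design) is the lateral-movement signal this slide is asking you to alert on.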
![Page 48: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/48.jpg)
Let’s wrap up
![Page 49: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/49.jpg)
Analyze. Isolate. Monitor. Repeat.
![Page 50: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/50.jpg)
These small security changes add up to a strong defense
Image credit: Wikipedia
![Page 51: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/51.jpg)
Try OpenStack-Ansible
OpenStack-Ansible deploys enterprise-grade OpenStack clouds using Ansible.
Security and reliability are two of the core priorities for the project. Most of the security changes in this talk are already implemented.
Learn more: http://bit.ly/openstack-ansible
![Page 52: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/52.jpg)
RACKSPACE PRIVATE CLOUDPOWERED BY OPENSTACK®
Learn more about our proven operational expertise,
industry-leading reliability, and OpenStack Everywhere.
Join us at the Rackspace booth (A22) in the OpenStack Marketplace.
RACKSPACE INVENTED OPENSTACK® – NOW WE'RE PERFECTING IT
![Page 53: Holistic Security for OpenStack Clouds](https://reader031.fdocuments.us/reader031/viewer/2022022414/587bc42e1a28ab6c3c8b50bb/html5/thumbnails/53.jpg)
Thank you! Major Hayden
Photo credit: bastiend (Flickr)