Securing Your Cloud Servers with Halo NetSec

Published in: Technology

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
517
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
9
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Securing Your Cloud Servers with Halo NetSec. Rand Wacker, VP of Products, rand@cloudpassage.com, @randwacker. © 2012 CloudPassage Inc.
  • 2. CloudPassage Halo was purpose-built to deliver real security for servers in the cloud.
  • 3. What does CloudPassage do? Security for virtual servers running in public and private clouds:
      – Firewall Management
      – Compromise & intrusion alerting
      – Server Configurations
      – Security & compliance auditing
      – Server account Management
      – Vulnerability Management
  • 4. CloudPassage Halo Packages
      – Halo Basic: Free security for initial cloud migrations
      – Halo NetSec (NEW): Full perimeter protection and security integration
      – Halo Professional: Comprehensive security and compliance controls
  • 5. Cloud Requires A New Approach to Security
  • 6. Cloud Security Is New [diagram labels: private datacenter; www-1, www-2, www-3, www-4; public cloud]
  • 7. Cloud Security Is Different [diagram labels: private datacenter; www-1, www-2, www-3, www-4, www-4; public cloud]
  • 8. Cloud Security Is Complex [diagram labels: Cloud Provider B; Cloud Provider A; Private Datacenter; servers www-1 through www-10]
  • 9. Security Products Aren’t Adapting
      – Metered Usage
      – Temporary & Elastic Deployments
      – Multiple Cloud Environments
      [diagram labels: Cloud Provider B; Cloud Provider A; Private Datacenter; servers www-1 through www-10]
  • 10. Cloud Security Responsibility
  • 11. Cloud Security Responsibility: AWS Shared Responsibility Model
      – Customer Responsibility: Data, App Code, App Framework, Operating System, Virtual Machine
      – Provider Responsibility: Hypervisor, Compute & Storage, Shared Network, Physical Facilities
      – “…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...”
      – “it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”
      – Source: Amazon Web Services: Overview of Security Processes
  • 12. Survey: Cloud Providers. Question: Which cloud hosting providers do you use?
      – Amazon EC2: 50%
      – Rackspace: 30%
      – Terremark: 16%
      – GoGrid: 9%
      – Other: 6%
      Source: CloudPassage CloudSec Community Survey
  • 13. Survey: Cloud Security Practices. Question: How do you secure your cloud servers today?
      – Open source or custom-developed tools
      – Commercial Tool
      – We're not securing our cloud servers
      – My provider does it for me
      – Amazon Security Group
      Source: CloudPassage CloudSec Community Survey
  • 14. Survey: Cloud Security Concerns. Question: What security concerns are most important to you regarding public cloud computing? (Multiple Choice)
      – Lack of perimeter defenses and/or network control: 44%
      – Multi-tenancy of infrastructure or applications: 40%
      – Achieving compliance with PCI or other standards: 26%
      – Provider access to guest servers: 24%
      – Enterprise security tools don't work in the cloud: 23%
      Source: CloudPassage CloudSec Community Survey
  • 15. Introducing Halo NetSec
  • 16. Halo NetSec provides firewalling, 2-factor authentication, and full automation for the protection of cloud servers.
  • 17. Halo NetSec: Dynamic Cloud Firewall
  • 18. Traditional Perimeter Security [diagram labels: private datacenter; Firewall; Load Balancer (x2); App Server (x4); DB (x2)]
  • 19. Dynamic Cloud Firewall [diagram labels: public cloud; Load Balancer, App Server (x2), DB Master, each with FW and Halo]
  • 20. Dynamic Cloud Firewall [diagram labels: public cloud; Load Balancer (x2), App Server (x3), DB Master, DB Slave, each with FW and Halo]
  • 21. Dynamic Cloud Firewall [diagram labels: public cloud; Load Balancer (x2), App Server (x3), DB Master, DB Slave, each with FW and Halo; App Server IP]
  • 22. Dynamic Cloud Firewall [diagram labels: public cloud; Load Balancer (x2), App Server (x2), DB Master, DB Slave, each with FW and Halo; App Server IP]
  • 23. Multi-Cloud Firewall [diagram labels: US West Cloud; US East Cloud; Private Datacenter; App Server (x4) and DB (x2) with FW and Halo; Firewall; DB (x2) with Halo]
  • 24. Multi-Cloud Firewall [diagram labels: US West Cloud; US East Cloud; Private Datacenter; App Server (x4) and DB (x2) with FW and Halo; Firewall; DB (x2) with Halo]
  • 25. Halo NetSec: GhostPorts 2-Factor Authentication
  • 26. GhostPorts 2-Factor Auth
      – YubiKey-generated one-time password
      – USB token contains no batteries or moving parts
      – Prevent brute force attacks on SSH and web applications
  • 27. GhostPorts 2-Factor Auth [diagram labels: DB Server; FW; Halo]
  • 28. GhostPorts 2-Factor Auth [diagram labels: DB Server; FW; Halo; CloudPassage Halo; https; Halo Grid]
  • 29. GhostPorts 2-Factor Auth [diagram labels: DB Server; FW; Halo; CloudPassage Halo; https; Halo Grid]
  • 30. GhostPorts 2-Factor Auth [diagram labels: DB Server; FW; Halo]
  • 31. (no slide text)
  • 32. Halo NetSec: Integration API
  • 33. Halo Reduces Your Workload. Things you DON’T need to script with CloudPassage Halo:
      Managed Automatically
      – Add new server to policy
      – Remove firewall policies when servers are retired
      – Scan for vulnerabilities of installed software packages
      – Many, many more…
      Monitored Continually
      – Verify firewall rules match group policy
      – Alert administrators of missing servers
      – Monitor critical server configuration files for security posture
      – Many, many more…
  • 34. Adding New Server Accounts [diagram labels: public cloud with www-1 and www-2, each running Halo; GhostPorts Access, Local Server Accounts; CloudPassage Halo; RESTful API Gateway; Halo Grid; private datacenter with Security Operations Portal, Enterprise Provisioning System, Corporate Directory]
  • 35. Other Cool Halo/API Tricks
      – Set password reset requirements for a server user account.
      – Find server accounts that don't have passwords (it happens).
      – Find those spooky root-owned setuid files.
      – Generate alerts if PID files go missing.
      – Generate an alert if someone is in a group they shouldn't be in (like wheel).
      – Generate massively detailed reports of server configuration status for auditors (keep 'em busy for weeks).
      – Get a report of every server that a user *does not* have an account on.
      – Get a report of every server that a user has an account on.
      – Get alerted if a new cloud server gets created.
      – Learn what process that TCP/IP port is bound to.
      – Make sure that init.d startup scripts can't be tampered with by non-root users.
      – Make sure that services are not running with excessive privileges.
      – Monitor servers to detect old user accounts that should have been cleaned up, but might have gotten missed.
      Many, many more at community.cloudpassage.com
  • 36. CloudPassage Halo Architecture
  • 37. How It Works
      Halo Daemon
      – Ultra light-weight software
      – Installed on server image
      – Automatically provisioned
      Halo Grid
      – Elastic compute grid
      – Hosted by CloudPassage
      – Does the heavy lifting for the Halo Daemons
      [diagram labels: Halo Daemon on www-1; Halo Grid]
  • 38. [diagram labels: www-1, www-2, www-3, www-4, each running Halo; User Portal (https); RESTful API Gateway (https); CloudPassage Halo Compute Grid; Policies, Commands, Reports; Alerts, Reports and Trending]
  • 39. Getting Started
  • 40. CloudPassage Halo Packages
      – Halo Basic: Free security for initial cloud migrations
      – Halo NetSec (NEW): Full perimeter protection and security integration
      – Halo Professional: Comprehensive security and compliance controls
  • 41. Features and Pricing (plans: Basic, NetSec (New!), Pro)
      Network Security
      – Host Firewall Management: Basic ✔, NetSec ✔, Pro ✔
      – GhostPorts Multi-Factor Authentication: NetSec ✔, Pro ✔
      Host Security
      – Server Exposure Monitoring: Basic ✔, NetSec ✔, Pro ✔
      – Software Vulnerability Monitoring: Basic ✔, NetSec ✔, Pro ✔
      – Account & Access Scanning: Basic ✔, NetSec ✔, Pro ✔
      – Cloud Server Event Logging & Alerting: Basic ✔, NetSec ✔, Pro ✔
      – File Integrity Monitoring: Pro ✔
      – Data Storage: Basic one day, NetSec two years (FW events), Pro two years (all scans)
      – Maximum Scanning Frequency: Basic daily, NetSec daily, Pro hourly
      Integration, Management Support
      – Web Management Portal: Basic ✔, NetSec ✔, Pro ✔
      – RESTful API Access: NetSec ✔, Pro ✔
      – Technical Support: Basic Community, NetSec Professional, Pro Professional
      – Servers Protected: Basic up to 25, NetSec unlimited, Pro unlimited
      – Pricing: Basic FREE, NetSec 3.5¢/hour, Pro 10¢/hour
  • 42. FREE 5 Minute Setup
      – Register at cloudpassage.com/register
      – Install daemons on cloud servers
      – Configure security policies in Halo web portal
  • 43. Summary
      – Cloud deployments require a new approach to security
      – Halo is the only security platform purpose-built for the cloud
      – All you need to secure your cloud servers
  • 44. Q&A. Rand Wacker, rand@cloudpassage.com, @randwacker
  • 45. Thank You! For more information: info@cloudpassage.com
