Openstack Security Overview - May 2012
1. OpenStack Security Overview
Israel, May 2012
2012 and beyond
Zohar Alon
Co-Founder & CEO, Dome9 Security
zohar@dome9.com @zoharalon
Dome9 Security Ltd. – http://www.dome9.com
2. Dome9 Quick Background
• Dome9’s Mission: Manage All Cloud Security Stacks
– Operating System, Virtual Machine and/or any V*LAN Policy
– Firewall, VPN, IDS, Auditing & Logging
– Technology & Service Provider Agnostic
• Pat. Pending Security Automation & SSH Strengthening
• Highly Affordable SaaS offering
– Users install and manage
– Freemium to 4₵/server/hour
Dome9 facts: Founded 2010; First GA: Sept ‘11; Backing: Opus Capital; Employees: 10
3. OpenStack Security Considerations
• What are you building?
– Public or Private
• Access Credentials?
– root::alpine is good
• Key Pairs
– Make sure we all have a copy of all .pems in our Gmails/DBoxes
• Security Groups
– Any, Any, Any, Accept – It just works!
• Data Sensitivity Constraints
– Nothing is encrypted unless you work hard; HTTPS is almost free
• Inside the VMs
– It’s not my responsibility. Is it?
• Other places to consider:
– API security, Image Safety, Backups, Logs
4. HP Cloud – OpenStack Public IaaS
• Out-of-the-Box OpenStack as a public IaaS
– Diablo based; Nova and Swift; in public beta now
– 3 Availability Zones (≠ AWS AZ)
– EC2 API compatible listener
– Flat network; Floating (Elastic)/Temp Public/Private IP
• Security
– EC2 Style Security Groups
• Inbound, port ranges, SG2SG within same AZ
– Instance Authentication through SSH key-pairs
• No import or sharing between AZs
– Object Storage (Swift): Public or Private setting
• No Data-at-rest Encryption
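The “Any, Any, Any, Accept” security group from slide 3 is the kind of thing an auditor should catch before it reaches an EC2-style listener like the one slide 4 describes. The following is an added example, not code from the deck or from Dome9: a small audit of ingress rules that flags wide-open rules, sensitive ports exposed to the whole Internet, and over-broad source ranges. The rule dict shape (ip_protocol / from_port / to_port / cidr / group) and the sample group are constructed assumptions, chosen to resemble EC2-style rules, not a real nova API response.

```python
from ipaddress import ip_network

WORLD = ("0.0.0.0/0", "::/0")
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}

def rule_findings(rule):
    """Findings for one ingress rule; the dict shape is an assumed EC2-style one."""
    proto = str(rule.get("ip_protocol") or "any").lower()  # None / "-1" == any
    lo, hi = rule.get("from_port"), rule.get("to_port")
    if rule.get("group") is not None:     # SG2SG rule: scoped to group members
        return []
    try:
        net = ip_network(rule.get("cidr"), strict=False)
    except ValueError:
        return [("high", "unparseable cidr %r" % (rule.get("cidr"),))]
    world = net.prefixlen == 0                       # 0.0.0.0/0 or ::/0
    all_ports = proto in ("any", "-1") or (lo in (None, -1, 1) and hi in (None, -1, 65535))
    if world and all_ports:
        return [("critical", "any/any/any accept from the whole Internet")]
    findings = []
    if world:
        for port, name in SENSITIVE_PORTS.items():
            if lo is not None and hi is not None and lo <= port <= hi:
                findings.append(("high", "%s (%d) open to %s" % (name, port, net)))
    elif net.prefixlen < 8:
        findings.append(("medium", "very broad source range %s" % net))
    return findings

def audit_security_group(group):
    """Return {rule_index: findings} for every rule that has a finding."""
    report = {}
    for i, rule in enumerate(group["rules"]):
        found = rule_findings(rule)
        if found:
            report[i] = found
    return report

# Constructed sample: the deck's "Any, Any, Any, Accept" plus a sane baseline.
SAMPLE_SG = {"name": "default", "rules": [
    {"ip_protocol": None, "from_port": -1, "to_port": -1, "cidr": "0.0.0.0/0"},
    {"ip_protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"ip_protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"ip_protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
    {"ip_protocol": "tcp", "from_port": 3306, "to_port": 3306, "group": "web-tier"},
]}
if __name__ == "__main__":
    for idx, found in audit_security_group(SAMPLE_SG).items():
        for severity, msg in found:
            print("rule %d [%s]: %s" % (idx, severity, msg))
```

HTTPS open to the world (rule 2) is deliberately not flagged, in line with the deck's “HTTPS is almost free”; SSH to the world (rule 1) is, because the deck's key-pair handling joke is exactly how that port gets abused.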
6. Quantum: Virtualizing the Network
• Tenant Facing API for network management
– Enables rich multi-level network topologies
– Decouples “Logical” network from “Physical” constraints
• Abstract Advanced Network Elements (soon…)
– Firewalls, VPNs, LBs, NAT, DHCP
– We’ll manage them as they come, but be patient
• Quantum Security Groups: More robust!
– Per VIF vs. Per VM
– Inbound and Outbound
– Flexibility could lead to complexity
8. Dome9 for OpenStack – Announcing Private Cloud Connector
• Define, manage and automate OpenStack SGs
• Leverage host-based policies where required
• Share your objects (Networks, Servers and Users) across Clouds