Public Cloud Security DIY @ IGT 2013

Public Cloud Security DIY
Amir Naftali, CTO FortyCloud

IaaS
IGT Meetup July 2013
1. What is a public cloud?
2. Network architectures
3. Two public cloud examples
4. Shared responsibility model
5. Security risks and threats
6. Network isolation techniques
7. VPCs
8. Secure access techniques
9. VPN access DIY example
10. Summary and Q&A
Agenda

IaaS
Wikipedia - A cloud is called a 'Public cloud'
when the services are rendered over a
network that is open for public use.
So What‟s a Public Cloud

IaaS
• Datacenter (Infrastructure) as-a service
• Virtualized
• Shared
• Mostly Compute, but also storage services
• Access to resources is done over the Internet
• Service enrollment is instantaneous
using web-based console
• Other services like DB, LB as a service,
Object Store…
So What‟s a Public Cloud (2)

IaaS
In a Public Cloud
• No infrastructure ownership
• Pay Per Use (CPU hourly , storage size, network
usage, etc.)
• Allocate resources at any given moment as much as
you need (e.g. adjust your resource allocation to current
demand)
In a Private Cloud
• Infrastructure is dedicated to you (including network
gear and software licenses)
• Scale is limited to the physical amount of resources you
lease or buy.
These are different financial and operational models
Public Vs. Private Clouds

Regions and Datacenters
• Datacenters are called regions
• Regions are independent
• Amazon , Rackspace, Google, Azure, HP all have
regions around the world

Network Architecture
Usually, a Region has a shared internal service
network and and a shared public internet access

Network Architecture Example - AWS

Network Architecture Example - Rackspace

Network Architecture
Basically, all VMs are reachable via the service
network and the public Internet

IaaS
“…In turn, you assume responsibility and management
of the guest operating system(including updates and security
patches), other associated application software, as well as…”
“…It is possible for
you to enhance security and/or meet more stringent compliance
requirements by leveraging technology such as host‐
based firewalls, host‐based intrusion detection/prevention, and encryption...”
Sources:
http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
http://www.rackspace.com/security/
……..“security is a partnership”……
…“USERS MUST TAKE FULL RESPONSIBILITY FOR APPLICATION OF
ANY SERVICES AND/OR PROCESSES MENTIONED HEREIN…”
Shared Responsibility Model

A Shared Responsibility Model in IaaS
Application
Hosted operating system
Virtualization layer
Physical infrastructure
Customer
Responsibility
Cloud Provider
Responsibility

Security Risks and Threats
If I can access my VMs remotely anyone else can
access them too
• What TCP/IP ports are open on your cloud VMs?
• What protocols/applications are you using to access
your VMs?
• Are you using a secure protocol/application? Are you
using it in in a secure manner?
What can the bad guys do?
• DoS
• Steal or compromise your data
• Use your VMs to launch attacks on 3rd parties

It‟s a Jungle Out There
Simple measurements
performed in a few public datacenters show the
following results (per virtual server):
HTTP based attack vectors 40-200 per day
SSH auth attempts 200-400 per day
Non HTTP/SSH based attacks 1000-4000 per day

It‟s a Jungle Out There – Attack Example
Simple measurements
performed in a few public datacenters show
the following results (per virtual server):

A Typical Start-up Scenario

So what can be done to mitigate the threats?

Network Isolation Techniques
• IP Based filtering
• Server based Firewall
• Security Groups
• Private network (virtually)
• AWS VPC
• SDN solutions

EC2 Security Groups – The Basics
• Protocol and port based filtering
• Incoming traffic only
• Supports only TCP, UDP and ICMP
• White list - Everything is filtered unless declared open
• A single EC2 Security Group contains a list of rules
• Security Group serves also as a role that can be used as
source address in rules
• An instance can be associated with Multiple Security Groups
• Supports a REST based API

EC2 Security Groups – The Basics
Example:

EC2 Security Groups
• Provide IP Based filtering – your first line of defense
• Simple and easy to use (Role based, management console, API)
• Can add/delete rules anytime
• The only means to secure internal communication with
EC2 services like RDS, LB ….
• Platform independent (e.g. Windows, Linux)
• For management access, servers are still exposed
to public Internet
• Control incoming traffic only (output policy
is „allow all‟ based on stateful inspection)
• Doesn‟t protect against IP spoofing.
• Is hard or sometimes impossible to associate with identity (probably
not the right tool for Access Control).
• Security Groups are only associated with private addresses (when
used as source address)
• Can‟t add/delete groups after lunching an instance
• No logs

What is a VPC?
A VPC solution should provide us with an „enterprise-
like‟ environment where:
1. Cloud resources are isolated from public access
(access is via a DMZ)
2. Secure access for remote users (e.g. employees,
contractors, etc.)
3. Access control mechanism

AWS and Rackspace Examples
User-defined private subnets
Additional network configuration

Cloud Providers‟ VPC Implementation Discussed
• AWS provides the EC2 VPC solution a public cloud but with a VLAN
like network isolation.
• Rackspace has an SDN solution (based on OpenStack Quantum)
Using an isolated network may have some challenges
• Can‟t just simply move an existing resource to VPC, must recreate
them.
• Network architecture is different, configuration is not straightforward
(might impact design)
• Integration with provider‟s services should be revisited
• Does not extend across regions (and vendors)
• Access control and identity management solutions may still need to
be integrated by customer

Secure Access Techniques
• Access servers directly using a secure protocol and local/central
user store
• Servers are still exposed to the public internet
• Centralized access control – access your cloud via a VPN Gateway
• Servers are not exposed to public internet

VPN Access DIY
Using Open Source

The Before picture

The After picture

VPN access - the DIY toolkit
• Cloud Access
• Linux with packet forwarding capability
• VPN gateway is based on OpenSwan
(can also use StrongSwan, OpenVPN, Racoon)
• xl2tpd (L2TP server) for user authentication and dynamic IP
allocation (along with IPSec)
• NAT based on IP Tables all traffic flowing from users
to servers
• Intra Cloud protection – IP Based FW
• EC2 Security Groups

VPN Access DIY - EC2 example (Before)
This is how my servers‟ SG look like
before the change

VPN Access DIY - EC2 example (After)
Only my GW is open to the public Internet
My Servers are open only to the GW

VPN Access DIY - EC2 example (After)

What have we accomplished ?
• All IP Traffic from user to the public cloud is encrypted AND
secured (not protocol specific)
• Simple user based access and VPN
• No direct access to servers from the public internet
• Audit user access via Gateway‟s logs

Many companies have other challenges as well
• Deployment-wise
• Using several regions at the same time
• Using several clouds at the same time
• Must enable secure access to 3rd parties
• High Availability
• Security-wise
• Filtering is not good enough, complete isolation required
• Must encrypt all traffic even within the region
• Stronger authentication (OTP based 2 factor auth.) required
• Compliance (e.g. PCI, HIPAA, etc.)

• You can find detailed DIY examples on our blog and site
www.fortycloud.com
www.fortycloud.com/blog/
• Feel free to send us any cloud related security question to
support@fortycloud.com and we will do our best to answer.
• Join a free trial of our cloud security solution at
www.fortycloud.com/free-sign-up/

Contact details:
Amir Naftali
amir@fortycloud.com
@amirnaftali
Thanks

Public Cloud Security DIY @ IGT 2013

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Public Cloud Security DIY @ IGT 2013

Similar to Public Cloud Security DIY @ IGT 2013 (20)

Recently uploaded

Recently uploaded (20)

Public Cloud Security DIY @ IGT 2013