2. IaaS
IGT Meetup July 2013
1. What is a public cloud?
2. Network architectures
3. Two public cloud examples
4. Shared responsibility model
5. Security risks and threats
6. Network isolation techniques
7. VPCs
8. Secure access techniques
9. VPN access DIY example
10. Summary and Q&A
Agenda
3. IGT Meetup July 2013
IaaS
Wikipedia - A cloud is called a 'Public cloud'
when the services are rendered over a
network that is open for public use.
So What‟s a Public Cloud
4. IGT Meetup July 2013
IaaS
• Datacenter (Infrastructure) as-a service
• Virtualized
• Shared
• Mostly Compute, but also storage services
• Access to resources is done over the Internet
• Service enrollment is instantaneous
using web-based console
• Other services like DB, LB as a service,
Object Store…
So What‟s a Public Cloud (2)
5. IGT Meetup July 2013
IaaS
In a Public Cloud
• No infrastructure ownership
• Pay Per Use (CPU hourly , storage size, network
usage, etc.)
• Allocate resources at any given moment as much as
you need (e.g. adjust your resource allocation to current
demand)
In a Private Cloud
• Infrastructure is dedicated to you (including network
gear and software licenses)
• Scale is limited to the physical amount of resources you
lease or buy.
These are different financial and operational models
Public Vs. Private Clouds
6. Regions and Datacenters
IGT Meetup July 2013
• Datacenters are called regions
• Regions are independent
• Amazon , Rackspace, Google, Azure, HP all have
regions around the world
7. Network Architecture
IGT Meetup July 2013
Usually, a Region has a shared internal service
network and and a shared public internet access
11. IaaS
IGT Meetup July 2013
“…In turn, you assume responsibility and management
of the guest operating system(including updates and security
patches), other associated application software, as well as…”
“…It is possible for
you to enhance security and/or meet more stringent compliance
requirements by leveraging technology such as host‐
based firewalls, host‐based intrusion detection/prevention, and encryption...”
Sources:
http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
http://www.rackspace.com/security/
……..“security is a partnership”……
…“USERS MUST TAKE FULL RESPONSIBILITY FOR APPLICATION OF
ANY SERVICES AND/OR PROCESSES MENTIONED HEREIN…”
Shared Responsibility Model
12. A Shared Responsibility Model in IaaS
IGT Meetup July 2013
Application
Hosted operating system
Virtualization layer
Physical infrastructure
Customer
Responsibility
Cloud Provider
Responsibility
13. Security Risks and Threats
IGT Meetup July 2013
If I can access my VMs remotely anyone else can
access them too
• What TCP/IP ports are open on your cloud VMs?
• What protocols/applications are you using to access
your VMs?
• Are you using a secure protocol/application? Are you
using it in in a secure manner?
What can the bad guys do?
• DoS
• Steal or compromise your data
• Use your VMs to launch attacks on 3rd parties
14. It‟s a Jungle Out There
IGT Meetup July 2013
Simple measurements
performed in a few public datacenters show the
following results (per virtual server):
HTTP based attack vectors 40-200 per day
SSH auth attempts 200-400 per day
Non HTTP/SSH based attacks 1000-4000 per day
15. It‟s a Jungle Out There – Attack Example
IGT Meetup July 2013
Simple measurements
performed in a few public datacenters show
the following results (per virtual server):
17. IGT Meetup July 2013
So what can be done to mitigate the threats?
18. Network Isolation Techniques
IGT Meetup July 2013
• IP Based filtering
• Server based Firewall
• Security Groups
• Private network (virtually)
• AWS VPC
• SDN solutions
19. EC2 Security Groups – The Basics
IGT Meetup July 2013
• Protocol and port based filtering
• Incoming traffic only
• Supports only TCP, UDP and ICMP
• White list - Everything is filtered unless declared open
• A single EC2 Security Group contains a list of rules
• Security Group serves also as a role that can be used as
source address in rules
• An instance can be associated with Multiple Security Groups
• Supports a REST based API
21. EC2 Security Groups
IGT Meetup July 2013
• Provide IP Based filtering – your first line of defense
• Simple and easy to use (Role based, management console, API)
• Can add/delete rules anytime
• The only means to secure internal communication with
EC2 services like RDS, LB ….
• Platform independent (e.g. Windows, Linux)
• For management access, servers are still exposed
to public Internet
• Control incoming traffic only (output policy
is „allow all‟ based on stateful inspection)
• Doesn‟t protect against IP spoofing.
• Is hard or sometimes impossible to associate with identity (probably
not the right tool for Access Control).
• Security Groups are only associated with private addresses (when
used as source address)
• Can‟t add/delete groups after lunching an instance
• No logs
22. What is a VPC?
A VPC solution should provide us with an „enterprise-
like‟ environment where:
1. Cloud resources are isolated from public access
(access is via a DMZ)
2. Secure access for remote users (e.g. employees,
contractors, etc.)
3. Access control mechanism
IGT Meetup July 2013
23. AWS and Rackspace Examples
IGT Meetup July 2013
User-defined private subnets
Additional network configuration
24. Cloud Providers‟ VPC Implementation Discussed
IGT Meetup July 2013
• AWS provides the EC2 VPC solution a public cloud but with a VLAN
like network isolation.
• Rackspace has an SDN solution (based on OpenStack Quantum)
Using an isolated network may have some challenges
• Can‟t just simply move an existing resource to VPC, must recreate
them.
• Network architecture is different, configuration is not straightforward
(might impact design)
• Integration with provider‟s services should be revisited
• Does not extend across regions (and vendors)
• Access control and identity management solutions may still need to
be integrated by customer
25. Secure Access Techniques
IGT Meetup July 2013
• Access servers directly using a secure protocol and local/central
user store
• Servers are still exposed to the public internet
• Centralized access control – access your cloud via a VPN Gateway
• Servers are not exposed to public internet
29. VPN access - the DIY toolkit
• Cloud Access
• Linux with packet forwarding capability
• VPN gateway is based on OpenSwan
(can also use StrongSwan, OpenVPN, Racoon)
• xl2tpd (L2TP server) for user authentication and dynamic IP
allocation (along with IPSec)
• NAT based on IP Tables all traffic flowing from users
to servers
• Intra Cloud protection – IP Based FW
• EC2 Security Groups
30. VPN Access DIY - EC2 example (Before)
This is how my servers‟ SG look like
before the change
IGT Meetup July 2013
31. VPN Access DIY - EC2 example (After)
Only my GW is open to the public Internet
My Servers are open only to the GW
IGT Meetup July 2013
34. What have we accomplished ?
• All IP Traffic from user to the public cloud is encrypted AND
secured (not protocol specific)
• Simple user based access and VPN
• No direct access to servers from the public internet
• Audit user access via Gateway‟s logs
35. Many companies have other challenges as well
IGT Meetup July 2013
• Deployment-wise
• Using several regions at the same time
• Using several clouds at the same time
• Must enable secure access to 3rd parties
• High Availability
• Security-wise
• Filtering is not good enough, complete isolation required
• Must encrypt all traffic even within the region
• Stronger authentication (OTP based 2 factor auth.) required
• Compliance (e.g. PCI, HIPAA, etc.)
36. • You can find detailed DIY examples on our blog and site
www.fortycloud.com
www.fortycloud.com/blog/
• Feel free to send us any cloud related security question to
support@fortycloud.com and we will do our best to answer.
• Join a free trial of our cloud security solution at
www.fortycloud.com/free-sign-up/