Use Case : Cloud Security Design and Implementation
A developer cloud should offer several layers of security so that each user's data, applications, and network remain private. Because virtualization technologies revolve around resource sharing, providing security at each of those layers matters even more in a developer cloud. In parallel, the integrity of the machines that implement the developer cloud must be ensured at all times so that intrusions can be detected and prevented.
For more information see: http://www.oracle.com/technetwork/systems/hands-on-labs/hol-oracle-solaris-remote-lab-1894053.html
Presentation Transcript

  • 1 Use Case: Cloud Security Design and Implementation
    Orgad Kimchi, ISV Engineering, Oracle Solaris 11
    Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • 2 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  • 3 Security Challenges
      • Securing data at rest, in transit, and in use
      • Minimize the operating system attack surface
      • Prevent denial-of-service attacks against the infrastructure
      • Segregate network traffic between different cloud users
      • Disable hostile code (e.g. rootkit attacks)
      • Secure data deletion once a project is finished
  • 4 Concerns With Public Cloud Computing
    Source: http://blogs.gartner.com/neil_macdonald/2010/12/16/security-is-the-top-concern-for-public-cloud-but-what-does-that-really-mean/
  • 5 Oracle Solaris Remote Lab: a secure cloud environment built on Solaris technologies, now in the cloud
      • Solaris Network Virtualization – segregates network traffic, with a secure VLAN per user
      • Solaris Zones – isolate partner VMs in a secure environment
      • Solaris ZFS – rapid and secure deployment of images in partner VMs
      • Secure Global Desktop – separates communication channels
  • 6 Cryptography
  • 8 Cryptographic Acceleration: Oracle SPARC T4 Processor
      • Scalable performance
        – On-core, unprivileged cryptographic instructions
        – OpenSSL 5x faster than IBM POWER7
        – ZFS encryption 3x faster than Intel
      • Most industry-standard algorithms
        – Public key: RSA, DSA, ECC, DH
        – Symmetric key: AES, 3DES, DES, Kasumi, Camellia
        – Message digests: CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
        – Random number generation (FIPS 140-2 compliant)
  • 9 SPARC T4 Cryptographic Acceleration: significant performance gains for SSL
      • Two-way SSL
      • RSA-2048
      • AES-256
  • 10 ZFS: Next Generation File System – Scalability
      • Immense capacity (128-bit)
        – ZFS capacity: 256 quadrillion ZB (1 ZB = 1 billion TB)
        – Exceeds the quantum limit of Earth-based storage
      • Dynamic metadata
        – No limits on files, directory entries, snapshots, etc.
        – No tuning parameters to enable expansion
        – Parallel, constant-time directory operations
      • Pooled design – continuous future growth
  • 11 ZFS Encryption
      • Encryption policy is set at the ZFS dataset level
      • Supports delegation of key management operations
      • Leverages a dual-key model: wrapping key vs. data encryption key
      • Variety of options for the format/location of the wrapping key
      • Wrapping key is inherited by child datasets
  • 12 ZFS Encryption Example
        # zfs create -o encryption=on -o dedup=on -o compression=on rpool/scratch
        Enter passphrase for 'rpool/scratch':
        Enter again:
        # zfs get encryption,keysource,dedup,compression rpool/scratch
        NAME           PROPERTY     VALUE              SOURCE
        rpool/scratch  encryption   on                 local
        rpool/scratch  keysource    passphrase,prompt  local
        rpool/scratch  dedup        on                 local
        rpool/scratch  compression  on                 local
        # zfs key -u rpool/scratch
        # zfs mount rpool/scratch
        Enter passphrase for 'rpool/scratch':
  • 13 Assured Deletion with ZFS Encryption
        # zfs create -o encryption=on rpool/scratch
        Enter passphrase for 'rpool/scratch':
        Enter again:
        # zfs key -c -o keysource=raw,file:///dev/random rpool/scratch
        # zfs get keysource rpool/scratch
        NAME           PROPERTY   VALUE                   SOURCE
        rpool/scratch  keysource  raw,file:///dev/random  local
        # zfs key -u rpool/scratch
        # zfs destroy rpool/scratch
  • 14 Encrypted Swap and /tmp
        $ awk '($4 == "swap") { print; }' /etc/vfstab
        /dev/zvol/dsk/rpool/swap  -  -  swap  -  no  encrypted
        $ swap -l
        swapfile     dev    swaplo  blocks   free
        /dev/lofi/1  145,1  8       2097128  2097128
        $ lofiadm
        Block Device  File                     Options
        /dev/lofi/1   /devices/pseudo/zfs@0:2  Encrypted
  • 15 Networking
  • 16 Network Secure by Default
      • Expose only required services to the network
        – Reduce the operating system network footprint
        – Most services are disabled; a few are set to “local only”
      • Integrated with the Service Management Facility
        – Common administrative model for all service operations
        – Fully customizable based upon unique site requirements
      • Foundation for additional protections and configuration
  • 17 Network Architecture Strategies
  • 18 Network Virtualization – Network Segregation
      • Using network VLANs
      • Combine with physical switches
      • Layer 2 segregation
        # dladm create-vnic -l net0 -v 2 vnic2
  • 19 IP Filter
      • Ability to configure which ports are open between systems
      • Simple to configure; managed as an SMF service
      • Can configure direction as well as ports
  • 20 Network Resource Management – Control the Uncontrollable
      • Introducing network resource control
        – Bandwidth control
        – Flow control
      • Split up large network pipes
      • Guarantee types of network traffic for your applications
      • In the following example we limit HTTPS traffic on the vnic0 interface to 100 Mb/s
        # dladm create-vnic -l net0 vnic0
        # flowadm add-flow -l vnic0 -a transport=TCP,local_port=443 https-flow
        # flowadm set-flowprop -p maxbw=100M https-flow
  • 21 Data Link Protection
        # dladm show-linkprop -p protection net0
        LINK  PROPERTY    PERM  VALUE  DEFAULT  POSSIBLE
        net0  protection  rw    --     --       mac-nospoof, restricted, ip-nospoof, dhcp-nospoof
        # dladm set-linkprop -p allowed-ips=10.0.2.15 net0
        # dladm set-linkprop -p protection=mac-nospoof,ip-nospoof,restricted net0
        # ping 10.0.2.2
        10.0.2.2 is alive
        [set the IP address manually to something other than 10.0.2.15]
        # ping 10.0.2.2
        no answer from 10.0.2.2
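Slides 18, 20 and 21 each show one control in isolation. The script below is an added example, not code from the deck or from Oracle, that strings them together as a per-partner setup function: a VNIC on the partner's own VLAN, link protection pinned to the partner's address, and a bandwidth cap on HTTPS. The physical link name net0, the vnic_<partner> and https_<partner> naming, the VLAN range check and the DRY_RUN switch are assumptions made for this example. Two points differ from the slides on purpose: the protection properties go on the VNIC that will be handed to the zone rather than on the physical link, so they are enforced from the global zone and the zone administrator cannot clear them; and allowed-ips is set before ip-nospoof is switched on, because once ip-nospoof is active a statically configured address that is not in allowed-ips cannot send, which is exactly the "no answer" at the end of slide 21.

```shell
#!/bin/sh
# Per-partner network provisioning for an exclusive-IP zone (added example).
# Assumptions (not from the slides): physical link net0, one VLAN per partner,
# VNIC named vnic_<partner>, HTTPS flow named https_<partner>.
# DRY_RUN=1 prints the dladm/flowadm commands instead of executing them.

PHYS_LINK="${PHYS_LINK:-net0}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# tenant_net_setup <partner> <vlan-id> <allowed-ip> <maxbw>
tenant_net_setup() {
    partner="$1"; vlan="$2"; ip="$3"; maxbw="$4"
    vnic="vnic_$partner"

    # Validate inputs before touching a shared data link.
    case "$vlan" in
        ''|*[!0-9]*) echo "$partner: VLAN id '$vlan' is not a number" >&2; return 1 ;;
    esac
    if [ "$vlan" -lt 1 ] || [ "$vlan" -gt 4094 ]; then
        echo "$partner: VLAN id $vlan out of range 1-4094" >&2; return 1
    fi
    [ -n "$ip" ] || { echo "$partner: allowed IP address required" >&2; return 1; }

    # 1. Layer-2 segregation: a VNIC tagged with the partner's VLAN (slide 18).
    run dladm create-vnic -l "$PHYS_LINK" -v "$vlan" "$vnic" || return 1

    # 2. Link protection on the VNIC itself, set from the global zone so the
    #    zone cannot relax it (slide 21). allowed-ips goes first: with
    #    ip-nospoof on, a static address not in allowed-ips cannot send.
    run dladm set-linkprop -p "allowed-ips=$ip" "$vnic" || return 1
    run dladm set-linkprop -p protection=mac-nospoof,ip-nospoof,restricted "$vnic" || return 1

    # 3. Cap HTTPS so one partner cannot starve the others (slide 20).
    run flowadm add-flow -l "$vnic" -a transport=TCP,local_port=443 "https_$partner" || return 1
    run flowadm set-flowprop -p "maxbw=$maxbw" "https_$partner" || return 1
}

# tenant_net_teardown <partner>: the flow references the VNIC, so it goes first.
tenant_net_teardown() {
    partner="$1"
    run flowadm remove-flow "https_$partner" || return 1
    run dladm delete-vnic "vnic_$partner" || return 1
}

# Demo only when explicitly asked for, so sourcing the file has no side effects.
if [ "${TENANT_DEMO:-0}" = "1" ]; then
    DRY_RUN=1 tenant_net_setup acme 2 10.0.2.15 100M
fi
```

Run with `TENANT_DEMO=1 sh tenant_net.sh` to see the exact command sequence without touching the link, or source the file and call `tenant_net_setup` from a provisioning script. The zone then receives the VNIC through zonecfg (`set ip-type=exclusive; add net; set physical=vnic_acme; end`), and because the protection and flow properties live on the VNIC in the global zone, nothing the partner does inside the zone changes them.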
  • 22 Designed-in Virtualization: Oracle Solaris Zones
  • 23 Integrated Virtualization Security (diagram: Automated Install, Packaging, Zones, Networking, ZFS)
  • 24 Oracle Solaris Zones
      • Built-in solution for application deployment
      • Compatibility environments
        – Solaris 10 only
      • Zones now more complete
        – Delegated administration
        – Observability
        – NFS shares
        – Network virtualization
  • 25 Solaris Zones Security Benefits
      • Restricted in-zone operations
        – Individual operating system hardening, RBAC, auditing, etc.
        – Prohibited from directly accessing the kernel (modules) and raw memory
      • External enforcement of zone configuration
        – Configurable privileges, immutability, devices, file systems, resource controls, virtual network security controls, etc.
      • Observability with integrity
        – Protected audit trails, file integrity verification; the global zone has complete introspection capabilities
  • 26 Immutable Zones Example (1/2)
        # zonecfg -z myzone 'set file-mac-profile=fixed-configuration'
        # zoneadm -z myzone boot
        # zlogin myzone
        [Connected to zone 'myzone' pts/3]
        myzone# rm /etc/passwd
        rm: /etc/passwd: override protection 644 (yes/no)? y
        rm: /etc/passwd not removed: Read-only file system
        myzone# pkg install emacs
        pkg install: Could not complete the operation on /var/pkg/lock: read-only filesystem.
        myzone# rm /usr/bin/vi
        rm: /usr/bin/vi not removed: Read-only file system
  • 27 Immutable Zones Example (2/2)
        myzone# touch /var/tmp/foo
        myzone# touch /tmp/bar
        myzone# svcadm disable ssh
        root@solaris:~# svcs ssh
        STATE     STIME    FMRI
        disabled  6:52:53  svc:/network/ssh:default
  • 28 Data Architecture Strategies
  • 29 ZFS Zone Root Encryption
        # pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=zoneroot
        Enter PIN for Sun Software PKCS#11 softtoken:
        # zfs create -o encryption=on -o keysource=raw,pkcs11:object=zoneroot rpool/zones
        Enter PKCS#11 token PIN for 'rpool/zones':
        # zonecfg -z myzone 'create; set zonepath=/rpool/zones/myzone'
        # zoneadm -z myzone install
        [... once the install completes, the system is rebooted]
        # zfs key -l rpool/zones
        Enter PKCS#11 token PIN for 'rpool/zones':
        # zfs mount -a
        # zoneadm -z myzone boot
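Slides 11 to 13, 26 and 29 together describe one lifecycle: a partner gets an encrypted dataset under a key only the lab controls, an immutable zone is installed on it, and at the end of the project the data is made unrecoverable by throwing the key away. The script below is an added example, not code from the deck or from Oracle, that carries that lifecycle through with the checks a practitioner wants around it. The parent dataset rpool/partners, the key label key_<partner>, the zone name z_<partner>, an already existing VNIC named vnic_<partner>, and the DRY_RUN and ZFS_PROP_STUB switches are assumptions made for this example. The deletion path differs from slide 13 in one way: it reads `keystatus` after unloading the key and refuses to destroy the dataset unless ZFS reports the key unavailable, so a dataset whose key is still in memory is never reported as securely deleted.

```shell
#!/bin/sh
# Per-partner encrypted storage and zone lifecycle (added example).
# Assumptions not taken from the slides: parent dataset rpool/partners, one AES
# wrapping key per partner in the PKCS#11 softtoken (label key_<partner>), a
# VNIC vnic_<partner> that already exists, and DRY_RUN=1 to print commands
# instead of running them (ZFS_PROP_STUB then stands in for what zfs get prints).

PARENT="${PARENT:-rpool/partners}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# zfs_prop <dataset> <property>: the bare property value.
zfs_prop() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "${ZFS_PROP_STUB:-}"
    else
        zfs get -H -o value "$2" "$1"
    fi
}

# partner_ds_create <partner>: the wrapping key is generated inside the token
# and referenced by label, so unlike keysource=passphrase,prompt (slide 12) it
# never appears on a command line, in shell history, or in a provisioning log.
partner_ds_create() {
    p="$1"; ds="$PARENT/$p"
    run pktool genkey keystore=pkcs11 keytype=aes keylen=256 label="key_$p" || return 1
    run zfs create -o encryption=on -o "keysource=raw,pkcs11:object=key_$p" "$ds" || return 1
    # Never hand over a dataset that is not actually encrypted.
    if [ "$(zfs_prop "$ds" encryption)" = "off" ]; then
        echo "$ds: encryption is off, refusing to continue" >&2
        return 1
    fi
}

# partner_zone_create <partner>: an immutable, exclusive-IP zone whose root is
# a child of the encrypted dataset, so it inherits the partner's wrapping key
# (slide 29) while fixed-configuration keeps its root read-only (slide 26).
partner_zone_create() {
    p="$1"; ds="$PARENT/$p"
    run zonecfg -z "z_$p" "create; set zonepath=/$ds/zone; set file-mac-profile=fixed-configuration; set ip-type=exclusive; add net; set physical=vnic_$p; end" || return 1
    run zoneadm -z "z_$p" install || return 1
}

# partner_destroy <partner>: assured deletion (slide 13) with a check. After
# the zone is removed, the data key is re-wrapped with bytes from /dev/random
# that nobody ever sees, the key is unloaded, and only once ZFS confirms the
# key is unavailable is the dataset destroyed. Blocks later recovered from the
# disks are then ciphertext with no surviving wrapping key.
partner_destroy() {
    p="$1"; ds="$PARENT/$p"
    run zoneadm -z "z_$p" halt 2>/dev/null || true   # an already halted zone is fine
    run zoneadm -z "z_$p" uninstall -F || return 1
    run zonecfg -z "z_$p" delete -F || return 1
    run zfs key -c -o keysource=raw,file:///dev/random "$ds" || return 1
    run zfs key -u "$ds" || return 1
    st="$(zfs_prop "$ds" keystatus)"
    if [ "$st" != "unavailable" ]; then
        echo "$ds: keystatus is '$st', not destroying" >&2
        return 1
    fi
    run zfs destroy -r "$ds" || return 1
}
```

Two caveats that the slides leave implicit. A clone of the partner's dataset shares its data encryption key, since it shares the blocks, so re-wrapping the origin's key proves nothing while a clone exists: destroy clones first. And the partner's wrapping key in the softtoken is no longer needed after `zfs key -c`; delete it from the token as well (pktool delete), otherwise a key that can no longer unwrap anything lingers in the key store and confuses the next audit.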
  • 30 Auditing
  • 31 Solaris Auditing
      • Kernel-based, fine-grained introspection
      • Captures commands, syscalls, administrative actions
      • Flexible audit policy for global and non-global zones
      • Several audit trail formats: binary, text, XML, etc.
      • New in Solaris 11
        – Auditing on by default with no performance penalty
        – Supports secure remote storage of audit trails
        – Greater visibility into system events with less “noise”
  • 32 Per-User Auditing Policy
        # userattr audit_flags gbrunett
        #
        # usermod -K audit_flags=lo,ad,ex:no gbrunett
        # userattr audit_flags gbrunett
        lo,ad,ex:no
        # su - gbrunett
        $ exit
        # auditreduce -r baz -c lo /var/audit/*not_term* | praudit -s
        header,97,2,AUE_su,,testhost,2012-11-13 06:33:21.514 -08:00
        subject,testuser,baz,staff,baz,staff,5243,2804137368,0 0 testhost
        return,success,0
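The record at the end of slide 32 is a single su event in `praudit -s` form: a header token naming the event, a subject token whose second field is the audit ID, and a return token. The functions below are an added example, not part of the deck, of what a practitioner does with a trail in that form: group the AUE_su records by audit ID and flag users whose repeated su failures ended in a success. The audit records in `sample_trail` are constructed for this example (the first one is the record from the slide); they are not a real capture. Grouping by audit ID rather than by uid is the point of the exercise, since the audit ID is fixed at login and survives su, so the failed attempts and the eventual success are attributed to the same person even though the uid in the last record is root.

```shell
#!/bin/sh
# Mining a praudit -s trail for su activity (added example).
# Input format (comma separated): header,<version>,<mod>,<event>,...
#                                 subject,<audit-id>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<tid>
#                                 return,<success|failure>,<errval>

# Constructed sample trail; the first record is the one shown on slide 32.
sample_trail() {
    cat <<'EOF'
header,97,2,AUE_su,,testhost,2012-11-13 06:33:21.514 -08:00
subject,testuser,baz,staff,baz,staff,5243,2804137368,0 0 testhost
return,success,0
header,97,2,AUE_su,,testhost,2012-11-13 06:35:02.100 -08:00
subject,gbrunett,gbrunett,staff,gbrunett,staff,5301,2804137368,0 0 testhost
return,failure,1
header,97,2,AUE_su,,testhost,2012-11-13 06:35:07.411 -08:00
subject,gbrunett,gbrunett,staff,gbrunett,staff,5302,2804137368,0 0 testhost
return,failure,1
header,97,2,AUE_su,,testhost,2012-11-13 06:35:15.902 -08:00
subject,gbrunett,root,root,root,root,5303,2804137368,0 0 testhost
return,success,0
header,97,2,AUE_login,,testhost,2012-11-13 06:36:00.000 -08:00
subject,alice,alice,staff,alice,staff,5310,2804137400,0 0 testhost
return,success,0
EOF
}

# su_report: reads praudit -s text on stdin and prints one line per audit ID:
#   <audit-id> <successful su> <failed su>
# Only AUE_su records are counted; the audit ID comes from the subject token.
su_report() {
    awk -F, '
        $1 == "header"  { in_su = ($4 == "AUE_su") }
        $1 == "subject" && in_su { auid = $2 }
        $1 == "return"  && in_su {
            if ($2 == "success") ok[auid]++; else bad[auid]++
            seen[auid] = 1; in_su = 0
        }
        END { for (a in seen) printf "%s %d %d\n", a, ok[a] + 0, bad[a] + 0 }
    ' | sort
}

# su_suspects <min-failures>: audit IDs with at least <min-failures> failed su
# attempts that nevertheless ended with a successful one.
su_suspects() {
    su_report | awk -v min="$1" '$3 >= min && $2 > 0 { print $1 }'
}

# Demo only when asked for, so sourcing the file has no side effects.
if [ "${AUDIT_DEMO:-0}" = "1" ]; then
    sample_trail | su_report
    echo "suspects:"
    sample_trail | su_suspects 2
fi
```

Against a live system the pipeline is `auditreduce -c lo /var/audit/* | praudit -s | su_suspects 3`; AUE_su is in the lo class, which is why the per-user flags on slide 32 start with lo. Everything here is POSIX sh and awk, so the same script runs on the host that receives the remotely stored trails mentioned on slide 31.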
  • 33 Putting it all together with Solaris 11 Security!
  • 34 Oracle Solaris Remote Lab – Schematic
  • 35 OSRL – Data
    Create
      Resource Sharing
        • Single zpool, multiple ZFS file systems
      Performance
        • Data stored in ZFS SA
        • Hybrid storage: disk + SSD + RAM
        • ZFS cloning
      Security
        • Encrypted ZFS with a partner-specific key
        • Each partner has their own ZFS file system
    Use
      • Data isolated in a VLAN
      • Separate NFS server per partner
      • SGD – CDM
      • All intra-VM data transfers self-contained in the blade chassis
      • ZFS clones: share everything but the changes
    Delete
      • ZFS secure delete
      • ZFS encrypt + delete: an almost instantaneous operation
  • 36 OSRL – Virtual Machines (Zones)
    Create
      Resource Sharing
        • Zone cloning
        • Less than 18 MB of RAM
        • Less than 100 MB of disk
      Performance
        • ZFS + zone cloning
        • New zone in minutes
      Security
        • ZFS encryption for the zone file system
        • Exclusive IP stack + VNIC
    Use
      • All zones isolated in a non-routable VLAN
      • Secure Global Desktop access
      • Resource allocation: network bandwidth, memory, CPU
      • Zone shares all OS resources: single kernel, single storage
    Delete
      • ZFS secure delete
      • ZFS encrypt + delete: an almost instantaneous operation
  • 37 When 1 + 1 > 2
      • Zones + ZFS
        – Fast zone provisioning
        – Very low overhead
        – Encrypt the file system as well as share resources
      • Zones + network virtualization
        – Allows for sharing a single physical network
        – VLAN tagging allows for creating one VLAN per partner
        – Exclusive IP stack on a shared physical network
  • 38 When 1 + 1 > 2
      • Zones + ZFS + NFS
        – Each NFS server is a zone
        – Single data store
        – Single physical server
        – Multiple NFS file systems shared with ZFS
        – ZFS supports NFS sharing
        – Encryption + cloning reduces overhead
      • Zones + IPS
        – Global zone has an IPS proxy
        – Single IPS repository accessible from the non-routable VLAN
  • 39 Additional Resources
      • Solaris 11 Security Hardening Guidelines: http://docs.oracle.com/cd/E26502_01/html/E29014/index.html
      • Solaris 11 Secure Coding Guidelines for Developers: http://docs.oracle.com/cd/E26502_01/html/E29016/scode-1.html
      • Glenn Faden’s Solaris 11.1 Hands On Security Lab: https://blogs.oracle.com/gfaden/entry/solaris_11_1_is_available
      • Darren Moffat’s Solaris Security Blog: https://blogs.oracle.com/darren/tags/solaris+security
  • 40 For More Information / Try Out Today
      • Product overview and download – oracle.com/solaris
      • Oracle Technology Network – oracle.com/technetwork/server-storage/solaris11
      • System Administrators Community – oracle.com/technetwork/systems
      • @ORCL_Solaris
      • facebook.com/oraclesolaris
      • Oracle Solaris Insider
  • 41 Questions
  • 42 Acknowledgements: special thanks to Darren Moffat, Glenn Faden, Angelo Rajadurai and many others for sharing their ideas and examples with the world.