Use Case : Cloud Security Design and Implementation

A developer cloud should offer several measures of security to ensure that each user's data, applications, and network remain private. Given that virtualization technologies revolve around resource sharing, it is even more important to provide security at different levels in a developer cloud. In parallel, the integrity of the machines implementing the developer cloud should be ensured at all times in order to detect, prevent, and avoid any attacks from intruders.
For more information see: http://www.oracle.com/technetwork/systems/hands-on-labs/hol-oracle-solaris-remote-lab-1894053.html

Published in: Technology

Transcript of "Use Case : Cloud Security Design and Implementation"

  1. Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
      Use Case : Cloud Security Design and Implementation
      Orgad Kimchi, ISV Engineering, Oracle Solaris 11
  2. Safe harbor statement
      The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
  3. Security Challenges
      • Securing data at rest, in transit, and in use
      • Minimize the operating system attack surface
      • Prevent denial-of-service attacks against the infrastructure
      • Segregate network traffic between different cloud users
      • Disable hostile code (e.g. 'rootkit' attacks)
      • Securely delete data once a project is finished
  4. Concerns With Public Cloud Computing
      Source: http://blogs.gartner.com/neil_macdonald/2010/12/16/security-is-the-top-concern-for-public-cloud-but-what-does-that-really-mean/
  5. Oracle Solaris Remote Lab: a secure cloud environment built on Solaris technologies, now in the cloud
      • Solaris Network Virtualization – segregates network traffic, with a secure VLAN per user
      • Solaris Zones – isolate partner VMs in a secure environment
      • Solaris ZFS – rapid and secure deployment of images in partner VMs
      • Secure Global Desktop – separates communication channels
  6. Cryptography
  7. (image only)
  8. Cryptographic Acceleration: Oracle SPARC T4 Processor
      • Scalable performance
        – On-core, unprivileged cryptographic instructions
        – OpenSSL 5x faster than IBM POWER7
        – ZFS encryption 3x faster than Intel
      • Most industry-standard algorithms
        – Public key: RSA, DSA, ECC, DH
        – Symmetric key: AES, 3DES, DES, Kasumi, Camellia
        – Message digests: CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
        – Random number generation (FIPS 140-2 compliant)
  9. SPARC T4 Cryptographic Acceleration: significant performance gains for SSL
      • Two-way SSL
      • RSA-2048
      • AES-256
  10. ZFS: Next Generation File System (Scalability)
      • Immense capacity (128-bit)
        – ZFS capacity: 256 quadrillion ZB (1 ZB = 1 billion TB)
        – Exceeds the quantum limit of Earth-based storage
      • Dynamic metadata
        – No limits on files, directory entries, snapshots, etc.
        – No tuning parameters to enable expansion
        – Parallel, constant-time directory operations
      • Pooled design – continuous future growth
  11. ZFS Encryption
      • Encryption policy is set at the ZFS dataset level
      • Supports delegation of key management operations
      • Leverages a dual-key model: wrapping key vs. data encryption key
      • Variety of options for the format and location of the wrapping key
      • Wrapping key is inherited by child datasets
  12. ZFS Encryption Example
      # zfs create -o encryption=on -o dedup=on -o compression=on rpool/scratch
      Enter passphrase for 'rpool/scratch':
      Enter again:
      # zfs get encryption,keysource,dedup,compression rpool/scratch
      NAME           PROPERTY     VALUE              SOURCE
      rpool/scratch  encryption   on                 local
      rpool/scratch  keysource    passphrase,prompt  local
      rpool/scratch  dedup        on                 local
      rpool/scratch  compression  on                 local
      # zfs key -u rpool/scratch
      # zfs mount rpool/scratch
      Enter passphrase for 'rpool/scratch':
  13. Assured Deletion with ZFS Encryption
      # zfs create -o encryption=on rpool/scratch
      Enter passphrase for 'rpool/scratch':
      Enter again:
      # zfs key -c -o keysource=raw,file:///dev/random rpool/scratch
      # zfs get keysource rpool/scratch
      NAME           PROPERTY   VALUE                   SOURCE
      rpool/scratch  keysource  raw,file:///dev/random  local
      # zfs key -u rpool/scratch
      # zfs destroy rpool/scratch
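A defender's posture check built on the encryption and keysource properties used in slides 11 to 13 and 29, added here as an example and not part of the deck. It reads output shaped like `zfs get -H -o name,property,value encryption,keysource` (the sample is constructed and the dataset names are invented), flags `passphrase,prompt` as a dataset nobody can mount unattended, reports `raw,file:///dev/random` as the assured-deletion state from slide 13 (the key is unrecoverable once unloaded), and accepts PKCS#11 or file-backed wrapping keys.

```shell
#!/bin/sh
# Added example: classify ZFS datasets by encryption/keysource posture.
# Input mirrors `zfs get -H -o name,property,value encryption,keysource -r rpool`
# (tab-separated). The sample is constructed; dataset names are invented.
SAMPLE_ZFS_GET="$(printf '%s\t%s\t%s\n' \
    rpool/scratch encryption on \
    rpool/scratch keysource  passphrase,prompt \
    rpool/zones   encryption on \
    rpool/zones   keysource  raw,pkcs11:object=zoneroot \
    rpool/export  encryption off \
    rpool/export  keysource  none \
    rpool/old     encryption aes-256-ccm \
    rpool/old     keysource  raw,file:///dev/random)"

# classify_dataset ENCRYPTION KEYSOURCE -> one status word on stdout
classify_dataset() {
    case "$1" in
        off|"")   echo UNENCRYPTED; return ;;   # no data-at-rest protection
        on|aes-*) ;;                            # encrypted: now judge the key source
        *)        echo UNKNOWN; return ;;
    esac
    case "$2" in
        passphrase,prompt)         echo PROMPT-ONLY ;;  # needs a human at mount/boot time
        raw,file:///dev/random)    echo SHREDDED ;;     # slide 13: key discarded, data unrecoverable
        raw,pkcs11:*|hex,pkcs11:*) echo OK-PKCS11 ;;    # slide 29: key held in a PKCS#11 token
        raw,file://*|hex,file://*|passphrase,file://*) echo OK-FILE ;;
        *)                         echo UNKNOWN ;;
    esac
}

# zfs_encryption_report: stdin = zfs get output, stdout = "dataset<TAB>status"
zfs_encryption_report() {
    TAB="$(printf '\t')"
    awk -F'\t' '
        $2 == "encryption" { enc[$1] = $3; if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 } }
        $2 == "keysource"  { key[$1] = $3 }
        END { for (i = 1; i <= n; i++) printf "%s\t%s\t%s\n", order[i], enc[order[i]], key[order[i]] }
    ' | while IFS="$TAB" read -r ds enc key; do
        printf '%s\t%s\n' "$ds" "$(classify_dataset "$enc" "$key")"
    done
}

# count_status STATUS: stdin = report, stdout = number of datasets with STATUS
count_status() {
    awk -F'\t' -v s="$1" '$2 == s { c++ } END { print c + 0 }'
}

printf '%s\n' "$SAMPLE_ZFS_GET" | zfs_encryption_report
```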
  14. Encrypted Swap and /tmp
      $ awk '($4 == "swap") { print; }' /etc/vfstab
      /dev/zvol/dsk/rpool/swap  -  -  swap  -  no  encrypted
      $ swap -l
      swapfile     dev    swaplo  blocks   free
      /dev/lofi/1  145,1  8       2097128  2097128
      $ lofiadm
      Block Device  File                     Options
      /dev/lofi/1   /devices/pseudo/zfs@0:2  Encrypted
  15. Networking
  16. Network Secure by Default
      • Expose only required services to the network
        – Reduce the operating system network footprint
        – Most services are disabled; a few are set to "local only"
      • Integrated with the Service Management Facility (SMF)
        – Common administrative model for all service operations
        – Fully customizable based upon unique site requirements
      • Foundation for additional protections and configuration
  17. Network Architecture Strategies
  18. Network Virtualization: network segregation
      • Using network VLANs
      • Combine with physical switches
      • Layer 2 segregation
      # dladm create-vnic -l net0 -v 2 vnic2
  19. IP Filters
      • Ability to configure which ports are open between systems
      • Simple to configure; managed as an SMF service
      • Can configure direction as well as ports
  20. Network Resource Management: control the uncontrollable
      • Introducing network resource control
        – Bandwidth control
        – Flow control
      • Split up large network pipes
      • Guarantee types of network traffic for your applications
      • In the following example we limit SSL traffic (TCP port 443) on the vnic0 network interface to 100 Mb/s
      # dladm create-vnic -l net0 vnic0
      # flowadm add-flow -l vnic0 -a transport=TCP,local_port=443 https-flow
      # flowadm set-flowprop -p maxbw=100M https-flow
  21. Data Link Protection
      # dladm show-linkprop -p protection net0
      LINK  PROPERTY    PERM  VALUE  DEFAULT  POSSIBLE
      net0  protection  rw    --     --       mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
      # dladm set-linkprop -p allowed-ips=10.0.2.15 net0
      # dladm set-linkprop -p protection=mac-nospoof,ip-nospoof,restricted net0
      # ping 10.0.2.2
      10.0.2.2 is alive
      [set the IP address manually to something other than 10.0.2.15]
      # ping 10.0.2.2
      no answer from 10.0.2.2
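A check on the link protections configured in slide 21, added here as an example and not part of the deck. It reads colon-separated link:property:value lines of the kind dladm's parsable output (`dladm show-linkprop -c -o link,property,value -p protection,allowed-ips`, assumed here) produces for the protection and allowed-ips properties (the sample is constructed; link names other than net0 are invented), and reports every link missing mac-nospoof, ip-nospoof or restricted, plus links where ip-nospoof is on but allowed-ips is empty. Note the ordering the slide follows: allowed-ips is set first, then protection is enabled, so the link's own static address is never blocked.

```shell
#!/bin/sh
# Added example: find data links whose protections fall short of the slide 21
# configuration (mac-nospoof, ip-nospoof, restricted, with allowed-ips set).
# Input format: link:property:value, as in dladm's parsable output.
# The sample is constructed; link names other than net0 are invented.
SAMPLE_LINKPROP="$(printf '%s\n' \
    'net0:protection:mac-nospoof,ip-nospoof,restricted' \
    'net0:allowed-ips:10.0.2.15' \
    'vnic2:protection:mac-nospoof' \
    'vnic2:allowed-ips:' \
    'vnic3:protection:' \
    'vnic3:allowed-ips:' \
    'vnic4:protection:ip-nospoof,restricted' \
    'vnic4:allowed-ips:')"

REQUIRED_PROTECTIONS="mac-nospoof ip-nospoof restricted"

# has_protection LIST NAME -> success if NAME is in the comma-separated LIST
has_protection() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# link_protection_findings: stdin = dladm output, stdout = "link<TAB>finding"
link_protection_findings() {
    awk -F: '
        $2 == "protection"  { prot[$1] = $3; if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 } }
        $2 == "allowed-ips" { ips[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                l = order[i]
                printf "%s %s %s\n", l, (prot[l] == "" ? "-" : prot[l]), (ips[l] == "" ? "-" : ips[l])
            }
        }
    ' | while read -r link prot ips; do
        for p in $REQUIRED_PROTECTIONS; do
            has_protection "$prot" "$p" || printf '%s\tmissing %s\n' "$link" "$p"
        done
        # ip-nospoof with an empty allowed-ips only permits DHCP-learned addresses;
        # a statically addressed link (as on the slide) would have its own traffic
        # dropped, which is why the slide sets allowed-ips before protection.
        if has_protection "$prot" ip-nospoof && [ "$ips" = "-" ]; then
            printf '%s\tip-nospoof set but allowed-ips is empty\n' "$link"
        fi
    done
}

# findings_for_link LINK: stdin = findings, stdout = count for that link
findings_for_link() {
    awk -F'\t' -v l="$1" '$1 == l { c++ } END { print c + 0 }'
}

printf '%s\n' "$SAMPLE_LINKPROP" | link_protection_findings
```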
  22. Designed-in Virtualization: Oracle Solaris Zones
  23. Integrated Virtualization (diagram: Security, Automated Install, Packaging, Zones, Networking, ZFS)
  24. Oracle Solaris Zones
      • Built-in solution for application deployment
      • Compatibility environments
        – Solaris 10 only
      • Zones now more complete
        – Delegated administration
        – Observability
        – NFS shares
        – Network virtualization
  25. Solaris Zones Security Benefits
      • Restricted in-zone operations
        – Individual operating system hardening, RBAC, auditing, etc.
        – Prohibited from directly accessing the kernel (modules) or raw memory
      • External enforcement of zone configuration
        – Configurable privileges, immutability, devices, file systems, resource controls, virtual network security controls, etc.
      • Observability with integrity
        – Protected audit trails, file integrity verification; the global zone has complete introspection capabilities
  26. Immutable Zones Example (1/2)
      # zonecfg -z myzone 'set file-mac-profile=fixed-configuration'
      # zoneadm -z myzone boot
      # zlogin myzone
      [Connected to zone 'myzone' pts/3]
      myzone# rm /etc/passwd
      rm: /etc/passwd: override protection 644 (yes/no)? y
      rm: /etc/passwd not removed: Read-only file system
      myzone# pkg install emacs
      pkg install: Could not complete the operation on /var/pkg/lock: read-only filesystem.
      myzone# rm /usr/bin/vi
      rm: /usr/bin/vi not removed: Read-only file system
  27. Immutable Zones Example (2/2)
      myzone# touch /var/tmp/foo
      myzone# touch /tmp/bar
      myzone# svcadm disable ssh
      root@solaris:~# svcs ssh
      STATE     STIME    FMRI
      disabled  6:52:53  svc:/network/ssh:default
  28. Data Architecture Strategies
  29. ZFS Zone Root Encryption
      # pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=zoneroot
      Enter PIN for Sun Software PKCS#11 softtoken:
      # zfs create -o encryption=on -o keysource=raw,pkcs11:object=zoneroot rpool/zones
      Enter PKCS#11 token PIN for 'rpool/zones':
      # zonecfg -z myzone 'create; set zonepath=/rpool/zones/myzone'
      # zoneadm -z myzone install
      [… once install completes, the system is rebooted]
      # zfs key -l rpool/zones
      Enter PKCS#11 token PIN for 'rpool/zones':
      # zfs mount -a
      # zoneadm -z myzone boot
  30. Auditing
  31. Solaris Auditing
      • Kernel-based, fine-grained introspection
      • Captures commands, syscalls and administrative actions
      • Flexible audit policy for global and non-global zones
      • Several audit trail formats: binary, text, XML, etc.
      • New in Solaris 11
        – Auditing on by default with no performance penalty
        – Supports secure remote storage of audit trails
        – Greater visibility into system events with less "noise"
  32. Per-User Auditing Policy
      # userattr audit_flags gbrunett
      #
      # usermod -K audit_flags=lo,ad,ex:no gbrunett
      # userattr audit_flags gbrunett
      lo,ad,ex:no
      # su - gbrunett
      $ exit
      # auditreduce -r baz -c lo /var/audit/*not_term* | praudit -s
      header,97,2,AUE_su,,testhost,2012-11-13 06:33:21.514 -08:00
      subject,testuser,baz,staff,baz,staff,5243,2804137368,0 0 testhost
      return,success,0
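A small reader for the `praudit -s` record format shown in slide 32, added here as an example and not part of the deck. It walks header/subject/return tokens (one per line, as praudit -s prints them; the first record copies the slide, the other two records and the failure text are constructed) and summarises AUE_su events. The point it makes concrete is that the first subject field, the audit ID, stays `testuser` after the su to `baz`, so per-user audit_flags keep attributing actions to the original login.

```shell
#!/bin/sh
# Added example: summarise AUE_su events from praudit -s style records.
# Field layout (praudit -s):
#   header,size,version,event,modifier,host,time
#   subject,audit-uid,uid,gid,ruid,rgid,pid,sid,tid
#   return,status,value
# The first record copies slide 32; the other two are constructed.
SAMPLE_AUDIT="$(printf '%s\n' \
    'header,97,2,AUE_su,,testhost,2012-11-13 06:33:21.514 -08:00' \
    'subject,testuser,baz,staff,baz,staff,5243,2804137368,0 0 testhost' \
    'return,success,0' \
    'header,97,2,AUE_su,,testhost,2012-11-13 06:35:02.118 -08:00' \
    'subject,gbrunett,gbrunett,staff,gbrunett,staff,5301,2804137400,0 0 testhost' \
    'return,failure: Permission denied,-1' \
    'header,80,2,AUE_login,,testhost,2012-11-13 06:36:00.000 -08:00' \
    'subject,gbrunett,gbrunett,staff,gbrunett,staff,5310,2804137401,0 0 testhost' \
    'return,success,0')"

# su_summary: stdin = praudit -s output
#             stdout = "audit_uid<TAB>uid<TAB>outcome<TAB>time", one line per AUE_su record
su_summary() {
    awk -F, '
        $1 == "header"  { event = $4; time = $7 }
        # audit ID ($2) survives su; uid ($3) is the identity switched to
        $1 == "subject" { auid = $2; uid = $3 }
        $1 == "return"  {
            if (event == "AUE_su")
                printf "%s\t%s\t%s\t%s\n", auid, uid, ($2 == "success" ? "success" : "failure"), time
            event = ""
        }
    '
}

# failed_su_by_user: stdin = su_summary output, stdout = "audit_uid<TAB>count"
failed_su_by_user() {
    awk -F'\t' '$3 == "failure" { c[$1]++ } END { for (u in c) printf "%s\t%d\n", u, c[u] }'
}

# su_lines: stdin = su_summary output, stdout = number of AUE_su records
su_lines() { awk 'END { print NR }'; }

printf '%s\n' "$SAMPLE_AUDIT" | su_summary
```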
  33. Putting it all together with Solaris 11 Security!
  34. Oracle Solaris Remote Lab – Schematic
  35. OSRL - Data
      Resource Sharing
      • Single zpool, multiple ZFS file systems
      Performance
      • Data stored in ZFS SA
      • Hybrid storage: disk + SSD + RAM
      • ZFS cloning
      Security
      • Encrypted ZFS with a partner-specific key
      • Each partner has their own ZFS file system
      Create / Use / Delete
      • Data isolated in a VLAN
      • Separate NFS server per partner
      • SGD - CDM
      • All intra-VM data transfers self-contained in the blade chassis
      • ZFS clones - share everything but the changes
      • ZFS secure delete
      • ZFS encrypt + delete: an almost instantaneous operation
  36. OSRL - Virtual Machines (Zones)
      Resource Sharing
      • Zone cloning: less than 18 MB of RAM, less than 100 MB of disk
      Performance
      • ZFS + zone cloning: new zone in minutes
      Security
      • ZFS encryption for the zone file system
      • Exclusive IP stack + VNIC
      Create / Use / Delete
      • All zones isolated in a non-routable VLAN
      • Secure Global Desktop access
      • Resource allocation: network bandwidth, memory, CPU
      • Zone shares all OS resources - single kernel, single storage
      • ZFS secure delete
      • ZFS encrypt + delete: an almost instantaneous operation
  37. When 1 + 1 > 2
      • Zones + ZFS
        – Fast zone provisioning
        – Very low overhead
        – Encrypted file system as well as shared resources
      • Zones + network virtualization
        – Allows sharing a single physical network
        – VLAN tagging allows creating one VLAN per partner
        – Exclusive IP stack on a shared physical network
  38. When 1 + 1 > 2
      • Zones + ZFS + NFS
        – Each NFS server is a zone
        – Single data store, single physical server
        – Multiple NFS file systems shared with ZFS (ZFS supports NFS sharing)
        – Encryption + cloning reduces overhead
      • Zones + IPS
        – Global zone has an IPS proxy
        – Single IPS repository accessible from the non-routable VLAN
  39. Additional Resources
      • Solaris 11 Security Hardening Guidelines: http://docs.oracle.com/cd/E26502_01/html/E29014/index.html
      • Solaris 11 Secure Coding Guidelines for Developers: http://docs.oracle.com/cd/E26502_01/html/E29016/scode-1.html
      • Glenn Faden's Solaris 11.1 Hands On Security Lab: https://blogs.oracle.com/gfaden/entry/solaris_11_1_is_available
      • Darren Moffat's Solaris Security Blog: https://blogs.oracle.com/darren/tags/solaris+security
  40. For More Information / Try Out Today
      • Product overview and download – oracle.com/solaris
      • Oracle Technology Network – oracle.com/technetwork/server-storage/solaris11
      • System Administrators Community – oracle.com/technetwork/systems
      • @ORCL_Solaris
      • facebook.com/oraclesolaris
      • Oracle Solaris Insider
  41. Questions
  42. Acknowledgements
      Special thanks to Darren Moffat, Glenn Faden, Angelo Rajadurai and many others for sharing their ideas and examples with the world.
  43. (image only)