Public Cloud Security DIY
Amir Naftali, CTO FortyCloud
IaaS
IGT Meetup July 2013
1. What is a public cloud?
2. Network architectures
3. Two public cloud examples
4. Shared respo...
IGT Meetup July 2013
IaaS
Wikipedia - A cloud is called a 'Public cloud'
when the services are rendered over a
network tha...
IGT Meetup July 2013
IaaS
• Datacenter (Infrastructure) as-a service
• Virtualized
• Shared
• Mostly Compute, but also sto...
IGT Meetup July 2013
IaaS
In a Public Cloud
• No infrastructure ownership
• Pay Per Use (CPU hourly , storage size, networ...
Regions and Datacenters
IGT Meetup July 2013
• Datacenters are called regions
• Regions are independent
• Amazon , Rackspa...
Network Architecture
IGT Meetup July 2013
Usually, a Region has a shared internal service
network and and a shared public ...
Network Architecture Example - AWS
IGT Meetup July 2013
Network Architecture Example - Rackspace
IGT Meetup July 2013
Network Architecture
IGT Meetup July 2013
Basically, all VMs are reachable via the service
network and the public Internet
IaaS
IGT Meetup July 2013
“…In turn, you assume responsibility and management
of the guest operating system(including upda...
A Shared Responsibility Model in IaaS
IGT Meetup July 2013
Application
Hosted operating system
Virtualization layer
Physic...
Security Risks and Threats
IGT Meetup July 2013
If I can access my VMs remotely anyone else can
access them too
• What TCP...
It‟s a Jungle Out There
IGT Meetup July 2013
Simple measurements
performed in a few public datacenters show the
following ...
It‟s a Jungle Out There – Attack Example
IGT Meetup July 2013
Simple measurements
performed in a few public datacenters sh...
A Typical Start-up Scenario
IGT Meetup July 2013
IGT Meetup July 2013
So what can be done to mitigate the threats?
Network Isolation Techniques
IGT Meetup July 2013
• IP Based filtering
• Server based Firewall
• Security Groups
• Private...
EC2 Security Groups – The Basics
IGT Meetup July 2013
• Protocol and port based filtering
• Incoming traffic only
• Suppor...
EC2 Security Groups – The Basics
IGT Meetup July 2013
Example:
EC2 Security Groups
IGT Meetup July 2013
• Provide IP Based filtering – your first line of defense
• Simple and easy to us...
What is a VPC?
A VPC solution should provide us with an „enterprise-
like‟ environment where:
1. Cloud resources are isola...
AWS and Rackspace Examples
IGT Meetup July 2013
User-defined private subnets
Additional network configuration
Cloud Providers‟ VPC Implementation Discussed
IGT Meetup July 2013
• AWS provides the EC2 VPC solution a public cloud but ...
Secure Access Techniques
IGT Meetup July 2013
• Access servers directly using a secure protocol and local/central
user sto...
VPN Access DIY
Using Open Source
The Before picture
IGT Meetup July 2013
The After picture
IGT Meetup July 2013
VPN access - the DIY toolkit
• Cloud Access
• Linux with packet forwarding capability
• VPN gateway is based on OpenSwan
(...
VPN Access DIY - EC2 example (Before)
This is how my servers‟ SG look like
before the change
IGT Meetup July 2013
VPN Access DIY - EC2 example (After)
Only my GW is open to the public Internet
My Servers are open only to the GW
IGT Meet...
VPN Access DIY - EC2 example (After)
Live Demo
What have we accomplished ?
• All IP Traffic from user to the public cloud is encrypted AND
secured (not protocol specific...
Many companies have other challenges as well
IGT Meetup July 2013
• Deployment-wise
• Using several regions at the same ti...
• You can find detailed DIY examples on our blog and site
www.fortycloud.com
www.fortycloud.com/blog/
• Feel free to send ...
Contact details:
Amir Naftali
amir@fortycloud.com
@amirnaftali
Thanks
Upcoming SlideShare
Loading in …5
×

Public Cloud Security DIY @ IGT 2013

670 views

Published on

FortyCloud's CTO & Co-Founder Amir Naftali in a presentation to the IGT forum about DIY security for public cloud

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
670
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
26
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Public Cloud Security DIY @ IGT 2013

  1. 1. Public Cloud Security DIY Amir Naftali, CTO FortyCloud
  2. 2. IaaS IGT Meetup July 2013 1. What is a public cloud? 2. Network architectures 3. Two public cloud examples 4. Shared responsibility model 5. Security risks and threats 6. Network isolation techniques 7. VPCs 8. Secure access techniques 9. VPN access DIY example 10. Summary and Q&A Agenda
  3. 3. IGT Meetup July 2013 IaaS Wikipedia - A cloud is called a 'Public cloud' when the services are rendered over a network that is open for public use. So What‟s a Public Cloud
  4. 4. IGT Meetup July 2013 IaaS • Datacenter (Infrastructure) as-a service • Virtualized • Shared • Mostly Compute, but also storage services • Access to resources is done over the Internet • Service enrollment is instantaneous using web-based console • Other services like DB, LB as a service, Object Store… So What‟s a Public Cloud (2)
  5. 5. IGT Meetup July 2013 IaaS In a Public Cloud • No infrastructure ownership • Pay Per Use (CPU hourly , storage size, network usage, etc.) • Allocate resources at any given moment as much as you need (e.g. adjust your resource allocation to current demand) In a Private Cloud • Infrastructure is dedicated to you (including network gear and software licenses) • Scale is limited to the physical amount of resources you lease or buy. These are different financial and operational models Public Vs. Private Clouds
  6. 6. Regions and Datacenters IGT Meetup July 2013 • Datacenters are called regions • Regions are independent • Amazon , Rackspace, Google, Azure, HP all have regions around the world
  7. 7. Network Architecture IGT Meetup July 2013 Usually, a Region has a shared internal service network and and a shared public internet access
  8. 8. Network Architecture Example - AWS IGT Meetup July 2013
  9. 9. Network Architecture Example - Rackspace IGT Meetup July 2013
  10. 10. Network Architecture IGT Meetup July 2013 Basically, all VMs are reachable via the service network and the public Internet
  11. 11. IaaS IGT Meetup July 2013 “…In turn, you assume responsibility and management of the guest operating system(including updates and security patches), other associated application software, as well as…” “…It is possible for you to enhance security and/or meet more stringent compliance requirements by leveraging technology such as host‐ based firewalls, host‐based intrusion detection/prevention, and encryption...” Sources: http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf http://www.rackspace.com/security/ ……..“security is a partnership”…… …“USERS MUST TAKE FULL RESPONSIBILITY FOR APPLICATION OF ANY SERVICES AND/OR PROCESSES MENTIONED HEREIN…” Shared Responsibility Model
  12. 12. A Shared Responsibility Model in IaaS IGT Meetup July 2013 Application Hosted operating system Virtualization layer Physical infrastructure Customer Responsibility Cloud Provider Responsibility
  13. 13. Security Risks and Threats IGT Meetup July 2013 If I can access my VMs remotely anyone else can access them too • What TCP/IP ports are open on your cloud VMs? • What protocols/applications are you using to access your VMs? • Are you using a secure protocol/application? Are you using it in in a secure manner? What can the bad guys do? • DoS • Steal or compromise your data • Use your VMs to launch attacks on 3rd parties
  14. 14. It‟s a Jungle Out There IGT Meetup July 2013 Simple measurements performed in a few public datacenters show the following results (per virtual server): HTTP based attack vectors 40-200 per day SSH auth attempts 200-400 per day Non HTTP/SSH based attacks 1000-4000 per day
  15. 15. It‟s a Jungle Out There – Attack Example IGT Meetup July 2013 Simple measurements performed in a few public datacenters show the following results (per virtual server):
  16. 16. A Typical Start-up Scenario IGT Meetup July 2013
  17. 17. IGT Meetup July 2013 So what can be done to mitigate the threats?
  18. 18. Network Isolation Techniques IGT Meetup July 2013 • IP Based filtering • Server based Firewall • Security Groups • Private network (virtually) • AWS VPC • SDN solutions
  19. 19. EC2 Security Groups – The Basics IGT Meetup July 2013 • Protocol and port based filtering • Incoming traffic only • Supports only TCP, UDP and ICMP • White list - Everything is filtered unless declared open • A single EC2 Security Group contains a list of rules • Security Group serves also as a role that can be used as source address in rules • An instance can be associated with Multiple Security Groups • Supports a REST based API
  20. 20. EC2 Security Groups – The Basics IGT Meetup July 2013 Example:
  21. 21. EC2 Security Groups IGT Meetup July 2013 • Provide IP Based filtering – your first line of defense • Simple and easy to use (Role based, management console, API) • Can add/delete rules anytime • The only means to secure internal communication with EC2 services like RDS, LB …. • Platform independent (e.g. Windows, Linux) • For management access, servers are still exposed to public Internet • Control incoming traffic only (output policy is „allow all‟ based on stateful inspection) • Doesn‟t protect against IP spoofing. • Is hard or sometimes impossible to associate with identity (probably not the right tool for Access Control). • Security Groups are only associated with private addresses (when used as source address) • Can‟t add/delete groups after lunching an instance • No logs
  22. 22. What is a VPC? A VPC solution should provide us with an „enterprise- like‟ environment where: 1. Cloud resources are isolated from public access (access is via a DMZ) 2. Secure access for remote users (e.g. employees, contractors, etc.) 3. Access control mechanism IGT Meetup July 2013
  23. 23. AWS and Rackspace Examples IGT Meetup July 2013 User-defined private subnets Additional network configuration
  24. 24. Cloud Providers‟ VPC Implementation Discussed IGT Meetup July 2013 • AWS provides the EC2 VPC solution a public cloud but with a VLAN like network isolation. • Rackspace has an SDN solution (based on OpenStack Quantum) Using an isolated network may have some challenges • Can‟t just simply move an existing resource to VPC, must recreate them. • Network architecture is different, configuration is not straightforward (might impact design) • Integration with provider‟s services should be revisited • Does not extend across regions (and vendors) • Access control and identity management solutions may still need to be integrated by customer
  25. 25. Secure Access Techniques IGT Meetup July 2013 • Access servers directly using a secure protocol and local/central user store • Servers are still exposed to the public internet • Centralized access control – access your cloud via a VPN Gateway • Servers are not exposed to public internet
  26. 26. VPN Access DIY Using Open Source
  27. 27. The Before picture IGT Meetup July 2013
  28. 28. The After picture IGT Meetup July 2013
  29. 29. VPN access - the DIY toolkit • Cloud Access • Linux with packet forwarding capability • VPN gateway is based on OpenSwan (can also use StrongSwan, OpenVPN, Racoon) • xl2tpd (L2TP server) for user authentication and dynamic IP allocation (along with IPSec) • NAT based on IP Tables all traffic flowing from users to servers • Intra Cloud protection – IP Based FW • EC2 Security Groups
  30. 30. VPN Access DIY - EC2 example (Before) This is how my servers‟ SG look like before the change IGT Meetup July 2013
  31. 31. VPN Access DIY - EC2 example (After) Only my GW is open to the public Internet My Servers are open only to the GW IGT Meetup July 2013
  32. 32. VPN Access DIY - EC2 example (After)
  33. 33. Live Demo
  34. 34. What have we accomplished ? • All IP Traffic from user to the public cloud is encrypted AND secured (not protocol specific) • Simple user based access and VPN • No direct access to servers from the public internet • Audit user access via Gateway‟s logs
  35. 35. Many companies have other challenges as well IGT Meetup July 2013 • Deployment-wise • Using several regions at the same time • Using several clouds at the same time • Must enable secure access to 3rd parties • High Availability • Security-wise • Filtering is not good enough, complete isolation required • Must encrypt all traffic even within the region • Stronger authentication (OTP based 2 factor auth.) required • Compliance (e.g. PCI, HIPAA, etc.)
  36. 36. • You can find detailed DIY examples on our blog and site www.fortycloud.com www.fortycloud.com/blog/ • Feel free to send us any cloud related security question to support@fortycloud.com and we will do our best to answer. • Join a free trial of our cloud security solution at www.fortycloud.com/free-sign-up/
  37. 37. Contact details: Amir Naftali amir@fortycloud.com @amirnaftali Thanks

×