Project Skylab:
Helping You Get Your Cloud On

Craig Balding
Founder, cloudsecurity.org




Presented at BruCON by Craig Balding, founder of cloudsecurity.org, this presentation outlines the design and implementation of Skylab, an on-demand security test lab. Relying solely on OSS components and making use of Infrastructure as a Service cloud offerings, it shows what you need to create inflatable test labs: spin them up when you need them and down when you don't.

  1. Project Skylab: Helping You Get Your Cloud On. Craig Balding, Founder, cloudsecurity.org
  2. Disclaimer. The views and opinions expressed here are those of Craig Balding only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.
  3. Last year at BruCON, I talked about Cloud Security and broke new ground by using beer and brewing as an analogy for cloud computing. The climax of that talk was significant after-cloud.
  4. But as I sat there in the speaker room as the make-up crew and hairstylists did the best they could in the circumstances, I made myself a promise: if I got selected to talk in 2010 I would take things more seriously.
  5. No More Gimmicks. Cloud Security is not a laughing matter.
  6. No more clowning around.
  7. Sorry. But my apology is two-fold. My blatant lies about gimmicks to one side...
  8. The Cloud Security Broken Record. I was starting to feel like a stuck record, going on about high-level cloud security issues.
  9. I became an “expert source” on all things cloud security and, strangely enough, cloud.
  10. Again, sorry... I promise to mend my ways. Hence the birth of my Skylab project. Rather than just talking about it, let's do something with it. Something useful, something that might just draw you into my cloud...
  11. But I wasn’t just challenging myself with Skylab. I’m challenging you, my fellow infosec pros. Perhaps you’re ignoring cloud, hoping it will just ‘blow over’. Or maybe you’ve convinced yourself you’re so busy you just don’t have time to ‘get into it’. Or perhaps you just haven’t seen the writing on the wall, or believe it’s another dot-com bust in the making.
  12. s/LUKE/CLOUD? We tend to apply a ‘DEFAULT DENY’ rule to new tech. In the case of cloud, it’s been DEFAULT DROP. As a community it sometimes seems like our reactions cloud our vision. Why do we feel the need to be anti-something and thus not examine it critically and carefully? I think we do a disservice to our employers when we do that.
  13. Cloud Is Coming. I’m not here to make predictions about cloud. Personally, I see the writing on the wall, but I’m not trying to convince you of that. Rather, I want to ask you a question.
  14. What Are You Doing To Keep Up? What are you doing to keep up? Cloud is just the latest big thing. But before that we had virtualization, we had VoIP, we had converged networking. I think we all need to challenge ourselves a little more. Seek our own truths, as it were. Stop paying attention and reacting to the endless media sound bites by people that clearly don’t get security. Do original research. Apply the new technologies for ourselves before the people that pay our wages do...
  15. This boils down to something really simple. We have to find our Droids. Each of us has droids to seek out. What Droids are you looking for? How hard are you looking? What are you waiting for? Don’t wait until you feel you’re ‘good enough’ or until ‘you have more free time’. I hope to offer you something that may make you change your mind.
  16. For me, I wanted to commit a little more to building something. I wanted to find out what cloud technology I could use right now to do something useful for my own R&D purposes. There are many things that can get in your way, but one big one is....
  17. F r i c t i o n. Friction is the enemy of your imagination. I don’t know about you, but for me it’s not having the right set-up at the right time. I’m always trading one resource for another. My free disk space is *always* on the wrong machine. I can never run enough virtual machines... Not only that, I have whims. I also have a Wim (looks at Wim), but they are mostly two different things... I have kites I want to fly. I have ideas I want to quickly test. But most of them never see the light of day, which makes me feel sad and deprives me of valuable learning lessons. Why? Because of friction. Infrastructure friction. Changing my test network set-up is a pain. I’ll have to shuffle resources around and make compromises as I don’t have an army of machines to play with. I’ll have to “make do” and collapse multiple workloads onto single machines. Virtual machines have certainly helped - they’ve given me more options than I had before. But at the same time virtual compute has highlighted that I can never own enough hardware (“I just want to run one more”). Plus I’ve got the virtual headache of managing an ever-increasing stable of virtual machine images. I want my infrastructure to be malleable like code and my operations to be automated. Or to put it another way, I need some serious lubrication.
  18. Prior Art. Along came project Skylab. This is my meta-idea: the idea that can help bring my other ideas to life. Skylab will help me fail faster and cheaper than I can today. This isn’t pessimism; this is how great ideas come to be - you just have to let all the bad ones get themselves out of you first.
  19. Motives: Learn; Get Practical; Home Server RIP; Geekin’ Out; Open Source; Community Project.
  20. # whoami: Tech Security Lead @F500; UNIX background; pen-test; incident response; EuroTrash Security Podcast.
  21. 3 Questions For You: Do you use cloud storage? Have you booted a machine in a public cloud? Have you played with cloud network overlays?
  22. Wannabe Cloudtroopers. Come to the dark side, my friends. Embrace the cloud. Or at least dip your toe in it so you can back up whatever opinion you proffer. If that doesn’t convince you, I’m offering free sea-shell hats for cloud converts.
  23. On Demand Test Labs. So Skylab is about on-demand test labs. I’m sure you can think of times when having an inflatable test lab that you can spin up and shut down when you want could be pretty darn handy.
  24. Target practice; Testing new/updated tools; NIDS/NIPS testing; Exploit testing. On the offense side of security, there is target practice. Don’t be a dummy and ride exploits bareback. Tut tut. Always practice in a lab. For every action there is a reaction. Observe, learn, practice, profit. For your career will not be cut short... But it’s not just pen-test labs... Capture the Flag, hands-on practicals when hiring so-called experienced pen-testers, etc.
  25. Assurance Testing: Package golden image as AMI; Upload, launch [1...n]; Apply patches, workarounds & run tests. Then on the defensive side of the house, what about someone to test your mitigating controls... or, heaven forbid, patches! Deploying new security tools? Again, good to have a lab. Or 3. Or 7.
  26. During a Pen-Test? Need a disposable IP? Need to run a phishing scam? The latest svn update from the Social Engineer Toolkit burning a hole in your toolkit?
  27. What’s your use case?
  28. It’s a Commodity. The key thing to remember when thinking about cloud is that it’s a commodity. You get what you pay for. But sometimes commodity is just what you want.
  29. Infrastructure as a Service. So what are we talking about? We’re talking about using infrastructure as a service to create on-demand test labs. We’re intentionally confining ourselves to just one layer of the cloud services model: we’re ignoring Platform as a Service and Software as a Service. In fact, Skylab itself will have attributes of platform and software as a service in terms of doing some of the heavy lifting for you.
  30. Design. Let’s touch on some design principles.
  31. Design Principles: Hit common use cases; On demand; Infrastructure as code ("agility"); Cost-conscious; Hardware reuse: bring your own lab, or not.
  32. Design Principles: Hypervisor agnostic: Xen, KVM, VMware; Security test lab "features"; Freedom: open source; Pragmatic: don't reinvent infrastructure wheels; Scriptable & fun.
  33. Shopping for a Cloud Platform
  34. OPEN? API; Core; Source; Development; Decision Making
  35. Private/Public/Hybrid
  36. Private
  37. Hybrid
  38. RH Delta-cloud. Turbo-charge your hybrid cloud with Red Hat’s Deltacloud... access more cloud providers.
  39. Don’t Forget. Leaving cloud compute instances running at the cloud provider does actually cost money. It is surprisingly easy to do, though. Do it once and you’ll feel stupid; do it twice and you’ll find yourself writing a script to remind you not to feel stupid :)
  40. Terms of Service. Know the terms of service of your hosting and/or cloud provider. Check clauses about introduction of malware in particular.
  41. Cloud Networking
  42. Public Cloud Networking 101: One NIC per VM; Limited routing; Basic firewalls. Use cases.
  43. Overlay Networks. An overlay network is a computer network which is built on top of another network. Nodes in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network. Use cases.
  44. Amazon VPC. Amazon recently opened up their Virtual Private Cloud, currently in beta. This is a cloud-provider-specific network overlay. Hook up your existing network: software VPN on your side, hardware on their side. All traffic traverses the customer gateway; there is no Internet access from within the VPC. You can use existing AMIs and Elastic Block Storage. Amazon is rapidly innovating; keep up with the release details!
  45. VPNCubed. The first overlay network service for the cloud market. Based on OpenVPN; uses CohesiveFT-created VMs as cloud VPN endpoints. Supports multicast. Cross-connect clouds, extend your home/business network. Supports Amazon EC2 and GoGrid.
  46. Config Management
  47. Chef from Opscode
  48. The Practical Bit (wakey, wakey)
  49. DEMO: Sneak Peek
  50. TO DO: Establish Amazon VPC connection; Build visibility VM (Splunk + extras); Chef recipes for security extras & CM; Build range of victim/enterprise VMs; Create easy “DC Creator” front-end script.
  51. Futures: Beyond x86; Multi-provider; Documentation; VMware support; Enhanced routing; Explore ecosystem; Improved automation; Define more use cases; More security-related AMIs.
  52. cloudsecurity.org. Check out cloudsecurity.org/resources for recommended reading on cloud security.
  53. Project Updates. Recently created the cloud security forum (cloudsecurity.org/forum), an independent hang-out for IT and IT security people to discuss cloud security issues. Topic areas are laid out as per the CSA security domains. There’s a dedicated forum for Skylab which I’ll be posting to with progress updates. If you have suggestions for Skylab, please share them with me there.
  54. Credits. Stormtroopers: Stefan, http://stormtroopers365.com/. Creators of KVM, Xen, QEMU, libvirt, OpenNebula, Deltacloud, Chef, libcloud. Stefan made some great images and all credit is due to him. I’m also extremely grateful for all the open source software I’m gluing together for this project. Skylab would have been very difficult, if not impossible, for a sole person to piece together without all the effort from numerous developers.
  55. Questions? craig@cloudsecurity.org / @craigbalding
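The kind of reminder script slide 39 (“Don’t Forget”) talks about, written here as an added example; it is not part of the Skylab project or the talk. It consumes records shaped like the "Instances" entries of an EC2 DescribeInstances response, so it runs offline against the constructed sample below; the hourly rates are placeholder assumptions rather than any provider's price list, and `fetch_running_instances` is an optional boto3 hook (assumed installed and configured) that is never called in the offline run.

```python
"""Reminder for cloud instances left running past a time budget.

Added example, not code from the Skylab project. Works on records shaped
like the "Instances" entries of an EC2 DescribeInstances response so it
runs offline against the constructed sample; fetch_running_instances is an
optional boto3 hook for live use (assumed available, never called here).
"""
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed sample data, not real instances.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-00000001", "LaunchTime": datetime(2010, 9, 24, 8, 0, tzinfo=UTC),
     "State": {"Name": "running"}, "InstanceType": "m1.small",
     "Tags": [{"Key": "Name", "Value": "skylab-target-01"}]},
    {"InstanceId": "i-00000002", "LaunchTime": datetime(2010, 9, 25, 6, 0, tzinfo=UTC),
     "State": {"Name": "running"}, "InstanceType": "m1.small",
     "Tags": [{"Key": "Name", "Value": "skylab-nids"}]},
    {"InstanceId": "i-00000003", "LaunchTime": datetime(2010, 9, 20, 0, 0, tzinfo=UTC),
     "State": {"Name": "terminated"}, "InstanceType": "m1.large", "Tags": []},
    {"InstanceId": "i-00000004", "LaunchTime": datetime(2010, 9, 23, 12, 0, tzinfo=UTC),
     "State": {"Name": "running"}, "InstanceType": "c1.medium", "Tags": []},
]
# Fixed "now" so the sample run is reproducible (also constructed).
SAMPLE_NOW = datetime(2010, 9, 25, 10, 0, tzinfo=UTC)
# Placeholder hourly prices: assumptions, not a provider's real price list.
ASSUMED_HOURLY_RATES = {"m1.small": 0.085, "c1.medium": 0.17}
DEFAULT_RATE = 0.10


def instance_name(instance):
    """Value of the Name tag, or a marker when the instance is untagged."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value", "")
    return "(untagged)"


def hours_running(instance, now):
    """Wall-clock hours since LaunchTime; both timestamps must be tz-aware."""
    return (now - instance["LaunchTime"]).total_seconds() / 3600.0


def leftover_instances(instances, now, max_hours):
    """Running instances older than max_hours, longest-running first.

    Stopped or terminated instances are skipped: they are not billed for
    compute time, which is what this reminder is about.
    """
    found = []
    for inst in instances:
        if inst.get("State", {}).get("Name") != "running":
            continue
        hours = hours_running(inst, now)
        if hours > max_hours:
            found.append({
                "InstanceId": inst["InstanceId"],
                "Name": instance_name(inst),
                "InstanceType": inst.get("InstanceType", "unknown"),
                "Hours": round(hours, 1),
            })
    found.sort(key=lambda r: r["Hours"], reverse=True)
    return found


def estimated_spend(record, rates=ASSUMED_HOURLY_RATES, default_rate=DEFAULT_RATE):
    """Rough cost so far, using the assumed rate table (rounded to cents)."""
    rate = rates.get(record["InstanceType"], default_rate)
    return round(record["Hours"] * rate, 2)


def reminder_lines(leftovers):
    """One human-readable line per forgotten instance."""
    return [
        f"{r['InstanceId']} {r['Name']} ({r['InstanceType']}) has been running "
        f"{r['Hours']}h, roughly ${estimated_spend(r):.2f} so far"
        for r in leftovers
    ]


def sample_leftovers(max_hours):
    """Run the check over the constructed sample at the fixed SAMPLE_NOW."""
    return leftover_instances(SAMPLE_INSTANCES, SAMPLE_NOW, max_hours)


def fetch_running_instances(region):
    """Optional live fetch with boto3 (assumed installed and configured).

    Returns the same record shape the functions above consume.
    """
    import boto3  # imported lazily so the offline sample needs no AWS SDK
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_instances(
        Filters=[{"Name": "instance-state-name", "Values": ["running"]}])
    return [i for res in resp["Reservations"] for i in res["Instances"]]


if __name__ == "__main__":
    for line in reminder_lines(sample_leftovers(8)):
        print(line)
```

Run it as-is and it reports the two sample instances that have outlived an 8-hour budget; swap `SAMPLE_INSTANCES` for `fetch_running_instances(region)` and `SAMPLE_NOW` for `datetime.now(UTC)` to run it against a live account from cron. Untagged instances are deliberately still reported, since an unnamed box is exactly the one most likely to be forgotten.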
