SlideShare a Scribd company logo

OpenStack: Security Beyond Firewalls

Giuseppe Paterno'
Giuseppe Paterno'

OpenStack security is a huge topic. In these slides I presented at the OpenStack Day, I analyzed cloud security the network to the application layer, going through specific layers, some in common between OpenStack itself and the applications.

SoftwareTechnology
1 of 38
Download to read offline
OpenStack: Security beyond firewalls MAKING THE CLOUD A SAFER SPACE Giuseppe “Gippa” Paternò, Network & Security NERD 30th May 2014 * OpenStackDay Italy Twitter: @gpaterno - Website: www.gpaterno.com
About me IT security products and virtualization services focused on identity protection on the Cloud, as the user is became the ultimate perimeter of a never ending distributed model. HQ based in Switzerland and whose servers are located in Switzerland. User privacy is protected by strict Swiss privacy regulations, no UE or US exceptions allowed. IT Architect and Security Expert with background in Open Source. Former Network and Security architect for Canonical, RedHat, Wind/ Infostrada, Sun Microsystems and IBM and Visiting Researcher at the University of Dublin Trinity College. Past projects: standard for J2ME Over-The-Air (OTA) provisioning along with Vodafone, the study of architecture and standards for the delivery of MHP applications for the digital terrestrial television (DTT) on behalf of DTT Lab (Telecom Italia/LA7) and implementation of HLR for Vodafone landline services. Lot of writings, mainly on computer security. CTO and Director of GARL, a multinational company based in Switzerland and UK, owner of SecurePass and SecureData. TM Secure Data beta BANK OF PASSWORDS
62% Increase breaches in 2013(1) 1 in 5 Organizations have experienced an APT attack (4) 3 Trillion$ Total global impact of cybercrime(3) 8 months Is the average time an advanced threat goes unnoticed on victim’s network(2) 2,5 billion Exposed records as results of a data breach in the past 5 years(5) 1,3,5: Increased cyber security can save global economy trillions, McKinsey/World Economic Forum, January 2014 2: M-Trends 2013: attack the security gap, Mandiant, March 2013 4: ISACA’s 2014 APT study, ISACA, April 2014. Source: ISACA Cyber Security Nexus Too many threats
Network APIs Identity Application OpenStack Domain Guest Domain OpenStack and Guest Security
Network Security (OpenStack built-in systems)
Linux Namespaces Used in OpenStack, widely adopted in Neutron, it was Originally created for Linux Control Groups (aka cgroups) PID namespaces isolate the process ID number space so that processes in different PID namespaces can have the same PID Network namespaces provide isolation of the system resources associated with networking User namespaces isolate the user and group ID number spaces. Mount namespaces isolate the set of filesystem mount points seen by a group of processes. Mentioning: IPC and Unix Time-Sharing (UTS) namespaces
Neutron Server runs on Controller, expose APIs, enforce network model, pass to Neutron Plugin Neutron Plugin runs on Controller, implements APIs, every vendor can create its own “implementation” (ex: Cisco, Juniper, ...) Plugin Agent, run on each compute node and connect instances to the virtual network Default implementation based on OpenVSwitch OpenFlow to be set as fundamental open protocol for building SDN OpenStack Neutron Software-Defined Network in OpenStack, it answer RESTful APIs. Still no “industry” standard for encapsulating VLANs over L3, VXLANs set to be a preferred choice but any vendor has its choice (ex: Juniper has MPLS over IP)
Namespaces enables multiple instances of a routing table to co-exist within the same Linux box Network namespaces make it possible to separate network domains (network interfaces, routing tables, iptables) into completely separate and independent virtual datacenters Advantage of namespaces implementation in Neutron is that tenants can create overlapping IP addresses and independent routing schema The neutron-l3-agent is designed to use network namespaces to provide multiple independent virtual routers per node. OpenStack Neutron and Network Namespaces
List Namespaces Show firewall rules in a virtual router Example of Network Namespaces # ip netns qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 qdhcp-bebd6bc8-2bd0-4bdd-890c-9657faf80444 # ip netns exec qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 iptables -L -vn Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
OpenStack Neutron L3 Agent
OpenStack Neutron FWaaS Firewall as a Service in Neutron Different from the Security Groups in the instance Default to IPtables support into tenant’s ip NameSpace
OpenStack Neutron VPNaaS Neutron has capability to handle per-tenant VPNs, named VPN-as-a-Service Based on IPSec, just implementing IKE with “PSK” authentication mode rather than using certificates Suited for site-to-site VPNs and provide Hybrid cloud Implemented on top of IP NameSpaces (“ip netns add vpn”) Draft exists on bringing OpenVPN to Neutron Not suited for “roadwarriors”, i.e. clients connection
OpenStack Neutron VPNaaS
APIs Security (OpenStack and Cloud Applications)
APIsApplication APIs APIs are your point of contact from external world, you must make them highly secure Firewall are not enough! Anything can be sent over HTTP/ HTTPS. REST, XML-RPC, ... Web-based APIs
Usernames and passwords, session tokens and API keys must never appear in the URL (Proxy caching and logging) Allow only selected HTTP methods Protect privileged actions and sensitive resource collections Validate inputs and enforce typing of values Validate incoming Content-Type and other headers Encrypt data in transit Validation also apply to payload: JSON, XML or whatsoever General APIs best practices
OpenStack APIs All OpenStack software is based on APIs, consumed from End customers and tools to access the platform programmatically Among OpenStack components, is a way of decoupling components implementations Easily from “curl” tools OpenStack Command Line tools REST clients OpenStack Software Development Kit (SDK) RESTFUL API
OpenStack APIs EndPoints
1. Obtain a Token curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens 2. Consume the API (through the obtained token): curl -i -X GET http://localhost:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: token" OpenStack APIs Workflow
The token request will reveal the endpoints URLs: Compute/Nova, S3,Image/ Glance, Volume/Cinder, EC2, Identity/Keystone Revealing the EndPoints
Isolate API endpoint processes, especially those that reside within the public security domain should be isolated as much as possible. API endpoints should be deployed on separate hosts for increased isolation. Apply Defense-in-Depth concept: configure services, host-based firewalls, local policy (SELinux or AppArmor), and optionally global network policy. Use Linux namespaces to assign processes into independent domains Use network ACLs and IDS technologies to enforce explicit point to point communication between network services (ex: wire-level ACLs in L3 switches) OpenStack APIs best practices
Isolate API endpoint processes from each other and other processes on a machine. Use Mandatory Access Controls (MAC) on top of Discretionary Access Controls to segregate processes, ex: SE-Linux Objective: containment and escalation of API endpoint security breaches. Use of MACs at the OS level severely limit access to resources and provide earlier alerting on such events. Mandatory Access Control in APIs
RESTful APIs, mixture of POST (in request) and JSON (in response), Channel encrypted with TLS high cypher, Based on APP ID and APP Secret Example: /api/v1/users/info Ex: SecurePass NG (Dreamliner) APIs Security in functionalities, APP ID read-only or read-write in network, APP ID can be limited to a given IPv4/IPv6 in domain, APP ID is linked to only a specific realm/ domain
Identity Security (OpenStack and Cloud Applications)
User management: keep tracks of users, roles and permissions Service catalog: Provide a catalog of what services are available and where the OpenStack APIs EndPoint are located OpenStack Keystone Provides Identity, Token, Catalog and policy services for uses inside the OpenStack family and implements OpenStack’s Identity APIs
Users A user represent a human user and has associated information such as username, password and e-mail Tenants A tenant can represent a customer, organization or a group. Roles A role is what operations a user is permitted to perform in a given tenant OpenStack Identity Management Keystone permit the following back-ends for IDMs: SQL Backend (SQLAlchemy, it’s python), PAM, LDAP and custom plugins
Catching username and passwords means reveal the whole OpenStack infrastructure and control it! $ curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/ tokens OpenStack Keystone
10 millionsof victims of identity theft in USA in 2008 (Javelin Strategy and Research, 2009) 221 billions $lost every year due to identity theft (Aberdeen Group) 35 billioncorporate and government records compromised in 2010 (Aberdeen Group) 2 years of a working resource to correct damages due to identity theft (ITRC Aftermath Study, 2004) 2 billions $damages reported in Italy in 2009 (Ricerca ABI) The victims of identity theft
Security must be simple and transparent to the end user, otherwise it will be circumvented! Identity best practices in applications Strong authentication of the users GeoIP Patches, patches and patches! Secure application programming
Hosted Apps Need of a central Cloud Control Cloud Orchestrator 2FA/SSO
<Directory /srv/www/myapp> AllowOverride None Order allow,deny allow from all AuthType CAS require spgroup mygroup@company.com </Directory> Example of Web identity protection Require access through the SecurePass SSO portal with 2FA Restrict to a dynamic group (with GeoIP)
Real-life example (aka Case Study)
My accountant has his desktop computer broken, he has no time to change it, need something “always available” and in a restricted budget He needs Windows for his accounting software He has no office and works from home sometimes, he needs to access his desktop from ideally from his TV He wants to connect from his customers’, but not always a computer available for him He need emergency way of accessing the desktop from customers’ or from Internet Cafes (ex: on holidays) Must provide a secure access as he holds very confidential data Case Study: Overview & Requirements
From home, access the platform with an Android Mini-PC on existing HDMI TV, keyboard and a VPN with Mikrotik device (Equipment ~120 EUR) When at customer, access the platform with the existing Samsung Android tablet. Added bluetooth Keyboard + Mouse and OpenVPN (K+M ~60 EUR) Emergency access provided with an RDP HTML5 gateway OpenStack as the operational platform SecurePass as a security mechanism to protect access to his virtual desktop Case Study: Solution Virtualize his existing desktop system
Case Study: Overall Schema
2FA RDP over HTML5 OpenVPN Windows Machine (RDP) Web Browser OpenVPN on Android + RDP Client Appliance details
Acknowledgments TM Demo hosted by powered by teuto.net www.ostack.de Security provided by www.secure-pass.net
Thank you MAKING THE CLOUD A SAFER SPACE

Recommended

Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security BriefShmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Briefopenfly
 
Openstack security presentation 2013
Openstack security presentation 2013Openstack security presentation 2013
Openstack security presentation 2013brian_chong
 
OpenStack Security Project
OpenStack Security ProjectOpenStack Security Project
OpenStack Security ProjectTravis McPeak
 
OpenStack Security
OpenStack SecurityOpenStack Security
OpenStack Securityopenstackindia
 
Security Issues in OpenStack
Security Issues in OpenStackSecurity Issues in OpenStack
Security Issues in OpenStackoldbam
 
Holistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsHolistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsMajor Hayden
 
CIS13: OpenStack API Security
CIS13: OpenStack API SecurityCIS13: OpenStack API Security
CIS13: OpenStack API SecurityCloudIDSummit
 
Openstack 101
Openstack 101Openstack 101
Openstack 101Kamesh Pemmaraju
 

Recommended

Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security BriefShmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Briefopenfly
 
Openstack security presentation 2013
Openstack security presentation 2013Openstack security presentation 2013
Openstack security presentation 2013brian_chong
 
OpenStack Security Project
OpenStack Security ProjectOpenStack Security Project
OpenStack Security ProjectTravis McPeak
 
OpenStack Security
OpenStack SecurityOpenStack Security
OpenStack Securityopenstackindia
 
Security Issues in OpenStack
Security Issues in OpenStackSecurity Issues in OpenStack
Security Issues in OpenStackoldbam
 
Holistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsHolistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsMajor Hayden
 
CIS13: OpenStack API Security
CIS13: OpenStack API SecurityCIS13: OpenStack API Security
CIS13: OpenStack API SecurityCloudIDSummit
 
Openstack 101
Openstack 101Openstack 101
Openstack 101Kamesh Pemmaraju
 
Quick overview of Openstack architecture
Quick overview of Openstack architectureQuick overview of Openstack architecture
Quick overview of Openstack architectureToni Ramirez
 
Openstack_administration
Openstack_administrationOpenstack_administration
Openstack_administrationAshish Sharma
 
Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)Krunal Jain
 
OpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical OverviewOpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical OverviewThang Man
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"CREATE-NET
 
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...Giuseppe Paterno'
 
OpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer BangladeshOpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer BangladeshMobarak Hossain
 
Introduction to OpenStack Architecture (Grizzly Edition)
Introduction to OpenStack Architecture (Grizzly Edition)Introduction to OpenStack Architecture (Grizzly Edition)
Introduction to OpenStack Architecture (Grizzly Edition)Ken Pepple
 
OpenStack - Infrastructure as a service
OpenStack - Infrastructure as a serviceOpenStack - Infrastructure as a service
OpenStack - Infrastructure as a serviceDenis Cavalcante
 
What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...
What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...
What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...Edureka!
 
Introduction To OpenStack
Introduction To OpenStackIntroduction To OpenStack
Introduction To OpenStackHaim Ateya
 
Openstack Architecture
Openstack ArchitectureOpenstack Architecture
Openstack ArchitectureSrbIT
 
Openstack architure part 1
Openstack architure part 1Openstack architure part 1
Openstack architure part 1Nhan Cao Thanh
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseKeith Tobin
 
OpenStack- A ringside view of Services and Architecture
OpenStack- A ringside view of Services and ArchitectureOpenStack- A ringside view of Services and Architecture
OpenStack- A ringside view of Services and ArchitectureRitesh Somani
 
Getting started with OpenStack
Getting started with OpenStackGetting started with OpenStack
Getting started with OpenStackKnoldus Inc.
 
Cloud and OpenStack
Cloud and OpenStackCloud and OpenStack
Cloud and OpenStackSeyed Ehsan Beheshtian
 
Openstack training material
Openstack training materialOpenstack training material
Openstack training materialchenvi123
 
Intro to the FIWARE Lab
Intro to the FIWARE LabIntro to the FIWARE Lab
Intro to the FIWARE LabFIWARE
 
HP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond FirewallsHP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond FirewallsBeMyApp
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale
 

More Related Content

What's hot

Quick overview of Openstack architecture
Quick overview of Openstack architectureQuick overview of Openstack architecture
Quick overview of Openstack architectureToni Ramirez
 
Openstack_administration
Openstack_administrationOpenstack_administration
Openstack_administrationAshish Sharma
 
Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)Krunal Jain
 
OpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical OverviewOpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical OverviewThang Man
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"CREATE-NET
 
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...Giuseppe Paterno'
 
OpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer BangladeshOpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer BangladeshMobarak Hossain
 
Introduction to OpenStack Architecture (Grizzly Edition)
Introduction to OpenStack Architecture (Grizzly Edition)Introduction to OpenStack Architecture (Grizzly Edition)
Introduction to OpenStack Architecture (Grizzly Edition)Ken Pepple
 
OpenStack - Infrastructure as a service
OpenStack - Infrastructure as a serviceOpenStack - Infrastructure as a service
OpenStack - Infrastructure as a serviceDenis Cavalcante
 
What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...
What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...
What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...Edureka!
 
Introduction To OpenStack
Introduction To OpenStackIntroduction To OpenStack
Introduction To OpenStackHaim Ateya
 
Openstack Architecture
Openstack ArchitectureOpenstack Architecture
Openstack ArchitectureSrbIT
 
Openstack architure part 1
Openstack architure part 1Openstack architure part 1
Openstack architure part 1Nhan Cao Thanh
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseKeith Tobin
 
OpenStack- A ringside view of Services and Architecture
OpenStack- A ringside view of Services and ArchitectureOpenStack- A ringside view of Services and Architecture
OpenStack- A ringside view of Services and ArchitectureRitesh Somani
 
Getting started with OpenStack
Getting started with OpenStackGetting started with OpenStack
Getting started with OpenStackKnoldus Inc.
 
Openstack training material
Openstack training materialOpenstack training material
Openstack training materialchenvi123
 
Intro to the FIWARE Lab
Intro to the FIWARE LabIntro to the FIWARE Lab
Intro to the FIWARE LabFIWARE
 

What's hot (20)

Quick overview of Openstack architecture
Quick overview of Openstack architectureQuick overview of Openstack architecture
Quick overview of Openstack architecture
 
Openstack_administration
Openstack_administrationOpenstack_administration
Openstack_administration
 
Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)
 
OpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical OverviewOpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical Overview
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"
 
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
 
OpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer BangladeshOpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
 
Introduction to OpenStack Architecture (Grizzly Edition)
Introduction to OpenStack Architecture (Grizzly Edition)Introduction to OpenStack Architecture (Grizzly Edition)
Introduction to OpenStack Architecture (Grizzly Edition)
 
OpenStack - Infrastructure as a service
OpenStack - Infrastructure as a serviceOpenStack - Infrastructure as a service
OpenStack - Infrastructure as a service
 
What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...
What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...
What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...
 
Introduction To OpenStack
Introduction To OpenStackIntroduction To OpenStack
Introduction To OpenStack
 
Openstack Architecture
Openstack ArchitectureOpenstack Architecture
Openstack Architecture
 
Openstack architure part 1
Openstack architure part 1Openstack architure part 1
Openstack architure part 1
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the Enterprise
 
OpenStack- A ringside view of Services and Architecture
OpenStack- A ringside view of Services and ArchitectureOpenStack- A ringside view of Services and Architecture
OpenStack- A ringside view of Services and Architecture
 
Getting started with OpenStack
Getting started with OpenStackGetting started with OpenStack
Getting started with OpenStack
 
Cloud and OpenStack
Cloud and OpenStackCloud and OpenStack
Cloud and OpenStack
 
Openstack training material
Openstack training materialOpenstack training material
Openstack training material
 
Intro to the FIWARE Lab
Intro to the FIWARE LabIntro to the FIWARE Lab
Intro to the FIWARE Lab
 

Similar to OpenStack: Security Beyond Firewalls

HP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond FirewallsHP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond FirewallsBeMyApp
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale
 
Workshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, VirtualizationWorkshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, VirtualizationJayaprakash R
 
Openstack workshop @ Kalasalingam
Openstack workshop @ KalasalingamOpenstack workshop @ Kalasalingam
Openstack workshop @ KalasalingamBeny Raja
 
OpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeOpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeCybera Inc.
 
OpenStack Neutron Havana Overview - Oct 2013
OpenStack Neutron Havana Overview - Oct 2013OpenStack Neutron Havana Overview - Oct 2013
OpenStack Neutron Havana Overview - Oct 2013Edgar Magana
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale
 
Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...Joel W. King
 
7 - Introduction to OpenStack & SDN by Ady Saputra
7 - Introduction to OpenStack & SDN by Ady Saputra7 - Introduction to OpenStack & SDN by Ady Saputra
7 - Introduction to OpenStack & SDN by Ady SaputraSDNRG ITB
 
Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...Joel W. King
 
Operate with an openstack deployment by code
Operate with an openstack deployment by codeOperate with an openstack deployment by code
Operate with an openstack deployment by codeAlessandro Martellone
 
New and smart way to develop microservice for istio with micro profile
New and smart way to develop microservice for istio with micro profileNew and smart way to develop microservice for istio with micro profile
New and smart way to develop microservice for istio with micro profileEmily Jiang
 
OpenStack hands-on (All-in-One)
OpenStack hands-on (All-in-One)OpenStack hands-on (All-in-One)
OpenStack hands-on (All-in-One)JeSam Kim
 
Aptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity serviceAptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity serviceOpenStack
 
Neutron behind the scenes
Neutron behind the scenesNeutron behind the scenes
Neutron behind the scenesinbroker
 
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation EcosystemHow APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation EcosystemCisco DevNet
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity serviceopenstackindia
 
neutron_icehouse_update
neutron_icehouse_updateneutron_icehouse_update
neutron_icehouse_updateAkihiro Motoki
 
GDL OpenStack Community - Openstack Introduction
GDL OpenStack Community - Openstack IntroductionGDL OpenStack Community - Openstack Introduction
GDL OpenStack Community - Openstack IntroductionVictor Morales
 
OpenStack for VMware Administrators
OpenStack for VMware AdministratorsOpenStack for VMware Administrators
OpenStack for VMware AdministratorsTrevor Roberts Jr.
 

Similar to OpenStack: Security Beyond Firewalls (20)

HP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond FirewallsHP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond Firewalls
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
 
Workshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, VirtualizationWorkshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, Virtualization
 
Openstack workshop @ Kalasalingam
Openstack workshop @ KalasalingamOpenstack workshop @ Kalasalingam
Openstack workshop @ Kalasalingam
 
OpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeOpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information Exchange
 
OpenStack Neutron Havana Overview - Oct 2013
OpenStack Neutron Havana Overview - Oct 2013OpenStack Neutron Havana Overview - Oct 2013
OpenStack Neutron Havana Overview - Oct 2013
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
 
Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...
 
7 - Introduction to OpenStack & SDN by Ady Saputra
7 - Introduction to OpenStack & SDN by Ady Saputra7 - Introduction to OpenStack & SDN by Ady Saputra
7 - Introduction to OpenStack & SDN by Ady Saputra
 
Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...
 
Operate with an openstack deployment by code
Operate with an openstack deployment by codeOperate with an openstack deployment by code
Operate with an openstack deployment by code
 
New and smart way to develop microservice for istio with micro profile
New and smart way to develop microservice for istio with micro profileNew and smart way to develop microservice for istio with micro profile
New and smart way to develop microservice for istio with micro profile
 
OpenStack hands-on (All-in-One)
OpenStack hands-on (All-in-One)OpenStack hands-on (All-in-One)
OpenStack hands-on (All-in-One)
 
Aptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity serviceAptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity service
 
Neutron behind the scenes
Neutron behind the scenesNeutron behind the scenes
Neutron behind the scenes
 
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation EcosystemHow APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
 
neutron_icehouse_update
neutron_icehouse_updateneutron_icehouse_update
neutron_icehouse_update
 
GDL OpenStack Community - Openstack Introduction
GDL OpenStack Community - Openstack IntroductionGDL OpenStack Community - Openstack Introduction
GDL OpenStack Community - Openstack Introduction
 
OpenStack for VMware Administrators
OpenStack for VMware AdministratorsOpenStack for VMware Administrators
OpenStack for VMware Administrators
 

More from Giuseppe Paterno'

OpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITOpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITGiuseppe Paterno'
 
Let's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudLet's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudGiuseppe Paterno'
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxGiuseppe Paterno'
 
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediGiuseppe Paterno'
 
How the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersHow the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersGiuseppe Paterno'
 
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Giuseppe Paterno'
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free softwareGiuseppe Paterno'
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxGiuseppe Paterno'
 
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiComparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiGiuseppe Paterno'
 
La gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarieLa gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarieGiuseppe Paterno'
 
Secure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadSecure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadGiuseppe Paterno'
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remediesGiuseppe Paterno'
 
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimediGiuseppe Paterno'
 

More from Giuseppe Paterno' (14)

OpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITOpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture IT
 
Let's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudLet's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloud
 
SecurePass at OpenBrighton
SecurePass at OpenBrightonSecurePass at OpenBrighton
SecurePass at OpenBrighton
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
 
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
 
How the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersHow the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacenters
 
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free software
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
 
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiComparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
 
La gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarieLa gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarie
 
Secure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadSecure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and Etherpad
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remedies
 
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
 

Recently uploaded

Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noidabntitsolutionsrishis
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...OnePlan Solutions
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfIdiosysTechnologies1
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationPREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 

Recently uploaded (20)

Buds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in NoidaBuds n Tech IT Solutions: Top-Notch Web Services in Noida
Buds n Tech IT Solutions: Top-Notch Web Services in Noida
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
Tech Tuesday - Mastering Time Management Unlock the Power of OnePlan's Timesh...
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
Best Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdfBest Web Development Agency- Idiosys USA.pdf
Best Web Development Agency- Idiosys USA.pdf
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationPREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 

OpenStack: Security Beyond Firewalls

  • 1. OpenStack: Security beyond firewalls MAKING THE CLOUD A SAFER SPACE Giuseppe “Gippa” Paternò, Network & Security NERD 30th May 2014 * OpenStackDay Italy Twitter: @gpaterno - Website: www.gpaterno.com
  • 2. About me IT security products and virtualization services focused on identity protection on the Cloud, as the user is became the ultimate perimeter of a never ending distributed model. HQ based in Switzerland and whose servers are located in Switzerland. User privacy is protected by strict Swiss privacy regulations, no UE or US exceptions allowed. IT Architect and Security Expert with background in Open Source. Former Network and Security architect for Canonical, RedHat, Wind/ Infostrada, Sun Microsystems and IBM and Visiting Researcher at the University of Dublin Trinity College. Past projects: standard for J2ME Over-The-Air (OTA) provisioning along with Vodafone, the study of architecture and standards for the delivery of MHP applications for the digital terrestrial television (DTT) on behalf of DTT Lab (Telecom Italia/LA7) and implementation of HLR for Vodafone landline services. Lot of writings, mainly on computer security. CTO and Director of GARL, a multinational company based in Switzerland and UK, owner of SecurePass and SecureData. TM Secure Data beta BANK OF PASSWORDS
  • 3. 62% Increase breaches in 2013(1) 1 in 5 Organizations have experienced an APT attack (4) 3 Trillion$ Total global impact of cybercrime(3) 8 months Is the average time an advanced threat goes unnoticed on victim’s network(2) 2,5 billion Exposed records as results of a data breach in the past 5 years(5) 1,3,5: Increased cyber security can save global economy trillions, McKinsey/World Economic Forum, January 2014 2: M-Trends 2013: attack the security gap, Mandiant, March 2013 4: ISACA’s 2014 APT study, ISACA, April 2014. Source: ISACA Cyber Security Nexus Too many threats
  • 4. Network APIs Identity Application OpenStack Domain Guest Domain OpenStack and Guest Security
  • 6. Linux Namespaces Used in OpenStack, widely adopted in Neutron, it was Originally created for Linux Control Groups (aka cgroups) PID namespaces isolate the process ID number space so that processes in different PID namespaces can have the same PID Network namespaces provide isolation of the system resources associated with networking User namespaces isolate the user and group ID number spaces. Mount namespaces isolate the set of filesystem mount points seen by a group of processes. Mentioning: IPC and Unix Time-Sharing (UTS) namespaces
  • 7. Neutron Server runs on Controller, expose APIs, enforce network model, pass to Neutron Plugin Neutron Plugin runs on Controller, implements APIs, every vendor can create its own “implementation” (ex: Cisco, Juniper, ...) Plugin Agent, run on each compute node and connect instances to the virtual network Default implementation based on OpenVSwitch OpenFlow to be set as fundamental open protocol for building SDN OpenStack Neutron Software-Defined Network in OpenStack, it answer RESTful APIs. Still no “industry” standard for encapsulating VLANs over L3, VXLANs set to be a preferred choice but any vendor has its choice (ex: Juniper has MPLS over IP)
  • 8. Namespaces enables multiple instances of a routing table to co-exist within the same Linux box Network namespaces make it possible to separate network domains (network interfaces, routing tables, iptables) into completely separate and independent virtual datacenters Advantage of namespaces implementation in Neutron is that tenants can create overlapping IP addresses and independent routing schema The neutron-l3-agent is designed to use network namespaces to provide multiple independent virtual routers per node. OpenStack Neutron and Network Namespaces
  • 9. List Namespaces Show firewall rules in a virtual router Example of Network Namespaces # ip netns qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 qdhcp-bebd6bc8-2bd0-4bdd-890c-9657faf80444 # ip netns exec qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 iptables -L -vn Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
  • 11. OpenStack Neutron FWaaS Firewall as a Service in Neutron Different from the Security Groups in the instance Default to IPtables support into tenant’s ip NameSpace
  • 12. OpenStack Neutron VPNaaS Neutron has capability to handle per-tenant VPNs, named VPN-as-a-Service Based on IPSec, just implementing IKE with “PSK” authentication mode rather than using certificates Suited for site-to-site VPNs and provide Hybrid cloud Implemented on top of IP NameSpaces (“ip netns add vpn”) Draft exists on bringing OpenVPN to Neutron Not suited for “roadwarriors”, i.e. clients connection
  • 14. APIs Security (OpenStack and Cloud Applications)
  • 15. APIsApplication APIs APIs are your point of contact from external world, you must make them highly secure Firewall are not enough! Anything can be sent over HTTP/ HTTPS. REST, XML-RPC, ... Web-based APIs
  • 16. Usernames and passwords, session tokens and API keys must never appear in the URL (Proxy caching and logging) Allow only selected HTTP methods Protect privileged actions and sensitive resource collections Validate inputs and enforce typing of values Validate incoming Content-Type and other headers Encrypt data in transit Validation also apply to payload: JSON, XML or whatsoever General APIs best practices
  • 17. OpenStack APIs All OpenStack software is based on APIs, consumed from End customers and tools to access the platform programmatically Among OpenStack components, is a way of decoupling components implementations Easily from “curl” tools OpenStack Command Line tools REST clients OpenStack Software Development Kit (SDK) RESTFUL API
  • 19. 1. Obtain a Token curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens 2. Consume the API (through the obtained token): curl -i -X GET http://localhost:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: token" OpenStack APIs Workflow
  • 20. The token request will reveal the endpoints URLs: Compute/Nova, S3,Image/ Glance, Volume/Cinder, EC2, Identity/Keystone Revealing the EndPoints
  • 21. Isolate API endpoint processes, especially those that reside within the public security domain should be isolated as much as possible. API endpoints should be deployed on separate hosts for increased isolation. Apply Defense-in-Depth concept: configure services, host-based firewalls, local policy (SELinux or AppArmor), and optionally global network policy. Use Linux namespaces to assign processes into independent domains Use network ACLs and IDS technologies to enforce explicit point to point communication between network services (ex: wire-level ACLs in L3 switches) OpenStack APIs best practices
  • 22. Isolate API endpoint processes from each other and other processes on a machine. Use Mandatory Access Controls (MAC) on top of Discretionary Access Controls to segregate processes, ex: SE-Linux Objective: containment and escalation of API endpoint security breaches. Use of MACs at the OS level severely limit access to resources and provide earlier alerting on such events. Mandatory Access Control in APIs
  • 23. RESTful APIs, mixture of POST (in request) and JSON (in response), Channel encrypted with TLS high cypher, Based on APP ID and APP Secret Example: /api/v1/users/info Ex: SecurePass NG (Dreamliner) APIs Security in functionalities, APP ID read-only or read-write in network, APP ID can be limited to a given IPv4/IPv6 in domain, APP ID is linked to only a specific realm/ domain
  • 24. Identity Security (OpenStack and Cloud Applications)
  • 25. User management: keep tracks of users, roles and permissions Service catalog: Provide a catalog of what services are available and where the OpenStack APIs EndPoint are located OpenStack Keystone Provides Identity, Token, Catalog and policy services for uses inside the OpenStack family and implements OpenStack’s Identity APIs
  • 26. Users A user represent a human user and has associated information such as username, password and e-mail Tenants A tenant can represent a customer, organization or a group. Roles A role is what operations a user is permitted to perform in a given tenant OpenStack Identity Management Keystone permit the following back-ends for IDMs: SQL Backend (SQLAlchemy, it’s python), PAM, LDAP and custom plugins
  • 27. Catching username and passwords means reveal the whole OpenStack infrastructure and control it! $ curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/ tokens OpenStack Keystone
  • 28. 10 millionsof victims of identity theft in USA in 2008 (Javelin Strategy and Research, 2009) 221 billions $lost every year due to identity theft (Aberdeen Group) 35 billioncorporate and government records compromised in 2010 (Aberdeen Group) 2 years of a working resource to correct damages due to identity theft (ITRC Aftermath Study, 2004) 2 billions $damages reported in Italy in 2009 (Ricerca ABI) The victims of identity theft
  • 29. Security must be simple and transparent to the end user, otherwise it will be circumvented! Identity best practices in applications Strong authentication of the users GeoIP Patches, patches and patches! Secure application programming
  • 30. Hosted Apps Need of a central Cloud Control Cloud Orchestrator 2FA/SSO
  • 31. <Directory /srv/www/myapp> AllowOverride None Order allow,deny allow from all AuthType CAS require spgroup mygroup@company.com </Directory> Example of Web identity protection Require access through the SecurePass SSO portal with 2FA Restrict to a dynamic group (with GeoIP)
  • 33. My accountant has his desktop computer broken, he has no time to change it, need something “always available” and in a restricted budget He needs Windows for his accounting software He has no office and works from home sometimes, he needs to access his desktop from ideally from his TV He wants to connect from his customers’, but not always a computer available for him He need emergency way of accessing the desktop from customers’ or from Internet Cafes (ex: on holidays) Must provide a secure access as he holds very confidential data Case Study: Overview & Requirements
  • 34. From home, access the platform with an Android Mini-PC on existing HDMI TV, keyboard and a VPN with Mikrotik device (Equipment ~120 EUR) When at customer, access the platform with the existing Samsung Android tablet. Added bluetooth Keyboard + Mouse and OpenVPN (K+M ~60 EUR) Emergency access provided with an RDP HTML5 gateway OpenStack as the operational platform SecurePass as a security mechanism to protect access to his virtual desktop Case Study: Solution Virtualize his existing desktop system
  • 37. Acknowledgments TM Demo hosted by powered by teuto.net www.ostack.de Security provided by www.secure-pass.net
  • 38. Thank you MAKING THE CLOUD A SAFER SPACE