Introduction to Security in Windows Azure


  • Welcome and speaker’s introduction. Set expectations that the session is going to be about identity and access control for applications targeting the Windows Azure platform, as opposed to the services themselves (SQL Azure, Windows Azure management calls, etc.)
  • Port Scanning / Service Enumeration: The only ports open and addressable (internally or externally) on a Windows Azure VM are those explicitly defined in the Service Definition file. Windows Firewall is enabled on each VM in addition to enhanced VM switch packet filtering, which blocks unauthorized traffic.
    Denial of Service: Windows Azure’s load balancing will partially mitigate Denial of Service attacks from the Internet and internal networks. This mitigation is done in conjunction with the developer defining an appropriate Service Definition VM instance count scale-out. On the Internet, Windows Azure VMs are only accessible through public Virtual IP Addresses (VIPs). VIP traffic is routed through Windows Azure’s load-balancing infrastructure. Windows Azure monitors and detects internally initiated Denial of Service attacks and removes offending VMs/accounts from the network. As a further protection, the root host OS that controls guest VMs in the cloud is not directly addressable internally by other tenants on the Windows Azure network, and the root host OS is not externally addressable. Windows Azure is also reviewing additional Distributed Denial of Service (DDoS) solutions available from Microsoft Global Foundation Services to help further protect against Denial of Service attacks.
    Spoofing: VLANs are used to partition the internal network and segment it in a way that prevents compromised nodes from impersonating trusted systems such as the Fabric Controller. At the Hypervisor VM Switch, additional filters are in place to block broadcast and multicast traffic, with the exception of what is needed to maintain DHCP leases. Furthermore, the channel used by the Root OS to communicate with the Fabric Controller is encrypted and mutually authenticated over an HTTPS connection, and it provides a secure transfer path for configuration and certificate information that cannot be intercepted.
    Eavesdropping / Packet Sniffing: The Hypervisor’s Virtual Switch prevents sniffer-based attacks against other VMs on the same physical host. Top-of-rack switches will be used to restrict which IP and MAC addresses can be used by the VMs and therefore mitigate spoofing attacks on internal networks. To sniff the wire inside the Windows Azure cloud environment, an attacker would first need to compromise a VM tenant in a way that elevated the attacker to an administrator on the VM, then use a vulnerability in the hypervisor to break into the physical machine root OS and obtain system account privileges. At that point the attacker would only be able to see traffic inbound to the compromised host destined for the dynamic IP addresses of the VM guests controlled by the hypervisor.
    Multi-tenant hosting and side-channel attacks: Information disclosure attacks (such as sniffing) are less severe than other forms of attack inside the Windows Azure datacenter because virtual machines are inherently untrusted by the Root OS Hypervisor. Microsoft has done a great deal of analysis to determine susceptibility to side-channel attacks. Timing attacks are the most difficult to mitigate. With timing attacks, an application carefully measures how long it takes some operations to complete and infers what is happening on another processor. By detecting cache misses, an attacker can figure out which cache lines are being accessed in code. With certain crypto implementations involving lookups from large tables, knowing the pattern of memory accesses - even at the granularity of cache lines - can reveal the key being used for encryption. While seemingly far-fetched, such attacks have been demonstrated under controlled conditions.
    There are a number of reasons why side-channel attacks are unlikely to succeed in Windows Azure:
    An attack works best in the context of hyper-threading, where the two threads share all of their caches. Many current CPUs implement fully independent cores, each with a substantial private cache. The CPU chips that Windows Azure runs on today have four cores per chip and share caches only in the third tier.
    Windows Azure runs on nodes containing pairs of quad-core CPUs, so there are three other CPUs sharing the cache, and seven CPUs sharing the memory bus. This level of sharing leads to a great deal of noise in any signal from one CPU to another because the actions of multiple CPUs tend to obfuscate the signal.
    Windows Azure generally dedicates CPUs to particular VMs. Any system that takes advantage of the fact that few servers keep their CPUs busy all the time, and implements more logical CPUs than physical CPUs, might open the possibility of context switches exposing cache access patterns. Windows Azure operates differently. VMs can migrate from one CPU to another, but are unlikely to do so frequently enough to offer an attacker any information.
  • Slide Objective: Understand that Microsoft has a long history in running data centres and online applications (Bing, Live, Hotmail, etc.). Understand the huge amount of innovation going on at the data center level.
    Speaking Points:
    Microsoft is one of the largest operators of datacenters in the world: years of experience; large-scale trustworthy environments; driving for cost and environmental efficiency.
    Windows Azure runs in 3 regions and 6 datacenters today.
    Data center innovation is driving improved reliability and efficiency. PUE = Power Usage Effectiveness = Total Facility Power / IT Systems Power = an indication of the efficiency of a DC. Under 1.8 is very good; modern cloud DCs are approaching 1.2.
    Multi-billion dollar datacenter investment: the 700,000+ square foot Chicago and the 300,000+ square foot Dublin, Ireland data centers.
    Microsoft cloud services provide the reliability and security you expect for your business: 99.9% uptime SLA, 24/7 support. Microsoft understands the needs of businesses with respect to security, data privacy, compliance and risk management, and identity and access control. Microsoft datacenters are ISO 27001:2005 accredited, with SAS 70 Type I and Type II attestations.
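The port-scanning note above states that the only ports reachable on a Windows Azure VM are the ones declared in the Service Definition file. The following added example (not from the deck or from the Azure SDK) reads a ServiceDefinition.csdef, reports which ports each role exposes and whether they are external (through the public VIP and load balancer) or internal (other role instances only), and then compares a list of ports a process is actually listening on inside the VM against the declaration. The element names and namespace follow the ServiceDefinition schema; the role names, endpoint names and ports in the sample are constructed.

```python
"""Added example, not from the original deck: read a Windows Azure
ServiceDefinition.csdef and report which ports each role exposes, then
compare that against what a process inside the VM is actually listening on.

Element names (WebRole, WorkerRole, InputEndpoint, InternalEndpoint) and the
namespace follow the ServiceDefinition schema; the role names, endpoint names
and ports in SAMPLE_CSDEF are constructed for this example.
"""
import xml.etree.ElementTree as ET

SD_NS = "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition"

# Constructed sample: one web role with public endpoints, one worker role
# with internal endpoints (one with a fixed port, one assigned at runtime).
SAMPLE_CSDEF = f"""<ServiceDefinition name="ExampleService" xmlns="{SD_NS}">
  <WebRole name="WebFrontEnd">
    <InputEndpoints>
      <InputEndpoint name="HttpIn" protocol="http" port="80" />
      <InputEndpoint name="HttpsIn" protocol="https" port="443" certificate="TlsCert" />
    </InputEndpoints>
  </WebRole>
  <WorkerRole name="QueueProcessor">
    <Endpoints>
      <InternalEndpoint name="RpcIn" protocol="tcp" port="8081" />
      <InternalEndpoint name="Dynamic" protocol="tcp" />
    </Endpoints>
  </WorkerRole>
</ServiceDefinition>
"""


def declared_endpoints(csdef_xml):
    """Map role name -> list of (endpoint name, exposure, protocol, port).

    'external' endpoints (InputEndpoint) are reached through the public VIP
    and the load balancer; 'internal' ones (InternalEndpoint) only from other
    role instances in the same deployment.  An InternalEndpoint without a
    fixed port is assigned one at runtime and is reported here as None.
    Descendant search is used so both the older <InputEndpoints> container
    and the newer <Endpoints> container are handled."""
    root = ET.fromstring(csdef_xml)
    roles = {}
    for role in root:
        if not role.tag.endswith("Role"):
            continue  # skip non-role children such as traffic rules
        endpoints = []
        for ep in role.iter(f"{{{SD_NS}}}InputEndpoint"):
            endpoints.append((ep.get("name"), "external", ep.get("protocol"), int(ep.get("port"))))
        for ep in role.iter(f"{{{SD_NS}}}InternalEndpoint"):
            port = ep.get("port")
            endpoints.append((ep.get("name"), "internal", ep.get("protocol"),
                              int(port) if port else None))
        roles[role.get("name")] = endpoints
    return roles


def undeclared_listeners(csdef_xml, role_name, listening_ports):
    """Ports a process listens on inside the role VM that no endpoint declares.

    Such listeners are not reachable (host firewall and VM-switch filtering
    only pass declared ports), but they usually signal a misconfiguration:
    either the endpoint is missing from the csdef or the service should not
    be listening at all."""
    declared = {port for _, _, _, port in declared_endpoints(csdef_xml).get(role_name, [])
                if port is not None}
    return sorted(set(listening_ports) - declared)


if __name__ == "__main__":
    for role, eps in declared_endpoints(SAMPLE_CSDEF).items():
        print(role)
        for name, exposure, proto, port in eps:
            print(f"  {name}: {exposure} {proto} port {port}")
    # Constructed listener list for the web role, as netstat inside the VM might show it
    print("undeclared:", undeclared_listeners(SAMPLE_CSDEF, "WebFrontEnd", [80, 443, 3389]))
```

The check at the end is the defender's use of the rule the note states: a port that is listening but undeclared (3389 in the constructed list) is blocked by the host firewall, so the finding is a configuration review item rather than an exposure, and the csdef remains the single place to audit for what the deployment actually accepts.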

    1. Windows Azure Security Overview
       Juan Pablo García González, Solution Architect, DELL
       Daniel A. Montero González, Software Developer Manager, DATCO Chile
    2. Agenda
       Introduction
       Platform Security
       Application Security
       Identity Management
       Data Security
       Physical Security – Data Centers
    3. Introduction (Daniel Montero)
    4. SDL – Security Development Lifecycle
       Microsoft products are developed according to the SDL process
       A prescriptive but practical approach
       Proactive – not just "bug hunting"
       Eliminates problems early
       Proven results
       Develop your solutions following SDL and protect your customers: reduce the number of vulnerabilities; reduce the severity of your vulnerabilities
    5. Multi-Dimensional Security
       To deliver a secure solution, every aspect must be considered
    6. Data Security – Windows Azure Security Layers (layer: defenses)
       Data: strong access control on storage; SSL support for data transfer
       Application: front-end code runs under partial trust; Windows accounts with reduced privileges
       Host: hosted on the Windows Server 2008 platform; host boundaries enforced externally by the hypervisor
       Network: the host firewall limits traffic to the VMs; packet-filtering routers and VLANs
       Physical: world-class physical security; ISO 27001 and SAS 70 Type II certified data centers
    7. Threats to the Cloud
       Existing traditional threats: Cross-Site Scripting (XSS), SQL Injection; DNS attacks, network traffic
       Old threats mitigated: automated patching, and instances moved to secure systems; better error handling thanks to cloud resilience
       Some threats expanded: data privacy, such as location and segregation; abuse of administrators' access privileges
       New threats introduced: privilege escalation from the VM to the host server; breaking VM boundaries; "Hyperjacking" – rootkits on the VM host
    8. Platform Security (Juan Pablo García)
    9. Azure traffic passes through several firewalls
       Some are managed by the service owner, others by the Fabric
       (diagram) Firewalls: Guest VM, Host VM, SQL Azure, Local – built between firewalls
    10. Host
        Isolation: each role runs in a separate VM
        Hardening: regular installation of security updates; hardened version of Windows Server 2008 R2; no persistent storage in the VM; limited drivers; traffic regulated by the host firewall
        Isolation: Hyper-V based hypervisor
    11. Separate SSL channels
    12. Isolation in Windows Azure
        Does not rely on Windows security
        Relies on the security of the hypervisor, the exposed network and the disk controllers
        The attack surface is minimized by accepting very few commands and only specific drivers
        A CPU core is dedicated to a particular VM to avoid "side channel" attacks
        Guest disks are VHDs on the root OS file system
        The hypervisor and root OS implement network packet filtering to prevent spoofing and unauthorized traffic toward the VMs
    13. Defenses inherited by applications
    14. Application Security
        Applications must be built following best practices
    15. Windows Azure Code Access Security
    16. Windows Azure Code Access Security: partial trust
    17. Management Service Security
        Customers sign in with Windows Live ID
        Hosted services and storage accounts are managed in the portal or through the API, using a public/private key pair generated by the user
        The Fabric controls updates and controls the compute and storage nodes
        The Fabric runs on separate hardware
        Communication is over an SSL channel
    18. Data Flows
    19. Identity (Daniel Montero)
    20. Identity in the Cloud
        Windows Azure supports both identity management models, role-based and claims-based
    21. Identity and Access Management
        WS-* and SAML; Active Directory; other providers; on-premises
    22. AppFabric: Access Control 2.0 – claims-based, federated access control service
        Provides rules-driven, claims-based authorization for: web applications; REST web services; SOAP web services
        Key features: broad support for identity providers, including AD Federation Services v2 and well-known web identity providers (Live ID, Facebook, Google, Yahoo); support for the WS-Trust and WS-Federation protocols; configurable through a new web management portal
    23. Data Security (Juan Pablo García)
    24. Data Security
        User data lives on separate hardware, in storage accounts
        Data is accessed only with the account's secret key
        Access control policies can be attached to blobs using "Shared Access Signatures"
        Data is accessed over SSL
    25. Blob Storage Security Model (Azure Storage blob and container)
        Storage Access Key: full control; signs the Shared Access Signatures
        Shared Access Signatures: read / write / delete / list; may reference a container-level access policy
        Container-level access policy: read / write / delete / list
        Public? Container ACL
    26. Windows Azure Storage Reliability
        Data is replicated to 3 distinct physical stores and in different datacenters
        (diagram) Azure application, Azure application, data on premises
    27. Data Encryption in Azure
        Supported with your own code
        (diagram) The client application stores the key locally; the browser does not have the key and cannot read the data
    28. Security in SQL Azure
    29. Security in SQL Azure
        Only SQL authentication is supported
        The user must be supplied on every connection
        Resetting the password does not force clients to reconnect
        Clients must re-authenticate every 60 minutes
        During provisioning, SQL Azure creates a server-level account similar to sa
        That account is used to create other accounts
        Port 1433 must be opened in the local firewall
        Client IP addresses must be registered
    30. SQL Server and SQL Azure Comparison
    31. Physical Security – Data Center (Daniel Montero)
    32. The Microsoft Cloud: ~100 data centers distributed globally
    33. Data Center – Physical Security
        SAS 70 and ISO 27001 certified
        Processes certified under SAS 70
        Motion sensors
        Access protected 24 x 7
        Biometric access control to systems
        Video camera surveillance
        Security breach alarms
    34. Windows Azure Platform Data Centers
        North America Region: N. Central – U.S., S. Central – U.S.
        Europe Region: N. Europe, W. Europe
        Asia Pacific Region: E. Asia, S.E. Asia
        6 datacenters across 3 continents
        Simply select your data center of choice when deploying an application
    35. The Microsoft Cloud – Data Center Infrastructure
    36. Conclusions
    37. Windows Azure Security Overview
        Juan Pablo García González, Solution Architect, DELL
        Daniel A. Montero González, Software Developer Manager, DATCO Chile
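The AppFabric Access Control slide describes "rules-driven, claims-based" authorization: the identity provider asserts claims, ACS transforms them by rules, and the relying party only sees the output. The following added example (not from the deck, and not ACS code) models that rule evaluation in Python so the security property is visible: a claim the provider asserted but no rule covers is dropped, so a web identity provider cannot grant itself a role it was never trusted for. The name and role claim type URIs are the standard WS-* ones; the AD FS group claim type, the issuers, rules and tokens are assumptions constructed for the example, and ACS's grouping of rules per relying party is omitted.

```python
"""Added example, not from the original deck or from AppFabric ACS itself: a
small model of the rules-driven, claims-based authorization that Access
Control 2.0 performs between an identity provider and a relying party.

NAME and ROLE are the standard WS-* claim type URIs; GROUP is assumed to be
the AD FS group claim type.  Issuers, rules and tokens are constructed.
"""
from dataclasses import dataclass
from typing import Optional

NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
GROUP = "http://schemas.xmlsoap.org/claims/Group"  # assumed AD FS group claim type
ADFS = "https://adfs.corp.example/"                 # constructed corporate issuer


@dataclass(frozen=True)
class Claim:
    issuer: str
    type: str
    value: str


@dataclass(frozen=True)
class Rule:
    """ACS-style rule: when a claim from `in_issuer` of `in_type` (and, if
    set, with `in_value`) is present, emit `out_type`.  `out_value` None
    means pass the input value through unchanged."""
    in_issuer: str
    in_type: str
    in_value: Optional[str]
    out_type: str
    out_value: Optional[str] = None


def apply_rules(claims, rules):
    """Output claims the relying party receives, as a set of (type, value).

    Only claims matched by a rule survive: an input claim no rule covers is
    dropped, so a provider cannot inject roles it was never trusted for."""
    out = set()
    for claim in claims:
        for rule in rules:
            if rule.in_issuer != claim.issuer or rule.in_type != claim.type:
                continue
            if rule.in_value is not None and rule.in_value != claim.value:
                continue
            out.add((rule.out_type, rule.out_value if rule.out_value is not None else claim.value))
    return out


def is_authorized(output_claims, required_role):
    """The relying party's check runs against output claims only."""
    return (ROLE, required_role) in output_claims


# Constructed rule set for one relying party: corporate AD FS users pass
# their name through and Domain Admins become Administrators; Google users
# keep their name and get a read-only role.
RULES = [
    Rule(ADFS, NAME, None, NAME),
    Rule(ADFS, GROUP, "Domain Admins", ROLE, "Administrator"),
    Rule(ADFS, GROUP, "Domain Users", ROLE, "Reader"),
    Rule("Google", NAME, None, NAME),
    Rule("Google", NAME, None, ROLE, "Reader"),
]


def demo():
    admin = [Claim(ADFS, NAME, "alice"), Claim(ADFS, GROUP, "Domain Admins")]
    # A Google token asserting an Administrator role directly: no rule maps
    # Google's role claims, so the assertion never reaches the application.
    outsider = [Claim("Google", NAME, "bob@example.com"), Claim("Google", ROLE, "Administrator")]
    return apply_rules(admin, RULES), apply_rules(outsider, RULES)


if __name__ == "__main__":
    admin_out, outsider_out = demo()
    print(sorted(admin_out), is_authorized(admin_out, "Administrator"))
    print(sorted(outsider_out), is_authorized(outsider_out, "Administrator"))
```

The design point is that the application never consults the raw token: trust decisions are expressed once, as rules keyed on issuer and claim type, and a new identity provider gets exactly the roles its rules grant.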
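The Data Security and Blob Storage Security Model slides say that the storage access key gives full control and signs Shared Access Signatures, which carry read/write/delete/list permissions and may reference a container-level access policy. The following added example (not from the deck or the Azure SDK) shows how such a signature is derived and verified: an HMAC-SHA256 over a fixed string-to-sign, keyed with the base64-decoded storage key, so any change to the permissions, validity window, resource or policy name invalidates it. The string-to-sign layout follows the original 2009 Blob service SAS; later service versions add fields, so the exact layout must be checked against the version in use. The account name, key, container and blob names are constructed.

```python
"""Added example, not from the original deck or the Azure SDK: how a Shared
Access Signature is derived from the storage access key and verified.

The string-to-sign (permissions, start, expiry, canonicalized resource,
signed identifier) and the HMAC-SHA256 over the base64-decoded key follow
the original 2009 Blob service SAS; later versions add fields.  The account,
key, container and blob names are constructed for this example.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed 64-byte key, base64 encoded like a real storage access key.
STORAGE_KEY = base64.b64encode(bytes(range(64))).decode()
ACCOUNT = "examplestore"


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


def canonicalized_resource(account, container, blob=None):
    # A container SAS (sr=c) signs "/account/container"; a blob SAS (sr=b)
    # signs "/account/container/blob".
    path = f"/{account}/{container}"
    return path + f"/{blob}" if blob else path


def string_to_sign(permissions, start, expiry, resource, identifier=""):
    # Field order matters: the service rebuilds exactly this string.
    return "\n".join([permissions, start, expiry, resource, identifier])


def sign(key_b64, text):
    mac = hmac.new(base64.b64decode(key_b64), text.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_sas(key_b64, account, container, blob, permissions, start, expiry, identifier=""):
    """Query parameters of the SAS.  `identifier` names a container-level
    access policy; its name is bound into the signature, so a token cannot
    be re-pointed at a more permissive policy."""
    resource = canonicalized_resource(account, container, blob)
    params = {"sr": "b" if blob else "c", "sp": permissions, "st": start, "se": expiry}
    if identifier:
        params["si"] = identifier
    params["sig"] = sign(key_b64, string_to_sign(permissions, start, expiry, resource, identifier))
    return params


def verify_sas(key_b64, account, container, blob, params, now):
    """Return (ok, reason).  The signature is recomputed from the presented
    parameters and the requested resource, so any tampering fails before the
    validity window is even considered.  Expiry is required here; with a
    signed identifier the service takes it from the policy, which this
    example does not model."""
    resource = canonicalized_resource(account, container, blob)
    expected = sign(key_b64, string_to_sign(params.get("sp", ""), params.get("st", ""),
                                            params.get("se", ""), resource, params.get("si", "")))
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return False, "signature mismatch"
    if not params.get("se"):
        return False, "expiry missing"
    parse = lambda ts: datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)
    if params.get("st") and now < parse(params["st"]):
        return False, "not yet valid"
    if now >= parse(params["se"]):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    sas = make_sas(STORAGE_KEY, ACCOUNT, "invoices", "2011/q2.pdf", "r",
                   "2011-06-01T00:00:00Z", "2011-06-01T01:00:00Z")
    print("&".join(f"{k}={v}" for k, v in sas.items()))
    print(verify_sas(STORAGE_KEY, ACCOUNT, "invoices", "2011/q2.pdf", sas, utc(2011, 6, 1, 0, 30)))
    print(verify_sas(STORAGE_KEY, ACCOUNT, "invoices", "2011/q2.pdf", dict(sas, sp="rw"), utc(2011, 6, 1, 0, 30)))
```

Because the signature covers the resource path, a token minted for one blob is useless for another, and because it covers the permissions, a read-only token cannot be widened by editing the query string. The storage access key itself never leaves the signer, which is the property the slide is after when it distinguishes the key's full control from a signature's delegated rights.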
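The SQL Azure security slide lists rules that affect client code directly: only SQL authentication, the user supplied on every connection, a password reset that does not drop live sessions, re-authentication every 60 minutes, and port 1433 with SSL. The following added example (not from the deck or from any SQL Azure client library) is a connection holder that applies those rules: credentials are fetched fresh each time a connection is opened, so a rotated password takes effect on the next reconnect, and no connection is reused past the 60-minute limit. The connection string keys are the common ADO.NET/ODBC ones; the server name, database and credentials are constructed, and `connect` is a stand-in for a real driver call.

```python
"""Added example, not from the original deck or from SQL Azure's client
libraries: a connection holder that honours the slide's rules of supplying
credentials on every connection and re-authenticating every 60 minutes.

Connection string keys are the common ADO.NET/ODBC ones; server, database
and credentials are constructed; `connect` stands in for a driver call.
"""
import time

MAX_CONNECTION_AGE = 60 * 60  # seconds: the slide's 60-minute re-authentication limit


def build_connection_string(server, database, user, password):
    # Port 1433 is the only port served; Encrypt=True keeps the session on
    # SSL, and TrustServerCertificate=False makes the client actually
    # validate the server certificate instead of accepting any.
    return (f"Server=tcp:{server},1433;Database={database};"
            f"User ID={user};Password={password};"
            "Encrypt=True;TrustServerCertificate=False;")


class SqlAzureSession:
    """Hands out a connection, reopening it with fresh credentials once it is
    older than `max_age`.  `connect(conn_str)` returns an object with a
    `close()` method; `get_credentials()` returns (user, password) from
    wherever the application keeps its secrets."""

    def __init__(self, server, database, connect, get_credentials,
                 clock=time.monotonic, max_age=MAX_CONNECTION_AGE):
        self.server, self.database = server, database
        self.connect, self.get_credentials, self.clock = connect, get_credentials, clock
        self.max_age = max_age
        self._conn, self._opened_at = None, None

    def connection(self):
        # Retire the connection before the service does, so the caller never
        # sees a mid-query authentication failure at the 60-minute mark.
        if self._conn is not None and self.clock() - self._opened_at >= self.max_age:
            self._conn.close()
            self._conn = None
        if self._conn is None:
            user, password = self.get_credentials()  # fresh on every open
            self._conn = self.connect(build_connection_string(self.server, self.database, user, password))
            self._opened_at = self.clock()
        return self._conn


# ---- constructed stand-ins so the example runs without a database ----
class FakeConnection:
    def __init__(self, conn_str):
        self.conn_str, self.closed = conn_str, False

    def close(self):
        self.closed = True


class FakeClock:
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    secrets = {"user": "appuser", "password": "first-secret"}
    session = SqlAzureSession("example.database.windows.net", "appdb", FakeConnection,
                              lambda: (secrets["user"], secrets["password"]), clock=clock)
    first = session.connection()
    clock.advance(10 * 60)
    same = session.connection()                 # 10 minutes in: reused
    secrets["password"] = "rotated-secret"      # reset does not drop the live session
    still_same = session.connection()
    clock.advance(51 * 60)                      # 61 minutes since open: reconnect
    renewed = session.connection()
    return first, same, still_same, renewed


if __name__ == "__main__":
    first, _, _, renewed = demo()
    print(first.conn_str)
    print("renewed with new password:", "rotated-secret" in renewed.conn_str, "old closed:", first.closed)
```

Reading the credential inside `connection()` rather than at construction is what makes password rotation operationally safe: the running session keeps working, as the slide says, and the next open picks up the new secret without a restart.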