Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Integrate 3rd party security solution into CloudStack

1,529 views

Published on

Published in: Technology
  • Be the first to comment

Integrate 3rd party security solution into CloudStack

  1. 1. Integrate Security Product with Cloudstack Written by: Mice Xia mice_xia@tcloudcomputing.com
  2. 2. About me• About me – Project manager from TCloud Computing Ltd, Beijing, China – Apache CloudStack Committer – About TCloud • Provides cloud platform product/service to Chinese customers • Based on CloudStack• About this topic – Based on the practice and on-going work – Goal: bring some insights into integration between CS and security product
  3. 3. Outline• Background• Three categories of solutions• Integration goal and problems• Architecture• Workflow• Future work
  4. 4. Background• CS does an excellent job for building clouds • Growing needs for solutions to secure the Cloud• Seek security solutions to work with CS • Works for both private and public cloud • Multi-tenant ,self-service, • Easy to provision • Resource effective • Easy to integrate
  5. 5. Agent-based• Widely implemented in physical Guest Network environment• Relies on the agent installed on Guest VM 1 guest OS Agent• Network connection to Pattern/Mgmt Guest VM Server Agent pattern/mgmt server• Not much IAAS level integration Guest VM Agent• Cons Guest VM • Instant-on gap Agent • Resource contention CS Virtual Router
  6. 6. Gateway-based• Agentless, widely adopted in physical environment• Detect and prevent by capturing Router network traffics Offline mode Inline mode• Works fine with simple L3 Core Switch requirements• Cons • Network traffic based Available Zone • Uneasy to provide Inter-user and inter-VM protection … … … Pod 1 Pod N
  7. 7. Hypervisor-based• Dedicated for virtual environment User VM• Agentless for user VM, need an User VM ‘agent’ on hypervisor • Capture network traffics • Scan VM memory Module• Can work with any complex Hypervisor network environment
  8. 8. Brief intro to ElasterShield• Hypervisor based security product• Features <VM, Profile/Rules> • Firewall (L2, L3, L4) • IDS/IPS • Application Control • Web server protection • Anti-malware (roadmap) ElasterShield• For IT admin, no multi-tenant• Rules: defines what triggers event• Profiles: a set of enabled rules Events/Alerts
  9. 9. Brief intro to ElasterShield (cont.)• ElasterShield Manager (ESM) ESM • Storing rules/profiles • Provide UI/ web service API • Send command to ESVA Hypervisor• Security Virtual Appliance (ESVA) ESVA User VM • One for each hypervisor, stateless • Hypervisor redirects VM’s traffic to ESVA • Includes an engine to do the Hypervisor detection/prevention• Bi-directional communicate ESVA User VM between ESM and ESVA• No impact to user VM if ESVA stops
  10. 10. Integration goal• CS Integrates ES• Security as a service, ES as a service provider • Multi-tenant, defined by admins, subscribed by users, provisioned to VMs • Security offering == Security Profiles • Export new CS APIs• Generic to hypervisor-based solution (hopefully)• No change to ES code, keep it as it is• Minimum change to CS 4.0 existing code
  11. 11. Problems : Networking Public Network• Bi-directional communication is Shared Guest Network required between ESM and ESVA Management• Deploy ESVA as a user VM Network ESM ? – Connects to guest network Isolated Guest – Basic Zone Network • Ingress rules – Advanced zone ESVA • Virtual router NAT problem • Another dedicated shared network? User VM• Solution: Via management network – Works for both basic and adv zone User VM – ESVA as a special VM managed by CS – Connect it to management network programmatically VRouter
  12. 12. Problems: ESVA management• Make sure ESVA is running on each hypervisor – When a new host is added, ESVA should be deployed automatically on the host – When hypervisor is rebooted, ESVA should be started automatically – Can be destroyed manually and re-deployed• Similar to SystemVM/VRouter – Managed by CS, transparent to end user – Per hypervisor basis
  13. 13. Problems: VM life cycle conflicts• User VM State mismatch – ES can detect VM state changes by polling events directly from Hypervisor • Enable VM’s profile when it gets started • Disable VM’s profile when it gets stopped • Un-assign profile when it gets destroyed – It does not work. CS removes VM from hypervisor when it gets stopped CS VM state Stopped Destroyed Removed Hypervisor VM state Destroyed (Missing) – Solution: CS controls profile (un)assignment to VM , based on VM state in the CS
  14. 14. Architecture OverviewNew CS API ESM API ES Plug-in ESM Mgmt network CloudStack Manager Mgmt network Managed by CS ESVA ESVA User VM User VM Hypervisor Hypervisor
  15. 15. Integrate as a CS Plug-in• Provide security related APIs• Treat ESM as a resource and send commands to it• ESVA monitor and management• Tailor User VM lifecycle with existing framework• Tailor Hypervisor management
  16. 16. Plug-in• New manager/service for ESVA and ESM• Extends several CS Rest API manager to tailor process• A new resource for calling ESMResource ESVAManager ESM APIs ESMManager Plugin API• DAOs for security related … database operation ESMUserVMManagerImpl Data Access Layer
  17. 17. Workflow: Add ESM 1) Call plug-in API 2) Connect to ES manager ElasterShield Plug-in ElasterShield CloudStack Manager ManagerDatabase 3) Persist into DB1) Admin user or external UI calls Plug-in API (addElasterShield) • Parameters include ESM url/account/password • One ESM per zone or per installation?2) Plug-in calls ESM’s APIs to: • test connection with specified authentication • Get ESM info such like version, license, etc.3) Plug-in persists the ESM info into CS database
  18. 18. Workflow: Enable Security protection 1 ) Call plug-in API:1) Admin user or external UI calls plug-in enableSecurityProtection API (enableSecurityProtection) • Cluster wide enable 3) Activate ESVA2) ES Plug-in deploys ESVA • Deploy ESVA on each host of the ES Plug-in ESM cluster • With specified service offering CloudStack and template Manager • Start ESVA 2) Start ESVA on each3) Activate ESVA hypervisor of the cluster • Plug-in calls ESM API to activate each ESVA ESVA ESVA Hypervisor Hypervisor
  19. 19. Workflow: List Security Offering 2) Call ESM API, listSecurityProfiles ElasterShield Plug-in ElasterShield 1) Call plug-in API Manager listSecurityOffering CloudStack Manager1) User or external UI calls Plug-in API (listSecurityOffering) • Fetch all security offerings with query parameters • Id, name, description2) Plug-in calls ESM’s APIs to: • List security profiles from ESM
  20. 20. Workflow: Define Security Profiles Admin defines Rules/profiles 2) Call ESM API listSecurityProfiles ElasterShield Plug-in ElasterShield1) Call plug-in API ManagerlistSecurityOffering CloudStack Manager• For this Stage, this will be not implemented in plug-in, because it’s product-specific• Admins use ESM’s UI to define profiles• Users use Plug-in API to list and apply profiles
  21. 21. Workflow: Apply security offering 1) Call plug-in API 3) Call ESM API, applySecurityOffering assignSecurityProfile ElasterShield Plug-in ElasterShield CloudStack Manager ManagerDatabase 2) Persist into DB1) User or external UI calls plug-in API (applySecurityOffering) • Specify VM id and security offering id2) Plug-in persists <VM, offering> mapping into DB • Address multi-tenant problem3) Plug-in calls ESM API to assign corresponding profile if VM is running
  22. 22. Workflow: Start Virtual Machine 4) Call ESM API, 3) Get profile assignSecurityProfile ElasterShield Plug-in ElasterShieldDatabase Manager CloudStack Manager 1) Call CS API 2) Start User VM startVirtualMachine User VM 5) ESM notifies ESVA to take effect ESVA Hypervisor1) User or UI calls CS API (startVirtualMachine)2) CS checks ESVA status and starts user VM as usual3) After user VM is started, plug-in gets this VM’s profile (VirtualMachineGuru.finalizeStart)4) Plug-in call ESM API to assign profile to the VM5) ESM notifies ESVA in the same hypervisor with VM to take effect profile
  23. 23. Workflow: Stop Virtual Machine 4) Call ESM API, 3) Get profile unassignSecurityProfile ElasterShield Plug-in ElasterShieldDatabase Manager CloudStack Manager 1) Call CS API 2) Stop user VM stopVirtualMachine User VM 5) ESM notifies ESVA to take effect ESVA Hypervisor1) User or UI calls CS API (stopVirtualMachine)2) CS powers off user VM as usual3) After user VM is shut down, plug-in gets this VM’s profile (VirtualMachineGuru.finalizeStop)4) Plug-in calls ESM API to unassign profile to the VM5) ESM notifies ESVA in the same hypervisor with VM to take profile effect
  24. 24. Workflow: Destroy Virtual Machine ElasterShield Plug-in 1) Call CS API Database 2) Remove from DB destroyVirtualMachine CloudStack Manager1) User or UI calls CS API (destroyVirtualMachine) • VM is destroyed as usual by CS2) When VM gets expunged, plug-in removes <VM, profile> mapping from DB • VirtualMachineGuru.finalizeExpunge
  25. 25. Workflow: Add a new host 5) Call ESM API to activate ElasterShield Plug-in ElasterShield Manager CloudStack Manager 1) Call CS API 2) Add host 3) Deploy ESVA addHost ESVA Hypervisor1) User or UI calls CS API (addHost)2) CS add a new hypervisor host as usual3) Deploy ESVA4) Plug-in persist ESVA info
  26. 26. Workflow: Maintain a host 3) Call ESM API to de-activate ESVA ElasterShield Plug-in ElasterShield Manager CloudStack Manager1) Call CS API 2) Power off ESVAprepareHostForMaintenance ESVA Hypervisor1) User or UI calls CS API (prepareHostForMaintenance)2) Stop ESVA on it • update ESVA status into DB3) Plug-in call ESM API to deactivate ESVA • unassign security profiles to VMs that cannot be migrated
  27. 27. Workflow: Query Events/Alerts ElasterShield Plug-in ElasterShield1) Call plug-in API 2) Call ESM API ManagerquerySecurityEvents CloudStack Manager1) User or external UI calls plug-in API (querySecurityEvents) • With query parameters such as time, VM id, user id, etc2) Plug-in calls ESM’s API to fetch events/alerts
  28. 28. Workflow: ESVA upgrading 2) Call ESM API to upgrade ElasterShield Plug-in ElasterShield Manager 1) Call plug-in API CloudStack Manager upgradeESVA 3) Notify ESVA 4) Download upgrade package Web server ESVA Hypervisor1) Call plug-in API to upgrade ESVA , with a URL parameter2) Plug-in forward the API to ESM3) ESM notifies all ESVA to upgrade4) ESVA downloads upgrading package from the URL specified5) ESVA upgrade itself, it still functions during the upgrading.
  29. 29. Summary & Future work• Summary – Develop plug-in with existing CS framework – Leverage CS to manage security virtual appliance – Tailor process• Future work – Make the security offering more generic – Make it easier for CS to introduce a new system VM

×