OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloud

This talk describes an automated trusted remote Java development sandbox hosted in the amazon cloud that uses strong encryption for system authentication and file system services. Security-conscious users can trust that their application intellectual property won't be leaked while trusting neither the cloud provider nor the operators who deploy and maintain the cloud-based sandbox service.

Published in: Health & Medicine, Technology
1. “Remote Desktop for big data + DevOps + Encryption Everywhere”
   Deploying trusted developer sandboxes in Amazon’s cloud
   Jason Brazile, Remi Locherer, Ronnie Brunner (Netcetera)
   10 June 2014, Open Cloud Day
2. A case for…
   • remote desktop w/“big data in the cloud”
   • automated immutable system images
   • not-too-inconvenient encryption everywhere
3. ESA Study: 2009-2011
   Background: ESRIN/Contract Nr. 227700/09/I-SB final report (245 pages)
   potential use-cases:
   • …
   • Cloud for free* data access
   • Cloud for remote development
   • …
   (*) https://www.google.com/?q=ESA+Earth+Observation+Data+Policy
4. ESA CIOP
   • Big, free-ish, Data
   • Distinct, proprietary, software devs (Proprietary Algorithm A dev’d by X, Proprietary Algorithm B dev’d by Y)
   • Slow test data distribution to code developers
   • Devs nervous about their code leaking
   Soln? Instead, bring the devs to the data (in the cloud)
5. (non-)Priorities… Zzz
   • hacking science data
   • brand damage
   • Leaking developer’s algorithms
   Summary
   • Data = not sensitive
   • Dev’s Code = sensitive
   • Soln → easy for devs
6. Schneier’s “NSA” Recommendations
   1. Hide in the network (Tor)
   2. Encrypt communications
   3. Encrypt data
   4. Be suspicious of commercial encryption from large vendors
   5. Use public-domain encryption
   w/ESA CIOP 4 of 5 are built-in to system
   http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
   Image source: Wikipedia
7. Cloud Sandbox Prototype (architecture diagram)
   ESA private net / ESA/CIOP DMZ: portal, catalog, /data, Existing X.509 certs, Admin
   Cloud side: sandbox a, sandbox b, sandbox c (each running encfs + sshd), NFS, ldap, /home/a, /home/b, /home/c
   Diagram labels:
   • user a, user b, user c: X.509 derived ssh key
   • ldap config limits user c to sandbox c
   • nfs mount of encfs encrypted /home/a
   • sandbox images basically read-only
   • knows no CIOP secrets
8. Getting big data into the cloud
   1. Net or Post?
   2. Est. Cost
   3. Submit job
   http://aws.amazon.com/importexport/faqs/
   http://calculator.s3.amazonaws.com/index.html?s=importexport
   http://docs.aws.amazon.com/AWSImportExport/latest/DG/GSCreateSampleEBSImportRequest.html
9. Easy? First Time Usage
   1. ssh identity derived from existing X.509 certificate
   2. Single encfs passphrase decrypts both dev’s /home and shared /validate
10. Easy? Daily Usage
    1. ssh identity derived from existing X.509 certificate
    2. Single encfs passphrase decrypts both dev’s /home and shared /validate
    ldap directory: centralized access control to machines and nfs mounts
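How the "ssh identity derived from existing X.509 certificate" step on slides 7, 9 and 10 can be done with stock tooling, as an added example that is not from the slides or the esa-ciop-sandbox-image-proto repository. It assumes an RSA certificate in PEM form plus the matching private key, and that openssl and ssh-keygen are installed; the function names and file names are made up here.

```shell
# Added example, not from the slides: the public key inside the developer's
# X.509 certificate becomes the authorized_keys entry, and the private key the
# certificate was issued for is the ssh identity, so no second key pair has to
# be minted or shipped to the cloud. Needs openssl + ssh-keygen.

# Print the OpenSSH public key line ("ssh-rsa AAAA...") for CERT_PEM.
ssh_pubkey_from_x509() {
  # -pubkey writes the SubjectPublicKeyInfo as PEM; ssh-keygen -i -m PKCS8
  # converts that into authorized_keys format.
  openssl x509 -in "$1" -noout -pubkey | ssh-keygen -i -m PKCS8 -f /dev/stdin
}

# SHA256 fingerprint of the key in CERT_PEM, as sshd would log it.
x509_ssh_fingerprint() {
  ssh_pubkey_from_x509 "$1" | ssh-keygen -lf /dev/stdin | awk '{print $2}'
}

# Return 0 when KEY_PEM is the private key matching CERT_PEM, i.e. the pair
# can serve as the ssh identity; a mismatch or parse failure returns 1.
x509_matches_ssh_key() {
  c=$(x509_ssh_fingerprint "$1") || return 1
  k=$(ssh-keygen -yf "$2" | ssh-keygen -lf /dev/stdin | awk '{print $2}') || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}
```

Publishing the derived line through ldap (slide 14's ssh-ldap-wrapper) means sshd trusts exactly the keys the directory lists, and a revoked certificate is removed from the directory rather than from every sandbox.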
11. Details: Encrypted File system choices (SL6)
    (comparison table slide)
12. Details: just the OS
    boxgrinder appliance definition:
      name: fedora-xfce
      summary: Fedora with xfce
      os:
        name: fedora
        version: 16
      hardware:
        partitions:
          "/":
            size: 5
      packages:
        - @base
        - @base-x
        - @fonts
        - @xfce-desktop
        - @critical-path-xfce
    EC2 delivery settings (placeholders):
      access_key: yourawsaccesskey
      secret_access_key: yourawssecretkey
      account_number: youramazonaccountnumber
      cert_file: /root/.ec2/yourcertificate.pem
      key_file: /root/.ec2/yourprivatekey.pem
    The only change needed for Scientific Linux: name: sl, version: 6
    Note: boxgrinder is “sleeping”. Now we use appliance-creator (~150 line shell script):
    https://github.com/netceteragroup/esa-beam/blob/master/beam-3dveglab-vlab/src/main/scripts/build_fedora_virtual_image.sh
13. Details: server script (~500 lines)
    • Firewall
    • Nfs/autofs
    • Certificates
    • Ldap
    • Syslog

      # local firewall rules for inbound traffic
      # 111 rpc (for nfs), 514 rsyslog, 636 ldap-ssl, 662 statd (for nfs),
      # 2049 nfs4, 32803/32769 lockd (for nfs)
      lokkit --nostart --enabled --service=ssh --port=111:tcp --port=111:udp \
        --port=514:tcp --port=636:tcp --port=662:tcp --port=662:udp \
        --port=2049:tcp --port=2049:udp --port=32803:tcp --port=32769:udp

      # ldap configuration
      yum install -y openldap-clients openldap-servers nss-pam-ldapd

      # prepare ldap cert
      cd /etc/openldap/cacerts
      openssl genrsa -out cert.key 2048
      …
      openssl req -new -key cert.key -out cert.csr \
        -subj "/C=IT/L=Default City/O=Default Company Ltd/CN=192.168.11.10"
      …
      /usr/sbin/cacertdir_rehash /export/certs/

      cat <<EOF> /etc/openldap/slapd.d/cn=config.ldif
      …
      cat <<EOF> /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
      …
      cat <<EOF> /etc/openldap/slapd.d/cn=config/cn=schema/cn={12}autofs.ldif
      …
      cat <<EOF> /etc/openldap/slapd.d/cn=config/cn=schema/cn={14}ldappubkey.ldif
      …
      cat <<EOF> /etc/openldap/g-pod.ldif
      …
      slapadd -l /etc/openldap/g-pod.ldif

    Nice-to-have: rsyslog → TLS rsyslog
14. Details: sandbox script (~250 lines)
    • Firewall
    • Nfs/autofs/fuse-encfs
    • Encrypted /tmp & swap
    • Openssh-ldap
    • Syslog

      …
      chmod +x /etc/profile.d/encfs.sh

      # load fuse kernel module at boot
      cat <<EOF> /etc/sysconfig/modules/encfs.modules
      #!/bin/bash
      exec /sbin/modprobe fuse >/dev/null 2>&1
      EOF
      chmod +x /etc/sysconfig/modules/encfs.modules

      # sshd looks up authorized keys in ldap instead of ~/.ssh/authorized_keys
      yum install -y openssh-ldap
      echo 'AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper' >> /etc/ssh/sshd_config
      # for ssh-ldap-helper
      ln -s /etc/openldap/ldap.conf /etc/ssh/ldap.conf

      # encrypt temporary filesystems
      yum install -y cryptsetup-luks

      # swap space: random key from /dev/urandom at every boot
      # (use "cryptsetup status /dev/mapper/swap" after reboot)
      echo 'swap /dev/mapper/VolGroup-lv_swap /dev/urandom cipher=aes-cbc-essiv:sha256,size=128,swap' > /etc/crypttab
      # "|" as the sed delimiter, since the replacement itself contains "/"
      sed -i 's|.*swap.*|/dev/mapper/swap swap swap defaults 0 0|' /etc/fstab

      # temporary file systems live in RAM, never on the unencrypted disk
      echo 'none /tmp tmpfs defaults,size=64m 0 0' >> /etc/fstab
      echo 'none /var/tmp tmpfs defaults,size=128m 0 0' >> /etc/fstab
      […]

      # home directory encryption
      # fuse-2.8.3-1.el6 works, fuse-2.8.3-3.el6_1 "fusermount -u" does not work.
      yum install -y fuse-2.8.3-1.el6 fuse-encfs-1.7.4-1.el6.i686 pwgen
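The "Encrypted /tmp & swap" step above, as an added example that is not from the slides or the project: a function that applies the crypttab/fstab changes idempotently so the sandbox script can be re-run on an existing image, plus a check a build pipeline can run afterwards. The device and mount names are taken from the slide; the function names and the idea of passing test copies of the files are assumptions made here.

```shell
# Added example, not from the slides. Rewrite FSTAB and CRYPTTAB so that swap
# runs on a dm-crypt mapping keyed from /dev/urandom at each boot (nothing
# written to swap survives a reboot; hibernation is therefore not possible)
# and scratch space lives in tmpfs. Safe to run more than once.
# Usage: configure_encrypted_swap FSTAB CRYPTTAB [BACKING_DEVICE]
configure_encrypted_swap() {
  fstab=$1
  crypttab=$2
  backing=${3:-/dev/mapper/VolGroup-lv_swap}   # LV name from the slide
  line="swap $backing /dev/urandom cipher=aes-cbc-essiv:sha256,size=128,swap"
  # crypttab: add the mapping once.
  grep -q '^swap ' "$crypttab" 2>/dev/null || printf '%s\n' "$line" >> "$crypttab"
  # fstab: every uncommented swap entry now points at the mapping.
  # "|" is the sed delimiter because the replacement contains "/".
  sed -i 's|^[^#].*[[:space:]]swap[[:space:]].*$|/dev/mapper/swap swap swap defaults 0 0|' "$fstab"
  # tmpfs for /tmp and /var/tmp so temp files never touch the plain disk.
  grep -q ' /tmp ' "$fstab" || printf 'none /tmp tmpfs defaults,size=64m 0 0\n' >> "$fstab"
  grep -q ' /var/tmp ' "$fstab" || printf 'none /var/tmp tmpfs defaults,size=128m 0 0\n' >> "$fstab"
}

# Return 0 when FSTAB's swap entry is the dm-crypt mapping (post-build check).
swap_is_mapped() {
  grep -Eq '^/dev/mapper/swap[[:space:]]+swap[[:space:]]+swap' "$1"
}
```

On the running system, "cryptsetup status /dev/mapper/swap" (as the slide notes) confirms the mapping is actually active; the file check only proves the configuration is in place.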
15. Takeaways…
    • remote desktop w/“big data in the cloud”
    • automated immutable system images
    • not-too-inconvenient encryption everywhere
    github.com/netceteragroup/esa-ciop-sandbox-image-proto
    jason.brazile@netcetera.com, remi.locherer@netcetera.com, ronnie.brunner@netcetera.com