
OpenNebulaConf2019 - Crytek: A Video gaming Edge Implementation "on the shoulders" of OpenNebula - Dmytro Korzhevin - Crytek

A Video gaming Edge Implementation "on the shoulders" of OpenNebula

  1. Disaggregated Data Centers on the shoulders of OpenNebula. Dmytro Korzhevin
  2. About the speaker
  3. About the speaker: Crytek Chief Information Security Officer, Head of Crytek CERT (crytek.com)
  4. About the speaker
     - eLearnSecurity: eCPPT, eMAPT, eNDP, eWDP, eJPT
     - EC-Council: LPT (Master), CSCU, CND, CEH, CEH (Master), CEH (Practical), ECIH, ECSA, EC-Council E|CND Item Writer, EC-Council E|CIH Review Board member, ECSA Item Writers Group
     - Linux Foundation: LFCSA, LFCE
     - Hewlett-Packard: HP ATA Architect, HP ATA Servers and Storage, HP ATA Designing and Deploying Cloud Solutions, HP ATA Devices, HP ATA Networks
     - Symantec Hacker Academy: Hacking, Client Attacks, Digital Forensics, Pen Test, Debugging, Web App Attacks, Network Attacks, Pen Test Management, Server Attacks
     - PentesterLab: Intercept Badge, White Badge, Serialize Badge, Capture-The-Flag Badge
     - NATO Cooperative Cyber Defence Centre of Excellence (Tallinn, Estonia): Rapid Reaction Expert Training, Satellite Operations, European Security and Defence Policy (ESDP), Strategic Communications, Critical Infrastructure Awareness, Information Security, Digital Communications, Cyber Defence
     - USDHS: Offensive and Defensive Network Operations, Linux Operating System Security, Threat Hunting Teams, Cloud Computing Security, CISM 2013, CDM, Cyber Risk Management, Cyber Security Investigations, ISACA Certified Information Systems Auditor (CISA) Prep, (ISC)2 CISSP Prep, Penetration Testing, Securing Infrastructure Devices, Securing the Network Perimeter
     - Canonical: Ubuntu System Builder (2008)
     - ISACA: CSX
     - ISO/IEC: 27001:2013, 19011:2011
  5. COMPANY OVERVIEW
  6. FACTS
     - Crytek is a leading, internationally operating developer and publisher of video games
     - Known for world-class IPs and products such as the original Far Cry, the Crysis franchise, Ryse: Son of Rome and the game services Warface and HUNT: SHOWDOWN
     - All Crytek games are built with the proprietary game development solution CRYENGINE®
     - CRYENGINE is perfect for rich VR worlds, and the new hardware is now capable of bringing our ideas to life
  7. Crytek Games
  8. CRYENGINE® is Crytek's key differentiator for success
     - World-leading game development software for sophisticated computer and video games
     - Highest graphics quality and unique real-time 3D technology
     - Innovation leadership as a result of 15 years of development know-how
     - Licensed by numerous third-party game developers and publishers
     - Sole integrated all-in-one solution for games on platforms of the current and future generation: CRYENGINE
  9. CRYENGINE
  10. Showcase
     - https://www.cryengine.com/
     - https://youtu.be/GN5c3B6RqaI
     - CRYENGINE 5.6 Tech Trailer
     - https://www.youtube.com/watch?v=ObAqK8a-W9w
  11. CRYENGINE
     - https://github.com/crytek
     - https://github.com/CRYTEK/CRYENGINE
  12. Game Approaches
  13. Game approaches and tools
     - Visual Studio
     - .NET
     - mono
     - dotnetcore
     - perforce
     - IMPORTANT: CPU core usage and HT
  14. Crytek Approach
  15. Crytek Approach
     - dotnetcore - official
     - Minimize the attack surface from the beginning
     - IntelliTrace, software transactional memory (STM) and Pex
     - Isolation and white-box unit testing
     - Workflow - CERT
  16. Showcase
  17. Behind the Game
  18. Behind the game - OS
     - Linux OS standardization (according to requirements)
     - Additional security configuration for repository signatures
     - LVM configuration - different schemes per server purpose
     - FDE / partition encryption
     - ulimit settings
     - Kernel / network stack tuning
     - CPU and IO scheduler patches and tuning
     - Nice to read about: oomd, earlyoom, nohang
  19. Behind the game - OS
     - Spectre / Meltdown mitigations (retpoline)
     - Latest CPU microcode
     - Kernel mitigations
     - GCC (-fstack-clash-protection | -mindirect-branch)
     - Userspace (qemu / libvirt)
  20. Behind the game - OS: Linux Security Modules (LSM)
     - AppArmor | SELinux | TOMOYO
     - LoadPin
     - Smack
     - Yama
     - SafeSetID
  21. Monitoring
     - Zabbix + Zabbix proxy + zabbix.dll (server integration)
     - Zabbix autodiscovery for every HW server
     - Vulns - CVEs across installed packages - integration with Zabbix
     - Kibana (ELK)
     - Grafana
     - Monit
     - Graphite
     - Graylog
  22. Monitoring 2
     - rsyslog (official repos, not distro)
     - Logwatch
     - GitLab for all configuration files (both game and /etc)
     - cachet (for the status page)
  23. HW / Net capacity tracking
     - openDCIM - rack map and interconnection
     - IPAM - IP Address Management
     - Eramba - GRC (+ compliance)
  24. Compliance
     - DISA STIGs
     - NIST SP (800x)
     - SCAP / OpenSCAP
  25. Access
     - FreeIPA
     - Only SSH keys (elliptic curve)
  26. Security (SOC and CSIRT / CERT)
     - Wazuh
     - Samhain HIDS
     - Prelude
     - GRR (Remote Live Forensics for Incident Response)
     - RedELK
     - TheHive
     - Chef InSpec
  27. Network and network services
     - DNSCrypt
     - ntopng / Suricata
     - iperf points
     - perfSONAR "measurement island"
     - NDT and speedtest
     - IPsec (strongSwan ESP) + hardware acceleration
     - P2P (torrent)
  28. Datacenter APIs
  29. Datacenter API. How a datacenter API should be provided (via official libraries):
     - CLI
     - Python
     - Ruby
     - Node.js
     - PHP
     - Go, etc.
  30. Own integration. Something like:
     - Flask, Flask-RESTPlus and Swagger UI
  31. Datacenter API. Some unusual ways to use the API:
     - curl (testing only)
     - Burp Suite / ZAP
     - Metasploit module to interact with the API
  32. Datacenter Evaluation
  33. Datacenter Evaluation
     - PRICING QUESTIONS
     - LOCATION QUESTIONS
     - SPACE QUESTIONS
     - NETWORK QUESTIONS
     - POWER QUESTIONS
     - COOLING QUESTIONS
     - SECURITY QUESTIONS
     - SUPPORT QUESTIONS
     - CUSTOMER DEPLOYMENT QUESTIONS
     - SERVICE LEVEL AGREEMENT QUESTIONS
  34. Datacenter Evaluation
     - ISO 9001:2008, for quality management systems
     - ISO 27001:2013, for information security
     - ISO 14001:2004, for sustainability
     - PCI DSS 3.0, for information security for online payment
     - ISAE 3402 (comparable to SSAE 16) Type II, for service organization controls (SOC) reports
     - IX Certified Data Center, for carrier-neutral colocation and interconnection
     - SAS 70 (Type 1 / Type 2)
     - SSAE 16 (Type 1 / Type 2)
     - SOC 1 / SOC 2 (Type 1 / Type 2) / SOC 3
  35. Locations
  36. Locations
     - Right near IX points (AMS-IX + EvoSwitch DC as an example)
     - Reliable datacenters
     - Close to users
  37. Locations - Packet
  38. OpenNebula DDC (Disaggregated Data Centers)
  39. OpenNebula DDC. A solution for:
     1. Scalability (elasticity) problems
     2. Human / configuration errors
     3. Time saving (a big amount of data + configuration at once)
     4. P2P
     5. Best alternative for cold racks
  40. OpenNebula DDC. Scalability types:
     1. Predictable (events)
     2. Mixed or emergency
     3. Unpredictable
  41. OpenNebula DDC. About predictable scalability: metrics, agreements, formulas, ELK, Grafana, in-game analytics
  42. OpenNebula DDC. Mixed / emergency scalability: outages, including unplanned + urgent updates
  43. OpenNebula DDC. Unpredictable scalability: fast growth and significant exceedances of the expected statistical data
  44. Provision
     - oneprovision
     - Provision templates (YAML)
     - IPAM driver
  45. Behind the game
  46. Behind the game
  47. Behind the game
  48. Behind the game
  49. Thank You!
