CloudPassage Halo
    Installfest




Quick Intro

•   Thanks for coming out!
•   Enjoy the free food ☺
•   Focus on security issues with IaaS cloud
•   Interweave that with installing Halo
•   We’re here to help!
  – Ask questions
  – Staff will be handy if you need us
  – Any and all feedback greatly appreciated

              CloudPassage Halo Installfest       2
Where Can I Get These Slides?



community.cloudpassage.com




Tonight’s Focus

• Infrastructure as a Service (IaaS)
  – Can apply to PaaS and SaaS from a
    provider’s perspective
• Mostly geared to public cloud
  – Although applicable to private
• Tenant security concerns
  – We’ll skip physical security
What You Need For The Labs

• Laptop or tablet
• Root-equivalent access to a Linux VM
  – Local or public is fine
  – Spin up now if needed
• Internet access
  – Wifi settings: As Posted

Houston… We Have a Problem




All network security benefits lost in migration:
• Firewall – Filter port level access
• Firewall – Control rootkit transfer
• Proxy – Control app level data
• NIDS – Inspect stream for attacks
• Sniffer – Audit trail of network traffic

Delineation of Responsibility

Stack layers, top to bottom, shown identically for the IaaS, PaaS and SaaS columns:

  Interface
  Application
  Solution Stack
  Operating System     <- Tenant
  Hypervisor           <- Provider
  Compute & Storage
  Network
  Facility

The slide's Tenant and Provider labels sit at the Operating System and Hypervisor rows: in IaaS the tenant is responsible for everything down through the operating system, and the provider for the hypervisor and below.



What Are My Options?




Issues to Address

• No firewall control
• Vulnerability management
• Provider image may not meet
  corporate standards
  – Configuration settings
  – Accounts
• Detect intrusions
Extending The LAN Into The Cloud




LAN Extended Challenges

• Increases load on corporate link
  – Today we’re mobile
  – Limits public cloud scaling
• Increases load on perimeter infrastructure
• Negates network benefits
  – Provider load balancing
  – Multi-peer points
  – Geo-location DNS
  – Higher latency
• No protection within virtual infrastructure

Virtual Appliance Management




Virtual Appliance Architecture




What About Introspection?

• Hypervisor based security
   – Has visibility into all VMs
• Single point of control
   – For a specific hypervisor deployment
• Public - Do you want other tenants to have
  access to your hypervisor?
• Do you want your provider to have non-auditable access to your VMs?
• Can break segregation of duties
Host-Based Architecture

Consistent architecture (and risk abatement) regardless of deployment




Why Host Based Firewalls?

• Tenant controlled
  – Provider gains no additional access
• Mitigate potential risks from vswitch or VLANs
• Supported across all cloud infrastructures
  – Consistent management regardless of deployment
• Security is portable with the VM
• This is the model supported by Halo


Why Restrict Admin Ports?

[Chart: Dshield.org data. Green = number of IPs looking for open SSH ports; Red = number of IPs hit by SSH scan]



Halo Firewall Interface




Cloak the port until these users authenticate
Issues to Address

• No firewall control
• Vulnerability management
• Provider image may not meet
  corporate standards
  – Configuration settings
  – Accounts
• Detect intrusions
Image Deployment

• Provider images usually not patched
• Some 3rd party images are pre-patched
  – To the time of the image's release
  – Which 3rd parties can you trust?
• Auto-patching usually disabled
• Some known vulnerabilities may not yet be patched
  – But it may be possible to mitigate the risk if it is known
Vulnerability Wire Testing

• Some providers have restrictions
  – May be limited by terms of service
  – May be limited to specific products
• Targeting concerns
  – What if your IPs are not contiguous?
  – What if the IP changes?
• Does not detect local exploits
Host Based Vulnerability Checking

• Validate compliance within the VM itself
• Can check remote and local vulnerabilities
• Typically lower cost to deploy
  – Less billable utilization
• Can give a false negative when a patch is installed but not yet loaded
  – Kernel updates that only take effect after a reboot
• This is the model Halo uses


Halo Software Risks




Issues to Address

• No firewall control
• Vulnerability management
• Provider image may not meet
  corporate standards
  – Configuration settings
  – Accounts
• Detect intrusions
Configuration Settings

• Are only required processes running?
  – Are they securely configured?
• Is password aging enforced?
• Is root permitted direct SSH access?
• Proper permissions on critical files?
• Is sudo or wheel properly configured?
• Any changes since deployment?

Creating A Halo Check




Halo Check Results




System Accounts

• What accounts are on the system?
• Did the provider modify the default
  accounts?
  – ec2-user
• Which accounts have root level access?
• Who has accounts on which servers?
• How do you add/delete accounts for
  many servers simultaneously?
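The configuration and account questions from the two slides above, turned into checks a tenant can run inside the VM. This is an added example, not CloudPassage or Halo code; the file contents, the 90-day aging policy and the UID-0 account "backup" are constructed for the demonstration.

```python
"""Host-side configuration and account checks for the slide questions above.
Added example, not CloudPassage or Halo code. Each check takes file *contents*
as a string so it runs offline on the constructed samples below; on a real
host you would read /etc/ssh/sshd_config, /etc/login.defs and /etc/passwd.
"""

# Constructed sample file contents, written to produce one finding per check.
SSHD_CONFIG = ("Port 22\n"
               "#PermitRootLogin prohibit-password\n"   # commented out, ignored
               "PermitRootLogin yes\n")
LOGIN_DEFS = "PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n"
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "ec2-user:x:1000:1000::/home/ec2-user:/bin/bash\n"
          "backup:x:0:0::/var/backups:/bin/sh\n")   # second UID-0 account

def _directive(text, key):
    """Return the last uncommented value of 'key value' in a config file, or None."""
    value = None
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            value = parts[1].strip()
    return value

def check_root_ssh(sshd_config):
    """Is root permitted direct SSH access? An unset directive is also a finding,
    because the effective default depends on the installed OpenSSH version."""
    value = _directive(sshd_config, "PermitRootLogin")
    safe = ("no", "prohibit-password", "without-password", "forced-commands-only")
    return [] if value in safe else [f"PermitRootLogin is {value!r}"]

def check_password_aging(login_defs, max_days=90):
    """Is password aging enforced? max_days is an assumed corporate policy value."""
    raw = _directive(login_defs, "PASS_MAX_DAYS")
    if raw is None or not raw.isdigit() or int(raw) > max_days:
        return [f"PASS_MAX_DAYS is {raw!r}, policy maximum is {max_days}"]
    return []

def check_root_accounts(passwd):
    """Which accounts have root-level access? Flags every UID-0 account besides root."""
    findings = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            findings.append(f"extra UID-0 account: {fields[0]}")
    return findings

def run_checks(sshd_config=SSHD_CONFIG, login_defs=LOGIN_DEFS, passwd=PASSWD):
    """Run all checks and return the list of findings (empty means compliant)."""
    return (check_root_ssh(sshd_config) + check_password_aging(login_defs)
            + check_root_accounts(passwd))
```

Calling `run_checks()` on the constructed samples returns three findings, one per check; substitute the real file contents to audit a deployed image.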
Halo Server Access




Expanded Details




Issues to Address

• No firewall control
• Vulnerability management
• Provider image may not meet
  corporate standards
  – Configuration settings
  – Accounts
• Detect intrusions
Clues To An Attack

• Some file changes indicate a compromise
• Static web server files
• /etc/passwd has new account
• /etc/sudoers has new entries
• ssh_known_hosts has new entries
• authorized_keys has new entries
• Halo uses SHA-256 to detect changes
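How SHA-256 based change detection over the files listed above works, as an added example that is not CloudPassage or Halo code. The watched root, the file contents and the "svc" account and key added after the baseline are all constructed for the demonstration.

```python
"""SHA-256 file-integrity baseline and change detection, the mechanism the slide
attributes to Halo. Added example, not CloudPassage or Halo code; it baselines a
constructed image in a temporary directory so it runs offline (a real deployment
would watch the slide's files and keep the baseline off the host)."""
import hashlib
import os
import tempfile

# Paths relative to the watched root; the slide's compromise-indicator files.
MONITORED = ["etc/passwd", "etc/sudoers", "etc/ssh/ssh_known_hosts",
             "root/.ssh/authorized_keys"]

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root, paths=MONITORED):
    """Map each monitored path to its hash, or None when the file is absent."""
    full = {rel: os.path.join(root, rel) for rel in paths}
    return {rel: sha256_file(p) if os.path.isfile(p) else None for rel, p in full.items()}

def compare(old, new):
    """Return {path: 'added' | 'removed' | 'modified'} for every path whose hash differs."""
    changes = {}
    for rel, old_hash in old.items():
        new_hash = new.get(rel)
        if old_hash != new_hash:
            changes[rel] = ("added" if old_hash is None else
                            "removed" if new_hash is None else "modified")
    return changes

def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(data)

def demo():
    """Constructed scenario: clean baseline, then a new passwd account and a new key file."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/sudoers", "root ALL=(ALL) ALL\n")
        _write(root, "etc/ssh/ssh_known_hosts", "")
        clean = baseline(root)
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\nsvc:x:0:0::/:/bin/sh\n")
        _write(root, "root/.ssh/authorized_keys", "ssh-ed25519 AAAA-constructed-key\n")
        return compare(clean, baseline(root))
```

`demo()` reports /etc/passwd as modified and the authorized_keys file as added while the unchanged sudoers and ssh_known_hosts files are not listed; a hash-only check says nothing about what changed, so the alert still has to be followed up by inspecting the file.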

Define Files to Check




Halo FIM Reporting




Event Reporting




Alert Reporting




Lab Time




Let’s Install Halo!


Start Here to Create an Account



