GARL, profile picture
Uploaded byGARL
PDF, PPTX639 views

Openstack: security beyond firewalls

The document discusses strategies for enhancing security in OpenStack environments, focusing on user identity protection in a distributed cloud model. It highlights the need for robust API security practices, the implementation of network namespaces for isolate services, and the necessity of strong authentication methods to guard against identity theft and cybercrime. A case study illustrates a practical application of these security measures for a user needing secure access to their virtual desktop from various locations.

Embed presentation

Download as PDF, PPTX
OpenStack: Security beyond firewalls MAKING THE CLOUD A SAFER SPACE Giuseppe “Gippa” Paternò, Network & Security NERD 30th May 2014 * OpenStackDay Italy Twitter: @gpaterno - Website: www.gpaterno.com
About me IT security products and virtualization services focused on identity protection on the Cloud, as the user is became the ultimate perimeter of a never ending distributed model. HQ based in Switzerland and whose servers are located in Switzerland. User privacy is protected by strict Swiss privacy regulations, no UE or US exceptions allowed. IT Architect and Security Expert with background in Open Source. Former Network and Security architect for Canonical, RedHat, Wind/ Infostrada, Sun Microsystems and IBM and Visiting Researcher at the University of Dublin Trinity College. Past projects: standard for J2ME Over-The-Air (OTA) provisioning along with Vodafone, the study of architecture and standards for the delivery of MHP applications for the digital terrestrial television (DTT) on behalf of DTT Lab (Telecom Italia/LA7) and implementation of HLR for Vodafone landline services. Lot of writings, mainly on computer security. CTO and Director of GARL, a multinational company based in Switzerland and UK, owner of SecurePass and SecureData. TM Secure Data beta BANK OF PASSWORDS
62% Increase breaches in 2013(1) 1 in 5 Organizations have experienced an APT attack (4) 3 Trillion$ Total global impact of cybercrime(3) 8 months Is the average time an advanced threat goes unnoticed on victim’s network(2) 2,5 billion Exposed records as results of a data breach in the past 5 years(5) 1,3,5: Increased cyber security can save global economy trillions, McKinsey/World Economic Forum, January 2014 2: M-Trends 2013: attack the security gap, Mandiant, March 2013 4: ISACA’s 2014 APT study, ISACA, April 2014. Source: ISACA Cyber Security Nexus Too many threats
Network APIs Identity Application OpenStack Domain Guest Domain OpenStack and Guest Security
Network Security (OpenStack built-in systems)
Linux Namespaces Used in OpenStack, widely adopted in Neutron, it was Originally created for Linux Control Groups (aka cgroups) PID namespaces isolate the process ID number space so that processes in different PID namespaces can have the same PID Network namespaces provide isolation of the system resources associated with networking User namespaces isolate the user and group ID number spaces. Mount namespaces isolate the set of filesystem mount points seen by a group of processes. Mentioning: IPC and Unix Time-Sharing (UTS) namespaces
Neutron Server runs on Controller, expose APIs, enforce network model, pass to Neutron Plugin Neutron Plugin runs on Controller, implements APIs, every vendor can create its own “implementation” (ex: Cisco, Juniper, ...) Plugin Agent, run on each compute node and connect instances to the virtual network Default implementation based on OpenVSwitch OpenFlow to be set as fundamental open protocol for building SDN OpenStack Neutron Software-Defined Network in OpenStack, it answer RESTful APIs. Still no “industry” standard for encapsulating VLANs over L3, VXLANs set to be a preferred choice but any vendor has its choice (ex: Juniper has MPLS over IP)
Namespaces enables multiple instances of a routing table to co-exist within the same Linux box Network namespaces make it possible to separate network domains (network interfaces, routing tables, iptables) into completely separate and independent virtual datacenters Advantage of namespaces implementation in Neutron is that tenants can create overlapping IP addresses and independent routing schema The neutron-l3-agent is designed to use network namespaces to provide multiple independent virtual routers per node. OpenStack Neutron and Network Namespaces
List Namespaces Show firewall rules in a virtual router Example of Network Namespaces # ip netns qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 qdhcp-bebd6bc8-2bd0-4bdd-890c-9657faf80444 # ip netns exec qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 iptables -L -vn Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
OpenStack Neutron L3 Agent
OpenStack Neutron FWaaS Firewall as a Service in Neutron Different from the Security Groups in the instance Default to IPtables support into tenant’s ip NameSpace
OpenStack Neutron VPNaaS Neutron has capability to handle per-tenant VPNs, named VPN-as-a-Service Based on IPSec, just implementing IKE with “PSK” authentication mode rather than using certificates Suited for site-to-site VPNs and provide Hybrid cloud Implemented on top of IP NameSpaces (“ip netns add vpn”) Draft exists on bringing OpenVPN to Neutron Not suited for “roadwarriors”, i.e. clients connection
OpenStack Neutron VPNaaS
APIs Security (OpenStack and Cloud Applications)
APIsApplication APIs APIs are your point of contact from external world, you must make them highly secure Firewall are not enough! Anything can be sent over HTTP/ HTTPS. REST, XML-RPC, ... Web-based APIs
Usernames and passwords, session tokens and API keys must never appear in the URL (Proxy caching and logging) Allow only selected HTTP methods Protect privileged actions and sensitive resource collections Validate inputs and enforce typing of values Validate incoming Content-Type and other headers Encrypt data in transit Validation also apply to payload: JSON, XML or whatsoever General APIs best practices
OpenStack APIs All OpenStack software is based on APIs, consumed from End customers and tools to access the platform programmatically Among OpenStack components, is a way of decoupling components implementations Easily from “curl” tools OpenStack Command Line tools REST clients OpenStack Software Development Kit (SDK) RESTFUL API
OpenStack APIs EndPoints
1. Obtain a Token curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens 2. Consume the API (through the obtained token): curl -i -X GET http://localhost:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: token" OpenStack APIs Workflow
The token request will reveal the endpoints URLs: Compute/Nova, S3,Image/ Glance, Volume/Cinder, EC2, Identity/Keystone Revealing the EndPoints
Isolate API endpoint processes, especially those that reside within the public security domain should be isolated as much as possible. API endpoints should be deployed on separate hosts for increased isolation. Apply Defense-in-Depth concept: configure services, host-based firewalls, local policy (SELinux or AppArmor), and optionally global network policy. Use Linux namespaces to assign processes into independent domains Use network ACLs and IDS technologies to enforce explicit point to point communication between network services (ex: wire-level ACLs in L3 switches) OpenStack APIs best practices
Isolate API endpoint processes from each other and other processes on a machine. Use Mandatory Access Controls (MAC) on top of Discretionary Access Controls to segregate processes, ex: SE-Linux Objective: containment and escalation of API endpoint security breaches. Use of MACs at the OS level severely limit access to resources and provide earlier alerting on such events. Mandatory Access Control in APIs
RESTful APIs, mixture of POST (in request) and JSON (in response), Channel encrypted with TLS high cypher, Based on APP ID and APP Secret Example: /api/v1/users/info Ex: SecurePass NG (Dreamliner) APIs Security in functionalities, APP ID read-only or read-write in network, APP ID can be limited to a given IPv4/IPv6 in domain, APP ID is linked to only a specific realm/ domain
Identity Security (OpenStack and Cloud Applications)
User management: keep tracks of users, roles and permissions Service catalog: Provide a catalog of what services are available and where the OpenStack APIs EndPoint are located OpenStack Keystone Provides Identity, Token, Catalog and policy services for uses inside the OpenStack family and implements OpenStack’s Identity APIs
Users A user represent a human user and has associated information such as username, password and e-mail Tenants A tenant can represent a customer, organization or a group. Roles A role is what operations a user is permitted to perform in a given tenant OpenStack Identity Management Keystone permit the following back-ends for IDMs: SQL Backend (SQLAlchemy, it’s python), PAM, LDAP and custom plugins
Catching username and passwords means reveal the whole OpenStack infrastructure and control it! $ curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/ tokens OpenStack Keystone
10 millionsof victims of identity theft in USA in 2008 (Javelin Strategy and Research, 2009) 221 billions $lost every year due to identity theft (Aberdeen Group) 35 billioncorporate and government records compromised in 2010 (Aberdeen Group) 2 years of a working resource to correct damages due to identity theft (ITRC Aftermath Study, 2004) 2 billions $damages reported in Italy in 2009 (Ricerca ABI) The victims of identity theft
Security must be simple and transparent to the end user, otherwise it will be circumvented! Identity best practices in applications Strong authentication of the users GeoIP Patches, patches and patches! Secure application programming
Hosted Apps Need of a central Cloud Control Cloud Orchestrator 2FA/SSO
<Directory /srv/www/myapp> AllowOverride None Order allow,deny allow from all AuthType CAS require spgroup mygroup@company.com </Directory> Example of Web identity protection Require access through the SecurePass SSO portal with 2FA Restrict to a dynamic group (with GeoIP)
Real-life example (aka Case Study)
My accountant has his desktop computer broken, he has no time to change it, need something “always available” and in a restricted budget He needs Windows for his accounting software He has no office and works from home sometimes, he needs to access his desktop from ideally from his TV He wants to connect from his customers’, but not always a computer available for him He need emergency way of accessing the desktop from customers’ or from Internet Cafes (ex: on holidays) Must provide a secure access as he holds very confidential data Case Study: Overview & Requirements
From home, access the platform with an Android Mini-PC on existing HDMI TV, keyboard and a VPN with Mikrotik device (Equipment ~120 EUR) When at customer, access the platform with the existing Samsung Android tablet. Added bluetooth Keyboard + Mouse and OpenVPN (K+M ~60 EUR) Emergency access provided with an RDP HTML5 gateway OpenStack as the operational platform SecurePass as a security mechanism to protect access to his virtual desktop Case Study: Solution Virtualize his existing desktop system
Case Study: Overall Schema
2FA RDP over HTML5 OpenVPN Windows Machine (RDP) Web Browser OpenVPN on Android + RDP Client Appliance details
Acknowledgments TM Demo hosted by powered by teuto.net www.ostack.de Security provided by www.secure-pass.net
Thank you MAKING THE CLOUD A SAFER SPACE

More Related Content

PPT
Shmoocon 2013 - OpenStack Security Brief
byopenfly
 
PDF
OpenStack: Security Beyond Firewalls
byGiuseppe Paterno'
 
PPTX
Openstack security presentation 2013
bybrian_chong
 
PDF
Holistic Security for OpenStack Clouds
byMajor Hayden
 
PPTX
IPsec with AH
byjtlevesque
 
PPTX
Intro to the FIWARE Lab
byFIWARE
 
PDF
I psec cisco
byDeepak296
 
PDF
HP Helion Webinar #5 - Security Beyond Firewalls
byBeMyApp
 
Shmoocon 2013 - OpenStack Security Brief
byopenfly
 
OpenStack: Security Beyond Firewalls
byGiuseppe Paterno'
 
Openstack security presentation 2013
bybrian_chong
 
Holistic Security for OpenStack Clouds
byMajor Hayden
 
IPsec with AH
byjtlevesque
 
Intro to the FIWARE Lab
byFIWARE
 
I psec cisco
byDeepak296
 
HP Helion Webinar #5 - Security Beyond Firewalls
byBeMyApp
 

What's hot

PDF
OpenStack Security
byopenstackindia
 
PPTX
IPsec vpn
bysharetech
 
PPTX
IPSec VPN & IPSec Protocols
byNetProtocol Xpert
 
PPTX
Ipsec 2
bySourabh Badve
 
PPTX
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
byNetProtocol Xpert
 
PPT
Ipsec
byBaidyanath Dutta
 
PDF
9(1)
bysruthi c
 
PDF
Linux Security Quick Reference Guide
bywensheng wei
 
PPTX
Ip security
byNaveen Dubey
 
PPTX
Developing an IoT System FIWARE Based from the Scratch
byFIWARE
 
PPTX
Setting up your virtual infrastructure using FIWARE Lab Cloud
byFernando Lopez Aguilar
 
PPT
Ipsec vpn v0.1
bySankaranarayanan Subramanian
 
PDF
IPSec VPN Tutorial Part1
byAbdallah Abuouf
 
PPT
Ip sec and ssl
byMohd Arif
 
PDF
Join FIWARE Lab
byFederico Michele Facca
 
PPTX
Internet Key Exchange Protocol
byPrateek Singh Bapna
 
DOCX
Crypto map based IPsec VPN fundamentals - negotiation and configuration
bydborsan
 
PDF
IS Unit 8_IP Security and Email Security
bySarthak Patel
 
PPT
Ipsec
byRupesh Mishra
 
OpenStack Security
byopenstackindia
 
IPsec vpn
bysharetech
 
IPSec VPN & IPSec Protocols
byNetProtocol Xpert
 
Ipsec 2
bySourabh Badve
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
byNetProtocol Xpert
 
Ipsec
byBaidyanath Dutta
 
9(1)
bysruthi c
 
Linux Security Quick Reference Guide
bywensheng wei
 
Ip security
byNaveen Dubey
 
Developing an IoT System FIWARE Based from the Scratch
byFIWARE
 
Setting up your virtual infrastructure using FIWARE Lab Cloud
byFernando Lopez Aguilar
 
Ipsec vpn v0.1
bySankaranarayanan Subramanian
 
IPSec VPN Tutorial Part1
byAbdallah Abuouf
 
Ip sec and ssl
byMohd Arif
 
Join FIWARE Lab
byFederico Michele Facca
 
Internet Key Exchange Protocol
byPrateek Singh Bapna
 
Crypto map based IPsec VPN fundamentals - negotiation and configuration
bydborsan
 
IS Unit 8_IP Security and Email Security
bySarthak Patel
 
Ipsec
byRupesh Mishra
 

Similar to Openstack: security beyond firewalls

PDF
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
 
PPTX
Building IAM for OpenStack
bySteve Martinelli
 
PPT
Openstack presentation
bySankalp Jain
 
PPTX
Workshop - Openstack, Cloud Computing, Virtualization
byJayaprakash R
 
PPTX
Openstack workshop @ Kalasalingam
byBeny Raja
 
PPTX
Some Advanced OpenStack Overview Document
byTrungPhamVan10
 
PDF
Cloud Architect Alliance #15: Openstack
byMicrosoft
 
PDF
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
bySadique Puthen
 
PDF
Openstackinsideoutv10 140222065532-phpapp01
bysprdd
 
PDF
OpenStack: Inside Out
byEtsuji Nakai
 
PPT
OpenStack - Security Professionals Information Exchange
byCybera Inc.
 
PDF
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
bymarkmcclain
 
PPTX
Aptira presents OpenStack keystone identity service
byOpenStack
 
PPT
OpenStack - An Overview
bygraziol
 
PDF
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
 
PDF
NaaS in OpenStack - CloudCamp Moscow
byIlya Alekseyev
 
PDF
Chef and OpenStack Workshop from ChefConf 2013
byMatt Ray
 
PPTX
Power of OpenStack & Hadoop
byTuan Yang
 
PPTX
Openstack: starter level
byAlessandro Martellone
 
PPTX
7 - Introduction to OpenStack & SDN by Ady Saputra
bySDNRG ITB
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
 
Building IAM for OpenStack
bySteve Martinelli
 
Openstack presentation
bySankalp Jain
 
Workshop - Openstack, Cloud Computing, Virtualization
byJayaprakash R
 
Openstack workshop @ Kalasalingam
byBeny Raja
 
Some Advanced OpenStack Overview Document
byTrungPhamVan10
 
Cloud Architect Alliance #15: Openstack
byMicrosoft
 
Openstack on Fedora, Fedora on Openstack: An Introduction to cloud IaaS
bySadique Puthen
 
Openstackinsideoutv10 140222065532-phpapp01
bysprdd
 
OpenStack: Inside Out
byEtsuji Nakai
 
OpenStack - Security Professionals Information Exchange
byCybera Inc.
 
ONUG Tutorial: Bridges and Tunnels Drive Through OpenStack Networking
bymarkmcclain
 
Aptira presents OpenStack keystone identity service
byOpenStack
 
OpenStack - An Overview
bygraziol
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
 
NaaS in OpenStack - CloudCamp Moscow
byIlya Alekseyev
 
Chef and OpenStack Workshop from ChefConf 2013
byMatt Ray
 
Power of OpenStack & Hadoop
byTuan Yang
 
Openstack: starter level
byAlessandro Martellone
 
7 - Introduction to OpenStack & SDN by Ady Saputra
bySDNRG ITB
 

Recently uploaded

PDF
December Patch Tuesday
byIvanti
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PPTX
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
December Patch Tuesday
byIvanti
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Cybercrime in the Digital Age: Risks, Impact & Protection
byYasir Naveed Riaz
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
ElyriaSoftware — Powering the Future with Blockchain Innovation
byElyria Software
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 

Openstack: security beyond firewalls

  • 1.
    OpenStack: Security beyondfirewalls MAKING THE CLOUD A SAFER SPACE Giuseppe “Gippa” Paternò, Network & Security NERD 30th May 2014 * OpenStackDay Italy Twitter: @gpaterno - Website: www.gpaterno.com
  • 2.
    About me IT securityproducts and virtualization services focused on identity protection on the Cloud, as the user is became the ultimate perimeter of a never ending distributed model. HQ based in Switzerland and whose servers are located in Switzerland. User privacy is protected by strict Swiss privacy regulations, no UE or US exceptions allowed. IT Architect and Security Expert with background in Open Source. Former Network and Security architect for Canonical, RedHat, Wind/ Infostrada, Sun Microsystems and IBM and Visiting Researcher at the University of Dublin Trinity College. Past projects: standard for J2ME Over-The-Air (OTA) provisioning along with Vodafone, the study of architecture and standards for the delivery of MHP applications for the digital terrestrial television (DTT) on behalf of DTT Lab (Telecom Italia/LA7) and implementation of HLR for Vodafone landline services. Lot of writings, mainly on computer security. CTO and Director of GARL, a multinational company based in Switzerland and UK, owner of SecurePass and SecureData. TM Secure Data beta BANK OF PASSWORDS
  • 3.
    62% Increase breaches in 2013(1) 1in 5 Organizations have experienced an APT attack (4) 3 Trillion$ Total global impact of cybercrime(3) 8 months Is the average time an advanced threat goes unnoticed on victim’s network(2) 2,5 billion Exposed records as results of a data breach in the past 5 years(5) 1,3,5: Increased cyber security can save global economy trillions, McKinsey/World Economic Forum, January 2014 2: M-Trends 2013: attack the security gap, Mandiant, March 2013 4: ISACA’s 2014 APT study, ISACA, April 2014. Source: ISACA Cyber Security Nexus Too many threats
  • 4.
    Network APIs IdentityApplication OpenStack Domain Guest Domain OpenStack and Guest Security
  • 5.
  • 6.
    Linux Namespaces Used inOpenStack, widely adopted in Neutron, it was Originally created for Linux Control Groups (aka cgroups) PID namespaces isolate the process ID number space so that processes in different PID namespaces can have the same PID Network namespaces provide isolation of the system resources associated with networking User namespaces isolate the user and group ID number spaces. Mount namespaces isolate the set of filesystem mount points seen by a group of processes. Mentioning: IPC and Unix Time-Sharing (UTS) namespaces
  • 7.
    Neutron Server runson Controller, expose APIs, enforce network model, pass to Neutron Plugin Neutron Plugin runs on Controller, implements APIs, every vendor can create its own “implementation” (ex: Cisco, Juniper, ...) Plugin Agent, run on each compute node and connect instances to the virtual network Default implementation based on OpenVSwitch OpenFlow to be set as fundamental open protocol for building SDN OpenStack Neutron Software-Defined Network in OpenStack, it answer RESTful APIs. Still no “industry” standard for encapsulating VLANs over L3, VXLANs set to be a preferred choice but any vendor has its choice (ex: Juniper has MPLS over IP)
  • 8.
    Namespaces enables multiple instancesof a routing table to co-exist within the same Linux box Network namespaces make it possible to separate network domains (network interfaces, routing tables, iptables) into completely separate and independent virtual datacenters Advantage of namespaces implementation in Neutron is that tenants can create overlapping IP addresses and independent routing schema The neutron-l3-agent is designed to use network namespaces to provide multiple independent virtual routers per node. OpenStack Neutron and Network Namespaces
  • 9.
    List Namespaces Show firewallrules in a virtual router Example of Network Namespaces # ip netns qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 qdhcp-bebd6bc8-2bd0-4bdd-890c-9657faf80444 # ip netns exec qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 iptables -L -vn Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
  • 10.
  • 11.
    OpenStack Neutron FWaaS Firewallas a Service in Neutron Different from the Security Groups in the instance Default to IPtables support into tenant’s ip NameSpace
  • 12.
    OpenStack Neutron VPNaaS Neutronhas capability to handle per-tenant VPNs, named VPN-as-a-Service Based on IPSec, just implementing IKE with “PSK” authentication mode rather than using certificates Suited for site-to-site VPNs and provide Hybrid cloud Implemented on top of IP NameSpaces (“ip netns add vpn”) Draft exists on bringing OpenVPN to Neutron Not suited for “roadwarriors”, i.e. clients connection
  • 13.
  • 14.
    APIs Security (OpenStack andCloud Applications)
  • 15.
    APIsApplication APIs APIs are yourpoint of contact from external world, you must make them highly secure Firewall are not enough! Anything can be sent over HTTP/ HTTPS. REST, XML-RPC, ... Web-based APIs
  • 16.
    Usernames and passwords,session tokens and API keys must never appear in the URL (Proxy caching and logging) Allow only selected HTTP methods Protect privileged actions and sensitive resource collections Validate inputs and enforce typing of values Validate incoming Content-Type and other headers Encrypt data in transit Validation also apply to payload: JSON, XML or whatsoever General APIs best practices
  • 17.
    OpenStack APIs All OpenStacksoftware is based on APIs, consumed from End customers and tools to access the platform programmatically Among OpenStack components, is a way of decoupling components implementations Easily from “curl” tools OpenStack Command Line tools REST clients OpenStack Software Development Kit (SDK) RESTFUL API
  • 18.
  • 19.
    1. Obtain aToken curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens 2. Consume the API (through the obtained token): curl -i -X GET http://localhost:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: token" OpenStack APIs Workflow
  • 20.
    The token requestwill reveal the endpoints URLs: Compute/Nova, S3,Image/ Glance, Volume/Cinder, EC2, Identity/Keystone Revealing the EndPoints
  • 21.
    Isolate API endpoint processes,especially those that reside within the public security domain should be isolated as much as possible. API endpoints should be deployed on separate hosts for increased isolation. Apply Defense-in-Depth concept: configure services, host-based firewalls, local policy (SELinux or AppArmor), and optionally global network policy. Use Linux namespaces to assign processes into independent domains Use network ACLs and IDS technologies to enforce explicit point to point communication between network services (ex: wire-level ACLs in L3 switches) OpenStack APIs best practices
  • 22.
    Isolate API endpointprocesses from each other and other processes on a machine. Use Mandatory Access Controls (MAC) on top of Discretionary Access Controls to segregate processes, ex: SE-Linux Objective: containment and escalation of API endpoint security breaches. Use of MACs at the OS level severely limit access to resources and provide earlier alerting on such events. Mandatory Access Control in APIs
  • 23.
    RESTful APIs, mixtureof POST (in request) and JSON (in response), Channel encrypted with TLS high cypher, Based on APP ID and APP Secret Example: /api/v1/users/info Ex: SecurePass NG (Dreamliner) APIs Security in functionalities, APP ID read-only or read-write in network, APP ID can be limited to a given IPv4/IPv6 in domain, APP ID is linked to only a specific realm/ domain
  • 24.
  • 25.
    User management: keeptracks of users, roles and permissions Service catalog: Provide a catalog of what services are available and where the OpenStack APIs EndPoint are located OpenStack Keystone Provides Identity, Token, Catalog and policy services for uses inside the OpenStack family and implements OpenStack’s Identity APIs
  • 26.
    Users A user representa human user and has associated information such as username, password and e-mail Tenants A tenant can represent a customer, organization or a group. Roles A role is what operations a user is permitted to perform in a given tenant OpenStack Identity Management Keystone permit the following back-ends for IDMs: SQL Backend (SQLAlchemy, it’s python), PAM, LDAP and custom plugins
  • 27.
    Catching username and passwordsmeans reveal the whole OpenStack infrastructure and control it! $ curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/ tokens OpenStack Keystone
  • 28.
    10 millionsof victimsof identity theft in USA in 2008 (Javelin Strategy and Research, 2009) 221 billions $lost every year due to identity theft (Aberdeen Group) 35 billioncorporate and government records compromised in 2010 (Aberdeen Group) 2 years of a working resource to correct damages due to identity theft (ITRC Aftermath Study, 2004) 2 billions $damages reported in Italy in 2009 (Ricerca ABI) The victims of identity theft
  • 29.
    Security must be simpleand transparent to the end user, otherwise it will be circumvented! Identity best practices in applications Strong authentication of the users GeoIP Patches, patches and patches! Secure application programming
  • 30.
    Hosted Apps Need ofa central Cloud Control Cloud Orchestrator 2FA/SSO
  • 31.
    <Directory /srv/www/myapp> AllowOverride None Orderallow,deny allow from all AuthType CAS require spgroup mygroup@company.com </Directory> Example of Web identity protection Require access through the SecurePass SSO portal with 2FA Restrict to a dynamic group (with GeoIP)
  • 32.
  • 33.
    My accountant hashis desktop computer broken, he has no time to change it, need something “always available” and in a restricted budget He needs Windows for his accounting software He has no office and works from home sometimes, he needs to access his desktop from ideally from his TV He wants to connect from his customers’, but not always a computer available for him He need emergency way of accessing the desktop from customers’ or from Internet Cafes (ex: on holidays) Must provide a secure access as he holds very confidential data Case Study: Overview & Requirements
  • 34.
    From home, accessthe platform with an Android Mini-PC on existing HDMI TV, keyboard and a VPN with Mikrotik device (Equipment ~120 EUR) When at customer, access the platform with the existing Samsung Android tablet. Added bluetooth Keyboard + Mouse and OpenVPN (K+M ~60 EUR) Emergency access provided with an RDP HTML5 gateway OpenStack as the operational platform SecurePass as a security mechanism to protect access to his virtual desktop Case Study: Solution Virtualize his existing desktop system
  • 35.
  • 36.
  • 37.
    Acknowledgments TM Demo hosted by poweredby teuto.net www.ostack.de Security provided by www.secure-pass.net
  • 38.
    Thank you MAKING THECLOUD A SAFER SPACE