Priti Desai, profile picture
Uploaded byPriti Desai
PPTX, PDF1,029 views

Secure Keystone Deployment

The document discusses best practices for deploying a secure Keystone in OpenStack, highlighting the critical nature of Keystone security in managing access to cloud services. It covers risks such as credential theft and insecure file permissions, along with mitigation strategies, including secure communication, restricting file access, and managing admin privileges. Key vulnerabilities identified include denial of service attacks and leaking sensitive information, which can be addressed through configuration changes and upgrades.

Embed presentation

Downloaded 41 times
Secure Keystone Deployment: Lessons Learned and Best Practices Priti Desai Sr. Software Engineer Secure Keystone Deployment 1
The Symantec Team • Cloud Platform Engineering – We are building a consolidated cloud platform that provides infrastructure and platform services for next generation Symantec products and services • Me – In Security for over 6 years – Symantec Insight - Reputation Based Security – Symantec Data Analytics Platform – OpenStack Engineer - Keystone – OpenStack Security Group – Cop Open Source Secure Keystone Deployment 2
OpenStack Security Group Secure Keystone Deployment 3 security notes Retrieved from http://www.openstack.orgRetrieved from http://docs.openstack.org
Secure Keystone Deployment Why is Keystone security critical? What is Keystone? How is Authentication process implemented in Keystone? How is Authorization mechanism implemented in OpenStack?
AuthN Overview Secure Keystone Deployment 5 Cloud User Cloud User Identity (SQL/LDAP) Keystone Token (SQL) Identity (SQL/LDAP) Keystone Token (SQL) Request sent with Username and Password Verify username and password (hash of password) Successful verification Request metadata for user tenant relationship Assignment (SQL) Assignment (SQL) User tenant relationship information Request to generate new token Response with new token Response with token
AuthZ Overview Secure Keystone Deployment 6 Cloud User Cloud User Keystone OpenStack Service Keystone OpenStack Service Request sent with session token Verify session token Successful verification Is this token correct? Does it allow the service usage? Service executes the request Response with success
Secure Keystone Deployment Why is Keystone security critical? Does it store/transmit any sensitive information? What kind of cloud asset does it store? Is any type of attack possible on Keystone? Can it bring down the entire cloud?
Keystone Security is Critical Secure Keystone Deployment 8 • Gatekeeper • Access to OpenStack Cloud • Assets • Users • Passwords • Tokens • Roles • Catalog • Vulnerable to DoS Retrieved from http://internet.phillipmartin.info Retrieved from http://blogs.citypages.com Retrieved from http://assets.nydailynews.com
What was our approach to identifying key vulnerabilities? Secure Keystone Deployment 9
Security Risks Secure Keystone Deployment 10 • Global Security Office  Threat Model  Penetration Tests  Traceability Matrix Retrieved from http://www.technetics.com.au
Threat Model Secure Keystone Deployment 11
Secure Keystone Deployment 12 Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privileges Threat Model
What kind of security deficiencies did we discover? Secure Keystone Deployment 13
Secure Keystone Deployment 14 Attack: Keystone user credential theft Attack: Insecure file permissions on Keystone.conf Keystone.conf Attack: Access to cloud admin privileges for almost free Attack: Leaking sensitive data in log messages Attack: DoS – Authentication chaining - Havana Attack: Unauthorized access to MySQL database Many more …
Traceability Matrix Secure Keystone Deployment 15 ✖ ✖ ✖
Keystone User Credential Theft Secure Keystone Deployment 16
Mitigate: Secure Communication - SSL Secure Keystone Deployment 17 Hardware Load Balancer Hardware Load Balancer Keystone KeystoneKeystone SSL Client SSL Server SSL Client SSL Server mod_ssl 35357/SSL 5000/SSL mod_ssl 35357/SSL 5000/SSL mod_ssl 35357/SSL 5000/SSL Public API Admin API
Insecure file permissions on Keystone.conf Secure Keystone Deployment 18 Mitigate: • Restrict ownership to service user - chown keystone:keystone /etc/keystone/keystone.conf • Restrict to read and write by the owner - chmod 640 /etc/keystone/keystone.conf hostnameabc hostnameabc hostnameabcuser user user
Access to admin privileges is almost free Secure Keystone Deployment 19 • Service Token • Bootstrap Keystone • Cloud admin privileges • Register bad service/endpoints
Mitigate: Disable Service Token • Comment out admin_token from /etc/keystone/keystone.conf: admin_token=e2112effd3ff05b8c88ad14e096e6615 • Remove admin token auth middleware from /etc/keystone/keystone-paste.ini: [filter:admin_token_auth] paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory Secure Keystone Deployment 20
Who is the cloud admin now? Secure Keystone Deployment 21
Create Cloud Admin • Leveraging Keystone Domain • Before disabling service token: • Create a domain “cloud_admin_domain” • Grant “admin” role to appropriate user “Bob Smith” • Update keystone policy.json file: • Replace: "cloud_admin": [["rule:admin_required", "domain_id:admin_domain_id"]], • With: "cloud_admin”: [["rule:admin_required”,"domain_id:<cloud_admin_domain_id>"]], Secure Keystone Deployment 22
Leaking Sensitive Information in Log Messages • Debug mode include plaintext request logging • Passwords • Tokens • Mitigate: • Disable debug mode in keystone.conf with: • With debug mode ON, upgrade keystone client: • python-keystoneclient >= 0.10.1 (OSSN-0024) Secure Keystone Deployment 23 [DEFAULT] debug=False
Leaking Sensitive Information in Log Messages Identity API V2 - INFO level logs contains auth tokens (OSSN-0023) Mitigate: • Set the log level to WARN in logging.conf: Secure Keystone Deployment 24 [handler_file] class = FileHandler Level = WARN
Keystone DoS Attack Identity API V3 – Authentication Chaining – CVE-2014-2828 Secure Keystone Deployment 25
Keystone DoS Attack Mitigate: • Impacted Versions: from 2013.1 to 2013.2.3 • Patch applied during IceHouse rc2 • Upgrade Keystone >= 2013.2.4 Secure Keystone Deployment 26
Q&A Let’s talk… Secure Keystone Deployment 27
Thank You Priti Desai Priti_Desai@symantec.com @pritidesai8
References • http://docs.openstack.org/developer/keystone/ • https://blog-nkinder.rhcloud.com/?p=7 • https://blueprints.launchpad.net/keystone/+spec/service-scoped- tokens • http://docs.openstack.org/sec/ • http://www.florentflament.com/blog/setting-keystone-v3- domains.html • https://wiki.openstack.org/wiki/Security_Notes Secure Keystone Deployment 29
References (Images) • Crime Identity Theft: http://internet.phillipmartin.info/crime_identity_theft.gif • Computer Theft: http://blogs.citypages.com/blotter/Computer%20theft.gif • Mickey Washington ID: http://assets.nydailynews.com/polopoly_fs/1.1864391!/img/httpImage/image.jpg_gen/de rivatives/article_970/mickey13n-1-web.jpg • Threat, Asset, and Vulnerability: http://www.technetics.com.au/images/easyblog_images/79/b2ap3_thumbnail_manage_y our_risk_400_20140924-122014_1.jpg • Openstack security Notes: http://www.openstack.org/assets/openstack-logo/openstack- one-color-alt.pdf • OpenStack security Guide: http://docs.openstack.org/common/images/openstack- security-guide.jpg Secure Keystone Deployment 30

More Related Content

PDF
Keystone: Federated
byjamielennox
 
PPTX
OpenStack Toronto Meetup - Keystone 101
bySteve Martinelli
 
ODP
OpenStack keystone identity service
byopenstackindia
 
PPTX
Building IAM for OpenStack
bySteve Martinelli
 
PPTX
Deep Dive into Keystone Tokens and Lessons Learned
byPriti Desai
 
PPTX
OpenStack Keystone
byDeepti Ramakrishna
 
PPTX
Keystone - Openstack Identity Service
byPrasad Mukhedkar
 
PDF
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
 
Keystone: Federated
byjamielennox
 
OpenStack Toronto Meetup - Keystone 101
bySteve Martinelli
 
OpenStack keystone identity service
byopenstackindia
 
Building IAM for OpenStack
bySteve Martinelli
 
Deep Dive into Keystone Tokens and Lessons Learned
byPriti Desai
 
OpenStack Keystone
byDeepti Ramakrishna
 
Keystone - Openstack Identity Service
byPrasad Mukhedkar
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
 

What's hot

PPTX
OpenStack GDL : Hacking keystone | 20 Octubre 2014
byVictor Morales
 
PDF
OpenStack keystone identity service
byopenstackindia
 
PPTX
Integrating OpenStack with Active Directory
bycjellick
 
PDF
Keystone Federation
byopenstackindia
 
PPTX
Security_of_openstack_keystone
byUT, San Antonio
 
PDF
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
 
PDF
CIS 2015- Building IAM for OpenStack- Steve Martinelli
byCloudIDSummit
 
PDF
Keystone deep dive 1
byJsonr4
 
PDF
OpenStack Security
byopenstackindia
 
PDF
CIS13: OpenStack API Security
byCloudIDSummit
 
PDF
Openstack Keystone
byKamesh Pemmaraju
 
PPTX
OpenStack Glance
byopenstackstl
 
PPTX
Various Types of OpenSSL Commands and Keytool
byCheapSSLsecurity
 
PDF
Openstack_administration
byAshish Sharma
 
PPTX
Types of ssl commands and keytool
byCheapSSLsecurity
 
PPTX
Leveraging the strength of OSGi to deliver a convergent IoT Ecosystem - O Log...
bymfrancis
 
PDF
Attacking and Defending Kubernetes - Nithin Jois
byOWASP Hacker Thursday
 
PDF
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
byLucidworks
 
PDF
Shield talk elasticsearch meetup Zurich 27.05.2015
byem_mu
 
PPTX
Fiware cloud developers week brussels
byFernando Lopez Aguilar
 
OpenStack GDL : Hacking keystone | 20 Octubre 2014
byVictor Morales
 
OpenStack keystone identity service
byopenstackindia
 
Integrating OpenStack with Active Directory
bycjellick
 
Keystone Federation
byopenstackindia
 
Security_of_openstack_keystone
byUT, San Antonio
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
byLorenzo Carnevale
 
CIS 2015- Building IAM for OpenStack- Steve Martinelli
byCloudIDSummit
 
Keystone deep dive 1
byJsonr4
 
OpenStack Security
byopenstackindia
 
CIS13: OpenStack API Security
byCloudIDSummit
 
Openstack Keystone
byKamesh Pemmaraju
 
OpenStack Glance
byopenstackstl
 
Various Types of OpenSSL Commands and Keytool
byCheapSSLsecurity
 
Openstack_administration
byAshish Sharma
 
Types of ssl commands and keytool
byCheapSSLsecurity
 
Leveraging the strength of OSGi to deliver a convergent IoT Ecosystem - O Log...
bymfrancis
 
Attacking and Defending Kubernetes - Nithin Jois
byOWASP Hacker Thursday
 
State of Solr Security 2016: Presented by Ishan Chattopadhyaya, Lucidworks
byLucidworks
 
Shield talk elasticsearch meetup Zurich 27.05.2015
byem_mu
 
Fiware cloud developers week brussels
byFernando Lopez Aguilar
 

Similar to Secure Keystone Deployment

PPTX
Openstack security presentation 2013
bybrian_chong
 
PDF
Open stack identity project update (havana) (1)
byDolph Mathews
 
PPTX
Aptira presents OpenStack keystone identity service
byOpenStack
 
PPTX
Identity service keystone ppt
byuniversity of Gujrat, pakistan
 
PPTX
Identity in Openstack Icehouse
byDavid Waite
 
PDF
DCSF19 Container Security: Theory & Practice at Netflix
byDocker, Inc.
 
PDF
Keystone at openstack multi sites
byVietnam Open Infrastructure User Group
 
PDF
Nebula Webinar | Private Cloud Security: Practical Solutions for a Challengin...
byNebulaInc
 
PPTX
PKI token as a secure mechanism of Keystone authentication system for OpenStack
byshaerraezzaty
 
PDF
OpenStack: Security Beyond Firewalls
byGiuseppe Paterno'
 
PDF
Openstack: security beyond firewalls
byGARL
 
PPT
OpenStack - Security Professionals Information Exchange
byCybera Inc.
 
PDF
Holistic Security for OpenStack Clouds
byMajor Hayden
 
PDF
Keystone project onboarding
byColleen_Murphy
 
PPTX
Europe Cloud Summit - Security hardening of public cloud services
byRuncy Oommen
 
PDF
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
byNoNameCon
 
PDF
UKC - Msc Project - Providing Moonshot access to OpenStack
byVincent Giersch
 
PPT
Shmoocon 2013 - OpenStack Security Brief
byopenfly
 
PPTX
001 - Get acquainted with the AWS platform -- hide01.ir.pptx
bynitinscribd
 
PDF
Securing your telco cloud
byOPNFV
 
Openstack security presentation 2013
bybrian_chong
 
Open stack identity project update (havana) (1)
byDolph Mathews
 
Aptira presents OpenStack keystone identity service
byOpenStack
 
Identity service keystone ppt
byuniversity of Gujrat, pakistan
 
Identity in Openstack Icehouse
byDavid Waite
 
DCSF19 Container Security: Theory & Practice at Netflix
byDocker, Inc.
 
Keystone at openstack multi sites
byVietnam Open Infrastructure User Group
 
Nebula Webinar | Private Cloud Security: Practical Solutions for a Challengin...
byNebulaInc
 
PKI token as a secure mechanism of Keystone authentication system for OpenStack
byshaerraezzaty
 
OpenStack: Security Beyond Firewalls
byGiuseppe Paterno'
 
Openstack: security beyond firewalls
byGARL
 
OpenStack - Security Professionals Information Exchange
byCybera Inc.
 
Holistic Security for OpenStack Clouds
byMajor Hayden
 
Keystone project onboarding
byColleen_Murphy
 
Europe Cloud Summit - Security hardening of public cloud services
byRuncy Oommen
 
Stanislav Kolenkin & Igor Khoroshchenko - Knock Knock: Security threats with ...
byNoNameCon
 
UKC - Msc Project - Providing Moonshot access to OpenStack
byVincent Giersch
 
Shmoocon 2013 - OpenStack Security Brief
byopenfly
 
001 - Get acquainted with the AWS platform -- hide01.ir.pptx
bynitinscribd
 
Securing your telco cloud
byOPNFV
 

Recently uploaded

PPTX
Fitting Infiltration Models to Infiltration using Excel (1).pptx
byTomNickoRivera1
 
PDF
AWS Re:Invent 2025 Recap by FivexL - Guilherme, Vladimir, Andrey
byAndrey Devyatkin
 
PDF
Shear Strength of Soil/Mohr Coulomb Failure Criteria-1.pdf
byMahmoodKhalid11
 
PDF
Shear Strength of Soil (Direct shear test).pdf
byMahmoodKhalid11
 
PDF
CME397 SURFACE ENGINEERING UNIT 2 FULL NOTES
bykarthi keyan
 
PDF
Applications of AI in Civil Engineering - Dr. Rohan Dasgupta
byRohan Dasgupta
 
PDF
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 3.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 
PDF
Model QP 2025 scheme Q &A- Module 1 and 2.pdf
bySURESHA V
 
PPTX
How Does LNG Regasification Work | INOXCVA
byINOXCVA
 
PPTX
What Green Hydrogen Is Definition: Hydrogen produced via electrolysis of wate...
byThit57
 
PDF
Module 4 python programming-1BPLCK105B-2025 by Dr.SV.pdf
bySURESHA V
 
PDF
Rajesh Prasad- Brief Profile with educational, professional highlights
byRajesh Prasad
 
PPTX
ME3592 - Metrology and Measurements - Unit - 1 - Lecture Notes
bypprakash21252
 
PPTX
1.Module 4-Clamping of jigs and fixtures for manufacturing.pptx
bycondieki
 
PDF
Infinite Sequence and Series: It Includes basic Sequence and Series
byDynamicDomain1
 
PDF
Industrial Tools Manufacturers In India : Torso Tools
bytorsotools8
 
PPT
Momentum and collisions in physics or engineering
byazizrahmanhakimi
 
PPTX
Why TPM Succeeds in Some Plants and Struggles in Others | MaintWiz
byMaintWiz Technologies Private Limited
 
PPTX
Day 3 Module 5_Optical fiber Network (operation and management).pptx
bySachayaG
 
PDF
Plasticity and Structure of Soil/Atterberg Limits.pdf
byMahmoodKhalid11
 
Fitting Infiltration Models to Infiltration using Excel (1).pptx
byTomNickoRivera1
 
AWS Re:Invent 2025 Recap by FivexL - Guilherme, Vladimir, Andrey
byAndrey Devyatkin
 
Shear Strength of Soil/Mohr Coulomb Failure Criteria-1.pdf
byMahmoodKhalid11
 
Shear Strength of Soil (Direct shear test).pdf
byMahmoodKhalid11
 
CME397 SURFACE ENGINEERING UNIT 2 FULL NOTES
bykarthi keyan
 
Applications of AI in Civil Engineering - Dr. Rohan Dasgupta
byRohan Dasgupta
 
PROBLEM SLOVING AND PYTHON PROGRAMMING UNIT 3.pdf
byA R SIVANESH M.E., QIP-PG (Cyber Security)., (Ph.D)
 
Model QP 2025 scheme Q &A- Module 1 and 2.pdf
bySURESHA V
 
How Does LNG Regasification Work | INOXCVA
byINOXCVA
 
What Green Hydrogen Is Definition: Hydrogen produced via electrolysis of wate...
byThit57
 
Module 4 python programming-1BPLCK105B-2025 by Dr.SV.pdf
bySURESHA V
 
Rajesh Prasad- Brief Profile with educational, professional highlights
byRajesh Prasad
 
ME3592 - Metrology and Measurements - Unit - 1 - Lecture Notes
bypprakash21252
 
1.Module 4-Clamping of jigs and fixtures for manufacturing.pptx
bycondieki
 
Infinite Sequence and Series: It Includes basic Sequence and Series
byDynamicDomain1
 
Industrial Tools Manufacturers In India : Torso Tools
bytorsotools8
 
Momentum and collisions in physics or engineering
byazizrahmanhakimi
 
Why TPM Succeeds in Some Plants and Struggles in Others | MaintWiz
byMaintWiz Technologies Private Limited
 
Day 3 Module 5_Optical fiber Network (operation and management).pptx
bySachayaG
 
Plasticity and Structure of Soil/Atterberg Limits.pdf
byMahmoodKhalid11
 

Secure Keystone Deployment

  • 1.
    Secure Keystone Deployment: LessonsLearned and Best Practices Priti Desai Sr. Software Engineer Secure Keystone Deployment 1
  • 2.
    The Symantec Team •Cloud Platform Engineering – We are building a consolidated cloud platform that provides infrastructure and platform services for next generation Symantec products and services • Me – In Security for over 6 years – Symantec Insight - Reputation Based Security – Symantec Data Analytics Platform – OpenStack Engineer - Keystone – OpenStack Security Group – Cop Open Source Secure Keystone Deployment 2
  • 3.
    OpenStack Security Group SecureKeystone Deployment 3 security notes Retrieved from http://www.openstack.orgRetrieved from http://docs.openstack.org
  • 4.
    Secure Keystone Deployment Whyis Keystone security critical? What is Keystone? How is Authentication process implemented in Keystone? How is Authorization mechanism implemented in OpenStack?
  • 5.
    AuthN Overview Secure KeystoneDeployment 5 Cloud User Cloud User Identity (SQL/LDAP) Keystone Token (SQL) Identity (SQL/LDAP) Keystone Token (SQL) Request sent with Username and Password Verify username and password (hash of password) Successful verification Request metadata for user tenant relationship Assignment (SQL) Assignment (SQL) User tenant relationship information Request to generate new token Response with new token Response with token
  • 6.
    AuthZ Overview Secure KeystoneDeployment 6 Cloud User Cloud User Keystone OpenStack Service Keystone OpenStack Service Request sent with session token Verify session token Successful verification Is this token correct? Does it allow the service usage? Service executes the request Response with success
  • 7.
    Secure Keystone Deployment Whyis Keystone security critical? Does it store/transmit any sensitive information? What kind of cloud asset does it store? Is any type of attack possible on Keystone? Can it bring down the entire cloud?
  • 8.
    Keystone Security isCritical Secure Keystone Deployment 8 • Gatekeeper • Access to OpenStack Cloud • Assets • Users • Passwords • Tokens • Roles • Catalog • Vulnerable to DoS Retrieved from http://internet.phillipmartin.info Retrieved from http://blogs.citypages.com Retrieved from http://assets.nydailynews.com
  • 9.
    What was ourapproach to identifying key vulnerabilities? Secure Keystone Deployment 9
  • 10.
    Security Risks Secure KeystoneDeployment 10 • Global Security Office  Threat Model  Penetration Tests  Traceability Matrix Retrieved from http://www.technetics.com.au
  • 11.
  • 12.
    Secure Keystone Deployment 12 Spoofing Tampering Repudiation InformationDisclosure Denial of Service Elevation of Privileges Threat Model
  • 13.
    What kind ofsecurity deficiencies did we discover? Secure Keystone Deployment 13
  • 14.
    Secure Keystone Deployment 14 Attack:Keystone user credential theft Attack: Insecure file permissions on Keystone.conf Keystone.conf Attack: Access to cloud admin privileges for almost free Attack: Leaking sensitive data in log messages Attack: DoS – Authentication chaining - Havana Attack: Unauthorized access to MySQL database Many more …
  • 15.
    Traceability Matrix Secure KeystoneDeployment 15 ✖ ✖ ✖
  • 16.
    Keystone User CredentialTheft Secure Keystone Deployment 16
  • 17.
    Mitigate: Secure Communication- SSL Secure Keystone Deployment 17 Hardware Load Balancer Hardware Load Balancer Keystone KeystoneKeystone SSL Client SSL Server SSL Client SSL Server mod_ssl 35357/SSL 5000/SSL mod_ssl 35357/SSL 5000/SSL mod_ssl 35357/SSL 5000/SSL Public API Admin API
  • 18.
    Insecure file permissionson Keystone.conf Secure Keystone Deployment 18 Mitigate: • Restrict ownership to service user - chown keystone:keystone /etc/keystone/keystone.conf • Restrict to read and write by the owner - chmod 640 /etc/keystone/keystone.conf hostnameabc hostnameabc hostnameabcuser user user
  • 19.
    Access to adminprivileges is almost free Secure Keystone Deployment 19 • Service Token • Bootstrap Keystone • Cloud admin privileges • Register bad service/endpoints
  • 20.
    Mitigate: Disable ServiceToken • Comment out admin_token from /etc/keystone/keystone.conf: admin_token=e2112effd3ff05b8c88ad14e096e6615 • Remove admin token auth middleware from /etc/keystone/keystone-paste.ini: [filter:admin_token_auth] paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory Secure Keystone Deployment 20
  • 21.
    Who is thecloud admin now? Secure Keystone Deployment 21
  • 22.
    Create Cloud Admin •Leveraging Keystone Domain • Before disabling service token: • Create a domain “cloud_admin_domain” • Grant “admin” role to appropriate user “Bob Smith” • Update keystone policy.json file: • Replace: "cloud_admin": [["rule:admin_required", "domain_id:admin_domain_id"]], • With: "cloud_admin”: [["rule:admin_required”,"domain_id:<cloud_admin_domain_id>"]], Secure Keystone Deployment 22
  • 23.
    Leaking Sensitive Informationin Log Messages • Debug mode include plaintext request logging • Passwords • Tokens • Mitigate: • Disable debug mode in keystone.conf with: • With debug mode ON, upgrade keystone client: • python-keystoneclient >= 0.10.1 (OSSN-0024) Secure Keystone Deployment 23 [DEFAULT] debug=False
  • 24.
    Leaking Sensitive Informationin Log Messages Identity API V2 - INFO level logs contains auth tokens (OSSN-0023) Mitigate: • Set the log level to WARN in logging.conf: Secure Keystone Deployment 24 [handler_file] class = FileHandler Level = WARN
  • 25.
    Keystone DoS Attack IdentityAPI V3 – Authentication Chaining – CVE-2014-2828 Secure Keystone Deployment 25
  • 26.
    Keystone DoS Attack Mitigate: •Impacted Versions: from 2013.1 to 2013.2.3 • Patch applied during IceHouse rc2 • Upgrade Keystone >= 2013.2.4 Secure Keystone Deployment 26
  • 27.
  • 28.
  • 29.
    References • http://docs.openstack.org/developer/keystone/ • https://blog-nkinder.rhcloud.com/?p=7 •https://blueprints.launchpad.net/keystone/+spec/service-scoped- tokens • http://docs.openstack.org/sec/ • http://www.florentflament.com/blog/setting-keystone-v3- domains.html • https://wiki.openstack.org/wiki/Security_Notes Secure Keystone Deployment 29
  • 30.
    References (Images) • CrimeIdentity Theft: http://internet.phillipmartin.info/crime_identity_theft.gif • Computer Theft: http://blogs.citypages.com/blotter/Computer%20theft.gif • Mickey Washington ID: http://assets.nydailynews.com/polopoly_fs/1.1864391!/img/httpImage/image.jpg_gen/de rivatives/article_970/mickey13n-1-web.jpg • Threat, Asset, and Vulnerability: http://www.technetics.com.au/images/easyblog_images/79/b2ap3_thumbnail_manage_y our_risk_400_20140924-122014_1.jpg • Openstack security Notes: http://www.openstack.org/assets/openstack-logo/openstack- one-color-alt.pdf • OpenStack security Guide: http://docs.openstack.org/common/images/openstack- security-guide.jpg Secure Keystone Deployment 30