National College of Ireland
School of Computing
Project Submission Sheet – 2013/2014

Student Name: Gaurav Lakhani and Jitendra Kumar Sharma
Student ID: X14111284 and x01315057
Programme: M.Sc. Cloud Computing
Year: 2014
Module: Cloud Security
Lecturer: Mikhail Timofeev
Submission Due Date: 14-Dec-2014
Project Title: Cloud Security Report
Word Count: 2,411 words

I hereby certify that the information contained in this (my submission) is information
pertaining to research I conducted for this project. All information other than my own
contribution will be fully referenced and listed in the relevant bibliography section at the
rear of the project.
ALL internet material must be referenced in the bibliography section. Students are
encouraged to use the Harvard Referencing Standard supplied by the Library. To use other
authors' written or electronic work is illegal (plagiarism) and may result in disciplinary
action. Students may be required to undergo a viva (oral examination) if there is suspicion
about the validity of their submitted work.
Signature: Gaurav Lakhani
Date: 14-Dec-2014
Cloud Security Report
(Jitendra Kumar Sharma, Gaurav Lakhani)
by Gaurav Lakhani
Cloud Security Project Report
1) Approach and Project Planning
Securing a Hybrid Cloud
The implementation of a hybrid cloud between VMware and Amazon Web Services involves a great deal
of hardware and software resources. The VMware private cloud is made up of one or more ESXi hypervisors
(referred to as hosts) on which virtual machines (referred to here as guests) are created. A vCenter Server
is used to manage the hypervisors, and the vSphere Client is the management tool used to access this
management server. Amazon Web Services serves as the public cloud for our project; we use Amazon's AWS
connector to link our VMware private cloud to AWS. A general layout of our infrastructure and its
constituent resources is depicted below.
Strong importance has been given from the outset to securing this infrastructure, and the work follows
the OWASP threat risk modelling recommendations. In the private cloud this means securing three levels:
the hypervisor, the guest OS and the network.
Task and Dependencies
This section outlines the tasks and their dependencies for reaching a thorough level of security in the
project. Some of the details are listed below.
 Task: Identify the constituent resources which need to be secured.
Dependencies: We have to segregate our infrastructure into logical segments based on their function
and on which audience needs access to them, and then secure each segment for identity and access
management, network traffic, permissions, data integrity and so on. Some of this has been achieved by
integrating the cloud infrastructure with a domain controller.
 Task: Identify and implement an appropriate security threat model.
Dependencies: As there is no single threat model defined specifically for cloud security, we need to
choose the one that best suits our infrastructure and complement it with other best practices and
recommendations for cloud security.
 Task: Test the infrastructure to validate that the security features are applied and to identify
loopholes, if any.
Dependencies: After hardening the infrastructure, it has to be tested to validate the implementation.
This can be done with manual test cases or with third-party tools that assess the robustness of our
cloud environment.
2) Selection of Tools / Methodologies / Frameworks / Benchmarking
The risk model followed is the Australian/New Zealand Standard AS/NZS 4360, together with the security
best practices and recommendations from ENISA. AS/NZS 4360 leaves us free to define our own risk domains
based on the structure of our infrastructure and to manage them in the conventional way: it uses
likelihood and consequence to determine the overall level of each risk. (AS/NZS 4360:2004 has since been
superseded by AS/NZS ISO 31000:2009, which keeps the same likelihood-and-consequence approach, so the
steps below still apply.)
The five steps of the AS/NZS 4360 process are:
1. Establish Context: Establish the risk domain, i.e. which assets/systems are important. In this
step we identified and divided our risk domain into four groups that need to be secured:
 Hypervisor (Host)
 Virtual Machines (Guest)
 Network
 Public cloud (AWS)
2. Identify the Risks: Within the risk domain, what specific risks are apparent?
- We evaluated all the risk domains listed above and identified a few common risks: unauthorized
access, identity management, spoofing, data tampering and denial of service (DoS).
3. Analyze the Risks: Look at the risks and determine whether any supporting controls are in place.
- This step helped us identify the contributing factors for a breach and the remedial controls.
4. Evaluate the Risks: Determine the residual risk.
- Here we rate the impact of each risk once the existing controls are taken into account.
5. Treat the Risks: Describe the method used to treat the risks so that the risks selected by the
business are mitigated.
- This covers the detail of all the steps we performed to secure our hybrid cloud.
 We used a few of the ENISA recommendations and best practices to secure our risk
domains.
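A worked example of the likelihood-and-consequence rating for the risk domains and risks listed above, added here as an illustration and not part of the original submission. The domain and risk names come from the list above; the scores, the "control in place" column and the banding thresholds are assumptions made for the example, not figures from the report:

```shell
#!/bin/sh
# Added example, not part of the report: an AS/NZS 4360-style risk register
# for the four risk domains and the risks the report identifies.
# Likelihood and consequence are each scored 1-5, risk = likelihood x
# consequence, and the score is banded Low/Moderate/High/Extreme.
# Scores, bands and the "control" column are assumptions for illustration.

# Columns: domain|risk|likelihood|consequence|control in place (y/n)|likelihood after control
RISK_REGISTER='Hypervisor|Unauthorized access over SSH|4|5|y|1
Hypervisor|Identity management (local accounts)|3|5|y|1
Virtual Machines|Unauthorized access as root over SSH|4|4|y|2
Virtual Machines|Data tampering|3|4|y|2
Virtual Machines|OS version disclosed to scanners|4|3|n|4
Network|Spoofing (MAC change, forged transmits)|3|3|y|1
Public cloud (AWS)|DoS against public endpoints|3|3|y|2'

# band SCORE -> Low / Moderate / High / Extreme (thresholds are an assumption)
band() {
  if [ "$1" -ge 15 ]; then echo Extreme
  elif [ "$1" -ge 10 ]; then echo High
  elif [ "$1" -ge 5 ]; then echo Moderate
  else echo Low
  fi
}

# rate_risks -> one line per register entry:
#   domain|risk|inherent score|inherent band|residual score|residual band
# Step 2 of AS/NZS 4360 is the register itself, step 3 the "control" column,
# step 4 the residual columns.
rate_risks() {
  printf '%s\n' "$RISK_REGISTER" | while IFS='|' read -r domain risk lik con ctl lik2; do
    inherent=$((lik * con))
    if [ "$ctl" = y ]; then residual=$((lik2 * con)); else residual=$inherent; fi
    printf '%s|%s|%d|%s|%d|%s\n' "$domain" "$risk" \
      "$inherent" "$(band "$inherent")" "$residual" "$(band "$residual")"
  done
}

# residual_band DOMAIN RISK -> the residual band of one entry
residual_band() {
  rate_risks | awk -F'|' -v d="$1" -v r="$2" '$1 == d && $2 == r { print $6 }'
}

# untreated -> entries still High or Extreme after controls, i.e. what
# step 5 ("Treat the Risks") still has to deal with
untreated() {
  rate_risks | awk -F'|' '$6 == "High" || $6 == "Extreme" { print $1 ": " $2 }'
}

rate_risks
echo "--- still needs treatment:"
untreated
```

The untreated entry left in the register is the OS version disclosure that the testing section later reports as a finding; a register like this makes that gap visible before the scan does.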
The detailed steps to secure our hybrid cloud are as follows:
2.1) Hypervisor (Host) Security
1. Enable lockdown mode: Once lockdown mode is enabled, the host can be managed only through its
management server, vCenter Server; direct SSH (e.g. PuTTY) or Telnet sessions to the host are not
accepted. Lockdown mode restricts who may authenticate to the host rather than stopping the SSH service
itself, and on ESXi 5.x root can still log in at the DCUI console, so console access to the host must be
controlled as well and the firewall rule in step 4 still matters.
2. Integration with Active Directory: As lockdown mode is enabled on the hypervisor, it is accessed
only through its management server, vCenter Server. We integrated vCenter Server with our domain
controller so that no local system user can log into it; only authorized domain users have access to
vCenter Server and to the hypervisors registered in it.
3. Role-based access to hypervisors (hosts): Although vCenter Server is integrated with the domain
controller, not all domain users can log into it. The users who are given login rights are assigned a
role and can perform only the tasks specific to that role instead of having full rights. This spreads the
workload across different users while keeping track of who is doing what. For example, the domain
administrator has full rights and can manage hosts as well as VMs, whereas the user 'Gaurav' has the
Virtual Machine Power User role and can manage VMs but not hosts.
4. ESXi firewall: The ESXi firewall lets us allow or restrict all access to our host. We have enabled
the firewall and allowed access to the host only from the 192.168.0.0/24 network; any attempt to connect
from another network is blocked. The allowed-IP list is kept per firewall ruleset (SSH server, vSphere
Client and so on), so the restriction has to be applied to each enabled service rather than once globally.
5. Securing the log files: Log files are directed to a shared NFS datastore instead of the local ESXi
disk so that they remain available even if the ESXi host fails. Forwarding them to a remote syslog host
as well keeps a copy that someone with access to the host cannot alter.
6. Failover cluster: The ESXi hosts are configured in a vSphere HA cluster to protect the virtual
machines against host failure.
2.2) Guest OS Security
Once the hypervisor is hardened, we need to secure the guest OS running on it. In our hybrid cloud the
guest is CentOS 6.6, a rebuild of Red Hat Enterprise Linux. We performed the steps below to secure it.
1. Security patches: The guest OS, CentOS 6.6, has been patched with all the critical security updates.
This was done and verified by running the following commands on the console:
#yum --security check-update   (list the available security updates)
#yum --security update         (download and install the available security updates)
The --security option is provided by the yum-plugin-security package, which has to be installed first on
CentOS 6. Note also that the CentOS repositories do not carry the errata metadata this option relies on,
so on CentOS it can report nothing to do while packages are still out of date; a plain #yum update is the
reliable way to apply all updates, security ones included.
2. GRUB password (grub-md5-crypt): The boot loader of the guest OS has been password-protected so that
someone with console access cannot edit the kernel command line (for example to boot into single-user
mode) and bypass the OS login. The boot loader password is stored as an MD5-crypt hash rather than in
plain text. The hash is generated with:
#grub-md5-crypt   (enter the password; the command prints its hash)
The hash is placed in /etc/grub.conf, a symlink to /boot/grub/grub.conf, so that the password directive
in the boot loader configuration knows where to look for it:
#vim /etc/grub.conf
password --encrypted <encrypted password>
MD5-crypt is the only hash format the legacy GRUB 0.97 shipped with CentOS 6 supports, and it is weak
against offline cracking, so grub.conf must stay readable by root only (mode 600, the CentOS default)
and the password should be long.
3. Key-based SSH authentication: With password authentication, the user types a password for every
SSH session. The password travels inside the encrypted channel, but it can still be guessed by brute
force, phished, or captured by a compromised or impersonated server. In our infrastructure we have
therefore replaced password-based SSH authentication with key-based authentication: the user's public
key is copied into ~/.ssh/authorized_keys on the server (for example with ssh-copy-id) and the private
key never leaves the client, so the server only ever sees a signature it can verify with the public key.
(The client, for its part, records the server's host key in ~/.ssh/known_hosts on the first connection
and warns if it changes later, which is what protects against an impersonated server.) In the screenshot
below we show SSH sessions for two users, 'jeet' and 'admin'. The user 'jeet' is asked for a password
every time, whereas 'admin' is not, because the SSH key for 'admin' has already been copied to the SSH
server as shown in the picture above. For the change to add security rather than convenience, password
authentication is then switched off in /etc/ssh/sshd_config (PasswordAuthentication no) so that the
weaker method is no longer available to attackers.
4. Disable root login for SSH: Setting PermitRootLogin no in /etc/ssh/sshd_config means nobody can open
an SSH session as root; users have to log in with their own credentials and escalate with su or sudo,
which leaves an audit trail of who did what.
5. Enable firewall: Run #setup (the system-config-firewall text interface) to enable the firewall,
which filters out unnecessary network traffic.
6. Port blocking using iptables: iptables rules block all inbound ports except SSH (TCP 22).
7. Password expiration policy: A 30-day password expiration policy has been set for all users on the
machine to enforce a compulsory password change (PASS_MAX_DAYS 30 in /etc/login.defs applies to accounts
created afterwards; existing accounts need chage -M 30 <user>).
8. User account lockout: The guest OS has been configured to lock a user account after 3 failed login
attempts. Administrator access is required to unlock the account again (with pam_tally2, the usual
module for this on CentOS 6, the reset is pam_tally2 --user=<user> --reset).
To enable the lockout on failed logins, the entries shown below were made in /etc/pam.d/system-auth.
The same entries must also be made in /etc/pam.d/password-auth, which is the stack used by sshd and other
remote logins; without them, SSH brute-force attempts are never counted.
9. Data encryption (LUKS): The hard drive has been encrypted with LUKS (Linux Unified Key Setup) to
restrict unauthorized access to the data on it. LUKS protects data at rest only, for example when the
VMDK is copied or the VM is exported; once the volume is unlocked and mounted, anyone who gets into the
running guest sees the data in clear, so the access controls above still carry the load while the VM
is running.
10. Advanced Intrusion Detection Environment (AIDE): AIDE has been set up on the guest OS to monitor
changes to files and to their permission metadata. The files listed below have been set to be monitored
by entries in:
/etc/aide.conf
The baseline database is created with aide --init once hardening is complete, and a copy should be kept
off the guest, since an attacker who can alter files can also regenerate the baseline; aide --check then
compares the live system against it.
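The following audit script is an added example and not code from the report. It checks steps 2, 3, 4, 7 and 8 above against the CentOS 6 configuration files the way a CIS-style benchmark would, reading them under a root directory so it can be run against "/" on the real guest. The sample file contents it builds, including the pam_tally2 lines used for the lockout, are this example's assumptions about what the screenshots contain, not text taken from the report:

```shell
#!/bin/sh
# Added example, not from the report: CIS-style audit of the guest-OS
# hardening steps against CentOS 6 config files under a root directory
# (use "/" on the real guest, or the constructed trees make_sample builds).
# File contents in make_sample, including the pam_tally2 lines, are assumptions.

# effective DIRECTIVE FILE -> value of the first uncommented occurrence
# (sshd honours the first occurrence of a directive, not the last)
effective() {
  awk -v k="$1" 'tolower($1) == tolower(k) && !seen { print $2; seen = 1 }' "$2" 2>/dev/null
}

check_ssh() {      # steps 3 and 4: key-only SSH, no root login
  f="$1/etc/ssh/sshd_config"; n=0
  [ "$(effective PermitRootLogin "$f")" = no ] \
    || { echo "FAIL sshd_config: PermitRootLogin is not 'no' (step 4)"; n=$((n + 1)); }
  [ "$(effective PasswordAuthentication "$f")" = no ] \
    || { echo "FAIL sshd_config: PasswordAuthentication is not 'no' (step 3)"; n=$((n + 1)); }
  [ "$(effective PubkeyAuthentication "$f")" != no ] \
    || { echo "FAIL sshd_config: PubkeyAuthentication is disabled (step 3)"; n=$((n + 1)); }
  return $n
}

check_lockout() {  # step 8: pam_tally2 deny=3 in both stacks (password-auth is the one sshd uses)
  n=0
  for stack in system-auth password-auth; do
    p="$1/etc/pam.d/$stack"
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_tally2\.so[[:space:]].*deny=3' "$p" 2>/dev/null \
      || { echo "FAIL $stack: no 'auth required pam_tally2.so deny=3' line (step 8)"; n=$((n + 1)); }
    grep -Eq '^account[[:space:]]+required[[:space:]]+pam_tally2\.so' "$p" 2>/dev/null \
      || { echo "FAIL $stack: no 'account required pam_tally2.so' line (step 8)"; n=$((n + 1)); }
  done
  return $n
}

check_expiry() {   # step 7: PASS_MAX_DAYS 1..30 (new accounts; existing ones need chage -M 30)
  d=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v + 0 }' "$1/etc/login.defs" 2>/dev/null)
  [ "${d:-0}" -ge 1 ] && [ "${d:-0}" -le 30 ] \
    || { echo "FAIL login.defs: PASS_MAX_DAYS is ${d:-unset}, want 1-30 (step 7)"; return 1; }
}

check_grub() {     # step 2: hashed password line present, no plaintext one
  g="$1/etc/grub.conf"
  grep -Eq '^password[[:space:]]+--encrypted[[:space:]]+\$1\$' "$g" 2>/dev/null \
    || { echo "FAIL grub.conf: no 'password --encrypted' line (step 2)"; return 1; }
  ! grep -Eq '^password[[:space:]]+[^-]' "$g" \
    || { echo "FAIL grub.conf: plaintext 'password' line present (step 2)"; return 1; }
}

audit() {          # audit ROOT -> prints FAIL lines, returns the number of failed checks
  t=0
  for c in check_ssh check_lockout check_expiry check_grub; do
    "$c" "$1" || t=$((t + $?))
  done
  return $t
}

fail_count() {     # fail_count ROOT -> the number of failed checks, as text
  if audit "$1" >/dev/null; then echo 0; else echo $?; fi
}

make_sample() {    # make_sample DIR hardened|default -> constructed config tree (assumed content)
  mkdir -p "$1/etc/ssh" "$1/etc/pam.d"
  if [ "$2" = hardened ]; then
    printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
      > "$1/etc/ssh/sshd_config"
    for stack in system-auth password-auth; do
      printf '%s\n' 'auth required pam_env.so' 'auth required pam_tally2.so deny=3 onerr=fail' \
        'auth sufficient pam_unix.so try_first_pass' 'account required pam_tally2.so' \
        'account required pam_unix.so' > "$1/etc/pam.d/$stack"
    done
    printf '%s\n' 'PASS_MAX_DAYS 30' 'PASS_MIN_DAYS 1' > "$1/etc/login.defs"
    printf '%s\n' 'timeout=5' 'password --encrypted $1$abcdefgh$0123456789abcdefghijkl' \
      > "$1/etc/grub.conf"
  else             # CentOS 6 defaults: root and password SSH allowed, no lockout, 99999-day expiry
    printf '%s\n' '#PermitRootLogin yes' 'PasswordAuthentication yes' > "$1/etc/ssh/sshd_config"
    for stack in system-auth password-auth; do
      printf '%s\n' 'auth required pam_env.so' 'auth sufficient pam_unix.so try_first_pass' \
        'account required pam_unix.so' > "$1/etc/pam.d/$stack"
    done
    printf '%s\n' 'PASS_MAX_DAYS 99999' > "$1/etc/login.defs"
    printf '%s\n' 'timeout=5' > "$1/etc/grub.conf"
  fi
}

# stand-alone demonstration on the two constructed trees
demo=$(mktemp -d)
make_sample "$demo/good" hardened; make_sample "$demo/bad" default
echo "hardened tree: $(fail_count "$demo/good") failed check(s)"
echo "default tree:  $(fail_count "$demo/bad") failed check(s)"
audit "$demo/bad" || true
rm -rf "$demo"
```

Running audit / on the guest after the steps above should print nothing and return 0; any FAIL line names the step whose setting did not land, which is the check the report's "verified by running" claims rely on.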
2.3) Network Security
1. VLAN ID: A VLAN has been created to isolate tenants from each other. The guest OS is placed in a
VLAN separate from the management network, which is completely isolated on a different port group.
2. Network policy: The security policy of the ESXi host's virtual switch has been set to reject
promiscuous mode, MAC address changes and forged transmits, so a guest can neither sniff traffic destined
for other VMs nor send frames with a spoofed MAC address.
2.4) Public Cloud Security (AWS)
We have used Amazon Web Services as our public cloud. Under AWS's shared-responsibility model, most of
the security challenges of the underlying infrastructure are dealt with by AWS, which provides a
well-secured infrastructure backed by extensive network and security monitoring, while the configuration
of our own instances, identities and data remains our responsibility. Some of the security features
provided by AWS are listed below.
These systems provide basic but important security measures such as distributed denial of service
(DDoS) protection and password brute-force detection on AWS accounts. Additional security measures
include:
Secure access – Customer access points, also called API endpoints, allow secure HTTP access (HTTPS)
so that you can establish secure communication sessions with your AWS services using SSL/TLS.
Built-in firewalls – You can control how accessible your instances are by configuring the built-in
firewall rules (security groups), from totally public to completely private or somewhere in between.
When your instances reside within a Virtual Private Cloud (VPC) subnet, you can control egress as well
as ingress.
Unique users – AWS Identity and Access Management (IAM) lets you control the level of access your own
users have to your AWS infrastructure services. With IAM, each user has unique security credentials,
which eliminates the need for shared passwords or keys and allows the security best practices of role
separation and least privilege.
Multi-factor authentication (MFA) – AWS provides built-in support for multi-factor authentication
(MFA) for the root AWS account as well as for the individual IAM user accounts under it. Because the root
account cannot be restricted by IAM policies, it should have MFA enabled and otherwise not be used for
day-to-day work.
Private subnets – The AWS Virtual Private Cloud (VPC) service lets you add another layer of network
security to your instances by creating private subnets and even adding an IPsec VPN tunnel between your
home network and your AWS VPC.
Encrypted data storage – Customers can have the data and objects they store in Amazon EBS, Amazon S3,
Glacier, Redshift, and Oracle and SQL Server RDS encrypted using the Advanced Encryption Standard (AES)
with 256-bit keys (AES-256). For EBS, S3 and RDS this is an option chosen when the volume, object or
database instance is created, not a default, so it has to be switched on deliberately.
Selection of Tools
We used open-source tools such as Nmap, Nikto and OpenVAS, alongside PuTTY and Nessus, to run a
penetration test against our infrastructure, validate the security implementation and look for
loopholes, if any.
3) Testing Approach
We carried out several manual and automated tests on our infrastructure to identify security
vulnerabilities, ranging from fingerprinting the OS version and finding open ports to checking ping and
SSH behaviour and Apache issues.
Some of the test scenarios are:
1. Check whether ESXi accepts SSH: We used PuTTY to open an SSH connection to ESXi. As lockdown mode is
enabled, the login should be refused. The test result is given below.
2. Check whether the guest OS accepts SSH as root: We have disabled root SSH on the guest OS for better
security, so a root login should be refused. The test result is given below.
3. Check whether the guest OS accepts SSH for a non-root account: As we have not disabled non-root SSH
to the guest OS, we should be able to connect. We opened a PuTTY session to our CentOS guest as user
'admin' and it connected without problems. The finding is given below.
4. Check the open ports on ESXi: We used the open-source tool Nmap to scan our ESXi server for open
ports. It found that only the ports required for communication with the management server and the
vSphere Client are open, and the rest are blocked. Here is the result of the Nmap scan:
#nmap 192.168.0.20
(A plain nmap run probes only the 1,000 most common TCP ports; -p- scans all 65,535 and -sU covers UDP,
which the ESXi firewall also filters.)
5. Check the open ports on the guest OS: We have used iptables to block all ports except SSH on the guest
OS. Here is the scan result from Nmap.
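As an added example (not from the report), the check below turns test scenarios 4 and 5 into a pass/fail comparison of Nmap's grepable output (nmap -oG FILE ...) against the ports each host is expected to expose, instead of a screenshot read by eye. The scan lines are constructed for the example; 192.168.0.20 is the ESXi address from the nmap command above and 192.168.0.30 is an assumed guest address:

```shell
#!/bin/sh
# Added example, not part of the report: compare the TCP ports nmap reports
# open against an expected list per host, from nmap's grepable (-oG) output.
# The scan lines written by write_sample are constructed, not a real scan;
# 192.168.0.30 for the guest is an assumed address.

# write_sample FILE -> constructed -oG output
write_sample() {
  {
    printf '# Nmap 6.47 scan initiated (constructed sample)\n'
    printf 'Host: 192.168.0.20 ()\tStatus: Up\n'
    printf 'Host: 192.168.0.20 ()\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https///, 902/open/tcp//ideafarm-door///\tIgnored State: filtered (997)\n'
    printf 'Host: 192.168.0.30 (centos-guest)\tPorts: 22/open/tcp//ssh///, 111/open/tcp//rpcbind///\tIgnored State: closed (998)\n'
  } > "$1"
}

# open_ports OG_FILE HOST -> TCP ports reported open for HOST, one per line
# (-oG fields are tab separated; the first is "Host: <ip> (<name>)" and the
# Ports field lists port/state/proto/owner/service/rpc/version entries)
open_ports() {
  awk -F'\t' -v h="$2" '
    { split($1, a, " ") }
    a[2] == h { for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) print substr($i, 8) }
  ' "$1" \
  | tr ',' '\n' \
  | awk -F/ '{ sub(/^ +/, "", $1) } $2 == "open" && $3 == "tcp" { print $1 }'
}

# unexpected_ports OG_FILE HOST "p1 p2 ..." -> open ports that are not in the expected list
unexpected_ports() {
  for p in $(open_ports "$1" "$2"); do
    case " $3 " in *" $p "*) ;; *) echo "$p" ;; esac
  done
}

# verify OG_FILE HOST "expected ports" -> PASS/FAIL line; returns 1 on FAIL
verify() {
  extra=$(unexpected_ports "$1" "$2" "$3")
  if [ -z "$extra" ]; then
    echo "PASS $2: only expected ports open ($3)"
  else
    echo "FAIL $2: unexpected open ports: $(printf '%s' "$extra" | tr '\n' ' ')"
    return 1
  fi
}

# Expected exposure: ESXi needs 443 (vSphere Client / vCenter) and 902 (host
# agent); the guest should expose SSH only, as in sections 2.1 and 2.2.
sample=$(mktemp)
write_sample "$sample"
verify "$sample" 192.168.0.20 "443 902"
verify "$sample" 192.168.0.30 "22" || true
rm -f "$sample"
```

In the constructed sample the ESXi host passes (22 is filtered by the ESXi firewall, so it is not counted as open) and the guest fails because rpcbind on 111 slipped past the iptables rules, which is exactly the deviation scenario 5 is meant to catch.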
4) Findings and Risk Ratings, Challenges and Limitations
1. Running a Nikto scan against vCenter Server shows that web components are installed which may not be
secure, as no measures have been taken to harden the web server on vCenter Server.
2. Running an Nmap scan against the guest OS reveals the OS version running on it (from service banners
and OS fingerprinting), which may make it prone to targeted attacks on known vulnerabilities of that
version.
5) Outcome
In the course of the security project we arrived at the following results. We succeeded in securing our
hybrid cloud infrastructure at four levels, namely hypervisor, guest OS, network and public cloud. We
gained knowledge of the risks and threats associated with the infrastructure and selected tools and
methodologies accordingly to reduce the security risks. Along the way we learned about different kinds
of threat models and the different risks and threats they address. We followed AS/NZS 4360 and the ENISA
recommendations, as suggested by the OWASP threat risk modelling guidance, and learned about various
aspects of security in our hybrid cloud infrastructure. Applying AS/NZS 4360 showed us how to identify,
analyze and treat the risks, and how the treatments affect the user experience.
6) Conclusion
From our security implementation and testing we conclude that the inbuilt security features of the
cloud software/platform can be combined with third-party software to achieve a better level of
security. We cannot rely on the inbuilt security features of the platform alone for a foolproof
infrastructure.
In our implementation we secured the guest OS with all the inbuilt server-hardening features and
functions, yet a few vulnerabilities remained exposed that could be controlled with third-party
software. We have identified that more work needs to be done in our future implementations.
7) References
Amazon Web Services, Inc. (2014). AWS Security Center. [online] Available at:
http://aws.amazon.com/security/ [Accessed 11 Dec. 2014].
Cyberciti.biz (2014). Top 30 Nmap Command Examples For Sys/Network Admins. [online] Available at:
http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/ [Accessed 11 Dec. 2014].
Kali.org (2014). [online] Available at: https://www.kali.org/official-documentation/ [Accessed 11 Dec.
2014].
Owasp.org (2014). Threat Risk Modeling - OWASP. [online] Available at:
https://www.owasp.org/index.php/Threat_Risk_Modeling [Accessed 5 Dec. 2014].
Putty.org (2014). Download PuTTY - a free SSH and telnet client for Windows. [online] Available at:
http://www.putty.org/ [Accessed 12 Dec. 2014].
VMware, Inc. (2014). vSphere Security (ESXi 5.0 and vCenter Server 5.0). 1st ed. [ebook] Available at:
https://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf
[Accessed 8 Dec. 2014].

More Related Content

What's hot

How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )Katy Slemon
 
SafeNet ProtectV Data Protection for Virtual Infrastructure
SafeNet ProtectV Data Protection for Virtual InfrastructureSafeNet ProtectV Data Protection for Virtual Infrastructure
SafeNet ProtectV Data Protection for Virtual InfrastructureLETA IT-company
 
Alternatives for-securing-virtual-networks
Alternatives for-securing-virtual-networksAlternatives for-securing-virtual-networks
Alternatives for-securing-virtual-networksJustin Cletus
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingPaula Januszkiewicz
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat Security Conference
 
Java Security Overview
Java Security OverviewJava Security Overview
Java Security Overviewwhite paper
 
V brownbag sept-14-2016
V brownbag sept-14-2016V brownbag sept-14-2016
V brownbag sept-14-2016Anthony Chow
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Cohesive Networks Support Docs: VNS3:turret NIDS Guide
Cohesive Networks Support Docs: VNS3:turret NIDS GuideCohesive Networks Support Docs: VNS3:turret NIDS Guide
Cohesive Networks Support Docs: VNS3:turret NIDS GuideCohesive Networks
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes ClusterSuman Chakraborty
 
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL ServerGeorgi Kodinov
 
WordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & TricksWordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & TricksFaraz Ahmed
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications guest879f38
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
Dear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckDear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckPaula Januszkiewicz
 

What's hot (16)

How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )
 
SafeNet ProtectV Data Protection for Virtual Infrastructure
SafeNet ProtectV Data Protection for Virtual InfrastructureSafeNet ProtectV Data Protection for Virtual Infrastructure
SafeNet ProtectV Data Protection for Virtual Infrastructure
 
Alternatives for-securing-virtual-networks
Alternatives for-securing-virtual-networksAlternatives for-securing-virtual-networks
Alternatives for-securing-virtual-networks
 
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth takingTop 10 ways to make hackers excited: All about the shortcuts not worth taking
Top 10 ways to make hackers excited: All about the shortcuts not worth taking
 
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
BlueHat v17 || Don't Let Your Virtualization Fabric Become the Attack Vector
 
Java Security Overview
Java Security OverviewJava Security Overview
Java Security Overview
 
V brownbag sept-14-2016
V brownbag sept-14-2016V brownbag sept-14-2016
V brownbag sept-14-2016
 
Certified Pre-Owned
Certified Pre-OwnedCertified Pre-Owned
Certified Pre-Owned
 
Container security
Container securityContainer security
Container security
 
Cohesive Networks Support Docs: VNS3:turret NIDS Guide
Cohesive Networks Support Docs: VNS3:turret NIDS GuideCohesive Networks Support Docs: VNS3:turret NIDS Guide
Cohesive Networks Support Docs: VNS3:turret NIDS Guide
 
12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster12 Ways Not to get 'Hacked' your Kubernetes Cluster
12 Ways Not to get 'Hacked' your Kubernetes Cluster
 
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server
 
WordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & TricksWordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & Tricks
 
Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
Dear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality CheckDear Hacker: Infrastructure Security Reality Check
Dear Hacker: Infrastructure Security Reality Check
 

Similar to security report

Automating security compliance for physical, virtual, cloud, and container en...
Automating security compliance for physical, virtual, cloud, and container en...Automating security compliance for physical, virtual, cloud, and container en...
Automating security compliance for physical, virtual, cloud, and container en...Lucy Huh Kerner
 
CloudStack - Top 5 Technical Issues and Troubleshooting
CloudStack - Top 5 Technical Issues and TroubleshootingCloudStack - Top 5 Technical Issues and Troubleshooting
CloudStack - Top 5 Technical Issues and TroubleshootingShapeBlue
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentCryptzone
 
How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...
How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...
How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...Cloudian
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld
 
IRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET Journal
 
13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber SecurityCedar Consulting
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)IJERD Editor
 
Security compute services_whitepaper
Security compute services_whitepaperSecurity compute services_whitepaper
Security compute services_whitepapersaifam
 
Tlu introduction-to-cloud
Tlu introduction-to-cloudTlu introduction-to-cloud
Tlu introduction-to-cloudVan Phuc
 
Providing user security guarantees
Providing user security guaranteesProviding user security guarantees
Providing user security guaranteesKamal Spring
 
Providing user security guarantees
Providing user security guaranteesProviding user security guarantees
Providing user security guaranteesKamal Spring
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
SSL VPN Evaluation Guide
SSL VPN Evaluation GuideSSL VPN Evaluation Guide
SSL VPN Evaluation Guide Array Networks
 

Similar to security report (20)

Jsse
JsseJsse
Jsse
 
Avanan Platform.pdf
Avanan Platform.pdfAvanan Platform.pdf
Avanan Platform.pdf
 
Automating security compliance for physical, virtual, cloud, and container en...
Automating security compliance for physical, virtual, cloud, and container en...Automating security compliance for physical, virtual, cloud, and container en...
Automating security compliance for physical, virtual, cloud, and container en...
 
Presentation on Top Cloud Computing Technologies
Presentation on Top Cloud Computing TechnologiesPresentation on Top Cloud Computing Technologies
Presentation on Top Cloud Computing Technologies
 
CloudStack - Top 5 Technical Issues and Troubleshooting
CloudStack - Top 5 Technical Issues and TroubleshootingCloudStack - Top 5 Technical Issues and Troubleshooting
CloudStack - Top 5 Technical Issues and Troubleshooting
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
 
How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...
How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...
How to become cloud backup provider with Cloudian HyperStore and CloudBerry L...
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Mastering VMware Datacenter - 15 Modules
Mastering VMware Datacenter - 15 ModulesMastering VMware Datacenter - 15 Modules
Mastering VMware Datacenter - 15 Modules
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
 
VMware
VMwareVMware
VMware
 
IRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud Environment
 
13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security13. Neville Varnham - PeopleSoft Cyber Security
13. Neville Varnham - PeopleSoft Cyber Security
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 
Security compute services_whitepaper
Security compute services_whitepaperSecurity compute services_whitepaper
Security compute services_whitepaper
 
Tlu introduction-to-cloud
Tlu introduction-to-cloudTlu introduction-to-cloud
Tlu introduction-to-cloud
 
Providing user security guarantees
Providing user security guaranteesProviding user security guarantees
Providing user security guarantees
 
Providing user security guarantees
Providing user security guaranteesProviding user security guarantees
Providing user security guarantees
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
SSL VPN Evaluation Guide
SSL VPN Evaluation GuideSSL VPN Evaluation Guide
SSL VPN Evaluation Guide
 

security report

  • 4. Cloud Security Report (Jitendra Kumar Sharma, Gaurav Lakhani) by Gaurav Lakhani
  • 5. Cloud Security Project Report

1) Approach and Project Planning

Securing a Hybrid Cloud

The implementation of a hybrid cloud between VMware and Amazon Web Services involves a great deal of hardware and software resources. The VMware private cloud is made up of one or more hypervisors (referred to as hosts) on which virtual machines (referred to here as guests) are created. The vCenter server is used to manage these hypervisors, and a management tool called the vSphere client is used to access this management server. Amazon Web Services serves as the public cloud for our project; we use Amazon's AWS connector to connect our VMware private cloud to AWS. A general layout of our infrastructure and its constituent resources is depicted below.
  • 6. Strong importance has been given from the beginning to securing this infrastructure, strictly following OWASP recommendations. In the private cloud this means securing at three levels: the hypervisor level, the guest OS level and the network level.

Task and Dependencies

This section outlines the tasks and dependencies needed to attain a detailed level of security in the project. Some of the details are listed below.

 Task: Identifying the constituent resources which need to be secured.
Dependencies: We have to segregate our infrastructure into logical segments based on their functionality and their accessibility to the target audience, and secure each of them for identity and access management, network traffic, permissions, data integrity etc. Some of this has been achieved by integrating the cloud infrastructure with a domain controller.

 Task: Identification and implementation of an appropriate security threat model.
Dependencies: As there is no one distinct threat model defined specifically for cloud security, we need to identify the one that best suits our infrastructure and use other best practices and recommendations for cloud security.

 Task: Testing the infrastructure to validate the application of security features and identify loopholes, if any.
Dependencies: After hardening the infrastructure, it needs to be tested to validate the implementations. This can be done using different test cases manually or by using third-party tools that can assess the robustness of our cloud environment.

2) Selection of Tools / Methodologies / Frameworks / Benchmarking

The security threat model followed is the Australian/New Zealand Standard AS/NZS 4360, along with the security best practices and recommendations from ENISA. The AS/NZS 4360 model gives the freedom to identify your own risk domains based on the structure of your infrastructure and manage them in a traditional way. It uses likelihood and consequences to determine overall risk.

The five steps of the AS/NZS 4360 process are:

1. Establish Context: Establish the risk domain, i.e., which assets/systems are important? In this step we identified and divided our risk domain into four groups that need to be secured:
 Hypervisor (Host)
 Virtual Machines (Guest)
 Network
 Public cloud (AWS)

2. Identify the Risks: Within the risk domain, what specific risks are apparent? We evaluated all the risk domains listed above and identified a few common risks such as unauthorized access, identity management, spoofing, data tampering and DoS.
  • 7. 3. Analyze the Risks: Look at the risks and determine if there are any supporting controls in place. This step helped us to identify the contributing factors for a breach and the remedial controls.

4. Evaluate the Risks: Determine the residual risk. Here we calculate the impact of the risk.

5. Treat the Risks: Describe the method to treat the risks so that the risks selected by the business will be mitigated. This involves the details of all the steps we performed to secure our hybrid cloud.

We used a few of the ENISA recommendations and best practices to secure our risk domains. The detailed steps to secure our hybrid cloud are as follows:

2.1) Hypervisor (Host) Security

1. Enable Lockdown: Once lockdown mode is enabled, the host can be accessed only through the management server (vCenter server). No SSH, PuTTY or Telnet access is allowed.

2. Integration with Active Directory: As lockdown mode is enabled on the hypervisor, it is accessed only through its management server, vCenter server. We integrated vCenter server with our domain controller so that no local system user can log into it. Only authorized domain users have access to vCenter server and the hypervisors registered in it.
  • 8. 3. Role-based Access to Hypervisors (Hosts): Although vCenter server is integrated with the domain controller, not all users will be able to log in to it. The users who have login rights are assigned a role and can perform the tasks specific to that role instead of having full rights. This helps to manage the workload better among different users, with a record of who is doing what. For example, the domain administrator has full rights and can manage hosts as well as VMs, whereas the user 'Gaurav' has the Virtual Machine Power User role and can manage VMs but not hosts.

4. ESXi Firewall: The ESXi firewall gives us the ability to allow or restrict all access to our host. We have enabled the firewall and allowed access to our host only from the network 192.168.0.0/24; any attempt to connect from another network is blocked.
  • 9. 5. Securing the Log Files: Log files have been directed to a shared NFS store instead of the local ESXi hard disk so that they can be accessed even in case of an ESXi failure.

6. Failover Cluster: The ESXi hosts have been configured in an HA cluster to protect them against failures.

2.2) Guest OS Security

Once the hypervisor is hardened, we need to secure the guest OS running on it. In our hybrid cloud, we have a Red Hat Linux guest OS running. We performed the steps below to secure it.

1. Security Patch: The guest OS, CentOS 6.6, has been patched with all the critical security updates. This has been achieved and verified by running the commands below on the console:
#yum --security check-update   (to check available security updates)
#yum --security update         (to download and install available security updates)

2. Grub-Crypt: The boot loader of the guest OS has been password protected so as to restrict unauthorized access to the operating system. The boot loader password is stored as an MD5 hash instead of plain text. The command used to produce the hash is:
#grub-md5-crypt   (enter the password to obtain its MD5 hash)
The hashed password has been entered in /etc/grub.conf so that the password command in the boot loader configuration file knows where to look for it:
#vim /etc/grub.conf
password --encrypted <encrypted password>
  • 10. 3. Key-based SSH Authentication: Every time a user wants to open an SSH connection, he needs to enter the password. This puts it at risk if the channel between the host and server is compromised, and can result in a leak of the password. In our infrastructure we have replaced password-based SSH authentication with key-based authentication. Once a user's key has been installed, the SSH server keeps a record of that client and does not ask for a password the next time it connects. In the screenshot below, we have shown SSH sessions for two users, 'jeet' and 'admin'. For user 'jeet' it asks for a password every time; for user 'admin' it does not, as the SSH key for 'admin' has already been copied to the SSH server, as shown in the picture above.
  • 11. 4. Disable root login for SSH: This is a good way to secure the SSH server, as no user will be able to access it with the root credential and everyone will need to use their own user credential.

5. Enable Firewall: Run #setup to enable the firewall, which will filter out unnecessary network traffic.
  • 12. 6. Port blocking using iptables: iptables rules have been used to block all ports except SSH.

7. Password expiration policy: A 30-day password expiration policy has been set for all users on the machine so as to enforce a compulsory password change.

8. User account lockout: The guest OS has been configured to lock a user account after 3 failed login attempts. Administrator access is required to unlock the account again. To enable lockout on failed logins, the entries below have been made in the guest OS file /etc/pam.d/system-auth. The same entry needs to be made in /etc/pam.d/password-auth.

9. Data Encryption (LUKS): The hard drive has been encrypted with LUKS (Linux Unified Key Setup) so as to restrict unauthorized access to the data on the hard drive.

10. Advanced Intrusion Detection Environment: AIDE has been set up on the guest OS to monitor changes to files and their permission metadata. The files given below have been set to be monitored by making entries in /etc/aide.conf.
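As an added example (not the report's own configuration), the following POSIX shell script audits a CentOS 6 guest for the settings described in steps 4, 7 and 8 (no root SSH login, 30-day password expiry, lockout after 3 failed logins) and runs against constructed sample files. The file paths and the pam_tally2 line format are assumptions, since the report shows those entries only as screenshots.

```shell
# Added example, not from the report: audit a CentOS 6 guest for the settings in
# steps 4, 7 and 8. File paths and the pam_tally2 line form are assumptions.

# Return 0 if the FIRST occurrence of directive $2 in sshd_config $1 equals $3
# (sshd honours the first occurrence, so a later duplicate must not count).
sshd_directive_is() {
  v=$(awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1")
  [ "$v" = "$3" ]
}

# Return 0 if login.defs $1 sets PASS_MAX_DAYS to at most $2 days.
pass_max_days_at_most() {
  days=$(awk '$1 == "PASS_MAX_DAYS" { print $2 }' "$1")
  [ -n "$days" ] && [ "$days" -le "$2" ]
}

# Return 0 if every PAM file after the limit has a pam_tally2 auth line with
# deny=<limit> (assumed form: "auth required pam_tally2.so deny=3 ...").
lockout_after() {
  limit=$1; shift
  for f in "$@"; do
    grep -Eq "^auth[[:space:]]+required[[:space:]]+pam_tally2\.so.*[[:space:]]deny=$limit([[:space:]]|$)" "$f" || return 1
  done
  return 0
}

# Run one check, print PASS/FAIL with its arguments, count failures in $fails.
report() {
  if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fails=$((fails + 1)); fi
}

# Audit the config tree rooted at $1 (use / on a live host); return the number
# of failed checks, so 0 means the guest matches the policy described above.
run_audit() {
  root=$1; fails=0
  report sshd_directive_is "$root/etc/ssh/sshd_config" PermitRootLogin no
  report pass_max_days_at_most "$root/etc/login.defs" 30
  report lockout_after 3 "$root/etc/pam.d/system-auth" "$root/etc/pam.d/password-auth"
  return $fails
}

# Write a constructed sample tree under $1: "hardened" passes every check,
# anything else produces a default-looking tree that should fail all three.
make_samples() {
  mkdir -p "$1/etc/ssh" "$1/etc/pam.d"
  if [ "$2" = hardened ]; then
    printf 'Port 22\nPermitRootLogin no\nPermitRootLogin yes\n' > "$1/etc/ssh/sshd_config"
    printf 'PASS_MAX_DAYS 30\nPASS_MIN_DAYS 0\n' > "$1/etc/login.defs"
    printf 'auth required pam_tally2.so deny=3 unlock_time=600\n' > "$1/etc/pam.d/system-auth"
  else
    printf 'Port 22\n#PermitRootLogin yes\n' > "$1/etc/ssh/sshd_config"
    printf 'PASS_MAX_DAYS 99999\n' > "$1/etc/login.defs"
    printf 'auth required pam_env.so\n' > "$1/etc/pam.d/system-auth"
  fi
  cp "$1/etc/pam.d/system-auth" "$1/etc/pam.d/password-auth"
}
```

Running `run_audit /` on the guest itself reports each check; the hardened sample deliberately carries a second, later `PermitRootLogin yes` to show that only the first directive counts.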
  • 13. 2.3) Network Security

1. VLAN ID: A VLAN has been created to isolate tenants from each other. The guest OS has been placed in a VLAN separated from the management network, which is completely isolated on a different port group.

2. Network Policy: The ESXi host has been configured to reject promiscuous mode, MAC address changes and forged transmits.
  • 14. 2.4) Public Cloud Security (AWS)

We have used Amazon Web Services as our public cloud, where most of the security challenges are dealt with by AWS. They provide a well-secured infrastructure through extensive network and security monitoring systems. Some of the security features provided by AWS are as mentioned below.

These systems provide basic but important security measures such as distributed denial of service (DDoS) protection and password brute-force detection on AWS accounts. Additional security measures include:

Secure access – Customer access points, also called API endpoints, allow secure HTTP access (HTTPS) so that you can establish secure communication sessions with your AWS services using SSL/TLS.

Built-in firewalls – You can control how accessible your instances are by configuring built-in firewall rules, from totally public to completely private, or somewhere in between. And when your instances reside within a Virtual Private Cloud (VPC) subnet, you can control egress as well as ingress.

Unique users – The AWS Identity and Access Management (IAM) tool allows you to control the level of access your own users have to your AWS infrastructure services. With AWS IAM, each user can have unique security credentials, eliminating the need for shared passwords or keys and allowing the security best practices of role separation and least privilege.

Multi-factor authentication (MFA) – AWS provides built-in support for multi-factor authentication (MFA) for use with your root AWS account as well as individual IAM user accounts under it.

Private subnets – The AWS Virtual Private Cloud (VPC) service allows you to add another layer of network security to your instances by creating private subnets and even adding an IPsec VPN tunnel between your home network and your AWS VPC.

Encrypted data storage – Customers can have the data and objects they store in Amazon EBS, Amazon S3, Glacier, Redshift, and Oracle and SQL Server RDS encrypted automatically using Advanced Encryption Standard (AES) 256, a secure symmetric-key encryption standard using 256-bit encryption keys.

Selection of Tools

We have used a few open-source tools such as NMAP, PuTTY, Nikto, OpenVAS and Nessus to run a pen test on our infrastructure to validate the security implementations and check for loopholes, if any.

3) Testing Approach

We carried out several manual and automated tests on our infrastructure to identify security vulnerabilities, ranging from finding the OS version and open ports to ping, SSH and Apache issues. Some of the test scenarios are:

1. Check if ESXi can be SSHed into: We used PuTTY to establish an SSH connection to ESXi. As we have enabled lockdown mode, it should not allow SSH. Given below is the test result.
  • 15. 2. Check if the guest OS can be SSHed into with the root account: We have disabled root SSH on the guest OS for better security, so it should not allow root SSH. Given below is the test result.

3. Check if the guest OS can be SSHed into with a non-root account: As we have not disabled non-root SSH to the guest OS, we should be able to connect. We connected with PuTTY to our CentOS guest operating system as user 'admin' and it connected fine. Given below is the finding.

4. Check the open ports on ESXi: We used the open-source tool nmap to scan our ESXi server to find the open ports. It found that only those ports required for communication with the management server and client are open, and the rest are blocked. Here is the result of the nmap scan:
#nmap 192.168.0.20
  • 16. 5. Check the open ports on the guest OS: We have used iptables to block all ports except SSH on the guest OS. Here is the scan result from nmap.

4) Findings and Risk Ratings, Challenges and Limitations

1. Running a scan with Nikto on the vCenter server shows that web components are installed but may not be secure, as no measures have been taken to secure the web server on the vCenter server.

2. Running an nmap scan on the guest OS reveals the OS version running on it, which may make it prone to targeted attacks.
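As an added example (not part of the report), the script below turns the manual nmap checks in tests 4 and 5 into a repeatable pass/fail verdict: it extracts the open TCP ports from a saved nmap report and flags anything outside an allow list. The allow lists are assumptions (80, 443 and 902 for ESXi management traffic; 22 alone for the guest) and the scan text is constructed rather than captured.

```shell
# Added example, not from the report: turn the nmap port checks in tests 4 and 5
# into a pass/fail verdict. Allowed-port lists are assumptions (ESXi: 80, 443 and
# 902 for vSphere client/vCenter; guest: 22 only) and the scan text is constructed.

# Print the TCP ports that an nmap report (normal output, file $1) lists as open.
open_ports() {
  awk '/^[0-9]+\/tcp[[:space:]]+open/ { split($1, p, "/"); print p[1] }' "$1"
}

# Print every open port in report $1 that is not in the space-separated allow
# list $2. Return 1 if any such port exists, 0 if the host matches the policy.
unexpected_open_ports() {
  bad=0
  for port in $(open_ports "$1"); do
    case " $2 " in
      *" $port "*) ;;                 # expected, e.g. 443 on ESXi
      *) echo "$port"; bad=1 ;;       # anything else is a finding
    esac
  done
  return $bad
}

# Write a constructed nmap-style report for host $2 to file $1, listing the
# ports in $3 as open (nmap's header lines are imitated here, not captured).
make_report() {
  {
    printf 'Nmap scan report for %s\nHost is up (0.00042s latency).\n' "$2"
    printf 'Not shown: 997 filtered ports\nPORT     STATE SERVICE\n'
    for p in $3; do printf '%s/tcp open  service\n' "$p"; done
  } > "$1"
}

# Check one host: report file $1, expected ports $2. Prints a verdict and
# returns 0 only when nothing beyond the expected ports is open.
verify_host() {
  extra=$(unexpected_open_ports "$1" "$2") && { echo "PASS: only [$2] open"; return 0; }
  echo "FAIL: unexpected open ports: $extra"
  return 1
}
```

On a live run, save the scan with `nmap -oN esxi.txt 192.168.0.20` and call `verify_host esxi.txt "80 443 902"`; the constructed report in `make_report` exists only so the check can be exercised offline.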
  • 17. 5) Outcome

While doing the security project we have come across the following results. We have been successful in securing our hybrid cloud infrastructure, which consists of security at four levels, namely hypervisor, guest OS, network and public cloud. We have acquired knowledge about the risks and threats associated with the infrastructure and accordingly selected tools and methodologies to alleviate the security risks. While doing that, we learned about different kinds of threat models and the different risks and threats associated with them. We have followed the AS/NZS 4360 and ENISA threat model under OWASP recommendations and learned about various aspects of security in our hybrid cloud infrastructure. Using some of the features while implementing AS/NZS 4360, we came to know how we can identify, analyze and treat the risks and how they affect the user experience.

6) Conclusion

With all our security implementation and testing approach, we have come to the conclusion that the inbuilt security features of the cloud software/platform can be combined with third-party software to achieve a better level of security. We cannot rely just on the inbuilt security features of the platform for a foolproof infrastructure. In our implementation, we secured our guest OS with all the inbuilt server hardening features and functions, though there were still a few vulnerabilities exposed which could be controlled using some third-party software. We have identified that more work needs to be done in our future implementations.

7) References

Amazon Web Services, Inc. (2014). AWS Security Center. [online] Available at: http://aws.amazon.com/security/ [Accessed 11 Dec. 2014].

Cyberciti.biz (2014). Top 30 Nmap Command Examples For Sys/Network Admins. [online] Available at: http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/ [Accessed 11 Dec. 2014].
  • 18. Kali.org (2014). [online] Available at: https://www.kali.org/official-documentation/ [Accessed 11 Dec. 2014].

Owasp.org (2014). Threat Risk Modeling - OWASP. [online] Available at: https://www.owasp.org/index.php/Threat_Risk_Modeling [Accessed 5 Dec. 2014].

Putty.org (2014). Download PuTTY - a free SSH and telnet client for Windows. [online] Available at: http://www.putty.org/ [Accessed 12 Dec. 2014].

vSphere Security (2014). 1st ed. [ebook] Available at: https://pubs.vmware.com/vsphere-50/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-50-security-guide.pdf [Accessed 8 Dec. 2014].