SlideShare a Scribd company logo

_Solve Cloud Packet Mysteries_4

L
Laura Taylor
1 of 20
Download to read offline
Solve Cloud Packet Mysteries Laura Taylor, ltaylor@relevanttechnologies.com March 24, 2014
Bad Problem: Packets Can Leak from One Tenant to Another Copyright 2014 Relevant Technologies 2
Worse Problem: Malicious code can circumvent tenant isolation methods (Challenge 15) Copyright 2014 Relevant Technologies Make it look like they accidentally let their packets leak. 3
Tenant 1 Tenant 2 Tenant 3 1 2 3 Virtual Switch Tenant 4 Tenant 5 34 Virtual Interface 5 Virtual Tap Packet Collector Packets Leaking Span Port Physical HostPhysical NIC Copyright 2014 Relevant Technologies 4
Tenant 1 Tenant 2 Tenant 3 1 2 3 Virtual Switch Tenant 4 Tenant 5 34 Virtual Interface 5 Virtual Tap Packet Collector Span Port Physical HostPhysical NIC Copyright 2014 Relevant Technologies 5
• Trojans and virtual machine-based rootkits • Misconfigured routers • Misconfigured virtual switches • Misconfigured live migrations • Hypervisor abstraction leaks (bugs) • Network Address Translation limitations • Switch address tables, unable to scale to network traffic, can overflow leading to flooding of unknown destination frames What makes packets leak to other tenants? Copyright 2014 Relevant Technologies 6
It is cost prohibitive for network administrators to isolate tenants each on their own network domain -- so tenants are mixed together on shared networks. A common problem is that each tenant may independently assign MAC addresses and VLAN IDs leading to potential duplication of these on the physical network. Isolating tenants on Layer 3 is not ideal. Oh dear! What should we do? The most serious packet leaking scenario? Copyright 2014 Relevant Technologies 7
But wait. Before we fix this problem, think about how it will effect a forensic investigation? • In a forensic investigation, even if you have captured the packets using a full packet capture appliance, how will you know which tenant they came from? • If you can’t prove which tenant the packets came from, how can you build a forensics case? Copyright 2014 Relevant Technologies 8
What should CSPs do? Copyright 2014 Relevant Technologies 9
• Test for leaks before initiating tenant provisioning. • Don’t allow guest virtual machines direct access to the physical hardware. • Don’t connect the guest virtual machine to the physical network via a bridge/router. • Maintain the integrity of guest operating systems offered to consumers and protect the kernel using standard procedures for disabling unneeded modules. What should CSPs do? Copyright 2014 Relevant Technologies 10
• Use Single Root I/O Virtualization (SR-iOV) • Use Virtual eXtensible Local Area Network (VXLAN) overlay networks (new IETF standard) How do we do this? Copyright 2014 Relevant Technologies 11
A • SR-iOV (Single Root I/O Virtualization) • A PCI SIG standard ( www.pcisig.com ) • Modern physical NIC is virtualized at the PCI level • Virtual machine binds directly to a virtual function within the NIC bypassing the hypervisor vswitch entirely • One to one assignment from virtual function to virtual switch • Cisco calls this Data Center Ethernet (DCE) • Most of the rest of the SAN industry (and IBM) call this Converged Enhanced Ethernet (CCE) What is SR-iOV? Copyright 2014 Relevant Technologies 12
A SR-iOV Illustrated Copyright 2014 Relevant Technologies 13 Source: Intel 1) Packet arrives at NIC 2) Packet sent to Layer 2 sorter 3) Packet queued to target virtual function 4) Direct memory access operation (DMA) initialized 5) DMA operation completes, packet now in vm memory 6) NIC fires interrupt indicating packet has arrived 7) VMM fires interrupt to vm to announce arrival
A • Virtual eXtensible Local Area Network • An overlay network and a new IETF standard • Enables hypervisor hide references to local resources by using encapsulation • Encapsulates the packets at the point in time when the guest frames leave the guest network stack and enter the hypervisor -- prior to sending the layer 2 frames. What is VXLAN? Copyright 2014 Relevant Technologies 14
A VXLAN Illustrated Copyright 2014 Relevant Technologies 15 Outer MAC DA Outer MAC SA Outer 8021.Q Outer IP DA Outer IP SA Outer UDP VXLAN Header Inner MAC DA Inner MAC SA Optional Inner 8021.Q Original Ethernet Payload CRC VXLAN Encapsulation Original Ethernet Frame
What should tenants do? Copyright 2014 Relevant Technologies 16
• Ask your CSP what controls they have put in place to isolate tenants • Ask your CSP what they did to test for packet leaks between tenants • Ask CSP if the switches they are using support SR-iOV or VXLAN • Assume your CSP might not be isolating tenants correctly - Put a virtual tap (vtap) on your virtual interface - Use the vtap to start collecting packets and look for packet leaks. Your CSP might not be aware of existing packet leaks so tenants might need to watch out for this themselves. - Report packet leaks to the CSP as a security incident What should CSP tenants do? Copyright 2014 Relevant Technologies 17
• If you use the wrong technologies, and/or if the cloud is not configured correctly, it could become nearly impossible to prove which tenants the packets came from, therefore making it extremely challenging to build a forensics case. The Takeaway Copyright 2014 Relevant Technologies 18
Landau, D. Hadas, M. Ben-Yehuda, Plugging the Hypervisor Abstraction Leaks Caused by Virtual Networking, IBM, April 2010 Rutkowska, Security Challenges in Virtualized Environments, Invisible Things Lab, April 2008 King, P. Chen, Y. Wang, C. Verbowski, H. Wang, J. Lorch, SubVirt: Implementing malware with virtual machines, IEEE Symposium on Security and Privacy, March 2006 Mahalingam, Dutt et al., IETF Draft, VXLAN: A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks (Expires 8/3/2014) Sridharan, et al., IETF Draft, Network Virtualization using Generic Routing Encapsulation (Expires 8/14) Ormandy, An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments, Google, April 2007 Garfinkel, M. Rosenblum, When Virtual Is Harder Than Real: Security Challenges in Virtual Machine-Based Computing Environments, Stanford University, August 2005 Hooda, S. Kapadia; P. Krishnan, Using TRILL, FabricPath, and VXLAN: Designing Massively Scalable Data Centers (MSDC) with Overlays, Cisco Press, February 6, 2014 PCI-SIG SR-IOV Primer, An Introduction to SR-IOV Technology, Intel, January 2011 References 19
ltaylor@relevanttechnologies.com Questions? 20

Recommended

Security Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSecurity Issues of IEEE 802.11b
Security Issues of IEEE 802.11b
Sreekanth GS
 
Security Issues of 802.11b
Security Issues of 802.11bSecurity Issues of 802.11b
Security Issues of 802.11b
guestd7b627
 
woot15-paper-novella
woot15-paper-novellawoot15-paper-novella
woot15-paper-novella
Eduardo Novella
 
Wireless network security
Wireless network securityWireless network security
Wireless network security
Vishal Agarwal
 
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Dr. Amarjeet Singh
 
Wireless Network security
Wireless Network securityWireless Network security
Wireless Network security
Fathima Rahaman
 
Wireless Network Security
Wireless Network SecurityWireless Network Security
Wireless Network Security
SAHEEL FAL DESAI
 
Futex ppt
Futex pptFutex ppt
Futex ppt
OECLIB Odisha Electronics Control Library
 

Recommended

Security Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSecurity Issues of IEEE 802.11b
Security Issues of IEEE 802.11b
Sreekanth GS
 
Security Issues of 802.11b
Security Issues of 802.11bSecurity Issues of 802.11b
Security Issues of 802.11b
guestd7b627
 
woot15-paper-novella
woot15-paper-novellawoot15-paper-novella
woot15-paper-novella
Eduardo Novella
 
Wireless network security
Wireless network securityWireless network security
Wireless network security
Vishal Agarwal
 
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Solving Downgrade and DoS Attack Due to the Four Ways Handshake Vulnerabiliti...
Dr. Amarjeet Singh
 
Wireless Network security
Wireless Network securityWireless Network security
Wireless Network security
Fathima Rahaman
 
Wireless Network Security
Wireless Network SecurityWireless Network Security
Wireless Network Security
SAHEEL FAL DESAI
 
Futex ppt
Futex pptFutex ppt
Futex ppt
OECLIB Odisha Electronics Control Library
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
vanhoefm
 
Wireless Network Security
Wireless Network SecurityWireless Network Security
Wireless Network Security
Gyana Ranjana
 
Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective Security
Lancope, Inc.
 
Wireless network security
Wireless network securityWireless network security
Wireless network security
Shahid Beheshti University
 
Ch20 Wireless Security
Ch20 Wireless SecurityCh20 Wireless Security
Ch20 Wireless Security
phanleson
 
Blug Talk
Blug TalkBlug Talk
Blug Talk
guestb9d7f98
 
IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...
IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...
IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...
Open Networking Perú (Opennetsoft)
 
A Rouge Relay Node Attack Detection and Prevention in 4G Multihop Wireless N...
A Rouge Relay Node Attack Detection and Prevention in 4G Multihop Wireless N...A Rouge Relay Node Attack Detection and Prevention in 4G Multihop Wireless N...
A Rouge Relay Node Attack Detection and Prevention in 4G Multihop Wireless N...
IRJET Journal
 
Pro Viva Emmanuel
Pro Viva EmmanuelPro Viva Emmanuel
Pro Viva Emmanuel
Emmanuel Emegha
 
complete_thesis
complete_thesiscomplete_thesis
complete_thesis
Mohammed Aldod
 
Security & Privacy in WLAN - A Primer and Case Study
Security & Privacy in WLAN - A Primer and Case StudySecurity & Privacy in WLAN - A Primer and Case Study
Security & Privacy in WLAN - A Primer and Case Study
Mohammad Mahmud Kabir
 
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
IDES Editor
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentation
Muhammad Zia
 
SPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor NetworksSPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor Networks
Abhijeet Awade
 
WLAN Attacks and Protection
WLAN Attacks and ProtectionWLAN Attacks and Protection
WLAN Attacks and Protection
Chandrak Trivedi
 
Viable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedViable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be Jeopardized
IRJET Journal
 
Virtual security gateways at network edge are key to protecting ultra broadba...
Virtual security gateways at network edge are key to protecting ultra broadba...Virtual security gateways at network edge are key to protecting ultra broadba...
Virtual security gateways at network edge are key to protecting ultra broadba...
Paul Stevens
 
Securing wireless network
Securing wireless networkSecuring wireless network
Securing wireless network
Syed Ubaid Ali Jafri
 
MeshDynamics Disruption Tolerant Networks
MeshDynamics Disruption Tolerant NetworksMeshDynamics Disruption Tolerant Networks
MeshDynamics Disruption Tolerant Networks
MeshDynamics
 
Sdn&security
Sdn&securitySdn&security
Sdn&security
Cristiano Monteiro
 
REFERENCIA 1
REFERENCIA 1 REFERENCIA 1
REFERENCIA 1
sergio fonseca
 
Anegats
AnegatsAnegats
Anegats
petrapico
 

More Related Content

What's hot

Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective Security
Lancope, Inc.
 
Ch20 Wireless Security
Ch20 Wireless SecurityCh20 Wireless Security
Ch20 Wireless Security
phanleson
 
IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...
IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...
IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...
Open Networking Perú (Opennetsoft)
 
Virtual security gateways at network edge are key to protecting ultra broadba...
Virtual security gateways at network edge are key to protecting ultra broadba...Virtual security gateways at network edge are key to protecting ultra broadba...
Virtual security gateways at network edge are key to protecting ultra broadba...
Paul Stevens
 
MeshDynamics Disruption Tolerant Networks
MeshDynamics Disruption Tolerant NetworksMeshDynamics Disruption Tolerant Networks
MeshDynamics Disruption Tolerant Networks
MeshDynamics
 

What's hot (20)

Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
 
Wireless Network Security
Wireless Network SecurityWireless Network Security
Wireless Network Security
 
Solving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective SecuritySolving the Visibility Gap for Effective Security
Solving the Visibility Gap for Effective Security
 
Wireless network security
Wireless network securityWireless network security
Wireless network security
 
Ch20 Wireless Security
Ch20 Wireless SecurityCh20 Wireless Security
Ch20 Wireless Security
 
Blug Talk
Blug TalkBlug Talk
Blug Talk
 
IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...
IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...
IntelFlow: Toward adding Cyber Threat Intelligence to Software Defined Networ...
 
A Rouge Relay Node Attack Detection and Prevention in 4G Multihop Wireless N...
A Rouge Relay Node Attack Detection and Prevention in 4G Multihop Wireless N...A Rouge Relay Node Attack Detection and Prevention in 4G Multihop Wireless N...
A Rouge Relay Node Attack Detection and Prevention in 4G Multihop Wireless N...
 
Pro Viva Emmanuel
Pro Viva EmmanuelPro Viva Emmanuel
Pro Viva Emmanuel
 
complete_thesis
complete_thesiscomplete_thesis
complete_thesis
 
Security & Privacy in WLAN - A Primer and Case Study
Security & Privacy in WLAN - A Primer and Case StudySecurity & Privacy in WLAN - A Primer and Case Study
Security & Privacy in WLAN - A Primer and Case Study
 
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
Attack Robustness and Security Enhancement with Improved Wired Equivalent Pro...
 
Wireless security presentation
Wireless security presentationWireless security presentation
Wireless security presentation
 
SPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor NetworksSPINS: Security Protocols for Sensor Networks
SPINS: Security Protocols for Sensor Networks
 
WLAN Attacks and Protection
WLAN Attacks and ProtectionWLAN Attacks and Protection
WLAN Attacks and Protection
 
Viable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be JeopardizedViable means using which Wireless Network Security can be Jeopardized
Viable means using which Wireless Network Security can be Jeopardized
 
Virtual security gateways at network edge are key to protecting ultra broadba...
Virtual security gateways at network edge are key to protecting ultra broadba...Virtual security gateways at network edge are key to protecting ultra broadba...
Virtual security gateways at network edge are key to protecting ultra broadba...
 
Securing wireless network
Securing wireless networkSecuring wireless network
Securing wireless network
 
MeshDynamics Disruption Tolerant Networks
MeshDynamics Disruption Tolerant NetworksMeshDynamics Disruption Tolerant Networks
MeshDynamics Disruption Tolerant Networks
 
Sdn&security
Sdn&securitySdn&security
Sdn&security
 

Viewers also liked

Grab a coffee and take 5 mins out
Grab a coffee and take 5 mins outGrab a coffee and take 5 mins out
Grab a coffee and take 5 mins out
Druantia
 
Ibrahim Mahmoud Qawasmeh CV
Ibrahim Mahmoud Qawasmeh CVIbrahim Mahmoud Qawasmeh CV
Ibrahim Mahmoud Qawasmeh CV
Ibrahim Qawasmeh
 
Communicative language teaching
Communicative language teachingCommunicative language teaching
Communicative language teaching
Mariam Bedraoui
 

Viewers also liked (16)

REFERENCIA 1
REFERENCIA 1 REFERENCIA 1
REFERENCIA 1
 
Anegats
AnegatsAnegats
Anegats
 
2574324 635757236057878750
2574324 6357572360578787502574324 635757236057878750
2574324 635757236057878750
 
Anegats
AnegatsAnegats
Anegats
 
Redaccion de articulos cientificos
Redaccion de articulos cientificosRedaccion de articulos cientificos
Redaccion de articulos cientificos
 
Resumenes act. 5
Resumenes act. 5Resumenes act. 5
Resumenes act. 5
 
Grab a coffee and take 5 mins out
Grab a coffee and take 5 mins outGrab a coffee and take 5 mins out
Grab a coffee and take 5 mins out
 
Resumen
ResumenResumen
Resumen
 
Referencia 1 actividad 9
Referencia 1 actividad 9Referencia 1 actividad 9
Referencia 1 actividad 9
 
Ibrahim Mahmoud Qawasmeh CV
Ibrahim Mahmoud Qawasmeh CVIbrahim Mahmoud Qawasmeh CV
Ibrahim Mahmoud Qawasmeh CV
 
Rúbrica para evaluar exposiciones orales
Rúbrica para evaluar exposiciones oralesRúbrica para evaluar exposiciones orales
Rúbrica para evaluar exposiciones orales
 
Power point method
Power point methodPower point method
Power point method
 
Communicative language teaching
Communicative language teachingCommunicative language teaching
Communicative language teaching
 
мартынов н.д. 2503
мартынов н.д. 2503мартынов н.д. 2503
мартынов н.д. 2503
 
06.84 JAVA SE_drawing graphics
06.84 JAVA SE_drawing graphics06.84 JAVA SE_drawing graphics
06.84 JAVA SE_drawing graphics
 
Paper1 jefri string
Paper1 jefri stringPaper1 jefri string
Paper1 jefri string
 

Similar to _Solve Cloud Packet Mysteries_4

Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
Dan Mihai Dumitriu
 
Study Wireless Security Deployment - PKL
Study Wireless Security Deployment - PKLStudy Wireless Security Deployment - PKL
Study Wireless Security Deployment - PKL
Aaron ND Sawmadal
 
Detecting co residency with active traffic analysis techniques
Detecting co residency with active traffic analysis techniquesDetecting co residency with active traffic analysis techniques
Detecting co residency with active traffic analysis techniques
Yama Haku
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Abhinav Biswas
 

Similar to _Solve Cloud Packet Mysteries_4 (20)

Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
Exploring Quantum Engineering for Networking by Melchior Aelmans, Juniper Net...
 
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERSVTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
 
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
Midokura OpenStack Day Korea Talk: MidoNet Open Source Network Virtualization...
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
 
IRJET- A Survey of Working on Virtual Private Networks
IRJET- A Survey of Working on Virtual Private NetworksIRJET- A Survey of Working on Virtual Private Networks
IRJET- A Survey of Working on Virtual Private Networks
 
Security in IoT
Security in IoTSecurity in IoT
Security in IoT
 
MidoNet gives OpenStack Neutron a Boost
MidoNet gives OpenStack Neutron a BoostMidoNet gives OpenStack Neutron a Boost
MidoNet gives OpenStack Neutron a Boost
 
Study Wireless Security Deployment - PKL
Study Wireless Security Deployment - PKLStudy Wireless Security Deployment - PKL
Study Wireless Security Deployment - PKL
 
Detecting co residency with active traffic analysis techniques
Detecting co residency with active traffic analysis techniquesDetecting co residency with active traffic analysis techniques
Detecting co residency with active traffic analysis techniques
 
Building the Internet of Things with Eclipse IoT - IoTBE meetup
Building the Internet of Things with Eclipse IoT - IoTBE meetupBuilding the Internet of Things with Eclipse IoT - IoTBE meetup
Building the Internet of Things with Eclipse IoT - IoTBE meetup
 
IRATI Experimentation, US-EU FIRE Workshop
IRATI Experimentation, US-EU FIRE WorkshopIRATI Experimentation, US-EU FIRE Workshop
IRATI Experimentation, US-EU FIRE Workshop
 
ioT-SecurityECC-v1
ioT-SecurityECC-v1ioT-SecurityECC-v1
ioT-SecurityECC-v1
 
CCNA 1 Chapter 11 v5.0 2014
CCNA 1 Chapter 11 v5.0 2014CCNA 1 Chapter 11 v5.0 2014
CCNA 1 Chapter 11 v5.0 2014
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
Network Telemetry: Pushing Boundaries
Network Telemetry: Pushing BoundariesNetwork Telemetry: Pushing Boundaries
Network Telemetry: Pushing Boundaries
 
44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN44CON London 2015 - Inside Terracotta VPN
44CON London 2015 - Inside Terracotta VPN
 
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner MaiaIpv6 Security with Mikrotik RouterOS by Wardner Maia
Ipv6 Security with Mikrotik RouterOS by Wardner Maia
 

_Solve Cloud Packet Mysteries_4

  • 1. Solve Cloud Packet Mysteries Laura Taylor, ltaylor@relevanttechnologies.com March 24, 2014
  • 2. Bad Problem: Packets Can Leak from One Tenant to Another Copyright 2014 Relevant Technologies 2
  • 3. Worse Problem: Malicious code can circumvent tenant isolation methods (Challenge 15) Copyright 2014 Relevant Technologies Make it look like they accidentally let their packets leak. 3
  • 4. Tenant 1 Tenant 2 Tenant 3 1 2 3 Virtual Switch Tenant 4 Tenant 5 34 Virtual Interface 5 Virtual Tap Packet Collector Packets Leaking Span Port Physical HostPhysical NIC Copyright 2014 Relevant Technologies 4
  • 5. Tenant 1 Tenant 2 Tenant 3 1 2 3 Virtual Switch Tenant 4 Tenant 5 34 Virtual Interface 5 Virtual Tap Packet Collector Span Port Physical HostPhysical NIC Copyright 2014 Relevant Technologies 5
  • 6. • Trojans and virtual machine-based rootkits • Misconfigured routers • Misconfigured virtual switches • Misconfigured live migrations • Hypervisor abstraction leaks (bugs) • Network Address Translation limitations • Switch address tables, unable to scale to network traffic, can overflow leading to flooding of unknown destination frames What makes packets leak to other tenants? Copyright 2014 Relevant Technologies 6
  • 7. It is cost prohibitive for network administrators to isolate tenants each on their own network domain -- so tenants are mixed together on shared networks. A common problem is that each tenant may independently assign MAC addresses and VLAN IDs leading to potential duplication of these on the physical network. Isolating tenants on Layer 3 is not ideal. Oh dear! What should we do? The most serious packet leaking scenario? Copyright 2014 Relevant Technologies 7
  • 8. But wait. Before we fix this problem, think about how it will effect a forensic investigation? • In a forensic investigation, even if you have captured the packets using a full packet capture appliance, how will you know which tenant they came from? • If you can’t prove which tenant the packets came from, how can you build a forensics case? Copyright 2014 Relevant Technologies 8
  • 9. What should CSPs do? Copyright 2014 Relevant Technologies 9
  • 10. • Test for leaks before initiating tenant provisioning. • Don’t allow guest virtual machines direct access to the physical hardware. • Don’t connect the guest virtual machine to the physical network via a bridge/router. • Maintain the integrity of guest operating systems offered to consumers and protect the kernel using standard procedures for disabling unneeded modules. What should CSPs do? Copyright 2014 Relevant Technologies 10
  • 11. • Use Single Root I/O Virtualization (SR-iOV) • Use Virtual eXtensible Local Area Network (VXLAN) overlay networks (new IETF standard) How do we do this? Copyright 2014 Relevant Technologies 11
  • 12. A • SR-iOV (Single Root I/O Virtualization) • A PCI SIG standard ( www.pcisig.com ) • Modern physical NIC is virtualized at the PCI level • Virtual machine binds directly to a virtual function within the NIC bypassing the hypervisor vswitch entirely • One to one assignment from virtual function to virtual switch • Cisco calls this Data Center Ethernet (DCE) • Most of the rest of the SAN industry (and IBM) call this Converged Enhanced Ethernet (CCE) What is SR-iOV? Copyright 2014 Relevant Technologies 12
  • 13. A SR-iOV Illustrated Copyright 2014 Relevant Technologies 13 Source: Intel 1) Packet arrives at NIC 2) Packet sent to Layer 2 sorter 3) Packet queued to target virtual function 4) Direct memory access operation (DMA) initialized 5) DMA operation completes, packet now in vm memory 6) NIC fires interrupt indicating packet has arrived 7) VMM fires interrupt to vm to announce arrival
  • 14. A • Virtual eXtensible Local Area Network • An overlay network and a new IETF standard • Enables hypervisor hide references to local resources by using encapsulation • Encapsulates the packets at the point in time when the guest frames leave the guest network stack and enter the hypervisor -- prior to sending the layer 2 frames. What is VXLAN? Copyright 2014 Relevant Technologies 14
  • 15. A VXLAN Illustrated Copyright 2014 Relevant Technologies 15 Outer MAC DA Outer MAC SA Outer 8021.Q Outer IP DA Outer IP SA Outer UDP VXLAN Header Inner MAC DA Inner MAC SA Optional Inner 8021.Q Original Ethernet Payload CRC VXLAN Encapsulation Original Ethernet Frame
  • 16. What should tenants do? Copyright 2014 Relevant Technologies 16
  • 17. • Ask your CSP what controls they have put in place to isolate tenants • Ask your CSP what they did to test for packet leaks between tenants • Ask CSP if the switches they are using support SR-iOV or VXLAN • Assume your CSP might not be isolating tenants correctly - Put a virtual tap (vtap) on your virtual interface - Use the vtap to start collecting packets and look for packet leaks. Your CSP might not be aware of existing packet leaks so tenants might need to watch out for this themselves. - Report packet leaks to the CSP as a security incident What should CSP tenants do? Copyright 2014 Relevant Technologies 17
  • 18. • If you use the wrong technologies, and/or if the cloud is not configured correctly, it could become nearly impossible to prove which tenants the packets came from, therefore making it extremely challenging to build a forensics case. The Takeaway Copyright 2014 Relevant Technologies 18
  • 19. Landau, D. Hadas, M. Ben-Yehuda, Plugging the Hypervisor Abstraction Leaks Caused by Virtual Networking, IBM, April 2010 Rutkowska, Security Challenges in Virtualized Environments, Invisible Things Lab, April 2008 King, P. Chen, Y. Wang, C. Verbowski, H. Wang, J. Lorch, SubVirt: Implementing malware with virtual machines, IEEE Symposium on Security and Privacy, March 2006 Mahalingam, Dutt et al., IETF Draft, VXLAN: A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks (Expires 8/3/2014) Sridharan, et al., IETF Draft, Network Virtualization using Generic Routing Encapsulation (Expires 8/14) Ormandy, An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments, Google, April 2007 Garfinkel, M. Rosenblum, When Virtual Is Harder Than Real: Security Challenges in Virtual Machine-Based Computing Environments, Stanford University, August 2005 Hooda, S. Kapadia; P. Krishnan, Using TRILL, FabricPath, and VXLAN: Designing Massively Scalable Data Centers (MSDC) with Overlays, Cisco Press, February 6, 2014 PCI-SIG SR-IOV Primer, An Introduction to SR-IOV Technology, Intel, January 2011 References 19