SlideShare ist ein Scribd-Unternehmen logo

Openstack: security beyond firewalls

GARL
GARL

Cloud infrastructure have changed both the way the attacks are made both the methodologies for its protection. In this workshop gave at OpenStack day Italy, Giuseppe Paternò, CTO at GARL, explores the components of OpenStack security and other measures to protect both the infrastructure itself and the applications hosted

Technologie
1 von 38
Downloaden Sie, um offline zu lesen
OpenStack: Security beyond firewalls MAKING THE CLOUD A SAFER SPACE Giuseppe “Gippa” Paternò, Network & Security NERD 30th May 2014 * OpenStackDay Italy Twitter: @gpaterno - Website: www.gpaterno.com
About me IT security products and virtualization services focused on identity protection on the Cloud, as the user is became the ultimate perimeter of a never ending distributed model. HQ based in Switzerland and whose servers are located in Switzerland. User privacy is protected by strict Swiss privacy regulations, no UE or US exceptions allowed. IT Architect and Security Expert with background in Open Source. Former Network and Security architect for Canonical, RedHat, Wind/ Infostrada, Sun Microsystems and IBM and Visiting Researcher at the University of Dublin Trinity College. Past projects: standard for J2ME Over-The-Air (OTA) provisioning along with Vodafone, the study of architecture and standards for the delivery of MHP applications for the digital terrestrial television (DTT) on behalf of DTT Lab (Telecom Italia/LA7) and implementation of HLR for Vodafone landline services. Lot of writings, mainly on computer security. CTO and Director of GARL, a multinational company based in Switzerland and UK, owner of SecurePass and SecureData. TM Secure Data beta BANK OF PASSWORDS
62% Increase breaches in 2013(1) 1 in 5 Organizations have experienced an APT attack (4) 3 Trillion$ Total global impact of cybercrime(3) 8 months Is the average time an advanced threat goes unnoticed on victim’s network(2) 2,5 billion Exposed records as results of a data breach in the past 5 years(5) 1,3,5: Increased cyber security can save global economy trillions, McKinsey/World Economic Forum, January 2014 2: M-Trends 2013: attack the security gap, Mandiant, March 2013 4: ISACA’s 2014 APT study, ISACA, April 2014. Source: ISACA Cyber Security Nexus Too many threats
Network APIs Identity Application OpenStack Domain Guest Domain OpenStack and Guest Security
Network Security (OpenStack built-in systems)
Linux Namespaces Used in OpenStack, widely adopted in Neutron, it was Originally created for Linux Control Groups (aka cgroups) PID namespaces isolate the process ID number space so that processes in different PID namespaces can have the same PID Network namespaces provide isolation of the system resources associated with networking User namespaces isolate the user and group ID number spaces. Mount namespaces isolate the set of filesystem mount points seen by a group of processes. Mentioning: IPC and Unix Time-Sharing (UTS) namespaces
Neutron Server runs on Controller, expose APIs, enforce network model, pass to Neutron Plugin Neutron Plugin runs on Controller, implements APIs, every vendor can create its own “implementation” (ex: Cisco, Juniper, ...) Plugin Agent, run on each compute node and connect instances to the virtual network Default implementation based on OpenVSwitch OpenFlow to be set as fundamental open protocol for building SDN OpenStack Neutron Software-Defined Network in OpenStack, it answer RESTful APIs. Still no “industry” standard for encapsulating VLANs over L3, VXLANs set to be a preferred choice but any vendor has its choice (ex: Juniper has MPLS over IP)
Namespaces enables multiple instances of a routing table to co-exist within the same Linux box Network namespaces make it possible to separate network domains (network interfaces, routing tables, iptables) into completely separate and independent virtual datacenters Advantage of namespaces implementation in Neutron is that tenants can create overlapping IP addresses and independent routing schema The neutron-l3-agent is designed to use network namespaces to provide multiple independent virtual routers per node. OpenStack Neutron and Network Namespaces
List Namespaces Show firewall rules in a virtual router Example of Network Namespaces # ip netns qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 qdhcp-bebd6bc8-2bd0-4bdd-890c-9657faf80444 # ip netns exec qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 iptables -L -vn Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
OpenStack Neutron L3 Agent
OpenStack Neutron FWaaS Firewall as a Service in Neutron Different from the Security Groups in the instance Default to IPtables support into tenant’s ip NameSpace
OpenStack Neutron VPNaaS Neutron has capability to handle per-tenant VPNs, named VPN-as-a-Service Based on IPSec, just implementing IKE with “PSK” authentication mode rather than using certificates Suited for site-to-site VPNs and provide Hybrid cloud Implemented on top of IP NameSpaces (“ip netns add vpn”) Draft exists on bringing OpenVPN to Neutron Not suited for “roadwarriors”, i.e. clients connection
OpenStack Neutron VPNaaS
APIs Security (OpenStack and Cloud Applications)
APIsApplication APIs APIs are your point of contact from external world, you must make them highly secure Firewall are not enough! Anything can be sent over HTTP/ HTTPS. REST, XML-RPC, ... Web-based APIs
Usernames and passwords, session tokens and API keys must never appear in the URL (Proxy caching and logging) Allow only selected HTTP methods Protect privileged actions and sensitive resource collections Validate inputs and enforce typing of values Validate incoming Content-Type and other headers Encrypt data in transit Validation also apply to payload: JSON, XML or whatsoever General APIs best practices
OpenStack APIs All OpenStack software is based on APIs, consumed from End customers and tools to access the platform programmatically Among OpenStack components, is a way of decoupling components implementations Easily from “curl” tools OpenStack Command Line tools REST clients OpenStack Software Development Kit (SDK) RESTFUL API
OpenStack APIs EndPoints
1. Obtain a Token curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens 2. Consume the API (through the obtained token): curl -i -X GET http://localhost:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: token" OpenStack APIs Workflow
The token request will reveal the endpoints URLs: Compute/Nova, S3,Image/ Glance, Volume/Cinder, EC2, Identity/Keystone Revealing the EndPoints
Isolate API endpoint processes, especially those that reside within the public security domain should be isolated as much as possible. API endpoints should be deployed on separate hosts for increased isolation. Apply Defense-in-Depth concept: configure services, host-based firewalls, local policy (SELinux or AppArmor), and optionally global network policy. Use Linux namespaces to assign processes into independent domains Use network ACLs and IDS technologies to enforce explicit point to point communication between network services (ex: wire-level ACLs in L3 switches) OpenStack APIs best practices
Isolate API endpoint processes from each other and other processes on a machine. Use Mandatory Access Controls (MAC) on top of Discretionary Access Controls to segregate processes, ex: SE-Linux Objective: containment and escalation of API endpoint security breaches. Use of MACs at the OS level severely limit access to resources and provide earlier alerting on such events. Mandatory Access Control in APIs
RESTful APIs, mixture of POST (in request) and JSON (in response), Channel encrypted with TLS high cypher, Based on APP ID and APP Secret Example: /api/v1/users/info Ex: SecurePass NG (Dreamliner) APIs Security in functionalities, APP ID read-only or read-write in network, APP ID can be limited to a given IPv4/IPv6 in domain, APP ID is linked to only a specific realm/ domain
Identity Security (OpenStack and Cloud Applications)
User management: keep tracks of users, roles and permissions Service catalog: Provide a catalog of what services are available and where the OpenStack APIs EndPoint are located OpenStack Keystone Provides Identity, Token, Catalog and policy services for uses inside the OpenStack family and implements OpenStack’s Identity APIs
Users A user represent a human user and has associated information such as username, password and e-mail Tenants A tenant can represent a customer, organization or a group. Roles A role is what operations a user is permitted to perform in a given tenant OpenStack Identity Management Keystone permit the following back-ends for IDMs: SQL Backend (SQLAlchemy, it’s python), PAM, LDAP and custom plugins
Catching username and passwords means reveal the whole OpenStack infrastructure and control it! $ curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/ tokens OpenStack Keystone
10 millionsof victims of identity theft in USA in 2008 (Javelin Strategy and Research, 2009) 221 billions $lost every year due to identity theft (Aberdeen Group) 35 billioncorporate and government records compromised in 2010 (Aberdeen Group) 2 years of a working resource to correct damages due to identity theft (ITRC Aftermath Study, 2004) 2 billions $damages reported in Italy in 2009 (Ricerca ABI) The victims of identity theft
Security must be simple and transparent to the end user, otherwise it will be circumvented! Identity best practices in applications Strong authentication of the users GeoIP Patches, patches and patches! Secure application programming
Hosted Apps Need of a central Cloud Control Cloud Orchestrator 2FA/SSO
<Directory /srv/www/myapp> AllowOverride None Order allow,deny allow from all AuthType CAS require spgroup mygroup@company.com </Directory> Example of Web identity protection Require access through the SecurePass SSO portal with 2FA Restrict to a dynamic group (with GeoIP)
Real-life example (aka Case Study)
My accountant has his desktop computer broken, he has no time to change it, need something “always available” and in a restricted budget He needs Windows for his accounting software He has no office and works from home sometimes, he needs to access his desktop from ideally from his TV He wants to connect from his customers’, but not always a computer available for him He need emergency way of accessing the desktop from customers’ or from Internet Cafes (ex: on holidays) Must provide a secure access as he holds very confidential data Case Study: Overview & Requirements
From home, access the platform with an Android Mini-PC on existing HDMI TV, keyboard and a VPN with Mikrotik device (Equipment ~120 EUR) When at customer, access the platform with the existing Samsung Android tablet. Added bluetooth Keyboard + Mouse and OpenVPN (K+M ~60 EUR) Emergency access provided with an RDP HTML5 gateway OpenStack as the operational platform SecurePass as a security mechanism to protect access to his virtual desktop Case Study: Solution Virtualize his existing desktop system
Case Study: Overall Schema
2FA RDP over HTML5 OpenVPN Windows Machine (RDP) Web Browser OpenVPN on Android + RDP Client Appliance details
Acknowledgments TM Demo hosted by powered by teuto.net www.ostack.de Security provided by www.secure-pass.net
Thank you MAKING THE CLOUD A SAFER SPACE

Empfohlen

Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security BriefShmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Briefopenfly
 
OpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsOpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsGiuseppe Paterno'
 
Openstack security presentation 2013
Openstack security presentation 2013Openstack security presentation 2013
Openstack security presentation 2013brian_chong
 
Holistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsHolistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsMajor Hayden
 
IPsec with AH
IPsec with AHIPsec with AH
IPsec with AHjtlevesque
 
Intro to the FIWARE Lab
Intro to the FIWARE LabIntro to the FIWARE Lab
Intro to the FIWARE LabFIWARE
 
I psec cisco
I psec ciscoI psec cisco
I psec ciscoDeepak296
 
HP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond FirewallsHP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond FirewallsBeMyApp
 

Empfohlen

Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security BriefShmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Briefopenfly
 
OpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsOpenStack: Security Beyond Firewalls
OpenStack: Security Beyond FirewallsGiuseppe Paterno'
 
Openstack security presentation 2013
Openstack security presentation 2013Openstack security presentation 2013
Openstack security presentation 2013brian_chong
 
Holistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsHolistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsMajor Hayden
 
IPsec with AH
IPsec with AHIPsec with AH
IPsec with AHjtlevesque
 
Intro to the FIWARE Lab
Intro to the FIWARE LabIntro to the FIWARE Lab
Intro to the FIWARE LabFIWARE
 
I psec cisco
I psec ciscoI psec cisco
I psec ciscoDeepak296
 
HP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond FirewallsHP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond FirewallsBeMyApp
 
OpenStack Security
OpenStack SecurityOpenStack Security
OpenStack Securityopenstackindia
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpnsharetech
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols NetProtocol Xpert
 
Ipsec 2
Ipsec 2Ipsec 2
Ipsec 2Sourabh Badve
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS NetProtocol Xpert
 
Ipsec
IpsecIpsec
IpsecBaidyanath Dutta
 
9(1)
9(1)9(1)
9(1)sruthi c
 
Linux Security Quick Reference Guide
Linux Security Quick Reference GuideLinux Security Quick Reference Guide
Linux Security Quick Reference Guidewensheng wei
 
Ip security
Ip security Ip security
Ip security Naveen Dubey
 
Developing an IoT System FIWARE Based from the Scratch
Developing an IoT System FIWARE Based from the ScratchDeveloping an IoT System FIWARE Based from the Scratch
Developing an IoT System FIWARE Based from the ScratchFIWARE
 
Setting up your virtual infrastructure using FIWARE Lab Cloud
Setting up your virtual infrastructure using FIWARE Lab CloudSetting up your virtual infrastructure using FIWARE Lab Cloud
Setting up your virtual infrastructure using FIWARE Lab CloudFernando Lopez Aguilar
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1Sankaranarayanan Subramanian
 
IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1Abdallah Abuouf
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and sslMohd Arif
 
Join FIWARE Lab
Join FIWARE LabJoin FIWARE Lab
Join FIWARE LabFederico Michele Facca
 
Internet Key Exchange Protocol
Internet Key Exchange ProtocolInternet Key Exchange Protocol
Internet Key Exchange ProtocolPrateek Singh Bapna
 
Crypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationCrypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationdborsan
 
IS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecurityIS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecuritySarthak Patel
 
Ipsec
IpsecIpsec
IpsecRupesh Mishra
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale
 
Workshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, VirtualizationWorkshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, VirtualizationJayaprakash R
 
Openstack workshop @ Kalasalingam
Openstack workshop @ KalasalingamOpenstack workshop @ Kalasalingam
Openstack workshop @ KalasalingamBeny Raja
 

Weitere ähnliche Inhalte

Was ist angesagt?

IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols NetProtocol Xpert
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS NetProtocol Xpert
 
Linux Security Quick Reference Guide
Linux Security Quick Reference GuideLinux Security Quick Reference Guide
Linux Security Quick Reference Guidewensheng wei
 
Developing an IoT System FIWARE Based from the Scratch
Developing an IoT System FIWARE Based from the ScratchDeveloping an IoT System FIWARE Based from the Scratch
Developing an IoT System FIWARE Based from the ScratchFIWARE
 
Setting up your virtual infrastructure using FIWARE Lab Cloud
Setting up your virtual infrastructure using FIWARE Lab CloudSetting up your virtual infrastructure using FIWARE Lab Cloud
Setting up your virtual infrastructure using FIWARE Lab CloudFernando Lopez Aguilar
 
IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1Abdallah Abuouf
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and sslMohd Arif
 
Crypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationCrypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationdborsan
 
IS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecurityIS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecuritySarthak Patel
 

Was ist angesagt? (19)

OpenStack Security
OpenStack SecurityOpenStack Security
OpenStack Security
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
 
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
 
Ipsec 2
Ipsec 2Ipsec 2
Ipsec 2
 
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
SITE TO SITE IPSEC VPN TUNNEL B/W CISCO ROUTERS
 
Ipsec
IpsecIpsec
Ipsec
 
9(1)
9(1)9(1)
9(1)
 
Linux Security Quick Reference Guide
Linux Security Quick Reference GuideLinux Security Quick Reference Guide
Linux Security Quick Reference Guide
 
Ip security
Ip security Ip security
Ip security
 
Developing an IoT System FIWARE Based from the Scratch
Developing an IoT System FIWARE Based from the ScratchDeveloping an IoT System FIWARE Based from the Scratch
Developing an IoT System FIWARE Based from the Scratch
 
Setting up your virtual infrastructure using FIWARE Lab Cloud
Setting up your virtual infrastructure using FIWARE Lab CloudSetting up your virtual infrastructure using FIWARE Lab Cloud
Setting up your virtual infrastructure using FIWARE Lab Cloud
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1
 
IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1IPSec VPN Tutorial Part1
IPSec VPN Tutorial Part1
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and ssl
 
Join FIWARE Lab
Join FIWARE LabJoin FIWARE Lab
Join FIWARE Lab
 
Internet Key Exchange Protocol
Internet Key Exchange ProtocolInternet Key Exchange Protocol
Internet Key Exchange Protocol
 
Crypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configurationCrypto map based IPsec VPN fundamentals - negotiation and configuration
Crypto map based IPsec VPN fundamentals - negotiation and configuration
 
IS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecurityIS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email Security
 
Ipsec
IpsecIpsec
Ipsec
 

Ähnlich wie Openstack: security beyond firewalls

OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale
 
Workshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, VirtualizationWorkshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, VirtualizationJayaprakash R
 
Openstack workshop @ Kalasalingam
Openstack workshop @ KalasalingamOpenstack workshop @ Kalasalingam
Openstack workshop @ KalasalingamBeny Raja
 
OpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeOpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeCybera Inc.
 
OpenStack Neutron Havana Overview - Oct 2013
OpenStack Neutron Havana Overview - Oct 2013OpenStack Neutron Havana Overview - Oct 2013
OpenStack Neutron Havana Overview - Oct 2013Edgar Magana
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaLorenzo Carnevale
 
Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...Joel W. King
 
7 - Introduction to OpenStack & SDN by Ady Saputra
7 - Introduction to OpenStack & SDN by Ady Saputra7 - Introduction to OpenStack & SDN by Ady Saputra
7 - Introduction to OpenStack & SDN by Ady SaputraSDNRG ITB
 
Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...Joel W. King
 
Operate with an openstack deployment by code
Operate with an openstack deployment by codeOperate with an openstack deployment by code
Operate with an openstack deployment by codeAlessandro Martellone
 
New and smart way to develop microservice for istio with micro profile
New and smart way to develop microservice for istio with micro profileNew and smart way to develop microservice for istio with micro profile
New and smart way to develop microservice for istio with micro profileEmily Jiang
 
OpenStack hands-on (All-in-One)
OpenStack hands-on (All-in-One)OpenStack hands-on (All-in-One)
OpenStack hands-on (All-in-One)JeSam Kim
 
Aptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity serviceAptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity serviceOpenStack
 
Neutron behind the scenes
Neutron behind the scenesNeutron behind the scenes
Neutron behind the scenesinbroker
 
Openstack_administration
Openstack_administrationOpenstack_administration
Openstack_administrationAshish Sharma
 
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation EcosystemHow APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation EcosystemCisco DevNet
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity serviceopenstackindia
 
neutron_icehouse_update
neutron_icehouse_updateneutron_icehouse_update
neutron_icehouse_updateAkihiro Motoki
 
OpenStack Security Project
OpenStack Security ProjectOpenStack Security Project
OpenStack Security ProjectTravis McPeak
 
GDL OpenStack Community - Openstack Introduction
GDL OpenStack Community - Openstack IntroductionGDL OpenStack Community - Openstack Introduction
GDL OpenStack Community - Openstack IntroductionVictor Morales
 

Ähnlich wie Openstack: security beyond firewalls (20)

OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
 
Workshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, VirtualizationWorkshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, Virtualization
 
Openstack workshop @ Kalasalingam
Openstack workshop @ KalasalingamOpenstack workshop @ Kalasalingam
Openstack workshop @ Kalasalingam
 
OpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeOpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information Exchange
 
OpenStack Neutron Havana Overview - Oct 2013
OpenStack Neutron Havana Overview - Oct 2013OpenStack Neutron Havana Overview - Oct 2013
OpenStack Neutron Havana Overview - Oct 2013
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
 
Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...
 
7 - Introduction to OpenStack & SDN by Ady Saputra
7 - Introduction to OpenStack & SDN by Ady Saputra7 - Introduction to OpenStack & SDN by Ady Saputra
7 - Introduction to OpenStack & SDN by Ady Saputra
 
Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...
 
Operate with an openstack deployment by code
Operate with an openstack deployment by codeOperate with an openstack deployment by code
Operate with an openstack deployment by code
 
New and smart way to develop microservice for istio with micro profile
New and smart way to develop microservice for istio with micro profileNew and smart way to develop microservice for istio with micro profile
New and smart way to develop microservice for istio with micro profile
 
OpenStack hands-on (All-in-One)
OpenStack hands-on (All-in-One)OpenStack hands-on (All-in-One)
OpenStack hands-on (All-in-One)
 
Aptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity serviceAptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity service
 
Neutron behind the scenes
Neutron behind the scenesNeutron behind the scenes
Neutron behind the scenes
 
Openstack_administration
Openstack_administrationOpenstack_administration
Openstack_administration
 
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation EcosystemHow APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
 
neutron_icehouse_update
neutron_icehouse_updateneutron_icehouse_update
neutron_icehouse_update
 
OpenStack Security Project
OpenStack Security ProjectOpenStack Security Project
OpenStack Security Project
 
GDL OpenStack Community - Openstack Introduction
GDL OpenStack Community - Openstack IntroductionGDL OpenStack Community - Openstack Introduction
GDL OpenStack Community - Openstack Introduction
 

Kürzlich hochgeladen

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 

Kürzlich hochgeladen (20)

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

Openstack: security beyond firewalls

  • 1. OpenStack: Security beyond firewalls MAKING THE CLOUD A SAFER SPACE Giuseppe “Gippa” Paternò, Network & Security NERD 30th May 2014 * OpenStackDay Italy Twitter: @gpaterno - Website: www.gpaterno.com
  • 2. About me IT security products and virtualization services focused on identity protection on the Cloud, as the user is became the ultimate perimeter of a never ending distributed model. HQ based in Switzerland and whose servers are located in Switzerland. User privacy is protected by strict Swiss privacy regulations, no UE or US exceptions allowed. IT Architect and Security Expert with background in Open Source. Former Network and Security architect for Canonical, RedHat, Wind/ Infostrada, Sun Microsystems and IBM and Visiting Researcher at the University of Dublin Trinity College. Past projects: standard for J2ME Over-The-Air (OTA) provisioning along with Vodafone, the study of architecture and standards for the delivery of MHP applications for the digital terrestrial television (DTT) on behalf of DTT Lab (Telecom Italia/LA7) and implementation of HLR for Vodafone landline services. Lot of writings, mainly on computer security. CTO and Director of GARL, a multinational company based in Switzerland and UK, owner of SecurePass and SecureData. TM Secure Data beta BANK OF PASSWORDS
  • 3. 62% Increase breaches in 2013(1) 1 in 5 Organizations have experienced an APT attack (4) 3 Trillion$ Total global impact of cybercrime(3) 8 months Is the average time an advanced threat goes unnoticed on victim’s network(2) 2,5 billion Exposed records as results of a data breach in the past 5 years(5) 1,3,5: Increased cyber security can save global economy trillions, McKinsey/World Economic Forum, January 2014 2: M-Trends 2013: attack the security gap, Mandiant, March 2013 4: ISACA’s 2014 APT study, ISACA, April 2014. Source: ISACA Cyber Security Nexus Too many threats
  • 4. Network APIs Identity Application OpenStack Domain Guest Domain OpenStack and Guest Security
  • 6. Linux Namespaces Used in OpenStack, widely adopted in Neutron, it was Originally created for Linux Control Groups (aka cgroups) PID namespaces isolate the process ID number space so that processes in different PID namespaces can have the same PID Network namespaces provide isolation of the system resources associated with networking User namespaces isolate the user and group ID number spaces. Mount namespaces isolate the set of filesystem mount points seen by a group of processes. Mentioning: IPC and Unix Time-Sharing (UTS) namespaces
  • 7. Neutron Server runs on Controller, expose APIs, enforce network model, pass to Neutron Plugin Neutron Plugin runs on Controller, implements APIs, every vendor can create its own “implementation” (ex: Cisco, Juniper, ...) Plugin Agent, run on each compute node and connect instances to the virtual network Default implementation based on OpenVSwitch OpenFlow to be set as fundamental open protocol for building SDN OpenStack Neutron Software-Defined Network in OpenStack, it answer RESTful APIs. Still no “industry” standard for encapsulating VLANs over L3, VXLANs set to be a preferred choice but any vendor has its choice (ex: Juniper has MPLS over IP)
  • 8. Namespaces enables multiple instances of a routing table to co-exist within the same Linux box Network namespaces make it possible to separate network domains (network interfaces, routing tables, iptables) into completely separate and independent virtual datacenters Advantage of namespaces implementation in Neutron is that tenants can create overlapping IP addresses and independent routing schema The neutron-l3-agent is designed to use network namespaces to provide multiple independent virtual routers per node. OpenStack Neutron and Network Namespaces
  • 9. List Namespaces Show firewall rules in a virtual router Example of Network Namespaces # ip netns qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 qdhcp-bebd6bc8-2bd0-4bdd-890c-9657faf80444 # ip netns exec qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 iptables -L -vn Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
  • 11. OpenStack Neutron FWaaS Firewall as a Service in Neutron Different from the Security Groups in the instance Default to IPtables support into tenant’s ip NameSpace
  • 12. OpenStack Neutron VPNaaS Neutron has capability to handle per-tenant VPNs, named VPN-as-a-Service Based on IPSec, just implementing IKE with “PSK” authentication mode rather than using certificates Suited for site-to-site VPNs and provide Hybrid cloud Implemented on top of IP NameSpaces (“ip netns add vpn”) Draft exists on bringing OpenVPN to Neutron Not suited for “roadwarriors”, i.e. clients connection
  • 14. APIs Security (OpenStack and Cloud Applications)
  • 15. APIsApplication APIs APIs are your point of contact from external world, you must make them highly secure Firewall are not enough! Anything can be sent over HTTP/ HTTPS. REST, XML-RPC, ... Web-based APIs
  • 16. Usernames and passwords, session tokens and API keys must never appear in the URL (Proxy caching and logging) Allow only selected HTTP methods Protect privileged actions and sensitive resource collections Validate inputs and enforce typing of values Validate incoming Content-Type and other headers Encrypt data in transit Validation also apply to payload: JSON, XML or whatsoever General APIs best practices
  • 17. OpenStack APIs All OpenStack software is based on APIs, consumed from End customers and tools to access the platform programmatically Among OpenStack components, is a way of decoupling components implementations Easily from “curl” tools OpenStack Command Line tools REST clients OpenStack Software Development Kit (SDK) RESTFUL API
  • 19. 1. Obtain a Token curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens 2. Consume the API (through the obtained token): curl -i -X GET http://localhost:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: token" OpenStack APIs Workflow
  • 20. The token request will reveal the endpoints URLs: Compute/Nova, S3,Image/ Glance, Volume/Cinder, EC2, Identity/Keystone Revealing the EndPoints
  • 21. Isolate API endpoint processes, especially those that reside within the public security domain should be isolated as much as possible. API endpoints should be deployed on separate hosts for increased isolation. Apply Defense-in-Depth concept: configure services, host-based firewalls, local policy (SELinux or AppArmor), and optionally global network policy. Use Linux namespaces to assign processes into independent domains Use network ACLs and IDS technologies to enforce explicit point to point communication between network services (ex: wire-level ACLs in L3 switches) OpenStack APIs best practices
  • 22. Isolate API endpoint processes from each other and other processes on a machine. Use Mandatory Access Controls (MAC) on top of Discretionary Access Controls to segregate processes, ex: SE-Linux Objective: containment and escalation of API endpoint security breaches. Use of MACs at the OS level severely limit access to resources and provide earlier alerting on such events. Mandatory Access Control in APIs
  • 23. RESTful APIs, mixture of POST (in request) and JSON (in response), Channel encrypted with TLS high cypher, Based on APP ID and APP Secret Example: /api/v1/users/info Ex: SecurePass NG (Dreamliner) APIs Security in functionalities, APP ID read-only or read-write in network, APP ID can be limited to a given IPv4/IPv6 in domain, APP ID is linked to only a specific realm/ domain
  • 24. Identity Security (OpenStack and Cloud Applications)
  • 25. User management: keep tracks of users, roles and permissions Service catalog: Provide a catalog of what services are available and where the OpenStack APIs EndPoint are located OpenStack Keystone Provides Identity, Token, Catalog and policy services for uses inside the OpenStack family and implements OpenStack’s Identity APIs
  • 26. Users A user represent a human user and has associated information such as username, password and e-mail Tenants A tenant can represent a customer, organization or a group. Roles A role is what operations a user is permitted to perform in a given tenant OpenStack Identity Management Keystone permit the following back-ends for IDMs: SQL Backend (SQLAlchemy, it’s python), PAM, LDAP and custom plugins
  • 27. Catching username and passwords means reveal the whole OpenStack infrastructure and control it! $ curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/ tokens OpenStack Keystone
  • 28. 10 millionsof victims of identity theft in USA in 2008 (Javelin Strategy and Research, 2009) 221 billions $lost every year due to identity theft (Aberdeen Group) 35 billioncorporate and government records compromised in 2010 (Aberdeen Group) 2 years of a working resource to correct damages due to identity theft (ITRC Aftermath Study, 2004) 2 billions $damages reported in Italy in 2009 (Ricerca ABI) The victims of identity theft
  • 29. Security must be simple and transparent to the end user, otherwise it will be circumvented! Identity best practices in applications Strong authentication of the users GeoIP Patches, patches and patches! Secure application programming
  • 30. Hosted Apps Need of a central Cloud Control Cloud Orchestrator 2FA/SSO
  • 31. <Directory /srv/www/myapp> AllowOverride None Order allow,deny allow from all AuthType CAS require spgroup mygroup@company.com </Directory> Example of Web identity protection Require access through the SecurePass SSO portal with 2FA Restrict to a dynamic group (with GeoIP)
  • 33. My accountant has his desktop computer broken, he has no time to change it, need something “always available” and in a restricted budget He needs Windows for his accounting software He has no office and works from home sometimes, he needs to access his desktop from ideally from his TV He wants to connect from his customers’, but not always a computer available for him He need emergency way of accessing the desktop from customers’ or from Internet Cafes (ex: on holidays) Must provide a secure access as he holds very confidential data Case Study: Overview & Requirements
  • 34. From home, access the platform with an Android Mini-PC on existing HDMI TV, keyboard and a VPN with Mikrotik device (Equipment ~120 EUR) When at customer, access the platform with the existing Samsung Android tablet. Added bluetooth Keyboard + Mouse and OpenVPN (K+M ~60 EUR) Emergency access provided with an RDP HTML5 gateway OpenStack as the operational platform SecurePass as a security mechanism to protect access to his virtual desktop Case Study: Solution Virtualize his existing desktop system
  • 37. Acknowledgments TM Demo hosted by powered by teuto.net www.ostack.de Security provided by www.secure-pass.net
  • 38. Thank you MAKING THE CLOUD A SAFER SPACE