Presented at BruCON by Craig Balding, founder of cloudsecurity.org, this presentation outlines the design and implementation of Skylab, an on-demand security test lab. Relying solely on OSS components and making use of Infrastructure as a Service cloud services, you'll learn what you need to create inflatable test labs: spin them up and down when you need them.
2. Disclaimer
The views and opinions expressed here are
those of Craig Balding only and in no way
represent the views, positions or opinions -
expressed or implied - of my employer or
anyone else.
3.
Last year at BruCON, I talked about Cloud Security and broke new ground by using beer and brewing as an analogy for cloud computing. The climax of that talk was significant after-cloud.
4.
But as I sat there in the speaker room as the make-up crew and hairstylists did the best they
could in the circumstances, I made myself a promise. If I got selected to talk in 2010 I would
take things more seriously.
7. Sorry
But my apology is two-fold. My blatant lies about gimmicks to one side...
8. The Cloud Security Broken Record
I was starting to feel like a stuck record, going on about high level cloud security issues.
9.
I became an "expert source" on all things cloud security and, strangely enough, cloud.
10. Again, sorry...
I promise to mend my ways. Hence, the birth of my Skylab project. Rather than just talking about it, let's do something with it. Something useful, something that might just draw you into my cloud...
11.
But I wasn't just challenging myself with Skylab. I'm challenging you, my fellow infosec pros. Perhaps you're ignoring cloud, hoping it will just "blow over". Or maybe you've convinced yourself you're so busy, you just don't have time to "get into it". Or perhaps you just haven't seen the writing on the wall, or believe it's another dot com bust in the making.
12. s/LUKE/CLOUD?
We tend to apply a "DEFAULT DENY" rule to new tech. In the case of cloud, it's been DEFAULT DROP. As a community it sometimes seems like our reactions cloud our vision. Why do we feel the need to be anti-something and thus not examine it critically and carefully? I think we do a disservice to our employers when we do that.
13. Cloud Is Coming
I'm not here to make predictions about cloud. Personally, I see writing on the wall, but I'm not trying to convince you of that. Rather, I want to ask you a question.
14. What Are You Doing To Keep Up?
What are you doing to keep up? Cloud is just the latest big thing. But before that we had virtualization, we had VoIP, we had converged networking. I think we all need to challenge ourselves a little more. Seek our own truths, as it were. Stop paying attention and reacting to the endless media sound bites by people that clearly don't get security. Do original research. Apply the new technologies for ourselves before the people that pay our wages do...
15.
This boils down to something really simple. We have to find our Droids. Each of us has droids to seek out. What Droids are you looking for? How hard are you looking? What are you waiting for? Don't wait till you feel you're "good enough" or until "you have more free time". I hope to offer you something that may make you change your mind.
16.
For me, I wanted to commit a little more to building something. I wanted to find out what cloud technology I could use right now to do something useful for my own R&D purposes. There are many things that can get in your way, but one big one is....
17. F r i c t i o n
Friction is the enemy of your imagination. I don't know about you, but for me it's not having the right setup at the right time. I'm always trading one resource for another. My free disk space is *always* on the wrong machine. I can never run enough virtual machines... Not only that, I have whims. I also have a Wim (looks at Wim), but they are mostly two different things...

I have kites I want to fly. I have ideas I want to quickly test. But most of them never see the light of day, which makes me feel sad and deprives me of valuable learning lessons. Why? Because of friction. Infrastructure friction. Changing my test network setup is a pain. I'll have to shuffle resources around and make compromises as I don't have an army of machines to play with. I'll have to "make do" and collapse multiple workloads onto single machines.

Virtual machines have certainly helped; they've given me more options than I had before. But at the same time virtual compute has highlighted that I can never own enough hardware ("I just want to run one more"). Plus I've got the virtual headache of managing an ever increasing stable of virtual machine images. I want my infrastructure to be malleable like code and my operations to be automated. Or to put it another way, I need some serious lubrication.
18. Prior Art
Along came project Skylab. This is my meta-idea: the idea that can help bring my other ideas to life. Skylab will help me fail faster and cheaper than I can today. This isn't pessimism, this is how great ideas come to be; you just have to let all the bad ones get themselves out of you first.
21. 3 Questions For You
Do you use cloud storage?
Have you booted a machine in a public cloud?
Have you played with cloud network overlays?
22. Wannabe Cloudtroopers
Come to the dark side, my friends. Embrace the cloud. Or at least dip your toe in it so you can back up whatever opinion you proffer. If that doesn't convince you, I'm offering free seashell hats for cloud converts.
23. On Demand Test Labs
So Skylab is about on-demand test labs. I'm sure you can think of times when having an inflatable test lab that you can spin up and shut down when you want could be pretty darn handy.
24. Target practice
Testing new/updated too
NIDS/NIPS testing
Exploit testing
On the offense side of security, there is target practice. Don't be a dummy and ride exploits bareback. Tut tut. Always practice in a lab. For every action there is a reaction. Observe, learn, practice, profit. So your career will not be cut short... But it's not just pen-test labs: Capture the Flag, hands-on practicals when hiring so-called experienced pen-testers, etc.
25. Assurance Testing
Package Golden Image as AMI
Upload, launch [1...n]
Apply patches, workarounds & run tests
Then on the defensive side of the house, what about somewhere to test your mitigating controls... or heaven forbid, patches! Deploying new security tools? Again, good to have a lab. Or 3. Or 7.
26. During a Pen-Test?
Need a disposable IP?
Need to run a phishing scam?
The latest svn update from the Social Engineer Toolkit burning a hole in your toolkit?
28. It's a Commodity
The key thing to remember when thinking about cloud is that it's a commodity. You get what you pay for. But sometimes, commodity is just what you want.
29. Infrastructure as a Service
So what are we talking about? We're talking about using Infrastructure as a Service to create on-demand test labs. We're intentionally confining ourselves to just one layer of the cloud services model: we're ignoring Platform as a Service and Software as a Service. In fact, Skylab itself will have attributes of platform and software as a service in terms of doing some of the heavy lifting for you.
30. Design
Let's touch on some design principles.
31. Design Principles
Hit common use cases
On demand
Infrastructure as code ("agility")
Cost-conscious
Hardware reuse: bring your own lab, or not
32. Design Principles
Hypervisor agnostic: Xen, kvm, VMware
Security test lab "features"
Freedom: open source
Pragmatic: don't reinvent infrastructure wheels
Scriptable & Fun
38. RH Delta-cloud
Turbocharge your hybrid cloud with Red Hat's Delta Cloud... access more cloud providers.
39. Don't Forget
Leaving cloud compute instances running at the cloud provider does actually cost money. It is surprisingly easy to do, though. Do it once and you'll feel stupid; do it twice and you'll find yourself writing a script to remind you not to feel stupid :)
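In the spirit of that reminder script, here is an added example (my code, not part of the Skylab project or the slides). It audits a list of instance records for machines left running past an age budget and estimates what they have cost so far. The records are plain dicts in the shape you would get by mapping libcloud `Node` objects (`id`, `name`, `state`, plus `launch_time` and `instance_type` from `node.extra`); that mapping, the whole-hour billing model and the per-hour prices are assumptions, and the sample nodes are constructed.

```python
"""Audit running cloud instances and flag the ones you forgot to shut down.

Added example, not Skylab code. Node records are dicts in the shape you would
get by mapping libcloud Node objects (assumed: id, name, state, and
extra['launch_time'] / extra['instance_type'] flattened into the dict).
"""
import math
from datetime import datetime, timedelta, timezone

# Hypothetical per-hour prices in USD keyed by instance type; take real figures
# from your provider's price list.
HOURLY_PRICE = {"m1.small": 0.085, "c1.medium": 0.17}


def parse_launch_time(value):
    """Parse an ISO-8601 timestamp such as '2010-09-24T06:00:00Z' into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # treat naive timestamps as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def billed_hours(launched, now):
    """Whole-hour billing (assumed, EC2 style): every started hour is charged, minimum one."""
    elapsed = (now - launched).total_seconds() / 3600.0
    return max(1, math.ceil(elapsed))


def audit_nodes(nodes, now, max_age=timedelta(hours=8)):
    """Return one finding per running node: age, cost so far, and whether it exceeds max_age."""
    findings = []
    for node in nodes:
        if node["state"] != "running":
            continue  # stopped/terminated nodes do not accrue compute charges
        launched = parse_launch_time(node["launch_time"])
        hours = billed_hours(launched, now)
        price = HOURLY_PRICE.get(node["instance_type"], 0.0)  # unknown type: cost unknown, still reported
        age = now - launched
        findings.append({
            "id": node["id"],
            "name": node["name"],
            "age": age,
            "billed_hours": hours,
            "cost_usd": hours * price,
            "overdue": age > max_age,
        })
    return findings


def overdue_ids(findings):
    """Instance ids that have outlived the age budget: the list to act on."""
    return [f["id"] for f in findings if f["overdue"]]


def total_cost(findings):
    """Estimated spend so far across all running instances."""
    return sum(f["cost_usd"] for f in findings)


def format_report(findings):
    """Render the findings as a short table for a cron-mailed reminder."""
    lines = []
    for f in findings:
        flag = "OVERDUE" if f["overdue"] else "ok"
        lines.append(f"{f['id']:<12} {f['name']:<18} {f['billed_hours']:>3}h ${f['cost_usd']:.2f} {flag}")
    lines.append(f"running total: ${total_cost(findings):.2f}")
    return "\n".join(lines)


# Constructed sample data (not real instances or launch times).
SAMPLE_NODES = [
    {"id": "i-aaaa0001", "name": "skylab-victim", "state": "running",
     "launch_time": "2010-09-24T06:00:00Z", "instance_type": "m1.small"},
    {"id": "i-bbbb0002", "name": "skylab-attacker", "state": "running",
     "launch_time": "2010-09-24T17:00:00Z", "instance_type": "c1.medium"},
    {"id": "i-cccc0003", "name": "skylab-nids", "state": "stopped",
     "launch_time": "2010-09-20T08:00:00Z", "instance_type": "m1.small"},
    {"id": "i-dddd0004", "name": "splunk-visibility", "state": "running",
     "launch_time": "2010-09-22T18:30:00Z", "instance_type": "m1.small"},
]
SAMPLE_NOW = datetime(2010, 9, 24, 18, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(format_report(audit_nodes(SAMPLE_NODES, SAMPLE_NOW)))
```

To run it for real, replace `SAMPLE_NODES` with the output of your libcloud driver's `list_nodes()` mapped into the same dict shape (the exact `extra` keys vary by driver, so check yours) and pass `datetime.now(timezone.utc)`; a cron job that mails the report, or that feeds `overdue_ids()` to a destroy call, is the "script to remind you" from the slide.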
40. Terms of Service
Know the terms of service of your hosting and/or cloud provider. Check clauses about
introduction of malware in particular.
42. Public Cloud Networking 101
One NIC Per VM
Limited Routing
Basic Firewalls
Use cases
43. Overlay Networks
An overlay network is a computer network which is built on top of another network. Nodes in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.
44. Amazon VPC
Amazon recently opened up their Virtual Private Cloud, currently in beta.
This is a cloud provider specific network overlay.
Hook up your existing network: software VPN on your side, hardware on their side.
All traffic traverses the customer gateway; there is no Internet access from within VPC.
Can use existing AMIs and Elastic Block Storage.
Amazon is rapidly innovating; keep up with release details!
45. VPNCubed
The first overlay network service for the cloud market.
Based on OpenVPN; uses CohesiveFT created VMs as cloud VPN endpoints.
Supports multicast.
Cross connect clouds, extend your home/business network.
Supports Amazon EC2 and GoGrid.
50. TO DO
Establish Amazon VPC Connection
Build Visibility VM (Splunk + extras)
Chef Recipes for Security Extras & CM
Build Range of Victim/Enterprise VMs
Create easy "DC Creator" front-end script
51. Futures
Beyond x86
Multi-provider
Documentation
VMware Support
Enhanced routing
Explore ecosystem
Improved Automation
Define more Use Cases
More Security Related AMIs
52. cloudsecurity.org
Check out cloudsecurity.org/resources for recommended reading on cloud security.
53. Project Updates
Recently created the cloud security forum (cloudsecurity.org/forum), an independent hangout for IT and IT security people to discuss cloud security issues.
Topic areas are set out as per the CSA security domains.
There's a dedicated forum for Skylab which I'll be posting to with progress updates.
If you have suggestions for Skylab, please share them with me there.
54. Credits
Stormtroopers: Stefan, http://stormtroopers365.com/
Creators of KVM, Xen, Qemu, libvirt, OpenNebula, DeltaCloud, Chef, libcloud
Stefan made some great images and all credit is due to him.
I'm also extremely grateful for all the open source software I'm gluing together for this project. Skylab would have been very difficult, if not impossible, for a sole person to piece together without all the effort from numerous developers.