Project Skylab:
Helping You Get Your Cloud On

Craig Balding
Founder, cloudsecurity.org

Disclaimer

The views and opinions expressed here are those of Craig Balding only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else.

Last year at Brucon, I talked about cloud security and broke new ground by using beer and brewing as an analogy for cloud computing. The climax of that talk was significant after-cloud.

But as I sat there in the speaker room as the make-up crew and hairstylists did the best they could in the circumstances, I made myself a promise. If I got selected to talk in 2010 I would take things more seriously.

No More Gimmicks

Cloud Security is not a laughing matter.

No more clowning around.

Sorry

But my apology is two-fold. My blatant lies about gimmicks to one side...

The Cloud Security Broken Record

I was starting to feel like a stuck record, going on about high level cloud security issues.

I became an “expert source” on all things cloud security and strangely enough: cloud.

Again, sorry...

I promise to mend my ways. Hence the birth of my Skylab project. Rather than just talking about it, let’s do something with it. Something useful, something that might just draw you into my cloud...

But I wasn’t just challenging myself with Skylab. I’m challenging you, my fellow infosec pros. Perhaps you’re ignoring cloud, hoping it will just ‘blow over’. Or maybe you’ve convinced yourself you’re so busy you just don’t have time to ‘get into it’. Or perhaps you just haven’t seen the writing on the wall, or believe it’s another dot-com bust in the making.

s/LUKE/CLOUD?

We tend to apply a ‘DEFAULT DENY’ rule to new tech. In the case of cloud, it’s been DEFAULT DROP. As a community, it sometimes seems like our reactions cloud our vision. Why do we feel the need to be anti-something and thus not examine it critically and carefully? I think we do a disservice to our employers when we do that.

Cloud Is Coming

I’m not here to make predictions about cloud. Personally, I see writing on the wall, but I’m not trying to convince you of that. Rather, I want to ask you a question.

What Are You Doing To Keep Up?

What are you doing to keep up? Cloud is just the latest big thing. But before that we had
virtualization, we had VoIP, we had converged networking. I think we all need to challenge
ourselves a little more. Seek our own truths as it were. Stop paying attention and reacting to
the endless media sound bites by people that clearly don’t get security. Do original research.
Apply the new technologies for ourselves before the people that pay our wages do...

This boils down to something really simple. We have to find our Droids. Each of us has Droids to seek out. What Droids are you looking for? How hard are you looking? What are you waiting for? Don’t wait till you feel you’re ‘good enough’ or until ‘you have more free time’. I hope to offer you something that may make you change your mind.

For me, I wanted to commit a little more to building something. I wanted to find out what cloud technology I could use right now to do something useful for my own R&D purposes. There are many things that can get in your way, but one big one is....

Friction

Friction is the enemy of your imagination. I don’t know about you, but for me it’s not having the right set-up at the right time. I’m always trading one resource for another. My free disk space is *always* on the wrong machine. I can never run enough virtual machines... Not only that, I have whims. I also have a Wim (looks at Wim), but they are mostly 2 different things... I have kites I want to fly. I have ideas I want to quickly test. But most of them never see the light of day, which makes me feel sad and deprives me of valuable learning lessons. Why? Because of friction. Infrastructure friction. Changing my test network setup is a pain. I’ll have to shuffle resources around and make compromises as I don’t have an army of machines to play with. I’ll have to “make do” and collapse multiple workloads onto single machines. Virtual machines have certainly helped - they’ve given me more options than I had before. But at the same time virtual compute has highlighted that I can never own enough hardware (“I just want to run one more”). Plus I’ve got the virtual headache of managing an ever increasing stable of virtual machine images. I want my infrastructure to be malleable like code and my operations to be automated. Or to put it another way, I need some serious lubrication.

Prior Art

Along came project Skylab. This is my meta-idea: the idea that can help bring my other ideas to life. Skylab will help me fail faster and cheaper than I can today. This isn’t pessimism, this is how great ideas come to be - you just have to let all the bad ones get themselves out of you first.

Motives

Learn
Get Practical
Home Server RIP
Geekin’ Out
Open Source
Community Project

# whoami

Tech Security Lead @F500
UNIX Background
Pen-Test
Incident Response
EuroTrash Security Podcast

3 Questions For You

Do you use cloud storage?
Have you booted a machine in a public cloud?
Have you played with cloud network overlays?

Wannabe Cloudtroopers

Come to the dark side, my friends. Embrace the cloud. Or at least dip your toe in it so you can back up whatever opinion you proffer. If that doesn’t convince you, I’m offering free seashell hats for cloud converts.

On Demand Test Labs

So Skylab is about on-demand test labs. I’m sure you can think of times when having an inflatable test lab that you can spin up and shut down when you want could be pretty darn handy.

Target practice
Testing new/updated tools
NIDS/NIPS testing
Exploit testing

On the offense side of security, there is target practice. Don’t be a dummy and ride exploits bareback. Tut tut. Always practice in a lab. For every action there is a reaction. Observe, learn, practice, profit. For your career will not be cut short... But it’s not just pen-test labs... Capture the Flag, hands-on practicals when hiring so-called experienced pen-testers, etc.

Assurance Testing

Package Golden Image as AMI
Upload, launch [1...n]
Apply patches, workarounds & run tests

Then on the defensive side of the house, what about somewhere to test your mitigating controls... or heaven forbid, patches! Deploying new security tools? Again, good to have a lab. Or 3. Or 7.

During a Pen-Test?

Need a disposable IP?
Need to run a phishing scam?
The latest svn update from the Social Engineer Toolkit burning a hole in your toolkit?

What’s your use case?

It’s a Commodity

The key thing to remember when thinking about cloud is that it’s a commodity. You get what you pay for. But sometimes, commodity is just what you want.

Infrastructure as a Service

So what are we talking about? We’re talking about using infrastructure as a service to create on-demand test labs. We’re intentionally confining ourselves to just 1 layer of the cloud services model: we’re ignoring Platform as a Service and Software as a Service. In fact, Skylab itself will have attributes of platform and software as a service in terms of doing some of the heavy lifting for you.

Design

Let’s touch on some design principles.

Design Principles

Hit common use cases
On demand
Infrastructure as code ("agility")
Cost-conscious
Hardware reuse: bring your own lab, or not

Design Principles

Hypervisor agnostic: Xen, kvm, VMware
Security test lab "features"
Freedom: open source
Pragmatic: don't reinvent infrastructure wheels
Scriptable & Fun

Shopping for a Cloud Platform

OPEN?
API
Core
Source
Development
Decision Making

Private/Public/Hybrid

Private

Hybrid

RH Delta-cloud

Turbo-charge your hybrid cloud with Red Hat’s DeltaCloud... access more cloud providers.

Don’t Forget

Leaving cloud compute instances running at the cloud provider does actually cost money. It is surprisingly easy to do though. Do it once and you’ll feel stupid, do it twice and you’ll find yourself writing a script to remind you not to feel stupid :)

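
The "script to remind you" from the note above, as an added example that is not code from this talk or the Skylab project: it runs offline over a constructed instance listing in the shape a describe-instances call returns and reports running instances that have outlived a budget window unless they carry a keep tag. The instance ids, tags, timestamps, the 8-hour budget and the "keep" tag name are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample listing in the shape an EC2-style describe-instances
# call returns; the ids, tags and times are made up for this example.
SAMPLE_INSTANCES = [
    {"id": "i-lab-victim-01", "state": "running",
     "launch_time": "2010-09-23T08:00:00Z", "tags": {"lab": "skylab"}},
    {"id": "i-lab-victim-02", "state": "running",
     "launch_time": "2010-09-24T19:30:00Z", "tags": {"lab": "skylab"}},
    {"id": "i-visibility", "state": "running",
     "launch_time": "2010-09-20T12:00:00Z", "tags": {"keep": "true"}},
    {"id": "i-old-range", "state": "stopped",
     "launch_time": "2010-09-01T00:00:00Z", "tags": {}},
]

# Fixed clock so the sample run below is reproducible.
SAMPLE_NOW = datetime(2010, 9, 25, 9, 0, tzinfo=timezone.utc)


def parse_launch_time(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def forgotten_instances(instances, now, max_age_hours=8, keep_tag="keep"):
    """Return [(id, age_hours), ...] for running instances older than the budget.

    Only 'running' instances count: a stopped lab box no longer bills compute
    time (its storage still does, but that is not what this check is for).
    Instances carrying keep_tag are exempt, so a deliberately long-lived box
    such as a visibility VM is not reported on every run.  Oldest first, so
    the most expensive oversight is at the top of the reminder.
    """
    budget = timedelta(hours=max_age_hours)
    found = []
    for inst in instances:
        if inst["state"] != "running":
            continue
        if keep_tag in inst.get("tags", {}):
            continue
        age = now - parse_launch_time(inst["launch_time"])
        if age > budget:
            found.append((inst["id"], round(age.total_seconds() / 3600, 1)))
    found.sort(key=lambda item: item[1], reverse=True)
    return found


def reminder_text(found):
    """Format the report the reminder script would mail or print."""
    if not found:
        return "All lab instances are within budget."
    lines = ["Running instances past budget:"]
    for inst_id, hours in found:
        lines.append(f"  {inst_id}: running for {hours}h")
    return "\n".join(lines)


if __name__ == "__main__":
    print(reminder_text(forgotten_instances(SAMPLE_INSTANCES, SAMPLE_NOW)))
```

Wire the function to a real listing and a cron entry and the "do it twice" case from the note above takes care of itself.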
Terms of Service

Know the terms of service of your hosting and/or cloud provider. Check clauses about introduction of malware in particular.

Cloud Networking

Public Cloud Networking 101

One NIC Per VM
Limited Routing
Basic Firewalls

Use cases

Overlay Networks

An overlay network is a computer network which is built on top of another network. Nodes in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.

Use cases

Amazon VPC

Amazon recently opened up their Virtual Private Cloud, currently beta

This is a cloud-provider-specific network overlay.

Hook up your existing network. Software VPN on your side, Hardware on their side.

All traffic traverses the customer gateway - no Internet access from within VPC

Can use existing AMIs and Elastic Block Storage

Amazon rapidly innovating - keep up with release details!

VPNCubed

The ïŹrst overlay network service for the cloud market.

Based on OpenVPN, uses CohesiveFT created VMs as cloud VPN endpoints

Supports multicast.

Cross connect clouds, extend your home/business network

Supports Amazon EC2 and GoGrid

Config Management

Chef from Opscode

The Practical Bit
(wakey, wakey)

DEMO: Sneak Peek

TO DO

Establish Amazon VPC Connection
Build Visibility VM (Splunk + extras)
Chef Recipes for Security Extras & CM
Build Range of Victim/Enterprise VMs
Create easy “DC Creator” front-end script

Futures

Beyond x86
Multi-provider
Documentation
VMware Support
Enhanced routing
Explore ecosystem
Improved Automation
Define more Use Cases
More Security Related AMIs

cloudsecurity.org

Check out cloudsecurity.org/resources for recommended reading on cloud security.
Project Updates

Recently created the cloud security forum (cloudsecurity.org/forum) - an independent hang-out for IT and IT security people to discuss cloud security issues.

Topic areas are laid out as per the CSA security domains.

There’s a dedicated forum for Skylab which I’ll be posting to with progress updates.

If you have suggestions for Skylab, please share them with me there.

Credits

Stormtroopers: Stefan
http://stormtroopers365.com/

Creators of KVM, Xen, Qemu, libvirt, OpenNebula, DeltaCloud, Chef, libcloud

Stefan made some great images and all credit is due to him.

I’m also extremely grateful for all the open source software I’m gluing together for this project. Skylab would have been very difficult, if not impossible, for a sole person to piece together without all the effort from numerous developers.

Questions?

craig@cloudsecurity.org / @craigbalding
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Project Skylab: Helping You Get Your Cloud On

  • 1. Project Skylab: Helping You Get Your Cloud On Craig Balding Founder, cloudsecurity.org 1
  • 2. Disclaimer The views and opinions expressed here are those of Craig Balding only and in no way represent the views, positions or opinions - expressed or implied - of my employer or anyone else. 2
  • 3. 3 Last year at Brucon, I talked about Cloud Security and broke new ground by using beer and brewing as an analogy for cloud computing. The climax of that talk was significant after-cloud.
  • 4. 4 But as I sat there in the speaker room as the make-up crew and hairstylists did the best they could in the circumstances, I made myself a promise. If I got selected to talk in 2010 I would take things more seriously.
  • 5. No More Gimmicks 5 Cloud Security is not a laughing matter.
  • 7. Sorry 7 But my apology is two-fold. My blatant lies about gimmicks to one side...
  • 8. The Cloud Security Broken Record 8 I was starting to feel like a stuck record, going on about high level cloud security issues.
  • 9. 9 I became an “expert source” on all things cloud security and strangely enough: cloud.
  • 10. Again, sorry... 10 I promise to mend my ways. Hence, the birth of my Skylab project. Rather than just talking about it, let's do something with it. Something useful, something that might just draw you into my cloud...
  • 11. 11 But I wasn’t just challenging myself with Skylab. I’m challenging you, my fellow infosec pros. Perhaps you’re ignoring cloud, hoping it will just ‘blow over’. Or maybe you’ve convinced yourself you’re so busy, you just don’t have time to ‘get into it’. Or perhaps you just haven’t seen the writing on the wall, or believe it’s another dot com bust in the making.
  • 12. s/LUKE/CLOUD? 12 We tend to apply a ‘DEFAULT DENY’ rule to new tech. In the case of cloud, it’s been DEFAULT DROP. As a community it sometimes seems like our reactions cloud our vision. Why do we feel the need to be anti-something and thus not examine it critically and carefully? I think we do a disservice to our employers when we do that.
  • 13. Cloud Is Coming 13 I’m not here to make predictions about cloud. Personally, I see writing on the wall, but I’m not trying to convince you of that. Rather, I want to ask you a question.
  • 14. What Are You Doing To Keep Up? 14 What are you doing to keep up? Cloud is just the latest big thing. But before that we had virtualization, we had VoIP, we had converged networking. I think we all need to challenge ourselves a little more. Seek our own truths as it were. Stop paying attention and reacting to the endless media sound bites by people that clearly don’t get security. Do original research. Apply the new technologies for ourselves before the people that pay our wages do...
  • 15. 15 This boils down to something really simple. We have to find our Droids. Each of us has droids to seek out. What Droids are you looking for? How hard are you looking? What are you waiting for? Don’t wait ’til you feel you’re ‘good enough’ or until ‘you have more free time’. I hope to offer you something that may make you change your mind.
  • 16. 16 For me, I wanted to commit a little more to building something. I wanted to find out what cloud technology I could use right now to do something useful for my own R&D purposes. There are many things that can get in your way, but one big one is....
  • 17. F r i c t i o n 17 Friction is the enemy of your imagination. I don’t know about you, but for me it’s not having the right set up at the right time. I’m always trading one resource for another. My free disk space is *always* on the wrong machine. I can never run enough virtual machines... Not only that, I have whims. I also have a Wim (looks at Wim), but they are mostly 2 different things... I have kites I want to fly. I have ideas I want to quickly test. But most of them never see the light of day, which makes me feel sad and deprives me of valuable learning lessons. Why? Because of friction. Infrastructure friction. Changing my test network setup is a pain. I’ll have to shuffle resources around and make compromises as I don’t have an army of machines to play with. I’ll have to “make do” and collapse multiple workloads onto single machines. Virtual machines have certainly helped - they’ve given me more options than I had before. But at the same time virtual compute has highlighted that I can never own enough hardware (“I just want to run one more”). Plus I’ve got the virtual headache of managing an ever increasing stable of virtual machine images. I want my infrastructure to be malleable like code and my operations to be automated. Or to put it another way, I need some serious lubrication.
  • 18. Prior Art 18 Along came project Skylab. This is my meta-idea. The idea that can help bring my other ideas to life. Skylab will help me fail faster and cheaper than I can today. This isn’t pessimism, this is how great ideas come to be - you just have to let all the bad ones get themselves out of you first.
  • 19. Motives Learn Get Practical Home Server RIP Geekin’ Out Open Source Community Project 19
  • 20. # whoami Tech Security Lead @F500 UNIX Background Pen-Test Incident Response EuroTrash Security Podcast 20
  • 21. 3 Questions For You Do you use cloud storage? Have you booted a machine in a public cloud? Have you played with cloud network overlays? 21
  • 22. Wannabe Cloudtroopers 22 Come to the darkside my friends. Embrace the cloud. Or at least dip your toe in it so you can back up whatever opinion you proffer. If that doesn’t convince you, I’m offering free sea-shell hats for cloud converts.
  • 23. On Demand Test Labs 23 So Skylab is about on demand test labs. I’m sure you can think of times when having an inflatable test lab that you can spin up and shut down when you want could be pretty darn handy.
  • 24. Target practice Testing new/updated tools NIDS/NIPS testing Exploit testing 24 On the offense side of security, there is target practice. Don’t be a dummy and ride exploits bareback. Tut tut. Always practice in a lab. For every action there is a reaction. Observe, learn, practice, profit. For your career will not be cut short... But it’s not just pen-test labs... Capture the Flag, Hands-on Practicals when hiring so-called experienced pen-testers etc.
  • 25. Assurance Testing Package Golden Image as AMI Upload, launch [1...n] Apply patches, workarounds & run tests 25 Then on the defensive side of the house, what about someone to test your mitigating controls...or heaven forbid, patches! Deploying new security tools? Again, good to have a lab. Or 3. Or 7.
  • 26. During a Pen-Test? 26 Need a disposable IP? Need to run a phishing scam? The latest svn update from the Social Engineer Toolkit burning a hole in your toolkit?
  • 28. It’s a Commodity 28 The key to remember when thinking about cloud is that it’s a commodity. You get what you pay for. But sometimes, commodity is just what you want.
  • 29. Infrastructure as a Service 29 So what are we talking about? We’re talking about using infrastructure as a service to create on-demand test labs. We’re intentionally confining ourselves to just 1 layer of the cloud services model: we’re ignoring Platform as a Service and Software as a Service. In fact, Skylab itself will have attributes of platform and software as a service in terms of doing some of the heavy lifting for you.
  • 30. Design 30 Let’s touch on some design principles
  • 31. Design Principles Hit common use cases On demand Infrastructure as code ("agility") Cost-conscious Hardware reuse: bring your own lab, or not 31
  • 32. Design Principles Hypervisor agnostic: Xen, kvm, VMware Security test lab "features" Freedom: open source Pragmatic: don't reinvent infrastructure wheels Scriptable & Fun 32
  • 33. Shopping for a Cloud Platform 33
  • 34. OPEN? API Core Source Development Decision Making 34
  • 36. Private 36
  • 37. Hybrid 37
  • 38. RH Delta-cloud 38 Turbo charge your hybrid cloud with Red Hat’s Deltacloud... access more cloud providers
  • 39. Don’t Forget 39 Leaving cloud compute instances running at the cloud provider does actually cost money. It is surprisingly easy to do though. Do it once and you’ll feel stupid, do it twice and you’ll find yourself writing a script to remind you not to feel stupid :)
  • 40. Terms of Service 40 Know the terms of service of your hosting and/or cloud provider. Check clauses about introduction of malware in particular.
  • 42. Public Cloud Networking 101 One NIC Per VM Limited Routing Basic Firewalls 42 Use cases
  • 43. Overlay Networks An overlay network is a computer network which is built on top of another network. Nodes in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network 43 Use cases
  • 44. Amazon VPC 44 Amazon recently opened up their Virtual Private Cloud, currently beta This is a cloud provider specific network overlay Hook up your existing network. Software VPN on your side, Hardware on their side. All traffic traverses the customer gateway - no Internet access from within VPC Can use existing AMIs and Elastic Block Storage Amazon rapidly innovating - keep up with release details!
  • 45. VPNCubed 45 The first overlay network service for the cloud market. Based on OpenVPN, uses CohesiveFT created VMs as cloud VPN endpoints Supports multicast. Cross connect clouds, extend your home/business network Supports Amazon EC2 and gogrid
  • 48. The Practical Bit (wakey, wakey) 48
  • 50. TO DO Establish Amazon VPC Connection Build Visibility VM (Splunk + extras) Chef Recipes for Security Extras & CM Build Range of Victim/Enterprise VMs Create easy “DC Creator” front-end script 50
  • 51. Futures Beyond x86 Multi-provider Documentation VMware Support Enhanced routing Explore ecosystem Improved Automation Define more Use Cases More Security Related AMIs 51
  • 52. cloudsecurity.org 52 Check out cloudsecurity.org/resources for recommended reading on cloud security.
  • 53. Project Updates 53 Recently created the cloud security forum (cloudsecurity.org/forum) - an independent hang out for IT and IT security people to discuss cloud security issues Topic areas out as per CSA security domains There’s a dedicated forum for Skylab which I’ll be posting to with progress updates. If you have suggestions for Skylab, please share with me there.
  • 54. Credits Stormtroopers: Stefan http://stormtroopers365.com/ Creators of KVM, Xen, Qemu, libvirt, OpenNebula, DeltaCloud, Chef, libcloud 54 Stefan made some great images and all credit is due to him. I’m also extremely grateful for all the open source software I’m gluing together for this project. Skylab would have been very difficult, if not impossible, for a sole person to piece together without all the effort from numerous developers.
  • 56. 56
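Slide 39 mentions writing a script to remind yourself about lab instances left running. The following is an added example of such a reminder, not Skylab's own code: it walks an EC2 DescribeInstances-shaped response and reports running instances older than an assumed session length. The response data, the 8-hour threshold and the instance names are constructed for illustration; in real use the live response from boto3's `describe_instances()` would be passed in instead.

```python
# Added example for slide 39: remind yourself about lab instances still running.
# Not Skylab code. Input is shaped like boto3 ec2.describe_instances(); the data
# below is a constructed sample. For real use, pass the live response instead.
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=8)  # assumed length of one lab session
UTC = timezone.utc
SAMPLE_NOW = datetime(2010, 9, 26, 9, 0, tzinfo=UTC)  # fixed clock for the sample

# Constructed sample in the DescribeInstances response shape.
SAMPLE_RESPONSE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0000aaaa", "State": {"Name": "running"}, "InstanceType": "m1.small",
     "LaunchTime": datetime(2010, 9, 24, 9, 0, tzinfo=UTC),
     "Tags": [{"Key": "Name", "Value": "skylab-victim-01"}]},
    {"InstanceId": "i-0000bbbb", "State": {"Name": "running"}, "InstanceType": "m1.small",
     "LaunchTime": datetime(2010, 9, 26, 7, 30, tzinfo=UTC), "Tags": []},
    {"InstanceId": "i-0000cccc", "State": {"Name": "stopped"}, "InstanceType": "m1.large",
     "LaunchTime": datetime(2010, 9, 20, 12, 0, tzinfo=UTC),
     "Tags": [{"Key": "Name", "Value": "skylab-splunk"}]},
]}]}


def name_of(instance):
    """Name tag if present, else the instance id."""
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == "Name"),
                instance["InstanceId"])


def stale_instances(response, now, max_age=MAX_AGE):
    """Running instances launched more than max_age ago, oldest first,
    as (name, instance_id, instance_type, age) tuples. Stopped and
    terminated instances are skipped: they no longer bill for compute."""
    found = []
    for reservation in response["Reservations"]:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] != "running":
                continue
            age = now - inst["LaunchTime"]
            if age > max_age:
                found.append((name_of(inst), inst["InstanceId"], inst["InstanceType"], age))
    return sorted(found, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    for name, iid, itype, age in stale_instances(SAMPLE_RESPONSE, SAMPLE_NOW):
        hours = age.total_seconds() / 3600
        print(f"REMINDER: {name} ({iid}, {itype}) has been running for {hours:.1f}h")
```

Run it from cron against the live response and the reminder lands in your mailbox before the bill does.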