4. Manual review
• Process of combing code looking for flaws
• “Targeted” manual review can be cheaper and easier
• Grepping for known patterns can quickly point to issues in code
– “crypt”
– “password”
– “FIXME”
– “this is a hack”
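The grep-based triage from this slide (and the editor's note comparing it with Fortify's analyzer), as an added shell example that is not part of the original deck: it ranks files by how many of the slide's hot-spot patterns they hit, so a reviewer knows where to start reading. It assumes GNU grep (for -r, -I and --exclude-dir) and a source-tree path passed as the argument.

```shell
#!/bin/sh
# Added example, not from the original slides: a small "targeted manual
# review" helper built on the slide's grep idea. Assumes GNU grep.

# Patterns from the slide, one per line; matched case-insensitively as
# substrings, so "crypt" also catches encrypt/decrypt/crypto.
# Add project-specific ones (e.g. "disable ssl") as you learn them.
REVIEW_PATTERNS='crypt
password
FIXME
this is a hack'

# review_hits DIR
# Prints "file:line:text" for every line matching any pattern, skipping
# VCS, dependency and build directories that are noise for a review.
review_hits() {
    pat_file=$(mktemp) || return 2
    printf '%s\n' "$REVIEW_PATTERNS" > "$pat_file"
    grep -rniIH --exclude-dir=.git --exclude-dir=node_modules \
         --exclude-dir=target -f "$pat_file" "$1"
    rc=$?
    rm -f "$pat_file"
    return $rc
}

# review_count DIR -> total number of matching source lines
review_count() {
    review_hits "$1" | wc -l | tr -d ' '
}

# review_ranking DIR
# Prints "count file", most hits first: the files to open first.
review_ranking() {
    review_hits "$1" | cut -d: -f1 | sort | uniq -c | sort -rn |
        sed 's/^ *//'
}

# review_top_file DIR -> the single file with the most hits
review_top_file() {
    review_ranking "$1" | head -n 1 | cut -d' ' -f2
}
```

Run it as `review_ranking /path/to/src` and start the manual read at the top of the list; the pattern list is the part worth curating per project.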
15. Incident response
• Report findings to ACS security team (PPMC)
• We strive to investigate and respond ASAP
• Verified issues
• Pre-4.0 issues are forwarded to Citrix
• Pre-notification list for critical vendors (Gizoogle cloudstack security response)
17. SSL
• ACS ships with SSL disabled.
• Instructions in ACS wiki under “CloudStack Security”
18. VPNs
• SSL is nice, but we like OpenVPN for any administrative access
• Con: iOS doesn’t like OpenVPN*
*Jailbroken iOS does like OpenVPN
19. Tighter firewalling
• If you place unprotected hypervisors on the public Internet, after several days you will find VMs sitting at a GRUB prompt
• Firewall everything. Use a VPN, but firewall that too.
21. IDS
• Run Snort on hypervisors, monitoring the bridges
• Run OSSEC, monitoring anything sensitive
– /etc
• AntiVirus? Shouldn’t have to…
22. Two Factor Authentication
• Becoming more and more common
• Passwords aren’t enough
– Guessable
– Stealable
– Sniffable, when you’re not using SSL/VPN
23. 2FA any day now…
• WiKID Systems 2 factor auth
• “Mutual HTTPS Authentication”
• Code seems to be working, just need to tweak the build
24. What’s next
• Admin login notification
• KVM + SELinux
– Working on it – not production ready
• After SELinux, auditd
• Goal: Provide users with transparency
25. Logging
• We collect/analyze logs from
– All IDS
– Network firewalls
– Web application firewalls
– Syslog (management, node, AND VM) collected centrally
26. We’d love help
• Security Frameworks
• Security plugins (authentication, monitoring)
• grsecurity support?
• Further xen hardening?
• Ideas?
http://cloudstack.org
27. Thanks! Questions?
John Kinsella
@johnlkinsella
http://www.slideshare.net/jlkinsel/
Editor's note
Grepping is basically the same as Fortify’s Semantic Analyzer