Secure Keystone Deployment:
Lessons Learned and Best Practices
Priti Desai
Sr. Software Engineer
Secure Keystone Deployment 1
The Symantec Team
• Cloud Platform Engineering
– We are building a consolidated cloud platform that provides infrastructure and platform services for next generation Symantec products and services
• Me
– In Security for over 6 years
– Symantec Insight - Reputation Based Security
– Symantec Data Analytics Platform
– OpenStack Engineer - Keystone
– OpenStack Security Group
– Cop Open Source
OpenStack Security Group
[Images: OpenStack Security Notes (retrieved from http://www.openstack.org) and OpenStack Security Guide (retrieved from http://docs.openstack.org)]
Secure Keystone Deployment
Why is Keystone security critical?
What is Keystone?
How is the authentication process implemented in Keystone?
How is the authorization mechanism implemented in OpenStack?
AuthN Overview
Participants: Cloud User, Keystone, Identity backend (SQL/LDAP), Assignment backend (SQL), Token backend (SQL).
1. Cloud User -> Keystone: request sent with username and password
2. Keystone -> Identity (SQL/LDAP): verify username and password (hash of password)
3. Identity -> Keystone: successful verification
4. Keystone -> Assignment (SQL): request metadata for user tenant relationship
5. Assignment -> Keystone: user tenant relationship information
6. Keystone -> Token (SQL): request to generate new token
7. Token -> Keystone: response with new token
8. Keystone -> Cloud User: response with token
AuthZ Overview
Participants: Cloud User, OpenStack Service, Keystone.
1. Cloud User -> OpenStack Service: request sent with session token
2. OpenStack Service -> Keystone: verify session token (is this token correct? does it allow the service usage?)
3. Keystone -> OpenStack Service: successful verification
4. OpenStack Service executes the request
5. OpenStack Service -> Cloud User: response with success
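The two exchanges above, modelled end to end as an added example. This is illustrative code written for this page, not Keystone's own implementation: the Identity, Assignment and Token backends are in-memory dicts, the password hash is PBKDF2 from hashlib, and the token is a random UUID; all of those are assumptions chosen for the example, and "alice", "demo" and the roles are constructed sample data.

```python
"""Constructed model of the AuthN and AuthZ flows from the two overview diagrams.
Not Keystone's code: backends, hash scheme and token format are stand-ins."""
import hashlib
import hmac
import os
import uuid


class IdentityBackend:
    """Stands in for the Identity backend (SQL/LDAP): stores only password hashes."""

    def __init__(self):
        self._users = {}

    def add_user(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def verify(self, username, password):
        # Step 2: compare against the stored hash, never a plaintext password.
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


class AssignmentBackend:
    """Stands in for the Assignment backend (SQL): (user, tenant) -> roles."""

    def __init__(self):
        self._roles = {}

    def grant(self, username, tenant, role):
        self._roles.setdefault((username, tenant), set()).add(role)

    def roles_for(self, username, tenant):
        # Step 5: user/tenant relationship information.
        return set(self._roles.get((username, tenant), ()))


class TokenBackend:
    """Stands in for the Token backend (SQL): issues and validates session tokens."""

    def __init__(self):
        self._tokens = {}

    def issue(self, username, tenant, roles):
        token_id = uuid.uuid4().hex  # constructed token format, not Keystone's
        self._tokens[token_id] = {"user": username, "tenant": tenant, "roles": roles}
        return token_id

    def validate(self, token_id):
        return self._tokens.get(token_id)


class Keystone:
    def __init__(self):
        self.identity = IdentityBackend()
        self.assignment = AssignmentBackend()
        self.tokens = TokenBackend()

    def authenticate(self, username, password, tenant):
        """AuthN: verify credentials, look up the tenant relationship, issue a token."""
        if not self.identity.verify(username, password):
            return None
        roles = self.assignment.roles_for(username, tenant)
        if not roles:
            return None  # the user has no assignment on this tenant
        return self.tokens.issue(username, tenant, roles)

    def validate_token(self, token_id):
        """AuthZ step 2 as seen from Keystone: is this token correct?"""
        return self.tokens.validate(token_id)


def service_request(keystone, token_id, required_role):
    """AuthZ: an OpenStack service has Keystone verify the session token, then
    checks that the token's roles allow the requested usage before executing."""
    data = keystone.validate_token(token_id)
    if data is None:
        return "401 invalid token"
    if required_role not in data["roles"]:
        return "403 role not allowed"
    return "200 request executed"


if __name__ == "__main__":
    ks = Keystone()
    ks.identity.add_user("alice", "correct horse")
    ks.assignment.grant("alice", "demo", "member")
    token = ks.authenticate("alice", "correct horse", "demo")
    print(service_request(ks, token, "member"))
```

The split between "is this token correct?" (Keystone) and "does it allow the service usage?" (the service, using the roles carried by the token) is the point of the AuthZ diagram; a forged or expired token fails at the first check, a valid token with the wrong role at the second.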
Secure Keystone Deployment
Why is Keystone security critical?
Does it store/transmit any sensitive information?
What kind of cloud asset does it store?
Is any type of attack possible on Keystone? Can it bring down the entire cloud?
Keystone Security is Critical
• Gatekeeper
– Access to OpenStack Cloud
• Assets
– Users
– Passwords
– Tokens
– Roles
– Catalog
• Vulnerable to DoS
[Images retrieved from http://internet.phillipmartin.info, http://blogs.citypages.com and http://assets.nydailynews.com]
What was our approach to identifying key vulnerabilities?
Security Risks
• Global Security Office
– Threat Model
– Penetration Tests
– Traceability Matrix
[Image retrieved from http://www.technetics.com.au]
Threat Model
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privileges
What kind of security deficiencies did we discover?
• Attack: Keystone user credential theft
• Attack: Insecure file permissions on keystone.conf
• Attack: Access to cloud admin privileges for almost free
• Attack: Leaking sensitive data in log messages
• Attack: DoS – Authentication chaining – Havana
• Attack: Unauthorized access to MySQL database
• Many more …
Traceability Matrix
[Traceability matrix image; three cells marked ✖]
Keystone User Credential Theft
Mitigate: Secure Communication - SSL
[Deployment diagram: hardware load balancers in front of three Keystone nodes. The load balancer is the SSL server toward clients and an SSL client toward each Keystone node; every Keystone node runs under Apache mod_ssl, serving the Public API on 5000/SSL and the Admin API on 35357/SSL.]
Insecure file permissions on keystone.conf
Mitigate:
• Restrict ownership to service user
– chown keystone:keystone /etc/keystone/keystone.conf
• Restrict to read and write by the owner
– chmod 640 /etc/keystone/keystone.conf
Access to admin privileges is almost free
• Service Token
• Bootstrap Keystone
• Cloud admin privileges
• Register bad service/endpoints
Mitigate: Disable Service Token
• Comment out admin_token from /etc/keystone/keystone.conf:
admin_token=e2112effd3ff05b8c88ad14e096e6615
• Remove admin token auth middleware from /etc/keystone/keystone-paste.ini:
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
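An added post-deployment audit covering the two mitigations above (ownership and mode of keystone.conf, and the disabled service token). This is example code written for this page, not part of Keystone or of the presenter's tooling: the keystone.conf and keystone-paste.ini fragments are constructed (the token value is a placeholder), the pipeline filter names are illustrative, and the owner lookup assumes a Unix host with the pwd module.

```python
"""Constructed hardening audit for keystone.conf and keystone-paste.ini.
Example code for this page, not Keystone's own; sample configs are constructed."""
import configparser
import os
import pwd
import stat
import tempfile

# Constructed keystone.conf fragments: the weak form still carries a service
# token (placeholder value, not a real token); the hardened form comments it out.
KEYSTONE_CONF_WEAK = """[DEFAULT]
admin_token = <placeholder-service-token>
debug = False
"""
KEYSTONE_CONF_HARDENED = """[DEFAULT]
#admin_token = <placeholder-service-token>
debug = False
"""

# Constructed keystone-paste.ini fragments, before and after removing the
# admin token auth middleware from the pipeline (filter names illustrative).
PASTE_WEAK = """[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = url_normalize token_auth admin_token_auth json_body public_service
"""
PASTE_HARDENED = """[pipeline:public_api]
pipeline = url_normalize token_auth json_body public_service
"""


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry (common inside containers)
        return str(uid)


def check_file_permissions(path, expected_owner="keystone"):
    """Findings for a config file that should be owned by the service user and
    readable only by owner and group (chown keystone:keystone; chmod 640)."""
    findings = []
    st = os.stat(path)
    owner = owner_name(st.st_uid)
    if owner != expected_owner:
        findings.append(f"{path}: owned by {owner}, expected {expected_owner}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        findings.append(f"{path}: world-accessible mode {mode:04o}")
    if mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable mode {mode:04o}")
    return findings


def check_admin_token(keystone_conf_text):
    """Finding if [DEFAULT] admin_token is still set; a commented line is ignored."""
    token = _parse(keystone_conf_text).defaults().get("admin_token", "").strip()
    return ["keystone.conf: admin_token is set; comment it out once a cloud admin exists"] if token else []


def check_paste_pipeline(paste_text):
    """One finding per pipeline that still includes admin_token_auth."""
    cp = _parse(paste_text)
    findings = []
    for section in cp.sections():
        filters = cp.get(section, "pipeline", fallback="").split()
        if section.startswith("pipeline:") and "admin_token_auth" in filters:
            findings.append(f"keystone-paste.ini: {section} still includes admin_token_auth")
    return findings


def demo_permission_check():
    """Create a throwaway file with the weak 0644 mode, audit it, apply the
    slide's chmod 640 and audit again. Returns (before, after) findings."""
    me = owner_name(os.getuid())
    fd, path = tempfile.mkstemp(suffix="-keystone.conf")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = check_file_permissions(path, expected_owner=me)
        os.chmod(path, 0o640)
        after = check_file_permissions(path, expected_owner=me)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print(demo_permission_check())
    print(check_admin_token(KEYSTONE_CONF_WEAK), check_paste_pipeline(PASTE_WEAK))
```

Against a real host you would call check_file_permissions("/etc/keystone/keystone.conf") with the default expected owner and feed the two real files to the other two checks; removing only the [filter:admin_token_auth] section while leaving the name in a pipeline line breaks startup, so the pipeline check is the one to run after the edit.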
Who is the cloud admin now?
Create Cloud Admin
• Leveraging Keystone Domain
• Before disabling service token:
– Create a domain "cloud_admin_domain"
– Grant "admin" role to appropriate user "Bob Smith"
– Update keystone policy.json file:
Replace:
"cloud_admin": [["rule:admin_required", "domain_id:admin_domain_id"]],
With:
"cloud_admin": [["rule:admin_required", "domain_id:<cloud_admin_domain_id>"]],
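How the cloud_admin rule above is evaluated, as an added example. The evaluator is written for this page and is not oslo.policy or Keystone's own code; it handles the list-of-lists policy.json syntax shown on the slide (outer list OR, inner list AND). The admin_required rule is assumed to be "role:admin", the domain id is a constructed placeholder standing in for <cloud_admin_domain_id>, and the credential dicts for Bob Smith and the other users are constructed.

```python
"""Constructed policy rule evaluator for the cloud_admin rule on the slide.
Example code for this page, not oslo.policy; rules and credentials are constructed."""
import json
import re

CLOUD_ADMIN_DOMAIN_ID = "constructed-cloud-admin-domain-id"  # placeholder id

# admin_required assumed to be the usual role:admin rule.
POLICY_BEFORE = json.dumps({
    "admin_required": [["role:admin"]],
    "cloud_admin": [["rule:admin_required", "domain_id:admin_domain_id"]],
})
POLICY_AFTER = json.dumps({
    "admin_required": [["role:admin"]],
    "cloud_admin": [["rule:admin_required", "domain_id:" + CLOUD_ADMIN_DOMAIN_ID]],
})

# Token credentials as a policy engine sees them (constructed).
BOB = {"user_id": "bob-smith", "domain_id": CLOUD_ADMIN_DOMAIN_ID, "roles": ["admin"]}
OTHER_DOMAIN_ADMIN = {"user_id": "eve", "domain_id": "some-other-domain", "roles": ["admin"]}
BOB_WITHOUT_ROLE = {"user_id": "bob-smith", "domain_id": CLOUD_ADMIN_DOMAIN_ID, "roles": ["member"]}


class PolicyEnforcer:
    """Minimal evaluator for the list-of-lists policy.json syntax: the outer
    list is OR, each inner list is AND, and checks are 'kind:value' strings."""

    TARGET_REF = re.compile(r"%\((\w+)\)s")

    def __init__(self, policy_json):
        self.rules = json.loads(policy_json)

    def enforce(self, rule_name, creds, target=None):
        target = target or {}
        alternatives = self.rules.get(rule_name, [])
        return any(all(self._check(c, creds, target) for c in conj)
                   for conj in alternatives)

    def _check(self, check, creds, target):
        if check == "@":
            return True
        if check == "!":
            return False
        kind, _, value = check.partition(":")
        if kind == "rule":
            return self.enforce(value, creds, target)
        if kind == "role":
            return value in creds.get("roles", [])
        # Generic check: a credential attribute compared with a literal, or
        # with a %(name)s reference into the request target.
        ref = self.TARGET_REF.fullmatch(value)
        expected = target.get(ref.group(1)) if ref else value
        return kind in creds and str(creds[kind]) == str(expected)


if __name__ == "__main__":
    print("before replacement:", PolicyEnforcer(POLICY_BEFORE).enforce("cloud_admin", BOB))
    print("after replacement:", PolicyEnforcer(POLICY_AFTER).enforce("cloud_admin", BOB))
```

With the placeholder string left unreplaced, nobody satisfies domain_id:admin_domain_id, so there is no cloud admin at all once the service token is disabled; after the replacement only an admin-role user scoped to the cloud admin domain passes, which is why the slide orders the steps "before disabling service token".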
Leaking Sensitive Information in Log Messages
• Debug mode includes plaintext request logging
– Passwords
– Tokens
• Mitigate:
– Disable debug mode in keystone.conf with:
[DEFAULT]
debug=False
– With debug mode ON, upgrade the keystone client:
python-keystoneclient >= 0.10.1 (OSSN-0024)
Leaking Sensitive Information in Log Messages
Identity API V2 - INFO level logs contain auth tokens (OSSN-0023)
Mitigate:
• Set the log level to WARN in logging.conf:
[handler_file]
class = FileHandler
Level = WARN
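What the WARN handler level does to an INFO request line carrying a token, as an added example run through Python's own logging.config in the same file-format style as the [handler_file] section above. This is example code for this page, not Keystone's logging setup: the logging.conf text, the log lines and the token value are constructed, the log file is a temporary file, and the RedactSecrets filter is an additional defense-in-depth measure assumed here rather than something the slide or Keystone provides.

```python
"""Constructed demonstration of the handler level change from the slide, plus an
assumed redaction filter. Example code for this page, not Keystone's own."""
import io
import logging
import logging.config
import os
import re
import tempfile

# Constructed logging.conf in the style of the slide's [handler_file] section.
# {level} is swapped in by capture_logs(); the file path comes from the
# 'logfile' default, so no real Keystone log location is assumed.
LOGGING_CONF = """
[loggers]
keys = root

[handlers]
keys = file

[formatters]
keys = plain

[logger_root]
level = DEBUG
handlers = file

[handler_file]
class = FileHandler
level = {level}
formatter = plain
args = ('%(logfile)s',)

[formatter_plain]
format = %(levelname)s %(message)s
"""

SAMPLE_TOKEN = "constructedtoken0123456789abcdef"  # constructed, not a real credential


class RedactSecrets(logging.Filter):
    """Assumed defense in depth beyond the level change: scrub token headers
    and password fields from the rendered message before the handler writes it."""

    PATTERNS = [
        (re.compile(r"(?i)(x-auth-token:\s*)\S+"), r"\1***"),
        (re.compile(r'("password"\s*:\s*")[^"]*'), r"\1***"),
    ]

    def filter(self, record):
        message = record.getMessage()
        for pattern, repl in self.PATTERNS:
            message = pattern.sub(repl, message)
        record.msg, record.args = message, ()
        return True


def capture_logs(handler_level, redact=False):
    """Configure logging from LOGGING_CONF at the given handler level, emit an
    INFO request line carrying a token plus a WARNING line, and return what
    reached the log file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "keystone.log")
        conf = LOGGING_CONF.replace("{level}", handler_level)
        logging.config.fileConfig(io.StringIO(conf), defaults={"logfile": path},
                                  disable_existing_loggers=False)
        root = logging.getLogger()
        if redact:
            for handler in root.handlers:
                handler.addFilter(RedactSecrets())
        log = logging.getLogger("keystone.demo")
        log.info("GET /v2.0/tenants headers: X-Auth-Token: %s", SAMPLE_TOKEN)  # constructed
        log.warning("authentication failed for user %s", "alice")             # constructed
        for handler in root.handlers:
            handler.flush()
        with open(path) as fh:
            contents = fh.read()
        for handler in list(root.handlers):
            handler.close()
            root.removeHandler(handler)
    return contents


def token_leaked(log_text):
    return SAMPLE_TOKEN in log_text


if __name__ == "__main__":
    print("INFO handler leaks token:", token_leaked(capture_logs("INFO")))
    print("WARN handler leaks token:", token_leaked(capture_logs("WARN")))
```

Raising the handler level drops the whole INFO line, which is the slide's fix; the filter variant keeps INFO logging but strips the credential, which matters where operators need request logs for troubleshooting.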
Keystone DoS Attack
Identity API V3 – Authentication Chaining – CVE-2014-2828
Mitigate:
• Impacted Versions: from 2013.1 to 2013.2.3
• Patch applied during IceHouse rc2
• Upgrade Keystone >= 2013.2.4
Q&A
Let's talk…
Thank You
Priti Desai
Priti_Desai@symantec.com
@pritidesai8
References
• http://docs.openstack.org/developer/keystone/
• https://blog-nkinder.rhcloud.com/?p=7
• https://blueprints.launchpad.net/keystone/+spec/service-scoped-tokens
• http://docs.openstack.org/sec/
• http://www.florentflament.com/blog/setting-keystone-v3-domains.html
• https://wiki.openstack.org/wiki/Security_Notes
References (Images)
• Crime Identity Theft: http://internet.phillipmartin.info/crime_identity_theft.gif
• Computer Theft: http://blogs.citypages.com/blotter/Computer%20theft.gif
• Mickey Washington ID: http://assets.nydailynews.com/polopoly_fs/1.1864391!/img/httpImage/image.jpg_gen/derivatives/article_970/mickey13n-1-web.jpg
• Threat, Asset, and Vulnerability: http://www.technetics.com.au/images/easyblog_images/79/b2ap3_thumbnail_manage_your_risk_400_20140924-122014_1.jpg
• OpenStack Security Notes: http://www.openstack.org/assets/openstack-logo/openstack-one-color-alt.pdf
• OpenStack Security Guide: http://docs.openstack.org/common/images/openstack-security-guide.jpg

Weitere ähnliche Inhalte

Was ist angesagt?

IT Architecture’s Role In Solving Technical Debt.pdf
IT Architecture’s Role In Solving Technical Debt.pdfIT Architecture’s Role In Solving Technical Debt.pdf
IT Architecture’s Role In Solving Technical Debt.pdfAlan McSweeney
 
SQL Server 2016 - Always On.pptx
SQL Server 2016 - Always On.pptxSQL Server 2016 - Always On.pptx
SQL Server 2016 - Always On.pptxQuyVo27
 
Oracle Cloud Infrastructure:2021年5月度サービス・アップデート
Oracle Cloud Infrastructure:2021年5月度サービス・アップデートOracle Cloud Infrastructure:2021年5月度サービス・アップデート
Oracle Cloud Infrastructure:2021年5月度サービス・アップデートオラクルエンジニア通信
 
Solution architecture
Solution architectureSolution architecture
Solution architectureiasaglobal
 
Analytics and Lakehouse Integration Options for Oracle Applications
Analytics and Lakehouse Integration Options for Oracle ApplicationsAnalytics and Lakehouse Integration Options for Oracle Applications
Analytics and Lakehouse Integration Options for Oracle ApplicationsRay Février
 
Delta Lake with Azure Databricks
Delta Lake with Azure DatabricksDelta Lake with Azure Databricks
Delta Lake with Azure DatabricksDustin Vannoy
 
Pipelines and Packages: Introduction to Azure Data Factory (24HOP)
Pipelines and Packages: Introduction to Azure Data Factory (24HOP)Pipelines and Packages: Introduction to Azure Data Factory (24HOP)
Pipelines and Packages: Introduction to Azure Data Factory (24HOP)Cathrine Wilhelmsen
 
Deep Dive on Amazon Aurora MySQL Performance Tuning (DAT429-R1) - AWS re:Inve...
Deep Dive on Amazon Aurora MySQL Performance Tuning (DAT429-R1) - AWS re:Inve...Deep Dive on Amazon Aurora MySQL Performance Tuning (DAT429-R1) - AWS re:Inve...
Deep Dive on Amazon Aurora MySQL Performance Tuning (DAT429-R1) - AWS re:Inve...Amazon Web Services
 
Oracle Cloud Infrastructure:2021年11月度サービス・アップデート
Oracle Cloud Infrastructure:2021年11月度サービス・アップデートOracle Cloud Infrastructure:2021年11月度サービス・アップデート
Oracle Cloud Infrastructure:2021年11月度サービス・アップデートオラクルエンジニア通信
 
Oracle AHF Insights 23c - Deeper Diagnostic Insights for your Oracle Database...
Oracle AHF Insights 23c - Deeper Diagnostic Insights for your Oracle Database...Oracle AHF Insights 23c - Deeper Diagnostic Insights for your Oracle Database...
Oracle AHF Insights 23c - Deeper Diagnostic Insights for your Oracle Database...Sandesh Rao
 
"It can always get worse!" – Lessons Learned in over 20 years working with Or...
"It can always get worse!" – Lessons Learned in over 20 years working with Or..."It can always get worse!" – Lessons Learned in over 20 years working with Or...
"It can always get worse!" – Lessons Learned in over 20 years working with Or...Markus Michalewicz
 
Oracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection IssuesOracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection IssuesMarkus Flechtner
 
Spline: Apache Spark Lineage not Only for the Banking Industry with Marek Nov...
Spline: Apache Spark Lineage not Only for the Banking Industry with Marek Nov...Spline: Apache Spark Lineage not Only for the Banking Industry with Marek Nov...
Spline: Apache Spark Lineage not Only for the Banking Industry with Marek Nov...Spark Summit
 
Oracle Extended Clusters for Oracle RAC
Oracle Extended Clusters for Oracle RACOracle Extended Clusters for Oracle RAC
Oracle Extended Clusters for Oracle RACMarkus Michalewicz
 
Make Your Application “Oracle RAC Ready” & Test For It
Make Your Application “Oracle RAC Ready” & Test For ItMake Your Application “Oracle RAC Ready” & Test For It
Make Your Application “Oracle RAC Ready” & Test For ItMarkus Michalewicz
 
Power BI for Big Data and the New Look of Big Data Solutions
Power BI for Big Data and the New Look of Big Data SolutionsPower BI for Big Data and the New Look of Big Data Solutions
Power BI for Big Data and the New Look of Big Data SolutionsJames Serra
 
TFA Collector - what can one do with it
TFA Collector - what can one do with it TFA Collector - what can one do with it
TFA Collector - what can one do with it Sandesh Rao
 
Introduction to Enterprise Architecture
Introduction to Enterprise Architecture Introduction to Enterprise Architecture
Introduction to Enterprise Architecture Leo Shuster
 

Was ist angesagt? (20)

SQL Server Health Check
SQL Server Health CheckSQL Server Health Check
SQL Server Health Check
 
IT Architecture’s Role In Solving Technical Debt.pdf
IT Architecture’s Role In Solving Technical Debt.pdfIT Architecture’s Role In Solving Technical Debt.pdf
IT Architecture’s Role In Solving Technical Debt.pdf
 
SQL Server 2016 - Always On.pptx
SQL Server 2016 - Always On.pptxSQL Server 2016 - Always On.pptx
SQL Server 2016 - Always On.pptx
 
Oracle Cloud Infrastructure:2021年5月度サービス・アップデート
Oracle Cloud Infrastructure:2021年5月度サービス・アップデートOracle Cloud Infrastructure:2021年5月度サービス・アップデート
Oracle Cloud Infrastructure:2021年5月度サービス・アップデート
 
Solution architecture
Solution architectureSolution architecture
Solution architecture
 
Analytics and Lakehouse Integration Options for Oracle Applications
Analytics and Lakehouse Integration Options for Oracle ApplicationsAnalytics and Lakehouse Integration Options for Oracle Applications
Analytics and Lakehouse Integration Options for Oracle Applications
 
Delta Lake with Azure Databricks
Delta Lake with Azure DatabricksDelta Lake with Azure Databricks
Delta Lake with Azure Databricks
 
Pipelines and Packages: Introduction to Azure Data Factory (24HOP)
Pipelines and Packages: Introduction to Azure Data Factory (24HOP)Pipelines and Packages: Introduction to Azure Data Factory (24HOP)
Pipelines and Packages: Introduction to Azure Data Factory (24HOP)
 
Deep Dive on Amazon Aurora MySQL Performance Tuning (DAT429-R1) - AWS re:Inve...
Deep Dive on Amazon Aurora MySQL Performance Tuning (DAT429-R1) - AWS re:Inve...Deep Dive on Amazon Aurora MySQL Performance Tuning (DAT429-R1) - AWS re:Inve...
Deep Dive on Amazon Aurora MySQL Performance Tuning (DAT429-R1) - AWS re:Inve...
 
Oracle Cloud Infrastructure:2021年11月度サービス・アップデート
Oracle Cloud Infrastructure:2021年11月度サービス・アップデートOracle Cloud Infrastructure:2021年11月度サービス・アップデート
Oracle Cloud Infrastructure:2021年11月度サービス・アップデート
 
Oracle AHF Insights 23c - Deeper Diagnostic Insights for your Oracle Database...
Oracle AHF Insights 23c - Deeper Diagnostic Insights for your Oracle Database...Oracle AHF Insights 23c - Deeper Diagnostic Insights for your Oracle Database...
Oracle AHF Insights 23c - Deeper Diagnostic Insights for your Oracle Database...
 
Part5 sql tune
Part5 sql tunePart5 sql tune
Part5 sql tune
 
"It can always get worse!" – Lessons Learned in over 20 years working with Or...
"It can always get worse!" – Lessons Learned in over 20 years working with Or..."It can always get worse!" – Lessons Learned in over 20 years working with Or...
"It can always get worse!" – Lessons Learned in over 20 years working with Or...
 
Oracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection IssuesOracle Database: Checklist Connection Issues
Oracle Database: Checklist Connection Issues
 
Spline: Apache Spark Lineage not Only for the Banking Industry with Marek Nov...
Spline: Apache Spark Lineage not Only for the Banking Industry with Marek Nov...Spline: Apache Spark Lineage not Only for the Banking Industry with Marek Nov...
Spline: Apache Spark Lineage not Only for the Banking Industry with Marek Nov...
 
Oracle Extended Clusters for Oracle RAC
Oracle Extended Clusters for Oracle RACOracle Extended Clusters for Oracle RAC
Oracle Extended Clusters for Oracle RAC
 
Make Your Application “Oracle RAC Ready” & Test For It
Make Your Application “Oracle RAC Ready” & Test For ItMake Your Application “Oracle RAC Ready” & Test For It
Make Your Application “Oracle RAC Ready” & Test For It
 
Power BI for Big Data and the New Look of Big Data Solutions
Power BI for Big Data and the New Look of Big Data SolutionsPower BI for Big Data and the New Look of Big Data Solutions
Power BI for Big Data and the New Look of Big Data Solutions
 
TFA Collector - what can one do with it
TFA Collector - what can one do with it TFA Collector - what can one do with it
TFA Collector - what can one do with it
 
Introduction to Enterprise Architecture
Introduction to Enterprise Architecture Introduction to Enterprise Architecture
Introduction to Enterprise Architecture
 

Ähnlich wie Secure Keystone Deployment

Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications guest879f38
 
OpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeOpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeCybera Inc.
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld
 
Openstack security presentation 2013
Openstack security presentation 2013Openstack security presentation 2013
Openstack security presentation 2013brian_chong
 
Masterless Puppet Using AWS S3 Buckets and IAM Roles
Masterless Puppet Using AWS S3 Buckets and IAM RolesMasterless Puppet Using AWS S3 Buckets and IAM Roles
Masterless Puppet Using AWS S3 Buckets and IAM RolesMalcolm Duncanson, CISSP
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPRafal Gancarz
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessPuma Security, LLC
 
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...Amazon Web Services
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...VMworld
 
DCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and ArchitectureDCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and ArchitectureDocker, Inc.
 
Cloud_Security_Final
Cloud_Security_FinalCloud_Security_Final
Cloud_Security_FinalBhavin Shah
 
Integrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsIntegrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsUlf Mattsson
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptxMoshe Ferber
 
Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...
Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...
Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...Duc Lai Trung Minh
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsRightScale
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloadsRuncy Oommen
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
How to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GEHow to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GEFederico Fernández Moreno
 

Ähnlich wie Secure Keystone Deployment (20)

Creating Secure Applications
Creating Secure Applications Creating Secure Applications
Creating Secure Applications
 
OpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeOpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information Exchange
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
 
Openstack security presentation 2013
Openstack security presentation 2013Openstack security presentation 2013
Openstack security presentation 2013
 
Masterless Puppet Using AWS S3 Buckets and IAM Roles
Masterless Puppet Using AWS S3 Buckets and IAM RolesMasterless Puppet Using AWS S3 Buckets and IAM Roles
Masterless Puppet Using AWS S3 Buckets and IAM Roles
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
 
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
 
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged ...
 
DCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and ArchitectureDCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and Architecture
 
Cloud_Security_Final
Cloud_Security_FinalCloud_Security_Final
Cloud_Security_Final
 
Integrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOpsIntegrate Security into DevOps - SecDevOps
Integrate Security into DevOps - SecDevOps
 
Fiware cloud developers week brussels
Fiware cloud developers week brusselsFiware cloud developers week brussels
Fiware cloud developers week brussels
 
Breaking The Cloud Kill Chain
Breaking The Cloud Kill ChainBreaking The Cloud Kill Chain
Breaking The Cloud Kill Chain
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
 
Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...
Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...
Vietnam Global Azure Bootcamp 2019 - Security on Azure Kubernetes Services wi...
 
Securing Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid CloudsSecuring Servers in Public and Hybrid Clouds
Securing Servers in Public and Hybrid Clouds
 
Security for cloud native workloads
Security for cloud native workloadsSecurity for cloud native workloads
Security for cloud native workloads
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
How to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GEHow to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GE
 

Kürzlich hochgeladen

Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Call Girls in Nagpur High Profile
 
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For ...Bhosari ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...tanu pandey
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueBhangaleSonal
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01KreezheaRecto
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptMsecMca
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756dollysharma2066
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VDineshKumar4165
 
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfKamal Acharya
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapRishantSharmaFr
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)simmis5
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfJiananWang21
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Christo Ananth
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 

Kürzlich hochgeladen (20)

Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon  6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For ...Bhosari ( Call Girls ) Pune  6297143586  Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking

Secure Keystone Deployment

  • 1. Secure Keystone Deployment: Lessons Learned and Best Practices
    Priti Desai, Sr. Software Engineer
    Secure Keystone Deployment 1
  • 2. The Symantec Team
    – Cloud Platform Engineering: we are building a consolidated cloud platform that provides infrastructure and platform services for next generation Symantec products and services
    – Me: in Security for over 6 years; Symantec Insight - Reputation Based Security; Symantec Data Analytics Platform; OpenStack Engineer - Keystone; OpenStack Security Group; Cop Open Source
  • 3. OpenStack Security Group: security notes (images retrieved from http://www.openstack.org and http://docs.openstack.org)
  • 4. Secure Keystone Deployment: Why is Keystone security critical? What is Keystone? How is the authentication process implemented in Keystone? How is the authorization mechanism implemented in OpenStack?
  • 5. AuthN Overview (sequence diagram with participants Cloud User, Keystone, Identity (SQL/LDAP), Assignment (SQL) and Token (SQL))
    – Cloud User: request sent with username and password
    – Keystone verifies the username and password (hash of the password) against the Identity backend; successful verification
    – Keystone requests metadata for the user/tenant relationship from the Assignment backend; user/tenant relationship information is returned
    – Keystone requests the Token backend to generate a new token; response with the new token
    – Keystone responds to the Cloud User with the token
  • 6. AuthZ Overview (sequence diagram with participants Cloud User, OpenStack Service and Keystone)
    – Cloud User: request sent to the service with a session token
    – Service asks Keystone to verify the session token: is this token correct? Does it allow the service usage?
    – Successful verification; the service executes the request
    – Response with success
  • 7. Secure Keystone Deployment: Why is Keystone security critical? Does it store/transmit any sensitive information? What kind of cloud asset does it store? Is any type of attack possible on Keystone? Can it bring down the entire cloud?
  • 8. Keystone Security is Critical
    – Gatekeeper: access to the OpenStack cloud
    – Assets: users, passwords, tokens, roles, catalog
    – Vulnerable to DoS
    (images retrieved from http://internet.phillipmartin.info, http://blogs.citypages.com and http://assets.nydailynews.com)
  • 9. What was our approach to identifying key vulnerabilities?
  • 10. Security Risks
    – Global Security Office: threat model, penetration tests, traceability matrix
    (image retrieved from http://www.technetics.com.au)
  • 12. Threat Model: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privileges
  • 13. What kind of security deficiencies did we discover?
  • 14. Attacks discovered
    – Keystone user credential theft
    – Insecure file permissions on keystone.conf
    – Access to cloud admin privileges for almost free
    – Leaking sensitive data in log messages
    – DoS: authentication chaining (Havana)
    – Unauthorized access to the MySQL database
    – Many more …
  • 15. Traceability Matrix (table image; three cells marked ✖)
  • 16. Keystone User Credential Theft
  • 17. Mitigate: Secure Communication - SSL (diagram: a hardware load balancer terminates SSL as the SSL server for clients and acts as an SSL client towards three Keystone nodes; each node runs mod_ssl and serves the Public API on 5000/SSL and the Admin API on 35357/SSL)
  • 18. Insecure file permissions on keystone.conf
    Mitigate:
    – Restrict ownership to the service user: chown keystone:keystone /etc/keystone/keystone.conf
    – Restrict to read/write by the owner (group read-only, no access for others): chmod 640 /etc/keystone/keystone.conf
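The chown/chmod guidance on slide 18 is easy to apply once and lose on the next package upgrade or config-management run, so it is worth checking continuously. The following is an added example, not code from the presentation or from Keystone: a small audit function that reports when a config file is owned by someone other than the service account or grants more than 0640. The function names and the "keystone" owner/group defaults are assumptions; the demo works on a constructed temporary file because the test host has no keystone account.

```python
"""Check ownership and mode of a Keystone config file against the
chown keystone:keystone / chmod 640 baseline from the slides.

Added example; function names and defaults are assumptions for illustration.
"""
import grp
import os
import pwd
import stat
import tempfile


def _names(st):
    """Resolve uid/gid to names, falling back to the numeric id when the
    account is not in the local passwd/group database."""
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return owner, group


def audit_conf_permissions(path, owner="keystone", group="keystone", max_mode=0o640):
    """Return a list of findings; an empty list means the file is compliant.

    The mode is accepted only if it sets no bit beyond max_mode: 0640 allows
    owner read/write and group read, and nothing at all for others.
    """
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~max_mode:
        findings.append("mode %04o exceeds %04o" % (mode, max_mode))
    actual_owner, actual_group = _names(st)
    if actual_owner != owner:
        findings.append("owner %s, expected %s" % (actual_owner, owner))
    if actual_group != group:
        findings.append("group %s, expected %s" % (actual_group, group))
    return findings


def demo():
    """Constructed scenario: a copy of keystone.conf left world-readable,
    then fixed to 0640. Returns (findings_before, findings_after)."""
    fd, path = tempfile.mkstemp(prefix="keystone.conf.")
    os.close(fd)
    try:
        # Whoever runs this stands in for keystone:keystone.
        owner, group = _names(os.stat(path))
        os.chmod(path, 0o644)
        before = audit_conf_permissions(path, owner, group)
        os.chmod(path, 0o640)
        after = audit_conf_permissions(path, owner, group)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("world-readable copy:", before)
    print("after chmod 640:   ", after)
```

Run it against the real file with `audit_conf_permissions("/etc/keystone/keystone.conf")` from a cron job or a deployment test; any non-empty result is a regression of slide 18's mitigation.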
  • 19. Access to admin privileges is almost free
    – Service Token
    – Bootstrap Keystone
    – Cloud admin privileges
    – Register bad service/endpoints
  • 20. Mitigate: Disable Service Token
    – Comment out admin_token from /etc/keystone/keystone.conf:
      admin_token=e2112effd3ff05b8c88ad14e096e6615
    – Remove the admin token auth middleware from /etc/keystone/keystone-paste.ini:
      [filter:admin_token_auth]
      paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
  • 21. Who is the cloud admin now?
  • 22. Create Cloud Admin, leveraging Keystone domains
    – Before disabling the service token:
    – Create a domain "cloud_admin_domain"
    – Grant the "admin" role to the appropriate user "Bob Smith"
    – Update the keystone policy.json file. Replace:
      "cloud_admin": [["rule:admin_required", "domain_id:admin_domain_id"]],
      With:
      "cloud_admin": [["rule:admin_required", "domain_id:<cloud_admin_domain_id>"]],
  • 23. Leaking Sensitive Information in Log Messages
    – Debug mode includes plaintext request logging: passwords, tokens
    – Mitigate: disable debug mode in keystone.conf with:
      [DEFAULT]
      debug=False
    – With debug mode ON, upgrade the keystone client: python-keystoneclient >= 0.10.1 (OSSN-0024)
  • 24. Leaking Sensitive Information in Log Messages
    – Identity API V2: INFO level logs contain auth tokens (OSSN-0023)
    – Mitigate: set the log level to WARN in logging.conf:
      [handler_file]
      class = FileHandler
      level = WARN
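Slides 20, 22, 23 and 24 each describe one setting to change by hand; together they form a checklist that can be verified mechanically. The following is an added example, not code from the presentation or from Keystone: it parses keystone.conf, keystone-paste.ini, policy.json and logging.conf and reports each file that is still in the state the slides warn about. Function names are assumptions, the sample file contents are constructed (the admin_token value and the domain id in the fixed policy are placeholders, not real values), and the audit accepts the policy rule in both the list-of-lists form shown on slide 22 and the later string form.

```python
"""Audit the Keystone settings the slides call out: the bootstrap admin_token
and its paste filter, the cloud_admin policy rule, debug mode, and the file
handler log level. Each function returns a list of findings; an empty list
means the file is in the recommended state.

Added example, not code from the presentation or from Keystone itself.
Function names are assumptions and the sample files are constructed.
"""
import configparser
import json

LOG_RANK = {"NOTSET": 0, "DEBUG": 10, "INFO": 20, "WARN": 30,
            "WARNING": 30, "ERROR": 40, "CRITICAL": 50}


def _ini(text):
    # Keystone ini files carry '%' in some values and occasionally repeated
    # keys, so disable interpolation and strict duplicate checking.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_keystone_conf(text):
    cp = _ini(text)
    findings = []
    if cp.get("DEFAULT", "admin_token", fallback="").strip():
        findings.append("admin_token is set: the bootstrap service token grants cloud admin")
    if cp.getboolean("DEFAULT", "debug", fallback=False):
        findings.append("debug=True logs plaintext requests, including passwords and tokens")
    return findings


def audit_paste_ini(text):
    cp = _ini(text)
    findings = []
    if cp.has_section("filter:admin_token_auth"):
        findings.append("[filter:admin_token_auth] is still defined")
    for section in cp.sections():
        if section.startswith("pipeline:"):
            if "admin_token_auth" in cp.get(section, "pipeline", fallback="").split():
                findings.append("%s still includes admin_token_auth" % section)
    return findings


def audit_policy_json(text):
    rule = json.loads(text).get("cloud_admin")
    if rule is None:
        return ["no cloud_admin rule defined"]
    # Serialising covers both the list-of-lists form from the slide and the
    # later "a and b" string form, since the check text survives either way.
    flat = json.dumps(rule)
    if "domain_id:admin_domain_id" in flat:
        return ["cloud_admin still uses the sample placeholder admin_domain_id"]
    if "domain_id:" not in flat:
        return ["cloud_admin is not restricted to a specific domain"]
    return []


def audit_logging_conf(text, handler="handler_file", minimum="WARN"):
    cp = _ini(text)
    level = cp.get(handler, "level", fallback="NOTSET").upper()
    if LOG_RANK.get(level, 0) < LOG_RANK[minimum]:
        return ["%s level is %s; v2 auth tokens appear at INFO, raise it to %s"
                % (handler, level, minimum)]
    return []


AUDITS = {"keystone.conf": audit_keystone_conf, "keystone-paste.ini": audit_paste_ini,
          "policy.json": audit_policy_json, "logging.conf": audit_logging_conf}

# Constructed samples: the insecure state each slide describes, then the
# state after its mitigation. Token and domain id values are placeholders.
WEAK = {
    "keystone.conf": "[DEFAULT]\nadmin_token = 0123456789abcdef0123456789abcdef\ndebug = True\n",
    "keystone-paste.ini": (
        "[filter:admin_token_auth]\n"
        "paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory\n"
        "[pipeline:public_api]\n"
        "pipeline = sizelimit url_normalize token_auth admin_token_auth json_body public_service\n"),
    "policy.json": '{"admin_required": [["role:admin"]], '
                   '"cloud_admin": [["rule:admin_required", "domain_id:admin_domain_id"]]}',
    "logging.conf": "[handler_file]\nclass = FileHandler\nlevel = INFO\n",
}
FIXED = {
    "keystone.conf": "[DEFAULT]\n#admin_token = 0123456789abcdef0123456789abcdef\ndebug = False\n",
    "keystone-paste.ini": (
        "[pipeline:public_api]\n"
        "pipeline = sizelimit url_normalize token_auth json_body public_service\n"),
    "policy.json": '{"admin_required": [["role:admin"]], '
                   '"cloud_admin": [["rule:admin_required", "domain_id:0f1e2d3c4b5a69788796a5b4c3d2e1f0"]]}',
    "logging.conf": "[handler_file]\nclass = FileHandler\nlevel = WARN\n",
}


def audit_all(files):
    """Map each file name to the findings of its audit function."""
    return {name: AUDITS[name](text) for name, text in files.items()}


if __name__ == "__main__":
    for label, files in (("weak", WEAK), ("fixed", FIXED)):
        print(label)
        for name, findings in audit_all(files).items():
            print("  %-20s %s" % (name, findings or "ok"))
```

To run it against a real node, read the four files from /etc/keystone and pass their text to `audit_all`; the slides' ordering matters here too, since `audit_policy_json` should pass (a real domain id in place of the placeholder) before `audit_keystone_conf` is expected to pass, otherwise nobody is cloud admin.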
  • 25. Keystone DoS Attack: Identity API V3 – Authentication Chaining – CVE-2014-2828
  • 26. Keystone DoS Attack, Mitigate:
    – Impacted versions: from 2013.1 to 2013.2.3
    – Patch applied during Icehouse rc2
    – Upgrade Keystone >= 2013.2.4
  • 29. References
    – http://docs.openstack.org/developer/keystone/
    – https://blog-nkinder.rhcloud.com/?p=7
    – https://blueprints.launchpad.net/keystone/+spec/service-scoped-tokens
    – http://docs.openstack.org/sec/
    – http://www.florentflament.com/blog/setting-keystone-v3-domains.html
    – https://wiki.openstack.org/wiki/Security_Notes
  • 30. References (Images)
    – Crime Identity Theft: http://internet.phillipmartin.info/crime_identity_theft.gif
    – Computer Theft: http://blogs.citypages.com/blotter/Computer%20theft.gif
    – Mickey Washington ID: http://assets.nydailynews.com/polopoly_fs/1.1864391!/img/httpImage/image.jpg_gen/derivatives/article_970/mickey13n-1-web.jpg
    – Threat, Asset, and Vulnerability: http://www.technetics.com.au/images/easyblog_images/79/b2ap3_thumbnail_manage_your_risk_400_20140924-122014_1.jpg
    – OpenStack Security Notes: http://www.openstack.org/assets/openstack-logo/openstack-one-color-alt.pdf
    – OpenStack Security Guide: http://docs.openstack.org/common/images/openstack-security-guide.jpg