© 2012 CloudPassage Inc.
Securing Your Cloud Servers with Halo NetSec
Rand Wacker, VP of Products
rand@cloudpassage.com
@randwacker
CloudPassage Halo was purpose-built to deliver real security for servers in the cloud.
What does CloudPassage do?
Firewall Management
Server Configurations
Server account Management
Compromise & intrusion alerting
Security & compliance auditing
Vulnerability Management
Security for virtual servers running in public and private clouds
CloudPassage Halo Packages
Halo Basic: Free security for initial cloud migrations
Halo NetSec (NEW): Full perimeter protection and security integration
Halo Professional: Comprehensive security and compliance controls
Cloud Requires A New Approach to Security
Cloud Security Is New
[Diagram: the same servers www-1 to www-4 shown first in a private datacenter, then in a public cloud]
Cloud Security Is Different
[Diagram: www-1 to www-3 remain in the private datacenter while www-4 moves to the public cloud]
Cloud Security Is Complex
[Diagram: www-1 to www-4 in the private datacenter, www-4 to www-10 at Cloud Provider A, www-7 to www-10 at Cloud Provider B]
Security Products Aren't Adapting
[Diagram: the same spread of servers across the private datacenter, Cloud Provider A and Cloud Provider B, annotated with what traditional products fail to handle: Temporary & Elastic Deployments, Multiple Cloud Environments, Metered Usage]
Cloud Security Responsibility
AWS Shared Responsibility Model
[Diagram: the stack is drawn as Physical Facilities, Hypervisor, Compute & Storage, Shared Network, Virtual Machine, Data, App Code, App Framework and Operating System, split between Provider Responsibility (the infrastructure layers) and Customer Responsibility (the guest operating system and what runs on it, as the AWS text quoted below states)]
“…the customer should assume responsibility and management of, but not limited to, the guest operating system… and associated application software…”
“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Source: Amazon Web Services: Overview of Security Processes
Survey: Cloud Providers
Question: Which cloud hosting providers do you use?
[Chart: Amazon EC2, Rackspace, Terramark, GoGrid, Other; bars labelled 50%, 30%, 16%, 9% and 6%]
Source: CloudPassage CloudSec Community Survey
Survey: Cloud Security Practices
Question: How do you secure your cloud servers today?
[Chart: Open source or custom-developed tools; Commercial tool; My provider does it for me; Amazon Security Group; We're not securing our cloud servers]
Source: CloudPassage CloudSec Community Survey
Survey: Cloud Security Concerns (multiple choice)
Question: What security concerns are most important to you regarding public cloud computing?
[Chart: Enterprise security tools don't work in the cloud; Provider access to guest servers; Achieving compliance with PCI or other standards; Multi-tenancy of infrastructure or applications; Lack of perimeter defenses and/or network control; bars labelled 44%, 40%, 26%, 24% and 23%]
Source: CloudPassage CloudSec Community Survey
Introducing Halo NetSec
Halo NetSec provides firewalling, 2-factor authentication, and full automation for the protection of cloud servers.
Halo NetSec: Dynamic Cloud Firewall
Traditional Perimeter Security (private datacenter)
[Diagram: a single Firewall at the edge of the datacenter in front of the Load Balancers, App Servers and DBs]
Dynamic Cloud Firewall (public cloud)
[Diagram, built up over several slides: every Load Balancer, App Server, DB Master and DB Slave carries its own Halo firewall ("Halo FW"); when a new App Server with a new IP is added, its Halo FW and the rules on its peers follow automatically]
Multi-Cloud Firewall
[Diagram: App Servers and DBs spread across a US West Cloud, a US East Cloud and the Private Datacenter, each with its own Halo firewall, alongside the datacenter's edge Firewall]
Halo NetSec: GhostPorts 2-Factor Authentication
GhostPorts 2-Factor Auth
YubiKey-generated one-time password
USB token contains no batteries or moving parts
Prevent brute force attacks on SSH and web applications
[Diagram, built up over several slides: an ssh connection to the DB Server is blocked by its Halo FW; the administrator authenticates over https to the Halo Grid (CloudPassage Halo); the Halo FW then admits the ssh session]
Halo NetSec: Integration API
Halo Reduces Your Workload
Things you DON’T need to script with CloudPassage Halo
Managed Automatically
• Add new server to policy group
• Remove firewall policies when servers are retired
• Scan for vulnerabilities of installed software packages
• Many, many more…
Monitored Continually
• Verify firewall rules match policy
• Alert administrators of missing servers
• Monitor critical server configuration files for security posture
• Many, many more…
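The "Verify firewall rules match policy" item is a drift check an administrator could also script on the host. As an added example (mine, not CloudPassage Halo's code), the script below compares a small allow-list policy for a DB server against a constructed iptables-save dump and reports drift in both directions: rules the host has that policy never granted, and policy rules the host has lost. The policy format, the function names, the file names and the sample ruleset are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not CloudPassage Halo code): a host-side "do the firewall
# rules still match policy?" check. The policy format ("proto dport source
# action", one rule per line), the function names and the sample data are
# constructed for this demonstration; the live ruleset is assumed to be an
# iptables-save dump, of which only INPUT-chain rules are read.
export LC_ALL=C                        # same collation for sort and comm
FW=$(mktemp -d)

# Normalise INPUT-chain rules of an iptables-save dump into policy tuples.
ruleset_to_tuples() {                  # $1 = iptables-save file
  awk '$1 == "-A" && $2 == "INPUT" {
    p = "any"; d = "any"; s = "0.0.0.0/0"; j = ""
    for (i = 3; i <= NF; i++) {
      if ($i == "-p")      p = $(i + 1)
      if ($i == "--dport") d = $(i + 1)
      if ($i == "-s")      s = $(i + 1)
      if ($i == "-j")      j = $(i + 1)
    }
    if (j != "") print p, d, s, j
  }' "$1" | sort -u
}

# Policy file with comments and blank lines stripped, sorted for comm.
policy_tuples() {                      # $1 = policy file
  sed -e '/^#/d' -e '/^$/d' "$1" | sort -u
}

# Rules the host has that policy never granted (unexpected exposure).
rules_not_in_policy() {                # $1 = policy file, $2 = iptables-save file
  policy_tuples "$1" > "$FW/want"; ruleset_to_tuples "$2" > "$FW/have"
  comm -13 "$FW/want" "$FW/have"
}

# Rules policy requires that the host has lost (missing protection).
policy_not_on_host() {                 # $1 = policy file, $2 = iptables-save file
  policy_tuples "$1" > "$FW/want"; ruleset_to_tuples "$2" > "$FW/have"
  comm -23 "$FW/want" "$FW/have"
}

# ---- constructed sample: a DB server that should only talk to the app tier ----
cat > "$FW/policy" <<'EOF'
# proto dport source action
tcp 3306 10.0.1.0/24 ACCEPT
tcp 22 10.0.9.5/32 ACCEPT
EOF
# Drift: ssh was opened to every source instead of the single admin host.
cat > "$FW/live" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.1.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF

echo "== on host but not in policy"; rules_not_in_policy "$FW/policy" "$FW/live"
echo "== in policy but not on host"; policy_not_on_host "$FW/policy" "$FW/live"
```

Both directions matter: an extra rule is exposure, a missing one is a gap in protection, and a check that reports only one of them would give a false sense of safety. On a real host the dump would come from `iptables-save` and the check would run on a schedule, alerting on any non-empty output.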
Adding New Server Accounts
[Diagram: the Corporate Directory, Enterprise Provisioning System and Security Operations Portal in the private datacenter call the Halo Grid's RESTful API Gateway over https; the grid pushes GhostPorts access and local server accounts to the Halo daemons on www-1 and www-2 in the public cloud]
Other Cool Halo/API Tricks
• Set password reset requirements for a server user account.
• Find server accounts that don't have passwords (it happens).
• Find those spooky root-owned setuid files.
• Generate alerts if PID files go missing.
• Generate an alert if someone is in a group they shouldn't be in (like wheel).
• Generate massively detailed reports of server configuration status for auditors (keep 'em busy for weeks).
• Get a report of every server that a user *does not* have an account on.
• Get a report of every server that a user has an account on.
• Get alerted if a new cloud server gets created.
• Learn what process that TCP/IP port is bound to.
• Make sure that init.d startup scripts can't be tampered with by non-root users.
• Make sure that services are not running with excessive privileges.
• Monitor servers to detect old user accounts that should have been cleaned up, but might have gotten missed.
Many, many more at community.cloudpassage.com
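Several of the tricks above (accounts without passwords, root-owned setuid files, unexpected wheel members, tamperable init.d scripts, and which servers a user does or does not have an account on) are checks that can be expressed directly with a host's own tools. The script below is an added example, not CloudPassage's code; the function names, the sample shadow, group and passwd files and the directories it scans are all constructed for the demonstration, and on a real host the functions would be pointed at /etc/shadow, /etc/group, /usr/bin and /etc/init.d with root as the expected owner.

```shell
#!/bin/sh
# Added example (not CloudPassage Halo code): the server-account and
# configuration checks listed above, done with the host's own tools.
# Every function takes the file or directory to inspect as a parameter so
# it can run against the constructed sample data below instead of /etc.

# Accounts whose shadow entry has an empty password field: such an account
# can be used without any password. Locked accounts show "!" or "*" instead.
accounts_without_password() {          # $1 = shadow file
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Members of a group that are not on the allowed list.
unexpected_group_members() {           # $1 = group file, $2 = group, $3 = allowed, comma-separated
  awk -F: -v grp="$2" -v allowed=",$3," '
    $1 == grp && $4 != "" {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++)
        if (index(allowed, "," m[i] ",") == 0) print m[i]
    }' "$1"
}

# Regular files with the setuid bit that are owned by the given user.
setuid_files_owned_by() {              # $1 = directory, $2 = owner (default root)
  find "$1" -type f -user "${2:-root}" -perm -4000 | sort
}

# Startup scripts a non-root user could alter: not owned by the expected
# owner, or writable by group or other.
tamperable_scripts() {                 # $1 = directory, $2 = expected owner (default root)
  find "$1" -type f \( ! -user "${2:-root}" -o -perm -0002 -o -perm -0020 \) | sort
}

# Servers on which a user does / does not have a local account, given one
# passwd file per server named <server>.passwd in an inventory directory.
servers_with_account() {               # $1 = inventory dir, $2 = user
  grep -l -- "^$2:" "$1"/*.passwd | sed -e 's#.*/##' -e 's#\.passwd$##'
}
servers_without_account() {            # $1 = inventory dir, $2 = user
  grep -L -- "^$2:" "$1"/*.passwd | sed -e 's#.*/##' -e 's#\.passwd$##'
}

# ---- constructed sample data (not from any real system) ----
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/shadow" <<'EOF'
root:$6$constructed$hash:15000:0:99999:7:::
alice:$6$constructed$hash:15000:0:99999:7:::
deploy::15000:0:99999:7:::
backup:!:15000:0:99999:7:::
EOF
cat > "$SAMPLE/group" <<'EOF'
root:x:0:
wheel:x:10:alice,deploy,mallory
users:x:100:
EOF
mkdir -p "$SAMPLE/bin" "$SAMPLE/init.d" "$SAMPLE/inventory"
echo '#!/bin/sh' > "$SAMPLE/bin/ping";     chmod 4755 "$SAMPLE/bin/ping"
echo '#!/bin/sh' > "$SAMPLE/bin/ls";       chmod 0755 "$SAMPLE/bin/ls"
echo '#!/bin/sh' > "$SAMPLE/init.d/sshd";  chmod 0755 "$SAMPLE/init.d/sshd"
echo '#!/bin/sh' > "$SAMPLE/init.d/httpd"; chmod 0777 "$SAMPLE/init.d/httpd"
printf 'alice:x:1001:1001::/home/alice:/bin/sh\n' > "$SAMPLE/inventory/www-1.passwd"
printf 'alice:x:1001:1001::/home/alice:/bin/sh\nbob:x:1002:1002::/home/bob:/bin/sh\n' > "$SAMPLE/inventory/www-2.passwd"
printf 'bob:x:1002:1002::/home/bob:/bin/sh\n' > "$SAMPLE/inventory/www-3.passwd"

# The sample files are owned by whoever runs this script, so that user is
# passed as the expected owner; on a real host the owner would be root.
me=$(id -un)
echo "== accounts without a password";        accounts_without_password "$SAMPLE/shadow"
echo "== wheel members not approved";         unexpected_group_members "$SAMPLE/group" wheel alice
echo "== setuid files";                       setuid_files_owned_by "$SAMPLE/bin" "$me"
echo "== tamperable init.d scripts";          tamperable_scripts "$SAMPLE/init.d" "$me"
echo "== servers where alice has an account"; servers_with_account "$SAMPLE/inventory" alice
echo "== servers where alice has no account"; servers_without_account "$SAMPLE/inventory" alice
```

Each function returns a list that should normally be empty (or, for the account inventory, should match what the directory says), which is what makes them usable as alerts: any output is a finding, and the finding carries the account, file or server name that a human needs to act on.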
CloudPassage Halo Architecture
How It Works
• Halo Daemon
– Ultra light-weight software
– Installed on server image
– Automatically provisioned
• Halo Grid
– Elastic compute grid
– Hosted by CloudPassage
– Does the heavy lifting for the Halo Daemons
[Diagram: Halo daemons on www-1 to www-4 exchange policies, commands and reports with the CloudPassage Halo Compute Grid over https; the grid exposes a User Portal and a RESTful API Gateway (both https) and produces alerts, reports and trending]
Getting Started
CloudPassage Halo Packages
Halo Basic: Free security for initial cloud migrations
Halo NetSec (NEW): Full perimeter protection and security integration
Halo Professional: Comprehensive security and compliance controls

Features and Pricing                      | Basic     | NetSec                | Pro
Network Security                          |           |                       |
  Host Firewall Management                | ✔         | ✔                     | ✔
  GhostPorts Multi-Factor Authentication  |           | ✔                     | ✔
Host Security                             |           |                       |
  Server Exposure Monitoring              | ✔         | ✔                     | ✔
  Software Vulnerability Monitoring       | ✔         | ✔                     | ✔
  Account & Access Scanning               | ✔         | ✔                     | ✔
  Cloud Server Event Logging & Alerting   | ✔         | ✔                     | ✔
  File Integrity Monitoring               |           |                       | ✔
  Data Storage                            | One day   | Two years (FW events) | Two years (all scans)
  Maximum Scanning Frequency              | Daily     | Daily                 | Hourly
Integration, Management, Support          |           |                       |
  Web Management Portal                   | ✔         | ✔                     | ✔
  RESTful API Access                      |           | ✔                     | ✔
  Technical Support                       | Community | Professional          | Professional
Servers Protected                         | Up to 25  | Unlimited             | Unlimited
Pricing                                   | FREE      | 3.5¢/hour (New!)      | 10¢/hour
FREE 5 Minute Setup
Register at cloudpassage.com/register
Configure security policies in Halo web portal
Install daemons on cloud servers
Summary
Cloud deployments require a new approach to security
Halo is the only security platform purpose-built for the cloud
All you need to secure your cloud servers
Q&A
Rand Wacker
rand@cloudpassage.com
@randwacker
Thank You! For more information: info@cloudpassage.com