OpenStack Security: A Primer
Me: Joshua McKenty
Twitter: @jmckenty
Email: [email protected]
Former Chief Architect, NASA Nebula
Founding Member, OpenStack
OpenStack Project Policy Board
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier
The Three Pillars of Security
- Theatre
- “Proof”
- Real Security
“Bonus” Security Pillar
- Forensics
Real Security
Assume everything goes wrong, even impossible things.
FIPS 199 definition: Confidentiality, Integrity, Availability
Defining Security
Defining Vulnerability
Build on “Shared Nothing” to achieve “Trust No One”
Also known as “Defense in Depth”
AUTOMATE EVERYTHING
- “Fat Fingers” == plausible deniability
- Automated == non-repudiable change control
Build to the OSI 7-layer model
Layer 1
- Lock your doors
- Do your background checks
- Use separate physical networks for admin
Network model and management
- Use RFC 1918 address space when appropriate
- Use VLANs if necessary
- Firewall every machine (ebtables, iptables)
- Border firewalls (port and protocol level)
Layer 1, 2 and 3
Never assume it’s bilateral
Control system access
- Best case: no host-based shell access AT ALL.
- Second-best: federated AUTH with 2-factor, keys only
- Worst case: host-level root login with passwords
- Run IDS – on hosts and guests
- Scan continuously – hosts and guests, on all networks
- Proactively defend – Fail2Ban, etc. (F2B-a-a-S)
Layer 4, 5, 6 and 7
- Don't trust the hypervisor (TXT / TPM)
- Conversely, don't trust the VM (blue-pill exploits, etc.)
- Host-based FW within the VM (CloudPassage "Halo")
- Access-control for VMs – same approaches apply (Auth-as-a-Service)
Layer ‘V’
“Proof” and Policy
In God We Trust – All Others, Bring Data.
Classic best practices – redundant, off-site log servers
Log aggregation and analysis / event detection
Logging-as-a-Service
Log early, log often
Make and verify your assertions (Coming soon…)
CloudAudit
Did you remember to delete his account?
Security Theatre
“Given enough hand-waving, all systems are secure.”
Crypto is useless – if keys are stored with the data
Private networks are useless – if doors aren’t locked
Certification only proves that you’re doing what you said you were going to do. You can still be wrong.
Forget “Trust, but verify”. Just don’t trust.
Don’t get confused!
Bonus: Forensics
It’s not an “If” – it’s a “When”
- Have a chaos-monkey of compromise
- Can you perform forensics and remediation without impacting other users of your cloud?
- Spanning ports and extra storage
- “Graveyard” for recently deleted images, instances
Bonus Section: Forensics
What’s in the CloudPipe?
“We can only see a short distance ahead, but we can see plenty there that needs to be done.”
– Alan Turing
The Machine
Aka “Sneaky Monkey”
Continuous Integration of penetration and vulnerability testing.
We’re doing “stuff”
No… really.
Hardening
Outfoxing the fox
Intel is working with many companies within OpenStack, including Piston.
Trusted Execution
Questions?
Matt Linton – Nebula CSO
Jesse Andrews – AnsoLabs Founder
Soo Choi – 7120.7 Nazi
Matt Chew-Spence – FIPS 199 Guru
Keith Shackleford and James Williams
Chris Kemp
Bobby Cates, Dave Swagger, E. Lopez, Grace De Leon, Guy with Gun #1, Guy with Gun #2…
Credits