Use Case : Cloud Security Design and Implementation

1 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Use Case : Cloud Security
Design and Implementation
Orgad Kimchi
ISV Engineering
Oracle Solaris 11

reserved.
reserved.
Insert Information Protection Policy Classification from Slide 8
The following is intended to outline our general product direction. It is intended
for information purposes only, and may not be incorporated into any contract. It
is not a commitment to deliver any material, code, or functionality, and should
not be relied upon in making purchasing decisions. The development, release,
and timing of any features or functionality described for Oracle’s products
remains at the sole discretion of Oracle.

reserved.
Security Challenges
• Securing Data At Rest, In Transit, and In Use
• Minimize operating system attack surface
• Prevent denial of service attacks against their infrastructure
• Segregate network traffic between different cloud users
• Disable hostile code (e.g.’ rootkit’ attacks)
• Secure data deletions once we have done with our project

reserved.
Concerns With Public Cloud computing
Source : http://blogs.gartner.com/neil_macdonald/2010/12/16/security-is-the-top-concern-for-public-cloud-but-what-does-that-really-mean/

reserved.
Oracle Solaris Remote Lab
•Solaris Network Virtualization
– Segregate network traffic & secure VLAN per user
• Solaris Zones
– Isolates partner VMs in a secure environment
• Solaris ZFS
– Rapid & secure deployment of images in partner VMs
• Secure Global Desktop
– Separates communications channels
A secure cloud environment built on Solaris technologies
Now in the Cloud

reserved.
Cryptography

reserved.

reserved.
Cryptographic Acceleration
Oracle SPARC T4 Processor
• Scalable Performance
– On-core, unprivileged, cryptographic instructions
– OpenSSL 5x faster than IBM POWER7
– ZFS encryption is 3x faster than Intel
• Most Industry Standard Algorithms
– Public Key Encryption: RSA, DSA, ECC, DH
– Symmetric Key Encryption: AES, 3DES, DES, Kasumi, Camellia
– Message Digests: CRC32c, MD5, SHA-1, SHA-224, SHA-256,
SHA-384, SHA-512
– Random number generation (FIPS 140-2 compliant)

reserved.
SPARC T4 Cryptographic Acceleration
Significant Performance Gains for SSL
• Two-way SSL
• RSA-2048
• AES-256

reserved.
ZFS: Next Generation File System
• Immense Capacity (128-bit)
• ZFS capacity: 256 quadrillion ZB (1ZB = 1 billion TB)
• Exceeds quantum limit of Earth-based storage.
• Dynamic Metadata
• No limits on files, directory entries, snapshots, etc.
• No tuning parameters to enable expansion.
• Parallel, constant-time directory operations.
• Pooled design – continuous future growth
Scalability

reserved.
ZFS Encryption
• Encryption policy is set at the ZFS data set level
• Supports delegation of key management operations
• Leverages a dual key model: wrapping vs. encryption key
• Variety of options for format/location of the wrapping key
• Wrapping key inherited by child data sets

reserved.
ZFS Encryption Example
# zfs create -o encryption=on -o dedup=on -o compression=on
rpool/scratch
Enter passphrase for 'rpool/scratch':
Enter again:
# zfs get encryption,keysource,dedup,compression rpool/scratch
NAME PROPERTY VALUE SOURCE
rpool/scratch encryption on local
rpool/scratch keysource passphrase,prompt local
rpool/scratch dedup on local
rpool/scratch compression on local
# zfs key -u rpool/scratch
# zfs mount rpool/scratch

reserved.
Assured Deletion with ZFS Encryption
# zfs create -o encryption=on rpool/scratch
Enter again:
# zfs key -c -o keysource=raw,file:///dev/random rpool/scratch
# zfs get keysource rpool/scratch
NAME PROPERTY VALUE SOURCE
rpool/scratch keysource raw,file:///dev/random local
# zfs key –u rpool/scratch
# zfs destroy rpool/scratch

reserved.
Encrypted Swap and /tmp
$ awk '($4 == "swap") { print; }' /etc/vfstab
/dev/zvol/dsk/rpool/swap - - swap - no encrypted
$ swap –l
swapfile dev swaplo blocks free
/dev/lofi/1 145,1 8 2097128 2097128
$ lofiadm
Block Device File Options
/dev/lofi/1 /devices/pseudo/zfs@0:2 Encrypted

reserved.
Networking

reserved.
Network Secure by Default
• Expose only required services to the network
– Reduce the operating system network foot print
– Most services are disabled; a few are set to “local only”
• Integrated with Service Management Facility
– Common administrative model for all service operations
– Fully customizable based upon unique site requirements
• Foundation for Additional Protections and Configuration

reserved.
Network Architecture Strategies

reserved.
Network Virtualization
• Using network VLANs
• Combine with physical switches
• Layer 2 segregation
• # dladm create-vnic -l net0 vnic2 -v 2
Network segregation

reserved.
IP Filters
• Ability to configure what ports
are open between system
• Simple to configure and SMF
service
• Can configure direction as
well as ports

reserved.
Network Resource Management
• Introducing network resource control
– Bandwidth control
– Flow control
• Split up large network pipes
• Guarantee types of network traffic for
your applications
• In the following example we limit the SSL traffic to 100Mb
on the vnic0 network interface
# dladm create-vnic vnic0 –l net0
# flowadm add-flow -l vnic0 –a
transport=TCP,local_port=443 https-flow
# flowadm set-flowprop -p maxbw=100M https-flow
Control the Un-Controlable

reserved.
Data Link Protection
# dladm show-linkprop -p protection net0
LINK PROPERTY PERM VALUE DEFAULT POSSIBLE
net0 protection rw -- -- mac-nospoof,
restricted,
ip-nospoof,
dhcp-nospoof
# dladm set-linkprop -p allowed-ips=10.0.2.15
# dladm set-linkprop -p protection=mac-nospoof,ip-nospoof,
restricted net0
# ping 10.0.2.2
10.0.2.2 is alive
[set IP address manually to something other than 10.0.2.15.]
# ping 10.0.2.2
no answer from 10.0.2.2

reserved.
Designed-in Virtualization
Oracle Solaris Zones

reserved.
Integrated Virtualization
Security
Automated Install
Packaging Zones
Networking
ZFS

reserved.
Oracle Solaris Zones
• Built-in solution for
application deployment
• Compatibility environments
• Solaris 10 only
• Zones now more complete
• Delegated administration
• Observability
• NFS shares
• Network virtualization

reserved.
• Restricted In-Zone Operations
– Individual operating system hardening, RBAC, auditing, etc.
– Prohibited from directly accessing kernel (modules), raw memory
• External Enforcement of Zone Configuration
– Configurable privileges, immutability, devices, file systems,
resource controls, virtual network security controls, etc.
• Observability with Integrity
– Protected audit trails, file integrity verification, global zone has
complete introspection capabilities
Solaris Zones Security Benefits

reserved.
Immutable Zones Example (1/2)
# zonecfg -z myzone 'set file-mac-profile=fixed-configuration’
# zoneadm -z myzone boot
# zlogin myzone
[Connected to zone 'myzone' pts/3]
myzone# rm /etc/passwd
rm: /etc/passwd: override protection 644 (yes/no)? y
rm: /etc/passwd not removed: Read-only file system
myzone# pkg install emacs
pkg install: Could not complete the operation on /var/pkg/lock:
read-only filesystem.
myzone# rm /usr/bin/vi
rm: /usr/bin/vi not removed: Read-only file system

reserved.
Immutable Zones Example (2/2)
myzone# touch /var/tmp/foo
myzone# touch /tmp/bar
myzone# svcadm disable ssh
root@solaris:~# svcs ssh
STATE STIME FMRI
disabled 6:52:53 svc:/network/ssh:default

reserved.
Data Architecture Strategies

reserved.
ZFS Zone Root Encryption
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=zoneroot
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=zoneroot
rpool/zones
Enter PKCS#11 token PIN for 'rpool/zones':
# zonecfg -z myzone 'create; set zonepath=/rpool/zones/myzone’
# zoneadm –z myzone install
[… once install completes, the system is rebooted]
# zfs key -l rpool/zones
Enter PKCS#11 token PIN for 'rpool/zones':
# zfs mount –a
# zoneadm -z myzone boot

reserved.
Auditing

reserved.
Solaris Auditing
• Kernel-based, fine-grained introspection
• Captures commands, syscalls, admin. Actions
• Flexible audit policy for global and non-global zones
• Several audit trail formats: binary, text, XML, etc.
• New in Solaris 11
– Auditing on by default with no performance penalty
– Supports secure remote storage of audit trails
– Greater visibility into system events with less “noise”

reserved.
Per-User Auditing Policy
# userattr audit_flags gbrunett
#
# usermod –K audit_flags=lo,ad,ex:lo gbrunett
# userattr audit_flags gbrunett
lo,ad,ex:no
# su – gbrunett
$ exit
# auditreduce -r baz -c lo /var/audit/*not_term* | praudit -s
header,97,2,AUE_su,,testhost,2012-11-13 06:33:21.514 -08:00
subject,testuser,baz,staff,baz,staff,5243,2804137368,0 0 testhost
return,success,0

reserved.
Putting it all together
with Solaris 11 Security!

reserved.
Oracle Solaris Remote Lab – Schematic

reserved.
OSRL - Data
• Single Zpool multiple
ZFS file systems
Resource
Sharing
• Data stored in ZFS SA
• Hybrid Storage
• Disk + SSD + RAM
• ZFS Cloning
Performance
• Encrypted ZFS
• Partner specific Key
• Each partner has their
own ZFS File System
Security
Create
Use
Delete
• Data isolated in VLAN
• Separate NFS server per
partner
• SGD - CDM
• All intra VM data
transfers self contained
in Blade chassis
• ZFS clones
- Share everything but the
changes
• ZFS Secure delete
• ZFS encrypt + Delete
almost instantaneous
operation

reserved.
OSRL - Virtual Machines (Zones)
• Zone cloning
• less than 18 MB of RAM
• less than 100 MB of Disk
Resource
Sharing
• ZFS + Zone cloning
• new zone in minutes
Performance
• ZFS encryption for zone
file system
• Exclusive IP stack +
VNIC
Security
Create
Use
Delete
• All Zones isolated in
non-routable VLAN
• Secure global desktop
access
• Resource allocation
• network bandwidth
• Memory
• CPU
• Zone shares all OS
resources
- Single kernel
- Single storage
• ZFS Secure delete
• ZFS encrypt + Delete
almost instantaneous
operation

reserved.
When 1 + 1 > 2
• Zone + ZFS
– Fast zone provisioning
– Very low overhead
– Encrypt file system as well as share resource
• Zones + Network virtualization
• Allows for sharing single physical network
• VLAN tagging allows for creating one VLAN/Partner
• Exclusive IP stack on shared physical network

reserved.
When 1 + 1 > 2
• Zones + ZFS + NFS
• Each NFS server is a zone
• Single data store
• Single Physical server
• Multiple NFS file systems shared with ZFS
• ZFS supports NFS sharing
• Encryption + Cloning reduces overhead
• Zones + IPS
• Global Zone has IPS proxy
• Single IPS repository accessible from non routable VLAN

reserved.
Additional Resources
• Solaris 11 Security Hardening Guidelines
http://docs.oracle.com/cd/E26502_01/html/E29014/index.html
• Solaris 11 Secure Coding Guidelines for Developers
http://docs.oracle.com/cd/E26502_01/html/E29016/scode-1.html
• Glenn Faden’s Solaris 11.1 Hands On Security Lab
https://blogs.oracle.com/gfaden/entry/solaris_11_1_is_available
• Darren Moffat’s Solaris Security Blog
https://blogs.oracle.com/darren/tags/solaris+security

reserved.
For More Information / Try Out Today
• Product overview and download
– oracle.com/solaris
• Oracle Technology Network
– oracle.com/technetwork/server-storage/solaris11
• System Administrators Community
– oracle.com/technetwork/systems
• @ORCL_Solaris
• facebook.com/oraclesolaris
• Oracle Solaris Insider
40

reserved.
Questions

reserved.
Acknowledgements
Special thanks to Darren Moffat and Glenn Faden, Angelo
Rajadurai and many others for sharing their ideas and
examples with the world.

reserved.

Use Case : Cloud Security Design and Implementation

Recomendados

Recomendados

Mais conteúdo relacionado

Último

Último (20)

Destaque

Destaque (20)

Use Case : Cloud Security Design and Implementation