SlideShare uma empresa Scribd logo

OpenStack: Security Beyond Firewalls

Giuseppe Paterno'
Giuseppe Paterno'

OpenStack security is a huge topic. In these slides I presented at the OpenStack Day, I analyzed cloud security the network to the application layer, going through specific layers, some in common between OpenStack itself and the applications.

SoftwareTecnologia
1 de 38
Baixar para ler offline
OpenStack: Security beyond firewalls MAKING THE CLOUD A SAFER SPACE Giuseppe “Gippa” Paternò, Network & Security NERD 30th May 2014 * OpenStackDay Italy Twitter: @gpaterno - Website: www.gpaterno.com
About me IT security products and virtualization services focused on identity protection on the Cloud, as the user is became the ultimate perimeter of a never ending distributed model. HQ based in Switzerland and whose servers are located in Switzerland. User privacy is protected by strict Swiss privacy regulations, no UE or US exceptions allowed. IT Architect and Security Expert with background in Open Source. Former Network and Security architect for Canonical, RedHat, Wind/ Infostrada, Sun Microsystems and IBM and Visiting Researcher at the University of Dublin Trinity College. Past projects: standard for J2ME Over-The-Air (OTA) provisioning along with Vodafone, the study of architecture and standards for the delivery of MHP applications for the digital terrestrial television (DTT) on behalf of DTT Lab (Telecom Italia/LA7) and implementation of HLR for Vodafone landline services. Lot of writings, mainly on computer security. CTO and Director of GARL, a multinational company based in Switzerland and UK, owner of SecurePass and SecureData. TM Secure Data beta BANK OF PASSWORDS
62% Increase breaches in 2013(1) 1 in 5 Organizations have experienced an APT attack (4) 3 Trillion$ Total global impact of cybercrime(3) 8 months Is the average time an advanced threat goes unnoticed on victim’s network(2) 2,5 billion Exposed records as results of a data breach in the past 5 years(5) 1,3,5: Increased cyber security can save global economy trillions, McKinsey/World Economic Forum, January 2014 2: M-Trends 2013: attack the security gap, Mandiant, March 2013 4: ISACA’s 2014 APT study, ISACA, April 2014. Source: ISACA Cyber Security Nexus Too many threats
Network APIs Identity Application OpenStack Domain Guest Domain OpenStack and Guest Security
Network Security (OpenStack built-in systems)
Linux Namespaces Used in OpenStack, widely adopted in Neutron, it was Originally created for Linux Control Groups (aka cgroups) PID namespaces isolate the process ID number space so that processes in different PID namespaces can have the same PID Network namespaces provide isolation of the system resources associated with networking User namespaces isolate the user and group ID number spaces. Mount namespaces isolate the set of filesystem mount points seen by a group of processes. Mentioning: IPC and Unix Time-Sharing (UTS) namespaces
Neutron Server runs on Controller, expose APIs, enforce network model, pass to Neutron Plugin Neutron Plugin runs on Controller, implements APIs, every vendor can create its own “implementation” (ex: Cisco, Juniper, ...) Plugin Agent, run on each compute node and connect instances to the virtual network Default implementation based on OpenVSwitch OpenFlow to be set as fundamental open protocol for building SDN OpenStack Neutron Software-Defined Network in OpenStack, it answer RESTful APIs. Still no “industry” standard for encapsulating VLANs over L3, VXLANs set to be a preferred choice but any vendor has its choice (ex: Juniper has MPLS over IP)
Namespaces enables multiple instances of a routing table to co-exist within the same Linux box Network namespaces make it possible to separate network domains (network interfaces, routing tables, iptables) into completely separate and independent virtual datacenters Advantage of namespaces implementation in Neutron is that tenants can create overlapping IP addresses and independent routing schema The neutron-l3-agent is designed to use network namespaces to provide multiple independent virtual routers per node. OpenStack Neutron and Network Namespaces
List Namespaces Show firewall rules in a virtual router Example of Network Namespaces # ip netns qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 qdhcp-bebd6bc8-2bd0-4bdd-890c-9657faf80444 # ip netns exec qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 iptables -L -vn Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
OpenStack Neutron L3 Agent
OpenStack Neutron FWaaS Firewall as a Service in Neutron Different from the Security Groups in the instance Default to IPtables support into tenant’s ip NameSpace
OpenStack Neutron VPNaaS Neutron has capability to handle per-tenant VPNs, named VPN-as-a-Service Based on IPSec, just implementing IKE with “PSK” authentication mode rather than using certificates Suited for site-to-site VPNs and provide Hybrid cloud Implemented on top of IP NameSpaces (“ip netns add vpn”) Draft exists on bringing OpenVPN to Neutron Not suited for “roadwarriors”, i.e. clients connection
OpenStack Neutron VPNaaS
APIs Security (OpenStack and Cloud Applications)
APIsApplication APIs APIs are your point of contact from external world, you must make them highly secure Firewall are not enough! Anything can be sent over HTTP/ HTTPS. REST, XML-RPC, ... Web-based APIs
Usernames and passwords, session tokens and API keys must never appear in the URL (Proxy caching and logging) Allow only selected HTTP methods Protect privileged actions and sensitive resource collections Validate inputs and enforce typing of values Validate incoming Content-Type and other headers Encrypt data in transit Validation also apply to payload: JSON, XML or whatsoever General APIs best practices
OpenStack APIs All OpenStack software is based on APIs, consumed from End customers and tools to access the platform programmatically Among OpenStack components, is a way of decoupling components implementations Easily from “curl” tools OpenStack Command Line tools REST clients OpenStack Software Development Kit (SDK) RESTFUL API
OpenStack APIs EndPoints
1. Obtain a Token curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens 2. Consume the API (through the obtained token): curl -i -X GET http://localhost:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: token" OpenStack APIs Workflow
The token request will reveal the endpoints URLs: Compute/Nova, S3,Image/ Glance, Volume/Cinder, EC2, Identity/Keystone Revealing the EndPoints
Isolate API endpoint processes, especially those that reside within the public security domain should be isolated as much as possible. API endpoints should be deployed on separate hosts for increased isolation. Apply Defense-in-Depth concept: configure services, host-based firewalls, local policy (SELinux or AppArmor), and optionally global network policy. Use Linux namespaces to assign processes into independent domains Use network ACLs and IDS technologies to enforce explicit point to point communication between network services (ex: wire-level ACLs in L3 switches) OpenStack APIs best practices
Isolate API endpoint processes from each other and other processes on a machine. Use Mandatory Access Controls (MAC) on top of Discretionary Access Controls to segregate processes, ex: SE-Linux Objective: containment and escalation of API endpoint security breaches. Use of MACs at the OS level severely limit access to resources and provide earlier alerting on such events. Mandatory Access Control in APIs
RESTful APIs, mixture of POST (in request) and JSON (in response), Channel encrypted with TLS high cypher, Based on APP ID and APP Secret Example: /api/v1/users/info Ex: SecurePass NG (Dreamliner) APIs Security in functionalities, APP ID read-only or read-write in network, APP ID can be limited to a given IPv4/IPv6 in domain, APP ID is linked to only a specific realm/ domain
Identity Security (OpenStack and Cloud Applications)
User management: keep tracks of users, roles and permissions Service catalog: Provide a catalog of what services are available and where the OpenStack APIs EndPoint are located OpenStack Keystone Provides Identity, Token, Catalog and policy services for uses inside the OpenStack family and implements OpenStack’s Identity APIs
Users A user represent a human user and has associated information such as username, password and e-mail Tenants A tenant can represent a customer, organization or a group. Roles A role is what operations a user is permitted to perform in a given tenant OpenStack Identity Management Keystone permit the following back-ends for IDMs: SQL Backend (SQLAlchemy, it’s python), PAM, LDAP and custom plugins
Catching username and passwords means reveal the whole OpenStack infrastructure and control it! $ curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/ tokens OpenStack Keystone
10 millionsof victims of identity theft in USA in 2008 (Javelin Strategy and Research, 2009) 221 billions $lost every year due to identity theft (Aberdeen Group) 35 billioncorporate and government records compromised in 2010 (Aberdeen Group) 2 years of a working resource to correct damages due to identity theft (ITRC Aftermath Study, 2004) 2 billions $damages reported in Italy in 2009 (Ricerca ABI) The victims of identity theft
Security must be simple and transparent to the end user, otherwise it will be circumvented! Identity best practices in applications Strong authentication of the users GeoIP Patches, patches and patches! Secure application programming
Hosted Apps Need of a central Cloud Control Cloud Orchestrator 2FA/SSO
<Directory /srv/www/myapp> AllowOverride None Order allow,deny allow from all AuthType CAS require spgroup mygroup@company.com </Directory> Example of Web identity protection Require access through the SecurePass SSO portal with 2FA Restrict to a dynamic group (with GeoIP)
Real-life example (aka Case Study)
My accountant has his desktop computer broken, he has no time to change it, need something “always available” and in a restricted budget He needs Windows for his accounting software He has no office and works from home sometimes, he needs to access his desktop from ideally from his TV He wants to connect from his customers’, but not always a computer available for him He need emergency way of accessing the desktop from customers’ or from Internet Cafes (ex: on holidays) Must provide a secure access as he holds very confidential data Case Study: Overview & Requirements
From home, access the platform with an Android Mini-PC on existing HDMI TV, keyboard and a VPN with Mikrotik device (Equipment ~120 EUR) When at customer, access the platform with the existing Samsung Android tablet. Added bluetooth Keyboard + Mouse and OpenVPN (K+M ~60 EUR) Emergency access provided with an RDP HTML5 gateway OpenStack as the operational platform SecurePass as a security mechanism to protect access to his virtual desktop Case Study: Solution Virtualize his existing desktop system
Case Study: Overall Schema
2FA RDP over HTML5 OpenVPN Windows Machine (RDP) Web Browser OpenVPN on Android + RDP Client Appliance details
Acknowledgments TM Demo hosted by powered by teuto.net www.ostack.de Security provided by www.secure-pass.net
Thank you MAKING THE CLOUD A SAFER SPACE

Recomendados

Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security BriefShmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Brief
openfly
 
Openstack security presentation 2013
Openstack security presentation 2013Openstack security presentation 2013
Openstack security presentation 2013
brian_chong
 
OpenStack Security Project
OpenStack Security ProjectOpenStack Security Project
OpenStack Security Project
Travis McPeak
 
OpenStack Security
OpenStack SecurityOpenStack Security
OpenStack Security
openstackindia
 
Security Issues in OpenStack
Security Issues in OpenStackSecurity Issues in OpenStack
Security Issues in OpenStack
oldbam
 
Holistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsHolistic Security for OpenStack Clouds
Holistic Security for OpenStack Clouds
Major Hayden
 
CIS13: OpenStack API Security
CIS13: OpenStack API SecurityCIS13: OpenStack API Security
CIS13: OpenStack API Security
CloudIDSummit
 
Openstack 101
Openstack 101Openstack 101
Openstack 101
Kamesh Pemmaraju
 

Recomendados

Shmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security BriefShmoocon 2013 - OpenStack Security Brief
Shmoocon 2013 - OpenStack Security Brief
openfly
 
Openstack security presentation 2013
Openstack security presentation 2013Openstack security presentation 2013
Openstack security presentation 2013
brian_chong
 
OpenStack Security Project
OpenStack Security ProjectOpenStack Security Project
OpenStack Security Project
Travis McPeak
 
OpenStack Security
OpenStack SecurityOpenStack Security
OpenStack Security
openstackindia
 
Security Issues in OpenStack
Security Issues in OpenStackSecurity Issues in OpenStack
Security Issues in OpenStack
oldbam
 
Holistic Security for OpenStack Clouds
Holistic Security for OpenStack CloudsHolistic Security for OpenStack Clouds
Holistic Security for OpenStack Clouds
Major Hayden
 
CIS13: OpenStack API Security
CIS13: OpenStack API SecurityCIS13: OpenStack API Security
CIS13: OpenStack API Security
CloudIDSummit
 
Openstack 101
Openstack 101Openstack 101
Openstack 101
Kamesh Pemmaraju
 
Quick overview of Openstack architecture
Quick overview of Openstack architectureQuick overview of Openstack architecture
Quick overview of Openstack architecture
Toni Ramirez
 
Openstack_administration
Openstack_administrationOpenstack_administration
Openstack_administration
Ashish Sharma
 
Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)
Krunal Jain
 
OpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical OverviewOpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical Overview
Thang Man
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
Mirantis
 
Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"
CREATE-NET
 
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
Giuseppe Paterno'
 
OpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer BangladeshOpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
Mobarak Hossain
 
Introduction to OpenStack Architecture (Grizzly Edition)
Introduction to OpenStack Architecture (Grizzly Edition)Introduction to OpenStack Architecture (Grizzly Edition)
Introduction to OpenStack Architecture (Grizzly Edition)
Ken Pepple
 
OpenStack - Infrastructure as a service
OpenStack - Infrastructure as a serviceOpenStack - Infrastructure as a service
OpenStack - Infrastructure as a service
Denis Cavalcante
 
What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...
What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...
What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...
Edureka!
 
Introduction To OpenStack
Introduction To OpenStackIntroduction To OpenStack
Introduction To OpenStack
Haim Ateya
 
Openstack Architecture
Openstack ArchitectureOpenstack Architecture
Openstack Architecture
SrbIT
 
Openstack architure part 1
Openstack architure part 1Openstack architure part 1
Openstack architure part 1
Nhan Cao Thanh
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the Enterprise
Keith Tobin
 
OpenStack- A ringside view of Services and Architecture
OpenStack- A ringside view of Services and ArchitectureOpenStack- A ringside view of Services and Architecture
OpenStack- A ringside view of Services and Architecture
Ritesh Somani
 
Getting started with OpenStack
Getting started with OpenStackGetting started with OpenStack
Getting started with OpenStack
Knoldus Inc.
 
Cloud and OpenStack
Cloud and OpenStackCloud and OpenStack
Cloud and OpenStack
Seyed Ehsan Beheshtian
 
Openstack training material
Openstack training materialOpenstack training material
Openstack training material
chenvi123
 
Intro to the FIWARE Lab
Intro to the FIWARE LabIntro to the FIWARE Lab
Intro to the FIWARE Lab
FIWARE
 
HP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond FirewallsHP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond Firewalls
BeMyApp
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
Lorenzo Carnevale
 

Mais conteúdo relacionado

Mais procurados

Openstack_administration
Openstack_administrationOpenstack_administration
Openstack_administration
Ashish Sharma
 
Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)
Krunal Jain
 
OpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical OverviewOpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical Overview
Thang Man
 
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
Giuseppe Paterno'
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the Enterprise
Keith Tobin
 

Mais procurados (20)

Quick overview of Openstack architecture
Quick overview of Openstack architectureQuick overview of Openstack architecture
Quick overview of Openstack architecture
 
Openstack_administration
Openstack_administrationOpenstack_administration
Openstack_administration
 
Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)Introduction to OpenStack (Juno)
Introduction to OpenStack (Juno)
 
OpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical OverviewOpenStack 101: Introduction & Technical Overview
OpenStack 101: Introduction & Technical Overview
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"Webinar "Introduction to OpenStack"
Webinar "Introduction to OpenStack"
 
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...OpenStack Explained: Learn OpenStack architecture and the secret of a success...
OpenStack Explained: Learn OpenStack architecture and the secret of a success...
 
OpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer BangladeshOpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
OpenStack Administration by Mobarak Hossain Group Organizer Bangladesh
 
Introduction to OpenStack Architecture (Grizzly Edition)
Introduction to OpenStack Architecture (Grizzly Edition)Introduction to OpenStack Architecture (Grizzly Edition)
Introduction to OpenStack Architecture (Grizzly Edition)
 
OpenStack - Infrastructure as a service
OpenStack - Infrastructure as a serviceOpenStack - Infrastructure as a service
OpenStack - Infrastructure as a service
 
What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...
What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...
What Is OpenStack | OpenStack Tutorial For Beginners | OpenStack Training | E...
 
Introduction To OpenStack
Introduction To OpenStackIntroduction To OpenStack
Introduction To OpenStack
 
Openstack Architecture
Openstack ArchitectureOpenstack Architecture
Openstack Architecture
 
Openstack architure part 1
Openstack architure part 1Openstack architure part 1
Openstack architure part 1
 
Architecture Openstack for the Enterprise
Architecture Openstack for the EnterpriseArchitecture Openstack for the Enterprise
Architecture Openstack for the Enterprise
 
OpenStack- A ringside view of Services and Architecture
OpenStack- A ringside view of Services and ArchitectureOpenStack- A ringside view of Services and Architecture
OpenStack- A ringside view of Services and Architecture
 
Getting started with OpenStack
Getting started with OpenStackGetting started with OpenStack
Getting started with OpenStack
 
Cloud and OpenStack
Cloud and OpenStackCloud and OpenStack
Cloud and OpenStack
 
Openstack training material
Openstack training materialOpenstack training material
Openstack training material
 
Intro to the FIWARE Lab
Intro to the FIWARE LabIntro to the FIWARE Lab
Intro to the FIWARE Lab
 

Semelhante a OpenStack: Security Beyond Firewalls

Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...
Joel W. King
 
Aptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity serviceAptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity service
OpenStack
 
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation EcosystemHow APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
Cisco DevNet
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
openstackindia
 

Semelhante a OpenStack: Security Beyond Firewalls (20)

HP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond FirewallsHP Helion Webinar #5 - Security Beyond Firewalls
HP Helion Webinar #5 - Security Beyond Firewalls
 
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (liberty) by Lorenzo Carnevale and Silvio Tavilla
 
Workshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, VirtualizationWorkshop - Openstack, Cloud Computing, Virtualization
Workshop - Openstack, Cloud Computing, Virtualization
 
Openstack workshop @ Kalasalingam
Openstack workshop @ KalasalingamOpenstack workshop @ Kalasalingam
Openstack workshop @ Kalasalingam
 
OpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeOpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information Exchange
 
OpenStack Neutron Havana Overview - Oct 2013
OpenStack Neutron Havana Overview - Oct 2013OpenStack Neutron Havana Overview - Oct 2013
OpenStack Neutron Havana Overview - Oct 2013
 
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio TavillaOpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
OpenStack Identity - Keystone (kilo) by Lorenzo Carnevale and Silvio Tavilla
 
Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...Using Ansible Tower to implement security policies and telemetry streaming fo...
Using Ansible Tower to implement security policies and telemetry streaming fo...
 
7 - Introduction to OpenStack & SDN by Ady Saputra
7 - Introduction to OpenStack & SDN by Ady Saputra7 - Introduction to OpenStack & SDN by Ady Saputra
7 - Introduction to OpenStack & SDN by Ady Saputra
 
Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...Using Tetration for application security and policy enforcement in multi-vend...
Using Tetration for application security and policy enforcement in multi-vend...
 
Operate with an openstack deployment by code
Operate with an openstack deployment by codeOperate with an openstack deployment by code
Operate with an openstack deployment by code
 
New and smart way to develop microservice for istio with micro profile
New and smart way to develop microservice for istio with micro profileNew and smart way to develop microservice for istio with micro profile
New and smart way to develop microservice for istio with micro profile
 
OpenStack hands-on (All-in-One)
OpenStack hands-on (All-in-One)OpenStack hands-on (All-in-One)
OpenStack hands-on (All-in-One)
 
Aptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity serviceAptira presents OpenStack keystone identity service
Aptira presents OpenStack keystone identity service
 
Neutron behind the scenes
Neutron behind the scenesNeutron behind the scenes
Neutron behind the scenes
 
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation EcosystemHow APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
How APIs are Transforming Cisco Solutions and Catalyzing an Innovation Ecosystem
 
OpenStack keystone identity service
OpenStack keystone identity serviceOpenStack keystone identity service
OpenStack keystone identity service
 
neutron_icehouse_update
neutron_icehouse_updateneutron_icehouse_update
neutron_icehouse_update
 
GDL OpenStack Community - Openstack Introduction
GDL OpenStack Community - Openstack IntroductionGDL OpenStack Community - Openstack Introduction
GDL OpenStack Community - Openstack Introduction
 
OpenStack for VMware Administrators
OpenStack for VMware AdministratorsOpenStack for VMware Administrators
OpenStack for VMware Administrators
 

Mais de Giuseppe Paterno'

Let's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudLet's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloud
Giuseppe Paterno'
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
Giuseppe Paterno'
 
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Giuseppe Paterno'
 
How the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersHow the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacenters
Giuseppe Paterno'
 
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Giuseppe Paterno'
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free software
Giuseppe Paterno'
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
Giuseppe Paterno'
 
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiComparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Giuseppe Paterno'
 
Secure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadSecure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and Etherpad
Giuseppe Paterno'
 

Mais de Giuseppe Paterno' (14)

OpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture ITOpenStack e le nuove Infrastrutture IT
OpenStack e le nuove Infrastrutture IT
 
Let's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloudLet's sleep better: programming techniques to face new security attacks in cloud
Let's sleep better: programming techniques to face new security attacks in cloud
 
SecurePass at OpenBrighton
SecurePass at OpenBrightonSecurePass at OpenBrighton
SecurePass at OpenBrighton
 
Remote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise LinuxRemote security with Red Hat Enterprise Linux
Remote security with Red Hat Enterprise Linux
 
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identità nelle infrastrutture Cloud e possibili rimedi
 
How the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacentersHow the Post-PC era changed IT Ubuntu for next gen datacenters
How the Post-PC era changed IT Ubuntu for next gen datacenters
 
Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2Filesystem Comparison: NFS vs GFS2 vs OCFS2
Filesystem Comparison: NFS vs GFS2 vs OCFS2
 
Creating OTP with free software
Creating OTP with free softwareCreating OTP with free software
Creating OTP with free software
 
Protecting confidential files using SE-Linux
Protecting confidential files using SE-LinuxProtecting confidential files using SE-Linux
Protecting confidential files using SE-Linux
 
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s GanetiComparing IaaS: VMware vs OpenStack vs Google’s Ganeti
Comparing IaaS: VMware vs OpenStack vs Google’s Ganeti
 
La gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarieLa gestione delle identità per il controllo delle frodi bancarie
La gestione delle identità per il controllo delle frodi bancarie
 
Secure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and EtherpadSecure real-time collaboration with SecurePass and Etherpad
Secure real-time collaboration with SecurePass and Etherpad
 
Identity theft in the Cloud and remedies
Identity theft in the Cloud and remediesIdentity theft in the Cloud and remedies
Identity theft in the Cloud and remedies
 
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimediIl problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
Il problema dei furti di identita' nelle infrastrutture Cloud e possibili rimedi
 

Último

%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
masabamasaba
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
masabamasaba
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
VictoriaMetrics
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
Juha-Pekka Tolvanen
 

Último (20)

%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Toronto Psychic Readings, Attraction spells,Brin...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students8257 interfacing 2 in microprocessor for btech students
8257 interfacing 2 in microprocessor for btech students
 
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
Abortion Pills In Pretoria ](+27832195400*)[ 🏥 Women's Abortion Clinic In Pre...
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 

OpenStack: Security Beyond Firewalls

  • 1. OpenStack: Security beyond firewalls MAKING THE CLOUD A SAFER SPACE Giuseppe “Gippa” Paternò, Network & Security NERD 30th May 2014 * OpenStackDay Italy Twitter: @gpaterno - Website: www.gpaterno.com
  • 2. About me IT security products and virtualization services focused on identity protection on the Cloud, as the user is became the ultimate perimeter of a never ending distributed model. HQ based in Switzerland and whose servers are located in Switzerland. User privacy is protected by strict Swiss privacy regulations, no UE or US exceptions allowed. IT Architect and Security Expert with background in Open Source. Former Network and Security architect for Canonical, RedHat, Wind/ Infostrada, Sun Microsystems and IBM and Visiting Researcher at the University of Dublin Trinity College. Past projects: standard for J2ME Over-The-Air (OTA) provisioning along with Vodafone, the study of architecture and standards for the delivery of MHP applications for the digital terrestrial television (DTT) on behalf of DTT Lab (Telecom Italia/LA7) and implementation of HLR for Vodafone landline services. Lot of writings, mainly on computer security. CTO and Director of GARL, a multinational company based in Switzerland and UK, owner of SecurePass and SecureData. TM Secure Data beta BANK OF PASSWORDS
  • 3. 62% Increase breaches in 2013(1) 1 in 5 Organizations have experienced an APT attack (4) 3 Trillion$ Total global impact of cybercrime(3) 8 months Is the average time an advanced threat goes unnoticed on victim’s network(2) 2,5 billion Exposed records as results of a data breach in the past 5 years(5) 1,3,5: Increased cyber security can save global economy trillions, McKinsey/World Economic Forum, January 2014 2: M-Trends 2013: attack the security gap, Mandiant, March 2013 4: ISACA’s 2014 APT study, ISACA, April 2014. Source: ISACA Cyber Security Nexus Too many threats
  • 4. Network APIs Identity Application OpenStack Domain Guest Domain OpenStack and Guest Security
  • 6. Linux Namespaces Used in OpenStack, widely adopted in Neutron, it was Originally created for Linux Control Groups (aka cgroups) PID namespaces isolate the process ID number space so that processes in different PID namespaces can have the same PID Network namespaces provide isolation of the system resources associated with networking User namespaces isolate the user and group ID number spaces. Mount namespaces isolate the set of filesystem mount points seen by a group of processes. Mentioning: IPC and Unix Time-Sharing (UTS) namespaces
  • 7. Neutron Server runs on Controller, expose APIs, enforce network model, pass to Neutron Plugin Neutron Plugin runs on Controller, implements APIs, every vendor can create its own “implementation” (ex: Cisco, Juniper, ...) Plugin Agent, run on each compute node and connect instances to the virtual network Default implementation based on OpenVSwitch OpenFlow to be set as fundamental open protocol for building SDN OpenStack Neutron Software-Defined Network in OpenStack, it answer RESTful APIs. Still no “industry” standard for encapsulating VLANs over L3, VXLANs set to be a preferred choice but any vendor has its choice (ex: Juniper has MPLS over IP)
  • 8. Namespaces enables multiple instances of a routing table to co-exist within the same Linux box Network namespaces make it possible to separate network domains (network interfaces, routing tables, iptables) into completely separate and independent virtual datacenters Advantage of namespaces implementation in Neutron is that tenants can create overlapping IP addresses and independent routing schema The neutron-l3-agent is designed to use network namespaces to provide multiple independent virtual routers per node. OpenStack Neutron and Network Namespaces
  • 9. List Namespaces Show firewall rules in a virtual router Example of Network Namespaces # ip netns qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 qdhcp-bebd6bc8-2bd0-4bdd-890c-9657faf80444 # ip netns exec qrouter-a88f89b6-5505-4bc2-8993-57ae1f010895 iptables -L -vn Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 neutron-l3-agent-INPUT all -- * * 0.0.0.0/0 0.0.0.0/0
  • 11. OpenStack Neutron FWaaS Firewall as a Service in Neutron Different from the Security Groups in the instance Default to IPtables support into tenant’s ip NameSpace
  • 12. OpenStack Neutron VPNaaS Neutron has capability to handle per-tenant VPNs, named VPN-as-a-Service Based on IPSec, just implementing IKE with “PSK” authentication mode rather than using certificates Suited for site-to-site VPNs and provide Hybrid cloud Implemented on top of IP NameSpaces (“ip netns add vpn”) Draft exists on bringing OpenVPN to Neutron Not suited for “roadwarriors”, i.e. clients connection
  • 14. APIs Security (OpenStack and Cloud Applications)
  • 15. APIsApplication APIs APIs are your point of contact from external world, you must make them highly secure Firewall are not enough! Anything can be sent over HTTP/ HTTPS. REST, XML-RPC, ... Web-based APIs
  • 16. Usernames and passwords, session tokens and API keys must never appear in the URL (Proxy caching and logging) Allow only selected HTTP methods Protect privileged actions and sensitive resource collections Validate inputs and enforce typing of values Validate incoming Content-Type and other headers Encrypt data in transit Validation also apply to payload: JSON, XML or whatsoever General APIs best practices
  • 17. OpenStack APIs All OpenStack software is based on APIs, consumed from End customers and tools to access the platform programmatically Among OpenStack components, is a way of decoupling components implementations Easily from “curl” tools OpenStack Command Line tools REST clients OpenStack Software Development Kit (SDK) RESTFUL API
  • 19. 1. Obtain a Token curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens 2. Consume the API (through the obtained token): curl -i -X GET http://localhost:35357/v2.0/tenants -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: token" OpenStack APIs Workflow
  • 20. The token request will reveal the endpoints URLs: Compute/Nova, S3,Image/ Glance, Volume/Cinder, EC2, Identity/Keystone Revealing the EndPoints
  • 21. Isolate API endpoint processes, especially those that reside within the public security domain should be isolated as much as possible. API endpoints should be deployed on separate hosts for increased isolation. Apply Defense-in-Depth concept: configure services, host-based firewalls, local policy (SELinux or AppArmor), and optionally global network policy. Use Linux namespaces to assign processes into independent domains Use network ACLs and IDS technologies to enforce explicit point to point communication between network services (ex: wire-level ACLs in L3 switches) OpenStack APIs best practices
  • 22. Isolate API endpoint processes from each other and other processes on a machine. Use Mandatory Access Controls (MAC) on top of Discretionary Access Controls to segregate processes, ex: SE-Linux Objective: containment and escalation of API endpoint security breaches. Use of MACs at the OS level severely limit access to resources and provide earlier alerting on such events. Mandatory Access Control in APIs
  • 23. RESTful APIs, mixture of POST (in request) and JSON (in response), Channel encrypted with TLS high cypher, Based on APP ID and APP Secret Example: /api/v1/users/info Ex: SecurePass NG (Dreamliner) APIs Security in functionalities, APP ID read-only or read-write in network, APP ID can be limited to a given IPv4/IPv6 in domain, APP ID is linked to only a specific realm/ domain
  • 24. Identity Security (OpenStack and Cloud Applications)
  • 25. User management: keep tracks of users, roles and permissions Service catalog: Provide a catalog of what services are available and where the OpenStack APIs EndPoint are located OpenStack Keystone Provides Identity, Token, Catalog and policy services for uses inside the OpenStack family and implements OpenStack’s Identity APIs
  • 26. Users A user represent a human user and has associated information such as username, password and e-mail Tenants A tenant can represent a customer, organization or a group. Roles A role is what operations a user is permitted to perform in a given tenant OpenStack Identity Management Keystone permit the following back-ends for IDMs: SQL Backend (SQLAlchemy, it’s python), PAM, LDAP and custom plugins
  • 27. Catching username and passwords means reveal the whole OpenStack infrastructure and control it! $ curl -d '{"auth":{"tenantName": "customer-x", "passwordCredentials": {"username": "joeuser", "password": "secrete"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/ tokens OpenStack Keystone
  • 28. 10 millionsof victims of identity theft in USA in 2008 (Javelin Strategy and Research, 2009) 221 billions $lost every year due to identity theft (Aberdeen Group) 35 billioncorporate and government records compromised in 2010 (Aberdeen Group) 2 years of a working resource to correct damages due to identity theft (ITRC Aftermath Study, 2004) 2 billions $damages reported in Italy in 2009 (Ricerca ABI) The victims of identity theft
  • 29. Security must be simple and transparent to the end user, otherwise it will be circumvented! Identity best practices in applications Strong authentication of the users GeoIP Patches, patches and patches! Secure application programming
  • 30. Hosted Apps Need of a central Cloud Control Cloud Orchestrator 2FA/SSO
  • 31. <Directory /srv/www/myapp> AllowOverride None Order allow,deny allow from all AuthType CAS require spgroup mygroup@company.com </Directory> Example of Web identity protection Require access through the SecurePass SSO portal with 2FA Restrict to a dynamic group (with GeoIP)
  • 33. My accountant has his desktop computer broken, he has no time to change it, need something “always available” and in a restricted budget He needs Windows for his accounting software He has no office and works from home sometimes, he needs to access his desktop from ideally from his TV He wants to connect from his customers’, but not always a computer available for him He need emergency way of accessing the desktop from customers’ or from Internet Cafes (ex: on holidays) Must provide a secure access as he holds very confidential data Case Study: Overview & Requirements
  • 34. From home, access the platform with an Android Mini-PC on existing HDMI TV, keyboard and a VPN with Mikrotik device (Equipment ~120 EUR) When at customer, access the platform with the existing Samsung Android tablet. Added bluetooth Keyboard + Mouse and OpenVPN (K+M ~60 EUR) Emergency access provided with an RDP HTML5 gateway OpenStack as the operational platform SecurePass as a security mechanism to protect access to his virtual desktop Case Study: Solution Virtualize his existing desktop system
  • 37. Acknowledgments TM Demo hosted by powered by teuto.net www.ostack.de Security provided by www.secure-pass.net
  • 38. Thank you MAKING THE CLOUD A SAFER SPACE