Post on 20-Aug-2015
CloudStack Secured
John Kinsella (@johnlkinsella)
Apache CloudStack PPMC; Founder, Stratosec Inc.
Overview
• Code Review
• Incident response
• Stratosec extras
• What’s next
LOOKING FOR WEAKNESSES IN ACS
Manual review
• Process of combing code looking for flaws
• “Targeted” manual review can be cheaper, easier
• Grepping for known patterns can quickly point to issues in code
  – “crypt”
  – “password”
  – “FIXME”
  – “this is a hack”
This is a hack
Manual review, cont
• Once we find an area where there’s a “smell,” we investigate closer.
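A small script for the grep-based pass the slides describe, added here as an example and not part of the talk. The four patterns are the ones the slide lists; the Java file written by make_sample is constructed for the demo, and the output format (pattern, tab, grep's file:line:text) is my own choice:

```shell
#!/bin/sh
# Added example (not from the talk): grep a source tree for the "smell" strings
# the slide names and report where they occur. The sample Java file written by
# make_sample is constructed for this demo.

# One pattern per line; treated as fixed strings and matched case-insensitively
SMELL_PATTERNS='crypt
password
FIXME
this is a hack'

# scan_smells DIR: print "pattern<TAB>file:line:text" for every hit
scan_smells() {
    dir="$1"
    printf '%s\n' "$SMELL_PATTERNS" | while IFS= read -r pat; do
        grep -rniF -- "$pat" "$dir" 2>/dev/null | while IFS= read -r hit; do
            printf '%s\t%s\n' "$pat" "$hit"
        done
    done
}

# count_smells DIR: total number of hits, handy for tracking a tree over time
count_smells() {
    scan_smells "$1" | wc -l | tr -d ' '
}

# make_sample DIR: write a constructed file that contains each kind of smell
make_sample() {
    mkdir -p "$1"
    cat > "$1/Example.java" <<'EOF'
public class Example {
    // FIXME: this is a hack, replace with real input validation
    static String password = "changeme";
    static String hash(String s) { return crypt(s); }
}
EOF
}

# Usage: make_sample /tmp/smell-demo && scan_smells /tmp/smell-demo
```

Each hit still needs a human to decide whether it is a real weakness; the value of the script is that it makes the "targeted" review cheap to repeat on every release and lets you watch whether the count of smells goes up or down.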
Static analysis
• Automated!
• Automation good, right?
• But tools usually not cheap.
FoD Overview
FoD Source
FoD Trace
FoD Suspicious
What does this get us?
So far, not much.
• No critical findings discovered
• Low issues possible (e.g. raw error message displayed in UI)
Good guys vs bad guys
(diagram labels: $$, Community, Malicious user, governments, Email from customer)
Incident response
• Report findings to ACS security team (PPMC)
• We strive to investigate and respond ASAP
• Verified issues
• Pre-4.0 issues are forwarded to Citrix
• Pre-notification list for critical vendors
(Gizoogle cloudstack security response)
STRATOSEC EXTRAS
SSL
• ACS ships with SSL disabled.
• Instructions in ACS wiki under “CloudStack Security”
VPNs
• SSL is nice, but we like OpenVPN for any administrative access
• Con: iOS doesn’t like OpenVPN*
*Jailbroken iOS does like OpenVPN
Tighter firewalling
• If you place unprotected hypervisors on public Internet, after several days, you will find VMs at a grub prompt
• Firewall everything. Use VPN, but firewall that too.
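One way to put "firewall everything, and firewall the VPN too" into practice, added as an example and not the talk's own configuration: a script that generates an iptables-restore ruleset for the management node, plus a small lint that refuses any administrative port opened without a source restriction. The subnets and the OpenVPN port are hypothetical parameters, and I am assuming CloudStack's defaults of 8080/tcp for the UI/API and 8250/tcp for the agent channel:

```shell
#!/bin/sh
# Added example (not from the talk): build an iptables ruleset for a CloudStack
# management node so that administrative access is only possible over the VPN.
# Assumptions: VPN_SUBNET is the address pool OpenVPN hands to admins,
# MGMT_SUBNET is the hypervisor management network, VPN_PORT is the OpenVPN
# listener (default 1194/udp). 8080/tcp (UI and API) and 8250/tcp (agent
# channel) are CloudStack's default ports.
# Apply with: gen_rules 10.8.0.0/24 192.168.10.0/24 | iptables-restore

# gen_rules VPN_SUBNET MGMT_SUBNET [VPN_PORT]: print an iptables-restore file
gen_rules() {
    vpn_subnet="$1"
    mgmt_subnet="$2"
    vpn_port="${3:-1194}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The VPN itself is the only thing exposed to the Internet, and only on its port
-A INPUT -p udp --dport $vpn_port -j ACCEPT
# SSH and the management UI/API: VPN clients only
-A INPUT -p tcp --dport 22 -s $vpn_subnet -j ACCEPT
-A INPUT -p tcp --dport 8080 -s $vpn_subnet -j ACCEPT
# Hypervisor agents reach 8250 from the management network, never from outside
-A INPUT -p tcp --dport 8250 -s $mgmt_subnet -j ACCEPT
# Log what the default DROP policy discards so the IDS/log pipeline sees it
-A INPUT -j LOG --log-prefix "mgmt-drop: " --log-level 4
COMMIT
EOF
}

# lint_rules: read a ruleset on stdin and return 1 if an administrative port
# (22 or 8080) is accepted without a -s source restriction, else return 0
lint_rules() {
    if grep -E -- '--dport (22|8080) ' | grep -v -- ' -s ' | grep -q -- '-j ACCEPT'; then
        return 1
    fi
    return 0
}
```

Piping the generated file through lint_rules before iptables-restore catches the most common regression (someone "temporarily" opening 8080 to the world to debug something and forgetting to close it); the LOG rule feeds the dropped packets into the same central logging the later slides describe.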
Testing
• Vulnerability scanning
• Penetration testing
• Important – monitoring for changes
IDS
• Run snort on hypervisors monitoring bridges
• Run OSSEC, monitoring anything sensitive
  – /etc
• AntiVirus? Shouldn’t have to…
Two Factor Authentication
• Becoming more and more common
• Passwords aren’t enough
  – Guessable
  – Stealable
  – Sniffable, when you’re not using SSL/VPN
2FA any day now…
• WiKID Systems 2 factor auth
• “Mutual HTTPS Authentication”
• Code seems to be working, just need to tweak build
What’s next
• Admin login notification
• KVM + SELinux
  – Working on it – not production ready
• After SELinux, auditd
• Goal: Provide users with transparency
Logging
• We collect/analyze logs from
  – All IDS
  – Network firewalls
  – Web application firewalls
  – Syslog (Management, node, AND VM) collected centrally
We’d love help
• Security Frameworks
• Security plugins (authentication, monitoring)
• grsecurity support?
• Further xen hardening?
• Ideas?
http://cloudstack.org
Thanks! Questions?
John Kinsella (@johnlkinsella)
http://www.slideshare.net/jlkinsel/