BUILDING A XENSERVER BASED SECURITY APPLIANCE Grant McWilliams – Lighthouse Engineer


Page 1

BUILDING A XENSERVER BASED SECURITY APPLIANCE

Grant McWilliams – Lighthouse Engineer

Page 2

About the Speaker

● Grant McWilliams

● Computer Science Professor

● Consultant to Fortune 500 Corporations

● Regular Contributor to Xen Wiki

● Active on Xen mailing lists

● Member of Xenapi Admin Project documenting all 430 XE subcommands

● Moderator for unofficial Xenserver/XCP Google Community with 200 members

Page 3

About his company

● Sound Linux Training and Consulting

● Established 22 years ago

● Probably before most of the companies at this event.

● Obviously our focus wasn't on Linux in 1991 so later when Linux became popular we did a trade name change.

● Seattle Washington based

● Research and Development, product development and training.

● Currently only focused on Linux and Open Source Solutions.

Pages 4-7

Coalfire Systems

Coalfire Systems is an IT Audit and Compliance company...

Which means they hack other people's networks...*

AND THEY GET PAID!

Not like some other folks (ahem) ->

* For the purpose of making them more secure..

Pages 8-9

Coalfire had been using my Xenserver/XCP tutorials from grantmcwilliams.com.

They asked me....

“Can you come in and give us some advice?”

build this device?

Page 10

Lighthouse G2 Overview

Functionality

● Portable solid state device

● Drop into customer's network

● Device opens VPN connection to Coalfire Systems

● Security Auditors do their job to find vulnerabilities (i.e. hack the network)

● Customer gets reports

Deployment

● 700 physical boxes (by the end of 2013)

● 2100 Virtual Machines

● Thousands of cloud versions - no Meelions!

Page 11

Network Overview

Page 12

Lighthouse G2 Overview

Why we chose Xenserver/XCP

● Xen API which is one of the nicer APIs out there

● Free AND Opensource

● Great documentation thanks to the wiki and the Xenapi Admin Project (shameless plug)

Advantages of using Xenserver with VMs over a single OS: Multiple products on one physical device

● Scan testers

● Penetration testers

● Database testers

● Henchmen with bad teeth (and fembots with a penchant for evil)

= World Domination! (if only we had minions) More about that later ^

Page 13

Issues with Xenserver in this role

1. A headless appliance with a big Power Button just begging to be pushed while VMs are running results in havoc.

2. No disk encryption by default so customer data could be accessible if the device went wandering.

3. Not designed to be run on small platforms with limited disk and memory footprints.

4. No real thought about secure remote access to the Control Domain itself (as opposed to forwarding encrypted traffic to a VM).

5. Not really designed to be quick provisioned outside of PXE.

6. Xenserver really isn't that silent on the wire.

Page 14

Disk Solution

Stock Xenserver Disk Layout (diagram):

● rootfs, tmp, var, swap (one partition)

● Space reserved for upgrades

● Storage Repository (thin provisioning for snapshots - LVM)

Modified Xenserver Disk Layout (diagram):

● Rootfs (nearly read-only)

● Crypted var

● Crypted var2

● Crypted swap

● tmp (ram)

● Storage Repository (thin provisioning for disks - EXT)
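Slides 13 and 14 state the problem (no disk encryption by default, so a wandering appliance carries readable customer data) and the layout that answers it: a nearly read-only rootfs, /tmp in RAM, and /var and swap on encrypted mappings. The following POSIX shell script is an added example, not code from the talk or from the Lighthouse project. It audits a /proc/mounts-style table and a /proc/swaps-style table against that layout; the two sample tables and the mapping names cryptvar and cryptswap are constructed for the illustration.

```shell
#!/bin/sh
# Added example: audit a mount table against the modified Lighthouse layout.
# Checks: / mounted read-only, /tmp on tmpfs, /var and swap backed by
# device-mapper nodes (where dm-crypt mappings appear).
# The sample tables and device names below are constructed, not from a real host.

# Constructed sample in /proc/mounts format: "<device> <mountpoint> <fstype> <options> 0 0"
SAMPLE_MOUNTS='/dev/sda1 / ext3 ro,relatime 0 0
/dev/mapper/cryptvar /var ext3 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=256m 0 0
/dev/sda3 /mnt/upgrade ext3 rw,relatime 0 0'

# Constructed sample in /proc/swaps format (header line, then one entry per swap)
SAMPLE_SWAPS='Filename Type Size Used Priority
/dev/mapper/cryptswap partition 1048572 0 -1'

# mount_field TABLE MOUNTPOINT N -> prints field N (1=device, 3=fstype, 4=options)
# of the first line whose mountpoint is MOUNTPOINT; prints nothing if absent
mount_field() {
    printf '%s\n' "$1" | awk -v mp="$2" -v f="$3" '$2 == mp { print $f; exit }'
}

# has_opt OPTIONS OPT -> succeeds when the comma-separated OPTIONS contains OPT exactly
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_root_readonly TABLE -> succeeds when / carries the "ro" option
check_root_readonly() {
    has_opt "$(mount_field "$1" / 4)" ro
}

# check_tmp_in_ram TABLE -> succeeds when /tmp is a tmpfs mount
check_tmp_in_ram() {
    [ "$(mount_field "$1" /tmp 3)" = tmpfs ]
}

# check_var_encrypted TABLE -> succeeds when /var is backed by a /dev/mapper node
check_var_encrypted() {
    case "$(mount_field "$1" /var 1)" in /dev/mapper/*) return 0 ;; esac
    return 1
}

# check_swap_encrypted SWAPTABLE -> succeeds when every active swap is a /dev/mapper node
check_swap_encrypted() {
    plain=$(printf '%s\n' "$1" | awk 'NR > 1 && $1 !~ /^\/dev\/mapper\// { c++ } END { print c + 0 }')
    [ "$plain" -eq 0 ]
}

# audit_layout MOUNTS SWAPS -> prints PASS/FAIL per check, returns the number of failures
audit_layout() {
    audit_fails=0
    for c in check_root_readonly check_tmp_in_ram check_var_encrypted; do
        if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; audit_fails=$((audit_fails + 1)); fi
    done
    if check_swap_encrypted "$2"; then
        echo "PASS check_swap_encrypted"
    else
        echo "FAIL check_swap_encrypted"; audit_fails=$((audit_fails + 1))
    fi
    return "$audit_fails"
}

# Run against the constructed samples; on a real dom0 pass "$(cat /proc/mounts)" "$(cat /proc/swaps)"
audit_layout "$SAMPLE_MOUNTS" "$SAMPLE_SWAPS"
```

The /dev/mapper test is a heuristic: LVM logical volumes (the stock LVM storage repository, for instance) also surface under /dev/mapper, so on a real host confirm the backing is dm-crypt with `cryptsetup status <name>` or by looking for a `crypt` target in `dmsetup table`. The script deliberately audits the running state rather than /etc/fstab, because the point of the layout is what is actually exposed when the box is powered on.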

Page 15

Remote Access

● OpenVPN Access Server

● Tech support is horrible

● Things don't quite work right concerning iptables

● Replacing parts as we go (firewall rule creation, load balancing, key creation, user management)

● Unless Angels from OpenVPN start singing from heaven soon we're probably moving off it to opensource openvpn with our own toolset.

Page 16

Provisioning

● Chef

– Good, scalable but not so nice to write recipes for

– Previous experience with it

● Puppet

– More difficult to scale (yes I know you can do it)

– After spending a few weeks replacing the slow parts we asked ourselves why?

Page 17

Provisioning

● And on the 7th day God made Salt – he saw it, and it was good.

– Very light

– Excellent scalability

– Remote execution built in

– Minions!!!

How can you fault a system with Minions?

Page 18

Questions?

Page 19

Contact Me:

● grantmcwilliams.com

● gplus.to/grantmcwilliams

● twitter.com/grantmcwilliams

● xenapiadmin.com