BUILDING A XENSERVER BASED SECURITY
APPLIANCE
Grant McWilliams – Lighthouse Engineer
About the Speaker
● Grant McWilliams
● Computer Science Professor
● Consultant to Fortune 500 Corporations
● Regular Contributor to Xen Wiki
● Active on Xen mailing lists
● Member of Xenapi Admin Project documenting all 430 XE subcommands
● Moderator for unofficial Xenserver/XCP Google Community with 200 members
About his company
● Sound Linux Training and Consulting
● Established 22 years ago
● Probably before most of the companies at this event.
● Obviously our focus wasn't on Linux in 1991 so later when Linux became popular we did a trade name change.
● Seattle Washington based
● Research and Development, product development and training.
● Currently only focused on Linux and Open Source Solutions.
Coalfire Systems
Coalfire Systems is an IT Audit and Compliance company...
Which means they hack other people's networks...*
AND THEY GET PAID!
Not like some other folks (ahem) ->
* For the purpose of making them more secure..
Coalfire had been using my Xenserver/XCP tutorials from grantmcwilliams.com.
They asked me....
“Can you come in and give us some advice?”
... build this device?
Lighthouse G2 Overview
Functionality
● Portable solid state device
● Drop into customers network
● Device opens VPN connection to Coalfire Systems
● Security Auditors do their job to find vulnerabilities (ie. hack the network)
● Customer gets reports
Deployment
● 700 physical boxes (by the end of 2013)
● 2100 Virtual Machines
● Thousands of cloud versions - no Meelions!
Network Overview
Lighthouse G2 Overview
Why we chose Xenserver/XCP
● Xen API which is one of the nicer APIs out there
● Free AND Opensource
● Great documentation thanks to the wiki and the Xenapi Admin Project (shameless plug)
Advantages of using Xenserver with VMs over a single OS:
● Multiple products on one physical device
– Scan testers
– Penetration testers
– Database testers
– Henchmen with bad teeth (and fembots with a penchant for evil)
= World Domination! (if only we had minions) More about that later ^
Issues with Xenserver in this role
1. A headless appliance with a big Power Button just begging to be pushed while VMs are running results in havoc.
2. No disk encryption by default so customer data could be accessible if the device went wandering.
3. Not designed to be run on small platforms with limited disk and memory footprints.
4. No real thought about secure remote access to the Control Domain itself (as opposed to forwarding encrypted traffic to a VM)
5. Not really designed to be quick provisioned outside of PXE.
6. Xenserver really isn't that silent on the wire
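Issue 1 is the one a dom0 power-button handler can take care of: instead of letting a button press yank running guests, acpid can run a script that shuts them down cleanly first. The following is an added example, not code from the talk or from Coalfire's appliance. It shells out to the real `xe vm-list` and `xe vm-shutdown` commands; the sample `xe vm-list` output is constructed, the guest names and UUIDs in it are made up, and it assumes a Python 3 interpreter in dom0 (the XenServer of that era shipped Python 2, so on the real device the subprocess calls would need adapting).

```python
"""Clean guest shutdown on the front-panel power button (added example)."""
import subprocess

# Constructed sample of `xe vm-list is-control-domain=false power-state=running
# params=uuid,name-label` output; the guests and UUIDs are hypothetical.
SAMPLE_VM_LIST = """\
uuid ( RO)           : 1b2c3d4e-0000-0000-0000-000000000001
     name-label ( RW): scan-tester


uuid ( RO)           : 1b2c3d4e-0000-0000-0000-000000000002
     name-label ( RW): pen-tester


"""

# Only guests: is-control-domain=false leaves dom0 itself out of the list.
LIST_CMD = ["xe", "vm-list", "is-control-domain=false", "power-state=running",
            "params=uuid,name-label"]


def parse_vm_list(text):
    """Parse xe's 'key ( RO) : value' records into a list of dicts.

    Records are separated by blank lines; the RO/RW flag in parentheses is
    dropped so keys come out as plain parameter names.
    """
    vms, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                vms.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        key = key.split("(")[0].strip()
        current[key] = value.strip()
    if current:
        vms.append(current)
    return vms


def shutdown_commands(vms, force=False):
    """Build one `xe vm-shutdown` argv per guest; --force for stragglers."""
    cmds = []
    for vm in vms:
        cmd = ["xe", "vm-shutdown", "uuid=%s" % vm["uuid"]]
        if force:
            cmd.append("--force")
        cmds.append(cmd)
    return cmds


def run(cmd, timeout):
    """Run a command; True on exit status 0, False on failure or timeout."""
    try:
        return subprocess.run(cmd, timeout=timeout, check=False).returncode == 0
    except (subprocess.TimeoutExpired, OSError):
        return False


def power_button_pressed(guest_timeout=120):
    """Ask every running guest to shut down, force the rest, then halt dom0."""
    listing = subprocess.run(LIST_CMD, capture_output=True, text=True,
                             check=False).stdout
    vms = parse_vm_list(listing)
    stragglers = [vm for vm, cmd in zip(vms, shutdown_commands(vms))
                  if not run(cmd, guest_timeout)]
    for cmd in shutdown_commands(stragglers, force=True):
        run(cmd, 30)
    subprocess.run(["shutdown", "-h", "now"], check=False)


if __name__ == "__main__":
    power_button_pressed()
```

To wire it in, an acpid event file (for example `/etc/acpi/events/power`, a hypothetical name) with `event=button/power.*` and `action=` pointing at this script replaces the stock handler, which otherwise calls `shutdown` directly and is exactly what produces the havoc the slide describes.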
[Figure: stock vs. modified Xenserver disk layout]
Stock Xenserver Disk Layout:
● rootfs, tmp, var
● swap
● Space reserved for upgrades
● Storage Repository (thin provisioning for snapshots - LVM)
Modified Xenserver Disk Layout:
● Rootfs (nearly read-only)
● Crypted var
● Crypted var2
● Crypted swap
● tmp (ram)
● Storage Repository (thin provisioning for disks - EXT)
Disk Solution
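The modified layout addresses issue 2 (no disk encryption by default): customer data lives on encrypted var partitions, swap is encrypted so guest memory never reaches disk in the clear, the rootfs is nearly read-only and tmp is RAM-backed. A practitioner shipping hundreds of these boxes wants a check that a given device actually ended up that way. The following audit is an added example, not code from the talk; it reads the text of `/proc/mounts`, `/proc/swaps` and `/etc/crypttab`, all of which are constructed samples here, and the device, mount-point and mapping names in them are assumptions.

```python
"""Audit a dom0 disk layout against the modified layout (added example)."""

MAPPER = "/dev/mapper/"

# Constructed /etc/crypttab for the modified layout: <name> <device> <key> <options>
MODIFIED_CRYPTTAB = """\
cryptvar   /dev/sda5 /etc/keys/var.key  luks
cryptvar2  /dev/sda6 /etc/keys/var2.key luks
cryptswap  /dev/sda7 /dev/urandom       swap
"""

# Constructed /proc/mounts for the modified layout (hypothetical devices)
MODIFIED_MOUNTS = """\
/dev/sda1 / ext3 ro,relatime 0 0
/dev/mapper/cryptvar /var ext3 rw,relatime 0 0
/dev/mapper/cryptvar2 /var2 ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

# Constructed /proc/swaps for the modified layout
MODIFIED_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/mapper/cryptswap                   partition\t2097148\t0\t-1
"""

# Constructed stock-style layout: one read-write partition, plain swap, no crypttab
STOCK_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime 0 0
"""
STOCK_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/sda2                               partition\t2097148\t0\t-1
"""


def parse_mounts(text):
    """Map mount point -> {dev, fstype, opts} from /proc/mounts text."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dev, mnt, fstype, opts = parts[:4]
        mounts[mnt] = {"dev": dev, "fstype": fstype, "opts": set(opts.split(","))}
    return mounts


def parse_swaps(text):
    """Return active swap device paths from /proc/swaps text (header skipped)."""
    return [line.split()[0] for line in text.splitlines()[1:] if line.split()]


def parse_crypttab(text):
    """Return the set of dm-crypt mapping names declared in crypttab text."""
    return {line.split()[0] for line in text.splitlines()
            if line.split() and not line.lstrip().startswith("#")}


def is_encrypted(dev, crypt_names):
    """True only if dev is a mapper node whose name crypttab declares.

    The /dev/mapper/ prefix alone proves nothing: the LVM-backed storage
    repository also lives there, so the name must come from crypttab.
    """
    return dev.startswith(MAPPER) and dev[len(MAPPER):] in crypt_names


def audit_layout(mounts_text, swaps_text, crypttab_text, data_mounts=("/var", "/var2")):
    """Return a list of findings; an empty list means the layout matches."""
    mounts = parse_mounts(mounts_text)
    crypt_names = parse_crypttab(crypttab_text)
    findings = []

    root = mounts.get("/")
    if root is None:
        findings.append("rootfs: not present in mount table")
    elif "ro" not in root["opts"]:
        findings.append("rootfs: mounted read-write (expected nearly read-only)")

    for mnt in data_mounts:
        m = mounts.get(mnt)
        if m is None:
            findings.append("%s: no separate mount, data lives on the rootfs device" % mnt)
        elif not is_encrypted(m["dev"], crypt_names):
            findings.append("%s: on %s, not a crypttab-declared dm-crypt mapping" % (mnt, m["dev"]))

    tmp = mounts.get("/tmp")
    if tmp is None or tmp["fstype"] != "tmpfs":
        findings.append("/tmp: not on tmpfs, scratch data can persist on disk")

    for dev in parse_swaps(swaps_text):
        if not is_encrypted(dev, crypt_names):
            findings.append("swap: %s is unencrypted, memory contents can reach disk" % dev)

    return findings


if __name__ == "__main__":
    print("modified:", audit_layout(MODIFIED_MOUNTS, MODIFIED_SWAPS, MODIFIED_CRYPTTAB) or "ok")
    print("stock:", audit_layout(STOCK_MOUNTS, STOCK_SWAPS, ""))
```

Run against the stock sample it reports five findings (read-write rootfs, no separate var and var2, no tmpfs, plain swap); against the modified sample it reports none. On a real box the three texts come from the live files, and the data_mounts tuple is whatever the appliance actually uses.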
Remote Access
● OpenVPN Access Server
● Tech support is horrible
● Things don't quite work right concerning iptables
● Replacing parts as we go (firewall rule creation, load balancing, key creation, user management)
● Unless Angels from OpenVPN start singing from heaven soon we're probably moving off it to opensource openvpn with our own toolset.
Provisioning
● Chef
– Good, scalable but not so nice to write recipes for
– Previous experience with it
● Puppet
– More difficult to scale (yes I know you can do it)
– After spending a few weeks replacing the slow parts we asked ourselves why?
Provisioning
● And on the 7th day God made Salt – he saw it, and it was good.
– Very light
– Excellent scalability
– Remote execution built in
– Minions!!!
How can you fault a system with Minions?
Questions?
Contact Me:
● grantmcwilliams.com
● gplus.to/grantmcwilliams
● twitter.com/grantmcwilliams
● xenapiadmin.com