Posted on 20-Aug-2015
- 1. CloudStack Secured. John Kinsella (@johnlkinsella), Apache CloudStack PPMC; Founder, Stratosec Inc.
- 2. Overview: code review; incident response; Stratosec extras; what's next.
- 3. LOOKING FOR WEAKNESSES IN ACS
- 4. Manual review: the process of combing through code looking for flaws. Targeted manual review can be cheaper and easier than tooling. Grepping for known patterns can quickly point to issues in the code, e.g. "crypt", "password", "FIXME", "this is a hack".
- 5. This is a hack
- 6. Manual review, cont'd: once we find an area where there's a smell, we investigate closer.
- 7. Static analysis: automated! Automation is good, right? But the tools are usually not cheap.
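The "grep for known patterns" step from slides 4 to 6, as an added example (not code from the deck): a small POSIX shell helper that lists every file:line hit for the smell patterns the slide names, against a constructed two-file Java tree, so the hits can then be read by hand. The pattern list, directory layout and sample sources are assumptions made for the demo.

```shell
#!/bin/sh
# Targeted manual review helper for slide 4: grep a source tree for the "smell"
# patterns named there (crypt, password, FIXME, "this is a hack") and list
# path:line hits to read by hand. Added example, not code from the deck; the
# pattern list and the sample Java files below are constructed for the demo.

# Case-insensitive extended regex; "crypt" also catches encrypt/decrypt/Crypt.
SMELL_PATTERNS='crypt|password|FIXME|hack'

# review_smells DIR -> prints "path:line:text" for every matching line.
# "|| true" keeps a clean tree (grep exit status 1) from aborting under set -e.
review_smells() {
    grep -rniE -- "$SMELL_PATTERNS" "$1" || true
}

# count_smells DIR -> number of hits, as a bare integer (0 for a clean tree).
count_smells() {
    review_smells "$1" | wc -l | tr -d ' '
}

# make_sample_tree -> creates a constructed mini source tree and prints its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/server/src"
    cat > "$dir/server/src/Login.java" <<'EOF'
public class Login {
    // FIXME this is a hack, remove before release
    private static final String password = "changeme";
    String hash(String s) { return Crypt.md5(s); }
}
EOF
    cat > "$dir/server/src/Clean.java" <<'EOF'
public class Clean {
    int add(int a, int b) { return a + b; }
}
EOF
    printf '%s\n' "$dir"
}

SAMPLE_DIR=$(make_sample_tree)
echo "Smell hits in $SAMPLE_DIR: $(count_smells "$SAMPLE_DIR")"
review_smells "$SAMPLE_DIR"
```

Point it at a real checkout with `review_smells path/to/cloudstack`; the hit list is the work queue for the closer look slide 6 describes, and the count is a cheap number to track between releases.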
- 8. FoD Overview
- 9. FoD Source
- 10. FoD Trace
- 11. FoD Suspicious
- 12. What does this get us? So far, not much. No critical findings discovered; low-severity issues possible (e.g. a raw error message displayed in the UI).
- 13. Good guys vs. bad guys: governments; $$; malicious users; the community.
- 14. Email from customer
- 15. Incident response: report findings to the ACS security team (PPMC). We strive to investigate and respond ASAP. Verified issues: pre-4.0 issues are forwarded to Citrix. There is a pre-notification list for critical vendors (Gizoogle "cloudstack security response").
- 16. STRATOSEC EXTRAS
- 17. SSL: ACS ships with SSL disabled. Instructions for enabling it are in the ACS wiki under CloudStackSecurity.
- 18. VPNs: SSL is nice, but we like OpenVPN for any administrative access. Con: iOS doesn't like OpenVPN* (*jailbroken iOS does like OpenVPN).
- 19. Tighter firewalling: if you place unprotected hypervisors on the public Internet, after several days you will find VMs at a GRUB prompt. Firewall everything. Use a VPN, but firewall that too.
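Slides 18 and 19 together ("OpenVPN for any administrative access", "firewall everything, use VPN, but firewall that too"), as an added example that is not from the deck: a shell script that emits a default-deny iptables-restore(8) ruleset for a hypervisor with a public interface, where the Internet can reach only the OpenVPN port and administrative services answer only on the tunnel interface, and only from the VPN address pool. Interface names, the pool subnet and the port list are assumptions to edit for your hosts.

```shell
#!/bin/sh
# Default-deny host firewall for a hypervisor with a public interface, in the
# spirit of slide 19: from the Internet only the OpenVPN port is reachable, and
# administrative services are reachable only over the VPN tunnel, from the VPN
# address pool ("use VPN, but firewall that too"). Added example, not from the
# deck; interface names, subnet and port numbers below are assumptions to edit.

PUB_IF="${PUB_IF:-eth0}"                 # assumed Internet-facing interface
VPN_IF="${VPN_IF:-tun0}"                 # assumed OpenVPN tunnel interface
VPN_PORT="${VPN_PORT:-1194}"             # OpenVPN's default UDP port
VPN_NET="${VPN_NET:-10.8.0.0/24}"        # assumed pool OpenVPN hands to admins
ADMIN_PORTS="${ADMIN_PORTS:-22 16509}"   # assumed: SSH and libvirtd; adjust per hypervisor

# firewall_rules -> prints an iptables-restore(8) ruleset on stdout, so it can be
# read (and diffed against the previous one) before it is applied.
firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Guest traffic on the bridges traverses FORWARD; leave it to the hypervisor's
# own rules (e.g. security groups) rather than this host policy.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The only thing the public interface answers is the VPN endpoint.
-A INPUT -i $PUB_IF -p udp --dport $VPN_PORT -j ACCEPT
# Admin services: only via the tunnel interface, only from the VPN pool.
EOF
    for port in $ADMIN_PORTS; do
        printf '%s -i %s -s %s -p tcp --dport %s -j ACCEPT\n' \
            "-A INPUT" "$VPN_IF" "$VPN_NET" "$port"
    done
    cat <<EOF
# Rate-limited log of everything else, so central syslog/IDS sees the probes.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# apply_rules -> loads the ruleset atomically; run as root on the hypervisor.
apply_rules() {
    firewall_rules | iptables-restore
}

firewall_rules
```

Generating the ruleset as text rather than running iptables commands one by one means the whole policy is reviewable and lands atomically; any management-network traffic the host must accept (for example from a management server on a private interface) gets its own explicit rule in the same style, never a hole on $PUB_IF.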
- 20. Testing: vulnerability scanning; penetration testing; important: monitoring for changes.
- 21. IDS: run Snort on the hypervisors, monitoring the bridges. Run OSSEC, monitoring anything sensitive (/etc, ...). Antivirus? Shouldn't have to.
- 22. Two-factor authentication: becoming more and more common. Passwords aren't enough: guessable, stealable, and sniffable when you're not using SSL/VPN.
- 23. 2FA, any day now: WiKID Systems two-factor auth; mutual HTTPS authentication. Code seems to be working, just need to tweak the build.
- 24. What's next: admin login notification; KVM + SELinux (working on it, not production ready); after SELinux, auditd. Goal: provide users with transparency.
- 25. Logging: we collect and analyze logs from all IDS, network firewalls, web application firewalls, and syslog (management server, nodes, AND VMs), collected centrally.
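The "admin login notification" item on slide 24, done at the host layer over the sshd syslog lines slide 25 says are collected centrally, as an added example that is neither the deck's nor CloudStack's own code: report every accepted SSH login for a privileged account and flag the ones that did not arrive through the VPN pool from slide 18. The admin user list, the VPN prefix and the auth-log lines are constructed for the demo.

```shell
#!/bin/sh
# Admin login notification (slide 24) at the host layer, over the sshd syslog
# lines that slide 25 collects centrally: list every accepted SSH login for an
# administrative account and flag any that did not come in over the VPN pool
# from slide 18. Added example, not the deck's or CloudStack's own code; the
# admin user list, VPN prefix and sample log lines are constructed.

ADMIN_USERS="${ADMIN_USERS:-root admin}"       # assumed privileged accounts
VPN_NET_PREFIX="${VPN_NET_PREFIX:-10.8.0.}"     # assumed OpenVPN pool prefix

# admin_logins LOGFILE -> "user ip VPN|NOT-VPN Mon DD HH:MM:SS" per accepted login.
# Relies on sshd's standard "Accepted <method> for <user> from <ip> port N ssh2".
admin_logins() {
    awk -v admins="$ADMIN_USERS" -v vpn="$VPN_NET_PREFIX" '
        BEGIN { n = split(admins, a, " "); for (i = 1; i <= n; i++) is_admin[a[i]] = 1 }
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && ($9 in is_admin) {
            where = (index($11, vpn) == 1) ? "VPN" : "NOT-VPN"
            print $9, $11, where, $1, $2, $3
        }' "$1"
}

# flagged_logins LOGFILE -> only the logins that bypassed the VPN; these are the
# ones worth paging on (pipe to mail(1) or your alerting of choice).
flagged_logins() {
    admin_logins "$1" | awk '$3 == "NOT-VPN"'
}

# Constructed sample of a hypervisor's auth log (not real data).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun 12 14:03:01 hv01 sshd[2211]: Accepted publickey for root from 10.8.0.5 port 50412 ssh2
Jun 12 14:05:17 hv01 sshd[2290]: Failed password for root from 203.0.113.9 port 4410 ssh2
Jun 12 14:07:44 hv01 sshd[2301]: Accepted password for root from 203.0.113.9 port 4420 ssh2
Jun 12 14:09:02 hv01 sshd[2350]: Accepted publickey for deploy from 10.8.0.7 port 50500 ssh2
Jun 12 14:10:30 hv01 sshd[2390]: Accepted publickey for admin from 10.8.0.8 port 50600 ssh2
EOF

echo "Admin logins:"
admin_logins "$SAMPLE_LOG"
echo "Flagged (not via VPN):"
flagged_logins "$SAMPLE_LOG"
```

Run against the centrally collected auth logs, a NOT-VPN line for root means either the firewall on that host has a hole or someone has a foothold inside the perimeter; with the VPN-only policy in place there should never be one, which is what makes it a good thing to alert on.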
- 26. We'd love help: security frameworks; security plugins (authentication, monitoring); grsecurity support? Further Xen hardening? Ideas? http://cloudstack.org
- 27. Thanks! Questions? John Kinsella, @johnlkinsella, http://www.slideshare.net/jlkinsel/