CloudStack Secured

John Kinsella@johnlkinsella

Apache CloudStack PPMCFounder, Stratosec Inc.

Overview

• Code Review• Incident response• Stratosec extras• What’s next

LOOKING FOR WEAKNESSES IN ACS

Manual review

• Process of combing code looking for flaws• “Targeted” manual review can be cheaper,

easier• Grepping for known patterns can quickly point

to issues in code– “crypt”– “password”– “FIXME”– “this is a hack”

This is a hack

Manual review, cont

• Once we find an area where there’s a “smell,” we investigate closer.

Static analysis

• Automated!• Automation good, right?• But tools usually not cheap.

FoD Overview

Fod Source

FoD Trace

FoD Suspicious

What does this get us?

So far, not much.

• No critical findings discovered• Low issues possible

(eg raw error message displayed in UI)

Good guys vs bad guys

$$

Community

Malicious user

governments

Email from customer

Incident response

• Report findings to ACS security team (PPMC)• We strive to investigate and respond ASAP• Verified issues • Pre-4.0 issues are forwarded to Citrix• Pre-notification list for critical vendors

(Gizoogle cloudstack security response)

STRATOSEC EXTRAS

SSL

• ACS Ships with SSL disabled.• Instructions in ACS wiki under “CloudStack

Security”

VPNs

• SSL is nice, but we like OpenVPN for any administrative access

• Con: iOS doesn’t like OpenVPN*

*Jailbroken iOS does like OpenVPN

Tighter firewalling

• If you place unprotected hypervisors on public Internet, after several days, you will find VMs at a grub prompt

• Firewall everything. Use VPN, but firewall that too.

Testing

• Vulnerability scanning• Penetration testing• Important – monitoring for changes

IDS

• Run snort on hypervisors monitoring bridges• Run OSSEC, monitoring anything sensitive– /etc

• AntiVirus? Shouldn’t have to…

Two Factor Authentication

• Becoming more and more common• Passwords aren’t enough– Guessable– Stealable– Sniffable, when you’re not using SSL/VPN

2FA any day now…

• WiKID Systems 2 factor auth• “Mutual HTTPS Authentication”• Code seems to be working, just need to tweak

build

What’s next

• Admin login notification• KVM + SELinux– Working on it – not production ready

• After SELinux, auditd• Goal: Provide users with transparency

Logging

• We collect/analyze logs from– All IDS– Network firewalls– Web application firewalls– Syslog (Management, node, AND VM) collected

centrally

We’d love help

• Security Frameworks• Security plugins (authentication, monitoring)• grsecurity support?• Further xen hardening?• Ideas?

http://cloudstack.org

Thanks! Questions?

John Kinsella@johnlkinsella

http://www.slideshare.net/jlkinsel/