CloudStack Secured

Post on 20-Aug-2015


  1. CloudStack Secured
     - John Kinsella, @johnlkinsella
     - Apache CloudStack PPMC
     - Founder, Stratosec Inc.
  2. Overview
     - Code review
     - Incident response
     - Stratosec extras
     - What's next
  4. Manual review
     - Process of combing code looking for flaws
     - Targeted manual review can be cheaper, easier
     - Grepping for known patterns can quickly point to issues in code: crypt, password, FIXME, "this is a hack"
  5. This is a hack
  6. Manual review, cont.
     - Once we find an area where there's a smell, we investigate closer.
  7. Static analysis
     - Automated! Automation good, right?
     - But tools usually not cheap.
  8. FoD Overview
  9. FoD Source
  10. FoD Trace
  11. FoD Suspicious
  12. What does this get us?
     - So far, not much.
     - No critical findings discovered
     - Low issues possible (e.g. raw error message displayed in UI)
  13. Good guys vs bad guys
     - Governments
     - $$
     - Malicious user
     - Community
  14. Email from customer
  15. Incident response
     - Report findings to ACS security team (PPMC)
     - We strive to investigate and respond ASAP
     - Verified issues: pre-4.0 issues are forwarded to Citrix
     - Pre-notification list for critical vendors (Gizoogle "cloudstack security response")
  17. SSL
     - ACS ships with SSL disabled.
     - Instructions in ACS wiki under "CloudStack Security"
  18. VPNs
     - SSL is nice, but we like OpenVPN for any administrative access
     - Con: iOS doesn't like OpenVPN*
     - *Jailbroken iOS does like OpenVPN
  19. Tighter firewalling
     - If you place unprotected hypervisors on the public Internet, after several days you will find VMs at a grub prompt
     - Firewall everything. Use VPN, but firewall that too.
  20. Testing
     - Vulnerability scanning
     - Penetration testing
     - Important: monitoring for changes
  21. IDS
     - Run snort on hypervisors, monitoring bridges
     - Run OSSEC, monitoring anything sensitive (/etc)
     - AntiVirus? Shouldn't have to
  22. Two Factor Authentication
     - Becoming more and more common
     - Passwords aren't enough: guessable, stealable, sniffable (when you're not using SSL/VPN)
  23. 2FA any day now
     - WiKID Systems 2 factor auth
     - Mutual HTTPS Authentication
     - Code seems to be working, just need to tweak build
  24. What's next
     - Admin login notification
     - KVM + SELinux: working on it, not production ready
     - After SELinux, auditd
     - Goal: provide users with transparency
  25. Logging
     - We collect/analyze logs from: all IDS, network firewalls, web application firewalls
     - Syslog (management, node, AND VM) collected centrally
  26. We'd love help
     - Security frameworks
     - Security plugins (authentication, monitoring)
     - grsecurity support?
     - Further Xen hardening?
     - Ideas?
  27. Thanks! Questions?
     - John Kinsella, @johnlkinsella
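As an added example of the grep-based targeted review that slide 4 describes (this is not code from the talk or from CloudStack), a small POSIX shell scan that reports every hit for the slide's patterns and a count that can be tracked between reviews. The patterns are the ones the slide names; the file globs, excluded directories and the sample source tree are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the talk or from CloudStack: a small
# "smell grep" for the targeted manual review on slide 4. The patterns
# are the ones the slide names; the file globs, excluded directories and
# the sample tree below are assumptions constructed for this demo.

# Patterns the slide suggests grepping for (extended regex, case-insensitive,
# so "crypt" also catches encrypt/decrypt).
SMELL_PATTERNS='crypt|password|FIXME|this is a hack'

# smell_scan DIR: print file:line:text for every hit under DIR, skipping
# build output and VCS metadata. Sorted so successive reviews diff cleanly.
smell_scan() {
    grep -rniE --include='*.java' --include='*.py' --include='*.sh' \
         --include='*.properties' --exclude-dir=.git --exclude-dir=target \
         "$SMELL_PATTERNS" "$1" | sort
}

# smell_count DIR: number of matching lines, a figure worth tracking over
# time so a review notices when new smells land.
smell_count() {
    smell_scan "$1" | wc -l | tr -d ' '
}

# make_sample_tree: create a constructed demo source tree (NOT CloudStack
# code) and print its path. target/ holds a build copy that must be ignored.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src" "$dir/target"
    cat > "$dir/src/Login.java" <<'EOF'
public class Login {
    // FIXME this is a hack until we have proper credential storage
    private String password = "changeme";
    boolean check(String pw) { return password.equals(pw); }
}
EOF
    cat > "$dir/src/Util.java" <<'EOF'
public class Util {
    static String encrypt(String s) { return s; } // not real crypto
}
EOF
    cp "$dir/src/Login.java" "$dir/target/Login.java"
    printf '%s\n' "$dir"
}

# Demo run: expect 4 hits (3 in Login.java, 1 in Util.java), none from target/.
DEMO_DIR=$(make_sample_tree)
smell_scan "$DEMO_DIR"
echo "hits: $(smell_count "$DEMO_DIR")"
rm -rf "$DEMO_DIR"
```

Each hit still needs the closer look from slide 6; the count is only useful as a trend, not as a finding.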