Make your OpenStack Cloud Self-Defending with VESPA!
OpenStack Summit, Paris, November 5, 2014.
Marc Lacoste, Aurélien Wailly
Orange Labs
Agenda
Motivation and Approach
VESPA: Principle and Architecture
A Typical Use Case
The VESPA Project
Perspectives & Key Take-Aways
What's Wrong with IaaS Today?
THREAT proliferation: system threats, network threats.
  -> Need STRONG security: cross-layer security, end-to-end security.
     Perform 360° security supervision. Design an open security architecture.
COMPLEXITY of security management: diverse mechanisms, manual configuration,
  static management, low reactivity; security administration is a nightmare.
  -> Need SIMPLE security: ease administration, reduce OPEX, increase efficiency.
Our Approach
IaaS Clouds with Self-Defense Capabilities
Autonomous security management makes cloud protection simpler and stronger:
  Lighter administration.
  Increased reactivity.
  Lower operational costs.
  Graduated response.
  Security supervision enabler.
What is VESPA?
VESPA = Virtual Environments Self-Protecting Architecture:
an automated security supervision framework for IaaS and multi-DC infrastructures.
Applications:
  For the cloud provider: IaaS monitoring, anti-malware, anti-DDoS, end-to-end security.
  For customers: SecaaS appliances.
Design principles
STRONG SECURITY
  Cross-layer security: detect / respond to the overall extent of an attack.
  Open architecture: mitigate new threats, integrate legacy counter-measures.
SIMPLE SECURITY
  Automated security supervision: choose in-layer, cross-layer, or multi-DC.
  Tuneable defense patterns: orchestrate multiple loops for a rich defense strategy.
VESPA System Architecture
[Architecture diagram, shown on three consecutive slides: the base architecture, then with Intra-Layer Self-Protection highlighted, then with Cross-Layer Self-Protection highlighted.]
  Resource Plane: VM, Hypervisor, Physical.
  Agent Plane: Detection Agent, Reaction Agent.
  Security Plane: Detection Manager, Reaction Manager.
  Orchestration Plane: HO, VO.
  Control loop: DETECTION (Detection Agent -> Detection Manager) -> DECISION (Detection Manager -> Reaction Manager) -> REACTION (Reaction Manager -> Reaction Agent) -> RESOURCES.
Three levels of self-protection: intra-layer, cross-layer, multi-DC.
Extension to other OpenStack services (e.g., Nova, Neutron, Ceph/Glance, Keystone) using dedicated agents for mediation.
A VESPA Implementation
Research results:
Framework [ICAC’12]:
  A. Wailly, M. Lacoste, H. Debar. “VESPA: Multi-Layered Self-Protection for Cloud Resources”.
  ACM International Conference on Autonomic Computing (ICAC), San José, USA, September 2012.
Extensions:
  Network management (SDN approach).
  Mobile cloud SLAs: Orange MC2 [UCC’13].
  VMM self-protection: KungFuVisor [EURODW’12], self-stabilization [DSS’14].
  Keynotes [SSS’11], panels [IM’11, NOMS’14], tutorials [ICAR’13, MOBILECLOUD’14].
Code available at: https://github.com/Orange-OpenSource/vespa-core
The VESPA Project
RESULTS
  Framework: supervision of single-cloud and multi-DC security.
  Available in open source.
  Different applications demonstrating the viability of the self-defending cloud concept.
CURRENT VESPA FUNCTIONALITIES (so far)
VESPA = core + security plug-ins.
  Supported:    Anti-virus, Hypervisor control, Firewall, Log analysis.
  In progress:  Integration with Heat + Horizon, Network zones, vSwitch management (SDN).
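The detection / decision / reaction loop of the architecture slides above, exercised with the plug-in types listed in the functionalities table (log analysis, anti-virus, firewall, hypervisor control), as an added Python illustration written for this page. It is not code from the vespa-core repository: the layer names, the syslog-style input, the brute-force threshold and the action strings are assumptions made for the example. Two VM-layer detection agents raise alerts from constructed log lines; a detection manager correlates them into one incident per resource; a reaction manager applies a graduated response, staying intra-layer (firewall rule and file quarantine inside the VM) for a single symptom and adding a cross-layer hypervisor reaction when a successful brute-force login coincides with malware on the same VM, since a reaction taken one layer below the compromised resource cannot be undone by the attacker inside it.

```python
"""Multi-layer self-protection loop in the spirit of VESPA (added illustration).

Not code from vespa-core: layer names, the syslog-style input format, the
brute-force threshold and the reaction strings are assumptions for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines from a tenant VM (not a real capture).
SAMPLE_LOG = """\
Nov  5 10:00:01 vm-42 sshd[812]: Failed password for root from 198.51.100.7 port 40112 ssh2
Nov  5 10:00:02 vm-42 sshd[812]: Failed password for root from 198.51.100.7 port 40113 ssh2
Nov  5 10:00:03 vm-42 sshd[812]: Failed password for admin from 198.51.100.7 port 40114 ssh2
Nov  5 10:00:04 vm-42 sshd[812]: Failed password for admin from 198.51.100.7 port 40115 ssh2
Nov  5 10:00:05 vm-42 sshd[812]: Failed password for admin from 198.51.100.7 port 40116 ssh2
Nov  5 10:00:06 vm-42 sshd[812]: Accepted password for admin from 198.51.100.7 port 40117 ssh2
Nov  5 10:00:09 vm-42 clamd[900]: found Linux.Trojan.Mirai in /tmp/.x
"""

FAILED_RE = re.compile(r"(\S+) sshd\[\d+\]: Failed password for (\S+) from ([\d.]+)")
ACCEPT_RE = re.compile(r"(\S+) sshd\[\d+\]: Accepted password for (\S+) from ([\d.]+)")
MALWARE_RE = re.compile(r"(\S+) clamd\[\d+\]: found (\S+) in (\S+)")


@dataclass(frozen=True)
class Alert:
    layer: str     # resource-plane layer of the detection agent: vm / hypervisor / physical
    resource: str  # the protected resource, here a VM name
    kind: str
    detail: str


@dataclass
class Incident:
    resource: str
    kind: str
    severity: int  # 1: contain within the same layer; 2: escalate to the layer below
    alerts: tuple


def log_analysis_agent(log_text, threshold=5):
    """VM-layer detection agent (log-analysis plug-in): SSH brute force and its success."""
    failures = defaultdict(int)  # (vm, source ip) -> failed logins seen so far
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            vm, _, ip = m.groups()
            failures[(vm, ip)] += 1
            if failures[(vm, ip)] == threshold:
                alerts.append(Alert("vm", vm, "ssh_bruteforce", ip))
            continue
        m = ACCEPT_RE.search(line)
        if m:
            vm, user, ip = m.groups()
            if failures[(vm, ip)] >= threshold:  # a login right after a burst of failures
                alerts.append(Alert("vm", vm, "bruteforce_login", f"{user}@{ip}"))
    return alerts


def antivirus_agent(log_text):
    """VM-layer detection agent (anti-virus plug-in): one alert per scanner hit."""
    hits = (MALWARE_RE.search(line) for line in log_text.splitlines())
    return [Alert("vm", m.group(1), "malware", f"{m.group(2)} {m.group(3)}") for m in hits if m]


def detection_manager(alerts):
    """Security plane: correlate alerts into one incident per resource and grade it."""
    by_resource = defaultdict(list)
    for a in alerts:
        by_resource[a.resource].append(a)
    incidents = []
    for resource, group in by_resource.items():
        kinds = {a.kind for a in group}
        if {"bruteforce_login", "malware"} <= kinds:  # attacker got in and dropped a payload
            incidents.append(Incident(resource, "compromise", 2, tuple(group)))
        else:
            kind = "malware" if "malware" in kinds else "bruteforce"
            incidents.append(Incident(resource, kind, 1, tuple(group)))
    return incidents


def firewall_agent(inc):
    """VM-layer reaction agent: drop every source address involved in the incident."""
    ips = sorted({a.detail.rsplit("@", 1)[-1] for a in inc.alerts if a.kind != "malware"})
    return [f"vm:{inc.resource}: iptables -I INPUT -s {ip} -j DROP" for ip in ips]


def quarantine_agent(inc):
    """VM-layer reaction agent: move the flagged files out of the way."""
    return [f"vm:{inc.resource}: mv {a.detail.split()[1]} /quarantine/"
            for a in inc.alerts if a.kind == "malware"]


def hypervisor_agent(inc):
    """Hypervisor-layer reaction agent: isolation the attacker inside the VM cannot undo."""
    return [f"hypervisor: detach vNIC of {inc.resource}",
            f"hypervisor: snapshot {inc.resource} for forensics"]


def reaction_manager(incidents):
    """Decision step with a graduated response: severity 1 stays intra-layer,
    severity 2 adds a cross-layer reaction one layer below the compromised resource."""
    actions = []
    for inc in incidents:
        actions += firewall_agent(inc) + quarantine_agent(inc)
        if inc.severity >= 2:
            actions += hypervisor_agent(inc)
    return actions


def self_protection_loop(log_text):
    """Detection -> decision -> reaction over one batch of logs; returns (incidents, actions)."""
    alerts = log_analysis_agent(log_text) + antivirus_agent(log_text)
    incidents = detection_manager(alerts)
    return incidents, reaction_manager(incidents)
```

Calling `self_protection_loop(SAMPLE_LOG)` yields one "compromise" incident and four actions: the in-VM firewall rule and file quarantine, then the hypervisor-side vNIC detach and snapshot. Feeding only the five failed-login lines yields a severity-1 "bruteforce" incident and just the firewall rule, which is the intra-layer case.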
Perspectives
Next steps:
  Hardened code base, push in more features: deployment of components, administration console, IDS plug-in, secure communications, perimeter defense…
  More advanced functionalities: security policy / SLA management, hypervisor defense.
  Integration within OpenStack: blueprint submission. Extension to Nova? Neutron? Others? Standalone OpenStack project?
Going multi-cloud:
  For distributed clouds.
  For edge clouds.
  For convergence with SDN/NFV security.
Key Take-Aways
VESPA = a framework for supervising the security of IaaS infrastructures.
  Fills a gap among existing security solutions.
VESPA brings cloud security supervision intelligence:
  Simple security: rich levels of security automation.
  Strong security: multi-level protection + a fully open design to integrate existing security solutions.
VESPA may come in several deployment modes:
  VESPA-ready IaaS to protect infrastructure and/or customer VMs.
  Security appliance.
  SaaS (security supervision enabler).
Taking it to the next level:
  Compatibility with the OpenStack architecture and mechanisms.
  Looking for feedback from the community to integrate into new releases!