Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/Prevention Systems Penetration Testing for Evaluation of Cloud’s Security 14/09/2022 1

Upload: xhani-trungu

Post on 11-Apr-2017

Page 1: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

02/05/2023

1

Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/Prevention Systems

Penetration Testing for Evaluation of Cloud’s Security

Page 2: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

Taking a sneak peek at the definition of cloud computing

•Key technology for sharing resources

•Web as a space where computing has been preinstalled and exists as a service

Data centres, storage, operating systems, applications and processing power are ALL shared on the web.

Page 3: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

Virtualization in Cloud Systems

•Almost complete simulation of the actual hardware to allow software to run unmodified

•Example: We have a desktop computer with Ubuntu OS, and with virtualization technology we can run another Ubuntu OS inside the host machine, as a complete, fully functional second desktop computer inside ours.

Page 4: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

How is cloud connected to virtualization?

•Easy to understand. Cloud computing provides resources on demand and dynamically.

Virtualization provides resources on demand (you can create a virtual machine whenever you need one, or delete one) and dynamically (change your resources as you like, for example 1 CPU, 2 CPUs, 3 CPUs).

Page 5: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

Our Project’s Goal!

•Create a Cloud using virtualization Hardware

•Specifically using OpenStack Cloud Management System

•Secure our Cloud System with Security software and tools

Page 6: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

Architecture of our Cloud System (1)

•Initial plan

•3 virtualized OpenStack nodes

•1 OSSEC server monitoring the physical network and servers, plus the virtualized network and servers

•Deployment of Fortification/security measures on the physical and virtualized Servers

•Testing by means of offense

Page 7: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

•OpenStack Networking (Neutron) Architecture

•OSSEC server-client architecture

Page 8: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

Architecture of our Cloud System (2)

•Final plan:

•1 virtualized OpenStack node

•1 virtualized OSSEC server

•Deployment of Fortification/security measures on the physical and virtualized Servers

•Testing by means of offense

Page 9: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

•DevStack OpenStack Cloud Management Architecture

•OSSEC server-client architecture

Page 10: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

OSSEC Features

•File integrity checking

•Log Monitoring

•Rootkit Detection

•Active Response

Page 11: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

OSSEC Compliance Requirements

•Detect + Alerts

Reasons:

•Unauthorized filesystem modifications

•Malicious behaviour in log files

Page 12: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

Fortification/security measures of servers

•SSH configurations for high security

•Firewall rules modifications for inbound traffic

•Iptables rules modifications

•Apache server security hardening with ModSecurity

•Logwatch for the operating systems

•Rkhunter rootkit scanner

Page 13: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

Attacking Scenario No.1

•Sqlmap toolset.

•This tool focuses primarily on exploiting an SQL database.

•The Goal of this test was to check if our Cloud has any vulnerabilities against SQL attack methods, like SQL injections.

•Example attack command:

•python sqlmap.py -u "http://www.site.com/section.php?id=51"

Page 14: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

•The next method of attack again uses sqlmap, trying to reach any database entries from the Dashboard (Horizon)

•The example command is:

•sqlmap -u "http://192.168.100.50" --db

Page 15: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

Attacking Scenario No.2

•THC Hydra toolset

•This tool focuses on cracking login information

•It supports plenty of protocols, such as HTTP, HTTPS, SFTP, SSH (v1 and v2), SSHKEY, POSTGRES, etc.

•A first method of attack is attempting to log in as the root user on an SSH server.

•# hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 6 ssh://192.168.100.50
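
On the defending side, the password guessing in this scenario leaves one "Failed password" line per attempt in the SSH server's auth log, which is the kind of entry log monitoring can alert on. The Python script below is an added example, not part of the original slides and not OSSEC's own rule logic: it flags a source that exceeds an assumed number of failures for one user within an assumed time window. The log lines, the source address 192.168.100.77, the host name, the year and the threshold values are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth-log lines (not captured from the project's servers).
SAMPLE_LOG = """\
Apr 11 10:00:01 cloud sshd[2101]: Failed password for root from 192.168.100.77 port 40112 ssh2
Apr 11 10:00:01 cloud sshd[2102]: Failed password for root from 192.168.100.77 port 40114 ssh2
Apr 11 10:00:02 cloud sshd[2103]: Failed password for root from 192.168.100.77 port 40116 ssh2
Apr 11 10:00:02 cloud sshd[2104]: Failed password for admin from 192.168.100.20 port 51000 ssh2
Apr 11 10:00:03 cloud sshd[2105]: Failed password for root from 192.168.100.77 port 40118 ssh2
Apr 11 10:00:03 cloud sshd[2106]: Failed password for root from 192.168.100.77 port 40120 ssh2
Apr 11 10:00:04 cloud sshd[2107]: Failed password for root from 192.168.100.77 port 40122 ssh2
Apr 11 10:00:09 cloud sshd[2104]: Accepted password for admin from 192.168.100.20 port 51000 ssh2
Apr 11 10:00:10 cloud sshd[2108]: Failed password for root from 192.168.100.77 port 40124 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=6, window_s=60, year=2017):
    """Return (source, user, time) for each source/user pair that reaches
    `threshold` failed logins within `window_s` seconds (assumed values)."""
    recent = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    alerted = set()              # pairs already reported, to alert only once
    alerts = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue             # successful logins and other lines are ignored
        # Syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["src"], m["user"])
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()          # drop failures that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((m["src"], m["user"], ts.strftime("%H:%M:%S")))
    return alerts

if __name__ == "__main__":
    for src, user, when in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {when}: repeated failed SSH logins for {user} from {src}")
```

The single mistyped password from 192.168.100.20 does not raise an alert, while the burst against root does.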

Page 16: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

Security Evaluation of our Cloud

•It endured any attack from the two scenarios.

•This means the fortification is quite satisfying

•Unfortunately there were not more attacking methods in order to cover a larger area of security issues.

The result is: Our Private DevStack Cloud has managed to stand against threats.

GOALS ACHIEVED!

Page 17: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

Conclusions

•There is no “Best Security Strategy” for a Cloud System.

•To secure a Cloud we shall:

Be open-minded and adopt other security products and methods used by others.

Fuse our strategy with other existing effective strategies.

Bear in mind: one wooden stick can be broken; 20 wooden sticks will never be broken or, even worse, bent.

Page 18: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

Conclusions

•Securing the Cloud’s infrastructure is sensible.

•Securing the probable Servers hosting the Cloud’s components is sensible.

•It would be INSENSIBLE to secure only one of these two.

•Nevertheless, our project scope was to deploy security measures on the Servers of the Cloud.

•However, future work shall be to research, design and deploy the security technologies on the Cloud’s platform.

Page 19: Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems

Conclusions

•Final step: Deploy and implement complementary security technologies on the Cloud too.

At last, after a lot of effort, it shall be ready for migration to a real environment.