
OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloud


DESCRIPTION

This talk describes an automated, trusted remote Java development sandbox hosted in the Amazon cloud that uses strong encryption for system authentication and file-system services. Security-conscious users can trust that their application intellectual property won't be leaked while trusting neither the cloud provider nor the operators who deploy and maintain the cloud-based sandbox service.


Page 1: OpenCloudDay 2014: Deploying trusted developer sandboxes in Amazon's cloud

“Remote Desktop for big data + DevOps + Encryption Everywhere”
Deploying trusted developer sandboxes in Amazon’s cloud
Jason Brazile, Remi Locherer, Ronnie Brunner
10 June 2014
Open Cloud Day

Page 2

Netcetera | 2

A case for…
• remote desktop w/ “big data in the cloud”
• automated immutable system images
• not-too-inconvenient encryption everywhere

Page 3

Background: ESA Study 2009-2011

potential use-cases:
• …
• Cloud for free* data access
• Cloud for remote development
• …

(*) https://www.google.com/?q=ESA+Earth+Observation+Data+Policy
ESRIN/Contract Nr. 227700/09/I-SB final report (245 pages)

Page 4

ESA CIOP
• Big, free-ish, data
• Distinct, proprietary software devs
• Slow test data distribution to code developers
• Devs nervous about their code leaking

(diagram: Proprietary Algorithm A dev’d by X; Proprietary Algorithm B dev’d by Y)

Soln? Instead, bring the devs to the data (in the cloud)

Page 5

(non-)Priorities… Zzz
• hacking science data
• brand damage
• leaking developer’s algorithms

Summary
• Data = not sensitive
• Dev’s code = sensitive
• Soln → easy for devs

Page 6

Schneier’s “NSA” Recommendations
1. Hide in the network (Tor)
2. Encrypt communications
3. Encrypt data
4. Be suspicious of commercial encryption from large vendors
5. Use public-domain encryption

http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
Image source: Wikipedia

w/ ESA CIOP, 4 of 5 are built in to the system

Page 7

Cloud Sandbox Prototype (diagram)

ESA private net: NFS server exporting /data and the per-user homes /home/a, /home/b, /home/c; ldap; portal; catalog
ESA/CIOP DMZ: sandbox a, sandbox b, sandbox c, each running encfs + sshd
Users a, b, c: existing X.509 certs → X.509-derived ssh key
Admin: knows no CIOP secrets

• ldap config limits user c to sandbox c
• nfs mount of encfs-encrypted /home/a
• sandbox images basically read-only

Page 8

Getting big data into the cloud
1. Net or Post?
2. Est. cost
3. Submit job

http://aws.amazon.com/importexport/faqs/
http://calculator.s3.amazonaws.com/index.html?s=importexport
http://docs.aws.amazon.com/AWSImportExport/latest/DG/GSCreateSampleEBSImportRequest.html

Page 9

Easy? First Time Usage
1. ssh identity derived from existing X.509 certificate
2. Single encfs passphrase decrypts both dev’s /home and shared /validate

Page 10

Easy? Daily Usage
1. ssh identity derived from existing X.509 certificate
2. Single encfs passphrase decrypts both dev’s /home and shared /validate

ldap directory: centralized access control to machines and nfs mounts
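The identity chain the prototype describes (Page 7: "X.509 derived ssh key" and "ldap config limits user c to sandbox c"; Pages 9 and 10: "ssh identity derived from existing X.509 certificate"; Page 14: openssh-ldap with the ldappubkey schema), as an added example that is not code from the talk or from the esa-ciop-sandbox-image-proto repository. It assumes the openssh-lpk schema (objectClass ldapPublicKey, attribute sshPublicKey), the cosine "account" objectClass for a per-user host attribute, and nslcd's pam_authz_search to enforce that attribute on each sandbox; the talk does not say which mechanism it used for the per-sandbox restriction, so that part is an assumption. Base DN, host names and the self-signed demo certificate are placeholders standing in for the ESA-issued certificates.

```shell
#!/bin/sh
# Added example, not code from the talk or its repository: turn a developer's
# existing X.509 certificate into the ssh public key their sandbox accepts, and
# emit the LDAP entry that carries it. Assumptions (the talk shows neither its
# schema nor its per-sandbox restriction): openssh-lpk schema (objectClass
# ldapPublicKey, attribute sshPublicKey), the cosine "account" objectClass for a
# per-user "host" attribute, and nslcd enforcing it on every sandbox with
#   pam_authz_search (&(objectClass=posixAccount)(uid=$username)(host=$hostname))
# in nslcd.conf. Base DN and host names below are placeholders.

# x509_to_ssh_pubkey CERT.pem -> "ssh-rsa AAAA..." on stdout.
# Only the certificate's SubjectPublicKeyInfo is used: no new key pair is
# generated, and the developer's private key never leaves their machine.
x509_to_ssh_pubkey() {
    cert="$1"
    tmp=$(mktemp) || return 1
    if openssl x509 -in "$cert" -noout -pubkey > "$tmp" \
        && key=$(ssh-keygen -i -m PKCS8 -f "$tmp"); then
        rm -f "$tmp"
        printf '%s\n' "$key"
    else
        rm -f "$tmp"
        return 1
    fi
}

# sandbox_user_ldif UID UIDNUMBER SANDBOX_FQDN CERT.pem BASE_DN -> LDIF on stdout.
# The host attribute is what limits "user c to sandbox c": the entry names the
# one sandbox this developer may log in to.
sandbox_user_ldif() {
    uid="$1"; uidnum="$2"; host="$3"; cert="$4"; base="$5"
    pub=$(x509_to_ssh_pubkey "$cert") || return 1
    cat <<EOF
dn: uid=$uid,ou=People,$base
objectClass: account
objectClass: posixAccount
objectClass: ldapPublicKey
uid: $uid
cn: $uid
uidNumber: $uidnum
gidNumber: $uidnum
homeDirectory: /home/$uid
loginShell: /bin/bash
host: $host
sshPublicKey: $pub $uid
EOF
}

# demo_sandbox_user: a throwaway self-signed certificate (constructed sample
# input) stands in for the ESA-issued one; prints the resulting LDIF.
demo_sandbox_user() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=usera \
        -keyout "$d/usera.key" -out "$d/usera.crt" >/dev/null 2>&1 || return 1
    sandbox_user_ldif usera 10001 sandbox-a.ciop.example "$d/usera.crt" dc=ciop,dc=example
    rm -rf "$d"
}
```

The operator loads the entry with ldapadd (or slapadd, as on Page 13) and never sees a private key; a developer logs in with the private key already paired with their certificate, and removing the entry, or changing its host attribute, revokes sandbox access centrally. One caveat for anyone reproducing this on a newer base than SL6: from OpenSSH 6.2 on, sshd refuses AuthorizedKeysCommand unless AuthorizedKeysCommandUser is also set, an option the RHEL 6 openssh-ldap package on Page 14 predates.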

Page 11

Details: Encrypted file system choices (SL6)

Page 12

Details: just the OS

boxgrinder appliance definition:

    name: fedora-xfce
    summary: Fedora with xfce
    os:
      name: fedora
      version: 16
    hardware:
      partitions:
        "/":
          size: 5
    packages:
      - @base
      - @base-x
      - @fonts
      - @xfce-desktop
      - @critical-path-xfce

EC2 delivery settings (placeholder values):

    access_key: yourawsaccesskey
    secret_access_key: yourawssecretkey
    account_number: youramazonaccountnumber
    cert_file: /root/.ec2/yourcertificate.pem
    key_file: /root/.ec2/yourprivatekey.pem

The only change needed (in the os section):

    name: sl
    version: 6

Note: boxgrinder is “sleeping”. Now we use appliance-creator (~150 line shell script):
https://github.com/netceteragroup/esa-beam/blob/master/beam-3dveglab-vlab/src/main/scripts/build_fedora_virtual_image.sh

Page 13

Details: server script (~500 lines)
• Firewall
• Nfs/autofs
• Certificates
• Ldap
• Syslog

    # local firewall rules for inbound traffic
    lokkit --nostart --enabled \
      --service=ssh \
      --port=111:tcp \
      --port=111:udp \
      --port=514:tcp \
      --port=636:tcp \
      --port=662:tcp \
      --port=662:udp \
      --port=2049:tcp \
      --port=2049:udp \
      --port=32803:tcp \
      --port=32769:udp

    # 111 rpc (for nfs)
    # 636 ldap-ssl
    # 514 rsyslog
    # 662 statd (for nfs)
    # 2049 nfs4
    # 32803,32769 lockd (for nfs)

Nice-to-have: rsyslog → TLS rsyslog

    # ldap configuration
    yum install -y openldap-clients openldap-servers nss-pam-ldapd

    # prepare ldap cert
    cd /etc/openldap/cacerts
    openssl genrsa -out cert.key 2048
    …
    openssl req -new -key cert.key -out cert.csr -subj \
      "/C=IT/L=Default City/O=Default Company Ltd/CN=192.168.11.10"
    …
    /usr/sbin/cacertdir_rehash /export/certs/

    cat <<EOF> /etc/openldap/slapd.d/cn=config.ldif
    …
    cat <<EOF> /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
    …
    cat <<EOF> /etc/openldap/slapd.d/cn=config/cn=schema/cn={12}autofs.ldif
    …
    cat <<EOF> /etc/openldap/slapd.d/cn=config/cn=schema/cn={14}ldappubkey.ldif
    …
    cat <<EOF> /etc/openldap/g-pod.ldif
    …
    slapadd -l /etc/openldap/g-pod.ldif

Page 14

Details: sandbox script (~250 lines)
• Firewall
• Nfs/autofs/fuse-encfs
• Encrypted /tmp & swap
• Openssh-ldap
• Syslog

    …
    chmod +x /etc/profile.d/encfs.sh

    # load fuse kernel module at boot
    cat <<EOF> /etc/sysconfig/modules/encfs.modules
    #!/bin/bash
    exec /sbin/modprobe fuse >/dev/null 2>&1
    EOF
    chmod +x /etc/sysconfig/modules/encfs.modules

    # public keys come from ldap (a backslash inside single quotes is literal,
    # so the option and its value must stay on one line)
    yum install -y openssh-ldap
    echo 'AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper' >> /etc/ssh/sshd_config

    # for ssh-ldap-helper
    ln -s /etc/openldap/ldap.conf /etc/ssh/ldap.conf

    # encrypt temporary filesystems
    yum install -y cryptsetup-luks
    # swap space: dm-crypt mapping with a fresh random key every boot
    # (use "cryptsetup status /dev/mapper/swap" after reboot)
    echo 'swap /dev/mapper/VolGroup-lv_swap /dev/urandom cipher=aes-cbc-essiv:sha256,size=128,swap' > /etc/crypttab
    sed -i 's/.*swap.*/\/dev\/mapper\/swap swap swap defaults 0 0/' /etc/fstab
    # temporary file systems
    echo 'none /tmp tmpfs defaults,size=64m 0 0' >> /etc/fstab
    echo 'none /var/tmp tmpfs defaults,size=128m 0 0' >> /etc/fstab

    […]

    # home directory encryption
    # fuse-2.8.3-1.el6 works, fuse-2.8.3-3.el6_1 "fusermount -u" does not work.
    yum install -y \
      fuse-2.8.3-1.el6 \
      fuse-encfs-1.7.4-1.el6.i686 \
      pwgen
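A check for the image hardening the sandbox script applies (random-key dm-crypt swap, tmpfs /tmp and /var/tmp, LDAP-sourced authorized keys, fuse loaded at boot), as an added example that is not part of the talk or its repository. It reads the files the script writes, so it can be pointed at a mounted copy of a built image (or at constructed files, as in the embedded sample) rather than at a running sandbox. The AuthorizedKeysFile warning is a practitioner's addition the slide does not mention, and the sample file contents are constructed from the script lines above.

```shell
#!/bin/sh
# Added example, not code from the talk or its repository: audit the hardening
# the sandbox script bakes into an image, from the files it writes. Paths are
# arguments so this can run against a mounted image root or against test files.

# audit_sandbox FSTAB CRYPTTAB SSHD_CONFIG MODULES_FILE
# Prints one FAIL line per missing control and returns the number of failures.
audit_sandbox() {
    fstab="$1"; crypttab="$2"; sshd_config="$3"; modules="$4"
    fails=0

    # 1. Swap is a dm-crypt mapping keyed from /dev/urandom at boot, so pages of
    #    a developer's JVM that get swapped out never survive a reboot in clear.
    awk '$1 == "swap" && $3 == "/dev/urandom" && ("," $4 ",") ~ /,swap,/ { ok = 1 }
         END { exit ok ? 0 : 1 }' "$crypttab" \
        || { echo "FAIL: no random-key swap mapping in $crypttab"; fails=$((fails + 1)); }

    # 2. fstab swaps on the mapping, not on the raw logical volume underneath it.
    awk '$3 == "swap" { seen = 1; if ($1 != "/dev/mapper/swap") bad = 1 }
         END { exit (seen && !bad) ? 0 : 1 }' "$fstab" \
        || { echo "FAIL: swap in $fstab is not /dev/mapper/swap"; fails=$((fails + 1)); }

    # 3. /tmp and /var/tmp are tmpfs, so scratch files only ever hit RAM or that swap.
    for mnt in /tmp /var/tmp; do
        awk -v m="$mnt" '$2 == m && $3 == "tmpfs" { ok = 1 } END { exit ok ? 0 : 1 }' "$fstab" \
            || { echo "FAIL: $mnt is not tmpfs in $fstab"; fails=$((fails + 1)); }
    done

    # 4. sshd takes public keys from the directory (ssh-ldap-wrapper), so access
    #    is granted and revoked centrally.
    grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+[^[:space:]]' "$sshd_config" \
        || { echo "FAIL: AuthorizedKeysCommand not set in $sshd_config"; fails=$((fails + 1)); }
    # Practitioner's addition (not on the slide): with the default AuthorizedKeysFile
    # a key dropped into ~/.ssh still works, bypassing LDAP. Warn, do not fail.
    grep -Eq '^[[:space:]]*AuthorizedKeysFile[[:space:]]+/dev/null' "$sshd_config" \
        || echo "WARN: AuthorizedKeysFile not disabled; ~/.ssh/authorized_keys bypasses LDAP"

    # 5. fuse is loaded at boot, otherwise the encfs mount from /etc/profile.d fails.
    grep -q 'modprobe fuse' "$modules" \
        || { echo "FAIL: fuse not loaded at boot by $modules"; fails=$((fails + 1)); }

    return "$fails"
}

# demo_audit: constructed sample files matching what the sandbox script writes,
# plus a weakened variant (swap on the raw LV, /var/tmp on disk). Returns 0 when
# the hardened set passes and the weakened set reports exactly two failures.
demo_audit() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '/dev/mapper/VolGroup-lv_root / ext4 defaults 1 1' \
        '/dev/mapper/swap swap swap defaults 0 0' \
        'none /tmp tmpfs defaults,size=64m 0 0' \
        'none /var/tmp tmpfs defaults,size=128m 0 0' > "$d/fstab"
    printf '%s\n' 'swap /dev/mapper/VolGroup-lv_swap /dev/urandom cipher=aes-cbc-essiv:sha256,size=128,swap' > "$d/crypttab"
    printf '%s\n' 'AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper' > "$d/sshd_config"
    printf '%s\n' '#!/bin/bash' 'exec /sbin/modprobe fuse >/dev/null 2>&1' > "$d/encfs.modules"
    printf '%s\n' '/dev/mapper/VolGroup-lv_swap swap swap defaults 0 0' \
        'none /tmp tmpfs defaults,size=64m 0 0' > "$d/fstab.weak"

    good=0; audit_sandbox "$d/fstab" "$d/crypttab" "$d/sshd_config" "$d/encfs.modules" || good=$?
    weak=0; audit_sandbox "$d/fstab.weak" "$d/crypttab" "$d/sshd_config" "$d/encfs.modules" || weak=$?
    rm -rf "$d"
    echo "hardened image: $good failure(s); weakened image: $weak failure(s)"
    [ "$good" -eq 0 ] && [ "$weak" -eq 2 ]
}
```

Run it against a mounted image as `audit_sandbox /mnt/img/etc/fstab /mnt/img/etc/crypttab /mnt/img/etc/ssh/sshd_config /mnt/img/etc/sysconfig/modules/encfs.modules` before publishing the AMI; a non-zero return is the number of controls missing. Note that the check reads configuration only: whether the swap mapping actually came up is what the slide's `cryptsetup status /dev/mapper/swap` after reboot tells you.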

Page 15

Takeaways…
• remote desktop w/ “big data in the cloud”
• automated immutable system images
• not-too-inconvenient encryption everywhere

github.com/netceteragroup/esa-ciop-sandbox-image-proto

[email protected]

[email protected]

[email protected]