Keystone Security – OpenStack Summit Atlanta 1
Keystone Security: A Symantec Perspective on Securing Keystone
Keith Newstadt, Cloud Services Architect
Symantec’s Cloud Platform Engineering Objectives
• We are building a consolidated cloud platform that provides infrastructure and platform services for next generation Symantec products and services
– An exciting “greenfield” opportunity to re-invent our cloud infrastructure with strong executive leadership and support
– Building a global team in the US, Europe, and Asia of top-notch, open source minded engineers in the areas of cloud and big data
• Our development model is to use open source components as building blocks
– Identify capability gaps and contribute back to the community
• We have selected OpenStack as one of the underlying infrastructure services layers
• We plan to analyze and help improve the overall security posture of OpenStack components
• We are starting small, but will scale to thousands of nodes across multiple data centers
The Symantec Team
• Me
– In Security for nearly 15 years
– Norton Web Services
• Including the Norton Identity Provider
• Billions of requests, 100M+ users, 100M+ endpoints
• Under constant attack
– Now working on Symantec’s next generation cloud, using OpenStack
• The team
– Cloud Platform Engineering
– Symantec Compliance Suite
– Symantec Validation and ID Protection (VIP)
– Symantec Product Security Group
– Global Security Organization (InfoSec)
Brief Keystone Overview
[Diagram: Authenticate to Keystone and receive an identity token; present the identity token to an OpenStack service, which has Keystone validate it]
• Single point of auth for all OpenStack services
• Single sign on to OpenStack services
• Reduces exposure of credentials
• Common API layer on top of various authentication protocols
• and more…
Keystone Security is Critical
At stake: passwords, keys, certs, tokens, and denial of service (DoS) against the single point of authentication.
Symantec’s Approach to Securing Keystone
[Diagram: three layers, Application, Environment, and Process, covering Threat Modeling, Security Scans, Compliance, Infrastructure, Operating System, Auditing, Threat Resilience, Multifactor Authentication, and Identity Standards]
Threat Modeling
What am I trying to protect?
What are my assets?
Is my particular deployment secure?
Where am I likely to be attacked?
STRIDE threat categories:
Spoofing: Could someone spoof the LDAP server? Mitigation option: LDAP server authentication
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privileges
Supply Chain Management
Am I running what I think I’m running?
Did I get the right images and distros?
Could something malicious be injected into the deployment process?
Am I running the most secure patch level?
Download: Make sure it’s good.
Build: Make sure it’s secure.
Deploy: Make sure you’ve validated.
Patch: Stay on a secure patch level.
We’re using Symantec Control Compliance Suite. Others: Qualys, Nessus, etc.
Questions around third-party component security are an unsolved problem.
It seems obvious, but…
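One concrete form of “make sure you’ve validated” for the Download and Deploy steps is to compare what landed on disk against the digest manifest published with the release. The script below is an added example written for this transcript, not Symantec’s tooling or an OpenStack project’s own code: it parses a sha256sum-style manifest, walks the deployed tree, and reports files that were modified, are missing, or were never in the manifest at all. The tree and manifest it builds in demo() are constructed (tiny placeholder files, a deliberately appended line, a listed-but-absent policy file, an extra unlisted binary); real deployments would take the manifest from the signed release and the root from the install prefix.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream the file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines: '<hex digest>  <relative path>'."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        expected[rel.strip()] = digest.lower()
    return expected


def verify_tree(root, expected):
    """Compare every file under root with the manifest.

    Four outcomes: ok, modified (digest differs), missing (in the manifest, not on
    disk), unexpected (on disk, not in the manifest). Only an all-'ok' report means
    you are running what you think you are running."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    on_disk = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            on_disk[os.path.relpath(full, root).replace(os.sep, "/")] = full
    for rel, digest in expected.items():
        if rel not in on_disk:
            report["missing"].append(rel)
        elif sha256_file(on_disk[rel]) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = list(set(on_disk) - set(expected))
    for key in report:
        report[key].sort()
    return report


def demo():
    """Build a constructed tree: one file intact, one tampered, one missing, one extra."""
    root = tempfile.mkdtemp()
    files = {"bin/keystone-all": b"#!/usr/bin/python\n# constructed placeholder\n",
             "etc/keystone.conf.sample": b"[DEFAULT]\n"}
    manifest_lines = []
    for rel, content in files.items():
        manifest_lines.append(f"{hashlib.sha256(content).hexdigest()}  {rel}")
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    manifest_lines.append(f"{'0' * 64}  etc/policy.json")      # listed, never shipped
    with open(os.path.join(root, "bin/keystone-all"), "ab") as f:
        f.write(b"# line appended after download\n")          # tampered on the way in
    with open(os.path.join(root, "etc/extra.so"), "wb") as f:
        f.write(b"\x7fELF")                                   # never in the manifest
    return verify_tree(root, parse_manifest("\n".join(manifest_lines)))


if __name__ == "__main__":
    for outcome, paths in demo().items():
        print(f"{outcome:10s} {paths}")
```

The “unexpected” class is the one most checkers skip, and it is where an injected component shows up; treat it as a failure, not as noise.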
Security
Keystone Compliance
Is my system hardened against attacks?
Can someone change my deployment?
What assets could be stolen from my environment?
Do I know what happened after I’ve been attacked?
HARDENING / AUDITING
We’re using Symantec Data Center Security for Linux and OpenStack compliance.
Other tools are out there as well: SELinux, Tripwire, etc.
What to harden and audit: config files, log files, ports, executables.
Every deployment is different. Start by following the trail from keystone.conf.
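Following the trail from keystone.conf can be scripted, and the same script answers the threat modeling slide’s spoofing question about the LDAP server. The audit below is an added example written for this transcript, not Symantec Data Center Security, Control Compliance Suite, or Keystone’s own code. The option names it reads ([DEFAULT] admin_token, [database] connection, [ldap] url / use_tls / tls_req_cert, [signing] keyfile, [ssl] keyfile) are real Keystone options of this era; the sample keystone.conf, every hostname, password and path in it, and the finding codes are constructed for the example.

```python
import configparser
import os
import stat
import tempfile
from urllib.parse import urlsplit

# Constructed keystone.conf for the demo: real option names, made-up values.
SAMPLE_CONF = """\
[DEFAULT]
admin_token = ADMIN

[database]
connection = mysql://keystone:s3cret@db.internal/keystone

[ldap]
url = ldap://ldap.internal:389
use_tls = False
tls_req_cert = allow

[signing]
certfile = {d}/signing_cert.pem
keyfile = {d}/signing_key.pem
"""


def load_conf(path):
    # interpolation=None: connection strings and passwords may legitimately contain '%'
    conf = configparser.ConfigParser(interpolation=None)
    conf.read(path)
    return conf


def check_ldap_transport(conf):
    """Spoofing / disclosure: is the LDAP server authenticated and the channel encrypted?"""
    findings = []
    if not conf.has_option("ldap", "url"):
        return findings
    scheme = urlsplit(conf.get("ldap", "url")).scheme.lower()
    use_tls = conf.getboolean("ldap", "use_tls", fallback=False)
    if scheme == "ldap" and not use_tls:
        findings.append(("ldap-cleartext", "LDAP binds, and with them user passwords, "
                         "leave Keystone in the clear; use ldaps:// or use_tls = True"))
    req_cert = conf.get("ldap", "tls_req_cert", fallback="demand").lower()
    if req_cert != "demand":
        findings.append(("ldap-cert-unverified", f"tls_req_cert = {req_cert}: the server "
                         "certificate is not enforced, so a spoofed LDAP server is accepted"))
    return findings


def check_admin_token(conf):
    """The bootstrap admin_token bypasses authentication entirely when presented."""
    findings = []
    token = conf.get("DEFAULT", "admin_token", fallback="").strip()
    if token:
        findings.append(("admin-token-set", "admin_token is configured; remove it once "
                         "the deployment is bootstrapped"))
        if token == "ADMIN":
            findings.append(("admin-token-default", "admin_token is the well-known default"))
    return findings


def is_private(path):
    """True when neither group nor other can read the file."""
    return not os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH)


def check_file_perms(conf, conf_path):
    """Every secret keystone.conf points at (and the conf itself) must be private."""
    findings = []
    secrets = [conf_path]          # the conf carries the DB password and admin_token
    for section, option in (("signing", "keyfile"), ("ssl", "keyfile")):
        if conf.has_option(section, option):
            secrets.append(conf.get(section, option))
    for path in secrets:
        if not os.path.exists(path):
            findings.append(("missing-file", f"{path} is referenced but not present"))
        elif not is_private(path):
            findings.append(("not-private", f"{path} is readable by group or other"))
    return findings


def audit(conf_path):
    conf = load_conf(conf_path)
    return (check_ldap_transport(conf) + check_admin_token(conf)
            + check_file_perms(conf, conf_path))


def demo():
    """Lay the sample out in a temp dir (conf world-readable, key private) and audit it."""
    d = tempfile.mkdtemp()
    conf_path = os.path.join(d, "keystone.conf")
    with open(conf_path, "w") as f:
        f.write(SAMPLE_CONF.format(d=d))
    os.chmod(conf_path, 0o644)
    key_path = os.path.join(d, "signing_key.pem")
    with open(key_path, "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(key_path, 0o600)
    return audit(conf_path)


if __name__ == "__main__":
    for code, message in demo():
        print(f"[{code}] {message}")
```

Run it against the real /etc/keystone/keystone.conf with audit(); the ldap-cert-unverified finding is the one that maps directly to “could someone spoof the LDAP server”, and the fix is the mitigation the slide names: make Keystone demand and verify the server certificate.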
Environment
Security of Credentials on the Wire
Is my data secure while in motion?
What high value assets are being transmitted?
What would be the repercussions if these assets were intercepted or tampered with?
How much of my environment do I trust?
[Diagram: POST /tokens to Keystone; the token then travels to Nova, Cinder, Swift, …]
Attack vectors on both internal and external networks.
Assets: credentials and tokens.
Balance risk and cost.
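To see which hops the diagram above puts credentials on, it helps to write out the two messages and then check where they would be sent. The code below is an added example for this transcript, not Keystone’s client library or any Symantec code: it builds the v2 POST /tokens body (the password is in it), the token validation request a service makes back to Keystone (two bearer tokens in it), and audits a service catalog for endpoints that would carry X-Auth-Token over plain HTTP. The catalog is constructed in the shape Keystone v2 returns; token id, tenant and user ids, and hostnames are made up. The trust_internal_network switch is the “balance risk and cost” decision made explicit: an operator who trusts the internal network may accept cleartext internalURL/adminURL entries, but a cleartext publicURL is never acceptable.

```python
import json
from urllib.parse import urlsplit


def password_auth_request(username, password, tenant_name):
    """Body of POST /v2.0/tokens. The user's password travels in this request,
    so the client-to-Keystone hop must be TLS regardless of network."""
    return {"auth": {"tenantName": tenant_name,
                     "passwordCredentials": {"username": username,
                                             "password": password}}}


def token_validation_request(user_token, service_token):
    """What a service (Nova, Cinder, ...) sends to Keystone's admin endpoint to
    validate a user's token: GET /v2.0/tokens/{id}, authenticated with the
    service's own token. Two bearer secrets are on the wire per validation."""
    return {"method": "GET",
            "path": "/v2.0/tokens/" + user_token,
            "headers": {"X-Auth-Token": service_token}}


# Constructed POST /tokens response in Keystone v2 shape (all identifiers made up).
SAMPLE_RESPONSE = {
    "access": {
        "token": {"id": "c0ffee1234567890", "expires": "2014-05-12T18:00:00Z",
                  "tenant": {"id": "t1", "name": "demo"}},
        "user": {"id": "u1", "name": "alice", "roles": [{"name": "_member_"}]},
        "serviceCatalog": [
            {"type": "identity", "name": "keystone", "endpoints": [{
                "region": "RegionOne",
                "publicURL": "https://keystone.example.com:5000/v2.0",
                "internalURL": "https://keystone.internal:5000/v2.0",
                "adminURL": "https://keystone.internal:35357/v2.0"}]},
            {"type": "compute", "name": "nova", "endpoints": [{
                "region": "RegionOne",
                "publicURL": "https://nova.example.com:8774/v2/t1",
                "internalURL": "http://nova.internal:8774/v2/t1",
                "adminURL": "http://nova.internal:8774/v2/t1"}]},
            {"type": "object-store", "name": "swift", "endpoints": [{
                "region": "RegionOne",
                "publicURL": "http://swift.example.com:8080/v1/AUTH_t1"}]},
        ],
    }
}


def audit_catalog(response, trust_internal_network=False):
    """List every catalog endpoint that would carry X-Auth-Token over cleartext HTTP.

    trust_internal_network=True accepts http:// on internalURL/adminURL (the
    operator has decided the internal network is trusted); publicURL is never exempt."""
    findings = []
    for service in response["access"]["serviceCatalog"]:
        for endpoint in service["endpoints"]:
            for kind in ("publicURL", "internalURL", "adminURL"):
                url = endpoint.get(kind)
                if not url or urlsplit(url).scheme.lower() == "https":
                    continue
                if trust_internal_network and kind != "publicURL":
                    continue
                findings.append((service["type"], kind, url))
    return findings


if __name__ == "__main__":
    print(json.dumps(password_auth_request("alice", "hunter2", "demo"), indent=2))
    req = token_validation_request(SAMPLE_RESPONSE["access"]["token"]["id"], "svc-token")
    print(req["method"], req["path"], req["headers"])
    for svc, kind, url in audit_catalog(SAMPLE_RESPONSE):
        print("cleartext endpoint:", svc, kind, url)
```

Every http:// entry the audit reports is a hop where a captured token can be replayed until it expires; the catalog is the complete list of those hops, which is why it is the right thing to audit rather than individual service configs.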
Keystone Intrusion Detection
Will I know when I’m under attack? (And I will be…)
Who is attacking me?
What is their target?
How do I stop them?
Forensics
What will you need after an attack?
• Track users, token hashes, source IP addresses
• Perform analytics, correlation
• Security vs. privacy
Prevention
How do you fend off an attack?
• Rate limiting to impede brute force attacks
• Blacklist malicious IPs
• Detect and block anomalous user behavior
• Add request logging and blocking at a proxy, load balancer, or in a Keystone filter
• Challenges to foil automated attacks
Aggregate logs in a central location
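The prevention and forensics columns above meet in the request log of whatever sits in front of Keystone. The detector below is an added example for this transcript, not a Symantec product or a Keystone filter: it reads constructed access-log lines in the common log format a load balancer or proxy would write (documentation-range addresses, made-up timestamps), counts failed token requests per source IP in a sliding window, and emits the IPs to push to a blacklist; a second function gives the per-IP forensic summary, and token_fingerprint shows what to store instead of the token itself. The threshold and window are assumptions to tune per deployment; the same logic would run unchanged over lines from a Keystone WSGI filter.

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed load-balancer access log for a Keystone pool (common log format).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2014:10:00:01 +0000] "POST /v2.0/tokens HTTP/1.1" 401 114
10.0.0.5 - - [12/May/2014:10:00:03 +0000] "POST /v2.0/tokens HTTP/1.1" 401 114
203.0.113.9 - - [12/May/2014:10:00:05 +0000] "POST /v2.0/tokens HTTP/1.1" 401 114
10.0.0.5 - - [12/May/2014:10:00:06 +0000] "POST /v2.0/tokens HTTP/1.1" 401 114
198.51.100.7 - - [12/May/2014:10:00:07 +0000] "POST /v2.0/tokens HTTP/1.1" 200 2301
10.0.0.5 - - [12/May/2014:10:00:09 +0000] "POST /v2.0/tokens HTTP/1.1" 401 114
198.51.100.7 - - [12/May/2014:10:00:10 +0000] "GET /v2.0/tenants HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2014:10:00:12 +0000] "POST /v2.0/tokens HTTP/1.1" 401 114
10.0.0.5 - - [12/May/2014:10:00:14 +0000] "POST /v2.0/tokens HTTP/1.1" 401 114
203.0.113.9 - - [12/May/2014:10:02:30 +0000] "POST /v2.0/tokens HTTP/1.1" 401 114
203.0.113.9 - - [12/May/2014:10:05:00 +0000] "POST /v2.0/tokens HTTP/1.1" 401 114
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
AUTH_PATHS = ("/v2.0/tokens", "/v3/auth/tokens")   # token issuance endpoints


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_auth_attempt(rec):
    return rec["method"] == "POST" and rec["path"].startswith(AUTH_PATHS)


def token_fingerprint(token):
    """Log a hash of the token, never the token: it is a bearer credential."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


class BruteForceDetector:
    """Sliding-window count of failed token requests per source IP."""

    def __init__(self, threshold=5, window_seconds=60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.failures = defaultdict(deque)   # ip -> timestamps of recent 401s
        self.blocked = {}                    # ip -> time the block was raised

    def observe(self, rec):
        """Feed one parsed record; return the IP if it just crossed the threshold."""
        ip = rec["ip"]
        if ip in self.blocked or not is_auth_attempt(rec) or rec["status"] != 401:
            return None
        q = self.failures[ip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > self.window:
            q.popleft()                      # forget failures older than the window
        if len(q) >= self.threshold:
            self.blocked[ip] = rec["ts"]
            return ip
        return None


def run(log_text, threshold=5, window_seconds=60):
    """Return [(ip, blocked_at_iso), ...] in the order blocks were raised."""
    detector = BruteForceDetector(threshold, window_seconds)
    blocks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and detector.observe(rec):
            blocks.append((rec["ip"], rec["ts"].isoformat()))
    return blocks


def summarize(log_text):
    """Forensic view: per source IP, how many token requests failed and succeeded."""
    stats = defaultdict(lambda: {"failed": 0, "ok": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_auth_attempt(rec):
            stats[rec["ip"]]["failed" if rec["status"] == 401 else "ok"] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, when in run(SAMPLE_LOG):
        print(f"block {ip} (raised {when})")
    print(summarize(SAMPLE_LOG))
```

Note the window eviction: 203.0.113.9 fails three times over five minutes and is never blocked at a 60-second window, which is the intended behaviour for a slow, legitimate typo pattern; widen the window or add per-username counting to catch low-and-slow guessing, at the cost of more false positives.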
Two Factor Auth
Are passwords enough?
What additional kinds of auth should I support?
How should I implement it?
Am I effectively validating my users?
[Diagram labels: Identity Provider, Authenticator, RADIUS Server, Backend Driver]
[Diagram: Keystone with pluggable backend drivers: LDAP Driver → LDAP Server; SQL Driver → MySQL DB; RADIUS Driver → RSA SecurID / Symantec VIP Gateway / … (backed by an LDAP Server and the VIP Service)]
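What the “Authenticator” box has to do, whichever backend sits behind it, is shown below with a time-based one-time password (TOTP, RFC 6238) standing in for the RADIUS/SecurID/VIP credential. This is an added example for this transcript, not Keystone’s auth plugin interface, Symantec VIP, or any code from the deck: a password factor (PBKDF2) plus an OTP factor, with the two checks a second-factor verifier must get right, tolerance for one step of clock drift and refusal to accept a code for a time step that was already used. The enrolled user and clock values are constructed; the HOTP/TOTP arithmetic is the RFC’s, and the RFC 6238 reference vectors are used to check it.

```python
import hashlib
import hmac
import os
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time // step), digits)


class OtpVerifier:
    """Second-factor check with one step of clock drift and replay protection."""

    def __init__(self, secret, step=30, digits=6, drift=1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.last_counter = -1            # highest time step already accepted

    def verify(self, code, unix_time):
        code = str(code)
        now = int(unix_time // self.step)
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self.last_counter:
                continue                  # that step was consumed: a replayed code
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


class TwoFactorAuth:
    """Password plus OTP, in the place the 'Authenticator' box occupies in the diagram."""

    ITERATIONS = 100_000

    def __init__(self):
        self.users = {}                   # name -> (salt, pbkdf2 digest, OtpVerifier)

    def enroll(self, name, password, otp_secret):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self.users[name] = (salt, digest, OtpVerifier(otp_secret))

    def authenticate(self, name, password, code, unix_time=None):
        unix_time = time.time() if unix_time is None else unix_time
        entry = self.users.get(name)
        if entry is None:
            return False
        salt, digest, verifier = entry
        # Both factors are always evaluated: no early exit on a bad password, and a
        # correct code is consumed even then, so an observed code cannot be replayed later.
        pw_ok = hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS), digest)
        otp_ok = verifier.verify(code, unix_time)
        return pw_ok and otp_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test secret, not a real enrollment
    auth = TwoFactorAuth()
    auth.enroll("alice", "correct horse", secret)
    now = 1400000000
    code = totp(secret, now)
    print("first use :", auth.authenticate("alice", "correct horse", code, now))
    print("replay    :", auth.authenticate("alice", "correct horse", code, now + 5))
```

A RADIUS or VIP gateway replaces OtpVerifier with a network call, but the surrounding rules stay: constant-time comparison, a bounded drift window, and never accepting the same time step twice.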
Autonomous Authentication
How do my services and scripts authenticate themselves?
How do I delegate?
How do I control access scope?
What is the technical and management cost of a solution?
[Diagram: Keystone and Nova; a service authenticates with credentials (?) or a service token; delegation]
Considerations:
• Secure cached credentials
• Limit scope
• Expiration
• Management
Potential Solutions:
• Cached passwords
• EC2 key
• Trusts
• Keys
• Certificates
• ?
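Of the potential solutions listed, trusts are the one that addresses scope and expiration inside Keystone itself. The code below is an added example for this transcript, not Keystone’s client or any Symantec code: it builds the Keystone v3 OS-TRUST request in which a trustor delegates a subset of roles on one project to a trustee for a bounded time, the token request the trustee then makes with its own credentials but scoped to the trust, and a review function that applies the slide’s considerations before the trust is created. User, project and trust ids are made up; the 30-day maximum lifetime and the fixed demo clock are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"          # timestamp format Keystone v3 uses
NOW = datetime(2014, 5, 12, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def trust_create_body(trustor_user_id, trustee_user_id, project_id, roles,
                      expires_at, impersonation=False, remaining_uses=None):
    """Body for POST /v3/OS-TRUST/trusts, sent by the trustor (whose rights are delegated)."""
    trust = {"trustor_user_id": trustor_user_id,
             "trustee_user_id": trustee_user_id,
             "project_id": project_id,
             "roles": [{"name": r} for r in roles],
             "impersonation": impersonation,
             "expires_at": expires_at.strftime(TS_FMT)}
    if remaining_uses is not None:
        trust["remaining_uses"] = remaining_uses   # cap how many tokens the trust can mint
    return {"trust": trust}


def trust_scoped_token_body(trustee_user_id, trustee_password, trust_id):
    """Body for POST /v3/auth/tokens, sent by the trustee (the service or script).

    The trustee authenticates with its own credentials and asks for a token scoped to
    the trust, so the token carries only the delegated roles on the delegated project;
    the trustor's password is never cached anywhere."""
    return {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": {"id": trustee_user_id,
                                                        "password": trustee_password}}},
                     "scope": {"OS-TRUST:trust": {"id": trust_id}}}}


def review_trust(body, trustor_roles, now, max_lifetime=timedelta(days=30)):
    """Apply the considerations (limit scope, expiration, management) to a trust
    before creating it. Returns the list of problems; empty means acceptable."""
    trust = body["trust"]
    problems = []
    expires = trust.get("expires_at")
    if not expires:
        problems.append("no expires_at: the delegation never expires")
    else:
        exp = datetime.strptime(expires, TS_FMT).replace(tzinfo=timezone.utc)
        if exp <= now:
            problems.append("expires_at is already in the past")
        elif exp - now > max_lifetime:
            problems.append(f"lifetime exceeds {max_lifetime.days} days")
    requested = {r["name"] for r in trust.get("roles", [])}
    if not requested:
        problems.append("no roles: the trust delegates nothing usable")
    for role in sorted(requested - set(trustor_roles)):
        problems.append(f"role {role} is not held by the trustor")   # Keystone refuses this too
    if trust.get("impersonation"):
        problems.append("impersonation=true: trustee tokens will look like the trustor")
    if not trust.get("project_id"):
        problems.append("no project_id: unscoped delegation")
    return problems


def demo():
    """One acceptable trust and one that violates every consideration."""
    good = trust_create_body("trustor-1", "svc-backup", "proj-1", ["_member_"],
                             NOW + timedelta(days=7), remaining_uses=10)
    bad = trust_create_body("trustor-1", "svc-backup", "proj-1", ["admin", "auditor"],
                            NOW + timedelta(days=365), impersonation=True)
    return {"good_body": good,
            "good": review_trust(good, ["_member_", "admin"], NOW),
            "bad": review_trust(bad, ["admin"], NOW)}


if __name__ == "__main__":
    result = demo()
    print("good trust problems:", result["good"])
    print("bad trust problems :", result["bad"])
    print(trust_scoped_token_body("svc-backup", "backup-pw", "trust-1"))
```

The management cost the slide asks about does not disappear: someone still owns the trustee’s password and the trust’s renewal, but what is at risk if the trustee is compromised shrinks from the trustor’s whole account to the delegated roles on one project until expires_at.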
Keystone and Standard Protocols
• Interest in industry standard Identity protocols for OpenStack
– Symantec has been through a migration like this before
– Community has already submitted blueprints
• Benefits
– Single sign on
– Improved integration
– Control over credentials
– Unified authentication experience
• Symantec will look to participate in this effort
Parting thoughts
Protect your credentials everywhere
Securing your use of Keystone is an ongoing process
Share
Thank you!
Copyright © 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Keith [email protected]