Public Cloud Security DIY @ IGT 2013
-
Upload
fortycloud -
Category
Technology
-
view
480 -
download
0
description
Transcript of Public Cloud Security DIY @ IGT 2013
Public Cloud Security DIY
Amir Naftali, CTO FortyCloud
IaaS
IGT Meetup July 2013
1. What is a public cloud?2. Network architectures3. Two public cloud examples 4. Shared responsibility model5. Security risks and threats6. Network isolation techniques7. VPCs8. Secure access techniques9. VPN access DIY example10. Summary and Q&A
Agenda
IGT Meetup July 2013
IaaS
Wikipedia - A cloud is called a 'Public cloud'
when the services are rendered over a
network that is open for public use.
So What’s a Public Cloud
IGT Meetup July 2013
IaaS
• Datacenter (Infrastructure) as-a service
• Virtualized
• Shared
• Mostly Compute, but also storage services
• Access to resources is done over the Internet
• Service enrollment is instantaneous
using web-based console
• Other services like DB, LB as a service,
Object Store…
So What’s a Public Cloud (2)
$IGT Meetup July 2013
IaaS
In a Public Cloud • No infrastructure ownership• Pay Per Use (CPU hourly , storage size, network
usage, etc.)• Allocate resources at any given moment as much as
you need (e.g. adjust your resource allocation to current demand)
In a Private Cloud • Infrastructure is dedicated to you (including network
gear and software licenses)• Scale is limited to the physical amount of resources you
lease or buy.
These are different financial and operational models
Public Vs. Private Clouds
Regions and Datacenters
IGT Meetup July 2013
• Datacenters are called regions
• Regions are independent
• Amazon , Rackspace, Google, Azure, HP all have
regions around the world
Network Architecture
IGT Meetup July 2013
Usually, a Region has a shared internal service network and and a shared public internet access
Network Architecture Example - AWS
IGT Meetup July 2013
Network Architecture Example - Rackspace
IGT Meetup July 2013
Network Architecture
IGT Meetup July 2013
Basically, all VMs are reachable via the service network and the public Internet
IaaS
IGT Meetup July 2013
“…In turn, you assume responsibility and management of the guest operating system(including updates and securitypatches), other associated application software, as well as…”
“…It is possible foryou to enhance security and/or meet more stringent compliance
requirements by leveraging technology such as host‐based firewalls, host‐based intrusion detection/prevention, and
encryption...”
Sources:http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdfhttp://www.rackspace.com/security/
……..“security is a partnership”……
…“USERS MUST TAKE FULL RESPONSIBILITY FOR APPLICATION OF ANY SERVICES AND/OR PROCESSES MENTIONED HEREIN…”
Shared Responsibility Model
A Shared Responsibility Model in IaaS
IGT Meetup July 2013
Application
Hosted operating system
Virtualization layer
Physical infrastructure
Customer Responsibility
Cloud Provider Responsibility
Security Risks and Threats
IGT Meetup July 2013
If I can access my VMs remotely anyone else can access them too
• What TCP/IP ports are open on your cloud VMs?• What protocols/applications are you using to access
your VMs?• Are you using a secure protocol/application? Are you
using it in in a secure manner?
What can the bad guys do?• DoS• Steal or compromise your data• Use your VMs to launch attacks on 3rd parties
It’s a Jungle Out There
IGT Meetup July 2013
Simple measurementsperformed in a few public datacenters show the following results (per virtual server):
HTTP based attack vectors 40-200 per daySSH auth attempts 200-400 per dayNon HTTP/SSH based attacks 1000-4000 per day
It’s a Jungle Out There – Attack Example
IGT Meetup July 2013
Simple measurementsperformed in a few public datacenters show the following results (per virtual server):
A Typical Start-up Scenario
IGT Meetup July 2013
IGT Meetup July 2013
So what can be done to mitigate the threats?
Network Isolation Techniques
IGT Meetup July 2013
• IP Based filtering
• Server based Firewall
• Security Groups
• Private network (virtually)
• AWS VPC
• SDN solutions
EC2 Security Groups – The Basics
IGT Meetup July 2013
• Protocol and port based filtering
• Incoming traffic only
• Supports only TCP, UDP and ICMP
• White list - Everything is filtered unless declared open
• A single EC2 Security Group contains a list of rules
• Security Group serves also as a role that can be used as
source address in rules
• An instance can be associated with Multiple Security Groups
• Supports a REST based API
EC2 Security Groups – The Basics
IGT Meetup July 2013
Example:
EC2 Security Groups
IGT Meetup July 2013
• Provide IP Based filtering – your first line of defense• Simple and easy to use (Role based, management console, API)• Can add/delete rules anytime• The only means to secure internal communication with
EC2 services like RDS, LB …. • Platform independent (e.g. Windows, Linux)
• For management access, servers are still exposed to public Internet
• Control incoming traffic only (output policy is ‘allow all’ based on stateful inspection)
• Doesn’t protect against IP spoofing. • Is hard or sometimes impossible to associate with identity (probably
not the right tool for Access Control). • Security Groups are only associated with private addresses (when
used as source address) • Can’t add/delete groups after lunching an instance• No logs
What is a VPC?
A VPC solution should provide us with an ‘enterprise-like’ environment where:
1. Cloud resources are isolated from public access (access is via a DMZ)
2. Secure access for remote users (e.g. employees, contractors, etc.)
3. Access control mechanism
IGT Meetup July 2013
AWS and Rackspace Examples
IGT Meetup July 2013
User-defined private subnets Additional network configuration
Cloud Providers’ VPC Implementation Discussed
IGT Meetup July 2013
• AWS provides the EC2 VPC solution a public cloud but with a VLAN like network isolation.
• Rackspace has an SDN solution (based on OpenStack Quantum)
Using an isolated network may have some challenges • Can’t just simply move an existing resource to VPC, must
recreate them.• Network architecture is different, configuration is not
straightforward (might impact design)• Integration with provider’s services should be revisited• Does not extend across regions (and vendors) • Access control and identity management solutions may still
need to be integrated by customer
Secure Access Techniques
IGT Meetup July 2013
• Access servers directly using a secure protocol and local/central
user store
• Servers are still exposed to the public internet
• Centralized access control – access your cloud via a VPN Gateway
• Servers are not exposed to public internet
VPN Access DIY
Using Open Source
The Before picture
IGT Meetup July 2013
The After picture
IGT Meetup July 2013
VPN access - the DIY toolkit
• Cloud Access • Linux with packet forwarding capability• VPN gateway is based on OpenSwan
(can also use StrongSwan, OpenVPN, Racoon)• xl2tpd (L2TP server) for user authentication and dynamic IP
allocation (along with IPSec)• NAT based on IP Tables all traffic flowing from users
to servers• Intra Cloud protection – IP Based FW
• EC2 Security Groups
VPN Access DIY - EC2 example (Before)
This is how my servers’ SG look like before the change
IGT Meetup July 2013
VPN Access DIY - EC2 example (After)
Only my GW is open to the public Internet
My Servers are open only to the GW
IGT Meetup July 2013
VPN Access DIY - EC2 example (After)
Live Demo
What have we accomplished ?
• All IP Traffic from user to the public cloud is encrypted AND
secured (not protocol specific)
• Simple user based access and VPN
• No direct access to servers from the public internet
• Audit user access via Gateway’s logs
Improving security w/o
affecting agility
Many companies have other challenges as well
IGT Meetup July 2013
• Deployment-wise• Using several regions at the same time• Using several clouds at the same time • Must enable secure access to 3rd parties• High Availability
• Security-wise• Filtering is not good enough, complete isolation
required• Must encrypt all traffic even within the region• Stronger authentication (OTP based 2 factor auth.)
required
• Compliance (e.g. PCI, HIPAA, etc.)
• You can find detailed DIY examples on our blog and site
www.fortycloud.com
www.fortycloud.com/blog/
• Feel free to send us any cloud related security question to
[email protected] and we will do our best to answer.
• Join a free trial of our cloud security solution at
www.fortycloud.com/free-sign-up/