Use Case : Cloud Security Design and Implementation

1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Use Case : Cloud Security Design and Implementation Orgad Kimchi ISV Engineering Oracle Solaris 11

Description

A developer cloud should offer several measures of security to ensure that each user's data, applications, and network remain private. Given that virtualization technologies revolve around resource sharing, it is even more important to provide security at different levels in a developer cloud. In parallel, the integrity of the machines implementing the developer cloud should be ensured at all times in order to detect, prevent, and avoid any attacks from intruders. For more information see: http://www.oracle.com/technetwork/systems/hands-on-labs/hol-oracle-solaris-remote-lab-1894053.html

Transcript of Use Case : Cloud Security Design and Implementation

Page 1: Use Case : Cloud Security Design and Implementation


Use Case : Cloud Security

Design and Implementation

Orgad Kimchi

ISV Engineering

Oracle Solaris 11

Page 2: Use Case : Cloud Security Design and Implementation



The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Page 3: Use Case : Cloud Security Design and Implementation


Security Challenges

• Securing data at rest, in transit, and in use

• Minimizing the operating system attack surface

• Preventing denial-of-service attacks against the shared infrastructure

• Segregating network traffic between different cloud users

• Preventing hostile code from taking hold (e.g. rootkit attacks)

• Securely deleting a partner's data once their project is finished

Page 4: Use Case : Cloud Security Design and Implementation


Concerns With Public Cloud computing

Source : http://blogs.gartner.com/neil_macdonald/2010/12/16/security-is-the-top-concern-for-public-cloud-but-what-does-that-really-mean/

Page 5: Use Case : Cloud Security Design and Implementation


Oracle Solaris Remote Lab

• Solaris Network Virtualization

– Segregates network traffic; a secure VLAN per user

• Solaris Zones

– Isolates partner VMs in a secure environment

• Solaris ZFS

– Rapid and secure deployment of images in partner VMs

• Secure Global Desktop

– Separates communications channels

A secure cloud environment built on Solaris technologies, now in the cloud.

Page 6: Use Case : Cloud Security Design and Implementation


Cryptography

Page 7: Use Case : Cloud Security Design and Implementation


Page 8: Use Case : Cloud Security Design and Implementation


Cryptographic Acceleration: Oracle SPARC T4 Processor

• Scalable performance

– On-core, unprivileged cryptographic instructions: user-space code such as OpenSSL calls them directly, with no kernel crossing and no separate coprocessor

– OpenSSL 5x faster than IBM POWER7

– ZFS encryption 3x faster than Intel

• Most industry-standard algorithms

– Public key: RSA, DSA, ECC, DH

– Symmetric key: AES, 3DES, DES, Kasumi, Camellia

– Message digests and checksums: CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512

– Random number generation (FIPS 140-2 compliant)

Hardware support for DES, MD5 and SHA-1 is there for compatibility with legacy protocols; new designs should still be built on AES and SHA-2.

Page 9: Use Case : Cloud Security Design and Implementation


SPARC T4 Cryptographic Acceleration Significant Performance Gains for SSL

• Two-way SSL

• RSA-2048

• AES-256

Page 10: Use Case : Cloud Security Design and Implementation


ZFS: Next Generation File System – Scalability

• Immense capacity (128-bit)

– ZFS capacity: 256 quadrillion ZB (1 ZB = 1 billion TB)

– Exceeds the quantum limit of Earth-based storage

• Dynamic metadata

– No limits on files, directory entries, snapshots, etc.

– No tuning parameters to enable expansion

– Parallel, constant-time directory operations

• Pooled design – continuous future growth

Page 11: Use Case : Cloud Security Design and Implementation


ZFS Encryption

• Encryption policy is set at the ZFS data set level

• Supports delegation of key management operations

• Leverages a dual key model: the data is encrypted with a per-dataset data-encryption key, which is itself encrypted (wrapped) by the wrapping key the administrator supplies, so the wrapping key can be changed without re-encrypting the data

• Variety of options for format/location of the wrapping key

• Wrapping key inherited by child data sets

Page 12: Use Case : Cloud Security Design and Implementation


ZFS Encryption Example

# zfs create -o encryption=on -o dedup=on -o compression=on rpool/scratch
Enter passphrase for 'rpool/scratch':
Enter again:
# zfs get encryption,keysource,dedup,compression rpool/scratch
NAME           PROPERTY     VALUE              SOURCE
rpool/scratch  encryption   on                 local
rpool/scratch  keysource    passphrase,prompt  local
rpool/scratch  dedup        on                 local
rpool/scratch  compression  on                 local
# zfs key -u rpool/scratch
# zfs mount rpool/scratch
Enter passphrase for 'rpool/scratch':

Page 13: Use Case : Cloud Security Design and Implementation


Assured Deletion with ZFS Encryption

# zfs create -o encryption=on rpool/scratch
Enter passphrase for 'rpool/scratch':
Enter again:
# zfs key -c -o keysource=raw,file:///dev/random rpool/scratch
# zfs get keysource rpool/scratch
NAME           PROPERTY   VALUE                      SOURCE
rpool/scratch  keysource  raw,file:///dev/random     local
# zfs key -u rpool/scratch
# zfs destroy rpool/scratch

The key change (zfs key -c) rewraps the data-encryption key with random bytes that nobody ever sees or stores; once that key is unloaded, neither the original passphrase nor anything on disk can recover the data, so the destroy does not need to overwrite the blocks. Clones that share the dataset's key must be destroyed as well for the deletion to be complete.
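The dual-key model and the assured-deletion sequence above, as an added worked example that is not part of the original deck and is not ZFS code: a small Python model in which a per-dataset data-encryption key (DEK) encrypts the blocks and only the wrapped DEK is rewritten when the wrapping key changes. ZFS itself uses AES (CCM/GCM modes); the toy cipher here (an HMAC-SHA256 keystream with an HMAC tag, so a wrong key is detected instead of yielding garbage), the PBKDF2 parameters, the class and function names and the sample data are all assumptions of this example.

```python
"""Toy model of the ZFS dual-key scheme: a per-dataset data-encryption key (DEK)
encrypts the blocks; a wrapping key (derived from a passphrase, or raw bytes)
encrypts only the DEK.  Illustrative code written for this page, not ZFS's
implementation; the cipher is an HMAC-SHA256 keystream in counter mode plus an
HMAC tag (encrypt-then-MAC), chosen so the example runs with the stdlib only."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def derive_wrapping_key(passphrase: str, salt: bytes) -> bytes:
    """keysource=passphrase,prompt: stretch the passphrase into a 256-bit key.
    PBKDF2 parameters are assumed for the toy, not ZFS's."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class EncryptedDataset:
    """One dataset: a wrapped DEK kept in metadata plus the encrypted blocks."""

    def __init__(self, wrapping_key: bytes):
        dek = os.urandom(KEY_LEN)                 # generated at 'zfs create', never changes
        self.wrapped_dek = seal(wrapping_key, dek)
        self.blocks = []                          # list of sealed blocks
        self._dek = dek                           # key is loaded right after create

    def load_key(self, wrapping_key: bytes) -> None:       # zfs key -l / zfs mount
        self._dek = unseal(wrapping_key, self.wrapped_dek)

    def unload_key(self) -> None:                           # zfs key -u
        self._dek = None

    def write(self, data: bytes) -> None:
        if self._dek is None:
            raise RuntimeError("key not loaded")
        self.blocks.append(seal(self._dek, data))

    def read(self) -> list:
        if self._dek is None:
            raise RuntimeError("key not loaded")
        return [unseal(self._dek, b) for b in self.blocks]

    def change_wrapping_key(self, old_wk: bytes, new_wk: bytes) -> None:  # zfs key -c
        dek = unseal(old_wk, self.wrapped_dek)
        self.wrapped_dek = seal(new_wk, dek)      # only the wrapped DEK is rewritten


def key_unwraps(ds: EncryptedDataset, wrapping_key: bytes) -> bool:
    """True if this wrapping key still opens the dataset's wrapped DEK."""
    try:
        unseal(wrapping_key, ds.wrapped_dek)
        return True
    except ValueError:
        return False


def assured_delete(ds: EncryptedDataset, current_wk: bytes) -> None:
    """zfs key -c -o keysource=raw,file:///dev/random; zfs key -u; zfs destroy.
    The throwaway wrapping key is never stored, so nobody can unwrap the DEK again."""
    throwaway = os.urandom(KEY_LEN)
    ds.change_wrapping_key(current_wk, throwaway)
    del throwaway
    ds.unload_key()
    ds.blocks.clear()                              # destroy frees ciphertext nobody can decrypt


if __name__ == "__main__":
    wk = derive_wrapping_key("correct horse battery staple", b"constructed-salt")  # constructed input
    ds = EncryptedDataset(wk)
    ds.write(b"partner build artefacts")
    ds.unload_key()
    ds.load_key(wk)
    print(ds.read())
    assured_delete(ds, wk)
    print("old passphrase still unwraps the key:", key_unwraps(ds, wk))
```

The point the model makes concrete is the one the slide relies on: after `change_wrapping_key` the block ciphertext is byte-for-byte unchanged, so rewrapping is cheap, and after `assured_delete` even the original passphrase fails the tag check on the wrapped DEK.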

Page 14: Use Case : Cloud Security Design and Implementation


Encrypted Swap and /tmp

$ awk '($4 == "swap") { print; }' /etc/vfstab
/dev/zvol/dsk/rpool/swap  -  -  swap  -  no  encrypted
$ swap -l
swapfile      dev    swaplo  blocks   free
/dev/lofi/1   145,1  8       2097128  2097128
$ lofiadm
Block Device  File                      Options
/dev/lofi/1   /devices/pseudo/zfs@0:2   Encrypted

The "encrypted" mount option in /etc/vfstab makes swap go through an encrypted lofi device with a key generated at boot, so nothing paged out survives a reboot in readable form. Because /tmp is tmpfs and is backed by swap, encrypting swap also protects data written to /tmp.

Page 15: Use Case : Cloud Security Design and Implementation


Networking

Page 16: Use Case : Cloud Security Design and Implementation


Network Secure by Default

• Expose only required services to the network

– Reduce the operating system network foot print

– Most services are disabled; a few are set to “local only”

• Integrated with Service Management Facility

– Common administrative model for all service operations

– Fully customizable based upon unique site requirements

• Foundation for Additional Protections and Configuration

Page 17: Use Case : Cloud Security Design and Implementation


Network Architecture Strategies

Page 18: Use Case : Cloud Security Design and Implementation


Network Virtualization – Network Segregation

• Using network VLANs

• Combine with physical switches

• Layer 2 segregation

• Example: a VNIC on net0 tagged with VLAN 2

# dladm create-vnic -l net0 -v 2 vnic2

Page 19: Use Case : Cloud Security Design and Implementation


IP Filter

• Ability to configure which ports are open between systems

• Simple to configure; delivered as an SMF service

• Can filter on direction as well as ports

Page 20: Use Case : Cloud Security Design and Implementation


Network Resource Management

• Introduces network resource control

– Bandwidth control

– Flow control

• Split up large network pipes

• Guarantee types of network traffic for your applications

• In the following example we cap HTTPS (TCP port 443) traffic on the vnic0 interface at 100 Mbit/s:

# dladm create-vnic -l net0 vnic0
# flowadm add-flow -l vnic0 -a transport=TCP,local_port=443 https-flow
# flowadm set-flowprop -p maxbw=100M https-flow

A per-flow cap like this is also a denial-of-service control: one tenant's traffic type cannot monopolise the shared physical link.

Control the uncontrollable.

Page 21: Use Case : Cloud Security Design and Implementation


Data Link Protection

# dladm show-linkprop -p protection net0
LINK  PROPERTY    PERM  VALUE  DEFAULT  POSSIBLE
net0  protection  rw    --     --       mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
# dladm set-linkprop -p allowed-ips=10.0.2.15 net0
# dladm set-linkprop -p protection=mac-nospoof,ip-nospoof,restricted net0
# ping 10.0.2.2
10.0.2.2 is alive
[set the IP address manually to something other than 10.0.2.15]
# ping 10.0.2.2
no answer from 10.0.2.2

mac-nospoof drops outbound frames whose source MAC is not the link's own; ip-nospoof drops outbound packets whose source address is not in allowed-ips (or was not obtained via DHCP); restricted limits the link to IPv4, IPv6 and ARP. Set allowed-ips before enabling ip-nospoof, otherwise a statically addressed zone loses connectivity.
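The link protection behaviour above, and the VLAN tagging from the network virtualization slide, as an added worked example that is not part of the original deck and is not Solaris code: a Python model that parses constructed Ethernet frames and reports whether a frame would leave the link or be dropped, and why. The allowed IP (10.0.2.15) and VLAN id (2) are the page's; the MAC addresses, the LLDP frame, the function names and the exact header layouts used for the check (standard Ethernet, 802.1Q, IPv4 and ARP offsets) are assumptions of this example.

```python
"""Model of the dladm link 'protection' property (mac-nospoof, ip-nospoof with
allowed-ips, restricted) plus the VLAN id a VNIC was created with.  Written for
this page as an illustration, not Solaris kernel code: it builds constructed
frames and decides forward/drop on the same criteria dladm(1M) documents."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_LLDP = 0x88CC
RESTRICTED_OK = {ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_ARP}  # 'restricted' allows only these


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(src_mac: str, dst_mac: str, ethertype: int, payload: bytes, vlan_id=None) -> bytes:
    hdr = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan_id is not None:                      # 802.1Q tag: TPID + TCI (PCP/DEI = 0, 12-bit VID)
        hdr += struct.pack(">HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return hdr + struct.pack(">H", ethertype) + payload


def ipv4_payload(src_ip: str, dst_ip: str) -> bytes:
    """Minimal 20-byte IPv4 header (protocol ICMP, no options, checksum left 0)."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                       ipaddress.IPv4Address(src_ip).packed,
                       ipaddress.IPv4Address(dst_ip).packed)


def arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    return struct.pack(">HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                       mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)


def check_frame(frame: bytes, link_mac: str, allowed_ips, protection, vlan_id=None):
    """Return ("forward", None) or ("drop", reason) for an outbound frame."""
    src_mac = frame[6:12]
    (ethertype,) = struct.unpack(">H", frame[12:14])
    l3 = 14                                      # offset of the layer-3 header
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack(">HH", frame[14:18])
        l3 = 18
        if vlan_id is not None and (tci & 0x0FFF) != vlan_id:
            return "drop", f"VLAN {tci & 0x0FFF} is not the link's VLAN {vlan_id}"
    if "mac-nospoof" in protection and src_mac != mac_bytes(link_mac):
        return "drop", "source MAC differs from the link's configured MAC"
    if "restricted" in protection and ethertype not in RESTRICTED_OK:
        return "drop", f"ethertype 0x{ethertype:04x} not allowed (only IPv4, IPv6, ARP)"
    if "ip-nospoof" in protection:
        allowed = {ipaddress.IPv4Address(a) for a in allowed_ips}
        if ethertype == ETHERTYPE_IPV4:
            src_ip = ipaddress.IPv4Address(frame[l3 + 12:l3 + 16])
        elif ethertype == ETHERTYPE_ARP:
            src_ip = ipaddress.IPv4Address(frame[l3 + 14:l3 + 18])   # ARP sender protocol address
        else:
            src_ip = None
        if src_ip is not None and src_ip not in allowed:
            return "drop", f"source IP {src_ip} not in allowed-ips"
    return "forward", None


LINK_MAC = "02:08:20:aa:bb:cc"                   # constructed VNIC MAC
GW_MAC = "02:08:20:00:00:01"                     # constructed gateway MAC
PROTECTION = {"mac-nospoof", "ip-nospoof", "restricted"}
ALLOWED_IPS = ["10.0.2.15"]


def run_examples() -> dict:
    """Constructed frames mirroring the slide's ping test plus a few abuses."""
    ping = ipv4_payload("10.0.2.15", "10.0.2.2")
    cases = {
        "ping from allowed ip": build_frame(LINK_MAC, GW_MAC, ETHERTYPE_IPV4, ping),
        "ping after ip changed": build_frame(LINK_MAC, GW_MAC, ETHERTYPE_IPV4, ipv4_payload("10.0.2.99", "10.0.2.2")),
        "forged source mac": build_frame("02:08:20:de:ad:00", GW_MAC, ETHERTYPE_IPV4, ping),
        "arp with spoofed ip": build_frame(LINK_MAC, "ff:ff:ff:ff:ff:ff", ETHERTYPE_ARP, arp_request(LINK_MAC, "10.0.2.1", "10.0.2.2")),
        "lldp under restricted": build_frame(LINK_MAC, "01:80:c2:00:00:0e", ETHERTYPE_LLDP, b"\x00" * 4),
        "wrong vlan tag": build_frame(LINK_MAC, GW_MAC, ETHERTYPE_IPV4, ping, vlan_id=3),
        "right vlan tag": build_frame(LINK_MAC, GW_MAC, ETHERTYPE_IPV4, ping, vlan_id=2),
    }
    return {name: check_frame(f, LINK_MAC, ALLOWED_IPS, PROTECTION, vlan_id=2) for name, f in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name:24s} {verdict[0]:8s} {verdict[1] or ''}")
```

The ARP case is the one worth noticing: ip-nospoof checks the sender address inside ARP as well as the IPv4 source field, which is what stops a zone from poisoning its neighbours' ARP caches with a gateway address it does not own.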

Page 22: Use Case : Cloud Security Design and Implementation


Designed-in Virtualization

Oracle Solaris Zones

Page 23: Use Case : Cloud Security Design and Implementation


Integrated Virtualization

[Diagram: Zones at the centre, integrated with Security, Automated Install, Packaging (IPS), Networking and ZFS]

Page 24: Use Case : Cloud Security Design and Implementation


Oracle Solaris Zones

• Built-in solution for application deployment

• Compatibility environments

– Solaris 10 zones only

• Zones now more complete

– Delegated administration

– Observability

– NFS shares

– Network virtualization

Page 25: Use Case : Cloud Security Design and Implementation


Solaris Zones Security Benefits

• Restricted in-zone operations

– Individual operating system hardening, RBAC, auditing, etc.

– Prohibited from directly accessing the kernel (modules) or raw memory

• External enforcement of zone configuration

– Configurable privileges, immutability, devices, file systems, resource controls, virtual network security controls, etc.

• Observability with integrity

– Protected audit trails, file integrity verification; the global zone has complete introspection capabilities

Page 26: Use Case : Cloud Security Design and Implementation


Immutable Zones Example (1/2)

# zonecfg -z myzone 'set file-mac-profile=fixed-configuration'
# zoneadm -z myzone boot
# zlogin myzone
[Connected to zone 'myzone' pts/3]
myzone# rm /etc/passwd
rm: /etc/passwd: override protection 644 (yes/no)? y
rm: /etc/passwd not removed: Read-only file system
myzone# pkg install emacs
pkg install: Could not complete the operation on /var/pkg/lock: read-only filesystem.
myzone# rm /usr/bin/vi
rm: /usr/bin/vi not removed: Read-only file system

Page 27: Use Case : Cloud Security Design and Implementation


Immutable Zones Example (2/2)

myzone# touch /var/tmp/foo

myzone# touch /tmp/bar

myzone# svcadm disable ssh

root@solaris:~# svcs ssh

STATE STIME FMRI

disabled 6:52:53 svc:/network/ssh:default

Page 28: Use Case : Cloud Security Design and Implementation


Data Architecture Strategies

Page 29: Use Case : Cloud Security Design and Implementation


ZFS Zone Root Encryption

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=zoneroot
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=zoneroot rpool/zones
Enter PKCS#11 token PIN for 'rpool/zones':
# zonecfg -z myzone 'create; set zonepath=/rpool/zones/myzone'
# zoneadm -z myzone install
[... once install completes, the system is rebooted]
# zfs key -l rpool/zones
Enter PKCS#11 token PIN for 'rpool/zones':
# zfs mount -a
# zoneadm -z myzone boot

Page 30: Use Case : Cloud Security Design and Implementation


Auditing

Page 31: Use Case : Cloud Security Design and Implementation


Solaris Auditing

• Kernel-based, fine-grained introspection

• Captures commands, system calls and administrative actions

• Flexible audit policy for global and non-global zones

• Several audit trail formats: binary, text, XML, etc.

• New in Solaris 11

– Auditing on by default; the default preselection records only the login/logout class, so the overhead is negligible

– Supports secure remote storage of audit trails

– Greater visibility into system events with less "noise"

Page 32: Use Case : Cloud Security Design and Implementation


Per-User Auditing Policy

# userattr audit_flags gbrunett
#
# usermod -K audit_flags=lo,ad,ex:no gbrunett
# userattr audit_flags gbrunett
lo,ad,ex:no
# su - gbrunett
$ exit
# auditreduce -r baz -c lo /var/audit/*not_term* | praudit -s
header,97,2,AUE_su,,testhost,2012-11-13 06:33:21.514 -08:00
subject,testuser,baz,staff,baz,staff,5243,2804137368,0 0 testhost
return,success,0

audit_flags takes the form always-audit-classes:never-audit-classes; "no" is the empty class, so lo,ad,ex:no adds login/logout, administrative and exec events for this user without suppressing anything. The first userattr prints nothing because no per-user flags are set yet. auditreduce -r selects records by real user and -c by audit class; praudit -s renders them one token per line.
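The per-user audit policy and the auditreduce/praudit step above, as an added worked example that is not part of the original deck and is not Solaris code: Python helpers that parse an audit_flags value, work out which classes are audited for a user once the system-wide policy is applied, and pull the fields out of praudit -s text records so a successful su by one user can be picked out the way `auditreduce -r baz -c lo | praudit -s` does on the slide. The first sample record is the one from the slide; the other two records, the event-to-class excerpt and the system default flags are assumptions of this example (only header, subject and return tokens are modelled).

```python
"""Helpers for per-user audit policy and praudit -s output.  Illustrative code
written for this page, not Solaris's own; field positions follow praudit(1M)
text output: header,len,ver,event,modifier,host,time / subject,audit-id,uid,
gid,ruid,rgid,pid,sid,tid / return,status,retval."""

SYSTEM_DEFAULT_FLAGS = "lo"          # assumed system-wide preselection: login/logout class only

# Excerpt of /etc/security/audit_event event-to-class mappings, assumed for the example.
EVENT_CLASS = {"AUE_su": "lo", "AUE_login": "lo", "AUE_logout": "lo", "AUE_EXECVE": "ex"}


def parse_audit_flags(flags: str):
    """'lo,ad,ex:no' -> ({'lo','ad','ex'}, set()); 'no' is the empty class."""
    always, _, never = flags.partition(":")

    def classes(s: str) -> set:
        return {c.strip() for c in s.split(",") if c.strip() and c.strip() != "no"}

    return classes(always), classes(never)


def effective_classes(user_flags: str, system_flags: str = SYSTEM_DEFAULT_FLAGS) -> set:
    """Per-user flags modify the system policy: the always list adds classes,
    the never list removes them even when the system-wide policy audits them."""
    sys_always, sys_never = parse_audit_flags(system_flags)
    usr_always, usr_never = parse_audit_flags(user_flags)
    return (sys_always | usr_always) - sys_never - usr_never


def parse_praudit(text: str) -> list:
    """Split praudit -s output into records, one dict per header token."""
    records, cur = [], None
    for line in text.strip().splitlines():
        f = line.split(",")
        if f[0] == "header":
            cur = {"event": f[3], "host": f[5], "time": f[6]}
            records.append(cur)
        elif f[0] == "subject" and cur is not None:
            cur.update(audit_id=f[1], uid=f[2], gid=f[3], ruid=f[4], pid=int(f[6]))
        elif f[0] == "return" and cur is not None:
            cur["result"] = f[1]
    return records


def select(records: list, user=None, audit_class=None, success_only=False) -> list:
    """auditreduce-style filter: -r user (real or audit id), -c class, successful only."""
    out = []
    for r in records:
        if user and user not in (r.get("audit_id"), r.get("uid"), r.get("ruid")):
            continue
        if audit_class and EVENT_CLASS.get(r["event"]) != audit_class:
            continue
        if success_only and r.get("result") != "success":
            continue
        out.append(r)
    return out


# First record is the slide's; the remaining two are constructed.
SAMPLE = """\
header,97,2,AUE_su,,testhost,2012-11-13 06:33:21.514 -08:00
subject,testuser,baz,staff,baz,staff,5243,2804137368,0 0 testhost
return,success,0
header,97,2,AUE_su,,testhost,2012-11-13 06:35:02.001 -08:00
subject,testuser,testuser,staff,testuser,staff,5290,2804137368,0 0 testhost
return,failure: Permission denied,-1
header,120,2,AUE_EXECVE,,testhost,2012-11-13 06:36:10.330 -08:00
subject,testuser,baz,staff,baz,staff,5301,2804137368,0 0 testhost
return,success,0
"""

if __name__ == "__main__":
    print("audited for gbrunett:", sorted(effective_classes("lo,ad,ex:no")))
    for r in select(parse_praudit(SAMPLE), user="baz", audit_class="lo", success_only=True):
        print(f"{r['time']}  {r['event']}  audit-id={r['audit_id']} uid={r['uid']} pid={r['pid']}")
```

Keeping the audit-ID separate from the uid is what makes the su record useful: the audit-ID (testuser) stays fixed for the login session while the uid changes to baz, so the trail still attributes the privileged action to the person who logged in.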

Page 33: Use Case : Cloud Security Design and Implementation


Putting it all together

with Solaris 11 Security!

Page 34: Use Case : Cloud Security Design and Implementation


Oracle Solaris Remote Lab – Schematic

Page 35: Use Case : Cloud Security Design and Implementation


OSRL - Data

Create

• Resource sharing: a single zpool holding multiple ZFS file systems

• Performance: data stored on a ZFS Storage Appliance (ZFS SA) with hybrid storage (disk + SSD + RAM); ZFS cloning

• Security: encrypted ZFS with a partner-specific key; each partner has their own ZFS file system

Use

• Data isolated in a VLAN

• Separate NFS server per partner

• SGD - CDM

• All intra-VM data transfers self-contained in the blade chassis

• ZFS clones: share everything but the changes

Delete

• ZFS secure delete: ZFS encrypt + delete is an almost instantaneous operation

Page 36: Use Case : Cloud Security Design and Implementation


OSRL - Virtual Machines (Zones)

Create

• Resource sharing: zone cloning; each zone needs less than 18 MB of RAM and less than 100 MB of disk

• Performance: ZFS + zone cloning gives a new zone in minutes

• Security: ZFS encryption for the zone file system; exclusive IP stack + VNIC

Use

• All zones isolated in a non-routable VLAN

• Secure Global Desktop access

• Resource allocation: network bandwidth, memory, CPU

• A zone shares all OS resources: single kernel, single storage

Delete

• ZFS secure delete: ZFS encrypt + delete is an almost instantaneous operation

Page 37: Use Case : Cloud Security Design and Implementation


When 1 + 1 > 2

• Zones + ZFS

– Fast zone provisioning

– Very low overhead

– Encrypted file system as well as shared resources

• Zones + network virtualization

– Allows sharing a single physical network

– VLAN tagging allows one VLAN per partner

– Exclusive IP stack on a shared physical network

Page 38: Use Case : Cloud Security Design and Implementation


When 1 + 1 > 2

• Zones + ZFS + NFS

– Each NFS server is a zone

– Single data store, single physical server

– Multiple NFS file systems shared with ZFS (ZFS supports NFS sharing natively)

– Encryption + cloning reduces overhead

• Zones + IPS

– The global zone runs an IPS proxy

– A single IPS repository accessible from the non-routable VLAN

Page 39: Use Case : Cloud Security Design and Implementation


Additional Resources

• Solaris 11 Security Hardening Guidelines http://docs.oracle.com/cd/E26502_01/html/E29014/index.html

• Solaris 11 Secure Coding Guidelines for Developers http://docs.oracle.com/cd/E26502_01/html/E29016/scode-1.html

• Glenn Faden’s Solaris 11.1 Hands On Security Lab https://blogs.oracle.com/gfaden/entry/solaris_11_1_is_available

• Darren Moffat’s Solaris Security Blog https://blogs.oracle.com/darren/tags/solaris+security

Page 40: Use Case : Cloud Security Design and Implementation


For More Information / Try Out Today

• Product overview and download

– oracle.com/solaris

• Oracle Technology Network

– oracle.com/technetwork/server-storage/solaris11

• System Administrators Community

– oracle.com/technetwork/systems

• @ORCL_Solaris

• facebook.com/oraclesolaris

• Oracle Solaris Insider


Page 41: Use Case : Cloud Security Design and Implementation


Questions

Page 42: Use Case : Cloud Security Design and Implementation


Acknowledgements

Special thanks to Darren Moffat, Glenn Faden, Angelo Rajadurai and many others for sharing their ideas and examples with the world.

Page 43: Use Case : Cloud Security Design and Implementation
