Presentation on theme: "Security, Open Stack, Quantum, Software Defined Clouds"— Presentation transcript:
1Security, Open Stack, Quantum, Software Defined Clouds Roy Campbell Lecture 9
2Cloud ServicesWhat cloud services can you think of?
3Security as a Service Origins: Email Spam Today Naming: SaaS FilteringWeb Content FilteringVulnerability ManagementIdentity Management as a serviceEtc.Naming: SaaSNOT to be confused with Software as a Service!SecaaS: Security as a Service (Cloud Security Alliance)https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf
4SaaS Categorization by CSA CSA: Cloud Security AllianceIdentity and Access ManagementData Loss PreventionWeb SecuritySecuritySecurity AssessmentsIntrusion ManagementSecurity Information and Event Management (SIEM)EncryptionBusiness Continuity and Disaster RecoveryNetwork Security
6Data Loss PreventionMonitoring, protecting, and verifying the security of databy running as a client on desktops / servers and running rules“No FTP” or “No uploads” to web sites“No documents with numbers that look like credit cards can be ed”“Anything saved to USB storage is automatically encrypted and can only be unencrypted on another office owned machine with a correctly installed DLP client”“Only clients with functioning DLP software can open files from the fileserver”Related to IAMThreats AddressedData loss/leakage, Unauthorized access, Malicious compromises of data integrity, Data sovereignty issues, Regulatory sanctions and fines
7Web Security Real-time protection On-premise through software/appliance installationProxying or redirecting web traffic to the cloud providerPrevent malware from entering the enterprise via activities such as web browsingMail Server, Anti-virus, Anti-spam, Web Filtering, Web Monitoring, Vulnerability Management, Anti-phishingThreats addressedKeyloggers, Domain Content, Malware, Spyware, Bot Network, Phishing, Virus, Bandwidth consumption, Data Loss Prevention, Spam
8Email Security Control over inbound and outbound email Enforce corporate polices such as acceptable use and spamPolicy-based encryption of sDigital signatures enabling identification and non-repudiationServicesContent security, Anti- virus/Anti-malware, Spam filtering, encryption, DLP for outbound , Web mail, Anti-phishingThreats addressedPhishing, Intrusion, Malware, Spam, Address spoofing
9Security AssessmentsThird-party audits of cloud services or assessments of local systems via cloud-provided solutionsWell defined and supported by multiple standards such as NIST, ISO, and CISAdditional Cloud ChallengesVirtualization awareness of the toolSupport for common web frameworks in PaaS applicationsCompliance Controls for IaaS, PaaS, and SaaS platformsServicesInternal and / or external penetration test, Application penetration test, Host and guest assessments, Firewall / IPS (security components of the infrastructure) assessments, Virtual infrastructure assessmentThreats addressedInaccurate inventory, Lack of continuous monitoring, Lack of correlation information, Lack of complete auditing, Failure to meet/prove adherence to Regulatory/Standards Compliance, Insecure / vulnerable configurations, Insecure architectures, Insecure processes / processes not being followed
10Intrusion ManagementUsing pattern recognition to detect and react to statistically unusual eventsIM tools are mature, howevervirtualization and massive multi-tenancy is creating new targets for intrusionraises many questions about the implementation of the same protection in cloud environmentsServicesPacket Inspection, Detection, PreventionThreats addressedIntrusion, Malware
11Security Information and Event Management (SIEM) Accept log and event informationCorrelate and analyze to provide real-time reporting and alerting on incidents / eventsServicesLog management, Event correlation, Security/Incident response, Scalability, Log and Event Storage, Interactive searching and parsing of log data, Logs immutable (for legal investigations)Threats addressedAbuse, Insecure Interfaces and APIs, Malicious Insiders, Shared Technology Issues, Data Loss and Leakage, Account or Service Hijacking, Unknown Risk Profile, Fraud
12EncryptionThe process of obfuscating/encoding data using cryptographic algorithmsAlgorithm(s) that are computationally difficult to breakServicesVPN services, Encryption Key Management, Virtual Storage Encryption, Communications Encryption, Application Encryption, Database Encryption, digital signatures, Integrity validationThreats addressedFailure to meet Regulatory Compliance requirements, Mitigating insider and external threats to data, Intercepted clear text network traffic, Clear text data on stolen / disposed of hardware, Reducing the risk or and potentially enabling cross-border business opportunities, Reducing perceived risks and thus enabling Cloud's Adoption by government
13Business Continuity and Disaster Recovery Ensure operational resiliency in the event of any service interruptionsFlexible and reliable failoverUtilize cloud’s flexibility to minimize cost and maximize benefitsServicesFile recovery provider, File backup provider, Cold site, Warm site, Hot site, Insurance, Business partner agreements, Replication (e.g. Databases)Threats addressedNatural disaster, Fire, Power outage, Terrorism/sabotage, Data corruption, Data deletion, Pandemic/biohazard
14Network SecurityServices that allocate access, distribute, monitor, and protect the underlying resource servicesAddress security controls at the network in aggregate, OrSpecifically address at the individual network of each underlying resourceIn Clouds, likely to be provided by virtual devices alongside traditional physical devicesTight integration with the hypervisor to ensure full visibility of all traffic on the virtual network layer is keyServicesFirewall (perimeter and server tier), Web application firewall, DDOS protection/mitigation, DLP, IR management, IDS / IPSThreats addressedData Threats, Access Control Threats, Application Vulnerabilities, Cloud Platform Threats, Regulatory, Compliance & Law Enforcement
15Network Security of IaaS IaaS is provided by Open StackNatural question: How is the network organized?AnswerSoftware defined networksNetwork as a Service (API to describe network services)Combination of both
16What is OpenFlow? OpenFlow is an API Control how packets are forwarded Implemented on hardware or software switchesControllerOpenFlow FirmwareSoftware LayerOpenFlow SwitchPCFlow TableMACsrcdstIPSrcDstTCPsportdportActionOFProtocolHardware Layeror Vswitch1st packetrouting*port 1port 1port 2port 3port 4following packetsroutingPKTPKTIP dst:
17Switches Control packets Network links The Stanford Clean Slate Program
18The Stanford Clean Slate Program http://cleanslate.stanford.edu
19Quantum: Network as a Service Quantum is a “virtual network service”, similar to how Nova is a “virtual machine service”.NovaQuantum
20Quantum: Network as a Service Quantum is a “virtual network service”, similar to how Nova is a “virtual machine service”.Create VMsNovaVM1VM2VM3Quantum
21Quantum: Network as a Service Quantum is a “virtual network service”, similar to how Nova is a “virtual machine service”.Create VMsNovaVM1VM2VM3Create NetworksQuantumNet1Net2
22Quantum: Network as a Service Quantum is a “virtual network service”, similar to how Nova is a “virtual machine service”.Create VMsNovaVM1VM2VM3Create NetworksQuantumNet1Net2AttachInterfaces
23What is Quantum? A standalone Openstack service Provides network connectivity between a set of network “interfaces” from other services (e.g., vNICs from compute service, interfaces on a load-balancer service).Exposes API of logical abstractions for describing network connectivity + policy between interfaces.Uses a “plug-in” architecture, so multiple technologies can implement the logical abstractions.Provides a “building block” for sophisticated cloud network topologies.Does NOT provide advanced services like load-balancers, firewalls, etc. These things can “plug” into a network offered by Quantum.
24Example Architecture: Two Services Tenant APIQuantum ServiceQuantum PluginInternal PluginCommunicationphysicalswitchvswitchvswitchNetwork Edge:Point at which a service “plugs” into the network.FWFWFWVMVMVMVMFirewall ServiceCompute ServiceTenant APITenant API
25Virtual Network Abstractions (1) Services (e.g., nova, atlas) expose interface-IDs via their own tenant APIs to represent any device from that service that can be “plugged” into a virtual network.Example: nova.foo.com/<tenant-id>/server/<server-id>/eth0Tenants use Quantum API to create networks, get back UUID:Example: quantum.foo.com/<tenant-id>/network/<network-id>Tenants can create ports on a network, get a UUID, and associate config with those ports (APIs for advanced port config are TBD, initially ports give L2 connectivity):Example: quantum.foo.com/<tenant-id>/network/<network-id>/port/<port-id>Tenants can “plug” an interface into a port by setting the attachment of a port to be the appropriate interface-id.Example: set quantum.foo.com/<tenant-id>/network/<network-id>/port/<port-id>/attach to value “nova.foo.com/<tenant-id>/server/<server-id>/eth0” .
26Virtual Network Abstractions (2) Note: At no time does the customer see details of how a network is implemented (e.g., VLANs).Association of interfaces with network is an explicit step.Plugins can expose API extensions to introduce more complex functionality (e.g., QoS). Extension support is query-iable, so a customer can “discover” capabilities.API extensions that represent common functionality across many plug-ins can become part of the core API.Core API for diablo is simple, focused on connectivity. Core API will evolve.
27Why Quantum?API gives ability to create interesting network topologies.Example: create multi-tier applicationsProvide way to connect interconnect multiple Openstack services (*-aaS).Example: Nova VM + Atlas LB on same private network.Open the floodgates to let anyone build services (open or closed) that plug into Openstack networks.Examples: VPN-aaS, firewall-aaS, IDS-aaS.Allows innovation plugins that overcomes common cloud networking problemsExample: avoid VLAN limits, provide strong QoS
28Quantum +OVSwitch Demo Quantum running Open vSwitch PluginNova uses QEMU w/libvirt for computeExperimental Nova Quantum NetManagerSingle-node setup, with automated script, derived from Vish’s nova.sh script.Uses “simple quantum orchestrator” script(sqo.py) that speaks to Quantum/Nova APIs
29Demo Scenario Other tips: Example Orchestrator (sqo.py) Commands: create-network public-netcreate-network private-netcreate-server web1=public-net,private-netcreate-server web2=public-net,private-netcreate-server db1=private-netOther tips:To view allocated IPs run “show” cmd.VMs can be reached directly using SSH or VNC (root password is “password”)To clear all existing setup, run “delete” cmd.web1db1public-netPrivate-netweb2
30Running the Demo To run the demo yourself, see: Requires a 64-bit Ubuntu Natty VM.Installation + setup is completely automated.
31Virtual Cloud Can build virtual switching topologies using openflow Can create networking services – firewalls, load balancers, secure interconnects…Can create IaaS stacksCan connect SDNetworks to SDStacks at various levels of abstraction (SaaS, PaaS…)Define SD Cloud architectures for security, and other purposes
33Back to Network Security Policies about the configurations of the infrastructure are used for specifying security and availability requirementsA critical device should be placed within a security perimeterUnprotected devices should not communicate with machines running critical servicesComputation on confidential data must performed on hosts under the control of DoDPolicy-driven approach has been taken by FISMA, PCI-DSS, NERCScalabilityReal-time detection of violationsRequirementsMonitoring itself needs to be secureInformation needs to be shared across cloud providers
34Middleware for Assured Clouds Policy DistributionReaction AgentOdessa AgentNetOdessa AgentDORA SubsystemTrustworthiness of WorkflowsTrust Calculation ModuleExternalEventAggregatorFormal Design and analysis of Assured Mission Critical ComputationsEvaluation on a distributed networkedtest-bedDistance from Compliance CalculationRisk Assessment Modules
35Reaction Agents are part of the Middleware When a policy violation is detectedSecurity, availability, or timeliness requirements might not be satisfiedWe need to reconfigure the systemWe implemented a cloud-based OpenFlow reaction agentOpenFlowcontrollerFlow informationviolationreconfigurationsReactionAgent
36To Read FurtherRoy H. Campbell, Mirko Montanari, Reza Farivar, Middleware for Assured Clouds, Journal of Internet Services and Applications, 2011 [pdf]Mirko Montanari, Roy H. Campbell, Attack-resilient Compliance Monitoring for Large Distributed Infrastructure Systems, IEEE International Conference on Network and System Security (NSS), Sept 2011. [pdf]Mirko Montanari, Ellick Chan, Kevin Larson, Wucherl Yoo, Roy H. Campbell, "Distributed Security Policy Conformance," IFIP SEC 2011, Lucerne, Switzerland, June 2011. [pdf]