
Security, Open Stack, Quantum, Software Defined Clouds

Presentation on theme: "Security, Open Stack, Quantum, Software Defined Clouds"— Presentation transcript:

1 Security, Open Stack, Quantum, Software Defined Clouds
Roy Campbell Lecture 9

2 Cloud Services
What cloud services can you think of?

3 Security as a Service
Origins: Email Spam Filtering
Today: Web Content Filtering, Vulnerability Management, Identity Management as a service, Etc.
Naming: SaaS, NOT to be confused with Software as a Service!
SecaaS: Security as a Service (Cloud Security Alliance)

4 SaaS Categorization by CSA
CSA: Cloud Security Alliance
  Identity and Access Management
  Data Loss Prevention
  Web Security
  Email Security
  Security Assessments
  Intrusion Management
  Security Information and Event Management (SIEM)
  Encryption
  Business Continuity and Disaster Recovery
  Network Security

5 Identity and Access Management (IAM)
Standards: SAML, SPML, XACML, (MOF/ECORE), OAuth, OpenID, Active Directory Federation Services (ADFS2), WS-Federation
Commercial Cloud Examples: CA Arcot WebFort; CyberArk Software Privileged Identity Manager; Novell Cloud Security Services; ObjectSecurity OpenPMF (authorization policy automation, for private cloud only); Symplified
Threats addressed: Identity theft, Unauthorized access, Privilege escalation, Insider threat, Non-repudiation, Excess privileges / Excessive access, Delegation of authorizations / Entitlements, Fraud

6 Data Loss Prevention
Monitoring, protecting, and verifying the security of data by running as a client on desktops / servers and enforcing rules such as:
  “No FTP” or “No uploads” to web sites
  “No documents with numbers that look like credit cards can be emailed”
  “Anything saved to USB storage is automatically encrypted and can only be decrypted on another office-owned machine with a correctly installed DLP client”
  “Only clients with functioning DLP software can open files from the fileserver”
Related to IAM
Threats addressed: Data loss/leakage, Unauthorized access, Malicious compromises of data integrity, Data sovereignty issues, Regulatory sanctions and fines
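The “no documents with numbers that look like credit cards can be emailed” rule above is the kind of content rule a DLP client evaluates before releasing a message. The following Python is an added example, not code from the lecture or from any DLP product: it finds 13 to 19 digit runs, keeps only those that pass the Luhn mod-10 check (which is what makes a number “look like” a card number rather than an asset tag or phone number), masks the finding, and turns the result into a block/allow decision per document. The sample documents and file names are constructed for the example.

```python
import re

# Constructed sample documents (not from the lecture): one contains a
# Luhn-valid card-like number, one a 16-digit asset tag that fails Luhn.
SAMPLE_DOCS = {
    "invoice.txt": "Please charge card 4111 1111 1111 1111 for the order.",
    "inventory.txt": "Asset tag 1234-5678-9012-3456 is assigned to the lab.",
    "notes.txt": "Meeting at 10:30 in room 4.",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: true for digit strings with a valid check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding itself is not a leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text: str) -> list:
    """Return masked card-like numbers that pass the Luhn check."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def evaluate_policy(docs: dict) -> dict:
    """Apply the rule: a document with a card-like number may not be emailed."""
    decisions = {}
    for name, text in docs.items():
        hits = find_card_numbers(text)
        decisions[name] = {
            "action": "block" if hits else "allow",
            "findings": hits,
        }
    return decisions


if __name__ == "__main__":
    for name, decision in evaluate_policy(SAMPLE_DOCS).items():
        print(f"{name}: {decision['action']} {decision['findings']}")
```

The Luhn step is what keeps the false-positive rate tolerable: the asset tag in inventory.txt has the right shape but fails the check, so that document is allowed while invoice.txt is blocked. A production rule would add issuer prefix ranges and context words, but the structure (candidate regex, validator, masked finding, decision) is the same.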

7 Web Security
Real-time protection
  On-premise through software/appliance installation
  Proxying or redirecting web traffic to the cloud provider
Prevent malware from entering the enterprise via activities such as web browsing
Services: Mail Server, Anti-virus, Anti-spam, Web Filtering, Web Monitoring, Vulnerability Management, Anti-phishing
Threats addressed: Keyloggers, Domain Content, Malware, Spyware, Bot Network, Phishing, Virus, Bandwidth consumption, Data Loss Prevention, Spam

8 Email Security
Control over inbound and outbound email
Enforce corporate policies such as acceptable use and spam
Policy-based encryption of emails
Digital signatures enabling identification and non-repudiation
Services: Content security, Anti-virus/Anti-malware, Spam filtering, Email encryption, DLP for outbound email, Web mail, Anti-phishing
Threats addressed: Phishing, Intrusion, Malware, Spam, Address spoofing

9 Security Assessments
Third-party audits of cloud services or assessments of local systems via cloud-provided solutions
Well defined and supported by multiple standards such as NIST, ISO, and CIS
Additional Cloud Challenges:
  Virtualization awareness of the tool
  Support for common web frameworks in PaaS applications
  Compliance Controls for IaaS, PaaS, and SaaS platforms
Services: Internal and / or external penetration test, Application penetration test, Host and guest assessments, Firewall / IPS (security components of the infrastructure) assessments, Virtual infrastructure assessment
Threats addressed: Inaccurate inventory, Lack of continuous monitoring, Lack of correlation information, Lack of complete auditing, Failure to meet/prove adherence to Regulatory/Standards Compliance, Insecure / vulnerable configurations, Insecure architectures, Insecure processes / processes not being followed

10 Intrusion Management
Using pattern recognition to detect and react to statistically unusual events
IM tools are mature; however, virtualization and massive multi-tenancy are creating new targets for intrusion
This raises many questions about the implementation of the same protection in cloud environments
Services: Packet Inspection, Detection, Prevention
Threats addressed: Intrusion, Malware

11 Security Information and Event Management (SIEM)
Accept log and event information
Correlate and analyze to provide real-time reporting and alerting on incidents / events
Services: Log management, Event correlation, Security/Incident response, Scalability, Log and Event Storage, Interactive searching and parsing of log data, Logs immutable (for legal investigations)
Threats addressed: Abuse, Insecure Interfaces and APIs, Malicious Insiders, Shared Technology Issues, Data Loss and Leakage, Account or Service Hijacking, Unknown Risk Profile, Fraud

12 Encryption
The process of obfuscating/encoding data using cryptographic algorithms
Algorithm(s) that are computationally difficult to break
Services: VPN services, Encryption Key Management, Virtual Storage Encryption, Communications Encryption, Application Encryption, Database Encryption, Digital signatures, Integrity validation
Threats addressed: Failure to meet Regulatory Compliance requirements, Mitigating insider and external threats to data, Intercepted clear text network traffic, Clear text data on stolen / disposed of hardware, Reducing the risk of (and potentially enabling) cross-border business opportunities, Reducing perceived risks and thus enabling cloud adoption by government

13 Business Continuity and Disaster Recovery
Ensure operational resiliency in the event of any service interruptions
Flexible and reliable failover
Utilize cloud’s flexibility to minimize cost and maximize benefits
Services: File recovery provider, File backup provider, Cold site, Warm site, Hot site, Insurance, Business partner agreements, Replication (e.g. Databases)
Threats addressed: Natural disaster, Fire, Power outage, Terrorism/sabotage, Data corruption, Data deletion, Pandemic/biohazard

14 Network Security
Services that allocate access, distribute, monitor, and protect the underlying resource services
Address security controls at the network in aggregate, or specifically address the individual network of each underlying resource
In clouds, likely to be provided by virtual devices alongside traditional physical devices
Tight integration with the hypervisor to ensure full visibility of all traffic on the virtual network layer is key
Services: Firewall (perimeter and server tier), Web application firewall, DDoS protection/mitigation, DLP, IR management, IDS / IPS
Threats addressed: Data Threats, Access Control Threats, Application Vulnerabilities, Cloud Platform Threats, Regulatory, Compliance & Law Enforcement

15 Network Security of IaaS
IaaS is provided by OpenStack
Natural question: How is the network organized?
Answer:
  Software defined networks
  Network as a Service (API to describe network services)
  Combination of both

16 What is OpenFlow?
OpenFlow is an API
Control how packets are forwarded
Implemented on hardware or software switches
[Figure: an OpenFlow controller speaks the OF protocol to an OpenFlow switch (OpenFlow firmware in the software layer, a hardware layer or vSwitch below). The switch’s flow table has columns MAC src/dst, IP src/dst, TCP sport/dport and Action (“*” is a wildcard; actions forward to port 1, 2, 3 or 4). The 1st packet of a flow is routed via the controller; following packets are routed by the installed flow entry.]
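To make the flow-table figure concrete, here is an added Python model of the behaviour it depicts; it is an example written for this transcript, not code from the lecture or from any OpenFlow implementation. A flow entry matches on the figure’s header fields (None plays the role of the “*” wildcard) and carries one action; on a table miss the switch hands the first packet to a toy controller, which installs an entry so that following packets are forwarded in the switch without further controller round-trips. The controller also pushes a static drop rule at start-up, which shows why priorities matter: a high-priority deny must be in the table before a reactive route for the same destination, or the route would match first. Addresses, ports and the packet sequence are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the slide's flow table: an entry matches on the header
# fields in the figure (None acts as the "*" wildcard) and carries one action.


@dataclass(frozen=True)
class Match:
    mac_src: Optional[str] = None
    mac_dst: Optional[str] = None
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None
    tcp_sport: Optional[int] = None
    tcp_dport: Optional[int] = None

    def covers(self, pkt: dict) -> bool:
        """True when every non-wildcard field equals the packet's header field."""
        return all(want is None or pkt.get(field) == want
                   for field, want in vars(self).items())


@dataclass
class FlowEntry:
    match: Match
    action: str          # "output:<port>" or "drop"
    priority: int = 0
    packets: int = 0     # per-entry counter, as a real switch keeps


class Controller:
    """Toy controller: a static deny list is pushed proactively at start-up;
    destination routes are installed reactively on the first packet-in."""

    def __init__(self, routes: dict, blocked_dports=()):
        self.routes = routes                  # ip_dst -> output port
        self.blocked = set(blocked_dports)

    def bootstrap(self, switch) -> None:
        for port in self.blocked:
            switch.install(FlowEntry(Match(tcp_dport=port), "drop", priority=10))

    def packet_in(self, pkt: dict) -> Optional[FlowEntry]:
        port = self.routes.get(pkt.get("ip_dst"))
        if port is None:
            return None                       # unknown destination: no entry
        return FlowEntry(Match(ip_dst=pkt["ip_dst"]), f"output:{port}", priority=1)


class OpenFlowSwitch:
    def __init__(self, controller: Controller):
        self.table = []
        self.controller = controller
        self.packet_ins = 0
        controller.bootstrap(self)

    def install(self, entry: FlowEntry) -> None:
        self.table.append(entry)
        self.table.sort(key=lambda e: -e.priority)   # highest priority first

    def handle_packet(self, pkt: dict) -> str:
        for entry in self.table:
            if entry.match.covers(pkt):
                entry.packets += 1
                return entry.action
        # Table miss: the first packet of a flow goes to the controller, which
        # may install an entry so following packets never leave the switch.
        self.packet_ins += 1
        entry = self.controller.packet_in(pkt)
        if entry is None:
            return "drop"
        self.install(entry)
        entry.packets += 1
        return entry.action


def run_demo():
    """Replay a constructed packet sequence; returns (actions, packet-ins, table size)."""
    ctrl = Controller(routes={"10.0.0.2": 2, "10.0.0.3": 3}, blocked_dports=[23])
    sw = OpenFlowSwitch(ctrl)
    web = {"ip_src": "10.0.0.1", "ip_dst": "10.0.0.2", "tcp_sport": 40000, "tcp_dport": 80}
    tls = {"ip_src": "10.0.0.1", "ip_dst": "10.0.0.3", "tcp_sport": 40001, "tcp_dport": 443}
    telnet = {"ip_src": "10.0.0.1", "ip_dst": "10.0.0.2", "tcp_sport": 40002, "tcp_dport": 23}
    stray = {"ip_src": "10.0.0.1", "ip_dst": "10.9.9.9", "tcp_sport": 40003, "tcp_dport": 80}
    actions = [sw.handle_packet(p) for p in (web, web, tls, telnet, stray)]
    return actions, sw.packet_ins, len(sw.table)


if __name__ == "__main__":
    print(run_demo())
```

Running it shows three packet-ins for five packets: the second web packet hits the entry installed by the first, the telnet packet hits the static drop rule without ever reaching the controller, and the stray packet is dropped because the controller declines to install an entry for an unknown destination.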

17 [Figure: switches, control packets, network links]
The Stanford Clean Slate Program

18 The Stanford Clean Slate Program
[Figure only]

19 Quantum: Network as a Service
Quantum is a “virtual network service”, similar to how Nova is a “virtual machine service”.
[Figure, build 1: Nova and Quantum side by side]

20 Quantum: Network as a Service
[Figure, build 2: Nova creates VMs (VM1, VM2, VM3)]

21 Quantum: Network as a Service
[Figure, build 3: Quantum creates networks (Net1, Net2)]

22 Quantum: Network as a Service
[Figure, build 4: interfaces of VM1 to VM3 are attached to Net1 and Net2]

23 What is Quantum?
A standalone OpenStack service
Provides network connectivity between a set of network “interfaces” from other services (e.g., vNICs from compute service, interfaces on a load-balancer service).
Exposes API of logical abstractions for describing network connectivity + policy between interfaces.
Uses a “plug-in” architecture, so multiple technologies can implement the logical abstractions.
Provides a “building block” for sophisticated cloud network topologies.
Does NOT provide advanced services like load-balancers, firewalls, etc. These things can “plug” into a network offered by Quantum.

24 Example Architecture: Two Services
[Figure: a Firewall Service (FW instances) and a Compute Service (VM instances) each expose a Tenant API; the Quantum Service exposes its own Tenant API and drives a Quantum Plugin, which uses internal plugin communication to a physical switch and to the vswitches that the FWs and VMs connect to.]
Network Edge: Point at which a service “plugs” into the network.

25 Virtual Network Abstractions (1)
Services (e.g., nova, atlas) expose interface-IDs via their own tenant APIs to represent any device from that service that can be “plugged” into a virtual network.
  Example: <tenant-id>/server/<server-id>/eth0
Tenants use Quantum API to create networks, get back UUID:
  Example: <tenant-id>/network/<network-id>
Tenants can create ports on a network, get a UUID, and associate config with those ports (APIs for advanced port config are TBD; initially ports give L2 connectivity):
  Example: <tenant-id>/network/<network-id>/port/<port-id>
Tenants can “plug” an interface into a port by setting the attachment of a port to be the appropriate interface-id.
  Example: set <tenant-id>/network/<network-id>/port/<port-id>/attach to value “<tenant-id>/server/<server-id>/eth0”.

26 Virtual Network Abstractions (2)
Note: At no time does the customer see details of how a network is implemented (e.g., VLANs).
Association of interfaces with a network is an explicit step.
Plugins can expose API extensions to introduce more complex functionality (e.g., QoS).
Extension support is queryable, so a customer can “discover” capabilities.
API extensions that represent common functionality across many plug-ins can become part of the core API.
Core API for Diablo is simple, focused on connectivity. Core API will evolve.

27 Why Quantum?
API gives ability to create interesting network topologies. Example: create multi-tier applications
Provide a way to interconnect multiple OpenStack services (*-aaS). Example: Nova VM + Atlas LB on same private network.
Open the floodgates to let anyone build services (open or closed) that plug into OpenStack networks. Examples: VPN-aaS, firewall-aaS, IDS-aaS.
Allows innovative plugins that overcome common cloud networking problems. Example: avoid VLAN limits, provide strong QoS

28 Quantum + OVSwitch Demo
Quantum running Open vSwitch Plugin
Nova uses QEMU w/ libvirt for compute
Experimental Nova Quantum NetManager
Single-node setup, with automated script, derived from Vish’s script.
Uses “simple quantum orchestrator” script ( that speaks to Quantum/Nova APIs

29 Demo Scenario
Example Orchestrator ( Commands:
  create-network public-net
  create-network private-net
  create-server web1=public-net,private-net
  create-server web2=public-net,private-net
  create-server db1=private-net
Other tips:
  To view allocated IPs run “show” cmd.
  VMs can be reached directly using SSH or VNC (root password is “password”)
  To clear all existing setup, run “delete” cmd.
[Figure: web1 and web2 attached to both public-net and private-net; db1 attached to private-net only]
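The following Python is an added example that ties slide 25’s abstractions to slide 29’s demo; it is not the lecture’s orchestrator script nor OpenStack code. A small in-memory `QuantumService` implements the core API surface the slides describe: create a network and get a UUID, create a port on it, and “plug” an interface in by setting the port’s attachment to an interface-id of the form `<tenant-id>/server/<server-id>/eth0`. It refuses to attach an interface that is already plugged in elsewhere, or to reuse an occupied port, since a tenant can only reason about connectivity if each vNIC sits on exactly one port. A `NovaStub` stands in for the compute service, and an `Orchestrator` interprets the demo’s create-network / create-server / show / delete commands. Tenant and server ids are made up; the class and method names are this example’s own.

```python
import uuid

# Constructed model of the Quantum core abstractions on the slides (networks,
# ports, attachments); not the OpenStack code. Ids and the tenant name are made up.


class QuantumService:
    def __init__(self, tenant_id: str):
        self.tenant = tenant_id
        self.networks = {}   # network-id -> {"name": str, "ports": {port-id: interface-id or None}}
        self.attached = {}   # interface-id -> (network-id, port-id)

    def create_network(self, name: str) -> str:
        net_id = str(uuid.uuid4())
        self.networks[net_id] = {"name": name, "ports": {}}
        return net_id

    def create_port(self, net_id: str) -> str:
        port_id = str(uuid.uuid4())
        self.networks[net_id]["ports"][port_id] = None   # L2 port, nothing plugged yet
        return port_id

    def attach(self, net_id: str, port_id: str, interface_id: str) -> str:
        """Set <tenant>/network/<net>/port/<port>/attach to an interface-id."""
        ports = self.networks[net_id]["ports"]
        if ports[port_id] is not None:
            raise ValueError(f"port {port_id} already has an attachment")
        if interface_id in self.attached:
            raise ValueError(f"{interface_id} is already plugged in elsewhere")
        ports[port_id] = interface_id
        self.attached[interface_id] = (net_id, port_id)
        return f"{self.tenant}/network/{net_id}/port/{port_id}/attach"

    def delete_all(self) -> None:
        self.networks.clear()
        self.attached.clear()


class NovaStub:
    """Stands in for the compute service: exposes one interface-id per vNIC."""
    def __init__(self, tenant_id: str):
        self.tenant = tenant_id
        self.servers = {}    # server name -> server-id

    def create_server(self, name: str, nic_count: int) -> list:
        server_id = str(uuid.uuid4())
        self.servers[name] = server_id
        return [f"{self.tenant}/server/{server_id}/eth{i}" for i in range(nic_count)]


class Orchestrator:
    """Interprets the demo's create-network / create-server / show / delete commands."""
    def __init__(self, tenant_id: str = "tenant-demo"):
        self.quantum = QuantumService(tenant_id)
        self.nova = NovaStub(tenant_id)
        self.net_by_name = {}
        self.iface_owner = {}   # interface-id -> server name

    def run(self, line: str):
        cmd, _, arg = line.strip().partition(" ")
        if cmd == "create-network":
            self.net_by_name[arg] = self.quantum.create_network(arg)
        elif cmd == "create-server":
            name, _, nets = arg.partition("=")
            net_names = [n for n in nets.split(",") if n]
            missing = [n for n in net_names if n not in self.net_by_name]
            if missing:
                raise ValueError(f"unknown network(s): {missing}")
            nics = self.nova.create_server(name, len(net_names))
            for nic, net_name in zip(nics, net_names):   # one port per vNIC
                net_id = self.net_by_name[net_name]
                port_id = self.quantum.create_port(net_id)
                self.quantum.attach(net_id, port_id, nic)
                self.iface_owner[nic] = name
        elif cmd == "show":
            return self.show()
        elif cmd == "delete":
            self.quantum.delete_all()
            self.net_by_name.clear()
            self.iface_owner.clear()
        else:
            raise ValueError(f"unknown command: {cmd}")

    def show(self) -> dict:
        """Server name -> sorted names of the networks it is plugged into."""
        topo = {}
        for net in self.quantum.networks.values():
            for iface in net["ports"].values():
                if iface is not None:
                    topo.setdefault(self.iface_owner[iface], []).append(net["name"])
        return {srv: sorted(nets) for srv, nets in topo.items()}


DEMO_COMMANDS = [
    "create-network public-net",
    "create-network private-net",
    "create-server web1=public-net,private-net",
    "create-server web2=public-net,private-net",
    "create-server db1=private-net",
]


def run_demo() -> dict:
    orch = Orchestrator()
    for command in DEMO_COMMANDS:
        orch.run(command)
    return orch.show()


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` reproduces the slide’s topology: web1 and web2 end up on both networks, db1 only on private-net. Note what the model does not contain: no VLAN ids, no switch configuration, nothing about how the plugin realises Net1 and Net2. That is the point of slide 26’s “the customer never sees how a network is implemented”.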

30 Running the Demo
To run the demo yourself, see:
Requires a 64-bit Ubuntu Natty VM. Installation + setup is completely automated.

31 Virtual Cloud
Can build virtual switching topologies using OpenFlow
Can create networking services: firewalls, load balancers, secure interconnects…
Can create IaaS stacks
Can connect SDNetworks to SDStacks at various levels of abstraction (SaaS, PaaS…)
Define SD Cloud architectures for security, and other purposes

32 Back to Network Security

33 Back to Network Security
Policies about the configurations of the infrastructure are used for specifying security and availability requirements:
  A critical device should be placed within a security perimeter
  Unprotected devices should not communicate with machines running critical services
  Computation on confidential data must be performed on hosts under the control of DoD
Policy-driven approach has been taken by FISMA, PCI-DSS, NERC
Requirements:
  Scalability
  Real-time detection of violations
  Monitoring itself needs to be secure
  Information needs to be shared across cloud providers

34 Middleware for Assured Clouds
[Architecture figure with the following components:]
  Policy Distribution
  Reaction Agent
  Odessa Agent
  NetOdessa Agent
  DORA Subsystem
  Trustworthiness of Workflows
  Trust Calculation Module
  External Event Aggregator
  Formal Design and analysis of Assured Mission Critical Computations
  Evaluation on a distributed networked test-bed
  Distance from Compliance Calculation
  Risk Assessment Modules

35 Reaction Agents are part of the Middleware
When a policy violation is detected:
  Security, availability, or timeliness requirements might not be satisfied
  We need to reconfigure the system
We implemented a cloud-based OpenFlow reaction agent
[Figure: Reaction Agent and OpenFlow controller, with the labels “flow information”, “violation” and “reconfigurations”]
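To show how the three example policies of slide 33 become checkable rules, and how a reaction agent like the one on slide 35 turns a detected violation into a reconfiguration, here is an added Python example. It is not the Odessa/NetOdessa code or the lecture’s reaction agent; the inventory attributes (`critical`, `in_perimeter`, `protected`, `controller`, `confidential`), the host records and the observed flows are constructed for the example, and the “distance from compliance” here is a deliberately simplified count of violated policy instances. Each policy is a function over the same state, so the monitor can run all of them on every inventory or flow update; the reaction planner maps an isolation violation to an OpenFlow-style drop entry of the kind the controller would install, and the other two to host-level reconfigurations.

```python
# Constructed inventory and flow records (not from the lecture); attribute names
# are assumptions chosen to express the three policies on slide 33.
HOSTS = {
    "10.0.1.10": {"name": "db-core", "critical": True, "in_perimeter": True,
                  "protected": True, "controller": "DoD", "confidential": True},
    "10.0.1.11": {"name": "auth-svc", "critical": True, "in_perimeter": False,
                  "protected": True, "controller": "DoD", "confidential": False},
    "10.0.2.20": {"name": "kiosk", "critical": False, "in_perimeter": False,
                  "protected": False, "controller": "contractor", "confidential": False},
    "10.0.2.21": {"name": "analyst-ws", "critical": False, "in_perimeter": True,
                  "protected": True, "controller": "contractor", "confidential": True},
}
FLOWS = [  # (src ip, dst ip) pairs reported by the monitoring layer
    ("10.0.2.20", "10.0.1.10"),
    ("10.0.2.21", "10.0.1.10"),
    ("10.0.2.20", "10.0.2.21"),
]


def policy_perimeter(hosts, flows):
    """P1: a critical device should be placed within a security perimeter."""
    return [{"policy": "P1", "subject": ip, "detail": "critical host outside perimeter"}
            for ip, h in hosts.items() if h["critical"] and not h["in_perimeter"]]


def policy_isolation(hosts, flows):
    """P2: unprotected devices should not communicate with critical services."""
    found = []
    for src, dst in flows:
        if not hosts[src]["protected"] and hosts[dst]["critical"]:
            found.append({"policy": "P2", "subject": (src, dst),
                          "detail": "unprotected host talks to critical service"})
    return found


def policy_custody(hosts, flows):
    """P3: computation on confidential data must run on DoD-controlled hosts."""
    return [{"policy": "P3", "subject": ip, "detail": "confidential data outside DoD control"}
            for ip, h in hosts.items() if h["confidential"] and h["controller"] != "DoD"]


POLICIES = [policy_perimeter, policy_isolation, policy_custody]


def check_policies(hosts, flows):
    """Evaluate every policy over the current state; returns all violations."""
    violations = []
    for policy in POLICIES:
        violations.extend(policy(hosts, flows))
    return violations


def distance_from_compliance(hosts, flows):
    """Simplified metric: number of violated policy instances (0 = compliant)."""
    return len(check_policies(hosts, flows))


def plan_reactions(violations):
    """Map each violation to a reconfiguration; P2 becomes an OpenFlow-style
    drop entry that the reaction agent would push through the controller."""
    actions = []
    for v in violations:
        if v["policy"] == "P2":
            src, dst = v["subject"]
            actions.append({"action": "drop", "priority": 100,
                            "match": {"ip_src": src, "ip_dst": dst}})
        elif v["policy"] == "P1":
            actions.append({"action": "move_to_perimeter", "host": v["subject"]})
        elif v["policy"] == "P3":
            actions.append({"action": "migrate", "host": v["subject"], "to": "DoD-controlled"})
    return actions


if __name__ == "__main__":
    found = check_policies(HOSTS, FLOWS)
    print("distance from compliance:", distance_from_compliance(HOSTS, FLOWS))
    for v in found:
        print("violation:", v)
    for a in plan_reactions(found):
        print("reconfigure:", a)
```

On the constructed data the monitor reports three violations (auth-svc outside the perimeter, the kiosk talking to db-core, and analyst-ws holding confidential data under contractor control), and the planner emits one network-level drop entry plus two host-level actions. The separation matters for the requirement on slide 33 that monitoring itself be secure: the policy functions only read state, and the only component allowed to change the network is the planner’s output path to the controller.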

36 To Read Further
Roy H. Campbell, Mirko Montanari, Reza Farivar, “Middleware for Assured Clouds,” Journal of Internet Services and Applications, 2011.
Mirko Montanari, Roy H. Campbell, “Attack-resilient Compliance Monitoring for Large Distributed Infrastructure Systems,” IEEE International Conference on Network and System Security (NSS), Sept 2011.
Mirko Montanari, Ellick Chan, Kevin Larson, Wucherl Yoo, Roy H. Campbell, “Distributed Security Policy Conformance,” IFIP SEC 2011, Lucerne, Switzerland, June 2011.
