Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Tips for OpenStack @NCSA James Eyrich Manager Security Operations and Incident Response eyrich@Illinois.edu help+security@ncsa.Illinois.edu.

Published byCandice Lewis Modified over 5 years ago

Similar presentations

Presentation on theme: "Security Tips for OpenStack @NCSA James Eyrich Manager Security Operations and Incident Response eyrich@Illinois.edu help+security@ncsa.Illinois.edu."— Presentation transcript:

1 Security Tips for OpenStack @NCSA
James Eyrich Manager Security Operations and Incident Response

2 Choosing an Image and Managing a Server
Consider choosing an LTS (long term support) image for your server, allows you to keep in service longer. Out of support Operating Systems should be upgraded or replaced Run OS update (ie yum) as soon as system is online Have a maintenance schedule to regularly patch system

3 Server management recommendations
NCSA draft Server Policy: How Tos:

4 Default Credentials Many images and services come with well known credentials already configured Before opening these services to the network change any preconfigured passwords, certificates, keys. Or when you clone a machine Examples Regenerate any SSH, and SSL keys Root passwords Database admin passwords Service account credentials

5 OpenStack Security Groups
OpenStack provided external firewall Use the No Open Services group until you have SSH locked down. Access via console. Use the SSH restricted group until you have your services secured and IPtables configured.

6

7 Security Groups Resources
Further Information about OpenStack Groups Nebula Admins have asked that Security Groups be used sparingly due to concerns about current way implemented.

8 IPtables and service access restrictions
Use the host based firewall Restrict access to services based on source and service port Default block – anything not explicitly allowed is blocked Service Restrictions Can also set restrictions via the Service Configurations TCP wrappers

9 Public IPs - does every VM need one?
Easy way to restrict access is to place the VM on project IP space. Do back end servers (ie DB) need public IPs? Private IPs are NATed for Internet Access Possibly use a hardened bastion host for remote administration Bastion host – restricted access system strictly used to control remote access

10 NCSA Security Operation and Incident Reponses Team Actions & Response
Activities Scanning for open ports SSH Brute Forcing Response Ticket Blackhole Routing - Shutdown VM

Download ppt "Security Tips for OpenStack @NCSA James Eyrich Manager Security Operations and Incident Response eyrich@Illinois.edu help+security@ncsa.Illinois.edu."

Similar presentations

Security Update Server Registration, Active scanning and Windows patching.

Security Update Server Registration, Active scanning and Windows patching.
WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.

WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.
Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.

An Approach to Secure Cloud Computing Architectures By Y. Serge Joseph FAU security Group February 24th, 2011.
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
Potions of Protection Server Security. What does that do again? Familiarity Differing levels of protection –Low, does not exist –Medium, No private data.

Potions of Protection Server Security. What does that do again? Familiarity Differing levels of protection –Low, does not exist –Medium, No private data.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Enterprise Network Security Accessing the WAN Lecture week 4.

Enterprise Network Security Accessing the WAN Lecture week 4.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Windows Remote Administration

Windows Remote Administration
Voyager Server Security and Monitoring Best practices and tools.

Voyager Server Security and Monitoring Best practices and tools.
Additional SugarCRM details for complete, functional, and portable deployment.

Additional SugarCRM details for complete, functional, and portable deployment.
GROUP POLICY An overview of Microsoft Windows Group Policy.

GROUP POLICY An overview of Microsoft Windows Group Policy.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Va-scanCopyright 2002, Marchany Securing Solaris Servers Randy Marchany.

Va-scanCopyright 2002, Marchany Securing Solaris Servers Randy Marchany.
© 2005,2006 NeoAccel Inc. Partners Presentation SSL VPN-Plus 2.0 Quick Start Guide.

© 2005,2006 NeoAccel Inc. Partners Presentation SSL VPN-Plus 2.0 Quick Start Guide.
LANDesk Management Gateway

LANDesk Management Gateway
Network Configuration Charles (Cal) Loomis & Mohammed Airaj LAL, Univ. Paris-Sud, CNRS/IN2P3 24-25 October 2013.

Network Configuration Charles (Cal) Loomis & Mohammed Airaj LAL, Univ. Paris-Sud, CNRS/IN2P October 2013.

Similar presentations

Ads by Google