Post on 15-Jul-2015
CloudPassage Halo Installfest 2
Quick Intro
• Thanks for coming out!
• Enjoy the free food ☺
• Focus on security issues with IaaS cloud
• Interweave that with installing Halo
• We’re here to help!
– Ask questions
– Staff will be handy if you need us
– Any and all feedback greatly appreciated
Tonight’s Focus
• Infrastructure as a Service (IaaS)
– Can apply to PaaS and SaaS from a provider’s perspective
• Mostly geared to public cloud
– Although applicable to private
• Tenant security concerns
– We’ll skip physical security
What You Need For The Labs
• Laptop or tablet
• Root equiv access to a Linux VM
– Local or public is fine
– Spin up now if needed
• Internet access
– Wifi settings: As Posted
Houston…We Have a Problem
All network security benefits are lost in migration:
• Firewall – Filter port-level access
• Firewall – Control rootkit transfer
• Proxy – Control app-level data
• NIDS – Inspect stream for attacks
• Sniffer – Audit trail of network traffic
Delineation of Responsibility
[Diagram: the same stack (Facility, Network, Compute & Storage, Hypervisor, Operating System, Solution Stack, Application) drawn three times, for IaaS, PaaS and SaaS, with the tenant/provider interface at a different layer in each. The provider owns everything below the interface, the tenant everything above it.]
• IaaS – Provider: Facility, Network, Compute & Storage, Hypervisor; Tenant: Operating System, Solution Stack, Application
• PaaS – Provider also owns the Operating System and Solution Stack; Tenant: Application
• SaaS – Provider owns the whole stack, including the Application
Issues to Address
• No firewall control
• Vulnerability management
• Provider image may not meet corporate standards
– Configuration settings
– Accounts
• Detect intrusions
LAN Extension Challenges
Backhauling cloud traffic through the corporate network (treating the cloud as an extension of the LAN):
• Increases load on the corporate link
– Today we're mobile
– Limits public cloud scaling
• Increases load on perimeter infrastructure
• Negates the provider's network benefits
– Provider load balancing
– Multi-peer points
– Geo-location DNS
• Adds latency
• No protection within the virtual infrastructure
What About Introspection?
• Hypervisor-based security
– Has visibility into all VMs
• Single point of control
– But only for one specific hypervisor deployment
• Public cloud: do you want other tenants to have access to your hypervisor?
• Do you want your provider to have non-auditable access to your VMs?
• Can break segregation of duties
Host-Based Architecture
Consistent architecture (and risk abatement) regardless of deployment
Why Host Based Firewalls?
• Tenant controlled
– Provider gains no additional access
• Mitigate potential risks from vswitch or VLANs
• Supported across all cloud infrastructures
– Consistent management regardless of deployment
• Security is portable with the VM
• This is the model supported by Halo
Why restrict Admin Ports?
[Chart: DShield.org data. Green = number of source IPs scanning for open SSH ports; Red = number of target IPs hit by SSH scans.]
Halo Firewall Interface
[Screenshot: Halo firewall rule editor. The admin port is cloaked (closed) until the listed users authenticate.]
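The host-based, tenant-controlled firewall described above, with the admin port cloaked until an operator authenticates, as an added example. This is not Halo's code and not its GhostPorts implementation; it is a plain iptables script that shows the same idea. Assumptions (constructed): the admin port is 22, the VM publishes 80 and 443, sources are IPv4, the "halo-user:" comment tag is just a label for auditing, and `IPT` defaults to printing the commands so the ruleset can be reviewed before setting `IPT=iptables` to apply it for real.

```shell
#!/bin/sh
# Added example, not Halo's code: a tenant-controlled, default-deny host
# firewall with the admin port "cloaked". The port is closed to everyone
# until an operator authenticates (for instance via a portal hook), then it is
# opened for that operator's source address only, and closed again on logout.
# IPT defaults to printing the commands (dry run); set IPT=iptables to apply.
# Constructed assumptions: admin port 22, public services on 80 and 443, IPv4 only.
IPT="${IPT:-echo iptables}"
ADMIN_PORT="${ADMIN_PORT:-22}"
SERVICE_PORTS="${SERVICE_PORTS:-80 443}"

# Base policy: drop everything inbound except loopback, replies to our own
# connections and the service ports. The admin port goes through a dedicated
# chain that starts empty, so the port is closed (cloaked) until a rule is added.
base_policy() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $SERVICE_PORTS; do
        $IPT -A INPUT -p tcp --dport "$p" -j ACCEPT
    done
    $IPT -N ADMIN
    $IPT -A INPUT -p tcp --dport "$ADMIN_PORT" -j ADMIN
}

# Accept only a dotted IPv4 address (optionally with /prefix) as the source;
# anything else is refused rather than handed to iptables.
valid_src() {
    case "$1" in
        ""|*[!0-9./]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Operator USER has just authenticated from SRC: uncloak the admin port for SRC.
# The comment tag records who the hole belongs to, so it can be audited and removed.
uncloak_for() {
    user="$1"; src="$2"
    valid_src "$src" || { echo "uncloak_for: refusing bad source '$src'" >&2; return 1; }
    $IPT -A ADMIN -s "$src" -p tcp --dport "$ADMIN_PORT" \
         -m comment --comment "halo-user:$user" -j ACCEPT
}

# USER logged out or the session expired: remove exactly that rule.
recloak_for() {
    user="$1"; src="$2"
    valid_src "$src" || return 1
    $IPT -D ADMIN -s "$src" -p tcp --dport "$ADMIN_PORT" \
         -m comment --comment "halo-user:$user" -j ACCEPT
}

# Dry-run demo: install the base policy, open for one operator, close again.
base_policy
uncloak_for alice 203.0.113.7
recloak_for alice 203.0.113.7
```

Because the ADMIN chain is empty by default, a scanner of the kind in the DShield chart sees port 22 as closed; only a source address that an authenticated operator came from gets an ACCEPT, and the rule carries a comment naming the operator so stale holes can be found and deleted.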
Image Deployment
• Provider images are usually not patched
• Some 3rd-party images are pre-patched
– Only up to the time of the image's release
– Which 3rd parties can you trust?
• Auto-patching is usually disabled
• Some known vulnerabilities may not yet have a patch
– But once the vulnerability is known, the risk can often be mitigated
Vulnerability Wire Testing
(Scanning the VM over the network from outside)
• Some providers restrict it
– May be limited by terms of service
– May be limited to specific products
• Targeting concerns
– What if your IPs are not contiguous?
– What if the IP changes?
• Does not detect locally exploitable vulnerabilities
Host Based Vulnerability Checking
• Validates compliance from within the VM itself
• Can check both remotely and locally exploitable vulnerabilities
• Typically lower cost to deploy
– Less billable utilization
• Can produce a false negative when a patch is installed but not yet loaded
– e.g. a kernel update that is still pending a reboot
• This is the model Halo uses
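The kernel false negative deserves a concrete check. A package-based scan reports the CVE closed as soon as the fixed kernel package is installed, while the VM keeps running the old kernel until it reboots. The script below, an added example and not part of Halo, compares the running kernel with the newest one installed; it assumes GNU `sort -V` and kernels installed as `/boot/vmlinuz-<version>`, and the version strings in the test are constructed.

```shell
#!/bin/sh
# Added example, not Halo code: the "patch installed but not loaded" false
# negative. A package-based check sees the fixed kernel installed and reports
# the CVE closed, but the VM keeps running the old kernel until it reboots.
# Comparing the running kernel with the newest installed one catches that.
# Assumes GNU sort -V and kernels installed as /boot/vmlinuz-<version>.

# Highest version among the arguments (natural version order, so 101 > 97).
newest_version() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# Installed kernel versions, taken from /boot (assumption about the layout).
installed_kernels() {
    for f in /boot/vmlinuz-*; do
        [ -e "$f" ] && echo "${f##*/vmlinuz-}"
    done
    return 0
}

# True (exit 0) when something newer than the running kernel is installed,
# i.e. the package database is ahead of what is actually loaded.
reboot_needed() {
    running="$1"; shift
    newest=$(newest_version "$running" "$@")
    [ "$newest" != "$running" ]
}

# Live check on this VM (word-splitting of installed_kernels is intended).
if reboot_needed "$(uname -r)" $(installed_kernels); then
    echo "REBOOT NEEDED: running $(uname -r), newest installed" \
         "$(newest_version "$(uname -r)" $(installed_kernels))"
else
    echo "running kernel $(uname -r) is the newest installed"
fi
```

Run alongside the package-level check: a host is only "patched" for a kernel issue when the fixed package is installed and `reboot_needed` returns false. The same idea applies to long-running daemons that keep old shared libraries mapped after a library update.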
Configuration Settings
• Are only required processes running?
– Are they securely configured?
• Is password aging enforced?
• Is root permitted direct SSH access?
• Proper permissions on critical files?
• Is sudo or wheel properly configured?
• Any changes since deployment?
System Accounts
• What accounts are on the system?
• Did the provider modify the default accounts?
– e.g. the ec2-user account added to Amazon Linux images
• Which accounts have root level access?
• Who has accounts on which servers?
• How do you add/delete accounts for many servers simultaneously?
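The configuration and account questions on the two slides above, turned into checks a tenant can run inside the VM (or against copies of the files pulled back from many servers). This is an added example, not Halo's check logic or policy format. It assumes Linux with GNU awk and `stat`, reads only the main `sshd_config`, `login.defs` and `sudoers` files (not their `.d` directories or sshd `Match` blocks), and the allow-lists (`root`, `%wheel`, `%sudo`; 90-day password age; mode 640 for `/etc/shadow`) are placeholders for your own standard.

```shell
#!/bin/sh
# Added example, not Halo code: shell checks for the configuration and account
# questions above. Every check takes the file to inspect as an argument (the
# live path is the default), so the same functions run on the VM itself or on
# copies pulled back from a fleet. Output: one "OK ..."/"WARN ..."/"FAIL ..."
# line per check. Assumes Linux with GNU awk/stat.

# Is root permitted direct SSH access? sshd uses the first PermitRootLogin it
# reads; Match blocks and sshd_config.d are not considered here.
check_root_ssh() {
    f="${1:-/etc/ssh/sshd_config}"
    [ -r "$f" ] || { echo "WARN $f not readable"; return 0; }
    v=$(awk 'tolower($1)=="permitrootlogin"{print tolower($2); exit}' "$f")
    case "$v" in
        no|prohibit-password|without-password) echo "OK PermitRootLogin=$v" ;;
        "") echo "WARN PermitRootLogin unset (OpenSSH 7.0+ defaults to prohibit-password)" ;;
        *) echo "FAIL PermitRootLogin=$v" ;;
    esac
}

# Is password aging enforced? PASS_MAX_DAYS must be set and no larger than $2.
check_pass_aging() {
    f="${1:-/etc/login.defs}"; max="${2:-90}"
    [ -r "$f" ] || { echo "WARN $f not readable"; return 0; }
    v=$(awk '$1=="PASS_MAX_DAYS"{print $2; exit}' "$f")
    if [ -n "$v" ] && [ "$v" -le "$max" ] 2>/dev/null; then
        echo "OK PASS_MAX_DAYS=$v"
    else
        echo "FAIL PASS_MAX_DAYS=${v:-unset} (want <= $max)"
    fi
}

# Proper permissions on critical files? $2 is the most permissive acceptable
# octal mode; any bit set in the file's mode but not in $2 is a violation.
check_perms() {
    f="$1"; want="$2"
    mode=$(stat -c '%a' "$f" 2>/dev/null) || { echo "FAIL $f not found"; return 0; }
    if [ $(( 0$mode & ~0$want )) -eq 0 ]; then
        echo "OK $f mode $mode"
    else
        echo "FAIL $f mode $mode (max $want)"
    fi
}

# Is sudo or wheel properly configured? Flag any NOPASSWD grant, and any
# blanket ALL grant to someone other than root, %wheel or %sudo.
check_sudoers() {
    f="${1:-/etc/sudoers}"
    [ -r "$f" ] || { echo "WARN $f not readable"; return 0; }
    bad=$(grep -Ev '^[[:space:]]*(#|$|Defaults)' "$f" \
          | awk '/NOPASSWD/ || (/ALL[[:space:]]*=/ && $1 !~ /^(root|%wheel|%sudo)$/)' \
          || true)
    if [ -z "$bad" ]; then
        echo "OK sudoers: no unexpected ALL/NOPASSWD grants"
    else
        printf 'FAIL sudoers:\n%s\n' "$bad"
    fi
}

# Which accounts have root-level access? Every UID 0 account (anything
# besides root is a finding).
list_uid0() {
    awk -F: '$3==0 {print $1}' "${1:-/etc/passwd}"
}

# Which accounts can actually log in (a real shell, not nologin/false)?
list_login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ {print $1}' "${1:-/etc/passwd}"
}

# Are only required processes running? Prints process names that are not in
# the allow-list file $1; $2 is an optional saved "ps -eo comm=" listing.
unexpected_processes() {
    allow="$1"; procs="${2:-}"
    { if [ -n "$procs" ]; then sort -u "$procs"; else ps -eo comm= | sort -u; fi; } \
        | grep -vxFf "$allow" || true
}

# Run against the live VM when executed directly.
if [ -r /etc/ssh/sshd_config ]; then check_root_ssh; fi
if [ -r /etc/login.defs ]; then check_pass_aging; fi
if [ -e /etc/shadow ]; then check_perms /etc/shadow 640; fi
if [ -r /etc/sudoers ]; then check_sudoers; fi
if [ -r /etc/passwd ]; then echo "UID 0 accounts: $(list_uid0 | tr '\n' ' ')"; fi
```

For the "many servers" question, the same functions run unchanged over files copied back from each host (`scp host:/etc/passwd ./passwd.host`), which also gives a per-host record to compare against the next run.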
Clues To An Attack
• Some file changes indicate a compromise:
• Static web server files modified (defacement, dropped web shell)
• /etc/passwd gains a new account
• /etc/sudoers gains new entries
• ssh_known_hosts gains new entries
• authorized_keys gains new entries
• Halo detects such changes by comparing SHA-256 hashes against a baseline
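The underlying check, as an added example rather than Halo's agent code: take a SHA-256 baseline of the files that matter, compare the live tree against it, and surface the added lines in the account and key files listed above. It assumes GNU coreutils and findutils (`sort -z`, `xargs -0 -r`, `sha256sum`) and paths without whitespace; the web root, passwd copy and "backdoor" account in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Halo code: the same kind of check Halo's agent performs,
# done by hand with sha256sum. fim_baseline records a hash per file;
# fim_compare reports what changed, appeared or vanished; added_lines shows
# the new entries in files like /etc/passwd, /etc/sudoers, ssh_known_hosts or
# authorized_keys. Assumes GNU coreutils/findutils (sort -z, xargs -0 -r,
# sha256sum) and paths without whitespace.

# Baseline: "<sha256>  <path>" for every regular file under the given paths.
# Keep the baseline off-host (somewhere the VM cannot rewrite it), otherwise
# an intruder with root simply re-baselines after the change.
fim_baseline() {
    find "$@" -type f -print0 | sort -z | xargs -0 -r sha256sum
}

# Compare the current state of the same paths with a saved baseline.
# Prints one "CHANGED|NEW|MISSING <path>" line per difference, sorted.
fim_compare() {
    base="$1"; shift
    cur=$(mktemp)
    fim_baseline "$@" > "$cur"
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }   # first file: the baseline
        !($2 in old)        { print "NEW", $2; seen[$2] = 1; next }
        old[$2] != $1       { print "CHANGED", $2 }
                            { seen[$2] = 1 }
        END { for (p in old) if (!(p in seen)) print "MISSING", p }
    ' "$base" "$cur" | sort
    rm -f "$cur"
}

# Lines present in the current file $2 but not in its baseline copy $1
# (for passwd, sudoers, ssh_known_hosts, authorized_keys).
added_lines() {
    grep -vxFf "$1" "$2" || true
}

# A new UID-0 account is about the clearest clue there is.
new_uid0_accounts() {
    added_lines "$1" "$2" | awk -F: '$3 == 0 { print $1 }'
}

# Demo on a constructed tree: baseline a fake web root and a passwd copy, then
# deface a page, drop a web shell and add a UID-0 account.
demo() {
    d=$(mktemp -d)
    mkdir "$d/www"
    echo '<h1>hello</h1>' > "$d/www/index.html"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/passwd.base"
    cp "$d/passwd.base" "$d/passwd"
    fim_baseline "$d/www" "$d/passwd" > "$d/baseline"
    echo '<h1>owned</h1>' > "$d/www/index.html"
    echo '<?php system($_GET["c"]); ?>' > "$d/www/shell.php"
    printf 'backdoor:x:0:0::/:/bin/sh\n' >> "$d/passwd"
    fim_compare "$d/baseline" "$d/www" "$d/passwd"
    echo "new UID-0 accounts: $(new_uid0_accounts "$d/passwd.base" "$d/passwd")"
    rm -rf "$d"
}
demo
```

Hashing tells you that a file changed, not what changed; for the text files on the list, `added_lines` against the baseline copy gives the new account, sudo rule or key directly, which is what an incident responder wants to see first.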