Openstack Security Overview - May 2012
Israel, May 2012
Dome9 Security Ltd. – http://www.dome9.com

OpenStack Security Overview
2012 and beyond
Zohar Alon
Co-Founder & CEO, Dome9 Security
[email protected] @zoharalon
Dome9 Quick Background
• Dome9’s Mission: Manage All Cloud Security Stacks
– Operating System, Virtual Machine and/or any V*LAN Policy
– Firewall, VPN, IDS, Auditing & Logging
– Technology & Service Provider Agnostic
• Pat. Pending Security Automation & SSH Strengthening
• Highly Affordable SaaS offering
– Users install and manage it themselves
– Freemium to 4₵/server/hour
Dome9 Founded: 2010
First GA: Sept ‘11
Backing: Opus Capital
Employees: 10
OpenStack Security Considerations
• What are you building? – Public or Private
• Access Credentials? – root::alpine is good
• Key Pairs – Make sure we all have a copy of all .pems in our Gmails/DBoxes
• Security Groups – Any, Any, Any, Accept – It just works!
• Data Sensitivity Constraints – Nothing is encrypted unless you work hard; HTTPS is almost free
• Inside the VMs – It’s not my responsibility. Is it?
• Other places to avoid/consider – API security, Image Safety, Backups, Logs
HP Cloud – OpenStack Public IaaS
• Out-of-the-Box OpenStack as a public IaaS
– Diablo based; Nova and Swift; in public beta now
– 3 Availability Zones (≠ AWS AZ)
– EC2 API compatible listener
– Flat network; Floating (Elastic)/Temp Public/Private IP
• Security
– EC2 Style Security Groups: Inbound, port ranges, SG2SG within same AZ
– Instance Authentication through SSH key-pairs: No import or sharing between AZs
– Object Storage (Swift): Public or Private setting; No Data-at-rest Encryption

HP Cloud Security Group
Quantum: Virtualizing the Network
• Tenant Facing API for network management
– Enables rich multi-level network topologies
– Decouples “Logical” network from “Physical” constraints
• Abstract Advanced Network Elements (soon…)
– Firewalls, VPNs, LBs, NAT, DHCP
– We’ll manage them as they come, but be patient
• Quantum Security Groups: More robust!
– Per VIF vs. Per VM
– Inbound and Outbound
– Flexibility could lead to complexity
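The “Any, Any, Any, Accept” group from the Security Considerations slide and the per-VIF, inbound-and-outbound rules Quantum adds are both easiest to reason about with a concrete rule audit. The Python below is an added example for this transcript, not Dome9, HP Cloud or Quantum code: the `Rule` field layout, the group names and every address are constructed, and the severity thresholds (`ADMIN_PORTS`, `WIDE_RANGE`) are assumptions. It flags world-open any/any ingress, admin ports reachable from anywhere, wide port ranges, and unrestricted egress, and shows the same three-tier workload expressed with SG-to-SG references instead of CIDRs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ADMIN_PORTS = {22, 3389}   # SSH and RDP: exposure to the whole Internet is always a finding
WIDE_RANGE = 1000          # a rule spanning this many ports is treated as "all ports"


@dataclass(frozen=True)
class Rule:
    """One security group rule in the EC2/Quantum style (assumed field layout)."""
    direction: str                      # "ingress" or "egress"
    protocol: str                       # "tcp", "udp", "icmp" or "any"
    port_min: Optional[int]             # None means every port
    port_max: Optional[int]
    remote_cidr: Optional[str]          # source (ingress) or destination (egress) prefix
    remote_group: Optional[str] = None  # SG-to-SG reference used instead of a CIDR


def is_world(rule: Rule) -> bool:
    """True when the remote side is the whole Internet (0.0.0.0/0 or ::/0)."""
    if rule.remote_cidr is None:
        return False  # SG2SG reference: scoped to members of the peer group
    return ipaddress.ip_network(rule.remote_cidr, strict=False).prefixlen == 0


def port_span(rule: Rule) -> int:
    """Number of ports the rule opens; 65536 for a port-less (all ports) rule."""
    if rule.protocol == "icmp":
        return 0
    if rule.port_min is None or rule.port_max is None:
        return 65536
    return rule.port_max - rule.port_min + 1


def covers_port(rule: Rule, port: int) -> bool:
    """Does this rule admit TCP traffic to the given port?"""
    if rule.protocol not in ("tcp", "any"):
        return False
    if rule.port_min is None or rule.port_max is None:
        return True
    return rule.port_min <= port <= rule.port_max


Finding = Tuple[str, str, str]  # (group name, severity, message)


def audit_rule(group: str, rule: Rule) -> Optional[Finding]:
    """Classify one rule; returns None when the rule is acceptably scoped."""
    remote = rule.remote_cidr or f"group:{rule.remote_group}"
    if rule.direction == "ingress":
        if is_world(rule) and rule.protocol == "any":
            return (group, "CRITICAL", "any protocol, any port, from anywhere")
        if is_world(rule) and any(covers_port(rule, p) for p in ADMIN_PORTS):
            return (group, "HIGH", "admin port (SSH/RDP) reachable from anywhere")
        if port_span(rule) >= WIDE_RANGE:
            return (group, "MEDIUM", f"{port_span(rule)} ports open from {remote}")
    elif rule.direction == "egress":
        if is_world(rule) and rule.protocol == "any":
            return (group, "LOW", "unrestricted egress; a compromised VM can reach anything")
    return None


def audit(groups: Dict[str, List[Rule]]) -> List[Finding]:
    """Run audit_rule over every rule of every group, in the order given."""
    findings = []
    for name, rules in groups.items():
        for rule in rules:
            finding = audit_rule(name, rule)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample: a wide-open group next to a tightened three-tier layout.
SAMPLE_GROUPS = {
    "wide-open": [  # the slide's "Any, Any, Any, Accept"
        Rule("ingress", "any", None, None, "0.0.0.0/0"),
        Rule("egress", "any", None, None, "0.0.0.0/0"),
    ],
    "web-tier": [
        Rule("ingress", "tcp", 443, 443, "0.0.0.0/0"),        # public HTTPS only
        Rule("ingress", "tcp", 22, 22, "203.0.113.0/24"),     # SSH from a bastion range (constructed)
        Rule("egress", "tcp", 5432, 5432, None, "db-tier"),   # outbound only to the DB group
    ],
    "db-tier": [
        Rule("ingress", "tcp", 5432, 5432, None, "web-tier"), # SG2SG: no CIDR at all
    ],
    "legacy-mgmt": [
        Rule("ingress", "tcp", 22, 22, "0.0.0.0/0"),
        Rule("ingress", "tcp", 1, 65535, "10.0.0.0/8"),
    ],
}

if __name__ == "__main__":
    for group, severity, message in audit(SAMPLE_GROUPS):
        print(f"{severity:8} {group:12} {message}")
```

Run as a script it prints one line per finding; the `web-tier` and `db-tier` groups produce none because every rule is either a single port from a narrow prefix or an SG-to-SG reference, which is the shape the HP Cloud slide’s “SG2SG within same AZ” and Quantum’s outbound rules let you express instead of CIDR ranges.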
Quantum Physical vs. Virtual + Firewalling
Dome9 for OpenStack
Announcing Private Cloud Connector
• Define, Manage and automate OpenStack SGs
• Leverage Host-based Policies where required
• Share your Objects: Networks, Servers and Users across Clouds

Dome9 Central
Rule Your Cloud Security Policy
Credits and Thanks
• Salvatore Orlando, Citrix @taturiello – http://www.infoq.com/presentations/Quantum-Virtual-Networks-for-OpenStack
• Dave Lapsley, nicira @davlaps – http://slidesha.re/HQvDTk
• Joshua McKenty, Piston Cloud @jmckenty – http://www.slideshare.net/joshuamckenty/open-stack-security-emea-launch
• Thank you!
Zohar Alon [email protected] @zoharalon
• PS: don’t forget to ask your DevOps to sharpen their networking skills!