Securing Your Cloud Servers with Halo NetSec

© 2012 CloudPassage Inc.

Securing Your Cloud Servers with Halo NetSecRand WackerVP of [email protected]@randwacker


CloudPassage Halo was purpose-built to

deliver real security for servers in the cloud.


What does CloudPassage do?

Firewall Management

Server Configurations

Server account Management

Compromise & intrusion alerting

Security & compliance auditing

Vulnerability Management

Security for virtual servers running in public and private

clouds


CloudPassage Halo Packages

Halo BasicFree security for initial cloud migrations

Halo NetSecFull perimeter protection and security

integration

Halo ProfessionalComprehensive security and compliance

controls

NEW


Cloud Requires A New Approach to Security


www-1 www-2 www-3 www-4

Cloud Security Is Newprivate datacenter

public cloud



www-4

Cloud Security Is Differentprivate datacenter

public cloud

www-1 www-2 www-3

www-4

www-4


Cloud Security Is Complex

Cloud Provider A

www-7

www-4

www-8

www-5

www-9

www-6

www-10

Cloud Provider B


Private Datacenter



Security Products Aren’t Adapting

Cloud Provider A

www-4 www-5 www-6 Cloud Provider B


Private Datacenter

www-1 www-2 www-3

Temporary & Elastic Deployments

Multiple CloudEnvironments

Metered Usage


Cloud Security Responsibility


Cloud Security Responsibility

Physical Facilities

Hypervisor

Compute & Storage

Shared Network

Virtual Machine

Data

App Code

App Framework

Operating System

Cu

sto

mer

Resp

on

sib

ilityP

rovid

er

Resp

on

sib

ility

“…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...”

“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”

Amazon Web Services: Overview of Security Processes

AWS Shared Responsibility Model


Survey: Cloud Providers

Amazon EC2 Rackspace Terramark GoGrid Other

30%

16%

9%6%

50%

Source: CloudPassage CloudSec Community Survey

Question: Which cloud hosting providers do you use?


Survey: Cloud Security Practices

Open source or custom-de-veloped tools

Commercial Tool

My provider does it for me

Amazon Security Group

We're not securing our cloud servers


Question: How do you secure your cloud servers today?


Survey: Cloud Security Concerns

Enterprise security tools don't work in the cloud

Provider access to guest servers

Achieving compliance with PCI or other standards

Multi-tenancy of infrastructure or applications

Lack of perimeter defenses and/or network control

23%

24%

26%

40%

44%

Multiple Choice


Question: What security concerns are most important to you regarding public cloud computing?


Introducing Halo NetSec


Halo NetSec provides firewalling, 2-factor

authentication, and full automation for the protection of cloud

servers.


Halo NetSec:Dynamic Cloud Firewall


Traditional Perimeter Securityprivate datacenter

DB

Firewall

Load Balancer

App Server

App Server

Load Balancer

App Server

App Server

DB


Dynamic Cloud Firewall

public cloud

Load Balancer

Halo

FW

App Server

Halo

FW

App Server

Halo

FW

DB Master

Halo

FW



public cloud

Load Balancer

Halo

FW

App Server

Halo

FW

App Server

Halo

FW

Load Balancer

Halo

FW

App Server

Halo

FW

DB Master

Halo

FW

DB Slave

Halo

FW


App Server

IP


public cloud

Load Balancer

Halo

FW

App Server

Halo

FW

App Server

Halo

FW

Load Balancer

Halo

FW

App Server

Halo

FW

DB Master

Halo

FW

DB Slave

Halo

FW



public cloud

Load Balancer

Halo

FW

App Server

Halo

FW

App Server

Halo

FW

Load Balancer

Halo

FW

DB Master

Halo

FW

DB Slave

Halo

FW

App Server

IP


Multi-Cloud Firewall

US West Cloud

Private Datacenter

App Server

Halo

FW

App Server

Halo

FW

US East Cloud

App Server

Halo

FW

App Server

Halo

FW

DB

Halo

FW

DB

Halo

DB

Halo

Firewall

DB

Halo

FW


Halo NetSec:GhostPorts 2-Factor Authentication


GhostPorts 2-Factor Auth

YubiKey-generated one-time password

USB token contains no batteries or moving parts

Prevent brute force attacks on SSH and web

applications



ssh

DB Server

Halo

FW



Halo Grid

Clo

ud

Passa

ge H

alo

https

DB Server

Halo

FW



ssh

Halo Grid

https

Clo

ud

Passa

ge H

alo

DB Server

Halo

FW



ssh

ssh

DB Server

Halo

FW


Halo NetSec:Integration API


Halo Reduces Your Workload

Things you DON’T need to script with CloudPassage Halo

Managed Automatically

• Add new server to policy group

• Remove firewall policies when servers are retired

• Scan for vulnerabilities of installed software packages

• Many, many more…

Monitored Continually

• Verify firewall rules match policy

• Alert administrators of missing servers

• Monitor critical server configuration files for security posture

• Many, many more…


Adding New Server Accounts

Halo Grid

Clo

ud

Passa

ge H

alo

RESTful API Gateway

private datacenter

Corporate Directory

Enterprise

Provisioning

System

Security Operation

sPortal

https

www-1

Halo

www-2

Halo

public cloud

GhostPorts Access, Local Server Accounts


Other Cool Halo/API Tricks• Set password reset requirements for a server user account.• Find server accounts that don't have passwords (it happens)• Find those spooky root-owned setuid files.• Generate alerts if PID files go missing.• Generate an alert if someone is in a group they shouldn't be in (like wheel).• Generate massively detailed reports of server configuration status for auditors

(keep 'em busy for weeks).• Get a report of every server that a user *does not* have an account on.• Get a report of every server that a user has an account on.• Get alerted if a new cloud server gets created.• Learn what process that TCP/IP port is bound to.• Make sure that init.d startup scripts can't be tampered with by non-root users.• Make sure that services are not running with excessive privileges.• Monitor servers to detect old user accounts that should have been cleaned up,

but might have gotten missed.

Many, many more at community.cloudpassage.com


CloudPassage Halo Architecture


How It Works

Halo Grid

• Halo Daemon– Ultra light-weight software

– Installed on server image

– Automatically provisioned

• Halo Grid– Elastic compute grid

– Hosted by CloudPassage

– Does the heavy lifting for the Halo Daemons

www-1

www-1

Halo

Halo Daemon


www-4

Halo

www-3

Halo

Alerts, Reports and Trending

www-1

ComputeGrid

UserPortal

https

RESTful API Gateway

https

Clo

udPa

ssag

e

Halo

Policies,Commands, Reports

www-1

Halo

www-2

Halo


Getting Started


CloudPassage Halo Packages

Halo BasicFree security for initial cloud migrations

Halo NetSecFull perimeter protection and security

integration

Halo ProfessionalComprehensive security and compliance

controls

NEW

Features and PricingBasic NetSec Pro

Network Security

Host Firewall Management ✔ ✔ ✔

GhostPorts Multi-Factor Authentication ✔ ✔

Host Security

Server Exposure Monitoring ✔ ✔ ✔

Software Vulnerability Monitoring ✔ ✔ ✔

Account & Access Scanning ✔ ✔ ✔

Cloud Server Event Logging & Alerting ✔ ✔ ✔

File Integrity Monitoring ✔

Data Storage One day Two years(FW events)

Two years(All scans)

Maximum Scanning Frequency Daily Daily Hourly

Integration, Management Support

Web Management Portal ✔ ✔ ✔

RESTful API Access ✔ ✔

Technical Support Community

Professional

Professional

Servers Protected Up to 25 Unlimited Unlimited

Pricing FREE3.5¢/hour

10¢/hour

New!


FREE 5 Minute Setup

Register at cloudpassage.com/regis

ter

Configure security policies in Halo web

portal

Install daemons on cloud servers


Summary

Cloud deployments require a new approach to security

Halo is the only security platform purpose-built for

the cloud

All you need to secure your cloud servers


Q&A Rand [email protected]@randwacker


Thank You!For more information:

[email protected]

Securing Your Cloud Servers with Halo NetSec

Technology

Transcript of Securing Your Cloud Servers with Halo NetSec