Security, Open Stack, Quantum, Software Defined Clouds Roy Campbell Lecture 9.


Transcript of Security, Open Stack, Quantum, Software Defined Clouds Roy Campbell Lecture 9.

Page 1: Security, Open Stack, Quantum, Software Defined Clouds Roy Campbell Lecture 9.

Security, Open Stack, Quantum, Software Defined Clouds

Roy Campbell Lecture 9

Page 2:

Cloud Services

• What cloud services can you think of?

Page 3:

Security as a Service

• Origins: Email Spam
• Today
– Email Filtering
– Web Content Filtering
– Vulnerability Management
– Identity Management as a service
– Etc.

• Naming: SaaS – NOT to be confused with Software as a Service! SecaaS: Security as a Service (Cloud Security Alliance)

https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf

Page 4:

SecaaS Categorization by CSA

CSA: Cloud Security Alliance
1. Identity and Access Management
2. Data Loss Prevention
3. Web Security
4. Email Security
5. Security Assessments
6. Intrusion Management
7. Security Information and Event Management (SIEM)
8. Encryption
9. Business Continuity and Disaster Recovery
10. Network Security

Page 5:

Identity and Access Management (IAM)

• SAML, SPML, XACML, (MOF/ECORE), OAuth, OpenID, Active Directory Federation Services (AD FS 2.0), WS-Federation

• Commercial Cloud Examples
– CA Arcot WebFort
– CyberArk Software Privileged Identity Manager
– Novell Cloud Security Services
– ObjectSecurity OpenPMF (authorization policy automation, for private cloud only)
– Symplified

• Threats addressed
– Identity theft, Unauthorized access, Privilege escalation, Insider threat, Non-repudiation, Excess privileges / Excessive access, Delegation of authorizations / Entitlements, Fraud

Page 6:

Data Loss Prevention

• Monitoring, protecting, and verifying the security of data
• Runs as a client on desktops / servers and enforces rules such as:
– “No FTP” or “No uploads” to web sites
– “No documents with numbers that look like credit cards can be emailed”
– “Anything saved to USB storage is automatically encrypted and can only be unencrypted on another office-owned machine with a correctly installed DLP client”
– “Only clients with functioning DLP software can open files from the fileserver”

• Related to IAM
• Threats Addressed
– Data loss/leakage, Unauthorized access, Malicious compromises of data integrity, Data sovereignty issues, Regulatory sanctions and fines

Page 7:

Web Security

• Real-time protection
– On-premise through software/appliance installation
– Proxying or redirecting web traffic to the cloud provider

• Prevent malware from entering the enterprise via activities such as web browsing

• Mail Server, Anti-virus, Anti-spam, Web Filtering, Web Monitoring, Vulnerability Management, Anti-phishing

• Threats addressed
– Keyloggers, Domain Content, Malware, Spyware, Bot Network, Phishing, Virus, Bandwidth consumption, Data Loss Prevention, Spam

Page 8:

Email Security

• Control over inbound and outbound email
• Enforce corporate policies such as acceptable use and spam
• Policy-based encryption of emails
• Digital signatures enabling identification and non-repudiation
• Services
– Content security, Anti-virus/Anti-malware, Spam filtering, Email encryption, DLP for outbound email, Web mail, Anti-phishing

• Threats addressed
– Phishing, Intrusion, Malware, Spam, Address spoofing

Page 9:

Security Assessments

• Third-party audits of cloud services or assessments of local systems via cloud-provided solutions
• Well defined and supported by multiple standards such as NIST, ISO, and CIS
• Additional Cloud Challenges
– Virtualization awareness of the tool
– Support for common web frameworks in PaaS applications
– Compliance Controls for IaaS, PaaS, and SaaS platforms

• Services
– Internal and / or external penetration test, Application penetration test, Host and guest assessments, Firewall / IPS (security components of the infrastructure) assessments, Virtual infrastructure assessment

• Threats addressed
– Inaccurate inventory, Lack of continuous monitoring, Lack of correlation information, Lack of complete auditing, Failure to meet/prove adherence to Regulatory/Standards Compliance, Insecure / vulnerable configurations, Insecure architectures, Insecure processes / processes not being followed

Page 10:

Intrusion Management

• Using pattern recognition to detect and react to statistically unusual events
• IM tools are mature, however
– virtualization and massive multi-tenancy are creating new targets for intrusion
– this raises many questions about how to implement the same protection in cloud environments
• Services
– Packet Inspection, Detection, Prevention

• Threats addressed
– Intrusion, Malware

Page 11:

Security Information and Event Management (SIEM)

• Accept log and event information
• Correlate and analyze to provide real-time reporting and alerting on incidents / events
• Services
– Log management, Event correlation, Security/Incident response, Scalability, Log and Event Storage, Interactive searching and parsing of log data, Immutable logs (for legal investigations)

• Threats addressed
– Abuse, Insecure Interfaces and APIs, Malicious Insiders, Shared Technology Issues, Data Loss and Leakage, Account or Service Hijacking, Unknown Risk Profile, Fraud
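The correlation step is the part of a SIEM that turns raw log lines into an incident. As an added example (not part of the lecture or of any SIEM product), the Python below parses constructed sshd syslog lines and applies one rule: three or more failed logins from a source address within 60 seconds, followed by a successful login from the same address, raises an alert. The log lines, hostname, addresses (RFC 5737 documentation ranges), year and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# One sshd syslog line, e.g.
# "Mar  3 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)"
)

# Constructed sample log; syslog carries no year, so the parser is given one.
SAMPLE_LOG = [
    "Mar  3 09:50:00 web1 sshd[1100]: Failed password for root from 203.0.113.7 port 50001 ssh2",
    "Mar  3 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Mar  3 10:00:09 web1 sshd[1202]: Failed password for admin from 203.0.113.7 port 51123 ssh2",
    "Mar  3 10:00:18 web1 sshd[1203]: Failed password for deploy from 203.0.113.7 port 51124 ssh2",
    "Mar  3 10:00:31 web1 sshd[1204]: Failed password for deploy from 203.0.113.7 port 51125 ssh2",
    "Mar  3 10:00:40 web1 sshd[1205]: Accepted password for deploy from 203.0.113.7 port 51126 ssh2",
    "Mar  3 10:02:00 web1 sshd[1300]: Failed password for alice from 198.51.100.9 port 40000 ssh2",
    "Mar  3 10:02:05 web1 sshd[1301]: Accepted password for alice from 198.51.100.9 port 40001 ssh2",
    "Mar  3 10:03:00 web1 sshd[1400]: Connection closed by 203.0.113.7",   # not an auth event
]


def parse_events(lines, year=2011):
    """Normalise raw lines into events; lines the parser does not understand are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "user": m["user"], "src": m["src"]})
    return events


def correlate_bruteforce(events, threshold=3, window_s=60):
    """Alert when a source logs in successfully after >= threshold failures within window_s."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "Accepted":
                continue
            failures = [f for f in evs[:i]
                        if f["outcome"] == "Failed"
                        and (e["ts"] - f["ts"]).total_seconds() <= window_s]
            if len(failures) >= threshold:
                alerts.append({"rule": "ssh-bruteforce-success", "src": src, "host": e["host"],
                               "user": e["user"], "failures": len(failures),
                               "at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in correlate_bruteforce(parse_events(SAMPLE_LOG)):
        print(a)
```

The window and threshold are the tunable part of the rule; the failure at 09:50 in the sample falls outside the window and is correctly ignored. The immutable-log requirement on the slide matters for exactly this rule: an attacker who can delete the failed attempts from the host after logging in defeats it, which is why the SIEM keeps its own copy of the events rather than querying the monitored host.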

Page 12:

Encryption

• The process of transforming data with cryptographic algorithms so that only holders of the key can recover it
– Algorithm(s) that are computationally infeasible to break

• Services
– VPN services, Encryption Key Management, Virtual Storage Encryption, Communications Encryption, Application Encryption, Database Encryption, Digital signatures, Integrity validation

• Threats addressed
– Failure to meet Regulatory Compliance requirements, Mitigating insider and external threats to data, Intercepted clear text network traffic, Clear text data on stolen / disposed of hardware, Reducing the risk of and potentially enabling cross-border business opportunities, Reducing perceived risks and thus enabling Cloud adoption by government

Page 13:

Business Continuity and Disaster Recovery

• Ensure operational resiliency in the event of any service interruptions
• Flexible and reliable failover
• Utilize cloud’s flexibility to minimize cost and maximize benefits
• Services
– File recovery provider, File backup provider, Cold site, Warm site, Hot site, Insurance, Business partner agreements, Replication (e.g. Databases)

• Threats addressed
– Natural disaster, Fire, Power outage, Terrorism/sabotage, Data corruption, Data deletion, Pandemic/biohazard

Page 14:

Network Security

• Services that allocate access, distribute, monitor, and protect the underlying resource services
– Address security controls at the network in aggregate, or
– Specifically address them at the individual network of each underlying resource

• In Clouds, likely to be provided by virtual devices alongside traditional physical devices
– Tight integration with the hypervisor to ensure full visibility of all traffic on the virtual network layer is key

• Services
– Firewall (perimeter and server tier), Web application firewall, DDoS protection/mitigation, DLP, IR management, IDS / IPS

• Threats addressed
– Data Threats, Access Control Threats, Application Vulnerabilities, Cloud Platform Threats, Regulatory, Compliance & Law Enforcement

Page 15:

Network Security of IaaS

• IaaS is provided by OpenStack
• Natural question: How is the network organized?
• Answer
– Software defined networks
– Network as a Service (API to describe network services)
– Combination of both

Page 16:

What is OpenFlow?

• OpenFlow is an API
• Control how packets are forwarded
• Implemented on hardware or software switches

[Figure: an OpenFlow switch, drawn as a hardware layer or vswitch running OpenFlow firmware beneath a software layer, with ports 1 to 4. Its flow table is keyed on MAC src, MAC dst, IP src, IP dst, TCP sport, TCP dport and maps each match to an action. A packet from 1.2.3.4 with IP dst 5.6.7.8 arrives; the first packet is sent to the controller over the OpenFlow protocol (1st packet routing), the controller installs the entry "* * * 5.6.7.8 * * -> port 1", and following packets match that entry and are forwarded to port 1 by the switch alone (following packets routing).]
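The figure shows the reactive OpenFlow pattern: a table miss goes to the controller, which installs a flow so that the rest of the connection is switched in the data plane. As an added example (not the lecture's code and not the OpenFlow reference implementation), the Python below models that exchange with the six match fields from the figure, wildcard matching and priorities, and adds a proactively installed higher-priority drop rule (no telnet) to show how a security policy coexists with reactive forwarding. The addresses and port number follow the figure; the controller's host-to-port map and the rule priorities are assumptions of the example.

```python
# Match fields from the flow table in the figure; a value of None is a wildcard (*).
FIELDS = ("mac_src", "mac_dst", "ip_src", "ip_dst", "tcp_sport", "tcp_dport")


class FlowEntry:
    def __init__(self, match, action, priority):
        self.match = {f: match.get(f) for f in FIELDS}
        self.action = action          # ("output", port) or ("drop",)
        self.priority = priority
        self.packets = 0              # per-flow counter, as real switches keep

    def matches(self, pkt):
        return all(v is None or pkt.get(f) == v for f, v in self.match.items())


class OpenFlowSwitch:
    """Data plane: wildcard lookup in the flow table, packet-in to the controller on a miss."""

    def __init__(self, name, controller):
        self.name = name
        self.controller = controller
        self.table = []
        self.packet_ins = 0

    def add_flow(self, match, action, priority=100):
        self.table.append(FlowEntry(match, action, priority))
        self.table.sort(key=lambda e: -e.priority)   # highest priority wins on overlap

    def receive(self, pkt):
        for entry in self.table:
            if entry.matches(pkt):
                entry.packets += 1
                return entry.action
        self.packet_ins += 1                          # table miss -> OpenFlow packet-in
        return self.controller.packet_in(self, pkt)


class Controller:
    """Control plane: decides the first packet of a flow and installs a rule for the rest."""

    def __init__(self, host_ports):
        self.host_ports = host_ports   # assumed topology: destination IP -> switch port

    def packet_in(self, switch, pkt):
        port = self.host_ports.get(pkt["ip_dst"])
        action = ("output", port) if port is not None else ("drop",)
        # Install "* * * <ip_dst> * * -> action" so following packets never leave the switch.
        switch.add_flow({"ip_dst": pkt["ip_dst"]}, action)
        return action


def demo():
    ctl = Controller({"5.6.7.8": 1, "1.2.3.4": 3})
    sw = OpenFlowSwitch("sw1", ctl)
    # Proactive security rule: drop telnet regardless of destination, ahead of any reactive flow.
    sw.add_flow({"tcp_dport": 23}, ("drop",), priority=200)

    pkt = {"mac_src": "00:00:00:00:00:01", "mac_dst": "00:00:00:00:00:02",
           "ip_src": "1.2.3.4", "ip_dst": "5.6.7.8", "tcp_sport": 40000, "tcp_dport": 80}
    first = sw.receive(pkt)                              # miss -> controller -> flow installed
    second = sw.receive(dict(pkt, tcp_sport=40001))     # hits the installed flow in the switch
    telnet = sw.receive(dict(pkt, tcp_dport=23))        # hits the priority-200 drop first
    return {"first": first, "second": second, "telnet": telnet,
            "packet_ins": sw.packet_ins, "table_size": len(sw.table)}


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: the flow table is the enforcement point, so whoever can write to it (the controller, or anyone who can impersonate it on the OpenFlow channel) decides what the network forwards; and every table miss costs a round trip to the controller, so traffic engineered to never match an installed flow (for example, a new source port per packet against a source-port-specific rule) turns the controller into the bottleneck. Keying the reactive rule on destination only, as in the figure, limits the second problem.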

Page 17:

The Stanford Clean Slate Program

http://cleanslate.stanford.edu

[Figure: network diagram showing switches, network links, and control packets.]

Page 18:

The Stanford Clean Slate Program

http://cleanslate.stanford.edu

Page 19:

Quantum: Network as a ServiceQuantum is a “virtual network service”, similar to how Nova is a “virtual machine service”.

[Figure, built up across Pages 19 to 22: Nova creates VMs (VM1, VM2, VM3); Quantum creates networks (Net1, Net2); interfaces are then attached to connect the VMs to the networks.]

Page 23:

What is Quantum?

• A standalone OpenStack service
• Provides network connectivity between a set of network “interfaces” from other services (e.g., vNICs from compute service, interfaces on a load-balancer service).
• Exposes API of logical abstractions for describing network connectivity + policy between interfaces.
• Uses a “plug-in” architecture, so multiple technologies can implement the logical abstractions.
• Provides a “building block” for sophisticated cloud network topologies.
• Does NOT provide advanced services like load-balancers, firewalls, etc. These things can “plug” into a network offered by Quantum.

Page 24:

Example Architecture: Two Services

[Figure: the Quantum Service exposes a Tenant API and contains a Quantum Plugin; the Compute Service (VMs on vswitches) and the Firewall Service (FW instances) each expose their own Tenant API and talk to the plugin through internal plugin communication; a physical switch connects the vswitches. The Network Edge is the point at which a service “plugs” into the network.]

Page 25:

Virtual Network Abstractions (1)

• Services (e.g., nova, atlas) expose interface-IDs via their own tenant APIs to represent any device from that service that can be “plugged” into a virtual network.
– Example: nova.foo.com/<tenant-id>/server/<server-id>/eth0

• Tenants use Quantum API to create networks, get back UUID:
– Example: quantum.foo.com/<tenant-id>/network/<network-id>

• Tenants can create ports on a network, get a UUID, and associate config with those ports (APIs for advanced port config are TBD, initially ports give L2 connectivity):
– Example: quantum.foo.com/<tenant-id>/network/<network-id>/port/<port-id>

• Tenants can “plug” an interface into a port by setting the attachment of a port to be the appropriate interface-id.
– Example: set quantum.foo.com/<tenant-id>/network/<network-id>/port/<port-id>/attach to value “nova.foo.com/<tenant-id>/server/<server-id>/eth0”.

Page 26:

Virtual Network Abstractions (2)

• Note: At no time does the customer see details of how a network is implemented (e.g., VLANs).
• Association of interfaces with network is an explicit step.
• Plugins can expose API extensions to introduce more complex functionality (e.g., QoS). Extension support is queryable, so a customer can “discover” capabilities.
• API extensions that represent common functionality across many plug-ins can become part of the core API.
• Core API for Diablo is simple, focused on connectivity. Core API will evolve.

Page 27:

Why Quantum?

• API gives ability to create interesting network topologies.
– Example: create multi-tier applications

• Provides a way to interconnect multiple OpenStack services (*-aaS).
– Example: Nova VM + Atlas LB on same private network.

• Open the floodgates to let anyone build services (open or closed) that plug into OpenStack networks.
– Examples: VPN-aaS, firewall-aaS, IDS-aaS.

• Allows innovative plugins that overcome common cloud networking problems
– Example: avoid VLAN limits, provide strong QoS

Page 28:

Quantum + OVSwitch Demo

• Quantum running Open vSwitch Plugin
• Nova uses QEMU w/ libvirt for compute
• Experimental Nova Quantum NetManager
• Single-node setup, with automated script, derived from Vish’s nova.sh script.
• Uses “simple quantum orchestrator” script (sqo.py) that speaks to Quantum/Nova APIs

Page 29:

Demo Scenario

Example Orchestrator (sqo.py) Commands:
• create-network public-net
• create-network private-net
• create-server web1=public-net,private-net
• create-server web2=public-net,private-net
• create-server db1=private-net

[Figure: web1 and web2 are attached to both public-net and private-net; db1 is attached to private-net only.]

Other tips:
• To view allocated IPs run “show” cmd.
• VMs can be reached directly using SSH or VNC (root password is “password”)
• To clear all existing setup, run “delete” cmd.
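The abstractions on the two Virtual Network Abstractions slides and the sqo.py commands above fit together as follows. The code below is an added example written for this page; it is neither sqo.py nor Quantum's implementation. It models the core API (create a network, create a port on it, set the port's attachment to an interface-id in the nova.foo.com/<tenant-id>/server/<server-id>/eth0 form), keeps the plugin's VLAN assignment server-side so that it is never returned to a tenant, enforces that every network is scoped to its tenant and that an interface can be plugged into only one port, and then drives the demo topology with the same create-network / create-server commands. The tenant name, the VLAN allocation scheme and the L2-reachability helper are assumptions of the example.

```python
import uuid


class QuantumService:
    """Model of Quantum's core API: tenant-scoped networks, ports, and port attachments."""

    def __init__(self):
        self.networks = {}      # network_id -> {"tenant", "name", "ports": {port_id: interface_id|None}}
        self.attached = {}      # interface_id -> (network_id, port_id); an interface plugs in once
        self._vlan_of = {}      # plugin-internal implementation detail, never returned via the API
        self._next_vlan = 100   # assumed allocation scheme

    def create_network(self, tenant, name):
        net_id = str(uuid.uuid4())
        self.networks[net_id] = {"tenant": tenant, "name": name, "ports": {}}
        self._vlan_of[net_id] = self._next_vlan
        self._next_vlan += 1
        return net_id

    def _net(self, tenant, net_id):
        """Every call is scoped to <tenant-id>: another tenant's network looks like it does not exist."""
        net = self.networks.get(net_id)
        if net is None or net["tenant"] != tenant:
            raise PermissionError(f"network {net_id} not found for tenant {tenant}")
        return net

    def create_port(self, tenant, net_id):
        port_id = str(uuid.uuid4())
        self._net(tenant, net_id)["ports"][port_id] = None
        return port_id

    def plug(self, tenant, net_id, port_id, interface_id):
        """Set .../network/<net>/port/<port>/attach to the interface-id (the explicit association step)."""
        ports = self._net(tenant, net_id)["ports"]
        if port_id not in ports:
            raise KeyError(f"no port {port_id} on network {net_id}")
        if ports[port_id] is not None:
            raise ValueError("port already has an attachment")
        if interface_id in self.attached:
            raise ValueError("interface is already plugged into another port")
        ports[port_id] = interface_id
        self.attached[interface_id] = (net_id, port_id)

    def show_network(self, tenant, net_id):
        net = self._net(tenant, net_id)
        return {"id": net_id, "name": net["name"], "ports": dict(net["ports"])}   # no VLAN exposed


class Orchestrator:
    """Drives the API with the create-network / create-server commands from the demo slide."""

    def __init__(self, tenant):
        self.tenant = tenant
        self.quantum = QuantumService()
        self.nets = {}       # network name -> network_id
        self.servers = {}    # server name -> [interface_id, ...]

    def create_network(self, name):
        self.nets[name] = self.quantum.create_network(self.tenant, name)

    def create_server(self, spec):
        name, net_names = spec.split("=")
        ifaces = []
        for i, net_name in enumerate(net_names.split(",")):
            iface = f"nova.foo.com/{self.tenant}/server/{name}/eth{i}"   # interface-id form from the slide
            net_id = self.nets[net_name]
            port_id = self.quantum.create_port(self.tenant, net_id)
            self.quantum.plug(self.tenant, net_id, port_id, iface)
            ifaces.append(iface)
        self.servers[name] = ifaces

    def l2_reachable(self, a, b):
        """Two servers share L2 connectivity only if an interface of each sits on the same network."""
        nets_a = {self.quantum.attached[i][0] for i in self.servers[a]}
        nets_b = {self.quantum.attached[i][0] for i in self.servers[b]}
        return bool(nets_a & nets_b)

    def run(self, commands):
        for cmd in commands:
            verb, arg = cmd.split(" ", 1)
            {"create-network": self.create_network, "create-server": self.create_server}[verb](arg)
        return self


DEMO_COMMANDS = [
    "create-network public-net",
    "create-network private-net",
    "create-server web1=public-net,private-net",
    "create-server web2=public-net,private-net",
    "create-server db1=private-net",
]


def run_demo(tenant="tenantA"):
    return Orchestrator(tenant).run(DEMO_COMMANDS)


if __name__ == "__main__":
    o = run_demo()
    print("web1 <-> db1 on a shared network:", o.l2_reachable("web1", "db1"))
```

The security value of the abstraction is in what the tenant cannot do: db1 is reachable only through a host that also sits on private-net, a tenant cannot create a port on (or even see) another tenant's network, and the VLAN the plugin chose never crosses the API, so the isolation does not depend on tenants behaving.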

Page 30:

Running the Demo

• To run the demo yourself, see:
– http://wiki.openstack.org/QuantumOVSDemo

• Requires a 64-bit Ubuntu Natty VM.
• Installation + setup is completely automated.

Page 31:

Virtual Cloud

• Can build virtual switching topologies using OpenFlow
• Can create networking services – firewalls, load balancers, secure interconnects…
• Can create IaaS stacks
• Can connect SDNetworks to SDStacks at various levels of abstraction (SaaS, PaaS…)
• Define SD Cloud architectures for security, and other purposes

Page 32:

Back to Network Security

Page 33:

Back to Network Security

• Policies about the configurations of the infrastructure are used for specifying security and availability requirements
– A critical device should be placed within a security perimeter
– Unprotected devices should not communicate with machines running critical services
– Computation on confidential data must be performed on hosts under the control of DoD

• Policy-driven approach has been taken by FISMA, PCI-DSS, NERC

Requirements:
– Scalability
– Real-time detection of violations
– Monitoring itself needs to be secure
– Information needs to be shared across cloud providers

Page 34:

Policy Distribution

[Figure: architecture diagram of the Middleware for Assured Clouds, with components: Policy Distribution; Reaction Agents; Odessa Agents and a NetOdessa Agent; External Event Aggregators; DORA Subsystem; Trust Calculation Module (Trustworthiness of Workflows); Risk Assessment Modules; Distance from Compliance Calculation; Formal Design and analysis of Assured Mission Critical Computations; Evaluation on a distributed networked test-bed.]

Page 35:

Reaction Agents are part of the Middleware

When a policy violation is detected
• Security, availability, or timeliness requirements might not be satisfied
• We need to reconfigure the system

We implemented a cloud-based OpenFlow reaction agent

[Figure: a violation is delivered to the Reaction Agent, which obtains flow information from the OpenFlow controller and sends reconfigurations back to it.]
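The policy rules on the Back to Network Security slide and the reaction agent above combine into a monitor-then-reconfigure loop. As an added example (not the Odessa/DORA middleware and not the lecture's reaction agent), the Python below evaluates two of those policies over a constructed host inventory and a constructed list of flows as a controller would report them, and has the reaction agent turn each violating pair into OpenFlow drop rules rendered in ovs-ofctl add-flow syntax that a controller could push to an Open vSwitch. The inventory, zone names, addresses and flow list are made up; the DoD rule is left out.

```python
# Constructed inventory, as a monitoring agent on each host would report it.
HOSTS = {
    "10.0.1.10": {"name": "db1", "critical": True, "zone": "dmz", "protected": True},
    "10.0.1.11": {"name": "web1", "critical": False, "zone": "dmz", "protected": True},
    "10.0.1.12": {"name": "hr-db", "critical": True, "zone": "guest", "protected": True},
    "10.0.2.20": {"name": "kiosk", "critical": False, "zone": "guest", "protected": False},
}
PERIMETER_ZONES = {"dmz", "core"}   # assumed: zones that count as "within a security perimeter"

# Constructed flow information as the OpenFlow controller would report it: (src ip, dst ip).
OBSERVED_FLOWS = [
    ("10.0.1.11", "10.0.1.10"),   # web1 -> db1: protected to critical, allowed
    ("10.0.2.20", "10.0.1.10"),   # kiosk -> db1: unprotected to critical, violation
    ("10.0.2.20", "10.0.1.11"),   # kiosk -> web1: web1 is not critical, allowed
    ("192.0.2.5", "10.0.1.10"),   # source not in inventory: reported, not judged
]


def check_placement(hosts):
    """Policy: a critical device should be placed within a security perimeter."""
    return [ip for ip, h in hosts.items() if h["critical"] and h["zone"] not in PERIMETER_ZONES]


def check_flows(hosts, flows):
    """Policy: unprotected devices should not communicate with machines running critical services."""
    violations, unknown = [], []
    for src, dst in flows:
        s, d = hosts.get(src), hosts.get(dst)
        if s is None or d is None:
            unknown.append((src, dst))          # inventory gap: cannot evaluate, must not silently pass
            continue
        if d["critical"] and not s["protected"]:
            violations.append((src, dst))
    return violations, unknown


def reaction_rules(violations, priority=500):
    """Reaction agent: one drop rule per direction for every violating pair."""
    rules = []
    for src, dst in violations:
        for a, b in ((src, dst), (dst, src)):
            rules.append({"priority": priority, "dl_type": 0x0800,
                          "nw_src": a, "nw_dst": b, "actions": []})
    return rules


def ovs_ofctl_line(rule):
    """Render a rule in `ovs-ofctl add-flow` syntax; `ip` is the shorthand for dl_type=0x0800."""
    actions = ",".join(rule["actions"]) or "drop"
    return (f"priority={rule['priority']},ip,nw_src={rule['nw_src']},"
            f"nw_dst={rule['nw_dst']},actions={actions}")


def react(hosts, flows):
    """Monitor-then-reconfigure loop: evaluate the policies, return reconfigurations for the controller."""
    violations, unknown = check_flows(hosts, flows)
    return {
        "misplaced_critical": check_placement(hosts),
        "flow_violations": violations,
        "unknown_endpoints": unknown,
        "reconfigurations": [ovs_ofctl_line(r) for r in reaction_rules(violations)],
    }


if __name__ == "__main__":
    for line in react(HOSTS, OBSERVED_FLOWS)["reconfigurations"]:
        print(line)
```

The rules are installed at a priority above the reactive forwarding flows so that they win on overlap. The slide's requirement that monitoring itself be secure shows up directly here: the agent acts on inventory attributes and flow reports, so an attacker who can spoof either (mark a host unprotected, or report a fictitious flow) can make the agent cut legitimate hosts off from the critical service, turning the defence into a denial of service. The unknown-endpoint list exists for the same reason; a flow the agent cannot classify is a finding, not a pass.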

Page 36:

To Read Further

• Roy H. Campbell, Mirko Montanari, Reza Farivar, Middleware for Assured Clouds, Journal of Internet Services and Applications, 2011.

• Mirko Montanari, Roy H. Campbell, Attack-resilient Compliance Monitoring for Large Distributed Infrastructure Systems, IEEE International Conference on Network and System Security (NSS), Sept 2011.

• Mirko Montanari, Ellick Chan, Kevin Larson, Wucherl Yoo, Roy H. Campbell, "Distributed Security Policy Conformance," IFIP SEC 2011, Lucerne, Switzerland, June 2011.