7/31/2019 skylabv2
1/56
Project Skylab: Helping You Get Your Cloud On
Craig Balding, Founder, cloudsecurity.org
Last year at Brucon, I talked about Cloud Security and broke new ground through using the Beer and Brewing as an analogy for cloud computing. The climax of that talk was significant after-cloud.
But as I sat there in the speaker room as the make-up crew and hairstylists did the best they could in the circumstances, I made myself a promise. If I got selected to talk in 2010 I would take things more seriously.
No More Gimmicks
Cloud Security is not a laughing matter.
No more clowning around.
Sorry
But my apology is two-fold. My blatant lies about gimmicks to one side...
The Cloud Security Broken Record
I was starting to feel like a stuck record, going on about high level cloud security issues.
I became an expert source on all things cloud security and strangely enough: cloud.
Again, sorry...
I promise to mend my ways. Hence, the birth of my Skylab project. Rather than just talking about it, let's do something with it. Something useful, something that might just draw you into my cloud...
But I wasn't just challenging myself with Skylab. I'm challenging you, my fellow infosec pros. Perhaps you're ignoring cloud, hoping it will just blow over. Or maybe, you've convinced yourself you're so busy, you just don't have time to get into it. Or perhaps, you just haven't seen the writing on the wall or believe it's another dot com bust in the making.
Cloud Is Coming
I'm not here to make predictions about cloud. Personally, I see writing on the wall, but I'm not trying to convince you of that. Rather, I want to ask you a question.
What Are You Doing To Keep Up?
What are you doing to keep up? Cloud is just the latest big thing. But before that we had virtualization, we had VoIP, we had converged networking. I think we all need to challenge ourselves a little more. Seek our own truths as it were. Stop paying attention and reacting to the endless media sound bites by people that clearly don't get security. Do original research. Apply the new technologies for ourselves before the people that pay our wages do...
This boils down to something really simple. We have to find our Droids. Each of us has droids to seek out. What Droids are you looking for? How hard are you looking? What are you waiting for? Don't wait till you feel you're good enough or until you have more free time. I hope to offer you something that may make you change your mind.
For me, I wanted to commit a little more to building something. I wanted to find out what cloud technology I could use right now to do something useful for my own R&D purposes. There are many things that can get in your way, but one big one is....
Friction is the enemy of your imagination. I don't know about you, but for me it's not having the right set-up at the right time. I'm always trading one resource for another. My free disk space is *always* on the wrong machine. I can never run enough virtual machines... Not only that, I have whims. I also have a Wim (looks at Wim), but they are mostly 2 different things...
I have kites I want to fly. I have ideas I want to quickly test. But most of them never see the light of day, which makes me feel sad and deprives me of valuable learning lessons. Why? Because of friction. Infrastructure friction. Changing my test network setup is a pain. I'll have to shuffle resources around and make compromises as I don't have an army of machines to play with. I'll have to make do and collapse multiple workloads onto single machines. Virtual machines have certainly helped - they've given me more options than I had before. But at the same time virtual compute has highlighted that I can never own enough hardware (I just want to run one more). Plus I've got the virtual headache of managing an ever increasing stable of virtual machine images. I want my infrastructure to be malleable like code and my operations to be automated. Or to put it another way, I need some serious lubrication.
Prior Art
Along came project Skylab. This is my meta-idea. The idea that can help bring my other ideas to life. Skylab will help me fail faster and cheaper than I can today. This isn't pessimism, this is how great ideas come to be - you just have to let all the bad ones get themselves out of you first.
Motives
Learn
Get Practical
Home Server RIP
Geekin Out
Open Source
Community Project
3 Questions For You
Do you use cloud storage?
Have you booted a machine in a public cloud?
Have you played with cloud network overlays?
Wannabe Cloudtroopers
Come to the dark side my friends. Embrace the cloud. Or at least dip your toe in it so you can back up whatever opinion you proffer. If that doesn't convince you, I'm offering free sea-shell hats for cloud converts.
On Demand Test Labs
So Skylab is about on demand test labs. I'm sure you can think of times when having an inflatable test lab that you can spin up and shut down when you want could be pretty darn handy.
Target practice
Testing new/updated tools
NIDS/NIPS testing
Exploit testing
On the offense side of security, there is target practice. Don't be a dummy and ride exploits bareback. Tut tut. Always practice in a lab. For every action there is a reaction. Observe, learn, practice, profit. For your career will not be cut short... But it's not just pen-test labs... Capture the Flag, hands-on practicals when hiring so-called experienced pen-testers etc.
Assurance Testing
Package Golden Image as AMI
Upload, launch [1...n]
Apply patches, workarounds & run tests
Then on the defensive side of the house, what about somewhere to test your mitigating controls... or heaven forbid, patches! Deploying new security tools? Again, good to have a lab. Or 3. Or 7.
During a Pen-Test?
Need a disposable IP? Need to run a phishing scam? The latest svn update from the Social Engineer Toolkit burning a hole in your toolkit?
What's your use case?
It's a Commodity
The key to remember when thinking about cloud is that it's a commodity. You get what you pay for. But sometimes, commodity is just what you want.
Infrastructure as a Service
So what are we talking about? We're talking about using infrastructure as a service to create on-demand test labs. We're intentionally confining ourselves to just 1 layer of the cloud services model: we're ignoring Platform as a Service and Software as a Service. In fact, Skylab itself will have attributes of platform and software as a service in terms of doing some of the heavy lifting for you.
Design
Let's touch on some design principles.
Design Principles
Hit common use cases
On demand
Infrastructure as code ("agility")
Cost-conscious
Hardware reuse: bring your own lab, or not
Design Principles
Hypervisor agnostic: Xen, KVM, VMware
Security test lab "features"
Freedom: open source
Pragmatic: don't reinvent infrastructure wheels
Scriptable & Fun
Shopping for a Cloud Platform
OPEN?
API
Core
Source
Development
Decision Making
Private/Public/Hybrid
Private
Hybrid
RH Delta-cloud
Turbo-charge your hybrid cloud with Red Hat's Deltacloud... access more cloud providers.
Don't Forget
Leaving cloud compute instances running at the cloud provider does actually cost money. It is surprisingly easy to do though. Do it once and you'll feel stupid, do it twice and you'll find yourself writing a script to remind you not to feel stupid :)
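A reminder script of the kind the note above describes, as an added example (not Skylab's own code): it takes a list of instance records, flags the running ones older than a threshold, and skips anything deliberately tagged to keep. The records below are constructed sample data shaped roughly like what an EC2 instance listing returns; the instance ids and the skylab:keep tag name are assumptions.

```python
"""Reminder for forgotten lab instances (added example, not Skylab's code)."""
from datetime import datetime, timezone

# Constructed sample records; the ids, names and tag key are made up.
SAMPLE_INSTANCES = [
    {"id": "i-aaaa0001", "state": "running", "launch_time": "2010-09-24T08:00:00Z",
     "tags": {"Name": "victim-win2k3"}},
    {"id": "i-aaaa0002", "state": "running", "launch_time": "2010-09-24T20:30:00Z",
     "tags": {"Name": "visibility-splunk", "skylab:keep": "true"}},  # long-lived on purpose
    {"id": "i-aaaa0003", "state": "stopped", "launch_time": "2010-09-20T08:00:00Z",
     "tags": {}},                                                    # stopped: not billed for compute
    {"id": "i-aaaa0004", "state": "running", "launch_time": "2010-09-25T01:12:00Z",
     "tags": {"Name": "attacker-bt4"}},                               # only 48 minutes old
]
# Fixed clock so the sample is reproducible; a real run would use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2010, 9, 25, 2, 0, tzinfo=timezone.utc)


def parse_launch_time(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_forgotten_instances(instances, now, max_hours=4, keep_tag="skylab:keep"):
    """Return [(instance_id, hours_running), ...] for running instances older than
    max_hours, oldest first. Instances tagged keep_tag=true are exempt."""
    found = []
    for inst in instances:
        if inst["state"] != "running":
            continue
        if inst.get("tags", {}).get(keep_tag, "").lower() == "true":
            continue
        hours = (now - parse_launch_time(inst["launch_time"])).total_seconds() / 3600
        if hours > max_hours:
            found.append((inst["id"], round(hours, 1)))
    found.sort(key=lambda item: item[1], reverse=True)
    return found


def format_reminder(forgotten):
    """Render the findings as the text you would mail or print to yourself."""
    if not forgotten:
        return "All clear: no forgotten instances."
    lines = ["Still running (you are paying for these):"]
    lines.extend(f"  {iid}  {hours:.1f}h" for iid, hours in forgotten)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_reminder(find_forgotten_instances(SAMPLE_INSTANCES, SAMPLE_NOW)))
```

In practice you would feed it the live instance list from the provider's API on a cron schedule and lower max_hours to whatever a typical lab session lasts.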
Terms of Service
Know the terms of service of your hosting and/or cloud provider. Check the clauses about introduction of malware in particular.
Cloud Networking
Public Cloud Networking 101
One NIC Per VM
Limited Routing
Basic Firewalls
Use cases
Overlay Networks
An overlay network is a computer network which is built on top of another network. Nodes in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.
Source: http://en.wikipedia.org/wiki/Node_%28networking%29
Amazon recently opened up their Virtual Private Cloud, currently beta.
This is a cloud provider specific network overlay.
Hook up your existing network. Software VPN on your side, hardware on their side.
All traffic traverses the customer gateway - no Internet access from within VPC.
Can use existing AMIs and Elastic Block Storage.
Amazon rapidly innovating - keep up with release details!
VPNCubed
The first overlay network service for the cloud market.
Based on OpenVPN, uses CohesiveFT created VMs as cloud VPN endpoints.
Supports multicast.
Cross connect clouds, extend your home/business network.
Supports Amazon EC2 and GoGrid.
Config Management
Chef from Opscode
The Practical Bit (wakey, wakey)
DEMO: Sneak Peek
TO DO
Establish Amazon VPC Connection
Build Visibility VM (Splunk + extras)
Chef Recipes for Security Extras & CM
Build Range of Victim/Enterprise VMs
Create easy DC Creator front-end script
Futures
Beyond x86
Multi-provider
Documentation
VMware Support
Enhanced routing
Explore ecosystem
Improved Automation
Define more Use Cases
More Security Related AMIs
cloudsecurity.org
Check out cloudsecurity.org/resources for recommended reading on cloud security.
Project Updates
Recently created the cloud security forum (cloudsecurity.org/forum) - an independent hangout for IT and IT security people to discuss cloud security issues.
Topic areas are laid out as per the CSA security domains.
There's a dedicated forum for Skylab which I'll be posting to with progress updates.
If you have suggestions for Skylab, please share them with me there.
Credits
Stormtroopers: Stefan, http://stormtroopers365.com/
Creators of KVM, Xen, Qemu, libvirt, OpenNebula, DeltaCloud, Chef, libcloud
Stefan made some great images and all credit is due to him.
I'm also extremely grateful for all the open source software I'm gluing together for this project. Skylab would have been very difficult, if not impossible, for a sole person to piece together without all the effort from numerous developers.
Questions?
[email protected] / @craigbalding