Use Case : Cloud Security Design and Implementation

Posted on 13-May-2015


DESCRIPTION

A developer cloud should offer several measures of security to ensure that each user's data, applications, and network remain private. Given that virtualization technologies revolve around resource sharing, it is even more important to provide security at different levels in a developer cloud. In parallel, the integrity of the machines implementing the developer cloud should be ensured at all times in order to detect, prevent, and avoid any attacks from intruders. For more information see: http://www.oracle.com/technetwork/systems/hands-on-labs/hol-oracle-solaris-remote-lab-1894053.html

Transcript

1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved.

Use Case: Cloud Security Design and Implementation

Orgad Kimchi, ISV Engineering

Oracle Solaris 11


The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.


Security Challenges

• Securing data at rest, in transit, and in use
• Minimize the operating system attack surface
• Prevent denial of service attacks against the infrastructure
• Segregate network traffic between different cloud users
• Disable hostile code (e.g. 'rootkit' attacks)
• Secure data deletion once we are done with our project


Concerns With Public Cloud Computing (chart)

Source: http://blogs.gartner.com/neil_macdonald/2010/12/16/security-is-the-top-concern-for-public-cloud-but-what-does-that-really-mean/


Oracle Solaris Remote Lab

• Solaris Network Virtualization
  – Segregate network traffic & secure VLAN per user
• Solaris Zones
  – Isolates partner VMs in a secure environment
• Solaris ZFS
  – Rapid & secure deployment of images in partner VMs
• Secure Global Desktop
  – Separates communication channels

A secure cloud environment built on Solaris technologies, now in the cloud


Cryptography


Cryptographic Acceleration: Oracle SPARC T4 Processor

• Scalable performance
  – On-core, unprivileged cryptographic instructions
  – OpenSSL 5x faster than IBM POWER7
  – ZFS encryption is 3x faster than Intel
• Most industry-standard algorithms
  – Public key encryption: RSA, DSA, ECC, DH
  – Symmetric key encryption: AES, 3DES, DES, Kasumi, Camellia
  – Message digests: CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
  – Random number generation (FIPS 140-2 compliant)


SPARC T4 Cryptographic Acceleration: Significant Performance Gains for SSL

• Two-way SSL
• RSA-2048
• AES-256


ZFS: Next Generation File System (Scalability)

• Immense capacity (128-bit)
  – ZFS capacity: 256 quadrillion ZB (1 ZB = 1 billion TB)
  – Exceeds quantum limit of Earth-based storage
• Dynamic metadata
  – No limits on files, directory entries, snapshots, etc.
  – No tuning parameters to enable expansion
  – Parallel, constant-time directory operations
• Pooled design – continuous future growth


ZFS Encryption

• Encryption policy is set at the ZFS data set level

• Supports delegation of key management operations

• Leverages a dual key model: wrapping vs. encryption key

• Variety of options for format/location of the wrapping key

• Wrapping key inherited by child data sets


ZFS Encryption Example

# zfs create -o encryption=on -o dedup=on -o compression=on rpool/scratch
Enter passphrase for 'rpool/scratch':
Enter again:
# zfs get encryption,keysource,dedup,compression rpool/scratch
NAME           PROPERTY     VALUE              SOURCE
rpool/scratch  encryption   on                 local
rpool/scratch  keysource    passphrase,prompt  local
rpool/scratch  dedup        on                 local
rpool/scratch  compression  on                 local
# zfs key -u rpool/scratch
# zfs mount rpool/scratch
Enter passphrase for 'rpool/scratch':
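The `zfs get` output above is what an operator reviews across a whole pool before trusting that partner data is encrypted. The script below is an added example (not from the slides or from Oracle) that reads the scripting-mode form of that output, `zfs get -H -o name,property,value encryption,keysource -r rpool`, and flags datasets that are unencrypted or whose key source is `passphrase,prompt`, which needs a person at the console at every mount and so fits neither unattended reboots nor delegated key management. The embedded sample is constructed: rpool/scratch and rpool/zones come from the deck, rpool/export is an assumed name.

```shell
#!/bin/sh
# Added example: audit ZFS encryption policy from `zfs get` scripting output.
# Expected input lines (tab separated), as produced on Solaris 11 by
#   zfs get -H -o name,property,value encryption,keysource -r rpool
#     <dataset>  <property>  <value>

# Emit one line per dataset: dataset, encryption, keysource, verdict.
zfs_key_report() {
    awk -F'\t' '
        $2 == "encryption" { enc[$1] = $3; order[++n] = $1 }
        $2 == "keysource"  { ks[$1] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                ds = order[i]
                if (enc[ds] == "off") {
                    verdict = "UNENCRYPTED"      # plaintext on disk; no assured deletion
                } else if (ks[ds] == "passphrase,prompt") {
                    verdict = "INTERACTIVE-KEY"  # key must be typed at each mount
                } else {
                    verdict = "ok"
                }
                printf "%s\t%s\t%s\t%s\n", ds, enc[ds], ks[ds], verdict
            }
        }'
}

# Count report lines carrying a given verdict (for scripted checks).
count_verdict() {
    awk -F'\t' -v want="$1" '$4 == want { c++ } END { print c + 0 }'
}

# Constructed sample standing in for a real `zfs get` run; rpool/export is an
# assumed dataset name added to show the unencrypted case.
sample_zfs_get() {
    printf 'rpool/scratch\tencryption\ton\n'
    printf 'rpool/scratch\tkeysource\tpassphrase,prompt\n'
    printf 'rpool/zones\tencryption\taes-128-ccm\n'
    printf 'rpool/zones\tkeysource\traw,pkcs11:object=zoneroot\n'
    printf 'rpool/export\tencryption\toff\n'
    printf 'rpool/export\tkeysource\tnone\n'
}

# Stand-alone run: print the report and warn if anything is unencrypted.
report=$(sample_zfs_get | zfs_key_report)
printf '%s\n' "$report"
[ "$(printf '%s\n' "$report" | count_verdict UNENCRYPTED)" -eq 0 ] || echo "WARNING: unencrypted datasets present"
```

On a real host replace `sample_zfs_get` with the `zfs get -H ...` pipeline; the report is tab separated so it drops straight into a cron job or a configuration-check tool.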


Assured Deletion with ZFS Encryption

# zfs create -o encryption=on rpool/scratch
Enter passphrase for 'rpool/scratch':
Enter again:
# zfs key -c -o keysource=raw,file:///dev/random rpool/scratch
# zfs get keysource rpool/scratch
NAME           PROPERTY   VALUE                   SOURCE
rpool/scratch  keysource  raw,file:///dev/random  local
# zfs key -u rpool/scratch
# zfs destroy rpool/scratch
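The sequence above only gives assured deletion if the rekey to `raw,file:///dev/random` actually took effect before the destroy; otherwise the freed blocks are still protected by a wrapping key someone can reproduce from the passphrase. The shell function below is an added example (not Oracle's code) that wraps the same `zfs` commands and refuses to run `zfs destroy` unless `keysource` reads back as the random source. `ZFS_CMD` defaults to the real `zfs`; the `stub_zfs` function, the log path and the `rehearse` helper are assumptions added so the guard can be exercised on a machine without ZFS.

```shell
#!/bin/sh
# Added example: guard the assured-deletion sequence from the slide so the
# dataset is destroyed only after the wrapping key was verifiably replaced.
# ZFS_CMD names zfs(1M) by default; a stub is provided for rehearsal.
ZFS_CMD=${ZFS_CMD:-zfs}

assured_delete() {
    ds=$1
    # 1. Re-wrap the data key with bytes read once from /dev/random. Nothing
    #    records those bytes, so after this step nobody can unwrap the data key.
    "$ZFS_CMD" key -c -o keysource=raw,file:///dev/random "$ds" || return 1
    # 2. Confirm the property really changed before doing anything destructive.
    ks=$("$ZFS_CMD" get -H -o value keysource "$ds") || return 1
    [ "$ks" = "raw,file:///dev/random" ] || return 2
    # 3. Unload the key from the kernel, then destroy the dataset. Freed blocks
    #    remain ciphertext under a key nobody holds.
    "$ZFS_CMD" key -u "$ds" || return 1
    "$ZFS_CMD" destroy "$ds"
}

# Stub standing in for zfs(1M): logs each invocation and answers `zfs get
# keysource` with $STUB_KEYSOURCE so both outcomes can be exercised.
STUB_LOG=${TMPDIR:-/tmp}/assured_delete_stub.$$
STUB_KEYSOURCE=raw,file:///dev/random
stub_zfs() {
    printf 'zfs %s\n' "$*" >> "$STUB_LOG"
    if [ "$1" = "get" ]; then printf '%s\n' "$STUB_KEYSOURCE"; fi
    return 0
}

# Rehearse against the stub; $1 is the keysource the stub will report after
# the rekey. Returns the status of assured_delete (0 = destroyed, 2 = refused).
rehearse() {
    : > "$STUB_LOG"
    ( ZFS_CMD=stub_zfs; STUB_KEYSOURCE=$1; assured_delete rpool/scratch )
}

# Path of the stub log, for callers that want to inspect which commands ran.
stub_log_path() { printf '%s\n' "$STUB_LOG"; }

# Stand-alone run: the rekey "takes" in the first rehearsal but not the second.
rehearse raw,file:///dev/random && echo "rehearsal 1: destroyed; commands issued:" && cat "$STUB_LOG"
rehearse passphrase,prompt || echo "rehearsal 2: refused with status $?"
rm -f "$STUB_LOG"
```

The return codes are deliberate: 1 means a `zfs` command itself failed, 2 means the rekey did not land, which is the case an operator must not paper over with a plain `zfs destroy`.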


Encrypted Swap and /tmp

$ awk '($4 == "swap") { print; }' /etc/vfstab
/dev/zvol/dsk/rpool/swap  -  -  swap  -  no  encrypted
$ swap -l
swapfile     dev    swaplo  blocks   free
/dev/lofi/1  145,1  8       2097128  2097128
$ lofiadm
Block Device  File                     Options
/dev/lofi/1   /devices/pseudo/zfs@0:2  Encrypted


Networking


Network Secure by Default

• Expose only required services to the network
  – Reduce the operating system network footprint
  – Most services are disabled; a few are set to "local only"
• Integrated with Service Management Facility (SMF)
  – Common administrative model for all service operations
  – Fully customizable based upon unique site requirements
• Foundation for additional protections and configuration


Network Architecture Strategies


Network Virtualization: Network Segregation

• Using network VLANs
• Combine with physical switches
• Layer 2 segregation
• Example: create VNIC vnic2 on net0 tagged with VLAN ID 2
  # dladm create-vnic -l net0 -v 2 vnic2


IP Filters

• Ability to configure which ports are open between systems
• Simple to configure and runs as an SMF service
• Can configure direction as well as ports


Network Resource Management: Control the Uncontrollable

• Introducing network resource control
  – Bandwidth control
  – Flow control
• Split up large network pipes
• Guarantee types of network traffic for your applications
• In the following example we limit the SSL traffic on the vnic0 network interface to 100 Mb/s (maxbw=100M)

# dladm create-vnic -l net0 vnic0
# flowadm add-flow -l vnic0 -a transport=TCP,local_port=443 https-flow
# flowadm set-flowprop -p maxbw=100M https-flow


Data Link Protection

# dladm show-linkprop -p protection net0
LINK  PROPERTY    PERM  VALUE  DEFAULT  POSSIBLE
net0  protection  rw    --     --       mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
# dladm set-linkprop -p allowed-ips=10.0.2.15 net0
# dladm set-linkprop -p protection=mac-nospoof,ip-nospoof,restricted net0
# ping 10.0.2.2
10.0.2.2 is alive
[set IP address manually to something other than 10.0.2.15]
# ping 10.0.2.2
no answer from 10.0.2.2
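The `show-linkprop` check above covers one link. The script below is an added example (not from the deck) that applies the same review to every link at once: it reads the machine-parsable form `dladm show-linkprop -c -o link,property,value -p protection,allowed-ips` (colon-separated; the values here contain no colons, so no escaping is assumed), reports which of mac-nospoof, ip-nospoof and restricted are missing, and flags ip-nospoof enabled without an `allowed-ips` list, since the deck sets the list before turning the protection on. The sample lines are constructed: net0 and vnic2 are the deck's link names, net1 and vnic3 are assumed.

```shell
#!/bin/sh
# Added example: check link-protection settings across many links. Input is
# the machine-parsable output of
#   dladm show-linkprop -c -o link,property,value -p protection,allowed-ips
# i.e. colon-separated lines  <link>:<property>:<value>
# An unset value is empty (or "--" in the human-readable form); both are handled.

# One line per link: link, verdict (ok / WEAK), detail.
link_protection_report() {
    awk -F: '
        $2 == "protection"  { prot[$1] = $3; order[++n] = $1 }
        $2 == "allowed-ips" { ips[$1] = $3 }
        END {
            nreq = split("mac-nospoof ip-nospoof restricted", req, " ")
            for (i = 1; i <= n; i++) {
                l = order[i]
                have = "," prot[l] ","      # wrap in commas for whole-token matching
                missing = ""
                for (j = 1; j <= nreq; j++) {
                    if (index(have, "," req[j] ",") == 0) {
                        missing = missing (missing == "" ? "" : ",") req[j]
                    }
                }
                detail = ""
                if (missing != "") { detail = "missing:" missing }
                # ip-nospoof pins addresses from the allowed-ips list; the slide
                # sets that list first, so flag the protection without the list.
                if (index(have, ",ip-nospoof,") && (ips[l] == "" || ips[l] == "--")) {
                    detail = detail (detail == "" ? "" : ";") "allowed-ips-unset"
                }
                printf "%s\t%s\t%s\n", l, (detail == "" ? "ok" : "WEAK"), detail
            }
        }'
}

# Helpers that pull one field for a given link out of a report.
link_verdict() { awk -F'\t' -v link="$1" '$1 == link { print $2 }'; }
link_detail()  { awk -F'\t' -v link="$1" '$1 == link { print $3 }'; }

# Constructed sample; net0 and vnic2 appear in the slides, net1 and vnic3 are
# assumed names added to show the weak cases.
sample_linkprop() {
    printf 'net0:protection:mac-nospoof,ip-nospoof,restricted\n'
    printf 'net0:allowed-ips:10.0.2.15\n'
    printf 'net1:protection:\n'
    printf 'net1:allowed-ips:\n'
    printf 'vnic2:protection:mac-nospoof\n'
    printf 'vnic2:allowed-ips:--\n'
    printf 'vnic3:protection:mac-nospoof,ip-nospoof,restricted\n'
    printf 'vnic3:allowed-ips:\n'
}

# Stand-alone run over the sample.
sample_linkprop | link_protection_report
```

Run it against the real `dladm` pipeline from the global zone after every VNIC is created; a partner VNIC that shows up as WEAK can spoof MAC or IP addresses on the shared physical link, which defeats the VLAN segregation the deck relies on.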


Designed-in Virtualization

Oracle Solaris Zones


Integrated Virtualization (diagram): Security, Automated Install, Packaging, Zones, Networking, ZFS


Oracle Solaris Zones

• Built-in solution for application deployment
• Compatibility environments
  – Solaris 10 only
• Zones now more complete
  – Delegated administration
  – Observability
  – NFS shares
  – Network virtualization


Solaris Zones Security Benefits

• Restricted in-zone operations
  – Individual operating system hardening, RBAC, auditing, etc.
  – Prohibited from directly accessing kernel (modules), raw memory
• External enforcement of zone configuration
  – Configurable privileges, immutability, devices, file systems, resource controls, virtual network security controls, etc.
• Observability with integrity
  – Protected audit trails, file integrity verification, global zone has complete introspection capabilities


Immutable Zones Example (1/2)

# zonecfg -z myzone 'set file-mac-profile=fixed-configuration'
# zoneadm -z myzone boot
# zlogin myzone
[Connected to zone 'myzone' pts/3]
myzone# rm /etc/passwd
rm: /etc/passwd: override protection 644 (yes/no)? y
rm: /etc/passwd not removed: Read-only file system
myzone# pkg install emacs
pkg install: Could not complete the operation on /var/pkg/lock: read-only filesystem.
myzone# rm /usr/bin/vi
rm: /usr/bin/vi not removed: Read-only file system


Immutable Zones Example (2/2)

myzone# touch /var/tmp/foo
myzone# touch /tmp/bar
myzone# svcadm disable ssh
root@solaris:~# svcs ssh
STATE     STIME    FMRI
disabled  6:52:53  svc:/network/ssh:default


Data Architecture Strategies


ZFS Zone Root Encryption

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=zoneroot
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=zoneroot rpool/zones
Enter PKCS#11 token PIN for 'rpool/zones':
# zonecfg -z myzone 'create; set zonepath=/rpool/zones/myzone'
# zoneadm -z myzone install
[… once install completes, the system is rebooted]
# zfs key -l rpool/zones
Enter PKCS#11 token PIN for 'rpool/zones':
# zfs mount -a
# zoneadm -z myzone boot


Auditing


Solaris Auditing

• Kernel-based, fine-grained introspection
• Captures commands, syscalls, and administrative actions
• Flexible audit policy for global and non-global zones
• Several audit trail formats: binary, text, XML, etc.
• New in Solaris 11
  – Auditing on by default with no performance penalty
  – Supports secure remote storage of audit trails
  – Greater visibility into system events with less "noise"


Per-User Auditing Policy

# userattr audit_flags gbrunett
#
# usermod -K audit_flags=lo,ad,ex:no gbrunett
# userattr audit_flags gbrunett
lo,ad,ex:no
# su - gbrunett
$ exit
# auditreduce -r baz -c lo /var/audit/*not_term* | praudit -s
header,97,2,AUE_su,,testhost,2012-11-13 06:33:21.514 -08:00
subject,testuser,baz,staff,baz,staff,5243,2804137368,0 0 testhost
return,success,0
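The three `praudit -s` tokens above make up one audit record. The script below is an added example (not from the deck) that folds such token lines back into one summary line per record and counts failures per event, which is the shape a detection rule or a log-shipping pipeline wants. Real input comes from `auditreduce -c lo /var/audit/*not_term* | praudit -s` as on the slide. The sample is constructed: the first record is the slide's; the failed su and failed login records that follow, including the wording of their `failure:` return tokens, are assumptions.

```shell
#!/bin/sh
# Added example: summarise praudit -s token lines (as on the slide) into one
# line per record and count failed events. praudit prints one token per line;
# a record starts at the "header" token and the "return" token closes it.
# Tokens other than header, subject and return are ignored.

# Summary per record: time, event, audit-user, effective-user, outcome.
audit_summary() {
    awk -F, '
        $1 == "header"  { ev = $4; when = $7; auser = "?"; euser = "?" }
        $1 == "subject" { auser = $2; euser = $3 }   # audit-ID, then effective uid
        $1 == "return" {
            outcome = ($2 ~ /^failure/) ? "FAILURE" : "success"
            printf "%s\t%s\t%s\t%s\t%s\n", when, ev, auser, euser, outcome
        }'
}

# Number of summary lines for a given event name with a given outcome.
count_events() {
    awk -F'\t' -v ev="$1" -v out="$2" '$2 == ev && $5 == out { c++ } END { print c + 0 }'
}

# Constructed sample in the shape praudit -s prints. Record 1 is the one on the
# slide; records 2 and 3 (a failed su and a failed login) are assumed.
sample_praudit() {
    cat <<'EOF'
header,97,2,AUE_su,,testhost,2012-11-13 06:33:21.514 -08:00
subject,testuser,baz,staff,baz,staff,5243,2804137368,0 0 testhost
return,success,0
header,97,2,AUE_su,,testhost,2012-11-13 06:35:02.118 -08:00
subject,testuser,testuser,staff,testuser,staff,5301,2804137368,0 0 testhost
return,failure: Permission denied,-1
header,81,2,AUE_login,,testhost,2012-11-13 06:40:11.004 -08:00
subject,-1,-1,-1,-1,-1,5377,2804137369,0 0 testhost
return,failure: Authentication failed,-1
EOF
}

# Stand-alone run: one summary line per record, then the failed-su count.
sample_praudit | audit_summary
printf 'failed su records: %s\n' "$(sample_praudit | audit_summary | count_events AUE_su FAILURE)"
```

Keeping the audit-ID (the first subject field) separate from the effective uid is the point of the summary: after `su` the effective user changes but the audit-ID still names who logged in, which is what a reviewer needs when a partner's zone shows privileged activity.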


Putting it all together with Solaris 11 Security!


Oracle Solaris Remote Lab – Schematic


OSRL - Data (slide table: rows Create / Use / Delete; columns Resource Sharing / Performance / Security)

Create
• Resource sharing: single zpool, multiple ZFS file systems
• Performance: data stored in ZFS SA; hybrid storage (disk + SSD + RAM); ZFS cloning
• Security: encrypted ZFS; partner-specific key; each partner has their own ZFS file system

Use
• Data isolated in VLAN
• Separate NFS server per partner
• SGD - CDM
• All intra-VM data transfers self-contained in the blade chassis
• ZFS clones: share everything but the changes

Delete
• ZFS secure delete
• ZFS encrypt + delete: almost instantaneous operation


OSRL - Virtual Machines (Zones) (slide table: rows Create / Use / Delete; columns Resource Sharing / Performance / Security)

Create
• Resource sharing: zone cloning; less than 18 MB of RAM; less than 100 MB of disk
• Performance: ZFS + zone cloning; new zone in minutes
• Security: ZFS encryption for zone file system; exclusive IP stack + VNIC

Use
• All zones isolated in non-routable VLAN
• Secure Global Desktop access
• Resource allocation: network bandwidth, memory, CPU
• Zone shares all OS resources: single kernel, single storage

Delete
• ZFS secure delete
• ZFS encrypt + delete: almost instantaneous operation


When 1 + 1 > 2

• Zones + ZFS
  – Fast zone provisioning
  – Very low overhead
  – Encrypt file system as well as share resources
• Zones + Network virtualization
  – Allows for sharing a single physical network
  – VLAN tagging allows for creating one VLAN per partner
  – Exclusive IP stack on shared physical network


When 1 + 1 > 2 (continued)

• Zones + ZFS + NFS
  – Each NFS server is a zone
  – Single data store
  – Single physical server
  – Multiple NFS file systems shared with ZFS
  – ZFS supports NFS sharing
  – Encryption + cloning reduces overhead
• Zones + IPS
  – Global zone has IPS proxy
  – Single IPS repository accessible from non-routable VLAN


Additional Resources

• Solaris 11 Security Hardening Guidelines http://docs.oracle.com/cd/E26502_01/html/E29014/index.html

• Solaris 11 Secure Coding Guidelines for Developers http://docs.oracle.com/cd/E26502_01/html/E29016/scode-1.html

• Glenn Faden’s Solaris 11.1 Hands On Security Lab https://blogs.oracle.com/gfaden/entry/solaris_11_1_is_available

• Darren Moffat’s Solaris Security Blog https://blogs.oracle.com/darren/tags/solaris+security


For More Information / Try Out Today

• Product overview and download

– oracle.com/solaris

• Oracle Technology Network

– oracle.com/technetwork/server-storage/solaris11

• System Administrators Community

– oracle.com/technetwork/systems

• @ORCL_Solaris

• facebook.com/oraclesolaris

• Oracle Solaris Insider


Questions


Acknowledgements

Special thanks to Darren Moffat, Glenn Faden, Angelo Rajadurai and many others for sharing their ideas and examples with the world.
