May 06, 2018

IBM® Cloud and Smarter Infrastructure Software

SmartCloud Orchestrator Version 2.3: Security Hardening Guide

Document version 2.3.4

IBM SmartCloud Orchestrator Security Team

© Copyright International Business Machines Corporation 2014, 2015. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

CONTENTS

Contents
List of Figures
Author List
Revision History
1 Introduction
2 Security Management Overview
  2.1 Web Application Security Scanning
  2.2 Application Source Code Scanning
  2.3 Threat Modeling
  2.4 Security Regulatory Compliance Reports
  2.5 Authentication Management
  2.6 Authorization Management
3 Security Hardening
  3.1 Port Management and Firewall Configuration
    3.1.1 Methodology
    3.1.2 Reference Tables
  3.2 “nologin” Shell Configuration
  3.3 HBase Process Name Management
  3.4 Common Vulnerabilities and Exposures Management
  3.5 Secure Sockets Layer Management
Appendix A: The Cloud Orchestrator Security Evaluation Tool (coset)
  A.1 Port Utility Configuration
  A.2 Port Utility List Mode
  A.3 Port Utility Inbound Connection Mode
  A.4 Port Utility Outbound Connection Mode
  A.5 Port Utility Monitor Mode
References

LIST OF FIGURES

Figure 1: Revision History
Figure 2: SCO 2.3 Security Management Summary
Figure 3: Security Compliance Report Options
Figure 4: Security Single Sign-on Overview
Figure 5: Security Authentication Flow
Figure 6: Security Flow for Self Service Request
Figure 7: Security Flow for Import OVA Image
Figure 8: Security Flow for Register Image
Figure 9: Security Flow for Image Extension
Figure 10: Orchestrator User Registry
Figure 11: Orchestrator Authorization Entity-Relationship Diagram
Figure 12: Orchestrator Authorization Management
Figure 13: Orchestration Management Server Core
Figure 14: Central Server 1 Port Management
Figure 15: Central Server 2 Port Management
Figure 16: Central Server 3 Port Management
Figure 17: Central Server 4 Port Management (WebSphere Deployment Manager)
Figure 18: Central Server 4 Port Management (WebSphere Node Agent)
Figure 19: Central Server 4 Port Management (BPM EAR)
Figure 20: Region Server Port Management
Figure 21: Other IBM Port Management Considerations
Figure 22: OpenStack Port Management Considerations
Figure 23: VMware Port Management Considerations
Figure 24: Deployed Virtual System & Extended Image Port Management Considerations
Figure 25: Verifying "nologin" support
Figure 26: Recommended Users for "nologin" Support
Figure 27: Port Utility Hosts Configuration
Figure 28: Port Utility Region Server Template Configuration
Figure 29: Port Utility Active Port Configuration
Figure 30: Port Utility Ports and Programs to Ignore
Figure 31: Port Utility List Mode Sample
Figure 32: Port Utility Inbound Connection Mode Sample
Figure 33: Port Utility Outbound Connection Mode Sample
Figure 34: Port Utility Monitor Mode Sample

AUTHOR LIST

This paper is the team effort of a number of cloud security specialists comprising the SmartCloud Orchestrator security team. Additional recognition goes out to the entire SmartCloud Orchestrator and OpenStack development teams.

Mark Leitch (primary contact for this paper), IBM Toronto Laboratory
Nate Rockwell, IBM USA
Marc Schunk, IBM Boeblingen Laboratory
Piotr Gnysinski, IBM Ireland
Michele Licursi, IBM Rome Laboratory

REVISION HISTORY

Date | Version | Revised By | Comments
April 30th, 2014 | Draft | MDL | Initial version for review.
May 4th, 2014 | 2.3.0 | MDL | First version for external review.
May 5th, 2014 | 2.3.1 | MDL | Added “nologin” support.
May 7th, 2014 | 2.3.2 | MDL | Added HBase process name management.
June 18th, 2014 | 2.3.3 | MDL | Revised port listing.
February 11th, 2015 | 2.3.4 | MDL | Added SSL information.

Figure 1: Revision History

1 Introduction

Security management is critical for any enterprise. With the adoption of cloud technologies it becomes even more critical, because a cloud management platform concentrates control over many systems: the range and scale of what a successful exploit can reach grow with the reach of the management layer itself. This document provides an overview of security management approaches for the IBM SmartCloud Orchestrator (SCO) Version 2.3.

SCO Version 2.3 offers end to end management of service offerings across a number of cloud technology offerings including VMware, Kernel-based Virtual Machine (KVM), IBM PowerVM, and IBM System z. A key implementation aspect is integration with OpenStack, the de facto leading open virtualization technology. OpenStack offers the ability to control compute, storage, and network resources through an open, community based architecture.

We will first describe security management approaches for SmartCloud Orchestrator. We will then offer some prescriptive approaches for security hardening of a cloud installation.

Note: This document is considered a work in progress. Security recommendations will be refined and updated as new SCO releases are available. While the paper in general is considered suitable for all SCO Version 2.3 releases, it is best oriented towards SCO Version 2.3.0.1. In addition, a number of references are provided in the References section. These papers are highly recommended for readers who want detailed knowledge of cloud security management.

Note: Some artifacts are distributed with this paper as zip archives. Because Adobe Reader blocks attachments with a “zip” suffix, each distribution is attached with the suffix “zap”. To use an artifact, rename the suffix back to “zip” and extract it as usual.

2 Security Management Overview

The following table provides a summary of SCO 2.3 security management. Specific security areas are expanded upon as appropriate.

Security Area | Disposition
Web Application Security Scanning | Scans mandated by IBM Corporate Security Standards. Automated and repeatable security assessment.
Application Source Code Scanning | Scans mandated by IBM Corporate Security Standards. Automated and repeatable security assessment.
Threat Modeling | Threat model assessment mandated by IBM Corporate Security Standards.
Security Regulatory Compliance Reports | Several compliance reports (e.g. PCI DSS) are available as part of the web application security scanning work.
Multitenancy: Isolation of Back End Resources | Available in SCO 2.3. Offers the ability to assign tenants (aka projects) resources that are partitioned by cloud regions (aka availability zones).
Multitenancy: Segregation of Cloud Resources via Role-Based Authorization | Segregation of cloud resources is available in SCO 2.3.
LDAP Support | The OpenStack Keystone component provides a comprehensive role/authorization/authentication service. Read-only LDAP support is available in the SCO 2.3 release.

Figure 2: SCO 2.3 Security Management Summary

The first four management areas are described in specific sections. A description of security authentication and authorization management, with implications for multitenancy and directory support, is then provided.

2.1 Web Application Security Scanning

Web application security scanning is performed by the IBM Rational Appscan Standard Edition reference tool. Some of the capabilities of this tool include the following.

Heightened scan severity ratings, obtained by enabling the Collateral Damage Potential and Target Distribution (CVSS environmental) settings specifically for cloud offerings.

Provides visibility into the security and regulatory compliance risks web applications present to your organization.

Uses a combination of testing techniques to provide thorough, automated assessments.

Scans websites for both embedded malware and links to malicious or undesirable websites.

Helps ensure your website is not infecting visitors or directing them to unwanted or dangerous websites.

Correlates results discovered using dynamic and static analysis techniques.

Tests web services.

Delivers more than 40 security compliance reports, including PCI Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), ISO 27001 and ISO 27002, HIPAA, GLBA and Basel II.

Further information on the Rational Appscan offering is available in the References section.

2.2 Application Source Code Scanning

Application source code scanning is performed by the Rational Appscan Source reference tool. Some notable features of Rational Appscan Source that apply to cloud deployments follow.

Identifies security vulnerabilities and defects in the source code during the early stages of the application lifecycle when they are the least expensive to remediate.

Builds automated security into development by integrating security source code analysis with automated scanning during the build process.

Scans, triages and manages security policies; prioritizes assignment of results to security teams for vulnerability remediation.

Delivers fast scans of more than one million lines of code per hour, allowing you to scan even the most complex enterprise applications.

Uses string analysis to simplify the adoption of security testing by development teams.

Support for testing mobile applications including Java, C# and Objective-C.

Further information on the Rational Appscan Source offering is available in the References section.

2.3 Threat Modeling

Threat modeling assessments may encompass automated and manual approaches, including ethical hacking approaches. Basic methods employed include the following.

Enforcement of non-root runtime for audit and trust purposes.

Enforcement of necessary permissions.

Secure credentials management (e.g. passwords).

Secure port analysis.

Ethical hacking approaches.

2.4 Security Regulatory Compliance Reports

The Web Application Security Scanning tool offers a number of regulatory compliance reports. See the following figure for some sample report types.

Figure 3: Security Compliance Report Options

It is worth noting these are simply report options. For example, for the PCI DSS report neither Rational Appscan nor IBM is a PCI Approved Scanning Vendor (ASV). While the reports are considered to have value in terms of classifications and exposures, they are not considered to be at the certification level.

Note: PCI DSS regulatory reports have been generated for SCO. These reports illustrate unique findings over the thirty three PCI DSS classification areas. The unique issues are also identified in the base Web Application Security Scanning reports, with the regulatory report aligning each finding with the suitable regulatory classification area.

2.5 Authentication Management

A single sign-on approach is used across the primary SmartCloud Orchestrator components (i.e. IWD, BPM, SWI, and OpenStack) [1]. The single sign-on authentication uses a token approach. The token contains user and project information, has an expiration date, and is stored in the browser as a cookie for the domain. The following figure provides an overview of the single sign-on approach.

Figure 4: Security Single Sign-on Overview

[1] This document does not provide an overview of the Orchestrator components. For background on the components and their management please see SmartCloud Orchestrator Version 2.3: Capacity Planning, Performance, and Management Guide in the References section.

An alternate view showing the authentication flow for IWD follows.

Figure 5: Security Authentication Flow

The following figure shows the role of the authentication flow for a self service request. The flows are simplified for display purposes, with the authentication step at the top left.

Figure 6: Security Flow for Self Service Request

The following figure shows the component interaction for the import of an OVA image.

Figure 7: Security Flow for Import OVA Image

The following figure shows the component interaction for the registration of an image.

Figure 8: Security Flow for Register Image

The following figure shows the component interaction for the extension of the image. Once again, the authentication management is shown at the start of the scenario.

Figure 9: Security Flow for Image Extension

2.6 Authorization Management

We will provide an overview of user, role, and project management. The OpenStack Keystone component provides the reference repository for managing these objects. For SmartCloud Orchestrator, the customer may populate Keystone from a corporate read only LDAP. The following diagram offers a simple view of the user registry.

Figure 10: Orchestrator User Registry

In simplest terms, roles determine the actions that a user is allowed to perform. A project (referred to as a tenant in Keystone parlance) is a set of specific resources granted to a set of users. Through these constructs, a cloud administrator may strictly control the set of cloud resources authorized to a specific user. Further information is available in the SmartCloud Orchestrator information center (see the References section). The following diagram provides an entity-relationship diagram for authorization management (mapped OpenStack entities are shown in blue).

Figure 11: Orchestrator Authorization Entity-Relationship Diagram

The following diagram provides a breakdown of where information is managed. To be specific:

The original source for information (identified by a clear box).

A resource reference (identified by a box with hash lines).

Once again, OpenStack Keystone is the reference repository for users, roles, and tenants. The remaining components may reference these objects, while managing specific objects required for their functional requirements.

Figure 12: Orchestrator Authorization Management

3 Security Hardening

Security hardening has multiple dimensions, particularly in the cloud space. We will break the hardening dimensions into the managed cloud and management server components.

For the managed cloud, the cloud providers offer specific security hardening approaches. For example, VMware offers prescriptive hardening spreadsheets to enforce best practices. Resources for these spreadsheets based on specific vSphere versions are provided in the References section.

For the management server hardening, we will provide the following hardening approaches.

Port management and firewall configuration.

“nologin” shell configuration.

HBase process name management.

3.1 Port Management and Firewall Configuration

We will describe the port management methodology, followed by the port management reference tables.

3.1.1 Methodology

The following diagnostic tools are the basis for programmatically managing the Orchestrator ports.

The nmap utility (obtained via the Red Hat distribution) is used to derive the list of ports reachable on a server instance from the scanning host. Sample command usage:

nmap -p1-65535 <server>

Two caveats apply. This command probes TCP only, so the UDP services in the reference tables (DNS on 53, NTP on 123) need a separate UDP scan. A scan also reports only what the scanning host can reach, so to verify firewall rules it has to be run from each network zone of interest (for example from a region server and from the public cloud user's network), not only from an administrative host.

Within a server instance, the set of ports being listened on or established is managed via the lsof command. Sample command usage:

lsof -i -P | grep LISTEN
lsof -i -P | grep ESTABLISHED

Based on the above, the command line invocation of each interesting process identifier may be established. Sample command usage:

cat /proc/$pid/cmdline

(The arguments in this file are separated by NUL bytes, so they print run together.)

To facilitate port management for the Orchestrator installation, a port management tool has been specially created based upon the ‘lsof’ utility. Appendix A provides an overview of this tool. In addition, the following diagram identifying the host names and their runtime is included for reference.

Figure 13: Orchestration Management Server Core

3.1.2 Reference Tables

The following tables provide a summary of Orchestrator port management and firewall configuration. The following attributes are managed.

Server instance. The management server instance where the port is active. Tables are broken down by server instance.

Port. The specific port that is open.

Protocol. The specific network protocol in effect, where applicable.

Program instance. The program holding the port. This may be a specific executable or a general class designation (e.g. “Operating System”).

Operating system user id instance. The operating system user id the program is running under. Ports held by a process running as root deserve particular attention when deciding firewall exposure, since a compromise of that service yields root on the management server.

Incoming hosts. A list of expected incoming host identifiers.

Some critical items of interest follow for the reference tables.

The reference tables describe the Orchestrator runtime requirements. The install and upgrade requirements are not included.

The ports described are for the Orchestrator content. Additional operating system services may be active, and an approach for managing these services is provided in Appendix A.

It is generally recommended to disable the chef services once the install or upgrade processes are complete. For example:

service chef_repo_srvd stop
chkconfig chef_repo_srvd off

DNS and directory services are specific to an enterprise deployment and may require additional customization.

An incoming host of “Public Cloud User” indicates the port must remain reachable through the firewall of a public cloud installation; ports whose incoming hosts are all internal servers can be blocked from the public network.

Information is not provided for the System Automation Application Manager at the time of this writing.

Port | Protocol | Program | User | Incoming Hosts
50000 | TCP | db2sysc | db2inst1 | CS2, CS3, CS4, Region Servers
53, 953 | UDP | DNS (named) | named | All hosts. Relevant if DNS server is enabled on Central Server 1.
123 | UDP | NTP | | All hosts. Relevant if NTP server is enabled on Central Server 1.

Figure 14: Central Server 1 Port Management

Port | Protocol | Program | User | Incoming Hosts
2181 | TCP | HBase (VIL) | root |
2809, 9402, 9403, 9633 | TCP | VIL (WAS) | root |
5000, 35357 | HTTP | Keystone | keystone | CS2, CS3
6379 | Proxy | VIL (WAS) | root |
8005, 8009, 8182 | TCP | VIL proxy | root |
8123 | TCP | Origami (VIL) | root |
8880 | SOAP | VIL (WAS) | root |
9043 | HTTPS | VIL (WAS) | root | Public Cloud User
9060 | HTTP | VIL (WAS) | root | Public Cloud User
9080 | HTTP | VIL (WAS) | root |
9100 | ORB | VIL (WAS) | root |
9443 | HTTPS | VIL (WAS) | root | Public Cloud User, CS3
9797 | HTTP | PCG | root | CS3
9973 | HTTP | IaaS Gateway | root | CS3, ICCT
11211 | TCP | Memcached | 496 (numeric uid) |
60000, 60010, 60020, 60030 | TCP | HBase (VIL) | root |

Figure 15: Central Server 2 Port Management

Port | Protocol | Program | User | Incoming Hosts
80 | HTTP | IWD | root | CS4
443, 9443 | HTTPS | IWD | root | CS4
9444 | HTTPS | IWD | root |
20001 | TCP | IWD | root |
7443 | HTTPS | SCUI | root | Public Cloud User
n/a | ICMP | IWD | root | Deployed virtual systems (Windows only and only if using add-ons and script packages).

Figure 16: Central Server 3 Port Management

Port | Protocol | Program | User | Incoming Hosts
7060, 7277, 9352, 9402, 9420, 9809, 11006 | TCP | Deployment Manager | root |
8879 | SOAP | Deployment Manager | root |
9043 | HTTPS | Deployment Manager | root |
9060 | HTTP | Deployment Manager | root |
9100 | ORB | Deployment Manager | root |
9403 | HTTP | Deployment Manager | root |
9632 | IPC (TCP) | Deployment Manager | root |

Figure 17: Central Server 4 Port Management (WebSphere Deployment Manager)

Port | Protocol | Program | User | Incoming Hosts
2809, 7062, 7272, 9353, 11004 | TCP | Nodeagent | root |
8878 | SOAP | Nodeagent | root |
9201, 9202 | RMI/IIOP, SSL | Nodeagent | root |
9629 | IPC (TCP) | Nodeagent | root |
9900 | ORB | Nodeagent | root |

Figure 18: Central Server 4 Port Management (WebSphere Node Agent)

Port | Protocol | Program | User | Incoming Hosts
7276, 7286, 9044, 9191, 9354, 11008 | TCP | BPM | root |
8880 | SOAP | BPM | root |
9061 | HTTP | BPM | root |
9080 | HTTP | BPM | root | Public Cloud User, CS3
9405, 9406 | RMI/IIOP, SSL | BPM | root |
9443 | HTTPS | BPM | root |
9633 | IPC (TCP) | BPM | root |
9810 | ORB | BPM | root |

Figure 19: Central Server 4 Port Management (BPM EAR)

Port | Protocol | Program | User | Incoming Hosts
4444 | Proxy | VIL | root | CS2
8123 | HTTP | VIL Proxy | root | CS2
80 | HTTP | Apache | root |
7080 | HTTP | SCE | root | RS (VMware only)
7777 | TELNET | SCE | root | RS (VMware only)

Figure 20: Region Server Port Management

Port | Protocol | Program | User | Incoming Hosts
80 | HTTP | IBM Infocenter | n/a | CS3
443 | HTTPS | ICCT | n/a | Public Cloud User
n/a | ICMP | ICCT | n/a | Extended Image (Windows only)

Figure 21: Other IBM Port Management Considerations

Port | Protocol | Program | User | Incoming Hosts
8776 | HTTP | Cinder | cinder |
3260 | iSCSI | Glance | root |
9191, 9292 | HTTP | Glance | glance | CS2
5000, 35357 | HTTP | Keystone | keystone | CS2, CS3
53, 953 | DNS | Named | named |
6080, 8774, 8775 | HTTP | Nova | nova | CS2, CS3
5672 | AMQP | Qpid | qpidd | RS

Figure 22: OpenStack Port Management Considerations

Port | Protocol | Program | User | Incoming Hosts
443 | HTTPS | VMware vCenter | | CS2, Region Servers
902 | HTTP | VMware ESXi | | CS2

Figure 23: VMware Port Management Considerations

Port | Protocol | Program | User | Incoming Hosts
139 | TCP | Windows OS | n/a | CS3
n/a | ICMP | Windows OS | n/a | CS3
22 | SSH | OS/Image | n/a | CS3, ICCT
445 | TCP | OS/Image | n/a | CS3, ICCT
80 | | Image | n/a | ICCT

Figure 24: Deployed Virtual System & Extended Image Port Management Considerations
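As an added example (not code from the guide or from the coset tool of Appendix A), the following script applies the methodology of 3.1.1 to the reference table of 3.1.2 for Central Server 2: it parses lsof -i -P -n output, treats LISTEN sockets and bound UDP sockets as listeners, compares them with a baseline transcribed from Figure 15, and reports ports the table does not account for, baseline ports held by an unexpected operating system user, and baseline ports with no listener. The lsof text is a constructed sample, not a capture from a real server; the baseline covers only part of Figure 15 and maps the guide's HTTP/HTTPS/SOAP protocol labels to TCP, which is what lsof reports. The cmdline() helper reads /proc/<pid>/cmdline as the guide suggests and is the only part that touches the live host.

```python
"""Audit listening ports against the Orchestrator reference tables.

Added example, not part of the IBM guide or the coset tool.  Parses
`lsof -i -P -n` output, maps every listener to (port, protocol, program,
user) and compares it with a baseline taken from Figure 15 (Central Server 2).
"""
import re

# Baseline for Central Server 2, transcribed (in part) from Figure 15:
# port -> (protocol as lsof reports it, program, expected OS user).
CS2_BASELINE = {
    2181: ("TCP", "HBase (VIL)", "root"),
    2809: ("TCP", "VIL (WAS)", "root"),
    5000: ("TCP", "Keystone", "keystone"),
    35357: ("TCP", "Keystone", "keystone"),
    9043: ("TCP", "VIL (WAS)", "root"),
    9443: ("TCP", "VIL (WAS)", "root"),
    11211: ("TCP", "Memcached", "496"),
    60000: ("TCP", "HBase (VIL)", "root"),
    60020: ("TCP", "HBase (VIL)", "root"),
}

# Constructed sample of `lsof -i -P -n` output; not from a real server.
SAMPLE_LSOF = """\
COMMAND      PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java        2311     root   45u  IPv4  18233      0t0  TCP *:2181 (LISTEN)
java        2311     root   46u  IPv4  18240      0t0  TCP *:60000 (LISTEN)
java        2650     root  112u  IPv6  19102      0t0  TCP *:9443 (LISTEN)
java        2650     root  113u  IPv6  19103      0t0  TCP *:9043 (LISTEN)
java        2650     root  114u  IPv6  19104      0t0  TCP *:2809 (LISTEN)
keystone-a  1733 keystone    4u  IPv4  12877      0t0  TCP *:5000 (LISTEN)
keystone-a  1733     root    5u  IPv4  12878      0t0  TCP *:35357 (LISTEN)
keystone-a  1733 keystone    9u  IPv4  12990      0t0  TCP 10.0.0.2:5000->10.0.0.3:41233 (ESTABLISHED)
memcached   1504      496   26u  IPv4  12011      0t0  TCP *:11211 (LISTEN)
memcached   1504      496   27u  IPv4  12012      0t0  UDP *:11211
sshd        1201     root    3u  IPv4   9087      0t0  TCP *:22 (LISTEN)
python      3999     root    6u  IPv4  22310      0t0  TCP 127.0.0.1:8000 (LISTEN)
"""

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>\w+)\))?$"
)


def parse_lsof(text):
    """Yield one dict per socket line; the header and unparseable lines are skipped."""
    for line in text.splitlines():
        m = LSOF_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        local = rec["name"].split("->")[0]          # drop the peer on ESTABLISHED lines
        rec["port"] = int(local.rsplit(":", 1)[1])  # works for *, 1.2.3.4 and [::1]
        rec["pid"] = int(rec["pid"])
        # UDP sockets carry no state; a bound UDP socket is a listener.
        rec["listening"] = rec["state"] == "LISTEN" or rec["proto"] == "UDP"
        yield rec


def audit(text, baseline):
    """Return (unexpected, user_mismatch, missing) for the listeners in lsof output.

    unexpected    - (port, proto, command, user, pid) for ports absent from the baseline
    user_mismatch - (port, actual user, expected user) for baseline ports held by another user
    missing       - baseline ports with no listener at all
    """
    seen, unexpected, user_mismatch = set(), [], []
    for rec in parse_lsof(text):
        if not rec["listening"]:
            continue
        seen.add(rec["port"])
        entry = baseline.get(rec["port"])
        if entry is None:
            unexpected.append((rec["port"], rec["proto"], rec["cmd"], rec["user"], rec["pid"]))
        elif rec["user"] != entry[2]:
            user_mismatch.append((rec["port"], rec["user"], entry[2]))
    return unexpected, user_mismatch, sorted(set(baseline) - seen)


def cmdline(pid):
    """Read /proc/$pid/cmdline as the guide suggests; arguments are NUL-separated
    there, so join them with spaces.  Returns None when the file cannot be read."""
    try:
        with open("/proc/%d/cmdline" % pid, "rb") as f:
            return f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
    except OSError:
        return None


if __name__ == "__main__":
    unexpected, mismatch, missing = audit(SAMPLE_LSOF, CS2_BASELINE)
    for port, proto, cmd, user, pid in unexpected:
        print("UNEXPECTED %s/%d held by %s (pid %d, user %s): %s"
              % (proto, port, cmd, pid, user, cmdline(pid) or "<cmdline unavailable>"))
    for port, actual, expected in mismatch:
        print("USER MISMATCH port %d: running as %s, table expects %s" % (port, actual, expected))
    for port in missing:
        print("NOT LISTENING port %d (%s)" % (port, CS2_BASELINE[port][1]))
```

To use it on a real Central Server, substitute the captured output for SAMPLE_LSOF and extend the baseline to the full table for that server. In the sample, sshd on 22 is reported as unexpected precisely because the tables cover Orchestrator content only; such operating system services have to be dispositioned separately, as the guide notes, and the Appendix A tool has an ignore list for that purpose. The HBase processes all show up as "java", which is the problem section 3.3 addresses.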

3.2 “nologin” Shell Configuration

User instances are bound to a shell. A special shell, referred to as “nologin”, may be enabled for user accounts to prevent logging into a shell instance for that user. Any attempt to invoke a shell instance will be politely refused.

We will describe how to implement nologin support. The first step is to ensure it is a supported shell on the compute node. The following example shows support for “/sbin/nologin”.

Figure 25: Verifying "nologin" support.

From here the approach follows three basic steps:

1. Determine the set of user IDs for which to enable the "nologin" shell. A recommended set of IDs is provided in the table below.

2. For each user, set the shell. Sample command usage: usermod -s /sbin/nologin gleRNSUM


3. No restart is required. The change takes effect on the next login attempt for that user; sessions that are already open are not terminated, so check for and close any existing interactive sessions under the affected accounts.

Node               User IDs to Enable
Central Server 1   gleRNSUM, noaRNSUM, sceRNSUM, cirRNSUM, qtmRNSUM, ksdb
Region Servers     nova

Figure 26: Recommended Users for "nologin" Support
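The three steps above, as a repeatable audit. This is an added example and not part of the IBM guide or the product: it works on passwd- and shells-formatted text so it can be run against copies collected from each node, and reports which recommended accounts still have an interactive shell, which are already done, and which do not exist on that node (so a blind usermod run does not fail half way). The /etc/shells and /etc/passwd content below is constructed sample data, not real node data.

```python
"""Audit which Orchestrator service accounts still have an interactive shell.

Added example, not code from the IBM guide or the product. The embedded
/etc/shells and /etc/passwd samples are constructed, not real node data.
"""
from __future__ import annotations

NOLOGIN = "/sbin/nologin"

# Recommended accounts from Figure 26, keyed by node type.
RECOMMENDED = {
    "Central Server 1": ["gleRNSUM", "noaRNSUM", "sceRNSUM", "cirRNSUM", "qtmRNSUM", "ksdb"],
    "Region Servers": ["nova"],
}

# Constructed sample of /etc/shells and /etc/passwd as collected from a Central Server 1.
SAMPLE_SHELLS = """\
/bin/sh
/bin/bash
/sbin/nologin
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
gleRNSUM:x:501:501::/home/gleRNSUM:/bin/bash
noaRNSUM:x:502:502::/home/noaRNSUM:/sbin/nologin
sceRNSUM:x:503:503::/home/sceRNSUM:/bin/bash
ksdb:x:504:504::/home/ksdb:/bin/bash
"""


def nologin_supported(shells_text: str, shell: str = NOLOGIN) -> bool:
    """Step 1 of the guide: the shell must be listed in /etc/shells.

    usermod -s accepts any path, but chsh and PAM modules that honour
    /etc/shells treat an unlisted shell as invalid.
    """
    listed = {line.strip() for line in shells_text.splitlines()
              if line.strip() and not line.startswith("#")}
    return shell in listed


def parse_shells(passwd_text: str) -> dict[str, str]:
    """Map user name -> login shell (the 7th field of a passwd entry)."""
    shells = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


def audit(passwd_text: str, wanted: list[str]) -> dict[str, list[str]]:
    """Classify the recommended accounts: already nologin, need a change, or absent."""
    current = parse_shells(passwd_text)
    report: dict[str, list[str]] = {"ok": [], "fix": [], "missing": []}
    for user in wanted:
        if user not in current:
            report["missing"].append(user)      # account not created on this node
        elif current[user] == NOLOGIN:
            report["ok"].append(user)
        else:
            report["fix"].append(user)
    return report


def usermod_commands(users: list[str]) -> list[str]:
    """Step 2 of the guide: one usermod per account, emitted for review rather than run."""
    return [f"usermod -s {NOLOGIN} {user}" for user in users]


if __name__ == "__main__":
    if not nologin_supported(SAMPLE_SHELLS):
        raise SystemExit(f"{NOLOGIN} is not listed in /etc/shells; add it first")
    result = audit(SAMPLE_PASSWD, RECOMMENDED["Central Server 1"])
    for cmd in usermod_commands(result["fix"]):
        print(cmd)
    if result["missing"]:
        print("# not present on this node:", ", ".join(result["missing"]))
```

Run it with the real files (for example by reading /etc/passwd and /etc/shells into the two strings) and pipe the printed usermod lines through review before executing them; accounts reported as missing simply do not exist on that node type and need no action.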

3.3 HBase Process Name Management

The HBase processes on Central Server 2 may allocate dynamic ports. In addition, because HBase runs in the Java execution environment, it appears in process listings as "java", which makes it hard to attribute those dynamic ports to HBase when reconciling a port scan against the known services. It is therefore helpful to have the HBase processes appear as "HBase" in a process listing. The following steps use a symbolic link to achieve this; the link changes only the displayed process name, not the ports HBase opens or who may reach them.

1. Log on to Central Server 2.

2. Determine the location of $JAVA_HOME (e.g. /opt/IBM/WebSphere/AppServer/java).

3. In $JAVA_HOME/bin, create a symbolic link named HBase that points to the java binary (e.g. ln -s java HBase, run from within $JAVA_HOME/bin).

4. Update the HBase startup script (i.e. /opt/hbase/bin/hbase).

5. Change this line: JAVA=$JAVA_HOME/bin/java to this: JAVA=$JAVA_HOME/bin/HBase

6. Restart the Virtual Image Library and/or the Cloud Orchestrator.

7. Confirm in a process listing, and in the listening-port listing produced by netstat or ss, that the processes now show as HBase. Note that the link lives inside the JDK directory and must be recreated after a JDK update, or HBase will fail to start.

3.4 Common Vulnerabilities and Exposures Management

Cloud security management typically spans multiple data centers and a large, heterogeneous software inventory. The "Common Vulnerabilities and Exposures" (CVE) list offers a free dictionary of publicly known vulnerabilities (see the References section) that can assist in this task. Because the Cloud Orchestrator includes OpenStack, and typically involves a "bring your own operating system" approach, it is extremely useful to track these vulnerabilities and the associated vendor alerts. Some prominent recent alerts, which any cloud deployment should have addressed, follow.

1. Heartbleed (CVE-2014-0160): an OpenSSL memory-disclosure vulnerability, fixed by updating OpenSSL and then re-keying certificates that were served by a vulnerable build (URL).

2. POODLE (CVE-2014-3566): a padding-oracle weakness in the SSL 3.0 protocol itself, so it affects every SSL implementation, not only OpenSSL; the remedy is to disable SSLv3 on all listeners (URL).

3. Shellshock (CVE-2014-6271): a GNU Bash command-injection vulnerability, fixed by updating Bash on every Linux image, including guest images (URL).


Note that the IBM Rational scan tools cited earlier are CVE compatible. In addition, given the prominence of SSL/TLS, the following section describes the Orchestrator SSL implementation.

3.5 Secure Sockets Layer Management

Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are the de facto standard for securing application communication. They form part of the comprehensive cryptographic and security solution across the different layers of the Cloud Orchestrator IaaS platform. The Orchestrator solution includes the IBM OpenStack Enterprise Edition (OSEE) bundle, which in turn includes the OpenSSL, python-passlib, Cyrus SASL and PyCrypto libraries, and the IBM WebSphere sMash and DB2 products. The versions of these libraries are determined by the prerequisite Linux virtual machine and/or IBM JDK 1.6.0, so fixes such as the Heartbleed update arrive through operating system and JDK maintenance rather than through the Orchestrator itself.

Further characteristics of the SSL/TLS implementation may be broken down as follows.

AES is used with 128-bit and 256-bit keys (the AES block size is always 128 bits) and is defined in FIPS 197.

Certificates are signed with RSA using 2048-bit keys over a SHA-1 digest. SHA-1 certificate signatures are deprecated by current browser and CA policy; reissue with SHA-256 where the issuing CA and the connecting clients allow it.

TLS is used for communications; IETF RFC 5246 defines TLS 1.2 (it does not define SSL).

LTPA (WebSphere Lightweight Third-Party Authentication tokens) is used for authentication.

The OpenStack Nova API exposes RSA-based certificate creation with 1024-bit key pairs, which can be disabled and should be, since 1024-bit RSA is below the 2048-bit minimum used elsewhere in the product.

The OpenStack Nova API also allows the end user to generate a 2048-bit RSA key pair to SSH into a virtual machine instance.

IBM OpenStack EE supports SSL v2/v3, TLS v1 and SSH. SSL v2 and SSL v3 should be disabled on every listener (see POODLE in section 3.4), leaving only TLS enabled.
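The baseline in the list above, turned into a check. This is an added example and not code from the IBM guide or the product. It audits a description of each TLS endpoint against three rules drawn from sections 3.4 and 3.5 (no SSLv2/SSLv3, RSA keys of at least 2048 bits, no weak certificate-signature hashes) and builds a Python client context that can never fall back to SSLv3. The endpoint descriptions are constructed, not measured from a real deployment; the TLS 1.2 floor in the client context and the SHA-1 rule are my assumptions reflecting current practice, since the guide itself lists TLS v1 and SHA-1.

```python
"""Audit TLS endpoint parameters against the section 3.5 baseline.

Added example, not code from the IBM guide or the product. Endpoints below are
constructed; the TLS 1.2 floor and the SHA-1 rule are assumptions (the guide
lists TLS v1 and SHA-1 certificate signatures).
"""
from __future__ import annotations

import ssl
from dataclasses import dataclass, field

BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}     # POODLE, section 3.4
MIN_RSA_BITS = 2048                        # the product's own key length
WEAK_SIG_HASHES = {"md5", "sha1"}          # assumption: current CA/browser policy


@dataclass
class TlsEndpoint:
    name: str
    protocols: set = field(default_factory=set)   # versions the listener will negotiate
    rsa_bits: int = 2048                           # certificate key length
    sig_hash: str = "sha256"                       # digest used in the certificate signature


def audit_endpoint(ep: TlsEndpoint) -> list[str]:
    """Return one finding per rule the endpoint breaks; an empty list means compliant."""
    findings = []
    banned = sorted(ep.protocols & BANNED_PROTOCOLS)
    if banned:
        findings.append(f"{ep.name}: disable {', '.join(banned)} (POODLE applies to SSLv3)")
    if ep.rsa_bits < MIN_RSA_BITS:
        findings.append(f"{ep.name}: RSA key is {ep.rsa_bits} bits, require >= {MIN_RSA_BITS}")
    if ep.sig_hash.lower() in WEAK_SIG_HASHES:
        findings.append(f"{ep.name}: certificate signed with {ep.sig_hash}, reissue with SHA-256")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """A client context that cannot negotiate SSLv2/SSLv3 or TLS 1.0/1.1.

    PROTOCOL_TLS_CLIENT also enables certificate and hostname verification.
    TLS 1.2 as the floor is an assumption; lower it only for a peer that cannot be upgraded.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict[str, str]:
    """The settings an auditor would record for a context."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": str(ctx.check_hostname),
    }


# Constructed endpoints loosely modelled on rows of Figures 21 and 23; not measured values.
SAMPLE_ENDPOINTS = [
    TlsEndpoint("ICCT :443", {"SSLv3", "TLSv1", "TLSv1.2"}, rsa_bits=2048, sig_hash="sha1"),
    TlsEndpoint("vCenter :443", {"TLSv1", "TLSv1.2"}, rsa_bits=2048, sig_hash="sha256"),
    TlsEndpoint("nova-generated cert", {"TLSv1"}, rsa_bits=1024, sig_hash="sha1"),
]


def audit_all(endpoints: list[TlsEndpoint] = SAMPLE_ENDPOINTS) -> list[str]:
    return [finding for ep in endpoints for finding in audit_endpoint(ep)]


if __name__ == "__main__":
    for line in audit_all():
        print(line)
    print(context_summary(hardened_client_context()))
```

In practice the TlsEndpoint values come from a scanner or from the listener's configuration; the point of keeping the rules as data at the top is that the CVE-driven part of the policy (the banned protocol set) can be tightened without touching the logic.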


APPENDIX A: THE CLOUD ORCHESTRATOR

SECURITY EVALUATION TOOL (COSET)

A port management tool is provided with this paper. We will describe the tool configuration, and then the four modes it provides.

1. List mode: List the set of interesting ports currently being listened on.

2. Inbound connection mode: List the inbound connections to interesting ports.

3. Outbound connection mode: List the outbound connections to interesting ports.

4. Monitor mode: Continuously monitor the ports being listened on, and determine if unrecognized ports are active.

A.1 Port Utility Configuration

The 'coset' tool is a Perl-based utility. A standard Perl technique is to put configuration settings in a separate file as Perl variables that the program sources directly; the benefit is that structured data (hashes and arrays) is supported with all parsing done by the Perl interpreter. The 'coset' utility takes this approach. We will describe each of the variables in the provided configuration sample.

The first variable is the set of servers to be managed. This is a hash of the node alias (a symbolic value), and the fully qualified host name. This structure should be changed per Orchestrator installation, for the nodes the utility is to be run against. A sample follows.

%hosts = (

'CS1' => 'CentralServer1.perf.cil.raleigh.ibm.com',

'CS2' => 'CentralServer2.perf.cil.raleigh.ibm.com',

'CS3' => 'CentralServer3.perf.cil.raleigh.ibm.com',

'CS4' => 'CentralServer4.perf.cil.raleigh.ibm.com',

'RS1' => 'RegionServer1.RegionOneBC1.perf.cil.raleigh.ibm.com',

'RS2' => 'RegionServer2.RegionOneKVM.perf.cil.raleigh.ibm.com',

'RS4' => 'RegionServer4.RegionOneBC2.perf.cil.raleigh.ibm.com',

'RS5' => 'RegionServer5.RegionFiveBC3.perf.cil.raleigh.ibm.com',

);

Figure 27: Port Utility Hosts Configuration

Next a region server template is provided. This is not directly used by the utility, but is a variable specific to the configuration file given all region servers have the same requirements. The value is simply the set of “interesting” ports for the region servers. In this context, “interesting” means ports required for the successful operation of the Orchestrator.


@region_server_template = (

# Cinder Glance Nova QPid VIL SCE Apache DNS

8776, 9191, 8774, 5672, 4444, 7777, 80, 53,

3260, 9292, 8775, 8123, 7080, 953,

6080

);

Figure 28: Port Utility Region Server Template Configuration

The next structure shows the set of active ports required for the Orchestrator. These are the defined listening ports, broken down by host and organized by component. Samples are shown for Central Server 1 and 2, and the Region Servers. Note the region servers all have an identical configuration, and simply reference the template provided above. The ports for all servers are provided in the sample configuration attached to this paper.

%ports_active = (

'CS1' => [# DNS DB2

53, 50000,

953

],

'CS2' => [# VIL Hbase Origami IaaS PCG Keystone Tomcat Memcached

9443, 2181, 8123, 9973, 9797, 5000, 8182, 11211,

9043, 60000, 35357, 8009,

9060, 60010, 8005,

6379, 60020,

8880, 60030,

9633,

9080,

9100,

9403,

9402,

2809,

4444

],

'RS1' => [@region_server_template],

'RS2' => [@region_server_template],

'RS4' => [@region_server_template],

'RS5' => [@region_server_template]

);

Figure 29: Port Utility Active Port Configuration

The next structures serve a common purpose: they indicate the ports or the programs associated with ports that may be ignored. The intent is to remove any noise from the port monitoring view. This is particularly valuable in monitor mode, which will be discussed later.


%ports_ignore = (

'CS1' => [80, 523, 657],

'CS2' => [],

'CS3' => [],

'CS4' => [],

'RS1' => [],

'RS2' => [],

'RS4' => [],

'RS5' => []

);

@programs_ignore = (

'cupsd', 'dnsmasq', 'master', 'repo_srv.', 'rpcbind', 'rpc.statd',

'sshd'

);

Figure 30: Port Utility Ports and Programs to Ignore

A.2 Port Utility List Mode

The port utility list mode shows, for the current host and its ports as defined in the configuration file, the listening state of every active port. The following is a complete sample for Central Server 1.

Figure 31: Port Utility List Mode Sample

A.3 Port Utility Inbound Connection Mode

The port utility inbound connection mode shows, for the current host and its configured ports, the established inbound connections to every active port. Note that the utility does not list inbound connections originating from the node itself; this is easily changed via an internal configuration option. The following is a truncated sample for Central Server 1 (there are literally hundreds of inbound connections to the database server).

Figure 32: Port Utility Inbound Connection Mode Sample


A.4 Port Utility Outbound Connection Mode

The port utility outbound connection mode shows, for the current host and its configured ports, the established outbound connections from every active port. Note that the utility does not list outbound connections to the node itself; this is easily changed via an internal configuration option. The following is a complete sample for Central Server 1. Note that the sample is empty, showing that the database server itself is not initiating outbound connections (as expected).

Figure 33: Port Utility Outbound Connection Mode Sample

A.5 Port Utility Monitor Mode

The port utility monitor mode is the most useful capability. It loops indefinitely and, on each pass, lists every listening port that it cannot match to the host's active list or to the port and program ignore lists. Why is this so useful? By running the monitor mode it can be established whether new, unexpected listeners are appearing. Each such port can then either be shut down or added to the configuration and managed per enterprise firewall standards.

The sample below has been manipulated to show a case where the monitor is continuously identifying an unexpected port (953).

Figure 34: Port Utility Monitor Mode Sample
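The monitor-mode logic described in A.5, and the list-mode view from A.2, as an added example. This is not the coset utility itself (which is Perl and ships with the paper; it is not reproduced here). The code parses netstat -tlnp output, reports listeners that are explained by neither the active list nor the ignore lists, and reports active ports that have no listener. The netstat text is constructed; the CS1 port lists are the ones from Figures 29 and 30. Matching ignored programs by prefix as well as exact name is my assumption, based on netstat truncating the program column (the 'repo_srv.' entry in Figure 30 looks like such a truncation).

```python
"""Monitor-mode check in the style of the coset utility from Appendix A.

Added example, not the coset tool itself. The netstat sample is constructed;
the CS1 active and ignore lists are from Figures 29 and 30. Prefix matching of
ignored program names is an assumption (netstat truncates that column).
"""
from __future__ import annotations

import subprocess
import time

PORTS_ACTIVE = {"CS1": {53, 953, 50000}}
PORTS_IGNORE = {"CS1": {80, 523, 657}}
PROGRAMS_IGNORE = ("cupsd", "dnsmasq", "master", "repo_srv.", "rpcbind", "rpc.statd", "sshd")

# Constructed 'netstat -tlnp' output for CS1; the java listener on 4444 is the planted surprise.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:53                  0.0.0.0:*                   LISTEN      1201/named
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      1201/named
tcp        0      0 0.0.0.0:50000               0.0.0.0:*                   LISTEN      2310/db2sysc
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      980/sshd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      870/rpcbind
tcp        0      0 :::80                       :::*                        LISTEN      1500/httpd
tcp        0      0 :::4444                     :::*                        LISTEN      3333/java
"""


def parse_listeners(netstat_text: str) -> list[tuple[int, str]]:
    """Return (port, program) per LISTEN line; program is '' when netstat shows '-' (not run as root)."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6") or fields[5] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])          # handles 0.0.0.0:53 and :::4444 alike
        program = ""
        if len(fields) > 6 and "/" in fields[6]:
            program = fields[6].split("/", 1)[1]
        listeners.append((port, program))
    return listeners


def program_ignored(program: str) -> bool:
    return any(program == p or program.startswith(p) for p in PROGRAMS_IGNORE)


def unexpected_listeners(listeners, active: set[int], ignored_ports: set[int]) -> list[tuple[int, str]]:
    """Monitor-mode output: listening ports explained by neither list."""
    return sorted({(port, prog) for port, prog in listeners
                   if port not in active and port not in ignored_ports and not program_ignored(prog)})


def missing_listeners(listeners, active: set[int]) -> list[int]:
    """List-mode view: active ports with no listener, i.e. a service that is down."""
    return sorted(active - {port for port, _ in listeners})


def live_netstat() -> str:
    """Run netstat on this host; root is needed to see PID/Program for other users' sockets."""
    return subprocess.run(["netstat", "-tlnp"], capture_output=True, text=True, check=True).stdout


def monitor(host: str, fetch=live_netstat, interval: float = 30.0, iterations: int | None = None) -> None:
    """Loop like coset monitor mode, printing only what is unexpected or missing."""
    done = 0
    while iterations is None or done < iterations:
        listeners = parse_listeners(fetch())
        for port, prog in unexpected_listeners(listeners, PORTS_ACTIVE[host], PORTS_IGNORE[host]):
            print(f"{host}: unexpected listener {port}/{prog or '?'}")
        for port in missing_listeners(listeners, PORTS_ACTIVE[host]):
            print(f"{host}: active port {port} is not listening")
        done += 1
        if iterations is None or done < iterations:
            time.sleep(interval)


if __name__ == "__main__":
    # One pass over the constructed sample; on a real node drop the fetch argument.
    monitor("CS1", fetch=lambda: SAMPLE_NETSTAT, iterations=1)
```

Removing 953 from the CS1 active set reproduces the situation in Figure 34, where the named control port is reported on every pass until it is either added back to the configuration or closed.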


REFERENCES

SmartCloud Orchestrator and Related Component References

SmartCloud Orchestrator Version 2.3: Capacity Planning, Performance, and Management Guide

http://www.ibm.com/software/ismlibrary?NavCode=1TW10SO7P

IBM SmartCloud Orchestrator: Offline-backup approach using Tivoli Storage Manager for Virtual Environments http://www.ibm.com/software/ismlibrary?NavCode=1TW10SO7Q

IBM SmartCloud Orchestrator 2.3 Information Center

IBM SmartCloud Orchestrator Resource Center

IBM DB2 10.1 Information Center http://pic.dhe.ibm.com/infocenter/db2luw/v10r1/index.jsp?topic=/com

Advanced Security Hardening in WebSphere Application Server V7, V8 and V8.5, Part 1: Overview and Approach to Security Hardening http://www.ibm.com/developerworks/websphere/techjournal/1210_lansche/1210_lansche.html

OpenStack References

OpenStack Security Guide http://docs.openstack.org/sec/

OpenStack Keystone http://docs.openstack.org/developer/keystone/

Hypervisor References

VMware Security Guide http://www.vmware.com/security

vSphere 5.1 Hardening Guide hardeningguide-vsphere5-1-ga-release-public.xlsx

vSphere 5.5 Hardening Guide hardeningguide-vsphere5-5-ga-released.xlsx

Linux on System x: KVM Security (Linux on System x Information Center)


Security Scan References

IBM Rational Security Appscan Enterprise Edition

http://www-03.ibm.com/software/products/us/en/appscan-enterprise

IBM Rational Security Appscan Source

http://www-03.ibm.com/software/products/us/en/appscan-source

Common Vulnerabilities and Exposures https://cve.mitre.org/


© Copyright IBM Corporation 2014, 2015 IBM United States of America Produced in the United States of America US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing IBM Corporation North Castle Drive Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PAPER “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes may be made periodically to the information herein; these changes may be incorporated in subsequent versions of the paper. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this paper at any time without notice. Any references in this document to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation 4205 South Miami Boulevard Research Triangle Park, NC 27709 U.S.A. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information is for planning purposes only. The information herein is subject to change before the products described become available. If you are viewing this information softcopy, the photographs and color illustrations may not appear.


Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Other company, product, or service names may be trademarks or service marks of others.