
OpenStack (Behind the firewall security)

:: OpenStack for you and your enterprise ::

:: Keystone Introduction :: Ethan Kurt :: 1 ::

Advertising: me

- Nay Myo Hlaing @ Ethan Kurt

- In the Network and Systems field
(nearly 8 years)
- In the Security field
(nearly 3 years)

Team

- Ubuntu Myanmar LoCo Team


- Free and Open Source Software (FOSS) Organization Myanmar
Contact
- etan@ubuntu-mm.net

A new cloud era ...


New Challenges in the Cloud Era


State of Cybersecurity: Implications for 2016

(An ISACA and RSA Conference Survey)


OpenStack Core Services


Swift
- Object Storage Service
Nova
- Compute Service
Neutron
- Networking Service
Cinder
- Block Storage Service
Glance
- Image Service


What about the identity security check?


Keystone (One key to rule them all)


History of Keystone
- Austin (nova, swift) (21/Oct/2010)
- Bexar (glance, nova, swift)
- Cactus (glance, nova, swift)
- Diablo (glance, nova, swift)
- Essex (glance, horizon, keystone v2.0, nova, swift)
(05/Apr/2012)
- Folsom, Grizzly, Havana, Icehouse, Juno, Kilo (the last release centred on the v2.0 API) (Apr/2015)
- Liberty (v3 becomes the primary API, 15/Oct/2015; the v3 API itself has shipped since Grizzly)
- Mitaka (Keystone v3, the latest release when this talk was prepared)
- Newton (current, 06/Oct/2016)


What is Keystone?
- Identity Service
- Central authentication & authorization system
(single point of authentication for all OpenStack services)
- Auditing
- Service discovery (the service catalog)
- Supports integration with a variety of identity providers
- Keystone should be the first service to be installed


Components of Keystone
User
Tenant/Project
Role
Token
Endpoint
Service


User (User)
- A user represents a human user and has associated information
such as username (credential), password (credential) and email.
Tenant/Project (Group)
- A container to group and isolate resources and users. One must be
specified in order to make requests to services. (Represents a customer,
an organization or a group.)
Role (Permission)
- Includes a set of rights for performing specific actions that can
be assigned to a specific user. (A role is what operations a user is
permitted to perform in a given tenant.)


Token
- a short string returned by Keystone and used for accessing services.
Each token has a scope which describes which resources are accessible
with it.
Endpoint
- an address accessible over a network, described by a URL, from where
it is possible to make requests to OpenStack services.
Service
- provides one or more endpoints through which users can access resources
and perform operations. (e.g. Swift, Nova, Neutron, etc.)
- A service is identified by: identification number, name, service type
and description

Creating the admin user

$ keystone user-create --name=admin --pass=SuperSecret --email=etan@ubuntu-mm.net

Creating the admin role

$ keystone role-create --name=admin

Creating the admin tenant/project

$ keystone tenant-create --name=admin --description="Admin Tenant"

Linking admin user, admin role and admin tenant

$ keystone user-role-add --user=admin --tenant=admin --role=admin

Link the admin user to the _member_ role

$ keystone user-role-add --user=admin --role=_member_ --tenant=admin

Creating the service tenant/project

$ keystone tenant-create --name=service --description="Service Tenant"

Note: these are the legacy v2.0 `keystone` CLI commands, which have since been
deprecated in favour of the `openstack` client. Passing the password with --pass
puts it into shell history and `ps` output; prefer a prompt or an environment variable.
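The same bootstrap expressed as Identity v3 REST calls, as an added example that is not part of the deck. The request paths and bodies are the v3 API's (POST /v3/projects, POST /v3/users, POST /v3/roles, PUT /v3/projects/{pid}/users/{uid}/roles/{rid}); the `send` transport, the `http_send` helper, the `ADMIN_PASS` variable and the `$name` placeholder syntax are this example's own conventions. The `_member_` assignment from the slide is the same PUT with that role's id.

```python
"""Admin bootstrap via the Keystone Identity v3 API (added example, not from the deck).

The transport is injected so the plan can be exercised offline; ``send`` is a
hypothetical callable ``send(method, path, body) -> dict`` supplied by the caller.
"""
import json
import os
import urllib.request


def plan_admin_bootstrap(domain_id="default", email="admin@example.com"):
    """Return the ordered v3 requests needed to bootstrap an admin.

    Values that depend on earlier responses are written as '$name' placeholders
    (e.g. '$project') and resolved by run_plan() once those IDs exist.
    """
    return [
        ("project", "POST", "/v3/projects",
         {"project": {"name": "admin", "domain_id": domain_id,
                      "description": "Admin Project"}}),
        ("user", "POST", "/v3/users",
         {"user": {"name": "admin", "domain_id": domain_id, "email": email,
                   # read from the environment: never on a command line, where
                   # `ps` and shell history would expose it
                   "password": os.environ.get("ADMIN_PASS", "")}}),
        ("role", "POST", "/v3/roles", {"role": {"name": "admin"}}),
        ("assignment", "PUT",
         "/v3/projects/$project/users/$user/roles/$role", None),
        ("service_project", "POST", "/v3/projects",
         {"project": {"name": "service", "domain_id": domain_id,
                      "description": "Service Project"}}),
    ]


def run_plan(plan, send):
    """Execute a plan, threading created IDs into later request paths.

    ``send`` must return the decoded JSON response, or an empty dict for
    204 No Content (the role-assignment PUT). Returns a name -> id map.
    """
    ids = {}
    for name, method, path, body in plan:
        for ref, value in ids.items():
            path = path.replace("$" + ref, value)
        resp = send(method, path, body) or {}
        # v3 create responses wrap the object under its singular type name
        for key in ("project", "user", "role"):
            if key in resp and "id" in resp[key]:
                ids[name] = resp[key]["id"]
    return ids


def http_send(base_url, token):
    """Real transport (hypothetical helper): JSON over HTTPS with X-Auth-Token."""
    def send(method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            base_url + path, data=data, method=method,
            headers={"Content-Type": "application/json", "X-Auth-Token": token})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send
```

Against a live cloud this is `run_plan(plan_admin_bootstrap(), http_send("https://keystone.example.com:5000", bootstrap_token))`, where the bootstrap token comes from `keystone-manage bootstrap`; the test below drives it with a fake transport that only records the calls.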


API Security


API Endpoints

Client  -->  Network/Internet via https  -->  API (REST, XML-RPC, SOAP ...)
        -->  Compute, Object Storage, Block Storage, Networking, Identity

Note:

APIs are your point of contact with the external world, you must make them highly secure!
Firewalls are not enough because anything can be sent over http/https ...

General API best practices


OpenStack APIs

All OpenStack software is based on APIs. End customers
and tools use them to access the platform programmatically.
Among OpenStack components, the API is a way of decoupling
component implementations.

Ways to consume the RESTful API:
- easily, from 'curl'-style tools
- OpenStack command line tools
- OpenStack REST clients
- Software Development Kits (SDKs)


OpenStack API Workflow

1. Obtain a token

$ curl -s -d '{"auth":{"tenantName":"customer-x","passwordCredentials":{"username":"userethan","password":"supersecret"}}}' \
    -H "Content-Type: application/json" http://localhost:35357/v2.0/tokens

The token id is returned in the JSON body under access.token.id.

2. Consume the API (through the obtained token):

$ curl -i -X GET http://localhost:35357/v2.0/tenants \
    -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: $TOKEN"

Note: port 35357 is the admin endpoint; ordinary clients should talk to the public
endpoint (port 5000) over https, and the admin endpoint should not be reachable from tenant networks.
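The same two steps on the Identity v3 API, as an added example that is not code from the deck: on v3 the token is returned in the `X-Subject-Token` response header rather than in the JSON body, and the body carries the token's scope plus the service catalog, which is how a client discovers endpoints (the Endpoint and Service components defined earlier) without hard-coding them. The host names, the `SAMPLE_TOKEN_BODY` data and the helper names are constructed for this example and are not real deployment data.

```python
"""Identity v3 token workflow (added example, not from the deck)."""
import json
import urllib.request

# Assumed public Identity endpoint; clients authenticate against the public
# interface (port 5000), not the admin one (35357) used in the curl lines.
KEYSTONE = "https://keystone.example.com:5000"


def password_auth_body(user, password, project, domain="Default"):
    """Project-scoped v3 password authentication request (POST /v3/auth/tokens)."""
    return {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {"name": user, "password": password,
                                  "domain": {"name": domain}}}},
        "scope": {"project": {"name": project, "domain": {"name": domain}}}}}


def parse_token_response(headers, raw_body):
    """Split a v3 auth response into (token, body).

    Unlike v2.0, the token is not in the JSON: it is the X-Subject-Token
    header. The body carries the expiry, the scope and the service catalog.
    """
    return headers["X-Subject-Token"], json.loads(raw_body)


def get_token(user, password, project):
    """Step 1 over a real network (needs a reachable KEYSTONE)."""
    req = urllib.request.Request(
        KEYSTONE + "/v3/auth/tokens",
        data=json.dumps(password_auth_body(user, password, project)).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.headers, resp.read())


def find_endpoint(body, service_type, interface="public", region=None):
    """Look a service up in the catalog that came back with the token.

    Default to the public interface: admin/internal endpoints live on the
    management network and must not be reachable from tenants.
    """
    for service in body["token"]["catalog"]:
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface and region in (None, ep["region"]):
                return ep["url"]
    raise LookupError(f"no {interface} endpoint for {service_type}")


def call_with_token(url, token):
    """Step 2: consume an API by presenting the token in X-Auth-Token."""
    req = urllib.request.Request(url, headers={"X-Auth-Token": token})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read())


# Constructed, trimmed sample of a v3 token response body (not real data).
SAMPLE_TOKEN_BODY = {"token": {
    "expires_at": "2016-10-06T12:00:00.000000Z",
    "project": {"name": "customer-x", "id": "p-customer-x"},
    "catalog": [
        {"type": "compute", "name": "nova", "endpoints": [
            {"interface": "admin", "region": "RegionOne",
             "url": "http://10.0.0.5:8774/v2.1"},
            {"interface": "public", "region": "RegionOne",
             "url": "https://nova.example.com:8774/v2.1"}]},
        {"type": "identity", "name": "keystone", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "https://keystone.example.com:5000/v3"}]}]}}
SAMPLE_TOKEN_RAW = json.dumps(SAMPLE_TOKEN_BODY).encode()
```

End to end: `token, body = get_token("userethan", "supersecret", "customer-x")` followed by `call_with_token(find_endpoint(body, "compute") + "/servers", token)`. Treat the token like a password: it goes in a header, never in a URL or a log line.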


OpenStack API best practices

Isolate API endpoints
Processes, especially those that reside within the public security domain, should
be deployed on separate hosts for increased isolation.
Apply Defense-in-Depth
concept: configure services, host-based firewalls, local policy (AppArmor)
Use Linux namespaces
to assign processes to independent domains
Use network ACLs and IDS
technologies to enforce explicit points of communication between network services
(e.g. wire-level ACLs in L3 switches)

Mandatory access control in APIs

Isolate API endpoint processes from each other and from other processes on a machine.

Use Mandatory Access Controls (MAC) on top of Discretionary Access Controls to
segregate processes, e.g. SELinux.

Objective: containment of API endpoint security breaches and of any escalation from them.

Use of MAC at the OS level severely limits access to resources and provides earlier
alerting on such events.


The power of Keystone
- Single point of authentication for all OpenStack services
- Single sign-on to OpenStack services
- Reduces exposure of credentials


Continuous Security

Which token should I use for security purposes, Luke?
- UUID
- PKI
- PKIZ
- Fernet
(Fernet later became the default provider in Ocata, where PKI and PKIZ were removed.)
Horizon and Fernet
- Yes, Fernet tokens work with Horizon
- Liberty and beyond: no patches necessary
- Kilo: needs a patch for DOA (Django OpenStack Auth)
- https://review.openstack.org/#/c/169994
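Why Fernet is the one to pick: a UUID token is an opaque random string that only means something because Keystone stores it, so every validation is a database lookup and revocation means deleting rows; PKI/PKIZ tokens are signed by a CA and grow very large; a Fernet token is an authenticated, encrypted blob whose validity depends only on a key repository. The following added example (not from the deck or from Keystone itself) illustrates the key-repository and rotation half of that design. The standard library has no AES, so the payload is authenticated with HMAC-SHA256 and not encrypted; this is not the Fernet format. The slot conventions mirror `keystone-manage fernet_setup`/`fernet_rotate`: slot 0 is the staged key, the highest slot is the primary key, everything in between is a secondary key that only validates. Class and function names are this example's own.

```python
"""Stateless tokens over a rotating keyring (added example, not from the deck)."""
import base64
import hashlib
import hmac
import json
import os
import time

SLOT_BYTES = 4   # key slot prefix
TAG_BYTES = 32   # HMAC-SHA256 tag


class Keyring:
    """Models keystone's fernet key repository layout, in memory.

    Slot 0 = staged (validates, never issues); highest slot = primary (issues);
    the rest = secondary (validate only).
    """

    def __init__(self, max_active_keys=3):
        self.max_active_keys = max_active_keys
        self.keys = {0: os.urandom(32), 1: os.urandom(32)}

    @property
    def primary(self):
        return max(self.keys)

    def rotate(self):
        """Promote the staged key to primary, stage a fresh key, purge the oldest."""
        new_primary = self.primary + 1
        self.keys[new_primary] = self.keys.pop(0)
        self.keys[0] = os.urandom(32)
        # Tokens issued under a purged key stop validating, so keystone sizes
        # max_active_keys as (token lifetime / rotation interval) + 2.
        secondaries = sorted(k for k in self.keys if k not in (0, new_primary))
        while len(self.keys) > self.max_active_keys and secondaries:
            self.keys.pop(secondaries.pop(0))


def issue(keyring, user_id, project_id, ttl=3600, now=None):
    """MAC the claims under the primary key. Nothing is written to a database:
    validity later depends only on the key repository and the clock."""
    now = time.time() if now is None else now
    claims = {"u": user_id, "p": project_id, "exp": int(now) + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    slot = keyring.primary
    tag = hmac.new(keyring.keys[slot], payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(
        slot.to_bytes(SLOT_BYTES, "big") + tag + payload).decode()


def validate(keyring, token, now=None):
    """Return the claims if the token verifies under any active key and has
    not expired; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        slot = int.from_bytes(raw[:SLOT_BYTES], "big")
        key = keyring.keys[slot]
    except (ValueError, KeyError):
        raise ValueError("malformed token or key no longer active") from None
    tag = raw[SLOT_BYTES:SLOT_BYTES + TAG_BYTES]
    payload = raw[SLOT_BYTES + TAG_BYTES:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        raise ValueError("bad authentication tag")  # forged or tampered
    claims = json.loads(payload)
    if claims["exp"] <= now:
        raise ValueError("expired")
    return claims
```

Two properties worth noticing: a token issued before a rotation keeps validating because its key becomes a secondary, and a token issued by a different keyring fails on the tag, not by accident. Real Fernet adds encryption on top, so the claims are also confidential, and keystone further checks revocation events; this block shows neither.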

Cookie backend
- Secure cookies: use https (with properly issued certificates)
- CSRF_COOKIE_SECURE = True
- SESSION_COOKIE_SECURE = True
- SESSION_COOKIE_HTTPONLY = True (keeps the session cookie out of reach of page scripts)
http://docs.openstack.org/developer/horizon/topics/settings.html
http://docs.openstack.org/security-guide/dashboard/cookies.html
Of course, you need traditional security too, Bob


Thank You!

