CloudPassage Halo Installfest

Halo Installfest Slides


CloudPassage Halo Installfest 1

CloudPassage Halo Installfest 2

Quick Intro

• Thanks for coming out!

• Enjoy the free food ☺

• Focus on security issues with IaaS cloud

• Interweave that with installing Halo

• We’re here to help!

– Ask questions

– Staff will be handy if you need us

– Any and all feedback greatly appreciated

CloudPassage Halo Installfest 3

Where Can I Get These Slides?

community.cloudpassage.com

CloudPassage Halo Installfest 4

Tonight’s Focus

• Infrastructure as a Service (IaaS)

– Can apply to PaaS and SaaS from a provider’s perspective

• Mostly geared to public cloud

– Although applicable to private

• Tenant security concerns

– We’ll skip physical security

CloudPassage Halo Installfest 5

What You Need For The Labs

• Laptop or tablet

• Root-equivalent access to a Linux VM

– Local or public is fine

– Spin up now if needed

• Internet access

– Wifi settings: As Posted

CloudPassage Halo Installfest 6

Houston…We Have a Problem

All network security benefits lost in migration:

• Firewall – Filter port level access

• Firewall – Control rootkit transfer

• Proxy – Control app level data

• NIDS – Inspect stream for attacks

• Sniffer – Audit trail of network traffic

CloudPassage Halo Installfest 7

Delineation of Responsibility

Stack layers, shown in each of the IaaS, PaaS and SaaS columns:

Facility

Network

Compute & Storage

Operating System

Hypervisor

Solution Stack

Application

IaaS Interface / PaaS Interface / SaaS Interface: in each column an Interface line separates the layers the Tenant is responsible for from the layers the Provider is responsible for

CloudPassage Halo Installfest 8

What Are My Options?

CloudPassage Halo Installfest 9

Issues to Address

• No firewall control

• Vulnerability management

• Provider image may not meet corporate standards

– Configuration settings

– Accounts

• Detect intrusions

CloudPassage Halo Installfest 10

Extending The LAN Into The Cloud

CloudPassage Halo Installfest 11

LAN Extended Challenges

• Increases load on corporate link

– Today we’re mobile

– Limits public cloud scaling

• Increases load on perimeter infrastructure

• Negates network benefits

– Provider load balancing

– Multi-peer points

– Geo-location DNS

– Higher latency

• No protection within virtual infrastructure

CloudPassage Halo Installfest 12

Virtual Appliance Management

CloudPassage Halo Installfest 13

Virtual Appliance Architecture

CloudPassage Halo Installfest 14

What About Introspection?

• Hypervisor based security

– Has visibility into all VMs

• Single point of control

– For a specific hypervisor deployment

• Public - Do you want other tenants to have access to your hypervisor?

• Do you want your provider to have non-auditable access to your VMs?

• Can break segregation of duties

CloudPassage Halo Installfest 15

Host-Based Architecture

Consistent architecture (and risk abatement) regardless of deployment

CloudPassage Halo Installfest 16

Why Host Based Firewalls?

• Tenant controlled

– Provider gains no additional access

• Mitigate potential risks from vswitch or VLANs

• Supported across all cloud infrastructures

– Consistent management regardless of deployment

• Security is portable with the VM

• This is the model supported by Halo

CloudPassage Halo Installfest 17

Why Restrict Admin Ports?

Dshield.org data

Green = # of IPs looking for open SSH ports

Red = # of IPs hit by SSH scan

CloudPassage Halo Installfest 18

Halo Firewall Interface

Cloak the port until these users authenticate

CloudPassage Halo Installfest 19

Issues to Address

• No firewall control

• Vulnerability management

• Provider image may not meet corporate standards

– Configuration settings

– Accounts

• Detect intrusions

CloudPassage Halo Installfest 20

Image Deployment

• Provider images usually not patched

• Some 3rd party images are pre-patched

– To the time of the image's release

– Which 3rd parties can you trust?

• Auto-patching usually disabled

• Some known vulnerabilities may not yet be patched

– But it may be possible to mitigate if the risk is known

CloudPassage Halo Installfest 21

Vulnerability Wire Testing

• Some providers have restrictions

– May be limited by terms of service

– May be limited to specific products

• Targeting concerns

– What if your IPs are not contiguous?

– What if the IP changes?

• Does not detect local exploits

CloudPassage Halo Installfest 22

Host Based Vulnerability Checking

• Validate compliance within the VM itself

• Can check remote and local vulnerabilities

• Typically lower cost to deploy

– Less billable utilization

• Can give a false negative if a patch is not yet loaded

– Kernel updates

• This is the model Halo uses

CloudPassage Halo Installfest 23

Halo Software Risks

CloudPassage Halo Installfest 24

Issues to Address

• No firewall control

• Vulnerability management

• Provider image may not meet corporate standards

– Configuration settings

– Accounts

• Detect intrusions

CloudPassage Halo Installfest 25

Configuration Settings

• Are only required processes running?

– Are they securely configured?

• Is password aging enforced?

• Is root permitted direct SSH access?

• Proper permissions on critical files?

• Is sudo or wheel properly configured?

• Any changes since deployment?
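The questions on this slide can be turned into a host-side audit. The following is an added example, not Halo's own check code: it evaluates a constructed sshd_config, login.defs, sudoers, file-mode table and process list against the slide's questions (the REQUIRED process set and the 90-day aging threshold are assumed policy values).

```python
import re
import stat

# Constructed sample configuration and process list (not taken from a real host).
SSHD_CONFIG = "Port 22\n#PermitRootLogin prohibit-password\nPermitRootLogin yes\n"
LOGIN_DEFS = "PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_WARN_AGE\t7\n"
SUDOERS = "root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\ndeploy ALL=(ALL) NOPASSWD: ALL\n"
FILE_MODES = {"/etc/shadow": 0o644, "/etc/sudoers": 0o440}
RUNNING = {"sshd", "httpd", "telnetd"}
REQUIRED = {"sshd", "httpd"}  # the processes this (hypothetical) role is allowed to run

def effective(config, keyword):
    """First uncommented value of an sshd_config keyword; sshd honours the first occurrence."""
    for line in config.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#") and parts[0].lower() == keyword.lower():
            return parts[1]
    return None

def check_host(sshd=SSHD_CONFIG, login_defs=LOGIN_DEFS, sudoers=SUDOERS,
               modes=FILE_MODES, running=RUNNING, max_pass_days=90):
    """Return the failed checks, one per question the slide asks; an empty list means all passed."""
    findings = []
    extra = running - REQUIRED
    if extra:
        findings.append(f"processes running beyond the required set: {sorted(extra)}")
    m = re.search(r"^PASS_MAX_DAYS\s+(\d+)", login_defs, re.M)
    if m is None or int(m.group(1)) > max_pass_days:
        findings.append(f"password aging not enforced (PASS_MAX_DAYS unset or above {max_pass_days})")
    root_login = effective(sshd, "PermitRootLogin")
    if root_login is None or root_login == "yes":
        findings.append(f"root SSH login not explicitly denied (PermitRootLogin={root_login})")
    if modes.get("/etc/shadow", 0o777) & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("/etc/shadow is accessible to group or others")
    for line in sudoers.splitlines():
        rule = line.split("NOPASSWD:", 1)
        if len(rule) == 2 and rule[1].strip() == "ALL":
            findings.append(f"passwordless unrestricted sudo: {line.strip()}")
    return findings
```

The sample host fails all five checks; pass real file contents and the output of a process listing to audit a live VM.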

CloudPassage Halo Installfest 26

Creating A Halo Check

CloudPassage Halo Installfest 27

Halo Check Results

CloudPassage Halo Installfest 28

System Accounts

• What accounts are on the system?

• Did the provider modify the default accounts?

– ec2-user

• Which accounts have root level access?

• Who has accounts on which servers?

• How do you add/delete accounts for many servers simultaneously?

CloudPassage Halo Installfest 29

Halo Server Access

CloudPassage Halo Installfest 30

Expanded Details

CloudPassage Halo Installfest 31

Issues to Address

• No firewall control

• Vulnerability management

• Provider image may not meet corporate standards

– Configuration settings

– Accounts

• Detect intrusions

CloudPassage Halo Installfest 32

Clues To An Attack

• Some file changes indicate a compromise

• Static Web server files

• /etc/passwd has new account

• /etc/sudoers has new entries

• ssh_known_hosts has new entries

• authorized_keys has new entries

• Halo uses SHA-256 to detect changes
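The detection idea on this slide, a SHA-256 baseline of the named files compared against a later snapshot, as an added example that is not Halo's own implementation. File contents are constructed in-memory snapshots so it runs offline; the paths and the new UID-0 account are sample data.

```python
import hashlib

# Constructed sample snapshots of the files the slide names (not real host data).
BEFORE = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nec2-user:x:1000:1000::/home/ec2-user:/bin/bash\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n",
    "/root/.ssh/authorized_keys": b"ssh-ed25519 AAAAC3example1 admin@corp\n",
    "/var/www/index.html": b"<h1>Welcome</h1>\n",
}
AFTER = dict(BEFORE)
AFTER["/etc/passwd"] = BEFORE["/etc/passwd"] + b"svc:x:0:0::/:/bin/bash\n"  # new UID-0 account
AFTER["/root/.ssh/authorized_keys"] = BEFORE["/root/.ssh/authorized_keys"] + b"ssh-ed25519 AAAAC3example2 unknown\n"
AFTER["/var/www/index.html"] = b"<h1>Welcome!</h1>\n"  # static web content edited

def baseline(files):
    """Map each monitored path to the SHA-256 hex digest of its content (the baseline)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def compare(old, new):
    """Paths whose digest changed, plus paths that appeared or disappeared since the baseline."""
    return {
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }

def new_accounts(old_passwd, new_passwd):
    """Usernames present in the new /etc/passwd but not in the baseline, mapped to their UID."""
    def parse(blob):
        rows = (line.split(":") for line in blob.decode().splitlines())
        return {f[0]: int(f[2]) for f in rows if len(f) >= 3}
    before, after = parse(old_passwd), parse(new_passwd)
    return {name: uid for name, uid in after.items() if name not in before}

def new_lines(old_blob, new_blob):
    """Lines added to a line-oriented file such as authorized_keys, sudoers or ssh_known_hosts."""
    return sorted(set(new_blob.decode().splitlines()) - set(old_blob.decode().splitlines()))

def report(before=BEFORE, after=AFTER):
    """Compare two snapshots and explain each changed path; an empty dict means nothing changed."""
    findings = {}
    for path in compare(baseline(before), baseline(after))["changed"]:
        if path == "/etc/passwd":
            findings[path] = new_accounts(before[path], after[path])
        elif path.endswith(("authorized_keys", "sudoers", "ssh_known_hosts")):
            findings[path] = new_lines(before[path], after[path])
        else:
            findings[path] = "content changed"
    return findings
```

Only the digest is stored for the baseline, so the comparison needs the current file contents only for paths whose digest moved; the unchanged sudoers file is never re-read.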

CloudPassage Halo Installfest 33

Define Files to Check

CloudPassage Halo Installfest 34

Halo FIM Reporting

CloudPassage Halo Installfest 35

Event Reporting

CloudPassage Halo Installfest 36

Alert Reporting

CloudPassage Halo Installfest 37

Lab Time

Let’s Install Halo!

CloudPassage Halo Installfest 38

Start Here to Create an Account