OpenStack Cloud Security
Build a secure OpenStack cloud to withstand all common attacks
Fabio Alessandro Locati
BIRMINGHAM - MUMBAI

OpenStack Cloud Security
Copyright © 2015 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: July 2015
Production reference: 1220715

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-78217-098-3
www.packtpub.com

Credits

Author: Fabio Alessandro Locati
Reviewers: Pedro Navarro Pérez, Vinoth Kumar Selvaraj
Commissioning Editor: Kartikey Pandey
Acquisition Editor: Nikhil Karkal
Content Development Editor: Mamata Walkar
Technical Editor: Namrata Patil
Copy Editors: Puja Lalwani, Laxmi Subramanian
Project Coordinator: Sanjeet Rao
Proofreader: Safis Editing
Indexer: Tejal Soni
Graphics: Jason Monteiro
Production Coordinator: Melwyn D'sa
Cover Work: Melwyn D'sa

About the Author

Fabio Alessandro Locati is an Italian IT external consultant. His main areas of expertise are Linux, networking, security, data centers, and OpenStack.

With more than 10 years of working experience in this field, he has experienced different IT roles, technologies, and languages. Fabio has worked for many different companies, starting from a one-man company to huge companies such as Tech Data and Samsung. This has allowed him to consider various technologies from different points of view, helping him develop critical thinking and understand whether a particular technology is the correct one in a very short span of time. Since he is always looking for better technologies, he also tries new technologies to see their advantages over the old ones.

Two of the most important things Fabio evaluates in a technology are its internal security and the possibility of additional security through configuration or interaction with the other technologies. For virtualization, he often uses OpenStack due to its power and simplicity, ever since he first tried it in 2011. Fabio has used OpenStack for the public-facing cloud, as well as the internal clouds.

I would like to thank my parents, who introduced me to computer science before I was even able to write, and my whole family, who has always been supportive. A special thanks goes to everyone I worked with at Packt Publishing for their hard work and to the reviewers for their constructive feedback. Of course, I would also like to thank NASA, Rackspace, the OpenStack community, and all the companies that have created and improved OpenStack over the years.

About the Reviewers

Pedro Navarro Pérez works as an OpenStack specialist at Red Hat. He does training, coding, configuration, and installation of OpenStack; he is also a major contributor to OpenStack on Hyper-V. Prior to working for Red Hat, Pedro spent several years working as a developer for award-winning cloud start-ups. Pedro graduated from Telecom Bretagne and Universidad Politécnica de Valencia in 2008. He also likes salsa, playing handball, and evangelizing about how to cook authentic Valencian paella. He currently resides in Barcelona, Spain.

Vinoth Kumar Selvaraj is an enthusiastic computer science engineer from Tamil Nadu, India. He works as an OpenStack engineer for Cloudenablers. He is a graduate from Sri Ram Engineering College, Veppampattu, Chennai. He has been working on various cloud-based technologies and their integrations since the beginning of his career. He is constantly striving to learn new technologies and learn better and faster ways to solve problems. He is an active member of the OpenStack community at https://ask.openstack.org/en/users/1825/vinoth/. In his spare time, Vinoth enjoys sharing his insights on technologies at http://www.hellovinoth.com and via his Twitter handle @vinoth6664.

I wish I could thank everyone personally, but let me thank Amma, Appa, Anna, and my friends for their love and support. I would also like to thank Konda Chendil, Rathinasabapathy, Thiruvalluvar, Venkatesh Perumal, and Krishna Kumar for their support and trust in me.

www.PacktPub.com

Support files, eBooks, discount offers, and more

For support files and downloads related to your book, please visit www.PacktPub.com.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www2.packtpub.com/books/subscription/packtlib

Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can search, access, and read Packt's entire library of books.

Why subscribe?
• Fully searchable across every book published by Packt
• Copy and paste, print, and bookmark content
• On demand and accessible via a web browser

Free access for Packt account holders

If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view 9 entirely free books. Simply use your login credentials for immediate access.

Table of Contents

Preface  vii

Chapter 1: First Things First – Creating a Safe Environment  1
  Access control  1
  The CIA model  2
    Confidentiality  2
    Integrity  4
    Availability  5
    Some considerations  6
    A real-world example  6
  The principles of security  8
    The Principle of Insecurity  8
    The Principle of Least Privilege  8
    The Principle of Separation of Duties  9
    The Principle of Internal Security  10
  Data center security  11
    Select a good place  11
    Implement a castle-like structure  12
    Secure your authorization points  13
    Defend your employees  13
    Defend all your support systems  13
    Keep a low profile  13
    The power of redundancy  14
    Cameras  14
    Blueprints  15
    Data center in office  15
  Server security  16
  The importance of logs  17
    Where to store the logs?  17
    Evaluate what to log  18
    Evaluate the number of logs  19
  The people aspect of security  19
    Simple forgetfulness  20
    Shortcuts  21
    Human error  22
    Lack of information  23
    Social engineering  24
    Evil actions under threats  25
    Evil actions for personal advantage  26
  Summary  26

Chapter 2: OpenStack Security Challenges  27
  Private cloud versus public cloud security  27
    The private cloud  28
    The public cloud  28
    Private cloud versus public cloud  29
  The different kinds of security threats  30
    Possible attackers  30
    The possible attacks  30
      Denial of Service  31
      0-day  32
      Brute force  33
      Advanced Persistent Threat  33
      Automated exploitation tools  33
      The ISP intercept  34
      The supply chain attack  34
      Social engineering  35
      The Hypervisor breakout  35
  The OpenStack structure  35
    OpenStack Compute Service – Nova  36
    OpenStack Object Storage Service – Swift  36
    OpenStack Image Service – Glance  37
    OpenStack Dashboard – Horizon  37
    OpenStack Identity Service – Keystone  38
    OpenStack Networking Service – Neutron  38
    OpenStack Block Storage Service – Cinder  39
    OpenStack Orchestration – Heat  39
    OpenStack Telemetry – Ceilometer  39
    OpenStack Database Service – Trove  40
    OpenStack Data Processing Service – Sahara  40
    Future components  40
      Ironic – bare metal provisioning  41
      Zaqar – cloud messaging  41
      Manila – file sharing  41
      Designate – DNS  41
      Barbican – key management  42
  Summary  42

Chapter 3: Securing OpenStack Networking  43
  The Open Systems Interconnection model  44
    Layer 1 – the Physical layer  44
    Layer 2 – the Data link layer  45
      Address Resolution Protocol (ARP) spoofing  46
      MAC flooding and Content Addressable Memory table overflow attack  47
      Dynamic Host Configuration Protocol (DHCP) starvation attack  47
      Cisco Discovery Protocol (CDP) attacks  48
      Spanning Tree Protocol (STP) attacks  48
      Virtual LAN (VLAN) attacks  49
    Layer 3 – the Network layer  50
    Layer 4 – the Transport layer  51
    Layer 5 – the Session layer  51
    Layer 6 – the Presentation layer  51
    Layer 7 – the Application layer  52
  TCP/IP  52
  Architecting secure networks  53
    Different uses means different network  53
    The importance of firewall, IDS, and IPS  55
      Firewall  55
      Intrusion detection system (IDS)  56
      Intrusion prevention system (IPS)  57
    Generic Routing Encapsulation (GRE)  57
    VXLAN  58
    Flat network versus VLAN versus GRE in OpenStack Quantum  58
    Design a secure network for your OpenStack deployment  59
    The networking resource policy engine  60
    Virtual Private Network as a Service (VPNaaS)  60
  Summary  61

Chapter 4: Securing OpenStack Communications and Its API  63
  Encryption security  64
    Symmetric encryption  64
      Stream cipher  65
      Block cipher  66