OpenStack Cloud Security
Table of Contents
OpenStack Cloud Security
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. First Things First – Creating a Safe Environment
Access control
The CIA model
Confidentiality
Integrity
Availability
Some considerations
A real-world example
The principles of security
The Principle of Insecurity
The Principle of Least Privilege
The Principle of Separation of Duties
The Principle of Internal Security
Data center security
Select a good place
Implement a castle-like structure
Secure your authorization points
Defend your employees
Defend all your support systems
Keep a low profile
The power of redundancy
Cameras
Blueprints
Data center in office
Server security
The importance of logs
Where to store the logs?
Evaluate what to log
Evaluate the number of logs
The people aspect of security
Simple forgetfulness
Shortcuts
Human error
Lack of information
Social engineering
Evil actions under threats
Evil actions for personal advantage
Summary
2. OpenStack Security Challenges
Private cloud versus public cloud security
The private cloud
The public cloud
Private cloud versus public cloud
The different kinds of security threats
Possible attackers
The possible attacks
Denial of Service
0-day
Brute force
Advanced Persistent Threat
Automated exploitation tools
The ISP intercept
The supply chain attack
Social engineering
The Hypervisor breakout
The OpenStack structure
OpenStack Compute Service – Nova
OpenStack Object Storage Service – Swift
OpenStack Image Service – Glance
OpenStack Dashboard – Horizon
OpenStack Identity Service – Keystone
OpenStack Networking Service – Neutron
OpenStack Block Storage Service – Cinder
OpenStack Orchestration – Heat
OpenStack Telemetry – Ceilometer
OpenStack Database Service – Trove
OpenStack Data Processing Service – Sahara
Future components
Ironic – bare metal provisioning
Zaqar – cloud messaging
Manila – file sharing
Designate – DNS
Barbican – key management
Summary
3. Securing OpenStack Networking
The Open Systems Interconnection model
Layer 1 – the Physical layer
Layer 2 – the Data link layer
Address Resolution Protocol (ARP) spoofing
MAC flooding and Content Addressable Memory table overflow attack
Dynamic Host Configuration Protocol (DHCP) starvation attack
Cisco Discovery Protocol (CDP) attacks
Spanning Tree Protocol (STP) attacks
Virtual LAN (VLAN) attacks
Layer 3 – the Network layer
Layer 4 – the Transport layer
Layer 5 – the Session layer
Layer 6 – the Presentation layer
Layer 7 – the Application layer
TCP/IP
Architecting secure networks
Different uses mean different networks
The importance of firewall, IDS, and IPS
Firewall
Intrusion detection system (IDS)
Intrusion prevention system (IPS)
Generic Routing Encapsulation (GRE)
VXLAN
Flat network versus VLAN versus GRE in OpenStack Quantum
Design a secure network for your OpenStack deployment
The networking resource policy engine
Virtual Private Network as a Service (VPNaaS)
Summary
4. Securing OpenStack Communications and Its API
Encryption security
Symmetric encryption
Stream cipher
Block cipher
Asymmetric encryption
Diffie-Hellman
RSA algorithm
Elliptic Curve Cryptography
Symmetric/asymmetric comparison and synergies
Hashing
MD5
SHA
Public key infrastructure
Signed certificates versus self-signed certificates
Cipher security
Designing a redundant environment for your APIs
Secure your OpenStack API with TLS
Apache HTTPd
Nginx
Enforcing HTTPS for future connections
Summary
5. Securing the OpenStack Identification and Authentication System and Its Dashboard
Identification versus authentication versus authorization
Identification
Authentication
Something you know
Something you have
Something you are
The multifactor authentication
Authorization
Mandatory Access Control
Discretionary Access Control
Role-based Access Control
Lattice-based Access Control
Session management
Federated identity
Configuring OpenStack Keystone to use Apache HTTPd
Apache HTTPd configuration
Making Keystone available to Apache HTTPd
Configuring iptables
Configuring firewalld
SELinux
Setting up shared tokens
Setting up the startup properly
Setting up Keystone as an Identity Provider
Configuring Apache HTTPd
Configuring Shibboleth
Configuring OpenStack Keystone
Summary
6. Securing OpenStack Storage
Different storage types
Object storage
Block storage
File storage
Comparison between storage solutions
Security
Backends
Ceph
GlusterFS
The Logical Volume Manager
The Network File System
Sheepdog
Swift
Z File System (ZFS)
Security
Securing OpenStack Swift
Hiding information
Securing ports
Summary
7. Securing the Hypervisor
Various types of virtualization
Full virtualization
Paravirtualization
Partial virtualization
Comparison of virtualization levels
Hypervisors
Kernel-based Virtual Machine
Xen
VMware ESXi
Hyper-V
Baremetal
Containers
Docker
Linux Containers
Criteria for choosing a hypervisor
Team expertise
Product or project maturity
Certifications and attestations
Features and performance
Hardware concerns
Hypervisor memory optimization
Additional security features
Hardening the hardware management
Physical hardware – PCI passthrough
Virtual hardware with Quick Emulator
sVirt – SELinux and virtualization
Hardening the host operating system
Summary
Index