Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[BruCON] Project Skylab 1.0: Helping You Get Your Cloud On

Project Skylab 1.0: Helping You Get Your Cloud On (Craig Balding)

The Cloud Security Broken Record

It’s time to stop repeating the same talking points and start talking about what you can actually do.

Don’t just disengage when you hear cloud. It’s time to use it for something useful.

People are criticizing something they may never have used. Lots of people are forming opinions about cloud without any real experience of it.

It’s easy to read somebody else’s opinion… but what are you doing to keep up?

Friction

  • The hard disk space is always in the wrong place
  • The box you want is always busy
  • There’s no space

So how do you get around these issues?

What does your test lab need?

  • Interoperability: Ability to interact with multiple cloud providers
  • Security: Protect your systems (pay-per-use gets pricey if someone else is running a torrent site on your instances)
  • Visibility: You need to know what your tools are doing to the system (CPU usage, etc…)
  • Workshop: A place to do your testing

Startup mantra: Fail as fast as you can!

Because you don’t want to waste time on something that won’t work!

Motives

  • Learn
  • Get practical
  • Home server is RIP
  • Geekin’ Out
  • Open Source
  • Community Projects

Why not just use VMware for Skylab? Because tying yourself to a single provider is an invitation to fail.

3 Questions for you

  • Do you use cloud storage?
    • Answer: 33% YES
  • Have you booted a machine in a public cloud?
    • Answer: About 12 people
  • Have you played with cloud network overlays?
    • Answer: 1 person

These answers are typical for European conferences and show that few people have actually played with cloud.

Use Cases

  • Target Practice
    • New tools
    • New attacks
  • Assurance Testing
    • Testing patches
    • New software interaction
  • During a Pen-Test
    • Random IP-Addresses

Skylab == Infrastructure as a Service

What else should it be?

  • Hit common use cases
  • On demand
  • Infrastructure as code (Configure your datacenter as a conf file)
  • Cost-conscious
  • Hardware re-use

Design principles

  • Hypervisor agnostic
  • Security test lab “features”
  • Freedom: Open-Source
  • Pragmatic: Don’t reinvent the wheel
  • Scriptable and Fun!

Sharing a whole VM is overkill. We should be able to convey what needs to be in a system without the need to download what we already have!

Shopping for a cloud platform

Things to look for –>Openness

  • API
  • Core
  • Source
  • Development
  • Decision Making

OpenNebula.org: The Open Source Toolkit for Cloud Computing

The ability to share and sell your Cloud systems to others.

Hybrid interaction with a range of other providers, using OpenNebula together with Red Hat’s Deltacloud. With a single command you can start and manage remote cloud systems on any supported provider.

Pay as you go… Don’t forget to turn it off!

Terms of service… check that they allow what you need. TOS do change!

Cloud Networking

We need to simulate not only single isolated systems, but complete networks.

Amazon VMs only provide a single Ethernet interface. Amazon Security Groups let you control which traffic reaches an instance, but what we actually want is plain routing between our own subnets!

Overlay Networks –> VPN infrastructure (e.g. Amazon VPC)

Some other providers don’t offer this at all… in that case you can use a paid service like VPNcubed.

Configuration Management –> Configure/Script what you want your network to look like.

There are various options for this, in different languages.

Example (a Chef role definition):

default_attributes(
  "apache2" => {
    "listen_ports" => ["80", "443"]
  }
)
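To make the "network as a conf file" and "protect your systems" points concrete, here is an added example of the kind of DC-creator script the notes above describe. It is not Skylab's own code or anything from the talk: it takes a constructed lab description (hypothetical host, network and recipe names), fails fast on a topology that cannot be built (unknown network, address outside its subnet, duplicate address), derives per-host ingress rules so that the attacker/victim range can only reach the visibility box on the one flow you allow, and renders each host as a Chef role in JSON form, carrying the same `apache2`/`listen_ports` attribute as the example above. The `lab_firewall` attribute is an assumption for illustration, not a real Chef cookbook attribute.

```ruby
require 'json'
require 'ipaddr'

# Constructed lab description (all names hypothetical). Two overlay subnets:
# "mgmt" holds the visibility box, "range" holds attacker and victim VMs.
LAB = {
  "networks" => {
    "mgmt"  => "10.10.0.0/24",
    "range" => "10.10.1.0/24",
  },
  # Cross-network traffic is denied unless listed here (syslog to the visibility VM).
  "flows" => [ { "from" => "range", "to" => "mgmt", "ports" => [514] } ],
  "hosts" => [
    { "name" => "visibility", "net" => "mgmt",  "ip" => "10.10.0.10",
      "run_list" => ["recipe[splunk]", "recipe[nagios]"], "ports" => [80, 514, 8000] },
    { "name" => "victim-web", "net" => "range", "ip" => "10.10.1.20",
      "run_list" => ["recipe[apache2]"], "ports" => [80, 443] },
    { "name" => "attacker",   "net" => "range", "ip" => "10.10.1.5",
      "run_list" => ["recipe[metasploit]"], "ports" => [] },
  ],
}

# Fail fast: reject a description that cannot be built before touching any provider.
def topology_errors(lab)
  errors = []
  seen = {}
  lab["hosts"].each do |h|
    cidr = lab["networks"][h["net"]]
    if cidr.nil?
      errors << "#{h['name']}: unknown network #{h['net']}"
      next
    end
    unless IPAddr.new(cidr).include?(IPAddr.new(h["ip"]))
      errors << "#{h['name']}: #{h['ip']} is outside #{h['net']} (#{cidr})"
    end
    errors << "#{h['name']}: duplicate address #{h['ip']}" if seen[h["ip"]]
    seen[h["ip"]] = true
  end
  lab["flows"].each do |f|
    %w[from to].each do |k|
      errors << "flow: unknown network #{f[k]}" unless lab["networks"].key?(f[k])
    end
  end
  errors
end

# Ingress rules for one host: same-network peers reach its declared ports,
# other networks only on explicitly allowed flows, everything else is dropped.
def ingress_rules(lab, host)
  rules = []
  host["ports"].each do |port|
    rules << { "src" => lab["networks"][host["net"]], "port" => port, "action" => "accept" }
    lab["flows"].each do |f|
      next unless f["to"] == host["net"] && f["ports"].include?(port)
      rules << { "src" => lab["networks"][f["from"]], "port" => port, "action" => "accept" }
    end
  end
  rules << { "src" => "0.0.0.0/0", "port" => "any", "action" => "drop" }
end

# Render a Chef role (JSON form, loadable with `knife role from file`) carrying
# the host's run_list, its apache2 listen_ports (as in the page's example) and
# the ingress rules under a hypothetical "lab_firewall" attribute.
def chef_role(lab, host)
  attrs = { "lab_firewall" => { "rules" => ingress_rules(lab, host) } }
  if host["run_list"].include?("recipe[apache2]")
    attrs["apache2"] = { "listen_ports" => host["ports"].map(&:to_s) }
  end
  {
    "name" => host["name"],
    "description" => "Skylab host #{host['name']} on #{host['net']}",
    "json_class" => "Chef::Role",
    "chef_type" => "role",
    "default_attributes" => attrs,
    "override_attributes" => {},
    "run_list" => host["run_list"],
  }
end

# Validate first, then emit one role per host; raising here is the "fail fast" step.
def build_lab(lab)
  errors = topology_errors(lab)
  raise ArgumentError, "lab description invalid:\n  " + errors.join("\n  ") unless errors.empty?
  lab["hosts"].map { |h| chef_role(lab, h) }
end

if __FILE__ == $0
  build_lab(LAB).each { |role| puts JSON.pretty_generate(role) }
end
```

The description is the single source of truth: the same hash that places a host on a subnet also decides what may talk to it, so adding a victim VM never silently opens a path into the monitoring network. The default-drop rule at the end is what keeps a misconfigured lab from becoming somebody else's torrent site.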

Things still to do

  • Establish Amazon VPC Connection
  • Build Visibility VM (Splunk, Nagios, + extras)
  • Chef Recipes for Security Extras & CM
  • Build Range of Victim/Enterprise VMs
  • Create Easy “DC Creator” front-end script

Making it simple is the hard part!
