Project Skylab 1.0: Helping You Get Your Cloud On (Craig Balding)
The Cloud Security Broken Record
It’s time to stop repeating the same talking points and start talking about what you can actually do.
Don’t just disengage when you hear “cloud”. It’s time to use it for something useful.
People are criticizing something they might never have used. Lots of people are forming opinions about cloud without real experience.
It’s easy to read somebody else’s opinion… but what are you doing to keep up?
Friction
- The hard disk space is always in the wrong place
- The box you want is always busy
- There’s no space
So how do you get around these issues?
What does your test lab need?
- Interoperability: Ability to interact with multiple cloud providers
- Security: Protect your systems (pay per use is pricey if others are using it as a torrent site)
- Visibility: You need to know what your tools are doing to the system (CPU usage, etc…)
- Workshop: A place to do your testing
Startup mantra: Fail as fast as you can!
Because you don’t want to waste time on something that won’t work!
Motives
- Learn
- Get practical
- Home server is RIP
- Geekin’ Out
- Open Source
- Community Projects
Why not just use VMware for Skylab? Because tying yourself to a single provider is an invitation to fail.
3 Questions for you
- Do you use cloud storage?
- Have you booted a machine in a public cloud?
- Have you played with cloud network overlays?
These answers are typical for European conferences and show that few people have played with cloud.
Use Cases
- Target Practice
- Assurance Testing
- Testing patches
- New software interaction
- During a Pen-Test
Skylab == Infrastructure as a Service
What else should it be?
- Hit common use cases
- On demand
- Infrastructure as code (Configure your datacenter as a conf file)
- Cost-conscious
- Hardware re-use
Design principles
- Hypervisor agnostic
- Security test lab “features”
- Freedom: Open-Source
- Pragmatic: Don’t reinvent the wheel
- Scriptable and Fun!
Sharing a whole VM is overkill. We should be able to convey what needs to be in a system without the need to download what we already have!
Shopping for a cloud platform
Things to look for –> Openness
- API
- Core
- Source
- Development
- Decision Making
OpenNebula.org: The Open Source Toolkit for Cloud Computing
The ability to share and sell your Cloud systems to others.
Hybrid interaction with a range of other providers, using OpenNebula and Red Hat’s Deltacloud. With a single command you can start and manage remote cloud systems from any supported provider.
Pay as you go… Don’t forget to turn it off!
Terms of service… Check it allows what you need. TOS do change!
Cloud Networking
We need to simulate not only single isolated systems, but complete networks.
Amazon VMs only provide a single Ethernet interface. With Amazon Security Groups you can control traffic, but we just want to use routing!
Overlay Networks –> VPN infrastructure (e.g. Amazon VPC)
Some other providers don’t offer this as a solution… in this instance you can use a paid service like VPNcubed.
Configuration Management –> Configure/Script what you want your network to look like.
Various tools do this, each with its own language.
Example (Chef role attributes; the slide’s missing quote after "80" is fixed here):
default_attributes(
  "apache2" => {
    "listen_ports" => [ "80", "443" ]
  })
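Infrastructure as code in the sense used above, as an added example (not Skylab’s or Chef’s own code): a minimal stand-in for Chef’s role DSL that evaluates a role file offline, rejects malformed listen ports before the role can reach a node, and emits the JSON shape a Chef server stores. The LabRole class and the sample role are assumptions constructed for this example.

```ruby
require 'json'
# Minimal stand-in for Chef's role DSL (an assumption: it mimics, rather than
# reuses, Chef's Role class) so a role file can be checked offline.
class LabRole
  def initialize
    @name, @description, @attrs, @run_list = nil, '', {}, []
  end

  def name(n = nil);        n ? @name = n : @name; end
  def description(d = nil); d ? @description = d : @description; end
  def run_list(*items);     @run_list.concat(items); end
  def default_attributes(h = nil); @attrs = h if h; @attrs; end

  # Evaluate role text in the DSL. instance_eval is acceptable for trusted,
  # version-controlled role files only; never feed it untrusted input.
  def self.from_dsl(text)
    r = new
    r.instance_eval(text)
    r
  end

  # Catch a malformed port (e.g. the slide's "80, " typo) before the role
  # reaches a node: every listen port must be a bare number.
  def bad_ports
    Array(@attrs.dig('apache2', 'listen_ports')).reject { |p| p.to_s =~ /\A\d{1,5}\z/ }
  end

  # Serialise to the JSON shape a Chef server stores for a role.
  def to_json(*a)
    { 'name' => @name, 'description' => @description,
      'default_attributes' => @attrs, 'run_list' => @run_list }.to_json(*a)
  end
end

# Constructed role for a Skylab "victim" web host (sample, not from the project).
VICTIM_WEB_ROLE = <<~'ROLE'
  name "skylab_victim_web"
  description "Target-practice web host"
  run_list "recipe[apache2]", "recipe[skylab_visibility]"
  default_attributes(
    "apache2" => {
      "listen_ports" => [ "80", "443" ]
    })
ROLE

if __FILE__ == $0
  role = LabRole.from_dsl(VICTIM_WEB_ROLE)
  abort "bad ports: #{role.bad_ports.inspect}" unless role.bad_ports.empty?
  puts role.to_json
end
```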
Things still to do
- Establish Amazon VPC Connection
- Build Visibility VM (Splunk, Nagios, + extras)
- Chef Recipes for Security Extras & CM
- Build Range of Victim/Enterprise VMs
- Create Easy “DC Creator” front-end script
Making it simple is the hard part!