OpenStack Cloud Security

Book Description

Build a secure OpenStack cloud to withstand all common attacks

In Detail

OpenStack is a system that controls large pools of computing, storage, and networking resources, allowing its users to provision resources through a user-friendly interface. OpenStack helps developers with features such as rolling upgrades, federated identity, and software reliability.

You will begin with basic security policies, such as MAC, MLS, and MCS, and explore the structure of OpenStack and virtual networks with Neutron. Next, you will configure secure communications on the OpenStack API with HTTP connections. You will also learn how to set up OpenStack Keystone and OpenStack Horizon and gain a deeper understanding of the similarities and differences between OpenStack Cinder and OpenStack Swift.

By the end of this book, you will be able to tune your hypervisor to make it safer and to choose a hypervisor wisely based on your needs.

What You Will Learn

  • Gain insights into ISP intercept and social engineering

  • Explore automated attacks with the help of mass phishing, brute force, and automated exploitation tools

  • Secure your OpenStack installation from a networking perspective at both low and high levels

  • Learn how to configure OpenStack so that its APIs use only encrypted communications

  • Configure secure communications on the OpenStack API

  • Harden OpenStack Keystone and Horizon for a more secure environment

  • Protect the Swift replication mechanism through network hardening

Downloading the example code for this book

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Table of Contents

    1. OpenStack Cloud Security
      1. Table of Contents
      2. OpenStack Cloud Security
      3. Credits
      4. About the Author
      5. About the Reviewers
      6. www.PacktPub.com
        1. Support files, eBooks, discount offers, and more
          1. Why subscribe?
          2. Free access for Packt account holders
      7. Preface
        1. What this book covers
        2. What you need for this book
        3. Who this book is for
        4. Conventions
        5. Reader feedback
        6. Customer support
          1. Downloading the example code
          2. Errata
          3. Piracy
          4. Questions
      8. 1. First Things First – Creating a Safe Environment
        1. Access control
        2. The CIA model
          1. Confidentiality
          2. Integrity
          3. Availability
          4. Some considerations
          5. A real-world example
        3. The principles of security
          1. The Principle of Insecurity
          2. The Principle of Least Privilege
          3. The Principle of Separation of Duties
          4. The Principle of Internal Security
        4. Data center security
          1. Select a good place
          2. Implement a castle-like structure
          3. Secure your authorization points
          4. Defend your employees
          5. Defend all your support systems
          6. Keep a low profile
          7. The power of redundancy
          8. Cameras
          9. Blueprints
          10. Data center in office
        5. Server security
        6. The importance of logs
          1. Where to store the logs?
          2. Evaluate what to log
          3. Evaluate the number of logs
        7. The people aspect of security
          1. Simple forgetfulness
          2. Shortcuts
          3. Human error
          4. Lack of information
          5. Social engineering
          6. Evil actions under threats
          7. Evil actions for personal advantage
        8. Summary
      9. 2. OpenStack Security Challenges
        1. Private cloud versus public cloud security
          1. The private cloud
          2. The public cloud
          3. Private cloud versus public cloud
        2. The different kinds of security threats
          1. Possible attackers
        3. The possible attacks
          1. Denial of Service
          2. 0-day
          3. Brute force
          4. Advanced Persistent Threat
          5. Automated exploitation tools
          6. The ISP intercept
          7. The supply chain attack
          8. Social engineering
          9. The Hypervisor breakout
        4. The OpenStack structure
          1. OpenStack Compute Service – Nova
          2. OpenStack Object Storage Service – Swift
          3. OpenStack Image Service – Glance
          4. OpenStack Dashboard – Horizon
          5. OpenStack Identity Service – Keystone
          6. OpenStack Networking Service – Neutron
          7. OpenStack Block Storage Service – Cinder
          8. OpenStack Orchestration – Heat
          9. OpenStack Telemetry – Ceilometer
          10. OpenStack Database Service – Trove
          11. OpenStack Data Processing Service – Sahara
        5. Future components
          1. Ironic – bare metal provisioning
          2. Zaqar – cloud messaging
          3. Manila – file sharing
          4. Designate – DNS
          5. Barbican – key management
        6. Summary
      10. 3. Securing OpenStack Networking
        1. The Open Systems Interconnection model
          1. Layer 1 – the Physical layer
          2. Layer 2 – the Data link layer
            1. Address Resolution Protocol (ARP) spoofing
            2. MAC flooding and Content Addressable Memory table overflow attack
            3. Dynamic Host Configuration Protocol (DHCP) starvation attack
            4. Cisco Discovery Protocol (CDP) attacks
            5. Spanning Tree Protocol (STP) attacks
            6. Virtual LAN (VLAN) attacks
          3. Layer 3 – the Network layer
          4. Layer 4 – the Transport layer
          5. Layer 5 – the Session layer
          6. Layer 6 – the Presentation layer
          7. Layer 7 – the Application layer
        2. TCP/IP
        3. Architecting secure networks
          1. Different uses means different network
          2. The importance of firewall, IDS, and IPS
            1. Firewall
            2. Intrusion detection system (IDS)
            3. Intrusion prevention system (IPS)
        4. Generic Routing Encapsulation (GRE)
          1. VXLAN
        5. Flat network versus VLAN versus GRE in OpenStack Quantum
        6. Design a secure network for your OpenStack deployment
          1. The networking resource policy engine
        7. Virtual Private Network as a Service (VPNaaS)
        8. Summary
      11. 4. Securing OpenStack Communications and Its API
        1. Encryption security
        2. Symmetric encryption
          1. Stream cipher
          2. Block cipher
        3. Asymmetric encryption
          1. Diffie-Hellman
          2. RSA algorithm
          3. Elliptic Curve Cryptography
        4. Symmetric/asymmetric comparison and synergies
        5. Hashing
          1. MD5
          2. SHA
        6. Public key infrastructure
          1. Signed certificates versus self-signed certificates
        7. Cipher security
        8. Designing a redundant environment for your APIs
        9. Secure your OpenStack API with TLS
          1. Apache HTTPd
          2. Nginx
        10. Enforcing HTTPS for future connections
        11. Summary
      12. 5. Securing the OpenStack Identification and Authentication System and Its Dashboard
        1. Identification versus authentication versus authorization
        2. Identification
        3. Authentication
          1. Something you know
          2. Something you have
          3. Something you are
          4. The multifactor authentication
        4. Authorization
          1. Mandatory Access Control
          2. Discretionary Access Control
          3. Role-based Access Control
          4. Lattice-based Access Control
        5. Session management
        6. Federated identity
        7. Configuring OpenStack Keystone to use Apache HTTPd
          1. Apache HTTPd configuration
          2. Making Keystone available to Apache HTTPd
          3. Configuring iptables
          4. Configuring firewalld
          5. SELinux
          6. Setting up shared tokens
          7. Setting up the startup properly
        8. Setting up Keystone as an Identity Provider
          1. Configuring Apache HTTPd
        9. Configuring Shibboleth
          1. Configuring OpenStack Keystone
        10. Summary
      13. 6. Securing OpenStack Storage
        1. Different storage types
          1. Object storage
          2. Block storage
          3. File storage
          4. Comparison between storage solutions
          5. Security
        2. Backends
          1. Ceph
          2. GlusterFS
          3. The Logical Volume Manager
          4. The Network File System
          5. Sheepdog
          6. Swift
          7. Z File System (ZFS)
        3. Security
        4. Securing OpenStack Swift
          1. Hiding information
          2. Securing ports
        5. Summary
      14. 7. Securing the Hypervisor
        1. Various types of virtualization
          1. Full virtualization
          2. Paravirtualization
          3. Partial virtualization
          4. Comparison of virtualization levels
        2. Hypervisors
          1. Kernel-based Virtual Machine
          2. Xen
          3. VMware ESXi
          4. Hyper-V
        3. Baremetal
        4. Containers
        5. Docker
        6. Linux Containers
        7. Criteria for choosing a hypervisor
          1. Team expertise
          2. Product or project maturity
          3. Certifications and attestations
          4. Features and performance
          5. Hardware concerns
          6. Hypervisor memory optimization
          7. Additional security features
        8. Hardening the hardware management
          1. Physical hardware – PCI passthrough
          2. Virtual hardware with Quick Emulator
        9. sVirt – SELinux and virtualization
        10. Hardening the host operating system
        11. Summary
      15. Index