increase datacenter
play

Increase Datacenter Security Posture LinuxCon North America 2016 - PowerPoint PPT Presentation

Using Hypervisor and Container Technology to Increase Datacenter Security Posture LinuxCon North America 2016 Toronto Canada #whoami Tim Mackey Current roles: Senior Technical Evangelist; Occasional coder Former XenServer Community


  1. Using Hypervisor and Container Technology to Increase Datacenter Security Posture LinuxCon North America 2016 – Toronto Canada

  2. #whoami – Tim Mackey Current roles: Senior Technical Evangelist; Occasional coder • Former XenServer Community Manager in Citrix Open Source Business Office Cool things I’ve done • Designed laser communication systems • Early designer of retail self-checkout machines • Embedded special relativity algorithms into industrial control system Find me • Twitter: @TimInTech ( https://twitter.com/TimInTech ) • SlideShare: slideshare.net/TimMackey • LinkedIn: www.linkedin.com/in/mackeytim

  3. Understanding the Attacker Model

  4. Attacks are Big Business In 2015, 89% of data breaches had a financial or espionage motive Source: Verizon 2016 Data Breach Report

  5. Attackers Decide What’s Valuable …

  6. But security investment is often not aligned with actual risks

  7. Anatomy of a New Attack Deploy Potential Attack Test against platforms Document Iterate Don’t forget PR department!

  8. Exploiting a Vulnerability

  9. Knowledge is Key. Can You Keep Up? Bug Reported glibc July 2015 Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

  10. Knowledge is Key. Can You Keep Up? Vuln Bug CVE Introduced Reported Assigned CVE-2015- glibc glibc 7547 May 2008 July 2015 Feb 16-2016 Vuln: CVE-2015-7547: glibc getaddrinfo stack-based Low Security Risk buffer overflow

  11. Knowledge is Key. Can You Keep Up? Vuln Bug CVE Vuln Introduced Reported Assigned Published CVE-2015- glibc glibc National 7547 Vulnerability Database May 2008 July 2015 Feb 16-2016 Feb 18-2016 Moderate Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack-based Low Security Risk buffer overflow

  12. Knowledge is Key. Can You Keep Up? Vuln Bug CVE Vuln You You Introduced Reported Assigned Published Find It Fix It CVE-2015- glibc glibc National 7547 Vulnerability Database May 2008 July 2015 Feb 16-2016 Feb 18-2016 Highest Security Risk Moderate Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack-based Low Security Risk buffer overflow Patches Available

  13. Understanding Vulnerability Impact

  14. Vulnerability Disclosures Trending Upward Open Source Vulnerabilities Reported Per Year BDS-exclusive nvd 3500 3000 2500 2000 1500 1000 500 0 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Reference: Black Duck Software KnowledgeBase, NVD

  15. Virtualization Extensions for Threat Mitigation

  16. Intel TXT – Trusted Execution Protection - Foundational Primary goals • Protect against BIOS and firmware attacks • Protect cryptographic host state • Ensure valid hypervisor kernel • Validate launch of critical VMs • Attest to hosts’ trust state Implemented by • Intel Haswell and newer • Cryptographic hashes stored in TPM

  17. Intel SMAP – Supervisor Mode Access Protection Operating System Kernel User Mode Applications Read Kernel Memory Read Application Memory Write Kernel Memory Write Application Memory Read Kernel Memory Write Kernel Memory Read Application Memory Write Application Memory

  18. Intel PML- Page Modification Logging mov r8d,2Bh mov ss,r8w mov r9d,dword ptr [r13+3Ch] mov dword ptr [rsp],r9d mov esp,dword ptr [r13+48h] jmp fword ptr [r14] mov r14,rsp mov word ptr [rsp+8],23h mov word ptr [rsp+20h],2Bh mov r8d,dword ptr [r13+44h] and dword ptr [r13+44h],0FFFFFEFFh mov dword ptr [rsp+10h],r8d mov r8d,dword ptr [r13+48h] mov qword ptr [rsp+18h],r8 mov r8d,dword ptr [r13+3Ch] mov qword ptr [rsp],r8

  19. Intel PML- Page Modification Logging Who changed the world? What in the world changed? When did the change occur? Why did the world change?

  20. Intel EPT – Extended Page Tables Host Memory Virtual Machine Page 0 App Memory OS Memory … … Page 0 TLB CR3 EPT Page 217 … 0→64589 Page 126 126→31289 … 13553→127 Page 127 Page 127→0 Page 31289 13553 … 13554→64591 64589→97586 … Page Page 64590→217 … 13554 64589 64591→78924 … Page 78924 Page … 64590 Page Page 97586 64591 …

  21. Hypervisor Memory Introspection – Enabled by EPT Implementation Overview EPT#1 • Critical memory pages are 126→31289 (R/X) assigned permissions in EPT 127→0 (R/X) VM Kernel Memory Layout • Exception handler defined in … 64589→97586 (R/W) hypervisor Exception Kernel Code (R/X) Handler 64590→217 (R/X) • Shadow EPT defined with elevated privs Driver Code (R/X) 64591→78924 (R/W) … Protects Against Attack Techniques • Driver Data (R/W) EPT#2 (Shadow) Rootkit injection • 126→31289 (+W) Kernel Code (R/X) Buffer overflow 127→0 (+W) • API hooking Kernel Data (R/W) 64589→97586 (+X) … 64590→217 (+W) 64591→78924 (+X) Hypervisor

  22. Simplified Hypervisor Introspection Architecture Diagram Guest Guest Guest Guest Guest Security Control Appliance Domain (domU) (dom0) Memory Critical Critical Critical Critical Critical Introspection Memory Memory Memory Memory Memory Access Access Access Access Access Engine Direct Inspect Xen Project Hypervisor APIs Networking Storage Compute

  23. Virtual Switches as Local Edge Protection – Silent Block Virtual Switch Rules Ingress: Guest HTTPS public VM Egress: Dynamic port to origin SSL access MySQL internal Private CIDR internal Port 22 access Attack silently blocked

  24. Virtual Switches as Local Edge Protection – Traffic Monitor Virtual Switch Rules Virtual Switch Rules Ingress: Ingress: Guest HTTPS public HTTPS public VM Egress: Egress: Dynamic port to origin Dynamic port to origin SSL access MySQL internal MySQL internal Private CIDR internal Private CIDR internal Mirror: Port 22 to Traffic Monitor All attacker traffic to monitor ovs Controller Port 22 access Log SSH Port 22 access Traffic Create port mirror for attacker Monitor Attack blocked with traffic log

  25. Virtual Switches as Local Edge Protection – Quarantine Virtual Switch Rules Virtual Switch Rules Ingress: Ingress: Guest Guest HTTPS public HTTPS attacker VM VM Egress: Egress: Dynamic port to origin Dynamic port to origin SSL access Mirror: MySQL internal Port 22 to Traffic Monitor Private CIDR internal All attacker traffic to monitor ovs Controller Port 22 access Traffic Log SSH Port 22 access Monitor Create port mirror for attacker Quarantine VM for attacker use Trigger replacement VM for farm Attack quarantined with full log

  26. Containers to Limit Scope of Compromise

  27. Are Containers Production Ready?

  28. Container Deployment Models

  29. Container Use Cases Application containers MySQL Tomcat nginx • Hold a single application • Can follow micro-services, cloud native design pattern • Starting point for most container usage Kernel • Short lifespan, many per host System containers • Proxy for a VM MySQL • Insulate against core operating system Tomcat • Perfect for legacy apps nginx • Long lifespan, few per host Kernel

  30. Securing the Container Contents and Environment

  31. Trust Container Source RedHat Registry Docker Hub Third Party and Custom Problem: Who to trust, and why? • Trusted source? • Unexpected image contents • Locked application layer Docker Container Docker Container Docker Container Docker Container Docker Container Atomic Nulecule Atomic Nulecule versions (e.g. no yum update) Atomic App Atomic App • Layer dependencies Jenkins MySQL Redis (monolithic vs micro-services) • Validated when? Atomic Host

  32. Determine Who Can Launch A Container Container default is root access • RBAC/ABAC is orchestration specific Docker Datacenter • Universal Control Plane • RBAC – LDAP/AD/local users • Full/Restricted/View/None Kubernetes • Authorization modules • Admission controllers

  33. Define Sensible Container Network Policies Docker default network is Linux Bridge Access policy defined in iptables • Based on Docker daemon startup External communication on by default • -- iptables=off to disable iptables modification Inter container communication on by default • -- icc=false to disable inter container communication • -- link=CONTAINER_NAME_or_ID:ALIAS with EXPOSE ports from Docker file • All inter-container/cross host communication is external `docker network` command simplifies aspects of network design • Create user defined networks, including overlay networks • docker network create --driver bridge sql

  34. Docker Networking - Example Container Container Container Container Container Container Container Container Container Container Container Container veth2 veth5 veth2 veth5 veth0 veth1 veth3 veth4 veth0 veth1 veth3 veth4 iptables iptables NAT/ 172.16.1.0/24 NAT/ 172.16.1.0/24 docker0 docker0 Host Host eth0/10.204.136.2 eth0/10.204.136.1

  35. Kubernetes Networking - Example Container Container Container Container Container Container Container Container Container Container Container Container Pause Pause Pause Pause Pod Pod Pod Pod veth0/10.204.136.11 veth0/10.204.136.12 veth0/10.204.136.21 veth0/10.204.136.22 Kubernetes Network Kubernetes Network Host Host eth0/10.204.136.10 eth0/10.204.136.20

Recommend


More recommend