Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems
Download as PPTX, PDF1 like373 views
The document outlines a project aimed at creating a secure private cloud using OpenStack and virtualization technologies. It describes the architecture of the cloud system, security measures implemented, and results from penetration testing that assess the system's vulnerability to attacks. The conclusions emphasize the importance of comprehensive security strategies and the need for further enhancements to safeguard the cloud infrastructure.
Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/ Prevention Systems
- 1. Open Source Private Cloud Management with OpenStack and Security Evaluation with Intrusion Detection/Prevention Systems Penetration Testing for Evaluation of Cloud’s Security 05/07/2016 1
- 2. Taking a sneak peek on cloud computing definition • Key technology for sharing resources • Web as a space where computing has been preinstalled and exists as a service Data centres, storage, operating systems, applications and processing power ALL shared on the web. 05/07/2016 2
- 3. Virtualization in Cloud Systems • Almost complete simulation of the actual Hardware to allow Software to run unmodified • Example: We have a desktop computer with Ubuntu OS and with virtualization technology we can run another Ubuntu OS, inside the Host machine, as a complete fully functional second desktop computer inside ours 05/07/2016 3
- 4. How is cloud connected to virtualization? • Easy to understand. Cloud Computing provides: on-demand resources and dynamically Virtualization provides : on-demand resources (you can create a virtual machine whenever you need or delete one) and dynamically (change your resources as you like, example 1) CPU, 2) CPUs, 3) CPUs 05/07/2016 4
- 5. Our Project’s Goal ! • Create a Cloud using virtualization Hardware • Specifically Using OpenStack Cloud Management System • Secure our Cloud System with Security software and tools 05/07/2016 5
- 6. Architecture of our Cloud System(1) • Initial plan • 3 virtualized OpenStack nodes • 1 OSSEC server monitoring the physical network and servers, plus the virtualized network and servers • Deployment of Fortification/security measures on the physical and virtualized Servers • Testing by means of offense 05/07/2016 6
- 7. • OpenStack Networking (Neutron) Architecture • OSSEC server-client architecture 05/07/2016 7
- 8. Architecture of our Cloud Systems(2) • Final plan: • 1 virtualized OpenStack node • 1virtualized OSSEC server • Deployment of Fortification/security measures on the physical and virtualized Servers • Testing by means of offense 05/07/2016 8
- 9. • DevStack OpenStack Cloud Management Architecture • OSSEC server-client architecture 05/07/2016 9
- 10. OSSEC Features • File integrity checking • Log Monitoring • Rootkit Detection • Active Response 05/07/2016 10
- 11. OSSEC Compliance Requirements • Detect + Alerts Reasons : • Unauthorized filesystem modifications • Malicious behaviour in log files 05/07/2016 11
- 12. Fortification/security measures of servers • SSH configurations for high security • Firewall rules modifications for inbound traffic • Iptables rules modifications • Apache server security hardening with Mod Security • Logwatch for the operating systems • Rkhunter rootkit scanner 05/07/2016 12
- 13. Attacking Scenario No.1 • Sqlmap toolset. • This tool focuses primarily on exploiting an SQL database. • The Goal of this test was to check if our Cloud has any vulnerabilities against SQL attack methods, like SQL injections. • Example attack command: • python sqlmap.py -u "http://www.site.com/section.php?id=51" 05/07/2016 13
- 14. • The next method of attack is by sqlmap again trying to reach any database entries from the Dashboard (Horizon) • The example command is: • Sqlmap –u “http://192.168.100.50” --db 05/07/2016 14
- 15. Attacking Scenario No.2 • THC Hydra toolset • This tool focuses on cracking login information • It supports quite plenty of protocols, such as HTTP, HTTPS, SFTP, SSH (v1 and v2) SSHKEY, POSTGRE and etc. • A first method of attack is by trying to attempt logging in as a root user on an SSH server. • #hydra –l root –P /usr/share/wordlists/metasploit/unix_passwor ds.txt –t 6 ssh://192.168.100.50 05/07/2016 15
- 16. Security Evaluation of our Cloud • It endured any attack from the two scenarios. • This means the fortification is quite satisfying • Unfortunately there were not more attacking methods in order to cover a larger area of security issues. The result is : Our Private DevStack Cloud has achieved to stand against threats. GOALS ACHIEVED! 05/07/2016 16
- 17. Conclusions • There is no “Best Security Strategy” for a Cloud System. • To secure a Cloud we shall: Be open-minded, adopt and other security products, methods used by others. Fuse our strategy with other existing effective strategies. Bear in mind, one wooden stick can be broken, 20 wooden sticks, will never be broken, or even worse, bend. 05/07/2016 17
- 18. Conclusions • Securing the Cloud’s infrastructure is sensible. • Securing the probable Servers hosting Cloud’s components is sensible. • INSENSIBLE would be if only securing one of these two. • Nevertheless, our project scope was to deploy security measures on the Servers of the Cloud. • However, future work, shall be to research, design and deploy the security technologies on the Cloud’s platform. 05/07/2016 18
- 19. Conclusions • Final step : Deploy and implement complementary security technologies on the Cloud too. At last, after a lot of effort, it shall be ready for migration to real environment. 05/07/2016 19