increase datacenter
play

Increase Datacenter Security Posture LinuxCon North America 2016 - PowerPoint PPT Presentation

Jan 14, 2024 •334 likes •781 views

Using Hypervisor and Container Technology to Increase Datacenter Security Posture LinuxCon North America 2016 Toronto Canada #whoami Tim Mackey Current roles: Senior Technical Evangelist; Occasional coder Former XenServer Community

  1. Using Hypervisor and Container Technology to Increase Datacenter Security Posture LinuxCon North America 2016 – Toronto Canada

  2. #whoami – Tim Mackey Current roles: Senior Technical Evangelist; Occasional coder • Former XenServer Community Manager in Citrix Open Source Business Office Cool things I’ve done • Designed laser communication systems • Early designer of retail self-checkout machines • Embedded special relativity algorithms into industrial control system Find me • Twitter: @TimInTech ( https://twitter.com/TimInTech ) • SlideShare: slideshare.net/TimMackey • LinkedIn: www.linkedin.com/in/mackeytim

  3. Understanding the Attacker Model

  4. Attacks are Big Business In 2015, 89% of data breaches had a financial or espionage motive Source: Verizon 2016 Data Breach Report

  5. Attackers Decide What’s Valuable …

  6. But security investment is often not aligned with actual risks

  7. Anatomy of a New Attack Deploy Potential Attack Test against platforms Document Iterate Don’t forget PR department!

  8. Exploiting a Vulnerability

  9. Knowledge is Key. Can You Keep Up? Bug Reported glibc July 2015 Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

  10. Knowledge is Key. Can You Keep Up? Vuln Bug CVE Introduced Reported Assigned CVE-2015- glibc glibc 7547 May 2008 July 2015 Feb 16-2016 Vuln: CVE-2015-7547: glibc getaddrinfo stack-based Low Security Risk buffer overflow

  11. Knowledge is Key. Can You Keep Up? Vuln Bug CVE Vuln Introduced Reported Assigned Published CVE-2015- glibc glibc National 7547 Vulnerability Database May 2008 July 2015 Feb 16-2016 Feb 18-2016 Moderate Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack-based Low Security Risk buffer overflow

  12. Knowledge is Key. Can You Keep Up? Vuln Bug CVE Vuln You You Introduced Reported Assigned Published Find It Fix It CVE-2015- glibc glibc National 7547 Vulnerability Database May 2008 July 2015 Feb 16-2016 Feb 18-2016 Highest Security Risk Moderate Security Risk Vuln: CVE-2015-7547: glibc getaddrinfo stack-based Low Security Risk buffer overflow Patches Available

  13. Understanding Vulnerability Impact

  14. Vulnerability Disclosures Trending Upward Open Source Vulnerabilities Reported Per Year BDS-exclusive nvd 3500 3000 2500 2000 1500 1000 500 0 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 Reference: Black Duck Software KnowledgeBase, NVD

  15. Virtualization Extensions for Threat Mitigation

  16. Intel TXT – Trusted Execution Protection - Foundational Primary goals • Protect against BIOS and firmware attacks • Protect cryptographic host state • Ensure valid hypervisor kernel • Validate launch of critical VMs • Attest to hosts’ trust state Implemented by • Intel Haswell and newer • Cryptographic hashes stored in TPM

  17. Intel SMAP – Supervisor Mode Access Protection Operating System Kernel User Mode Applications Read Kernel Memory Read Application Memory Write Kernel Memory Write Application Memory Read Kernel Memory Write Kernel Memory Read Application Memory Write Application Memory

  18. Intel PML- Page Modification Logging mov r8d,2Bh mov ss,r8w mov r9d,dword ptr [r13+3Ch] mov dword ptr [rsp],r9d mov esp,dword ptr [r13+48h] jmp fword ptr [r14] mov r14,rsp mov word ptr [rsp+8],23h mov word ptr [rsp+20h],2Bh mov r8d,dword ptr [r13+44h] and dword ptr [r13+44h],0FFFFFEFFh mov dword ptr [rsp+10h],r8d mov r8d,dword ptr [r13+48h] mov qword ptr [rsp+18h],r8 mov r8d,dword ptr [r13+3Ch] mov qword ptr [rsp],r8

  19. Intel PML- Page Modification Logging Who changed the world? What in the world changed? When did the change occur? Why did the world change?

  20. Intel EPT – Extended Page Tables Host Memory Virtual Machine Page 0 App Memory OS Memory … … Page 0 TLB CR3 EPT Page 217 … 0→64589 Page 126 126→31289 … 13553→127 Page 127 Page 127→0 Page 31289 13553 … 13554→64591 64589→97586 … Page Page 64590→217 … 13554 64589 64591→78924 … Page 78924 Page … 64590 Page Page 97586 64591 …

  21. Hypervisor Memory Introspection – Enabled by EPT Implementation Overview EPT#1 • Critical memory pages are 126→31289 (R/X) assigned permissions in EPT 127→0 (R/X) VM Kernel Memory Layout • Exception handler defined in … 64589→97586 (R/W) hypervisor Exception Kernel Code (R/X) Handler 64590→217 (R/X) • Shadow EPT defined with elevated privs Driver Code (R/X) 64591→78924 (R/W) … Protects Against Attack Techniques • Driver Data (R/W) EPT#2 (Shadow) Rootkit injection • 126→31289 (+W) Kernel Code (R/X) Buffer overflow 127→0 (+W) • API hooking Kernel Data (R/W) 64589→97586 (+X) … 64590→217 (+W) 64591→78924 (+X) Hypervisor

  22. Simplified Hypervisor Introspection Architecture Diagram Guest Guest Guest Guest Guest Security Control Appliance Domain (domU) (dom0) Memory Critical Critical Critical Critical Critical Introspection Memory Memory Memory Memory Memory Access Access Access Access Access Engine Direct Inspect Xen Project Hypervisor APIs Networking Storage Compute

  23. Virtual Switches as Local Edge Protection – Silent Block Virtual Switch Rules Ingress: Guest HTTPS public VM Egress: Dynamic port to origin SSL access MySQL internal Private CIDR internal Port 22 access Attack silently blocked

  24. Virtual Switches as Local Edge Protection – Traffic Monitor Virtual Switch Rules Virtual Switch Rules Ingress: Ingress: Guest HTTPS public HTTPS public VM Egress: Egress: Dynamic port to origin Dynamic port to origin SSL access MySQL internal MySQL internal Private CIDR internal Private CIDR internal Mirror: Port 22 to Traffic Monitor All attacker traffic to monitor ovs Controller Port 22 access Log SSH Port 22 access Traffic Create port mirror for attacker Monitor Attack blocked with traffic log

  25. Virtual Switches as Local Edge Protection – Quarantine Virtual Switch Rules Virtual Switch Rules Ingress: Ingress: Guest Guest HTTPS public HTTPS attacker VM VM Egress: Egress: Dynamic port to origin Dynamic port to origin SSL access Mirror: MySQL internal Port 22 to Traffic Monitor Private CIDR internal All attacker traffic to monitor ovs Controller Port 22 access Traffic Log SSH Port 22 access Monitor Create port mirror for attacker Quarantine VM for attacker use Trigger replacement VM for farm Attack quarantined with full log

  26. Containers to Limit Scope of Compromise

  27. Are Containers Production Ready?

  28. Container Deployment Models

  29. Container Use Cases Application containers MySQL Tomcat nginx • Hold a single application • Can follow micro-services, cloud native design pattern • Starting point for most container usage Kernel • Short lifespan, many per host System containers • Proxy for a VM MySQL • Insulate against core operating system Tomcat • Perfect for legacy apps nginx • Long lifespan, few per host Kernel

  30. Securing the Container Contents and Environment

  31. Trust Container Source RedHat Registry Docker Hub Third Party and Custom Problem: Who to trust, and why? • Trusted source? • Unexpected image contents • Locked application layer Docker Container Docker Container Docker Container Docker Container Docker Container Atomic Nulecule Atomic Nulecule versions (e.g. no yum update) Atomic App Atomic App • Layer dependencies Jenkins MySQL Redis (monolithic vs micro-services) • Validated when? Atomic Host

  32. Determine Who Can Launch A Container Container default is root access • RBAC/ABAC is orchestration specific Docker Datacenter • Universal Control Plane • RBAC – LDAP/AD/local users • Full/Restricted/View/None Kubernetes • Authorization modules • Admission controllers

  33. Define Sensible Container Network Policies Docker default network is Linux Bridge Access policy defined in iptables • Based on Docker daemon startup External communication on by default • -- iptables=off to disable iptables modification Inter container communication on by default • -- icc=false to disable inter container communication • -- link=CONTAINER_NAME_or_ID:ALIAS with EXPOSE ports from Docker file • All inter-container/cross host communication is external `docker network` command simplifies aspects of network design • Create user defined networks, including overlay networks • docker network create --driver bridge sql

  34. Docker Networking - Example Container Container Container Container Container Container Container Container Container Container Container Container veth2 veth5 veth2 veth5 veth0 veth1 veth3 veth4 veth0 veth1 veth3 veth4 iptables iptables NAT/ 172.16.1.0/24 NAT/ 172.16.1.0/24 docker0 docker0 Host Host eth0/10.204.136.2 eth0/10.204.136.1

  35. Kubernetes Networking - Example Container Container Container Container Container Container Container Container Container Container Container Container Pause Pause Pause Pause Pod Pod Pod Pod veth0/10.204.136.11 veth0/10.204.136.12 veth0/10.204.136.21 veth0/10.204.136.22 Kubernetes Network Kubernetes Network Host Host eth0/10.204.136.10 eth0/10.204.136.20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CompSci 514: Computer Networks Lecture 14 Datacenter Transport protocols II Xiaowei Yang

CompSci 514: Computer Networks Lecture 14 Datacenter Transport protocols II Xiaowei Yang

CompSci 514: Computer Networks Lecture 14 Datacenter Transport protocols II Xiaowei Yang Roadmap Clos topology Datacenter TCP Re-architecting datacenter networks and stacks for low latency and high performance Best Paper award,

437 views • 41 slides
Google Datacenter CS 142 Lecture Notes: Datacenters Slide 1 Datacenter Organization Single

Google Datacenter CS 142 Lecture Notes: Datacenters Slide 1 Datacenter Organization Single

Google Datacenter CS 142 Lecture Notes: Datacenters Slide 1 Datacenter Organization Single server: 8-24 cores DRAM: 16-64GB @ 100ns Disk: 2 TB @10ms Rack: 50 machines DRAM: 800-3200GB @ 300 s Disk: 100TB @

328 views • 10 slides
Datacenter Trends and Challenges 50% 2x 2x 2x 8x Application Growth Reduction in Data

Datacenter Trends and Challenges 50% 2x 2x 2x 8x Application Growth Reduction in Data

Datacenter Trends and Challenges 50% 2x 2x 2x 8x Application Growth Reduction in Data Volume Every Operational Costs Increase in Every Management & Compute Costs 18 Months Every 2 Years Administration 1 Every 2 Years 8 Years

627 views • 19 slides
Datacenter Trends and Challenges 50% 2x 2x 2x 8x Application Growth Reduction in Data

Datacenter Trends and Challenges 50% 2x 2x 2x 8x Application Growth Reduction in Data

Datacenter Trends and Challenges 50% 2x 2x 2x 8x Application Growth Reduction in Data Volume Every Operational Costs Increase in Every Management & Compute Costs 18 Months Every 2 Years Administration 1 Every 2 Years 8 Years

250 views • 11 slides
The Time-less Datacenter Paul Borrill and Alan H. Karp Earth Computing The Datacenter Resilience

The Time-less Datacenter Paul Borrill and Alan H. Karp Earth Computing The Datacenter Resilience

The Time-less Datacenter Paul Borrill and Alan H. Karp Earth Computing The Datacenter Resilience Company Stanford EE Computer Systems Colloquium Wednesday, November 16, 2016 http://ee380.stanford.edu Cloud Computing The Three Taxes: 1.

499 views • 28 slides
CompSci 514: Computer Networks Lecture 15 Practical Datacenter Networks Xiaowei Yang Overview

CompSci 514: Computer Networks Lecture 15 Practical Datacenter Networks Xiaowei Yang Overview

CompSci 514: Computer Networks Lecture 15 Practical Datacenter Networks Xiaowei Yang Overview Wrap up DCTCP analysis Today Googles datacenter networks Topology, routing, and management Inside Facebooks datacenter

525 views • 37 slides
Datacenter application interference CMPs (popular in datacenters) offer increased throughput

Datacenter application interference CMPs (popular in datacenters) offer increased throughput

Datacenter application interference CMPs (popular in datacenters) offer increased throughput and reduced power consumption They also increase resource sharing between applications, which can result in negative interference. 1 Resource

558 views • 34 slides
Day in a Life of a Datacenter Architect Kushagra Vaid

Day in a Life of a Datacenter Architect Kushagra Vaid

QPS,KW-hr,MTBF,T,PUE,IOPS,DB/RH: A Day in a Life of a Datacenter Architect Kushagra Vaid Principal Architect, Datacenter Infrastructure Microso: Online Services

830 views • 37 slides
DATACENTERS ERS DATACE CENT NTERS What is a Dataceneter? What makes up a Datacenter

DATACENTERS ERS DATACE CENT NTERS What is a Dataceneter? What makes up a Datacenter

DATACENTERS ERS DATACE CENT NTERS What is a Dataceneter? What makes up a Datacenter (Processing, storage, networking, infrastructure)? What is searched in a Datacenter (High availability, efficiency, security)? R? WH WHAT IS A T

708 views • 68 slides
Life lessons and datacenter performance analysis Dan Ardelean Amer Diwan Rick Hank Christian

Life lessons and datacenter performance analysis Dan Ardelean Amer Diwan Rick Hank Christian

Life lessons and datacenter performance analysis Dan Ardelean Amer Diwan Rick Hank Christian Kurmann Balaji Raghavan Matt Seegmiller The need to solve performance crimes Performance crimes are anything that unnecessarily increase

529 views • 42 slides
Incentivizing Self-Capping to Increase Cloud Utilization Mohammad Shahrad Cristian Klein

Incentivizing Self-Capping to Increase Cloud Utilization Mohammad Shahrad Cristian Klein

Incentivizing Self-Capping to Increase Cloud Utilization Mohammad Shahrad Cristian Klein Liang Zheng Mung Chiang Erik Elmroth David Wentzlaff September 25, 2017 Installment cost of a datacenter ~$100M [1] Google Traces

244 views • 20 slides
THE DATACENTER NEEDS AN OPERATING SYSTEM MATEI ZAHARIA, BENJAMIN HINDMAN, ANDY KONWINSKI, ALI

THE DATACENTER NEEDS AN OPERATING SYSTEM MATEI ZAHARIA, BENJAMIN HINDMAN, ANDY KONWINSKI, ALI

THE DATACENTER NEEDS AN OPERATING SYSTEM MATEI ZAHARIA, BENJAMIN HINDMAN, ANDY KONWINSKI, ALI GHODSI, ANTHONY JOSEPH, RANDY KATZ, SCOTT SHENKER, ION STOICA UC BERKELEY THE DATACENTER IS THE NEW COMPUTER Running todays most popular

182 views • 14 slides
AC DC TCP: Virtual Congestion Control Enforcement for Datacenter Networks Ke Keqiang He He ,

AC DC TCP: Virtual Congestion Control Enforcement for Datacenter Networks Ke Keqiang He He ,

AC DC TCP: Virtual Congestion Control Enforcement for Datacenter Networks Ke Keqiang He He , Eric Rozner, Kanak Agarwal, Yu Gu, Wes Felter, John Carter, Aditya Akella 1 Datacenter Network Congestion Control Congestion is not rare in

560 views • 34 slides
GautamAltekar and Ion Stoica University of California, Berkeley Debugging datacenter software is

GautamAltekar and Ion Stoica University of California, Berkeley Debugging datacenter software is

GautamAltekar and Ion Stoica University of California, Berkeley Debugging datacenter software is really hard Datacenter software? Hard? Non-determinism Large-scale, Cant reproduce data-intensive, failures distributed apps

539 views • 29 slides
Fastpass A Centralized Zero-Queue Datacenter Network Jonathan Perry Amy Ousterhout Hari

Fastpass A Centralized Zero-Queue Datacenter Network Jonathan Perry Amy Ousterhout Hari

Fastpass A Centralized Zero-Queue Datacenter Network Jonathan Perry Amy Ousterhout Hari Balakrishnan Devavrat Shah Hans Fugal Ideal datacenter network properties No current design satisfies all these properties simultaneously Scaling

352 views • 21 slides
FireFly: A Reconfigurable Wireless Datacenter Fabric using Free-Space Optics Navid Hamedazimi,

FireFly: A Reconfigurable Wireless Datacenter Fabric using Free-Space Optics Navid Hamedazimi,

FireFly: A Reconfigurable Wireless Datacenter Fabric using Free-Space Optics Navid Hamedazimi, Zafar Qazi, Himanshu Gupta, Vyas Sekar, Samir Das, Jon Longtin, Himanshu Shah, Ashish Tanwer ACM SIGCOMM 2014 Datacenter network design is hard!

568 views • 30 slides
How to Speak A, B and C A is for Audience B is for Body Language Power Power Power C

How to Speak A, B and C A is for Audience B is for Body Language Power Power Power C

How to Speak A, B and C A is for Audience B is for Body Language Power Power Power C is for Connection S-O-F-T-E-N S: is for Smile O: Is for Open Posture F is for Facial Expression T: is for Tone E: is for Eye Contact N: is for Nodding

449 views • 16 slides
Parkinson's Gait: Global Efficacy of DBS and Pharma Therapy Thursday September 19 th , 2013

Parkinson's Gait: Global Efficacy of DBS and Pharma Therapy Thursday September 19 th , 2013

Parkinson's Gait: Global Efficacy of DBS and Pharma Therapy Thursday September 19 th , 2013 Starts at 12:00 PM EST Presented by Elizabeth Brokaw, PhD Outline Parkinsons Gait Quantifying Impairment Kinesia Discrete: Tasks

588 views • 29 slides
Motion Capture for full-body interaction 1. Background on full-body motion capture Example

Motion Capture for full-body interaction 1. Background on full-body motion capture Example

Virtual Reality Motion Capture for full-body interaction 1. Background on full-body motion capture Example of a film production Example of real-time interaction 2. Posture reconstruction 3. Collision avoidance Th8.1 1. Background on

332 views • 32 slides
Assentication: User De-Authentication and Lunch Time Attack Mitigation with Seated Posture

Assentication: User De-Authentication and Lunch Time Attack Mitigation with Seated Posture

5/25/2019 Assentication: User De-Authentication and Lunch Time Attack Mitigation with Seated Posture Biometric University of California, Irvine Tyler Kaczmarek , Ercan Ozturk, Gene Tsudik { tkaczmar , ercano, gtsudik}@uci.edu 1 Overview

588 views • 15 slides
Just in Time Delivery: A Public Speaking Manual Based on the work of Grace Giorgio and the JIT

Just in Time Delivery: A Public Speaking Manual Based on the work of Grace Giorgio and the JIT

Just in Time Delivery: A Public Speaking Manual Based on the work of Grace Giorgio and the JIT SIIP Funded by AE3 Organization Why does public speaking matter? Delivery of an oral presentation. Vocal elements of delivery.

430 views • 26 slides
ET-805 Modeling Learners Emotions Ramkumar.Rajendran@iitb.ac.in Activity - TPS An ITS

ET-805 Modeling Learners Emotions Ramkumar.Rajendran@iitb.ac.in Activity - TPS An ITS

ET-805 Modeling Learners Emotions Ramkumar.Rajendran@iitb.ac.in Activity - TPS An ITS adapts the learning content/feedback based on learners performance and preferences. Think individually and write down two most important preferences

460 views • 26 slides
What make a Virtual Human Alive ? 1. Avatar & Autonomous Virtual Humans 2. The complexity of

What make a Virtual Human Alive ? 1. Avatar & Autonomous Virtual Humans 2. The complexity of

Virtual Reality What make a Virtual Human Alive ? 1. Avatar & Autonomous Virtual Humans 2. The complexity of expressive movements 3. From artificial to real: the uncanny valley 4. Motion capture is part of the solution (film) 5. Perception

496 views • 30 slides
Time-optimal time scaling Chapter 9 Introduction to Robotics: Mechanics, Planning, and Control

Time-optimal time scaling Chapter 9 Introduction to Robotics: Mechanics, Planning, and Control

Time-optimal time scaling Chapter 9 Introduction to Robotics: Mechanics, Planning, and Control Frank Park and Kevin Lynch Time-optimal time scaling of a path Dynamics constrained to a path Actuator torque/force limits Acceleration limits

431 views • 15 slides

More recommend