Openstack Security Guide April 26, 2014 Current
Total Page:16
File Type:pdf, Size:1020Kb
OpenStack Security Guide April 26, 2014 current OpenStack Security Guide current (2014-04-26) Copyright © 2013 OpenStack Foundation Some rights reserved. This book provides best practices and conceptual information about securing an OpenStack cloud. Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. http://creativecommons.org/licenses/by/3.0/legalcode i TM OpenStack Security Guide April 26, 2014 current Table of Contents Preface ................................................................................................ 11 Conventions ................................................................................. 11 Document change history ............................................................ 11 1. Acknowledgments ............................................................................. 1 2. Why and how we wrote this book ..................................................... 3 Objectives ...................................................................................... 3 How .............................................................................................. 3 How to contribute to this book ..................................................... 7 3. Introduction to OpenStack ................................................................. 9 Cloud types ................................................................................... 9 OpenStack service overview ......................................................... 11 4. Security Boundaries and Threats ....................................................... 15 Security Domains ......................................................................... 15 Bridging Security Domains ............................................................ 17 Threat Classification, Actors and Attack Vectors ............................ 19 5. Introduction to Case Studies ............................................................ 25 Case Study : Alice the private cloud builder ................................... 25 Case Study : Bob the public cloud provider ................................... 25 6. System Documentation Requirements .............................................. 27 System Roles & Types ................................................................... 27 System Inventory ......................................................................... 27 Network Topology ....................................................................... 28 Services, Protocols and Ports ........................................................ 28 7. Case Studies: System Documentation ................................................ 31 Alice's Private Cloud ..................................................................... 31 Bob's Public Cloud ........................................................................ 31 8. Management Introduction ............................................................... 33 9. Continuous Systems Management .................................................... 35 Vulnerability Management ........................................................... 35 Configuration Management ......................................................... 37 Secure Backup and Recovery ........................................................ 38 Security Auditing Tools ................................................................ 39 10. Integrity Life-cycle .......................................................................... 41 Secure Bootstrapping ................................................................... 41 Runtime Verification .................................................................... 45 11. Management Interfaces ................................................................. 49 Dashboard ................................................................................... 49 OpenStack API ............................................................................. 50 Secure Shell (SSH) ........................................................................ 51 Management Utilities ................................................................... 52 Out-of-Band Management Interface ............................................. 52 iii OpenStack Security Guide April 26, 2014 current 12. Case Studies: Management Interfaces ............................................. 55 Alice's Private Cloud ..................................................................... 55 Bob's Public Cloud ........................................................................ 56 13. Introduction to SSL/TLS .................................................................. 57 Certification Authorities ............................................................... 58 SSL/TLS Libraries .......................................................................... 59 Cryptographic Algorithms, Cipher Modes, and Protocols ............... 59 Summary ..................................................................................... 59 14. Case Studies: PKI and Certificate Management ............................... 61 Alice's Private Cloud ..................................................................... 61 Bob's Public Cloud ........................................................................ 61 15. SSL Proxies and HTTP Services ........................................................ 63 Examples ..................................................................................... 63 nginx ........................................................................................... 67 HTTP Strict Transport Security ...................................................... 68 16. API Endpoint Configuration Recommendations ............................... 71 Internal API Communications ....................................................... 71 Paste and Middleware ................................................................. 72 API Endpoint Process Isolation & Policy ........................................ 73 17. Case Studies: API Endpoints ........................................................... 75 Alice's Private Cloud ..................................................................... 75 Bob's Public Cloud ........................................................................ 75 18. Identity .......................................................................................... 77 Authentication ............................................................................. 77 Authentication Methods .............................................................. 78 Authorization ............................................................................... 80 Policies ......................................................................................... 81 Tokens ......................................................................................... 83 Future .......................................................................................... 84 19. Dashboard ..................................................................................... 85 Basic Web Server Configuration ................................................... 85 HTTPS .......................................................................................... 86 HTTP Strict Transport Security (HSTS) ........................................... 86 Front end Caching ....................................................................... 86 Domain Names ............................................................................ 86 Static Media ................................................................................. 87 Secret Key .................................................................................... 88 Session Backend ........................................................................... 88 Allowed Hosts .............................................................................. 88 Cookies ........................................................................................ 89 Password Auto Complete ............................................................. 89 Cross Site Request Forgery (CSRF) ................................................ 89 Cross Site Scripting (XSS) .............................................................. 89 iv OpenStack Security Guide April 26, 2014 current Cross Origin Resource Sharing (CORS) .......................................... 90 Horizon Image Upload ................................................................. 90 Upgrading ................................................................................... 90 Debug .......................................................................................... 90 20. Compute ........................................................................................ 91 Virtual Console Selection .............................................................. 91 21. Object Storage ............................................................................... 95 First thing to secure – the network .............................................. 96 Securing services – general ........................................................... 98 Securing storage services .............................................................. 99 Securing proxy services ............................................................... 100 Object storage authentication .................................................... 102 Other notable items ..................................................................