Friday Jun 14, 2013

Public Cloud Security Anti Spoofing Protection

This past week (9-Jun-2013) Oracle ISV Engineering participated in the IGT cloud meetup, the largest cloud community in Israel with 4,000 registered members.
During the meetup, ISV Engineering presented two presentations: 

Introduction to Oracle Cloud Infrastructure presented by Frederic Pariente
Use case : Cloud Security Design and Implementation presented by me 
In addition, there was a partner presentation from ECI Telecom
Using Oracle Solaris11 Technologies for Building ECI R&D and Product Private Clouds presented by Mark Markman from ECI Telecom 
The Solaris 11 feature that received the most attention from the audience was the new Solaris 11 network virtualization technology.
The Solaris 11 network virtualization allows us to build any physical network topology inside the Solaris operating system including virtual network cards (VNICs), virtual switches (vSwitch), and more sophisticated network components (e.g. load balancers, routers and fire-walls).
The benefits for using this technology are in reducing infrastructure cost since there is no need to invest in superfluous network equipment. In addition the infrastructure deployment is much faster, since all the network building blocks are based on software and not in hardware. 
One of the key features of this network virtualization technology is the Data Link Protection. With this capability we can provide the flexibility that our partners need in a cloud environment and allow them root account access from inside the Solaris zone. Although we disabled their ability to create spoofing attack  by sending outgoing packets with a different source IP or MAC address and packets which aren't types of IPv4, IPv6, and ARP.

The following example demonstrates how to enable this feature:
Create the virtual VNIC (in a further step, we will associate this VNIC with the Solaris zone):

# dladm create-vnic -l net0 vnic0

Setup the Solaris zone:
# zonecfg -z secure-zone
Use 'create' to begin configuring a new zone:
zonecfg:secure-zone> create
create: Using system default template 'SYSdefault'
zonecfg:secure-zone> set zonepath=/zones/secure-zone
zonecfg:secure-zone> add net
zonecfg:secure-zone:net> set physical=vnic0
zonecfg:secure-zone:net> end
zonecfg:secure-zone> verify
zonecfg:secure-zone> commit
zonecfg:secure-zone> exit

Install the zone:
# zoneadm -z secure-zone install
Boot the zone: # zoneadm -z secure-zone boot
Log In to the zone:
# zlogin -C secure-zone

NOTE - During the zone setup select the vnic0 network interface and assign the 10.0.0.1 IP address.

From the global zone enable link protection on vnic0:

We can set different modes: ip-nospoof, dhcp-nospoof, mac-nospoof and restricted.
ip-nospoof:
Any outgoing IP, ARP, or NDP packet must have an address field that matches either a DHCP-configured IP address or one of the addresses listed in the allowed-ips link property.
mac-nospoof: prevents the root user from changing the zone mac address. An outbound packet's source MAC address must match the datalink's configured MAC address.
dhcp-nospoof: prevents Client ID/DUID spoofing for DHCP.
restricted:
only allows IPv4, IPv6 and ARP protocols. Using this protection type prevents the link from generating potentially harmful L2 control frames.

# dladm set-linkprop -p protection=mac-nospoof,restricted,ip-nospoof vnic0

Specify the 10.0.0.1 IP address as values for the allowed-ips property for the vnic0 link:

# dladm set-linkprop -p allowed-ips=10.0.0.1 vnic0

Verify the link protection property values:
# dladm show-linkprop -p protection,allowed-ips vnic0

LINK PROPERTY PERM VALUE DEFAULT POSSIBLE
vnic0 protection rw mac-nospoof, -- mac-nospoof,
restricted, restricted,
ip-nospoof ip-nospoof,
dhcp-nospoof
vnic0 allowed-ips rw 10.0.0.1 -- --

We can see that 10.0.0.1 is set as allowed ip address.

Log In to the zone

# zlogin secure-zone

After we login into the zone let's try to change the zone's ip address:

root@secure-zone:~# ifconfig vnic0 10.0.0.2
ifconfig:could not create address: Permission denied

As we can see we can't change the zone's ip address!

Optional - disable the link protection from the global zone:

# dladm reset-linkprop -p protection,allowed-ips vnic0

NOTE - we don't need to reboot the zone in order to disable this property.

Verify the change

# dladm show-linkprop -p protection,allowed-ips vnic0 LINK PROPERTY PERM VALUE DEFAULT POSSIBLE
vnic0 protection rw -- -- mac-nospoof,
restricted,
ip-nospoof,
dhcp-nospoof
vnic0 allowed-ips rw -- -- --

As we can see we don't have restriction on the allowed-ips property.

Conclusion In this blog I demonstrated how we can leverage the Solaris 11 Data link protection in order to prevent spoofing attacks.

Monday May 20, 2013

How To Protect Public Cloud Using Solaris 11 Technologies

When we meet with our partners, we often ask them, “ What are their main security challenges for public cloud infrastructure.? What worries them in this regard?”
This is what we've gathered from our partners regarding the security challenges:

1.    Protect data at rest in transit and in use using encryption
2.    Prevent denial of service attacks against their infrastructure
3.    Segregate network traffic between different cloud users
4.    Disable hostile code (e.g.’ rootkit’ attacks)
5.    Minimize operating system attack surface
6.    Secure data deletions once we have done with our project
7.    Enable strong authorization and authentication for non secure protocols

Based on these guidelines, we began to design our Oracle Developer Cloud. Our vision was to leverage Solaris 11 technologies in order to meet those security requirements.


First - Our partners would like to encrypt everything from disk up the layers to the application without the performance overhead which is usually associated with this type of technology.
The SPARC T4 (and lately the SPARC T5) integrated cryptographic accelerator allow us to encrypt data using ZFS encryption capability.
We can encrypt all the network traffic using SSL from the client connection to the cloud main portal using the Secure Global Desktop (SGD) technology and also encrypt the network traffic between the application tier to the database tier. In addition to that we can protect our Database tables using Oracle Transparent Data Encryption (TDE).
During our performance tests we saw that the performance impact was very low (less than 5%) when we enabled those encryption technologies.
The following example shows how we created an encrypted file system

# zfs create -o encryption=on rpool/zfs_file_system

Enter passphrase for 'rpool/zfs_file_system':
Enter again:

NOTE - In the above example, we used a passphrase that is interactively requested but we can use SSL or a key repository.
Second  - How we can mitigate denial of service attacks?
The new Solaris 11 network virtualization technology allow us to apply virtualization technologies to  our network by splitting the physical network card into multiple virtual network ‘cards’. in addition, it provides the capability to setup flow which is sophisticated quality of service mechanism.
Flows allow us to limit the network bandwidth for a specific network port on specific network interface.

In the following example we limit the SSL traffic to 100Mb on the vnic0 network interface

# dladm create-vnic vnic0 –l net0
# flowadm add-flow -l vnic0 -a transport=TCP,local_port=443 https-flow
# flowadm set-flowprop -p maxbw=100M https-flow


During any (Denial of Service) DOS attack against this web server, we can minimize the impact on the rest of the infrastructure.
Third -  How can we isolate network traffic between different tenants of the public cloud?
The new Solaris 11 network technology allow us to segregate the network traffic on multiple layers.

For example we can limit the network traffic based on the layer two using VLANs

# dladm create-vnic -l net0  -v 2 vnic1

Also we can be implement firewall rules for layer three separations using the Solaris 11 built-in firewall software.
For an example of Solaris 11 firewall see
In addition to the firewall software, Solaris 11 has built-in load balancer and routing software. In a cloud based environment it means that new functionality can be added promptly since we don't need an extra hardware in order to implement those extra functions.

Fourth - Rootkits have become a serious threat is allowing the insertion of hostile code using custom kernel modules.
The Solaris Zones technology prevents loading or unloading kernel modules (since local zones lack the sys_config privilege).
This way we can limit the attack surface and prevent this type of attack.

In the following example we can see that even the root user is unable to load custom kernel module inside a Solaris zone

# ppriv -De modload -p /tmp/systrace

modload[21174]: missing privilege "ALL" (euid = 0, syscall = 152) needed at modctl+0x52
Insufficient privileges to load a module

Fifth - the Solaris immutable zones technology allows us to minimize the operating system attack surface
For example: disable the ability to install new IPS packages and modify file systems like /etc
We can setup Solaris immutable zones using the zonecfg command.

# zonecfg -z secure-zone
Use 'create' to begin configuring a new zone.
zonecfg:secure-zone> create
create: Using system default template 'SYSdefault'
zonecfg:secure-zone> set zonepath=/zones/secure-zone
zonecfg:secure-zone> set file-mac-profile=fixed-configuration
zonecfg:secure-zone> commit
zonecfg:secure-zone> exit

# zoneadm -z secure-zone install

We can combine the ZFS encryption and immutable zones for more examples see:

Sixth - The main challenge of building secure BIG Data solution is the lack of built-in security mechanism for authorization and authentication.
The Integrated Solaris Kerberos allows us to enable strong authorization and authentication for non-secure by default distributed systems like Apache Hadoop.

The following example demonstrates how easy it is to install and setup Kerberos infrastructure on Solaris 11

# pkg install pkg://solaris/system/security/kerberos-5
# kdcmgr -a kws/admin -r EXAMPLE.COM create master


Finally - our partners want to assure that when the projects are finished and complete, all the data is erased without the ability to recover this data by looking at the disk blocks directly bypassing the file system layer.
ZFS assured delete feature allows us to implement this kind of secure deletion.
The following example shows how we can change the ZFS wrapping key to a random data (output of /dev/random) then we unmount the file system and finally destroy it.

# zfs key -c -o  keysource=raw,file:///dev/random rpool/zfs_file_system
# zfs key -u rpool/zfs_file_system
# zfs destroy rpool/zfs_file_system


Conclusion
In this blog entry, I covered how we can leverage the SPARC T4/T5 and the Solaris 11 features in order to build secure cloud infrastructure. Those technologies allow us to build highly protected environments without  the need to invest extra budget on special hardware. They also  allow us to protect our data and network traffic from various threats.
If you would like to hear more about those technologies, please join us at the next IGT cloud meet-up

Wednesday Jan 28, 2009

xVM public API

There are two ways of accessing the public API, the simplest is by writing a Java client using JMX, or alternatively for non-Java client programs using Web Services for Management (WS-MAN, JSR-262).

 



This example demonstrates the usage of the direct access to the read-only copy of the domain model. This example can be run against both Sun xVM Server or Sun xVM Ops Center.


This example performs the following functions:



  • Configures the connection

  • Performs security settings

  • Opens the connection (locally or remotely)

  • Queries the domain model for all the OperatingSystems objects and displays the value of their Hosts name

  • Closes the connection


 



ServerClient.java

/\*\*
\* Copyright 2006 Sun Microsystems, Inc. All rights reserved.
\* SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
\*/
import com.sun.hss.type.os.OperatingSystem;
import com.sun.hss.type.server.Server;
import com.sun.hss.type.virtserver.VirtServerContainer;
import com.sun.hss.type.virtserver.VirtServerOperatingSystem;
import com.sun.hss.type.xvmserver.XVMApplianceDetails;
import com.sun.hss.type.xvmserver.XVMServer;
import java.util.HashMap;
import java.util.Map;

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.X509TrustManager;
import javax.net.ssl.TrustManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.management.ObjectName;
import com.sun.xvm.services.guest.GuestServiceMXBean;
import com.sun.xvm.services.xvmserver.XVMServerServiceMXBean;
import com.sun.xvm.services.guest.GuestDetails;

public class ServerClient {

static private JMXConnector connector = null;
static private MBeanServerConnection mbsc = null;
static private String hostname = null;

/\*\*
\* Simple SocketFactory that uses a trust manager that ALWAYS
\* accept the certificate provided by the server we try to connect to.
\*
\* This is unsafe and should NOT be used for production code.
\*/
private static SSLSocketFactory getSocketFactory() {
X509TrustManager tm = new AnyServerX509TrustManager();
TrustManager[] tms = {tm};

try {
SSLContext sslc = SSLContext.getInstance("TLSv1");
sslc.init(null, tms, null);

SSLSocketFactory factory = sslc.getSocketFactory();

return factory;
} catch (Exception ex) {

return null;
}
}

/\*\*
\* Small trustmanager that ALWAYS accepts the certificate provided
\* by the server we try to connect to.
\*
\* This is unsafe and should NOT be used for production code.
\*/
public static class AnyServerX509TrustManager implements X509TrustManager {
// Documented in X509TrustManager

public X509Certificate[] getAcceptedIssuers() {
// since client authentication is not supported by this
// trust manager, there's no certicate authority trusted
// for authenticating peers
return new X509Certificate[0];
}

// Documented in X509TrustManager
public void checkClientTrusted(X509Certificate[] certs, String authType)
throws CertificateException {
// this trust manager is dedicated to server authentication
throw new CertificateException("not supported");
}

// Documented in X509TrustManager
public void checkServerTrusted(X509Certificate[] certs, String authType)
throws CertificateException {
// any certificate sent by the server is automatically accepted
return;
}
}

/\*\*
\* Create a WSMAN connection using the given credentials
\*
\* @param host
\* @param userName
\* @param userPass
\* @return MBeanServerConnection
\*/
private static void setupConnection(String host, String user, String pass)
throws Exception {
try {
int port = 443;

String urlPath = "/wsman/ea/jmxws";

Map env = new HashMap();

// credentials for basic authentication with the server
String[] creds = new String[2];
creds[0] = user;
creds[1] = pass;

env.put(JMXConnector.CREDENTIALS, creds);

// provide a specific socket factory to avoid the need to setup
// a truststore
env.put("com.sun.xml.ws.transport.https.client.SSLSocketFactory",
getSocketFactory());

// Create JMX Agent URL over https
JMXServiceURL url = new JMXServiceURL("ws-secure", host, port, urlPath);

// System.out.println("WSMAN client opening a connection with url " + url.toString());

// Connect the JMXConnector
connector = JMXConnectorFactory.connect(url, env);

// Get the MBeanServerConnection
mbsc = connector.getMBeanServerConnection();

} catch (Exception ex) {
System.out.println("Got an exception while trying to open a WSMAN connection : " + ex.toString());
throw ex;
}
}

public static void main(String[] args) {
if ((args.length == 0) || (args.length > 3)) {
System.err.println("Usage: user password [target]");
System.exit(1);
}

String userName = args[0];
String userPass = args[1];

hostname = "localhost";

if (args.length == 3) {
hostname = args[2];
}

try {
// Open the WSMAN connection and get the MBeanServerConnection
setupConnection(hostname, userName, userPass);

// get details on these xVM servers
serverService();

} catch (Exception ex) {

System.out.println("WSMAN client error : " + ex.toString());
ex.printStackTrace();
System.exit(1);

} finally {
// close connection if necessary
if (connector != null) {
try {
connector.close();
} catch (Exception dc) {
}

}
}
}

private static void serverService() throws Exception {

try {
XVMServerServiceMXBean xssmxb = ServerClientServices.getXVMServerService(mbsc, false);

// get the list of xVM servers
ObjectName[] servers = xssmxb.getXVMApplianceDetailsObjectNames(null, null);

if ((servers == null) || (servers.length == 0)) {
System.out.println("No xVM server detected on " + hostname);
return;
}

GuestServiceMXBean guestmxb = ServerClientServices.getGuestService(mbsc, false);

// get details on these xVM servers
for (int i = 0; i < servers.length; i++) {

XVMApplianceDetails details = xssmxb.getXVMApplianceDetails(servers[i]);

if (details != null) {
OperatingSystem os = details.getOperatingsystem();

Server svr = details.getServer();

VirtServerContainer vsc = details.getVirtservercontainer();

XVMServer xsvr = details.getXvmserver();

if (xsvr != null) {
System.out.println("xVM Server name = " + xsvr.getApplianceName());
}

}

// get guests on this xVM server
ObjectName[] guests = guestmxb.getGuestObjectNames(servers[i], null, null);

Java.util.Map<java.lang.String, Java.util.Set<java.lang.string>> map = null;
GuestDetails guestDetails[] = guestmxb.getGuestDetails(guests, map);

String s = guests[0].getCanonicalName();

if ((guests == null) || (guests.length == 0)) {
System.out.println("No guest on this xVM server");
}
if (guestDetails != null) {
for (int k = 0; k < guestDetails.length; k++) {
VirtServerOperatingSystem virt = guestDetails[k].getVirtServerOperatingSystem();
System.out.println("guest hostname is " + k + ": " + virt.getHostname());

}
}
}
} catch (Exception ex) {
System.err.println("Got Exception while testing the xVM server service : " + ex.toString());
throw ex;
}

}
}


ServerClientServices.java

public class ServerClientServices
{
   /\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*
    \* getCacheManagerService
    \*
    \* @param mbsc
    \* @return CacheManagerMXBean
    \* @throws java.lang.Exception
    \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*/
   public static CacheManagerMXBean getCacheManagerService(MBeanServerConnection mbsc, boolean verbose)
          throws Exception
   {
       CacheManagerMXBean cmmxb = null;

       try {
           // build the objectname to access the service
           ObjectName cmson = new ObjectName(CacheManagerMXBean.DOMAIN +
                                             ":type=" + CacheManagerMXBean.TYPE);

           // verify that the service is currently deployed
           if (!mbsc.isRegistered(cmson)) {
               System.out.println("Cache Manager service is not registered : aborting");
               throw new Exception("MXBean for Cache Manager service not registered");
           }

           // create a proxy to access the service
           cmmxb = JMX.newMXBeanProxy(mbsc,
                                      cmson,
                                      CacheManagerMXBean.class,
                                      false);

           if (verbose) {
               System.out.println("Proxy for Cache Manager service : OK");
           }
           return cmmxb;

       } catch (Exception ex) {
           System.err.println("Got Exception while creating the Cache Manager service proxy : " + ex.toString());
           ex.printStackTrace();
           throw ex;
       }
   }

About

This blog covers cloud computing, big data and virtualization technologies

Search

Categories
Archives
« July 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
  
       
Today