Defensive techniques

The techniques described in this chapter are organized around STRIDE, since the subject, Mirantis OpenStack, is a software product. Each threat class is paired with the security property it violates, the mitigation techniques that address it, and the recommended tools. Table 1 maps the STRIDE threat classes to mitigations; Table 2 does the same for cloud-specific threats and annotates each threat and mitigation with the STRIDE classes it involves.

Table 1: Mitigating STRIDE threats

Spoofing
  Violates:   Authentication
  Mitigation: PKI: TLS and certificates, digital signatures
  Tools:      Secrets manager (Barbican)

Tampering
  Violates:   Integrity
  Mitigation: MAC/RBAC, digital signatures
  Tools:      SELinux, AppArmor, grsecurity, Identity Federation, secrets manager (Barbican)

Repudiation
  Violates:   Non-repudiation
  Mitigation: Secure logging and auditing, digital signatures
  Tools:      LMA toolchain, Keystone CADF events

Information disclosure
  Violates:   Confidentiality
  Mitigation: Encryption, MAC/RBAC
  Tools:      Volume encryption, ephemeral disk encryption in LVM format, object encryption, secrets manager (Barbican), SELinux, AppArmor, grsecurity

Denial of Service (DoS)
  Violates:   Availability
  Mitigation: ACLs, filtering, quotas, geo distribution
  Tools:      Firewall (layer 3, 4, 7), load balancer, DDoS protection, availability zones in OpenStack

Elevation of Privilege (EoP)
  Violates:   Authorization
  Mitigation: MAC/RBAC, group or role membership, privilege ownership, input validation
  Tools:      SELinux, AppArmor, grsecurity, Identity Federation, DMZ
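The Repudiation row above names Keystone CADF events as the audit trail, and the brute-force protection called for against co-tenants and against tenants attacking the provider in Table 2 below is only as good as the analysis run over that trail. The following is an added example, not code from this page or from Mirantis OpenStack: it builds a handful of constructed identity.authenticate events in the CADF layout Keystone emits (typeURI, action, outcome, eventTime, initiator.host.address, target.id) and flags any source address that accumulates a burst of failures inside a sliding window, noting whether a success followed the burst. The threshold, window, addresses and account names are assumptions made for the example.

```python
"""Detect password-guessing against Keystone from its CADF audit events.

Added example, not code from the original page or from Mirantis OpenStack.
Keystone emits a CADF "identity.authenticate" event for every
authentication attempt with outcome "success" or "failure"; the event
layout below follows that format, but every event here is constructed
sample data, and the threshold and window are assumed policy values.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 5                  # assumed policy: failures from one source ...
WINDOW = timedelta(minutes=5)  # ... within this sliding window


def cadf_auth_event(when, outcome, address, user):
    """Build one CADF authenticate event in the shape Keystone emits."""
    return {
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
        "eventType": "activity",
        "action": "authenticate",
        "outcome": outcome,
        "eventTime": when.strftime("%Y-%m-%dT%H:%M:%S.%f%z"),
        "initiator": {"typeURI": "service/security/account/user",
                      "host": {"address": address}},
        "target": {"typeURI": "service/security/account/user", "id": user},
        "observer": {"typeURI": "service/security", "id": "keystone"},
    }


T0 = datetime(2016, 3, 9, 13, 0, 0, tzinfo=timezone.utc)

# Constructed sample audit trail:
#  - 203.0.113.7 hammers two accounts and finally gets in (must be flagged)
#  - 10.0.0.5 mistypes once, then succeeds (a normal user)
#  - 198.51.100.9 fails six times but ten minutes apart (never fills the window)
SAMPLE_EVENTS = (
    [cadf_auth_event(T0 + timedelta(seconds=20 * i), "failure", "203.0.113.7",
                     "alice" if i % 2 == 0 else "bob") for i in range(6)]
    + [cadf_auth_event(T0 + timedelta(seconds=130), "success", "203.0.113.7", "alice")]
    + [cadf_auth_event(T0 + timedelta(seconds=10), "failure", "10.0.0.5", "carol"),
       cadf_auth_event(T0 + timedelta(seconds=30), "success", "10.0.0.5", "carol")]
    + [cadf_auth_event(T0 + timedelta(minutes=10 * i), "failure", "198.51.100.9", "dave")
       for i in range(6)]
)


def parse_event_time(text):
    """Keystone writes eventTime as e.g. 2016-03-09T13:00:00.000000+0000."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f%z")


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source address that accumulates `threshold`
    failed authentications inside any interval of length `window`."""
    by_source = defaultdict(list)
    for ev in events:
        if ev.get("action") != "authenticate":
            continue
        address = ev.get("initiator", {}).get("host", {}).get("address", "unknown")
        by_source[address].append((parse_event_time(ev["eventTime"]),
                                   ev.get("outcome"),
                                   ev.get("target", {}).get("id")))

    alerts = []
    for address, attempts in by_source.items():
        attempts.sort(key=lambda a: a[0])
        failures = [t for t, outcome, _ in attempts if outcome == "failure"]
        peak, start = 0, 0
        for end in range(len(failures)):          # sliding window over sorted failures
            while failures[end] - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_failure = failures[-1]
        alerts.append({
            "source": address,
            "failures": len(failures),
            "peak_in_window": peak,
            "targets": sorted({u for _, o, u in attempts if o == "failure" and u}),
            # a success after the burst means a password was guessed: treat as compromise
            "succeeded_after": any(o == "success" and t > last_failure
                                   for t, o, _ in attempts),
        })
    return sorted(alerts, key=lambda a: a["source"])


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Only the fast source is flagged with the default window; the slow one (six failures spread over an hour) is invisible until the window is widened, which is the usual trade-off between catching low-and-slow guessing and paging on ordinary typos. The same events also serve the non-repudiation goal: because Keystone records the target account and the source address for every attempt, the "succeeded_after" flag points directly at the account whose password must be rotated.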
Table 2: Mitigating cloud-specific threats

Insider threats (information disclosure, spoofing)
  Violates:   Cloud tenant security and privacy
  Mitigation: Contractual controls; MAC/RBAC; data encryption (information disclosure); isolating the management network from tenant networks (information disclosure, spoofing); inspecting outgoing traffic (information disclosure)
  Tools:      SELinux, AppArmor, grsecurity, volume encryption, ephemeral disk encryption in LVM format, object encryption, secrets manager (Barbican), DLP

Co-tenant threats (spoofing, EoP, DoS, information disclosure, repudiation)
  Violates:   Cloud tenant security and privacy
  Mitigation: East-west traffic inspection to detect anomalies and restrict application-layer protocols (EoP, information disclosure); brute-force protection (EoP); cloud separation using host aggregates and availability zones so that VMs of different security levels never share a compute node (EoP, information disclosure, DoS)
  Tools:      WAF, IDPS, MOS brute-force protection, trusted computing pool based on Intel TXT, host aggregates and availability zones in OpenStack Compute

Tenants attacking the provider: escaping from a VM to reach the management interface or network (EoP); using another tenant's stolen credentials (EoP, spoofing, repudiation); brute-force and dictionary attacks (EoP); resource exhaustion (DoS)
  Violates:   Cloud provider security and privacy
  Mitigation: Brute-force protection (EoP); limiting access to admin interfaces (EoP); changing default passwords (EoP); monitoring and anomaly detection in the management and tenant networks (EoP, information disclosure); disabling indexing by search engines (information disclosure); logging (repudiation)
  Tools:      WAF, IDPS, LMA toolchain, brute-force protection

NFV threats: theft of intellectual property in VNFs (information disclosure); altering of VNF images (tampering); network traffic loops (DoS); exhausting resources of the virtualisation infrastructure (DoS); a VM reaching another VM's memory through a directly assigned device when IOMMU isolation is shared or bypassed (EoP); a cloned VNF image may contain confidential information (information disclosure); diagnostic interfaces enabled in a VNF for remote support can be exploited by attackers
  Violates:   Cloud provider and tenant security and privacy
  Mitigation: Protecting the proprietary code in VNFs; integrity verification for VNF images; detecting loops during topology validation or when forwarding messages; monitoring for degraded performance and anomalies in resource allocation; IOMMU-based isolation of directly assigned devices as specified by the SR-IOV standard; secure key management with a unique key pair for every cloned image and operator-controlled certification authorities (CAs) for internal services; authorization controls on VNF maintenance operations
  Tools:      LMA toolchain, SELinux, AppArmor, grsecurity, secrets manager (Barbican)

Outsider threats: targeted attacks (EoP); DDoS; human-related threats such as insider access and social engineering (spoofing, EoP); third-party access (information disclosure); MITM (information disclosure); DoS attacks against BGP peers exposed to the Internet
  Violates:   Cloud provider and tenant security and privacy
  Mitigation: DMZ (EoP); increasing staff security awareness (spoofing, EoP); BGP peer filtering (information disclosure, EoP)
  Tools:      Firewall (layer 3, 4, 7), load balancer, DDoS protection, sandbox

Forensic threats
  Violates:   Cloud forensic data
  Mitigation: Logging; setting up a dedicated security domain/project with forensic tools
  Tools:      LMA toolchain, network sniffer
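The co-tenant row relies on host aggregates and availability zones to keep VMs of different security levels off the same compute node, but the aggregates themselves enforce nothing; the separation only holds if the scheduler filter that reads aggregate metadata rejects every host that does not match the flavor. The following is an added example, not code from this page or from OpenStack: it models the decision Nova's AggregateInstanceExtraSpecsFilter makes, using a constructed inventory of aggregates, hosts and flavors (names, the security_level key, and the untagged compute-5 host are all assumptions), and then checks which hosts two flavors could share. Only plain equality and the "<or>" operator are implemented; the real filter accepts more operators.

```python
"""Keep VMs of different security levels off the same compute node.

Added example, not code from the original page or from OpenStack. It models
the decision Nova's AggregateInstanceExtraSpecsFilter makes at scheduling
time: a flavor requests aggregate_instance_extra_specs:<key>=<value>, each
compute host inherits <key> from the aggregates it belongs to, and a host is
a candidate only if its aggregate metadata satisfies every such spec. The
aggregates, hosts and flavors are constructed sample data, and only plain
equality and the "<or>" operator are implemented (the real filter accepts
more operators).
"""
from collections import defaultdict

SCOPE = "aggregate_instance_extra_specs:"

# Constructed inventory: two aggregates carrying a security_level tag and one
# host (compute-5) that belongs to no aggregate at all.
AGGREGATES = {
    "high-sec": {"hosts": {"compute-1", "compute-2"},
                 "metadata": {"security_level": "high", "availability_zone": "az-secure"}},
    "general": {"hosts": {"compute-3", "compute-4"},
                "metadata": {"security_level": "low"}},
}
HOSTS = ["compute-1", "compute-2", "compute-3", "compute-4", "compute-5"]

FLAVORS = {
    "m1.secure": {SCOPE + "security_level": "high"},
    "m1.general": {SCOPE + "security_level": "low"},
    "m1.flex": {SCOPE + "security_level": "<or> high <or> low"},
    "m1.untagged": {},
}


def host_metadata(host):
    """Union of metadata over the aggregates containing `host`; a key maps to
    the set of values seen, as Nova does when a host is in several aggregates."""
    metadata = defaultdict(set)
    for aggregate in AGGREGATES.values():
        if host in aggregate["hosts"]:
            for key, value in aggregate["metadata"].items():
                metadata[key].add(value)
    return metadata


def spec_matches(host_values, requested):
    """Match a host's values against one spec: an exact value, or any of the
    alternatives written as '<or> a <or> b'."""
    if requested.startswith("<or>"):
        wanted = {alt.strip() for alt in requested.split("<or>") if alt.strip()}
    else:
        wanted = {requested.strip()}
    return bool(host_values & wanted)


def candidate_hosts(extra_specs, hosts=HOSTS):
    """Hosts on which a flavor with `extra_specs` may be scheduled. A host that
    lacks a requested key entirely is rejected, never silently accepted."""
    specs = {k[len(SCOPE):]: v for k, v in extra_specs.items() if k.startswith(SCOPE)}
    passed = []
    for host in hosts:
        metadata = host_metadata(host)
        if all(key in metadata and spec_matches(metadata[key], value)
               for key, value in specs.items()):
            passed.append(host)
    return passed


def hosts_shared_between(flavor_a, flavor_b):
    """Hosts that could end up running both flavors; a non-empty result means
    the separation the table calls for is not actually enforced."""
    return sorted(set(candidate_hosts(FLAVORS[flavor_a]))
                  & set(candidate_hosts(FLAVORS[flavor_b])))


if __name__ == "__main__":
    for name, specs in FLAVORS.items():
        print(f"{name:12s} -> {candidate_hosts(specs)}")
    print("secure/general overlap: ", hosts_shared_between("m1.secure", "m1.general"))
    print("secure/untagged overlap:", hosts_shared_between("m1.secure", "m1.untagged"))
```

The check worth taking away is the last one: a flavor without the spec can be scheduled anywhere, including the secure hosts, so every flavor a tenant can pick must carry a security_level spec (or the secure hosts must sit in an availability zone that ordinary flavors never request). In a real deployment the same inventory is built with openstack aggregate create --zone az-secure high-sec, openstack aggregate set --property security_level=high high-sec, openstack aggregate add host high-sec compute-1, and openstack flavor set --property aggregate_instance_extra_specs:security_level=high m1.secure, with AggregateInstanceExtraSpecsFilter present in Nova's scheduler filter list.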