Defensive techniques

The techniques in this chapter are organised mostly around STRIDE, because the focus is Mirantis OpenStack, which is a software product. Each threat class is paired with a set of mitigation techniques and recommended tools. Table 1 maps the six STRIDE threat classes to mitigations and tools; Table 2 does the same for cloud-specific threats, which usually combine several STRIDE classes (named in parentheses after each threat or mitigation).

Table 1: Mitigating STRIDE threats

| Threat type | Violates | Mitigation | Tools |
| --- | --- | --- | --- |
| Spoofing | Authentication | PKI: TLS and certificates, digital signatures | Secrets manager (Barbican) |
| Tampering | Integrity | MAC/RBAC, digital signatures | SELinux, AppArmor, grsecurity, Identity Federation, secrets manager (Barbican) |
| Repudiation | Non-repudiation | Secure logging and auditing, digital signatures | LMA toolchain, Keystone CADF events |
| Information disclosure | Confidentiality | Encryption, MAC/RBAC | Volume encryption, ephemeral disk encryption in LVM format, object encryption, secrets manager (Barbican), SELinux, AppArmor, grsecurity |
| Denial of Service (DoS) | Availability | ACLs, filtering, quotas, geographic distribution | Firewall (layers 3, 4 and 7), load balancer, DDoS protection, availability zones in OpenStack |
| Elevation of Privilege (EoP) | Authorization | MAC/RBAC, group or role membership, privilege ownership, input validation | SELinux, AppArmor, grsecurity, Identity Federation, DMZ |
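The MAC/RBAC entries in Table 1 are, inside OpenStack, enforced by each service through oslo.policy rules in its policy.json. The following is an added example, not code from this guide or from oslo.policy itself: a small evaluator for that rule syntax (role:, rule:, user_id:%(user_id)s, and/or/not, @ and !) with a constructed policy. It shows how an action is granted to an admin and refused to an ordinary project member, why an undefined rule or a missing target attribute must fail closed, and why rule references need a cycle guard.

```python
"""RBAC check in the style of OpenStack's oslo.policy rules (added example,
not code from the Mirantis OpenStack guide or from oslo.policy).  The policy
below is constructed; the rule language follows policy.json syntax."""

# Constructed policy in policy.json shape: action -> rule expression.
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:get_user": "rule:admin_or_owner",
    "identity:delete_user": "rule:admin_required",
    "compute:delete": "rule:admin_required or project_id:%(project_id)s",
}

MAX_RULE_DEPTH = 10  # guard against rules that reference each other in a cycle


def _tokenize(rule):
    """Split on whitespace, then peel parentheses off the ends of each word,
    so the parentheses inside substitutions like %(project_id)s survive."""
    tokens = []
    for word in rule.split():
        while word.startswith("("):
            tokens.append("(")
            word = word[1:]
        closers = 0
        while word.endswith(")"):
            closers += 1
            word = word[:-1]
        if word:
            tokens.append(word)
        tokens.extend([")"] * closers)
    return tokens


def _check(atom, creds, target, policy, depth):
    """Evaluate one kind:match term against the caller's credentials."""
    if atom == "@":                      # always allowed
        return True
    if atom == "!":                      # never allowed
        return False
    kind, sep, match = atom.partition(":")
    if not sep:
        raise ValueError("malformed check %r" % atom)
    if kind == "rule":                   # reference to another named rule
        if depth >= MAX_RULE_DEPTH:
            raise ValueError("rule nesting too deep (cycle?) at %r" % atom)
        if match not in policy:
            return False                 # undefined rule fails closed
        return evaluate(policy[match], creds, target, policy, depth + 1)
    if kind == "role":
        return match in creds.get("roles", ())
    try:
        match = match % target           # substitute %(attr)s from the target
    except KeyError:
        return False                     # target lacks the attribute: fail closed
    return str(creds.get(kind, "")) == match


def evaluate(rule, creds, target, policy=POLICY, depth=0):
    """Recursive-descent evaluation with precedence: not > and > or."""
    tokens = _tokenize(rule)
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()            # always consume the right-hand side
            value = value or rhs
        return value

    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        nonlocal pos
        if pos < len(tokens) and tokens[pos] == "not":
            pos += 1
            return not parse_not()
        return parse_atom()

    def parse_atom():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of rule %r" % rule)
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')' in rule %r" % rule)
            pos += 1
            return value
        return _check(tok, creds, target, policy, depth)

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in rule %r" % rule)
    return bool(result)


def enforce(action, creds, target, policy=POLICY):
    """Authorize `action`; unknown actions use the 'default' rule or are denied."""
    rule = policy.get(action, policy.get("default"))
    if rule is None:
        return False
    return evaluate(rule, creds, target, policy)


if __name__ == "__main__":
    admin = {"roles": ["admin"], "user_id": "u1", "project_id": "p1"}
    member = {"roles": ["member"], "user_id": "u2", "project_id": "p2"}
    print(enforce("identity:delete_user", admin, {"user_id": "u2"}))   # True
    print(enforce("identity:delete_user", member, {"user_id": "u2"}))  # False
    print(enforce("identity:get_user", member, {"user_id": "u2"}))     # True
    print(enforce("compute:delete", member, {"project_id": "p9"}))     # False
```

A policy file is only an EoP mitigation if the default rule and every per-API rule are reviewed: a rule of "@", or an action missing from the file that falls through to a permissive default, grants the action to anyone holding a valid token. The evaluator above therefore treats a missing action, an undefined rule and a missing target attribute as denials rather than guessing.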

Table 2: Mitigating cloud-specific threats

| Threat type | Violates | Mitigation | Tools |
| --- | --- | --- | --- |
| Insider threats (information disclosure, spoofing) | Cloud tenant security and privacy | Contractual controls; MAC/RBAC; data encryption (information disclosure); isolation of the management network from tenant networks (information disclosure, spoofing); inspection of outgoing traffic (information disclosure) | SELinux, AppArmor, grsecurity, volume encryption, ephemeral disk encryption in LVM format, object encryption, secrets manager (Barbican), DLP |
| Co-tenant threats (spoofing, EoP, DoS, information disclosure, repudiation) | Cloud tenant security and privacy | East-west traffic inspection to detect anomalies and restricted application-layer protocols (EoP, information disclosure); brute-force protection (EoP); cloud separation using host aggregates and availability zones, so that VMs with different security levels do not run on the same compute node (EoP, information disclosure, DoS) | WAF, IDPS, MOS brute-force protection, trusted computing pool based on Intel TXT, host aggregates and availability zones in OpenStack Compute |
| Tenants attack the provider: escaping from a VM to reach the management interface or network (EoP); using another tenant's stolen credentials (EoP, spoofing, repudiation); brute-force and dictionary attacks (EoP); resource exhaustion (DoS) | Cloud provider security and privacy | Brute-force protection (EoP); limiting access to admin interfaces (EoP); changing default passwords (EoP); monitoring and anomaly detection in the management and tenant networks (EoP, information disclosure); disabling indexing by search engines (information disclosure); logging (repudiation) | WAF, IDPS, LMA toolchain, brute-force protection |
| NFV threats: proprietary code in VNFs (information disclosure); altering of VNF images (tampering); network traffic loops (DoS); exhausting resources of the virtualisation infrastructure (DoS); a VM with a pass-through (SR-IOV) device reading another VM's memory through DMA (EoP); a cloned VNF image that still contains confidential information (information disclosure); diagnostic interfaces left enabled in a VNF for remote support and exploited by attackers | Cloud provider and tenant security and privacy | Protect the proprietary code in VNFs; verify the integrity of VNF images; detect loops during topology validation and when forwarding messages; monitor for degraded performance and anomalies in resource allocation; use the IOMMU to isolate DMA from SR-IOV virtual functions; use secure key management with a unique key pair for every cloned image and operator-controlled certificate authorities (CAs) for internal services; require authorization for VNF maintenance operations | LMA toolchain, SELinux, AppArmor, grsecurity, secrets manager |
| Outsider threats: targeted attacks (EoP); DDoS; human-related threats such as insider access and social engineering (spoofing, EoP); third-party access (information disclosure); MITM (information disclosure); DoS attacks through BGP exposed to the Internet | Cloud provider and tenant security and privacy | DMZ (EoP); raising staff security awareness (spoofing, EoP); BGP peer filtering (information disclosure, EoP) | Firewall (layers 3, 4 and 7), load balancer, DDoS protection, sandbox |
| Forensic threats | Cloud forensic data | Logging; a dedicated security domain/project equipped with forensic tools | LMA toolchain, network sniffer |
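Brute-force protection, listed against both co-tenant threats and tenants attacking the provider, depends on seeing authentication outcomes, which Keystone exposes as CADF identity.authenticate notifications (Table 1, Repudiation). The following is an added example, not code from this guide, from the MOS brute-force protection or from the LMA toolchain: a detector that consumes those notifications as JSON lines and raises an alert when one source address accumulates five failures within sixty seconds, and a second, higher-priority alert when the same address then succeeds. The sample events are constructed, and their field layout (eventTime, outcome, initiator.host.address) is an assumption about what the deployment emits.

```python
"""Brute-force detection over Keystone CADF authentication events (added
example, not code from the Mirantis OpenStack guide or the LMA toolchain).
The events are constructed; their layout follows Keystone's CADF
identity.authenticate notifications, which is an assumption."""
import json
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # sliding window per source address
THRESHOLD = 5         # failures inside the window that trigger an alert


def _event(when, outcome, address, user, event_type="identity.authenticate"):
    """Build one constructed CADF notification as the JSON line a consumer sees."""
    payload = {
        "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event",
        "eventType": "activity",
        "action": "authenticate",
        "outcome": outcome,
        "eventTime": when,
        "initiator": {"typeURI": "service/security/account/user",
                      "id": user, "host": {"address": address}},
        "target": {"typeURI": "service/security/account/user", "id": "keystone"},
        "observer": {"typeURI": "service/security", "id": "keystone"},
    }
    return json.dumps({"event_type": event_type, "payload": payload})


# Constructed sample: 10.0.0.5 hammers alice and finally succeeds; 10.0.0.9 is a
# user mistyping twice; 10.0.0.7 fails once every 70 s, never five in one window.
SAMPLE_EVENTS = (
    [_event("2016-03-01T12:00:%02d+00:00" % s, "failure", "10.0.0.5", "alice")
     for s in range(0, 30, 5)]
    + [_event("2016-03-01T12:00:30+00:00", "success", "10.0.0.5", "alice")]
    + [_event("2016-03-01T12:01:00+00:00", "failure", "10.0.0.9", "bob"),
       _event("2016-03-01T12:01:03+00:00", "failure", "10.0.0.9", "bob"),
       _event("2016-03-01T12:01:06+00:00", "success", "10.0.0.9", "bob"),
       _event("2016-03-01T12:01:10+00:00", "success", "10.0.0.9", "bob",
              event_type="identity.user.created")]   # not an auth event: ignored
    + [_event("2016-03-01T12:%02d:%02d+00:00" % (2 + i, 10 * i),
              "failure", "10.0.0.7", "carol") for i in range(5)]
)


def parse_event(line):
    """Return the fields the detector needs, or None for non-authentication events."""
    msg = json.loads(line)
    if msg.get("event_type") != "identity.authenticate":
        return None
    p = msg["payload"]
    return {
        "time": datetime.fromisoformat(p["eventTime"]),
        "outcome": p["outcome"],
        "address": p["initiator"]["host"]["address"],
        "user": p["initiator"].get("id", "unknown"),
    }


def detect_bruteforce(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Sliding-window count of failures per source address, in time order."""
    events = [e for e in map(parse_event, lines) if e is not None]
    events.sort(key=lambda e: e["time"])   # notifications may arrive out of order
    recent = defaultdict(deque)            # address -> failure times in the window
    alerted = set()
    alerts = []
    for ev in events:
        q = recent[ev["address"]]
        while q and (ev["time"] - q[0]).total_seconds() > window:
            q.popleft()                    # expire failures outside the window
        if ev["outcome"] == "failure":
            q.append(ev["time"])
            if len(q) >= threshold and ev["address"] not in alerted:
                alerted.add(ev["address"])
                alerts.append({"type": "bruteforce", "address": ev["address"],
                               "failures": len(q), "at": ev["time"].isoformat()})
        elif ev["outcome"] == "success" and len(q) >= threshold:
            # A success on the heels of a failure burst is the case to page on:
            # the credentials were probably guessed, not mistyped.
            alerts.append({"type": "success_after_bruteforce",
                           "address": ev["address"], "user": ev["user"],
                           "at": ev["time"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Keying on the source address catches one attacker against one or many accounts but not password spraying from many addresses against one account, nor does it distinguish many users behind one NAT address; a production detector keeps a second window keyed on the target user and tunes the threshold per deployment.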
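The logging entries (Repudiation in Table 1 and the forensic row above) only hold up if the audit trail itself cannot be rewritten by whoever compromised the host that produced it. The following is an added example, not code from this guide or from the LMA toolchain: an HMAC-SHA256 hash chain over audit records that detects a modified, deleted or reordered record, plus an externally held head MAC that catches truncation, which a chain alone cannot. The records and key are constructed; HMAC stands in for the asymmetric digital signatures the tables list because it needs only the standard library.

```python
"""Tamper-evident audit trail: an HMAC hash chain over audit records (added
example, not code from the Mirantis OpenStack guide or the LMA toolchain).
Records and key are constructed; HMAC-SHA256 stands in for digital signatures."""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64                   # previous-MAC value for the first record
DEMO_KEY = b"constructed-demo-key"   # in practice held by the collector, never the producer


def _mac(key, prev_mac, seq, record):
    """MAC over the previous MAC, the sequence number and the canonical record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    msg = prev_mac.encode() + b"|" + str(seq).encode() + b"|" + canonical
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_record(chain, key, record):
    """Append `record` to `chain`, linked to the previous entry; return its MAC."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "prev": prev_mac, "record": record,
                  "mac": _mac(key, prev_mac, seq, record)})
    return chain[-1]["mac"]


def verify_chain(chain, key, head=None):
    """Return (True, length) if intact, else (False, index of the first bad entry).

    `head` is the last MAC as recorded somewhere the log host cannot write (a
    separate collector, a ticket, a signed checkpoint); without it a chain with
    entries removed from the end still verifies."""
    prev_mac = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev_mac:
            return (False, i)            # deleted or reordered entry
        expected = _mac(key, prev_mac, i, entry["record"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return (False, i)            # modified entry
        prev_mac = entry["mac"]
    if head is not None and prev_mac != head:
        return (False, len(chain))       # entries removed from the end
    return (True, len(chain))


def run_demo(key=DEMO_KEY):
    """Build a three-record trail, then show which manipulations are detected."""
    # Constructed records in the shape of Keystone CADF authentication events.
    records = [
        {"action": "authenticate", "outcome": "failure", "initiator": "alice", "t": "12:00:00"},
        {"action": "authenticate", "outcome": "failure", "initiator": "alice", "t": "12:00:05"},
        {"action": "authenticate", "outcome": "success", "initiator": "alice", "t": "12:00:10"},
    ]
    chain = []
    head = GENESIS
    for r in records:
        head = append_record(chain, key, r)

    modified = copy.deepcopy(chain)
    modified[1]["record"]["outcome"] = "success"   # rewrite history
    deleted = [chain[0], chain[2]]                  # drop the middle entry
    truncated = chain[:2]                           # drop the last entry
    return {
        "intact": verify_chain(chain, key, head),
        "modified": verify_chain(modified, key, head),
        "deleted": verify_chain(deleted, key, head),
        "truncated_without_head": verify_chain(truncated, key),
        "truncated_with_head": verify_chain(truncated, key, head),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print("%-24s %s" % (name, result))
```

Two design points matter more than the primitive. First, the key (or signing key) must not live on the node that generates the events: an attacker who owns that node can otherwise re-chain the trail after editing it, so the collector in the LMA toolchain, not the producer, should hold it. Second, the chain proves order and content but not completeness, which is why the head MAC has to be checkpointed somewhere the log host cannot write; "truncated_without_head" verifying as intact is the failure mode that check exists for.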