This talk describes an automated trusted remote Java development sandbox hosted in the amazon cloud that uses strong encryption for system authentication and file system services. Security-conscious users can trust that their application intellectual property won't be leaked while trusting neither the cloud provider nor the operators who deploy and maintain the cloud-based sandbox service.
“Remote Desktop for big data + DevOps + Encryption Everywhere”
Deploying trusted developer sandboxes in Amazon’s cloud
Jason Brazile, Remi Locherer, Ronnie Brunner, 10 June 2014
Open Cloud Day
Netcetera | 2
A case for…
• remote desktop w/ “big data in the cloud”
• automated immutable system images
• not-too-inconvenient encryption everywhere
Background: ESA Study, 2009-2011
Potential use-cases:
• …
• Cloud for free* data access
• Cloud for remote development
• …
(*) https://www.google.com/?q=ESA+Earth+Observation+Data+Policy
ESRIN/Contract Nr. 227700/09/I-SB final report (245 pages)
ESA CIOP
• Big, free-ish, data
• Distinct, proprietary, software devs
• Slow test data distribution to code developers
• Devs nervous about their code leaking
Proprietary Algorithm A dev’d by X
Proprietary Algorithm B dev’d by Y
Soln? Instead, bring the devs to the data (in the cloud)
(non-)Priorities… Zzz
• hacking science data
• brand damage
• Leaking developer’s algorithms
Summary
• Data = not sensitive
• Dev’s Code = sensitive
• Soln → easy for devs
Schneier’s “NSA” Recommendations
1. Hide in the network (Tor)
2. Encrypt communications
3. Encrypt data
4. Be suspicious of commercial encryption from large vendors
5. Use public-domain encryption
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
Image source: Wikipedia
w/ ESA CIOP, 4 of 5 are built-in to the system
Cloud Sandbox Prototype (architecture diagram)
Components: /data, portal, catalog, NFS, ldap; sandbox a, sandbox b, sandbox c (each running encfs + sshd, with /home/a, /home/b, /home/c); user a, user b, user c, Admin
Network zones: ESA private net, ESA/CIOP DMZ
Annotations:
• Existing X.509 certs → X.509-derived ssh key
• ldap config limits user c to sandbox c
• nfs mount of encfs-encrypted /home/a
• sandbox images basically read-only
• knows no CIOP secrets
Getting big data into the cloud
http://aws.amazon.com/importexport/faqs/
http://calculator.s3.amazonaws.com/index.html?s=importexport
http://docs.aws.amazon.com/AWSImportExport/latest/DG/GSCreateSampleEBSImportRequest.html
1. Net or Post?
2. Est. Cost
3. Submit job
Easy? First time usage
1. ssh identity derived from existing X.509 certificate
2. Single encfs passphrase decrypts both dev’s /home and shared /validate
Easy? Daily usage
1. ssh identity derived from existing X.509 certificate
2. Single encfs passphrase decrypts both dev’s /home and shared /validate
ldap directory: centralized access control to machines and nfs mounts
Details: encrypted file system choices on SL6
Details: boxgrinder appliance definition

    name: fedora-xfce
    summary: Fedora with xfce
    os:
      name: fedora
      version: 16
    hardware:
      partitions:
        "/":
          size: 5
    packages:
      - @base
      - @base-x
      - @fonts
      - @xfce-desktop
      - @critical-path-xfce

boxgrinder config (AWS credentials):

    access_key: yourawsaccesskey
    secret_access_key: yourawssecretkey
    account_number: youramazonaccountnumber
    cert_file: /root/.ec2/yourcertificate.pem
    key_file: /root/.ec2/yourprivatekey.pem
Details: just the OS
The only change needed:

    name: sl
    version: 6

Note: boxgrinder is “sleeping”. Now we use appliance-creator (~150 line shell script)
https://github.com/netceteragroup/esa-beam/blob/master/beam-3dveglab-vlab/src/main/scripts/build_fedora_virtual_image.sh
Details: server script (~500 lines)
• Firewall
• Nfs/autofs
• Certificates
• Ldap
• Syslog

    # local firewall rules for inbound traffic
    lokkit --nostart --enabled \
      --service=ssh \
      --port=111:tcp \
      --port=111:udp \
      --port=514:tcp \
      --port=636:tcp \
      --port=662:tcp \
      --port=662:udp \
      --port=2049:tcp \
      --port=2049:udp \
      --port=32803:tcp \
      --port=32769:udp
    # 111 rpc (for nfs)
    # ldap-ssl (port 636)
    # 514 rsyslog
    # 662 statd (for nfs)
    # 2049 nfs4
    # 32803,32769 lockd (for nfs)

Nice-to-have: rsyslog → TLS rsyslog

    # ldap configuration
    yum install -y openldap-clients openldap-servers nss-pam-ldapd

    # prepare ldap cert
    cd /etc/openldap/cacerts
    openssl genrsa -out cert.key 2048
    …
    openssl req -new -key cert.key -out cert.csr -subj \
      "/C=IT/L=Default City/O=Default Company Ltd/CN=192.168.11.10"
    …
    /usr/sbin/cacertdir_rehash /export/certs/

    cat <<EOF> /etc/openldap/slapd.d/cn=config.ldif
    …
    cat <<EOF> /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif
    …
    cat <<EOF> /etc/openldap/slapd.d/cn=config/cn=schema/cn={12}autofs.ldif
    …
    cat <<EOF> /etc/openldap/slapd.d/cn=config/cn=schema/cn={14}ldappubkey.ldif
    …
    cat <<EOF> /etc/openldap/g-pod.ldif
    …
    slapadd -l /etc/openldap/g-pod.ldif
Details: sandbox script (~250 lines)
• Firewall
• Nfs/autofs/fuse-encfs
• Encrypted /tmp & swap
• Openssh-ldap
• Syslog

    …
    chmod +x /etc/profile.d/encfs.sh

    # load fuse kernel module at boot
    cat <<EOF> /etc/sysconfig/modules/encfs.modules
    #!/bin/bash
    exec /sbin/modprobe fuse >/dev/null 2>&1
    EOF
    chmod +x /etc/sysconfig/modules/encfs.modules

    # sshd fetches users' public keys from ldap (one line: a backslash inside the
    # quotes would end up literally in sshd_config)
    yum install -y openssh-ldap
    echo 'AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper' >> /etc/ssh/sshd_config

    # for ssh-ldap-helper
    ln -s /etc/openldap/ldap.conf /etc/ssh/ldap.conf

    # encrypt temporary filesystems
    yum install -y cryptsetup-luks
    # swap space, keyed from /dev/urandom at every boot
    # (use "cryptsetup status /dev/mapper/swap" after reboot)
    echo 'swap /dev/mapper/VolGroup-lv_swap /dev/urandom cipher=aes-cbc-essiv:sha256,size=128,swap' > /etc/crypttab
    sed -i 's/.*swap.*/\/dev\/mapper\/swap swap swap defaults 0 0/' /etc/fstab
    # temporary file systems
    echo 'none /tmp tmpfs defaults,size=64m 0 0' >> /etc/fstab
    echo 'none /var/tmp tmpfs defaults,size=128m 0 0' >> /etc/fstab

    […]

    # home directory encryption
    # fuse-2.8.3-1.el6 works, fuse-2.8.3-3.el6_1 "fusermount -u" does not work.
    yum install -y \
      fuse-2.8.3-1.el6 \
      fuse-encfs-1.7.4-1.el6.i686 \
      pwgen
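As an added example (not code from the slides or from the esa-ciop-sandbox-image-proto repository), the encrypted-swap/tmpfs and openssh-ldap steps of the sandbox script applied to a staging copy of /etc, plus a check a reviewer can run before the image is baked; the swap LV name is the one from the slides, while the starting fstab and sshd_config are constructed stand-ins.

```shell
# Added example, not from the slides or the esa-ciop-sandbox-image-proto repo.
# Applies the sandbox script's "encrypt temporary filesystems" and openssh-ldap
# steps to a staging directory (DESTDIR) instead of the live /etc, so the result
# can be reviewed before it goes into an image. Assumes the slides' LVM swap
# volume name; the starting fstab and sshd_config below are constructed.
DESTDIR="${DESTDIR:-$(mktemp -d)}"
SWAP_LV="/dev/mapper/VolGroup-lv_swap"

seed_sample_config() {   # constructed stand-in for the image's pre-change files
  mkdir -p "$DESTDIR/etc/ssh"
  printf '/dev/mapper/VolGroup-lv_root / ext4 defaults 1 1\n' > "$DESTDIR/etc/fstab"
  printf '%s swap swap defaults 0 0\n' "$SWAP_LV" >> "$DESTDIR/etc/fstab"
  printf 'Port 22\nPasswordAuthentication no\n' > "$DESTDIR/etc/ssh/sshd_config"
}

apply_sandbox_config() {
  f="$DESTDIR/etc/fstab"; s="$DESTDIR/etc/ssh/sshd_config"
  # swap keyed from /dev/urandom at every boot: nothing paged out survives a
  # reboot or a volume snapshot, and no swap key is ever stored on disk
  echo "swap $SWAP_LV /dev/urandom cipher=aes-cbc-essiv:sha256,size=128,swap" > "$DESTDIR/etc/crypttab"
  # same substitution as the sandbox script: raw LV line -> dm-crypt device
  sed 's/.*swap.*/\/dev\/mapper\/swap swap swap defaults 0 0/' "$f" > "$f.new" && mv "$f.new" "$f"
  grep -q '^none /tmp tmpfs ' "$f" || echo 'none /tmp tmpfs defaults,size=64m 0 0' >> "$f"
  grep -q '^none /var/tmp tmpfs ' "$f" || echo 'none /var/tmp tmpfs defaults,size=128m 0 0' >> "$f"
  # public keys come from ldap; add the directive only once, since sshd takes the
  # first occurrence and a plain '>>' would duplicate it on every re-run
  grep -q '^AuthorizedKeysCommand ' "$s" ||
    echo 'AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper' >> "$s"
}

# Review check: returns 0 when the staged files match the intended end state.
check_sandbox_config() {
  f="$DESTDIR/etc/fstab"; s="$DESTDIR/etc/ssh/sshd_config"
  grep -q "^$SWAP_LV " "$f" && return 1                         # raw LV still used as swap
  grep -q '^/dev/mapper/swap swap swap ' "$f" || return 1       # dm-crypt swap present
  grep -q '^none /tmp tmpfs ' "$f" || return 1
  grep -q '^none /var/tmp tmpfs ' "$f" || return 1
  grep -q ' /dev/urandom ' "$DESTDIR/etc/crypttab" || return 1  # random, never-persisted key
  [ "$(grep -c '^AuthorizedKeysCommand ' "$s")" -eq 1 ] || return 1
  return 0
}
```

Run it with DESTDIR pointed at a chroot or image mount to stage the files, then apply only once check_sandbox_config passes.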
Takeaways…
• remote desktop w/ “big data in the cloud”
• automated immutable system images
• not-too-inconvenient encryption everywhere
github.com/netceteragroup/esa-ciop-sandbox-image-proto