Securing Your Cloud Servers with Halo NetSec
Rand Wacker
VP of [email protected]
@randwacker
© 2012 CloudPassage Inc.
CloudPassage Halo was purpose-built to deliver real security for servers in the cloud.
What does CloudPassage do?
Firewall Management
Server Configurations
Server account Management
Compromise & intrusion alerting
Security & compliance auditing
Vulnerability Management
Security for virtual servers running in public and private clouds
CloudPassage Halo Packages
Halo Basic: Free security for initial cloud migrations
Halo NetSec: Full perimeter protection and security integration
Halo Professional: Comprehensive security and compliance controls
NEW
Cloud Requires A New Approach to Security
Cloud Security Is New
[Diagram: private datacenter and public cloud, each with servers www-1, www-2, www-3, www-4]
Cloud Security Is Different
[Diagram: private datacenter and public cloud; servers www-1, www-2, www-3, with www-4 shown several times]
Cloud Security Is Complex
[Diagram: servers www-1 through www-10 spread across Cloud Provider A, Cloud Provider B, and a Private Datacenter]
Security Products Aren’t Adapting
[Diagram: servers www-1 through www-10 spread across Cloud Provider A, Cloud Provider B, and a Private Datacenter]
• Temporary & Elastic Deployments
• Multiple Cloud Environments
• Metered Usage
Cloud Security Responsibility
Physical Facilities
Hypervisor
Compute & Storage
Shared Network
Virtual Machine
Data
App Code
App Framework
Operating System
Customer Responsibility
Provider Responsibility
“…the customer should assume responsibility and management of, but not limited to, the guest operating system.. and associated application software...”
“it is possible for customers to enhance security and/or meet more stringent compliance requirements with the addition of… host based firewalls, host based intrusion detection/prevention, encryption and key management.”
Amazon Web Services: Overview of Security Processes
AWS Shared Responsibility Model
Survey: Cloud Providers
[Chart legend: Amazon EC2, Rackspace, Terremark, GoGrid, Other. Data labels: 30%, 16%, 9%, 6%, 50%]
Source: CloudPassage CloudSec Community Survey
Question: Which cloud hosting providers do you use?
Survey: Cloud Security Practices
Open source or custom-developed tools
Commercial Tool
My provider does it for me
Amazon Security Group
We're not securing our cloud servers
Source: CloudPassage CloudSec Community Survey
Question: How do you secure your cloud servers today?
Survey: Cloud Security Concerns
Enterprise security tools don't work in the cloud: 23%
Provider access to guest servers: 24%
Achieving compliance with PCI or other standards: 26%
Multi-tenancy of infrastructure or applications: 40%
Lack of perimeter defenses and/or network control: 44%
Multiple Choice
Source: CloudPassage CloudSec Community Survey
Question: What security concerns are most important to you regarding public cloud computing?
Introducing Halo NetSec
Halo NetSec provides firewalling, 2-factor authentication, and full automation for the protection of cloud servers.
Halo NetSec: Dynamic Cloud Firewall
Traditional Perimeter Security
[Diagram: private datacenter containing a Firewall, Load Balancers, App Servers, and DBs]
Dynamic Cloud Firewall
[Diagram sequence: public cloud with Load Balancers, App Servers, DB Master, and DB Slave, each labeled Halo FW; later frames add an "App Server IP" label]
Multi-Cloud Firewall
[Diagram: US West Cloud, US East Cloud, and Private Datacenter; App Server and DB nodes labeled Halo FW, plus a Firewall]
Halo NetSec: GhostPorts 2-Factor Authentication
GhostPorts 2-Factor Auth
YubiKey-generated one-time password
USB token contains no batteries or moving parts
Prevent brute force attacks on SSH and web applications
[Diagram sequence with labels: ssh, https, CloudPassage Halo Grid, DB Server with Halo FW]
Halo NetSec: Integration API
Halo Reduces Your Workload
Things you DON’T need to script with CloudPassage Halo
Managed Automatically
• Add new server to policy group
• Remove firewall policies when servers are retired
• Scan for vulnerabilities of installed software packages
• Many, many more…
Monitored Continually
• Verify firewall rules match policy
• Alert administrators of missing servers
• Monitor critical server configuration files for security posture
• Many, many more…
Adding New Server Accounts
[Diagram: private datacenter (Corporate Directory, Enterprise Provisioning System, Security Operations Portal); https; RESTful API Gateway of the CloudPassage Halo Grid; public cloud servers www-1 and www-2 running Halo; caption: GhostPorts Access, Local Server Accounts]
Other Cool Halo/API Tricks
• Set password reset requirements for a server user account.
• Find server accounts that don't have passwords (it happens).
• Find those spooky root-owned setuid files.
• Generate alerts if PID files go missing.
• Generate an alert if someone is in a group they shouldn't be in (like wheel).
• Generate massively detailed reports of server configuration status for auditors (keep 'em busy for weeks).
• Get a report of every server that a user *does not* have an account on.
• Get a report of every server that a user has an account on.
• Get alerted if a new cloud server gets created.
• Learn what process that TCP/IP port is bound to.
• Make sure that init.d startup scripts can't be tampered with by non-root users.
• Make sure that services are not running with excessive privileges.
• Monitor servers to detect old user accounts that should have been cleaned up, but might have gotten missed.
Many, many more at community.cloudpassage.com
CloudPassage Halo Architecture
How It Works
• Halo Daemon
– Ultra light-weight software
– Installed on server image
– Automatically provisioned
• Halo Grid
– Elastic compute grid
– Hosted by CloudPassage
– Does the heavy lifting for the Halo Daemons
[Diagram: server www-1 running the Halo Daemon, and the Halo Grid]
[Diagram: servers www-1 through www-4 running Halo; CloudPassage Halo Compute Grid; User Portal (https); RESTful API Gateway (https); labels: "Policies, Commands, Reports" and "Alerts, Reports and Trending"]
Getting Started
CloudPassage Halo Packages
Halo Basic: Free security for initial cloud migrations
Halo NetSec: Full perimeter protection and security integration
Halo Professional: Comprehensive security and compliance controls
NEW
Features and Pricing

| Feature | Basic | NetSec | Pro |
|---|---|---|---|
| Network Security | | | |
| Host Firewall Management | ✔ | ✔ | ✔ |
| GhostPorts Multi-Factor Authentication | | ✔ | ✔ |
| Host Security | | | |
| Server Exposure Monitoring | ✔ | ✔ | ✔ |
| Software Vulnerability Monitoring | ✔ | ✔ | ✔ |
| Account & Access Scanning | ✔ | ✔ | ✔ |
| Cloud Server Event Logging & Alerting | ✔ | ✔ | ✔ |
| File Integrity Monitoring | | | ✔ |
| Data Storage | One day | Two years (FW events) | Two years (All scans) |
| Maximum Scanning Frequency | Daily | Daily | Hourly |
| Integration, Management Support | | | |
| Web Management Portal | ✔ | ✔ | ✔ |
| RESTful API Access | | ✔ | ✔ |
| Technical Support | Community | Professional | Professional |
| Servers Protected | Up to 25 | Unlimited | Unlimited |
| Pricing | FREE | 3.5¢/hour | 10¢/hour |
New!
FREE 5 Minute Setup
Register at cloudpassage.com/register
Configure security policies in Halo web portal
Install daemons on cloud servers
Summary
Cloud deployments require a new approach to security
Halo is the only security platform purpose-built for the cloud
All you need to secure your cloud servers