IBM® Cloud and Smarter Infrastructure Software
SmartCloud Orchestrator Version 2.3: Security Hardening Guide
Document version 2.3.4
IBM SmartCloud Orchestrator Security Team
© Copyright International Business Machines Corporation 2014, 2015. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
CONTENTS
Contents
List of Figures
Author List
Revision History
1 Introduction
2 Security Management Overview
  2.1 Web Application Security Scanning
  2.2 Application Source Code Scanning
  2.3 Threat Modeling
  2.4 Security Regulatory Compliance Reports
  2.5 Authentication Management
  2.6 Authorization Management
3 Security Hardening
  3.1 Port Management and Firewall Configuration
    3.1.1 Methodology
    3.1.2 Reference Tables
  3.2 “nologin” Shell Configuration
  3.3 HBase Process Name Management
  3.4 Common Vulnerabilities and Exposures Management
  3.5 Secure Sockets Layer Management
Appendix A: The Cloud Orchestrator Security Evaluation Tool (coset)
  A.1 Port Utility Configuration
  A.2 Port Utility List Mode
  A.3 Port Utility Inbound Connection Mode
  A.4 Port Utility Outbound Connection Mode
  A.5 Port Utility Monitor Mode
References
LIST OF FIGURES
Figure 1: Revision History
Figure 2: SCO 2.3 Security Management Summary
Figure 3: Security Compliance Report Options
Figure 4: Security Single Sign-on Overview
Figure 5: Security Authentication Flow
Figure 6: Security Flow for Self Service Request
Figure 7: Security Flow for Import OVA Image
Figure 8: Security Flow for Register Image
Figure 9: Security Flow for Image Extension
Figure 10: Orchestrator User Registry
Figure 11: Orchestrator Authorization Entity-Relationship Diagram
Figure 12: Orchestrator Authorization Management
Figure 13: Orchestration Management Server Core
Figure 14: Central Server 1 Port Management
Figure 15: Central Server 2 Port Management
Figure 16: Central Server 3 Port Management
Figure 17: Central Server 4 Port Management (WebSphere Deployment Manager)
Figure 18: Central Server 4 Port Management (WebSphere Node Agent)
Figure 19: Central Server 4 Port Management (BPM EAR)
Figure 20: Region Server Port Management
Figure 21: Other IBM Port Management Considerations
Figure 22: OpenStack Port Management Considerations
Figure 23: VMware Port Management Considerations
Figure 24: Deployed Virtual System & Extended Image Port Management Considerations
Figure 25: Verifying "nologin" support
Figure 26: Recommended Users for "nologin" Support
Figure 27: Port Utility Hosts Configuration
Figure 28: Port Utility Region Server Template Configuration
Figure 29: Port Utility Active Port Configuration
Figure 30: Port Utility Ports and Programs to Ignore
Figure 31: Port Utility List Mode Sample
Figure 32: Port Utility Inbound Connection Mode Sample
Figure 33: Port Utility Outbound Connection Mode Sample
Figure 34: Port Utility Monitor Mode Sample
AUTHOR LIST
This paper is the team effort of a number of cloud security specialists comprising the SmartCloud Orchestrator security team. Additional recognition goes out to the entire SmartCloud Orchestrator and OpenStack development teams.
Mark Leitch (primary contact for this paper), IBM Toronto Laboratory
Nate Rockwell, IBM USA
Marc Schunk IBM Boeblingen Laboratory
Piotr Gnysinski IBM Ireland
Michele Licursi IBM Rome Laboratory
REVISION HISTORY
Date | Version | Revised By | Comments
April 30th, 2014 | Draft | MDL | Initial version for review.
May 4th, 2014 | 2.3.0 | MDL | First version for external review.
May 5th, 2014 | 2.3.1 | MDL | Added “nologin” support.
May 7th, 2014 | 2.3.2 | MDL | Added HBase process name management.
June 18th, 2014 | 2.3.3 | MDL | Revised port listing.
February 11th, 2015 | 2.3.4 | MDL | Added SSL information.
Figure 1: Revision History
1 Introduction
Security management is critical for any enterprise. With the adoption of cloud technologies, security management becomes even more critical as the range and scale of possible exploits expand dramatically through the power of enterprise cloud management. This document will provide an overview of security management approaches for the IBM SmartCloud Orchestrator (SCO) Version 2.3.
SCO Version 2.3 offers end-to-end management of service offerings across a number of cloud technologies, including VMware, Kernel-based Virtual Machine (KVM), IBM PowerVM, and IBM System z. A key implementation aspect is integration with OpenStack, the de facto leading open source cloud infrastructure platform. OpenStack controls compute, storage, and network resources through an open, community-based architecture.
We will first describe security management approaches for SmartCloud Orchestrator. We will then offer some prescriptive approaches for security hardening of a cloud installation.
Note: This document is considered a work in progress. Security recommendations will be refined and updated as new SCO releases are available. While the paper in general is considered suitable for all SCO Version 2.3 releases, it is best oriented towards SCO Version 2.3.0.1. In addition, a number of references are provided in the References section. These papers are highly recommended for readers who want detailed knowledge of cloud security management.
Note: Some artifacts are distributed with this paper. The distributions are in zip format. However, Adobe Reader blocks attachments with a “zip” suffix, so each distribution is attached with the suffix “zap” instead. To use these artifacts, rename the distribution to “zip” and process as usual.
2 Security Management Overview
The following table provides a summary of SCO 2.3 security management. Specific security areas are expanded upon as appropriate.
Security Area | Disposition
Web Application Security Scanning | Scans mandated by IBM Corporate Security Standards. Automated and repeatable security assessment.
Application Source Code Scanning | Scans mandated by IBM Corporate Security Standards. Automated and repeatable security assessment.
Threat Modeling | Threat model assessment mandated by IBM Corporate Security Standards.
Security Regulatory Compliance Reports | Several compliance reports (e.g. PCI DSS) are available as part of the web application security scanning work.
Multitenancy: Isolation of Back End Resources | Available in SCO 2.3. Offers the ability to assign tenants (aka projects) resources that are partitioned by cloud regions (aka availability zones).
Multitenancy: Segregation of cloud resources via role based authorization | Segregation of cloud resources is available in SCO 2.3.
LDAP Support | The OpenStack Keystone component provides a comprehensive role/authorization/authentication service. Read only LDAP support is available in the SCO 2.3 release.
Figure 2: SCO 2.3 Security Management Summary
The first four management areas are described in specific sections. A description of security authentication and authorization management, with implications for multitenancy and directory support, is then provided.
2.1 Web Application Security Scanning
Web application security scanning is performed with the IBM Rational AppScan Standard Edition reference tool. Some of the capabilities of this tool include the following.
Heightened scan severity ratings through enablement of the CVSS environmental metrics Collateral Damage Potential and Target Distribution, set specifically for cloud offerings.
Provides visibility into the security and regulatory compliance risks web applications present to your organization.
Uses a combination of testing techniques to provide thorough, automated assessments.
Scans websites for both embedded malware and links to malicious or undesirable websites.
Helps ensure your website is not infecting visitors or directing them to unwanted or dangerous websites.
Correlates results discovered using dynamic and static analysis techniques.
Tests web services.
Delivers more than 40 security compliance reports, including PCI Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), ISO 27001 and ISO 27002, HIPAA, GLBA and Basel II.
Further information on the Rational AppScan offering is available in the References section.
2.2 Application Source Code Scanning
Application source code scanning is performed with the Rational AppScan Source reference tool. Some notable features of the Rational AppScan Source instance that apply to cloud deployments follow.
Identifies security vulnerabilities and defects in the source code during the early stages of the application lifecycle when they are the least expensive to remediate.
Builds automated security into development by integrating security source code analysis with automated scanning during the build process.
Scans, triages and manages security policies; prioritizes assignment of results to security teams for vulnerability remediation.
Delivers fast scans of more than one million lines of code per hour, allowing you to scan even the most complex enterprise applications.
Uses string analysis to simplify the adoption of security testing by development teams.
Support for testing mobile applications including Java, C# and Objective-C.
Further information on the Rational AppScan Source offering is available in the References section.
2.3 Threat Modeling
Threat modeling assessments may encompass automated and manual approaches, including ethical hacking approaches. Basic methods employed include the following.
Enforcement of non-root runtime for audit and trust purposes.
Enforcement of necessary permissions.
Secure credentials management (e.g. passwords).
Secure port analysis.
Ethical hacking approaches.
2.4 Security Regulatory Compliance Reports
The Web Application Security Scanning tool offers a number of regulatory compliance reports. See the following figure for some sample report types.
Figure 3: Security Compliance Report Options
It is worth noting that these are simply report options. For example, for the PCI DSS report, neither Rational AppScan nor IBM is a PCI Approved Scanning Vendor (ASV). While the reports are considered to have value in terms of classifications and exposures, they are not at the level of a certification.
Note: PCI DSS regulatory reports have been generated for SCO. These reports illustrate the unique findings across the thirty-three PCI DSS classification areas. The same unique issues are identified in the base Web Application Security Scanning reports; the regulatory report aligns each finding with the applicable regulatory classification area.
2.5 Authentication Management
A single sign-on approach is used across the primary SmartCloud Orchestrator components (i.e. IWD, BPM, SWI, and OpenStack)1. The single sign-on authentication uses a token approach. The token contains user and project information, has an expiration date, and is stored in the browser as a cookie for the domain. Because the cookie is a bearer credential, its protection depends on the transport that carries it; the port tables in Section 3.1.2 identify which user-facing interfaces are HTTPS. The following figure provides an overview of the single sign-on approach.
Figure 4: Security Single Sign-on Overview
1 This document does not provide an overview of the Orchestrator components. For background on the components and their management, please see SmartCloud Orchestrator Version 2.3: Capacity Planning, Performance, and Management Guide in the References section.
An alternate view showing the authentication flow for IWD follows.
Figure 5: Security Authentication Flow
The following figure shows the role of the authentication flow for a self service request. The flows are simplified for display purposes, with the authentication step at the top left.
Figure 6: Security Flow for Self Service Request
The following figure shows the component interaction for the import of an OVA image.
Figure 7: Security Flow for Import OVA Image
The following figure shows the component interaction for the registration of an image.
Figure 8: Security Flow for Register Image
The following figure shows the component interaction for the extension of the image. Once again, the authentication management is shown at the start of the scenario.
Figure 9: Security Flow for Image Extension
2.6 Authorization Management
We will provide an overview of user, role, and project management. The OpenStack Keystone component provides the reference repository for managing these objects. For SmartCloud Orchestrator, the customer may populate Keystone from a corporate read only LDAP. The following diagram offers a simple view of the user registry.
Figure 10: Orchestrator User Registry
In simplest terms, roles determine the actions that a user is allowed to perform. A project (referred to as a tenant in Keystone parlance) is a set of specific resources granted to a set of users. Through these constructs, a cloud administrator may strictly control the set of cloud resources authorized to a specific user. Further information is available in the SmartCloud Orchestrator information center (see the References section). The following diagram provides an entity-relationship diagram for authorization management (mapped OpenStack entities are shown in blue).
Figure 11: Orchestrator Authorization Entity-Relationship Diagram
The following diagram provides a breakdown of where information is managed. To be specific:
The original source for information (identified by a clear box).
A resource reference (identified by a box with hash lines).
Once again, OpenStack Keystone is the reference repository for users, roles, and tenants. The remaining components may reference these objects, while managing specific objects required for their functional requirements.
Figure 12: Orchestrator Authorization Management
3 Security Hardening
Security hardening has multiple dimensions, particularly in the cloud space. We will break the hardening dimensions into the managed cloud and management server components.
For the managed cloud, the cloud providers offer specific security hardening approaches. For example, VMware offers prescriptive hardening spreadsheets to enforce best practices. Resources for these spreadsheets based on specific vSphere versions are provided in the References section.
For the management server hardening, we will provide the following hardening approaches.
Port management and firewall configuration.
“nologin” shell configuration.
HBase process name management.
Common Vulnerabilities and Exposures (CVE) management.
Secure Sockets Layer (SSL) management.
3.1 Port Management and Firewall Configuration
We will describe the port management methodology, followed by the port management reference tables.
3.1.1 Methodology
The following diagnostic tools are the basis for programmatically managing the Orchestrator ports.
The nmap utility (obtained via the Red Hat distribution) is used to derive the list of open ports for a server instance, as seen from the network. Sample command usage: nmap -p1-65535 <server>
Note that this scans TCP only; the UDP ports in the reference tables (53, 123, 953) require a UDP scan (nmap's -sU option), and a scan run from a remote host shows the ports as the firewall allows them, not necessarily everything the server is listening on.
Within a server instance, the set of ports being listened on or established is managed via the lsof command, run as root so that every process is visible. The -P option keeps port numbers numeric; -n does the same for host addresses.
Sample command usage: lsof -i -P | grep LISTEN
Sample command usage: lsof -i -P | grep ESTABLISHED
Based on the above, the command line invocations associated with the interesting process identifiers may be established. Sample command usage: cat /proc/$pid/cmdline
Note that /proc/$pid/cmdline separates the arguments with NUL bytes, so cat prints them run together; translate the NULs to spaces before reading the line.
To facilitate port management for the Orchestrator installation, a port management tool has been created based on the lsof utility. Appendix A provides an overview of this tool. In addition, the following diagram, identifying the host names and their runtime, is included for reference.
Figure 13: Orchestration Management Server Core
3.1.2 Reference Tables
The following tables provide a summary of Orchestrator port management and firewall configuration. The following attributes are managed.
Server instance. The management server instance where the port is active. Tables are broken down by server instance.
Port. The specific port that is open.
Protocol. The specific network protocol in effect, where applicable.
Program instance. The program holding the port. This may be a specific executable or a general class designation (e.g. “Operating System”).
Operating system user id instance. The operating system user id the program is running under.
Incoming hosts. A list of expected incoming host identifiers.
Some critical items of interest follow for the reference tables.
The reference tables describe the Orchestrator runtime requirements. The install and upgrade requirements are not included.
The ports described are for the Orchestrator content. Additional operating system services may be active, and an approach for managing these services is provided in Appendix A.
It is generally recommended to disable the chef services once the install or upgrade processes are complete. For example:
service chef_repo_srvd stop
chkconfig chef_repo_srvd off
DNS and directory services are specific to an enterprise deployment and may require additional customization.
An incoming host of “Public cloud user” indicates the port should be enabled on a firewall in front of a public cloud installation. Where such a row carries plain HTTP (9060 on Central Server 2, 9080 on the Central Server 4 BPM EAR), confirm that the service redirects to its HTTPS counterpart before opening the port, since the single sign-on cookie of Section 2.5 would otherwise cross the network in the clear.
Information is not provided for the System Automation Application Manager at the time of this writing.
Port(s) | Protocol | Program | User | Incoming Hosts
50000 | TCP | db2sysc | db2inst1 | CS2, CS3, CS4, Region Servers
53, 953 | UDP | DNS (named) | | All hosts. Relevant if the DNS server is enabled on Central Server 1.
123 | UDP | NTP | | All hosts. Relevant if the NTP server is enabled on Central Server 1.
Figure 14: Central Server 1 Port Management
Note: DNS also answers on TCP 53 (zone transfers and responses too large for UDP), and 953 is the BIND rndc control channel, which is TCP; the TCP-only nmap scan of Section 3.1.1 therefore shows 953 but not the UDP services in this table.
Port(s) | Protocol | Program | User | Incoming Hosts
2181 | TCP | HBase (VIL) | root |
2809, 9402, 9403, 9633 | TCP | VIL (WAS) | root |
5000, 35357 | HTTP | Keystone | keystone | CS2, CS3
6379 | Proxy | VIL (WAS) | root |
8005, 8009, 8182 | TCP | VIL proxy | root |
8123 | TCP | Origami (VIL) | root |
8880 | SOAP | VIL (WAS) | root |
9043 | HTTPS | VIL (WAS) | root | Public Cloud User
9060 | HTTP | VIL (WAS) | root | Public Cloud User
9080 | HTTP | VIL (WAS) | root |
9100 | ORB | VIL (WAS) | root |
9443 | HTTPS | VIL (WAS) | root | Public Cloud User, CS3
9797 | HTTP | PCG | root | CS3
9973 | HTTP | IaaS Gateway | root | CS3, ICCT
11211 | TCP | Memcached | 496 (numeric uid) |
60000, 60010, 60020, 60030 | TCP | HBase (VIL) | root |
Figure 15: Central Server 2 Port Management
Note: Memcached (11211) has no authentication of its own and the table lists no incoming hosts for it, so keep it reachable only from the hosts that actually need it. The HBase ports listed are the fixed ones; HBase also allocates dynamic ports, which is the reason for the process naming step in Section 3.3.
Port(s) | Protocol | Program | User | Incoming Hosts
80 | HTTP | IWD | root | CS4
443, 9443 | HTTPS | IWD | root | CS4
9444 | HTTPS | IWD | root |
20001 | TCP | IWD | root |
7443 | HTTPS | SCUI | root | Public Cloud User
n/a | ICMP | IWD | root | Deployed virtual systems (Windows only, and only if using add-ons and script packages)
Figure 16: Central Server 3 Port Management
Port(s) | Protocol | Program | User | Incoming Hosts
7060, 7277, 9352, 9402, 9420, 9809, 11006 | TCP | Deployment Manager | root |
8879 | SOAP | Deployment Manager | root |
9043 | HTTPS | Deployment Manager | root |
9060 | HTTP | Deployment Manager | root |
9100 | ORB | Deployment Manager | root |
9403 | HTTP | Deployment Manager | root |
9632 | IPC (TCP) | Deployment Manager | root |
Figure 17: Central Server 4 Port Management (WebSphere Deployment Manager)
Port(s) | Protocol | Program | User | Incoming Hosts
2809, 7062, 7272, 9353, 11004 | TCP | Nodeagent | root |
8878 | SOAP | Nodeagent | root |
9201, 9202 | RMI/IIOP (SSL) | Nodeagent | root |
9629 | IPC (TCP) | Nodeagent | root |
9900 | ORB | Nodeagent | root |
Figure 18: Central Server 4 Port Management (WebSphere Node Agent)
Port(s) | Protocol | Program | User | Incoming Hosts
7276, 7286, 9044, 9191, 9354, 11008 | TCP | BPM | root |
8880 | SOAP | BPM | root |
9061 | HTTP | BPM | root |
9080 | HTTP | BPM | root | Public Cloud User, CS3
9405, 9406 | RMI/IIOP (SSL) | BPM | root |
9443 | HTTPS | BPM | root |
9633 | IPC (TCP) | BPM | root |
9810 | ORB | BPM | root |
Figure 19: Central Server 4 Port Management (BPM EAR)
Port(s) | Protocol | Program | User | Incoming Hosts
4444 | Proxy | VIL | root | CS2
8123 | HTTP | VIL Proxy | root | CS2
80 | HTTP | Apache | root |
7080 | HTTP | SCE | root | RS (VMware only)
7777 | TELNET | SCE | root | RS (VMware only)
Figure 20: Region Server Port Management
Note: Telnet (7777) is a cleartext protocol; keep it restricted to the region servers listed and never expose it through the public firewall.
Port(s) | Protocol | Program | User | Incoming Hosts
80 | HTTP | IBM Infocenter | n/a | CS3
443 | HTTPS | ICCT | n/a | Public Cloud User
n/a | ICMP | ICCT | n/a | Extended Image (Windows only)
Figure 21: Other IBM Port Management Considerations
Port(s) | Protocol | Program | User | Incoming Hosts
8776 | HTTP | Cinder | cinder |
3260 | iSCSI | Cinder (volume target) | root |
9191, 9292 | HTTP | Glance | glance | CS2
5000, 35357 | HTTP | Keystone | keystone | CS2, CS3
53, 953 | DNS | named | named |
6080, 8774, 8775 | HTTP | Nova | nova | CS2, CS3
5672 | AMQP | Qpid | qpidd | RS
Figure 22: OpenStack Port Management Considerations
Note: port 3260 is the iSCSI target that serves Cinder volumes (the Appendix A region server template also groups it under Cinder); Glance itself listens only on 9191 and 9292.
Port(s) | Protocol | Program | User | Incoming Hosts
443 | HTTPS | VMware vCenter | | CS2, Region Servers
902 | TCP | VMware ESXi | | CS2
Figure 23: VMware Port Management Considerations
Note: port 902 is the ESXi host agent channel (authd/NFC), a VMware-specific TCP protocol rather than HTTP.
Port(s) | Protocol | Program | User | Incoming Hosts
139 | TCP | Windows OS | n/a | CS3
n/a | ICMP | Windows OS | n/a | CS3
22 | SSH | OS/Image | n/a | CS3, ICCT
445 | TCP | OS/Image | n/a | CS3, ICCT
80 | | Image | n/a | ICCT
Figure 24: Deployed Virtual System & Extended Image Port Management Considerations
3.2 “nologin” Shell Configuration
User accounts are bound to a login shell. A special shell, referred to as “nologin”, may be assigned to user accounts to prevent interactive logins for that user: any attempt to start a shell for the account is refused with a short message. This suits the service accounts listed below, which exist only to run Orchestrator processes and never need a shell of their own.
We will describe how to implement nologin support. The first step is to ensure it is a supported shell on the compute node. The following example shows support for “/sbin/nologin”.
Figure 25: Verifying "nologin" support.
From here the approach may follow some basic steps:
1. Determine the set of user ids for which to enable the “nologin” shell. A recommended set of ids is provided in the table below.
2. For each user, set the shell. Sample command usage: usermod -s /sbin/nologin gleRNSUM
3. No restart of the Orchestrator is needed: the change applies to every new login attempt immediately, and processes already running under the account are unaffected because they do not go through the login shell.
Before changing a service account's shell, confirm that none of the Orchestrator start scripts run commands through that account's login shell (for example su - <user> -c <command>), because nologin refuses those invocations too; such scripts must name an explicit shell with su's -s option instead.
Node | User IDs to Enable
Central Server 1 | gleRNSUM, noaRNSUM, sceRNSUM, cirRNSUM, qtmRNSUM, ksdb
Region Servers | nova
Figure 26: Recommended Users for "nologin" Support
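The following POSIX shell script is an added example, not part of the guide or the product: it audits the accounts of Figure 26 for a remaining login shell before and after the usermod step. The account names are those of Figure 26; the /etc/passwd fragment, its uids, home directories and shells are constructed for the offline check, and on a node the output of getent passwd takes its place.

```shell
#!/bin/sh
# Added example (not from the guide): audit the Figure 26 service accounts
# for a remaining login shell, then apply /sbin/nologin. The passwd fragment
# below is constructed for the offline check; on a node use getent passwd.

NOLOGIN=/sbin/nologin
CS1_USERS="gleRNSUM noaRNSUM sceRNSUM cirRNSUM qtmRNSUM ksdb"   # Figure 26
RS_USERS="nova"

# Constructed /etc/passwd fragment (uids, homes and shells are invented).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
gleRNSUM:x:501:501::/home/gleRNSUM:/bin/bash
noaRNSUM:x:502:502::/home/noaRNSUM:/sbin/nologin
ksdb:x:510:510::/var/lib/ksdb:/bin/sh
nova:x:162:162:OpenStack Nova:/var/lib/nova:/bin/false'

# Is the nologin shell present and registered in /etc/shells on this node?
nologin_supported() {
    [ -x "$NOLOGIN" ] && grep -qx "$NOLOGIN" /etc/shells
}

# users_with_login_shell "<passwd text>" user... -> one "user shell" line for
# each user that can still log in; users absent from passwd are reported too.
users_with_login_shell() {
    passwd=$1; shift
    for u in "$@"; do
        shell=$(printf '%s\n' "$passwd" | awk -F: -v u="$u" '$1 == u { print $7 }')
        case "$shell" in
            /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;   # already locked
            '') printf '%s (not in passwd)\n' "$u" ;;
            *)  printf '%s %s\n' "$u" "$shell" ;;
        esac
    done
}

# Apply the change (root required). No restart is needed afterwards; existing
# processes keep running, only new logins through the shell are refused.
apply_nologin() {
    nologin_supported || { echo "$NOLOGIN is not available" >&2; return 1; }
    for u in "$@"; do usermod -s "$NOLOGIN" "$u"; done
}

# Offline check against the sample. On a node:
#   users_with_login_shell "$(getent passwd)" $CS1_USERS
#   apply_nologin $CS1_USERS && users_with_login_shell "$(getent passwd)" $CS1_USERS
users_with_login_shell "$SAMPLE_PASSWD" $CS1_USERS $RS_USERS
```

The audit treats /bin/false the same as nologin, since both refuse a shell; an account missing from passwd is reported rather than silently skipped, because a missing Figure 26 account usually means the node is not the one the table expects.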
3.3 HBase Process Name Management
The HBase processes associated with Central Server 2 may allocate dynamic ports. In addition, given that HBase runs under the Java execution environment, it appears in process and lsof listings as “java”, indistinguishable from the other Java processes on the server. In order to readily attribute the dynamic ports to HBase (for example, for secure port scan management), it can be helpful to have the HBase processes appear as “HBase” in a process listing. The following steps use a symbolic link to achieve this: the process name reported by ps and lsof is taken from the executable path used to start the process, so starting HBase through a link named HBase is enough.
1. Log on to Central Server 2.
2. Determine the location of $JAVA_HOME (e.g. /opt/IBM/WebSphere/AppServer/java).
3. In $JAVA_HOME/bin, create a symbolic link named HBase to the java executable (e.g. cd $JAVA_HOME/bin; ln -s java HBase).
4. Update the HBase startup script (i.e. /opt/hbase/bin/hbase).
5. Change this line: JAVA=$JAVA_HOME/bin/java to this: JAVA=$JAVA_HOME/bin/HBase
6. Restart the Virtual Image Library and/or the Cloud Orchestrator.
Two caveats apply. The link lives inside the JDK directory, so a JDK update that replaces $JAVA_HOME/bin removes it, and HBase will not start until the link is recreated. And the name is an inventory aid only: any process can start under any name, so the label is not evidence of what a listener is; the command line read from /proc (Section 3.1.1) remains the authoritative check.
3.4 Common Vulnerabilities and Exposures Management
Cloud security management typically implies multi data center security management, and is a herculean task. The “Common Vulnerabilities and Exposures” (CVE) list offers a free dictionary of publicly known vulnerabilities (see the References section) that can assist in this task. Given that the Cloud Orchestrator includes OpenStack, and typically involves a “bring your own operating system” approach, it is extremely useful to be aware of these vulnerabilities and the associated alerts, for the management servers as well as for every image that is deployed. Some prominent recent alerts, which should be addressed by any cloud deployment, follow.
1. Heartbleed (CVE-2014-0160): an OpenSSL implementation flaw in the TLS heartbeat extension that leaks process memory to a remote peer (URL).
2. POODLE (CVE-2014-3566): a design flaw in the SSL 3.0 protocol itself rather than in one library, so it affects every SSLv3 implementation, OpenSSL included; the remedy is to disable SSLv3 (URL).
3. Shellshock (CVE-2014-6271 and related CVEs): a GNU Bash vulnerability in the handling of function definitions passed through environment variables (URL).
It should be noted that the IBM Rational scan tools cited earlier are CVE compatible. In addition, given the prominence of SSL, the following section provides a description of the Orchestrator SSL implementation.
3.5 Secure Sockets Layer Management
Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), is the de facto standard for securing application communication; this paper follows common usage and refers to both as SSL. It is part of the comprehensive cryptographic and security solution across the different layers of the Cloud Orchestrator IaaS platform. The Orchestrator solution includes the IBM OpenStack Enterprise Edition (OSEE) bundle, which in turn includes the OpenSSL, python-passlib, Cyrus SASL and PyCrypto libraries, and the IBM WebSphere sMash and DB2 products. The version of each library is determined by the prerequisite Linux virtual machine and/or the IBM JDK 1.6.0, which is also where the fixes for the CVE entries of Section 3.4 arrive.
Further characteristics of the SSL implementation may be broken down as follows.
AES is used with 128-bit and 256-bit keys (the AES block size is always 128 bits) and is defined in FIPS 197.
Certificates use RSA digital signatures with 2048-bit keys and the SHA-1 hash. Browsers and certificate authorities are retiring SHA-1 for certificate signatures, so replace certificates with SHA-256 signed ones when they are renewed.
TLS is used for communications; TLS 1.2 is defined in IETF RFC 5246.
LTPA is used for authentication.
The OpenStack Nova API exposes RSA-based certificate creation with 1024-bit key pairs, which can be disabled and, given the key length, should be.
The OpenStack Nova API also allows the end user to generate a 2048-bit RSA key pair to SSH into a virtual machine instance.
IBM OpenStack EE supports SSL v2/v3, TLS v1, and SSH. Given the POODLE entry in Section 3.4, SSL v2 and v3 should be disabled wherever a component's configuration permits, leaving only TLS.
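As an added example, not from the guide, the following POSIX shell helper reads an openssl s_client transcript and reports the negotiated protocol, so that each HTTPS port in the Section 3.1.2 tables can be checked for SSLv3 acceptance after the POODLE remedy above. The two transcript fragments are constructed; the host name, port and probe wrapper are placeholders.

```shell
#!/bin/sh
# Added example (not from the guide): classify `openssl s_client` output to
# tell which SSL/TLS protocol versions a Cloud Orchestrator listener accepts.
# The transcript fragments are constructed; hosts and ports are placeholders.

# Constructed tails of two s_client transcripts: an established TLS 1.2
# session, and a refused SSLv3 handshake (Cipher 0000 means no session).
TRANSCRIPT_OK='---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA256
    Session-ID: 3A1F
---'
TRANSCRIPT_FAIL='---
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
---'

# s_client transcript on stdin -> negotiated protocol name, or "none" when
# the handshake was refused (or the transcript is empty).
negotiated_protocol() {
    awk '
        /^ *Protocol *:/ { proto = $3 }
        /^ *Cipher *:/   { cipher = $3 }
        END {
            if (cipher == "" || cipher == "0000" || cipher == "(NONE)") print "none"
            else print proto
        }'
}

# Probe one protocol version on a live listener, e.g. probe cs2.example 9443 -ssl3
# The result is only meaningful if the local openssl still supports that flag;
# check with: openssl s_client -help 2>&1 | grep -- -ssl3
probe() {  # host port version-flag
    printf 'Q\n' | openssl s_client -connect "$1:$2" "$3" 2>/dev/null | negotiated_protocol
}

# Offline check of the classifier against the constructed transcripts.
printf '%s\n' "$TRANSCRIPT_OK"   | negotiated_protocol
printf '%s\n' "$TRANSCRIPT_FAIL" | negotiated_protocol
```

With the hardening applied, every HTTPS port in the Section 3.1.2 tables should answer "none" to the -ssl3 and -ssl2 probes and a TLS version to -tls1; a "none" from a client whose openssl was built without SSLv3 proves nothing, which is why the wrapper's comment asks for the -help check first.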
APPENDIX A: THE CLOUD ORCHESTRATOR SECURITY EVALUATION TOOL (COSET)
A port management tool is provided with this paper. We will describe the tool configuration, and then the four management modes it provides.
1. List mode: List the set of interesting ports currently being listened on.
2. Inbound connection mode: List the inbound connections to interesting ports.
3. Outbound connection mode: List the outbound connections to interesting ports.
4. Monitor mode: Continuously monitor the ports being listened on, and determine if unrecognized ports are active.
A.1 Port Utility Configuration
The ‘coset’ tool is a Perl based utility. A standard Perl technique is to put configuration settings in a separate file, written as Perl variable assignments that the tool loads directly (with do or require) instead of parsing a custom format. The benefit is that advanced data structures may be supported, with all parsing provided by the Perl interpreter. The ‘coset’ utility uses this approach. One consequence is that the configuration file is executed as Perl code, so it must be owned by, and writable only for, the administrator who runs the tool. We will describe each of the variables in the provided configuration sample.
The first variable is the set of servers to be managed. This is a hash of the node alias (a symbolic value), and the fully qualified host name. This structure should be changed per Orchestrator installation, for the nodes the utility is to be run against. A sample follows.
%hosts = (
'CS1' => 'CentralServer1.perf.cil.raleigh.ibm.com',
'CS2' => 'CentralServer2.perf.cil.raleigh.ibm.com',
'CS3' => 'CentralServer3.perf.cil.raleigh.ibm.com',
'CS4' => 'CentralServer4.perf.cil.raleigh.ibm.com',
'RS1' => 'RegionServer1.RegionOneBC1.perf.cil.raleigh.ibm.com',
'RS2' => 'RegionServer2.RegionOneKVM.perf.cil.raleigh.ibm.com',
'RS4' => 'RegionServer4.RegionOneBC2.perf.cil.raleigh.ibm.com',
'RS5' => 'RegionServer5.RegionFiveBC3.perf.cil.raleigh.ibm.com',
);
Figure 27: Port Utility Hosts Configuration
Next, a region server template is provided. This is not directly used by the utility, but is a variable specific to the configuration file, since all region servers have the same requirements. The value is simply the set of “interesting” ports for the region servers. In this context, “interesting” means ports required for the successful operation of the Orchestrator.
@region_server_template = (
# Cinder Glance Nova QPid VIL SCE Apache DNS
8776, 9191, 8774, 5672, 4444, 7777, 80, 53,
3260, 9292, 8775, 8123, 7080, 953,
6080
);
Figure 28: Port Utility Region Server Template Configuration
The next structure shows the set of active ports required for the Orchestrator. These are the defined listening ports, broken down by host and organized by component. Samples are shown for Central Server 1 and 2, and the Region Servers. Note the region servers all have an identical configuration, and simply reference the template provided above. The ports for all servers are provided in the sample configuration attached to this paper.
%ports_active = (
'CS1' => [# DNS DB2
53, 50000,
953
],
'CS2' => [# VIL Hbase Origami IaaS PCG Keystone Tomcat Memcached
9443, 2181, 8123, 9973, 9797, 5000, 8182, 11211,
9043, 60000, 35357, 8009,
9060, 60010, 8005,
6379, 60020,
8880, 60030,
9633,
9080,
9100,
9403,
9402,
2809,
4444
],
'RS1' => [@region_server_template],
'RS2' => [@region_server_template],
'RS4' => [@region_server_template],
'RS5' => [@region_server_template]
);
Figure 29: Port Utility Active Port Configuration
The next structures serve a common purpose: they indicate the ports or the programs associated with ports that may be ignored. The intent is to remove any noise from the port monitoring view. This is particularly valuable in monitor mode, which will be discussed later.
%ports_ignore = (
'CS1' => [80, 523, 657],
'CS2' => [],
'CS3' => [],
'CS4' => [],
'RS1' => [],
'RS2' => [],
'RS4' => [],
'RS5' => []
);
@programs_ignore = (
'cupsd', 'dnsmasq', 'master', 'repo_srv.', 'rpcbind', 'rpc.statd',
'sshd'
);
Figure 30: Port Utility Ports and Programs to Ignore
A.2 Port Utility List Mode
The port utility list mode shows, for the current host and its associated ports (as defined in the configuration file), the listening state of all of the active ports. The following is a complete sample for Central Server 1.
Figure 31: Port Utility List Mode Sample
A.3 Port Utility Inbound Connection Mode
The port utility inbound connection mode shows, for the current host and its associated ports, the established inbound connection state for all of the active ports. Note the utility does not list inbound connections from the node itself; this is easily changed via an internal configuration option. The following is a truncated sample for Central Server 1 (there are literally hundreds of inbound connections to the database server).
Figure 32: Port Utility Inbound Connection Mode Sample
A.4 Port Utility Outbound Connection Mode
The port utility outbound connection mode shows, for the current host and its associated ports, the established outbound connection state for all of the active ports. Note the utility does not list outbound connections for the node itself; this is easily changed via an internal configuration option. The following is a complete sample for Central Server 1. Note the sample is empty, showing that the database server itself is not initiating outbound connections (as expected).
Figure 33: Port Utility Outbound Connection Mode Sample
A.5 Port Utility Monitor Mode
The port utility monitor mode is the most useful capability. The monitor mode loops indefinitely and, for the current host, lists any listening ports it cannot identify as being on the active or ignore lists. Why is this so useful? By running the monitor mode, it can be established whether new, unexpected ports are being opened. These ports may either be shut down, or managed per enterprise firewall standards.
The sample below has been manipulated to show a case where the monitor is continuously identifying an unexpected port (953).
Figure 34: Port Utility Monitor Mode Sample
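The following Perl script is an added example, not the coset tool's own code: it embeds a configuration in the same Perl-variable form as Figures 27 to 30 and runs one pass of the monitor-mode check described above over a constructed sample of listener output. The host name, the listener lines (shaped like "ss -lntup" output) and the parsing regular expression are assumptions; the tool's real sourcing of its configuration file and its monitoring loop are not shown on this page.

```perl
# Added example, not the coset tool's own code: one pass of the
# coset monitor-mode check over a coset-style Perl configuration.
use strict;
use warnings;

# Configuration in the guide's Perl-variable form, embedded here so the
# example runs alone (the tool sources a separate file). The host name is
# a placeholder; 953 is left off the active list on purpose to reproduce
# the "unexpected port 953" case shown in Figure 34.
our %hosts           = ( 'CS1' => 'CentralServer1.example.com' );
our %ports_active    = ( 'CS1' => [ 53, 50000 ] );
our %ports_ignore    = ( 'CS1' => [ 80, 523, 657 ] );
our @programs_ignore = ( 'cupsd', 'dnsmasq', 'master', 'rpcbind', 'sshd' );

# Constructed listener lines in the shape of "ss -lntup" output
# (local address, then owning program), standing in for live output.
my @listener_lines = (
    '0.0.0.0:53      users:(("named",pid=1201,fd=21))',
    '0.0.0.0:50000   users:(("db2sysc",pid=2210,fd=9))',
    '127.0.0.1:953   users:(("named",pid=1201,fd=23))',
    '[::]:22         users:(("sshd",pid=998,fd=3))',
    '0.0.0.0:80      users:(("httpd",pid=1500,fd=4))',
    '0.0.0.0:4444    users:(("java",pid=3100,fd=77))',
);

# Extract (port, program) from one listener line; empty list if no match.
sub parse_listener {
    my ($line) = @_;
    return () unless $line =~ /:(\d+)\s+users:\(\("([^"]+)"/;
    return ($1, $2);
}

# Monitor-mode check for one host alias: listening ports that are not on
# its active or ignore lists and not owned by an ignored program are
# returned as a port => program map.
sub unexpected_ports {
    my ($alias, @lines) = @_;
    my %known     = map { $_ => 1 } @{ $ports_active{$alias} }, @{ $ports_ignore{$alias} };
    my %skip_prog = map { $_ => 1 } @programs_ignore;
    my %flagged;
    for my $line (@lines) {
        my ($port, $prog) = parse_listener($line) or next;
        next if $known{$port} || $skip_prog{$prog};
        $flagged{$port} = $prog;
    }
    return %flagged;
}

# The real monitor mode repeats this pass indefinitely; one pass is shown.
my %alert = unexpected_ports('CS1', @listener_lines);
printf "%s: unexpected listener on port %d (%s)\n", $hosts{'CS1'}, $_, $alert{$_}
    for sort { $a <=> $b } keys %alert;
```

Port 22 is suppressed because sshd is on @programs_ignore and port 80 because it is on the CS1 ignore list, so only the listeners not accounted for by the configuration are reported.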
© Copyright IBM Corporation 2014, 2015
IBM United States of America
Produced in the United States of America
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PAPER “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes may be made periodically to the information herein; these changes may be incorporated in subsequent versions of the paper. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this paper at any time without notice. Any references in this document to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing IBM Corporation 4205 South Miami Boulevard Research Triangle Park, NC 27709 U.S.A. All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. This information is for planning purposes only. The information herein is subject to change before the products described become available. If you are viewing this information softcopy, the photographs and color illustrations may not appear.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at http://www.ibm.com/legal/copytrade.shtml.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Other company, product, or service names may be trademarks or service marks of others.