Source: wh.cs.vsb.cz/sps/images/e/ef/BPSDC_L8.pdf (posted 04-Apr-2020)

Page 1

Data Center Networks & Cloud Computing Security
Lecture 8

Identity and Access Management
Remote Monitoring

Pavel Moravec

Page 2

DevOps (Development & Operations) in DCs

DevOps has the following 5 "pillars of success":
- Reduce organizational silos
- Accept failure as normal
- Implement gradual changes
- Leverage tooling and automation
- Measure everything

Alternative approach: Site Reliability Engineering (Google)
- Includes the continuous integration & continuous delivery approach

Page 3

Identity and Access Management (IAM)

Page 4

Basic Identity Management

Manage the accounts in standard identity management tools:
- Lightweight Directory Access Protocol (LDAP)
- Remote Authentication Dial-In User Service (RADIUS)
- Active Directory for Microsoft-based products

Use a solution allowing Single Sign-On (SSO):
- Kerberos
- OAuth2
- SAML 2.0
- OpenID Connect

Page 5

LDAP
- Open, vendor-neutral, industry standard.
- Used for accessing and maintaining distributed directory information services
- Simplifies the CCITT X.500 DAP standard
- The purpose of a directory server is to maintain a central store of information related to network users
  - Often a central place to store usernames and passwords
- Objects with various attributes are organized into a tree structure
  - Hierarchical system of containers
  - May contain invisible attributes
- The LDAP schema, which defines object classes and their attributes, may be customized to maintain custom attributes

Page 6

RADIUS
- Centralized Authentication, Authorization, and Accounting (AAA) services
- Mainly used to manage access to the network
- Standardized in RFC 2865 + RFC 2866 (Accounting)
- A user or machine sends a request to a Network Access Server (NAS) to gain access; the NAS contacts the RADIUS server
  - Username + password (CHAP style), certificates, ...
  - One-way or mutual authentication
- Roaming is feasible between DCs or even ISPs
  - Realms are used to identify domains (user@realm); requests and responses are issued across realms and chaining is possible

Page 7

Active Directory
- Directory-based identity-related services
- Meant for Windows domain networks
- Uses a Domain Controller as the server for authorization and authentication
- Provides LDAP and DNS and the MS version of Kerberos
- Federation service enables SSO
- Logically divided into: forest, tree, and domain
  - Objects may be grouped by Organizational Units (OUs)
- Partitioning and multi-master replication are possible
- Mainly for Microsoft products (macOS, Linux binding?)
- Azure Active Directory: IDaaS, cloud solution

Page 8

Kerberos
- Network authentication protocol developed in the mid 1980s at MIT
- Secret-key-based service for providing authentication in open networks. 2-factor authentication is available in newer versions.
- Provides strong authentication for client-server applications
- Single central server → single point of failure
- On log-on or after expiration, the client authenticates itself to the Authentication Server (AS), which forwards the username to the key distribution center (KDC). The KDC issues a time-stamped ticket-granting ticket (TGT) encrypted using the secret key of the ticket-granting service (TGS). Pre-authentication is possible in KRB5.
  - Time-sensitive due to timestamps
- For communication with another node, the client sends the TGT to the TGS using a Service Principal Name (SPN) to request a service registered at the TGS (and is verified that it may use it). A ticket and session keys are provided to the client, who sends the ticket to the service server (SS) along with the service request.

Page 9

Security Assertion Markup Language (SAML)
- XML-based OASIS open standard for exchanging authentication and authorization data between parties
- 3 entities and their roles:
  - Principal – the user looking to verify his or her identity
  - Identity provider (IdP) – entity capable of verifying the identity of the principal
  - The service provider (SP) – entity looking to use the identity provider to verify the identity of the end user
- Language for security assertions:
  - Authentication statements – the principal did authenticate with the IdP; the authentication context may be disclosed to the service provider
  - Attribute statements – name-value pairs for ACLs
  - Authorization decision statements – entity is permitted to perform action A on resource R given evidence E
- Attacks: XML Signature Wrapping (XSW), HTTP Referrer Attack, Signature Exclusion Attack
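The attacks listed on this slide share a root cause on the SP side: the assertion the SP acts on is not the one the signature covers, or there is no signature at all. As an added example (not from the lecture, and not a full SAML library), the following SP-side pre-check parses a SAML Response with the standard library and accepts it only if there is exactly one Assertion, that Assertion carries its own enveloped Signature, and the Signature's single Reference URI points at that Assertion's ID. It is a structural gate that runs in addition to cryptographic signature verification, never instead of it. The sample responses are constructed; the signature value in them is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def select_assertion(response_xml: str) -> ET.Element:
    """Return the single Assertion whose own enveloped Signature references its ID.
    Structural check only; the XML signature must still be verified cryptographically."""
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion = assertions[0]
    signature = assertion.find("ds:Signature", NS)      # direct child of the assertion only
    if signature is None:
        raise ValueError("assertion is not signed")
    refs = signature.findall("ds:SignedInfo/ds:Reference", NS)
    if len(refs) != 1:
        raise ValueError("signature must carry exactly one Reference")
    uri, assertion_id = refs[0].get("URI", ""), assertion.get("ID")
    if not assertion_id or uri != "#" + assertion_id:
        raise ValueError(f"Reference {uri!r} does not point at this assertion")
    return assertion


def subject_name_id(response_xml: str) -> str:
    """The identity the SP may use, taken only from the assertion selected above."""
    node = select_assertion(response_xml).find("saml:Subject/saml:NameID", NS)
    if node is None or not node.text:
        raise ValueError("assertion has no NameID")
    return node.text


def rejection_reason(response_xml: str):
    """None if the response passes the structural gate, else why it was rejected."""
    try:
        subject_name_id(response_xml)
        return None
    except (ValueError, ET.ParseError) as exc:
        return str(exc)


# Constructed sample: one signed assertion, Reference URI matches the assertion ID.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>signature-value-placeholder</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed negative samples: the Reference points elsewhere, or a second
# (unsigned) assertion has been added to the response.
MISMATCH_RESPONSE = GOOD_RESPONSE.replace('URI="#_a1"', 'URI="#_zz"')
TWO_ASSERTIONS_RESPONSE = GOOD_RESPONSE.replace(
    "</samlp:Response>",
    '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>someone-else</saml:NameID>'
    "</saml:Subject></saml:Assertion></samlp:Response>")

if __name__ == "__main__":
    for label, doc in [("good", GOOD_RESPONSE), ("mismatch", MISMATCH_RESPONSE),
                       ("two", TWO_ASSERTIONS_RESPONSE)]:
        print(label, "->", rejection_reason(doc) or subject_name_id(doc))
```

Rejecting any response with more than one Assertion is stricter than the SAML profile requires, but an SP in a data center rarely needs multi-assertion responses, and the strict rule removes the ambiguity that wrapping and exclusion attacks depend on.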

Page 10

SAML SSO in Web Browser (diagram)

Author: Tom Scavo

Page 11

OAuth 2.0
- Open standard focusing exclusively on authorization
- 3 (or 4) entities and their roles:
  - Resource owner – end user/entity owning the resource in question
  - Resource server (OAuth Provider), which is hosting the resource
  - Authorization server – verifies the identity of the resource owner and then issues access tokens to the client application
  - Client (OAuth Consumer), which tries to consume the resource after obtaining authorization
- Enables applications to obtain limited access to user accounts on an HTTP(S) service, such as Facebook, GitHub, Google, …
- For both web and desktop applications
- Does not support signatures, encryption, channel binding, or client verification. We need to use TLS for that.
- Security issues: Account Takeover Vulnerability, Account hijacking (session fixation, leaking auth. code), Leaking client credentials, Replay attack

Page 12

OAuth 2.0 Application Credentials
- Application Registration – the application must be registered with the service, including its name, web site/URL and Redirect URI or Callback URL
- Once registered, the service is able to issue "client credentials": a client identifier and a client secret
  - The Client identifier is a publicly exposed string used by the service API to identify the application, and is also used to build authorization URLs that are presented to users.
  - The Client Secret is used to authenticate the identity of the application to the service API when it requests access to the user's account; it must be kept private between the application and the API.

Page 13

OAuth 2.0 Protocol Flow

The following steps are taken by the application in the abstract protocol flow:
1. Request authorization from the Resource owner
2. Send the authorization grant obtained from the Resource owner to the Authorization server
3. Send the authorization token obtained from the Authorization server to the Resource server

If authorization code is used as the grant type, the source code is not exposed and the Client Secret is confidential. The first step is redirected through the user agent (UA, web browser), and receiving API authorization codes is routed through it to the application as well. In the implicit grant type, the second step is also routed through the user agent.
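The client-side half of the authorization code flow from the two slides above, as an added example (not from the lecture and not a real provider's SDK): the application builds the authorization URL from its client identifier and registered redirect URI, binds the callback to the user's session with a random `state`, accepts the code only once, and prepares the token request that carries the client secret directly to the authorization server rather than through the user agent. The endpoints, client identifier, secret and redirect URI are constructed placeholders; `redirect_uri_is_registered` shows the exact-match check the authorization server side should apply.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed client registration (constructed values, not a real provider's)
AUTHORIZE_ENDPOINT = "https://auth.example.test/oauth/authorize"
TOKEN_ENDPOINT = "https://auth.example.test/oauth/token"
CLIENT_ID = "dc-dashboard"
CLIENT_SECRET = "client-secret-kept-server-side"
REGISTERED_REDIRECT_URI = "https://dashboard.example.test/oauth/callback"


def start_authorization(session: dict, scope: str = "read") -> str:
    """Step 1: the user agent is sent to the authorization server. The random
    'state' is kept in the user's session so the callback can be tied to it."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REGISTERED_REDIRECT_URI, "scope": scope, "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def redirect_uri_is_registered(requested: str) -> bool:
    """Authorization-server side: the redirect URI in a request must equal the
    registered one exactly; prefix or host-only matching lets codes leak elsewhere."""
    return requested == REGISTERED_REDIRECT_URI


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 2, receiving side: the code arrives via the user agent. Accept it only
    if 'state' matches the session, and consume the state so it cannot be replayed."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)
    if not expected or query.get("state", [None])[0] != expected:
        raise PermissionError("state mismatch: callback is not bound to this session")
    if "error" in query:
        raise PermissionError("authorization denied: " + query["error"][0])
    if "code" not in query:
        raise PermissionError("callback carries no authorization code")
    return query["code"][0]


def accept_callback(session: dict, callback_url: str):
    """Convenience wrapper: the code, or None when the callback is rejected."""
    try:
        return handle_callback(session, callback_url)
    except PermissionError:
        return None


def token_request(code: str):
    """Step 2, sending side: exchange the code with the authorization server over TLS.
    The client secret travels in HTTP Basic auth, never through the user agent."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REGISTERED_REDIRECT_URI, "client_id": CLIENT_ID})
    return TOKEN_ENDPOINT, headers, body


if __name__ == "__main__":
    session = {}
    print("send the browser to:", start_authorization(session))
    # Simulated callback (constructed): the authorization server redirects back with a code.
    callback = REGISTERED_REDIRECT_URI + "?" + urlencode(
        {"code": "sample-code-123", "state": session["oauth_state"]})
    code = handle_callback(session, callback)
    endpoint, headers, body = token_request(code)
    print("POST", endpoint, body)
```

The two checks that address the session fixation and replay items on the previous slide are the single-use `state` (popped from the session on first use) and the exact redirect URI comparison; both are small, and both are commonly missing.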

Page 14

OpenID Connect
- Users employ a single set of credentials, managed by a 3rd-party OpenID Connect identity provider (IDP) – Google, MS, …
- Built on top of the OAuth 2.0 protocol using REST + JSON
- Computing clients authenticate against the authorization server and obtain basic profile information about the end user
- A local authentication system is not needed
- 3 entities and their roles:
  - End user or entity that is to be verified
  - Relying party (RP), looking to verify the identity of the end user
  - The OpenID Connect provider (OP), which registers the OpenID URL and can verify the end user's identity
- Attacks: Mix-up (binding authorization to the wrong user by the RP), Covert Redirect

Page 15

Identity and Access Management in Cloud
- Who can do what in a given cloud account
- Typical IAM objects:
  - User – with password, access key, 2FA/MFA device if needed
  - Group – user collections, multiple groups per user
  - Permissions – assigned by IAM policies (inline/managed), JSON/?
  - Role – another ID, no credentials, assigned to anybody, federation
  - Services and Resources
- IAM control
  - Centralized
  - Fine-grained for APIs, resources, management
- Security
  - Separate credentials and permissions
  - Default policy – deny access
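The slide's objects (users, groups, inline and managed JSON policies) and its "default policy – deny" rule fit together in a small evaluator. The following is an added example, a simplified model of our own and not any cloud provider's actual policy engine: it collects a user's effective policies from inline statements plus the managed policies of each group, then decides an action on a resource with the usual three-tier rule, explicit Deny beats any Allow, an Allow grants, and nothing matching means deny. The directory, policy names and resource naming are constructed.

```python
import fnmatch

# Constructed directory: users with inline policies, groups with managed policies.
MANAGED_POLICIES = {
    "StorageReadOnly": {"Statement": [
        {"Effect": "Allow", "Action": ["storage:Get*", "storage:List*"], "Resource": "*"}]},
    "ProdDeleteGuard": {"Statement": [
        {"Effect": "Deny", "Action": "storage:Delete*", "Resource": "bucket:prod-*"}]},
}
GROUPS = {"analysts": ["StorageReadOnly", "ProdDeleteGuard"]}
USERS = {
    "alice": {"groups": ["analysts"], "inline": [
        {"Statement": [{"Effect": "Allow", "Action": "storage:DeleteObject",
                        "Resource": ["bucket:scratch-*", "bucket:prod-*"]}]}]},
    "bob": {"groups": [], "inline": []},
}


def _match(patterns, value: str) -> bool:
    """Action/Resource fields may be a string or a list; '*' wildcards are allowed."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def policies_for(user: str) -> list:
    """Effective policy set: the user's inline policies plus every group's managed ones."""
    record = USERS[user]
    managed = [MANAGED_POLICIES[name] for g in record["groups"] for name in GROUPS[g]]
    return record["inline"] + managed


def evaluate(policies: list, action: str, resource: str) -> str:
    """Default deny. A matching Allow grants; a matching Deny overrides every Allow."""
    decision = "deny"
    for policy in policies:
        for statement in policy["Statement"]:
            if _match(statement["Action"], action) and _match(statement["Resource"], resource):
                if statement["Effect"] == "Deny":
                    return "deny"                      # explicit deny: stop immediately
                if statement["Effect"] == "Allow":
                    decision = "allow"                 # keep scanning for a later Deny
    return decision


def is_allowed(user: str, action: str, resource: str) -> bool:
    return evaluate(policies_for(user), action, resource) == "allow"


if __name__ == "__main__":
    for action, resource in [("storage:GetObject", "bucket:prod-data"),
                             ("storage:DeleteObject", "bucket:scratch-tmp"),
                             ("storage:DeleteObject", "bucket:prod-data"),
                             ("compute:StartInstance", "vm:web-1")]:
        print(f"alice {action} {resource}: {evaluate(policies_for('alice'), action, resource)}")
```

The third case is the one worth noticing: alice's own inline policy allows deleting in `bucket:prod-*`, yet the group's managed Deny wins, which is exactly why a guard-rail policy attached at group level is a cheap control against over-broad inline grants.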

Page 16

DC Monitoring

Page 17

Monitoring tools
- Standard resource monitoring/data collecting tools
  - Simple Network Management Protocol (SNMP)
  - Windows Management Instrumentation (WMI)
  - Custom solution for collection + RRDTool for visualization
- Multi Router Traffic Grapher (MRTG)
- Collectd
- Munin
- Cacti
- OTRS System Monitoring – automatically generates tickets for component failures in the OTRS ticket system
- Nagios (Nagios Core)
- Zabbix
- Custom-built solution for a given DC or Cloud provider, e.g. Amazon CloudWatch

Page 18

Performance monitoring of HW and SW
- Typically a monitoring system supplied by the manufacturer:
  - IBM Systems Director
  - Oracle Enterprise Manager
  - System Center Operations Manager (Microsoft)
- Consists of several typical components:
  - Agents
  - Collection, aggregation, repository, …
  - Reporting console
  - Management server
- Architecture may be distributed or limited to a single server

Page 19

Traffic Monitoring Dashboard Example (figure)

Page 20

Nagios
- Application for monitoring systems, networks & infrastructure
- Alerts are sent to the user on failure and on problem resolution as well
- Runs on Linux and other UNIX-based systems
- Objects (network services, host resources, network devices accessed through plugins) are accessed through agents which provide data to Nagios for storage and processing
- Status is then provided through graphs, a web interface, different notifications (SMS, e-mail, custom plugin, …) or processed through event handlers
- Implementation with redundant monitoring hosts is available
- Performance data graphing is available
- There is support for a database backend, storing in an RRD database
- Issues with intellectual property, web sites, commercial interface

Page 21

Nagios Core Examples (screenshots)
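Nagios Core gets its data from plugins, the "objects accessed through plugins" of the previous slide, and the contract is small: the plugin prints one status line, optionally followed by `|` and performance data, and exits with 0 (OK), 1 (WARNING), 2 (CRITICAL) or 3 (UNKNOWN). As an added example in place of the screenshots this slide contained (it is not one of the official Nagios plugins), here is a disk-usage check that follows that contract, including the `label=value[UOM];warn;crit;min;max` performance-data format that the graphing support uses. The thresholds and mount point are assumed defaults.

```python
#!/usr/bin/env python3
"""check_disk_pct: Nagios-style plugin (constructed example, not part of Nagios Core)."""
import shutil
import sys

# Plugin return codes understood by Nagios Core
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATUS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def classify(used_pct: float, warn: float, crit: float) -> int:
    """Map a usage percentage to a plugin state; a crit below warn is a config error."""
    if warn > crit:
        return UNKNOWN
    if used_pct >= crit:
        return CRITICAL
    if used_pct >= warn:
        return WARNING
    return OK


def format_output(mount: str, used_pct: float, warn: float, crit: float) -> str:
    """'<SERVICE> <STATE> - text | perfdata'. Perfdata is label=value[UOM];warn;crit;min;max,
    which Nagios passes on to performance-data graphing."""
    state = classify(used_pct, warn, crit)
    perf = f"used={used_pct:.1f}%;{warn:g};{crit:g};0;100"
    return f"DISK {STATUS[state]} - {mount} {used_pct:.1f}% used | {perf}"


def check_path(path: str, warn: float, crit: float):
    """Measure a real filesystem; return (exit_code, output_line)."""
    try:
        usage = shutil.disk_usage(path)
    except OSError as exc:
        return UNKNOWN, f"DISK UNKNOWN - cannot stat {path}: {exc}"
    used_pct = 100.0 * usage.used / usage.total
    return classify(used_pct, warn, crit), format_output(path, used_pct, warn, crit)


if __name__ == "__main__":
    # usage: check_disk_pct.py [path] [warn%] [crit%]   (defaults assumed: / 80 90)
    mount = sys.argv[1] if len(sys.argv) > 1 else "/"
    warn = float(sys.argv[2]) if len(sys.argv) > 2 else 80.0
    crit = float(sys.argv[3]) if len(sys.argv) > 3 else 90.0
    code, line = check_path(mount, warn, crit)
    print(line)
    sys.exit(code)
```

Registering it takes a `command` object whose `command_line` points at the script, and a `service` object using that command; the exit code, not the text, is what drives the state changes and the notifications described on the Nagios slide.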

Page 22

Zabbix
- Platform for monitoring servers, networks, services and cloud
- C back-end and PHP/JS front-end (web interface)
- Stores data in standard SQL databases
- Agent-less monitoring of services like SMTP, HTTP, …
- Agents for UNIX- and Windows-based hosts for their monitoring
- SNMP monitoring of devices which support it
- Near real-time notification (E-mail, XMPP, SMS, alarm, …)
- Auto-discovery of servers and network devices

Page 23

Zabbix Modules
- Back-end – collects data for the server
  - Agents – deployed on end systems to monitor CPU, HDD, memory, …
    - Both push (active mode) and pull (passive mode) approaches
  - Proxy – collects data from agents on behalf of the servers
  - Server – retrieves monitored items, applies triggers on them, applies templates and stores data in the DB
- Front-end – presents through dashboards, screens & graphs

Page 24

Remote Management
- Out-of-band (OOB) management – a separate IP address, VLAN or even a network card, console access to the device. Typically in a separate management network, protected by ACLs
- In-band (IB) management, allowing remote desktop access directly through the server IP address, e.g. through VNC, Remote Desktop, Terminal Services, etc. Risk of an attacker using vulnerabilities in the service.
- Bastion login servers, which work in-band (SSH) and allow accessing the out-of-band network, are possible
- Virtual servers with a management console allowing virtual console access to servers in the virtual infrastructure (VI), e.g. vSphere
- Selected users may be permitted to use a VPN connection to access the OOB, IB and VI management

Page 25

Logging in Data Centers
- Standard logging infrastructure in the data center
  - Servers, infrastructure, storage, and hypervisors send logs to the (read-only) logging server
  - Normally through the syslog protocol
  - Log data accessible for analytics tools
  - Log entries may be encrypted to prevent unauthorized access to sensitive data
- Log analytics tools
  - Concentration on a specific service – e.g. web server logs
  - Providing general correlations – e.g. how a fault spread
  - Automated analysis with a dashboard for easy access, e.g. the vCenter Log Insight virtual appliance

Page 26

Audit Trail
- Security-relevant chronological (set of) record(s) providing documentary evidence of the sequence of activities
- May contain sources and destinations of the records
- Includes information on what has been affected (operation, procedure, event)
- A normal user must not be able to stop/change the collection process creating the audit trail
  - Role-based security may be applied to protect it
- Records the completed and attempted accesses and services, or data forming a logical path linking a sequence of events
- Can be used to trace the transactions that have affected the contents of a record
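The requirement that an ordinary user must not be able to alter the audit trail, together with the previous slide's read-only logging server, is usually met by making the trail tamper-evident rather than merely access-controlled. As an added example (not from the lecture), the following keeps each record (source, destination, operation, and whether the access was attempted or completed) chained to its predecessor with an HMAC whose key is assumed to live only on the log server, so that editing, reordering or deleting a record breaks the chain at a detectable position; `trace` then answers the slide's last point, which transactions touched a given record. The key and the sample records are constructed.

```python
import hashlib
import hmac
import json
import time

# Assumed: this key exists only on the (read-only) log server, so whoever can edit
# a record on disk still cannot recompute the chain. Constructed placeholder value.
LOG_KEY = b"log-server-only-key-placeholder"


def _digest(prev: str, fields: dict) -> str:
    """HMAC over the previous digest and the canonical JSON of the record's fields."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev.encode() + body, hashlib.sha256).hexdigest()


def append(trail: list, source: str, destination: str, operation: str,
           outcome: str, when: float = None) -> dict:
    """Append one record chained to its predecessor. Attempts are recorded as well
    as completed accesses; the sequence number fixes the record's position."""
    prev = trail[-1]["digest"] if trail else "genesis"
    fields = {"seq": len(trail), "ts": time.time() if when is None else when,
              "source": source, "destination": destination,
              "operation": operation, "outcome": outcome, "prev": prev}
    record = dict(fields, digest=_digest(prev, fields))
    trail.append(record)
    return record


def verify(trail: list):
    """Index of the first record whose chain link is broken, or None if intact.
    Catches edits (digest mismatch), reordering/deletion (seq or prev mismatch)."""
    prev = "genesis"
    for i, record in enumerate(trail):
        fields = {k: v for k, v in record.items() if k != "digest"}
        if record.get("prev") != prev or fields.get("seq") != i:
            return i
        if not hmac.compare_digest(record.get("digest", ""), _digest(prev, fields)):
            return i
        prev = record["digest"]
    return None


def trace(trail: list, destination: str) -> list:
    """Chronological list of (ts, source, operation, outcome) that affected one record."""
    return [(r["ts"], r["source"], r["operation"], r["outcome"])
            for r in trail if r["destination"] == destination]


def sample_trail() -> list:
    """Constructed sample: three events against the same database record."""
    trail = []
    append(trail, "alice@10.0.1.5", "db:customers#42", "read", "completed", 1000)
    append(trail, "bob@10.0.2.7", "db:customers#42", "update", "attempted-denied", 1001)
    append(trail, "alice@10.0.1.5", "db:customers#42", "update", "completed", 1002)
    return trail


if __name__ == "__main__":
    trail = sample_trail()
    print("intact:", verify(trail) is None)
    trail[1]["outcome"] = "completed"        # simulate an after-the-fact edit
    print("first broken record:", verify(trail))
    print("history of db:customers#42:", trace(sample_trail(), "db:customers#42"))
```

A chain like this detects tampering but does not prevent it, and truncation of the whole tail is only caught if the latest digest is also anchored somewhere the attacker cannot reach (a separate system, periodic signed checkpoints); role-based access on the log server, as the slide says, remains the primary control.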