Real Security in a Virtual EnvironmentBy Mattias GeniarSystem Engineer @Nucleus

Mattias Geniar

System Engineer at Nucleus(Cloud) Hosting provider

http://mattiasgeniar.be@mattiasgeniar

So ... Who am I?

root@mattias:~#

My comfort zone.

Not this.

Now what’s this about?

First: what is cloud computing?

Infrastructure-as-a-Service

Software-as-a-Service

Platform-as-a-Service

Hey dude, security?!

Preventing this cloud ...

From becoming this one.

Whatcha talking ‘bout fool?

Quote

Every security system that hasever been breached was oncethought infallible.

“

It’s about layers. Many layers.

A secure location.

With sufficient power.

And cooling.

That is secure.

But that’s just the bottom layer.

Don’t forget this.

How virtual is ‘virtual’?

The heart: storage.

Seperate network.

But in a good way.

Should it be encrypted?

On your storage itself?

Or within your VM?

Key management.

Redundant storage. Good x 2.

RAIDs

Have backups. Lots of them.

The kidneys: connectivity.

Walls of fire.

Subnet example

This is youIP: 10.0.0.100Subnet: 255.255.255.0Gateway: 10.0.0.1

This is evil meIP: 10.0.0.105Subnet: 255.255.255.0Gateway: 10.0.0.1

The firewall: 10.0.0.1

Firewall your firewall?

Secure connections.

Know what goes on.

Find intruders.

IDS & IPS

We like graphs. And IDS.

And boxes. With info.

Even when the cloud ‘moves’.

# diff ‘os-virt’ ‘hardware-virt’

Oh hai root.root@srv:~# hostnamesrv.domain.be

root@srv:~# vzlist --allCTID NPROC STATUS IP_ADDR HOSTNAME 101 74 running 10.0.2.1 topsecret-srv

root@srv:~# vzctl enter 101-bash-3.1# hostnametopsecret-srv.domain.be-bash-3.1# iduid=0(root) gid=0(root)

Who’s this?

Quote

The weakest link in any security system, is the person holding the information

“

Developers that care.

That don’t do stupid things.

With secure API’s.

And management.

No no. Real management.

Quote

Geeks don’t have interests.They have passions.

“

So. Layers you said?

Q & A

root@mattias:~# logout

Thank you.

Twitter: @mattiasgeniar www.nucleus.be Mail: m@ttias.be