The flexiOPS Use Case

“I see only murk. Murk outside; murk inside. I hope, for everyone’s sake, the scanners do better.”
— from A Scanner Darkly, by Philip K Dick

In this post, flexiOPS developer Andrew Phee details the implementation of the flexiOPS Use Case for the BEACON project.

The BEACON Use Case involves using an open source security scanner to highlight security limitations of Virtual Machine (VM) deployments. The scanner is configured to support scanning of VMs from multiple cloud platforms. The scanner chosen was OpenVAS, a powerful open source vulnerability scanning framework.

The overall result of the work carried out is that in the case where a new VM is created on the platform, it is scanned by OpenVAS for security vulnerabilities. Next, the generated security report is emailed to the VM owner, and a firewall is created and applied to the VM for additional security measures.

Existing on the FCO platform is a program known as a trigger. In the FCO platform, a trigger is a program that “allows an action in Flexiant Cloud Orchestrator to initiate a second action”[1]. In this case, the code is executed in the event that a new VM is created on a specific customer account. The trigger code's resulting action first launches the new VM into a running state, then uses the client socket executable located on the FCO management box to send the VM details (IP, UUID, etc.) to the vulnerability scanner listener program located on a separate server.

Assuming the vulnerability scanner is listening properly, it receives the VM details and uses them to build commands to be sent to the OpenVAS deployment. OpenVAS then performs actions based on the received commands. The main task performed by OpenVAS is to carry out a security vulnerability scan on the VM which was newly created at the beginning of the process. This scan generates a report, which provides insight into how exposed the VM is to attackers.
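Because the listener builds OpenVAS commands from details that arrive over a socket, the details should be validated before any command is constructed. The following added example (not flexiOPS code) shows one way to do that: it assumes a JSON-line message format, which is an assumption rather than the flexiOPS wire format, and emits an OMP create_target request for the validated VM.

```python
import ipaddress
import json
import uuid
import xml.etree.ElementTree as ET

# Constructed sample of what the trigger might send to the listener. The
# JSON-line format is an assumption for this example, not the real format.
SAMPLE_MESSAGE = (
    '{"ip": "10.0.0.12", "uuid": "123e4567-e89b-12d3-a456-426614174000", '
    '"owner_email": "owner@example.com"}'
)


def parse_vm_details(line):
    """Strictly validate one VM-details message.

    Anything that is not a real IP address, a canonical UUID and a plausible
    e-mail address is rejected with ValueError, so no unexpected text can
    reach the request built from it.
    """
    data = json.loads(line)
    ip = ipaddress.ip_address(data["ip"])   # ValueError on anything but an IP
    vm_uuid = uuid.UUID(data["uuid"])      # ValueError on anything but a UUID
    email = data["owner_email"]
    if email.count("@") != 1 or any(c.isspace() for c in email):
        raise ValueError("malformed owner_email")
    return {"ip": str(ip), "uuid": str(vm_uuid), "owner_email": email}


def build_create_target(details):
    """Build the OMP <create_target> request for the validated VM.

    An XML builder keeps the values as data instead of pasting them into
    a command string.
    """
    root = ET.Element("create_target")
    ET.SubElement(root, "name").text = "vm-" + details["uuid"]
    ET.SubElement(root, "hosts").text = details["ip"]
    return ET.tostring(root, encoding="unicode")


def handle_message(line):
    """Listener entry point: validate first, only then build the request."""
    return build_create_target(parse_vm_details(line))


def is_acceptable(line):
    """True if the message passes validation, False if the listener drops it."""
    try:
        parse_vm_details(line)
    except (ValueError, KeyError):
        return False
    return True
```

Messages that fail validation are dropped before anything is sent to OpenVAS, which is the check a listener fed from another host should always make.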

This report is sent to the customer email associated with the account used to create the VM. This could potentially be extremely useful for a VM owner, as they can use the report to understand exactly where the security failings are on their VM and make improvements accordingly.

Finally, the vulnerability scanner listener creates a generic firewall on the FCO platform, and applies it to the VM. While not specifically configured to address the security problems highlighted by the OpenVAS scan report, it nonetheless provides an additional security layer for the VM.

This process helps provide immediate security improvements in the form of creating and applying a firewall to the VM. Possible future improvements are also feasible, as the VM owner has the OpenVAS report which highlights areas in which the security of the VM can be improved.

References

[1] http://docs.flexiant.com/display/DOCS/Triggers