Deployment - Time Multi - Cloud Application Security
 

Introduction

The focus of this use case is security.  Through the work carried out, the aim is to provide an automatic security evaluation and bootstrap for newly created Virtual Machines (VMs) in the cloud.  This can help build a security baseline for new VMs, which protects the VM against malicious attacks and removes the need for the manual configuration of security.

The three main aspects of this use case utilised to deliver this security baseline are the OpenVAS Vulnerability Scanner, Firewall deployment and Chef integration.

Vulnerability Scanner

The core of this use case is the Open Vulnerability Assessment System (OpenVAS).  OpenVAS is a collection of several tools and services used to provide a complete vulnerability scanning framework.  It is utilised in this use case to automatically scan newly created Virtual Machines in order to detect security vulnerabilities.

To automatically operate the scanner, a Java program has been developed to listen for incoming VM details, and to then use these details to build commands which can be read by the OpenVAS command line interface.  This application is known as the “listener”.  A separate java program (the “forwarder”) has been developed which captures VM details (UUID, IP address, email address etc.) as command line arguments, and forwards them to the listener application.  For this use case, the OpenVAS vulnerability scanner and the listener application used to automatically operate it have been configured to run inside a docker container, to maximise portability.

The scanner can conduct a surface level scan, if just the IP of the VM is provided to the listener application.  This will detect vulnerabilities such as SSH Encryption Algorithms, but cannot drill down further into the VM to detect user level security issues.  If the listener application receives VM login details such as a username and password/SSH Key, a credentialed scan can be built which allows OpenVAS to explore the entice filesystem of the VM and detect vulnerable packages, applications and files.  This provides a full and complete overview of the vulnerabilities which could be a threat to the security of the VM.

Upon the completion of a vulnerability scan, a report is generated detailing the detected vulnerabilities.  The listener application receives this report from the OpenVAS scanner, and sends this report to the email address supplied by the forwarder.  This allows the VM owner to view the individual vulnerabilities detected by the OpenVAS scanner, as well as an overall “severity rating” on a 0-10 scale.  Details of scanned VMs are also stored separately by the application in order to keep an activity log.

OpenVAS GUI

OpenVAS GUI


Firewall Deployment

After the vulnerability scan of a VM is complete, the next phase of providing a security baseline is the automatic deployment of a firewall on a cloud platform level.  This is accomplished by the listener application using the API of the cloud platform on which the VM is running to deploy a firewall.  The platforms which currently support this feature are FCO, Openstack, Open Nebula and Amazon AWS.  The respective API is utilised to create and apply a new security group to the VM.

The security group is configured from a group of rules, which are defined using firewall configuration files.  These configuration files are stored on the same docker container which houses the OpenVAS deployment and listener application.  These configuration files are defined by the user, to allow customisability of the firewalls which are deployed.  In order to determine which firewall is deployed to a VM, a firewall tag is applied as metadata to the VM on the platform.  The firewall tag is a name or key which matches the desired firewall configuration file.  If no firewall tag is found to be applied to the VM, then a default firewall template is created to provide a basic security standard.

The automatic and customisable aspects of this feature allow VMs to be provisioned for the purpose for which they will operate.  There is no manual configuration required by the user to apply this security feature, beyond initially creating the required firewall templates and applying the firewall tags to VMs.

Generated firewall template applied to a VM on Openstack

Generated firewall template applied to a VM on Openstack

Chef Integration

The final phase of the security framework that is applied is an automatic deployment of Chef on the VM.  Chef is an infrastructure which facilitates the automatic deployment of packages known as “cookbooks” to servers.

This use case employs chef to install security based cookbooks to the VM after the vulnerability scan and firewall deployment phase.  This provides a final layer of protection on a VM level against security threats.  The application has been developed in order to support Chef bootstrapping using either a password or an SSH key, to allow flexibility to the user’s authentication setup.

The initial cookbooks which have been set up to be deployed on the VM are os-hardening, fail2ban and apt-update.  These three cookbooks provide an initial security baseline on a user level of the VM.  More cookbooks will be added in the future in order to further boost the robustness of the VM security.
 

Chef server showing bootstrapped VMs

Chef server showing bootstrapped VMs

Integration

The three main features described work in conjunction to provide security in different facets of the VM.  The detection of vulnerabilities, deployment of a firewall and chef provisioning all contribute to the overall task of securing the VM against threats. The features described also have direct points of interaction.  For example, one of the planned features is to tailor the firewall template to attempt to neutralise the vulnerabilities detected by the vulnerability scanner.  This can also be applied to the firewall/chef deployment, where the chef cookbooks installed can be tailored to compliment the firewall deployed to the VM on the cloud platform level.

Conclusion

In conclusion, the three main components of the use case described above provide a concrete security baseline for newly created VMs.  The autonomous nature of the vulnerability scanner, firewall creation and chef integration process provide an easy and powerful method of identifying and securing new VMs against malicious security threats.

Developed by flexiOPS and currently supports 4 cloud platforms, Amazon Web Services, OpenStack, OpenNebula and Flexiant Cloud Orchestrator.  

The source code is available on Github

Version 0.1 is available here 
Version 0.2 is available here