Arm yourself against cloud attacks

Stormy Weather

Security Appliances

Caution is also advised before the customer buys a cloud appliance that includes features such as an IDS, supposedly out of the box. One prominent player in this market is Kaspersky, which wants to bring its hybrid cloud security product to the people. In principle, the product description looks good: Anyone pursuing a hybrid cloud concept should be able to use the product to protect their own cloud and their own data reliably against attacks in a large public cloud.

The Kaspersky product contains an IDS and an intrusion prevention system (IPS), as well as various other functions that enable network traffic control and blocking. What Kaspersky actually does is more likely to bundle various components into a finished product that can be rolled out and used quickly, in the style of an appliance.

Nevertheless, caution is advised with such offerings, because such providers often define the cloud differently from Amazon. Kaspersky, for example, does not take OpenStack into account, even though it is the most widely used open source solution for cloud environments. The assumption is that the customer's private cloud is based on products such as VMware and that AWS, Azure, and others are used as the public cloud.

McAfee offers a public cloud server security product, with the option of connecting to OpenStack with a connector module, along with features such as intrusion detection.

However, if the platform supports VNF features out of the box, they can be deployed manually without detouring through a proprietary solution. A customer must ultimately decide whether to pay a vendor money to reduce the workload for implementing the cloud, although there is no technical reason to do so.

Encrypted Volumes

The previously mentioned encrypted volumes make a small contribution toward data security. Volume snapshots can also be encrypted in most cloud environments so that data stored there is protected against third-party eyes or fingers.

With a volume in use, however, it is not so easy: During operation, the volume must be mounted in the filesystem and usually has to be writable, which translates to decrypted.

By the way, if you store backups of your environment in an object store, be it Amazon S3 or a private store (e.g., Ceph), you will want to use the encryption function in your backup software. Almost every modern backup program offers matching features, but thus far, too few admins are aware of this fact.

Caution with Pen Tests

As already mentioned, the security of a cloud can be put under the microscope at several levels. On the one hand are the bare metal and the APIs that belong to the cloud – the provider is responsible for these. The customers' VMs, for which the customers themselves are responsible, run on this infrastructure. Usually the transfer point is the single VM and, more specifically, its Linux kernel.

If you have built a setup and want to put it through its paces or see how a cloud is doing in terms of security, you can always use Kali Linux. In recent years, the distribution has made a name for itself as a system specializing in penetration tests (Figure 4).

Figure 4: Kali Linux is considered a hacker distribution, but in reality, it is an efficient pen-testing tool.

If you want to run Kali Linux on hardware, you usually need a fairly powerful system. However, this contradicts the concept of the cloud, which is intended to free customers from any need to keep hardware in stock. Therefore, the distro has established itself in recent years as a method of conducting pen tests from a VM in the cloud.

At times, so many admins have done this that the big public clouds almost came across as botnets – Kali Linux, for example, runs various (heavy) attacks against the infrastructure. If a Kali Linux instance falls into the wrong hands, it can be combined with the power of virtual instances to cause trouble in the cloud.

For this reason, all major public cloud providers strictly specify whether and under what circumstances Kali Linux can be run in a VM on a platform. For example, AWS requires the password-based login to be disabled for Kali Linux VMs, so only SSH key login to a VM is possible.
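The key-only login requirement described above can be checked before a VM goes live. The following sketch is an added example, not code from the article or from any provider: the function name `audit_sshd_config` and both sample configurations are constructed for illustration, and `Include` files are not followed.

```python
import re

# Settings required for key-only login, and the OpenSSH defaults that
# apply when a keyword is missing from the file.
REQUIRED = {"passwordauthentication": "no",
            "kbdinteractiveauthentication": "no",
            "pubkeyauthentication": "yes"}
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Deprecated spelling of the keyboard-interactive switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def audit_sshd_config(config_text):
    """Return findings; an empty list means only SSH key login is possible."""
    effective, findings, match_scope = {}, [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            match_scope = value          # later lines are conditional
        elif key in REQUIRED and match_scope is None:
            effective.setdefault(key, value.lower())   # first value wins
        elif key in REQUIRED and value.lower() != REQUIRED[key]:
            findings.append(f"Match {match_scope}: {key} {value.lower()}")
    for key, wanted in REQUIRED.items():
        got = effective.get(key, DEFAULTS[key])
        if got != wanted:
            findings.append(f"global: {key} is {got}, expected {wanted}")
    return findings

# Constructed sample inputs (not taken from any real image).
WEAK = """\
# password line repeated: sshd honours the first one
PasswordAuthentication no
PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes
"""
HARDENED = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_sshd_config(text) or "key-only login enforced")
```

The weak sample shows two easy-to-miss cases: keyboard-interactive authentication stays enabled by default when it is never mentioned, and a `Match` block can quietly re-enable passwords for one account. The same function also accepts the output of `sshd -T`, which prints the effective settings with `Include` files already resolved.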

Furthermore, and it should go without saying, it is illegal to use Kali Linux for purposes other than performing a penetration test on your own environment. Users are well advised to follow the basic rules of the cloud providers, because in the worst-case scenario, it can mean the end of your cloud account. One thing is still true: If you follow the rules set by the provider, you will find Kali Linux a powerful tool.
