SmartCloud Orchestrator Version 2.3: Security Hardening Guide Document version 2.3.4

by user

on
Category: Documents
4

views

Report

Comments

Transcript

SmartCloud Orchestrator Version 2.3: Security Hardening Guide Document version 2.3.4
IBM® Cloud and Smarter Infrastructure Software
SmartCloud Orchestrator
Version 2.3:
Security Hardening Guide
Document version 2.3.4
IBM SmartCloud Orchestrator Security Team
© Copyright International Business Machines Corporation 2014, 2015.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corp.
CONTENTS
Contents
List of Figures
Author List
Revision History
1 Introduction
2 Security Management Overview
  2.1 Web Application Security Scanning
  2.2 Application Source Code Scanning
  2.3 Threat Modeling
  2.4 Security Regulatory Compliance Reports
  2.5 Authentication Management
  2.6 Authorization Management
3 Security Hardening
  3.1 Port Management and Firewall Configuration
    3.1.1 Methodology
    3.1.2 Reference Tables
  3.2 “nologin” Shell Configuration
  3.3 HBase Process Name Management
  3.4 Common Vulnerabilities and Exposures Management
  3.5 Secure Sockets Layer Management
Appendix A: The Cloud Orchestrator Security Evaluation Tool (coset)
  A.1 Port Utility Configuration
  A.2 Port Utility List Mode
  A.3 Port Utility Inbound Connection Mode
  A.4 Port Utility Outbound Connection Mode
  A.5 Port Utility Monitor Mode
References
LIST OF FIGURES
Figure 1: Revision History
Figure 2: SCO 2.3 Security Management Summary
Figure 3: Security Compliance Report Options
Figure 4: Security Single Sign-on Overview
Figure 5: Security Authentication Flow
Figure 6: Security Flow for Self Service Request
Figure 7: Security Flow for Import OVA Image
Figure 8: Security Flow for Register Image
Figure 9: Security Flow for Image Extension
Figure 10: Orchestrator User Registry
Figure 11: Orchestrator Authorization Entity-Relationship Diagram
Figure 12: Orchestrator Authorization Management
Figure 13: Orchestration Management Server Core
Figure 14: Central Server 1 Port Management
Figure 15: Central Server 2 Port Management
Figure 16: Central Server 3 Port Management
Figure 17: Central Server 4 Port Management (WebSphere Deployment Manager)
Figure 18: Central Server 4 Port Management (WebSphere Node Agent)
Figure 19: Central Server 4 Port Management (BPM EAR)
Figure 20: Region Server Port Management
Figure 21: Other IBM Port Management Considerations
Figure 22: OpenStack Port Management Considerations
Figure 23: VMware Port Management Considerations
Figure 24: Deployed Virtual System & Extended Image Port Management Considerations
Figure 25: Verifying "nologin" support
Figure 26: Recommended Users for "nologin" Support
Figure 27: Port Utility Hosts Configuration
Figure 28: Port Utility Region Server Template Configuration
Figure 29: Port Utility Active Port Configuration
Figure 30: Port Utility Ports and Programs to Ignore
Figure 31: Port Utility List Mode Sample
Figure 32: Port Utility Inbound Connection Mode Sample
Figure 33: Port Utility Outbound Connection Mode Sample
Figure 34: Port Utility Monitor Mode Sample
AUTHOR LIST
This paper is the team effort of a number of cloud security specialists comprising the SmartCloud
Orchestrator security team. Additional recognition goes out to the entire SmartCloud Orchestrator
and OpenStack development teams.
Mark Leitch (primary contact for this paper), IBM Toronto Laboratory
Marc Schunk, IBM Boeblingen Laboratory
Nate Rockwell, IBM USA
Piotr Gnysinski, IBM Ireland
Michele Licursi, IBM Rome Laboratory
REVISION HISTORY
Date | Version | Revised By | Comments
April 30th, 2014 | Draft | MDL | Initial version for review.
May 4th, 2014 | 2.3.0 | MDL | First version for external review.
May 5th, 2014 | 2.3.1 | MDL | Added “nologin” support.
May 7th, 2014 | 2.3.2 | MDL | Added HBase process name management.
June 18th, 2014 | 2.3.3 | MDL | Revised port listing.
February 11th, 2015 | 2.3.4 | MDL | Added SSL information.
Figure 1: Revision History
1 Introduction
Security management is critical for any enterprise. With the adoption of cloud
technologies, security management becomes even more critical as the range and scale of
possible exploits expand dramatically through the power of enterprise cloud management.
This document will provide an overview of security management approaches for the IBM
SmartCloud Orchestrator (SCO) Version 2.3.
SCO Version 2.3 offers end to end management of service offerings across a number of
cloud technology offerings including VMware, Kernel-based Virtual Machine (KVM), IBM
PowerVM, and IBM System z. A key implementation aspect is integration with OpenStack,
the de facto leading open virtualization technology. OpenStack offers the ability to control
compute, storage, and network resources through an open, community based architecture.
We will first describe security management approaches for SmartCloud Orchestrator. We
will then offer some prescriptive approaches for security hardening of a cloud installation.
Note: This document is considered a work in progress. Security recommendations will be
refined and updated as new SCO releases are available. While the paper in general is
considered suitable for all SCO Version 2.3 releases, it is best oriented towards SCO
Version 2.3.0.1. In addition, a number of references are provided in the References
section. These papers are highly recommended for readers who want detailed knowledge
of cloud security management.
Note: Some artifacts are distributed with this paper. The distributions are in zip format.
However Adobe protects against files with a “zip” suffix. As a result, the file suffix is set to
“zap” per distribution. To use these artifacts, simply rename the distribution to “zip” and
process as usual.
2 Security Management Overview
The following table provides a summary of SCO 2.3 security management. Specific
security areas are expanded upon as appropriate.
Security Area | Disposition
Web Application Security Scanning | Scans mandated by IBM Corporate Security Standards. Automated and repeatable security assessment.
Application Source Code Scanning | Scans mandated by IBM Corporate Security Standards. Automated and repeatable security assessment.
Threat Modeling | Threat model assessment mandated by IBM Corporate Security Standards.
Security Regulatory Compliance Reports | Several compliance reports (e.g. PCI DSS) are available as part of the web application security scanning work.
Multitenancy: Isolation of Back End Resources | Available in SCO 2.3. Offers the ability to assign tenants (aka projects) resources that are partitioned by cloud regions (aka availability zones).
Multitenancy: Segregation of cloud resources via role based authorization | Segregation of cloud resources is available in SCO 2.3.
LDAP Support | The OpenStack Keystone component provides a comprehensive role/authorization/authentication service. Read only LDAP support is available in the SCO 2.3 release.
Figure 2: SCO 2.3 Security Management Summary
The first four management areas are described in specific sections. A description of
security authentication and authorization management, with implications for multitenancy
and directory support, is then provided.
2.1 Web Application Security Scanning
Web Application security scanning is performed by the IBM Rational Appscan Standard Edition reference tool. Some of the capabilities of this tool include the following.
• Heightened scan severity ratings through the enablement of Collateral Damage and Target Distribution settings specifically for cloud offerings.
• Provides visibility into the security and regulatory compliance risks web applications present to your organization.
• Uses a combination of testing techniques to provide thorough, automated assessments.
• Scans websites for both embedded malware and links to malicious or undesirable websites.
• Helps ensure your website is not infecting visitors or directing them to unwanted or dangerous websites.
• Correlates results discovered using dynamic and static analysis techniques.
• Tests web services.
• Delivers more than 40 security compliance reports, including PCI Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), ISO 27001 and ISO 27002, HIPAA, GLBA and Basel II.
Further information on the Rational Appscan offering is available in the References section.
2.2 Application Source Code Scanning
Application source code scanning is performed by the Rational Appscan Source reference tool. Some notable features of the Rational Appscan instance that apply to cloud deployments follow.
• Identifies security vulnerabilities and defects in the source code during the early stages of the application lifecycle when they are the least expensive to remediate.
• Builds automated security into development by integrating security source code analysis with automated scanning during the build process.
• Scans, triages and manages security policies; prioritizes assignment of results to security teams for vulnerability remediation.
• Delivers fast scans of more than one million lines of code per hour, allowing you to scan even the most complex enterprise applications.
• Uses string analysis to simplify the adoption of security testing by development teams.
• Support for testing mobile applications including Java, C# and Objective-C.
Further information on the Rational Appscan Source offering is available in the References
section.
2.3 Threat Modeling
Threat modeling assessments may encompass automated and manual approaches,
including ethical hacking approaches. Basic methods employed include the following.
• Enforcement of non-root runtime for audit and trust purposes.
• Enforcement of necessary permissions.
• Secure credentials management (e.g. passwords).
• Secure port analysis.
• Ethical hacking approaches.
2.4 Security Regulatory Compliance Reports
The Web Application Security Scanning tool offers a number of regulatory compliance
reports. See the following figure for some sample report types.
Figure 3: Security Compliance Report Options
It is worth noting these are simply report options. For example, for the PCI DSS report
neither Rational Appscan nor IBM are approved scanning vendors. While the reports are
considered to have value in terms of classifications and exposures, they are not
considered to be at the certification level.
Note: PCI DSS regulatory reports have been generated for SCO. These reports illustrate
unique findings over the thirty three PCI DSS classification areas. The unique issues are
also identified in the base Web Application Security Scanning reports, with the regulatory
report aligning each finding with the suitable regulatory classification area.
2.5 Authentication Management
A single sign-on approach is used across the primary SmartCloud Orchestrator
components (i.e. IWD, BPM, SWI, and OpenStack)¹. The single sign-on authentication
uses a token approach. The token contains user and project information, has an expiration
date, and is stored in the browser as a cookie for the domain. The following figure
provides an overview of the single sign-on approach.
Figure 4: Security Single Sign-on Overview
¹ This document does not provide an overview of the Orchestrator components. For background on the components and their management please see SmartCloud Orchestrator Version 2.3: Capacity Planning, Performance, and Management Guide in the References section.
An alternate view showing the authentication flow for IWD follows.
Figure 5: Security Authentication Flow
The following figure shows the role of the authentication flow for a self service request.
The flows are simplified for display purposes, with the authentication step at the top left.
Figure 6: Security Flow for Self Service Request
The following figure shows the component interaction for the import of an OVA image.
Figure 7: Security Flow for Import OVA Image
The following figure shows the component interaction for the registration of an image.
Figure 8: Security Flow for Register Image
The following figure shows the component interaction for the extension of the image. Once
again, the authentication management is shown at the start of the scenario.
Figure 9: Security Flow for Image Extension
2.6 Authorization Management
We will provide an overview of user, role, and project management. The OpenStack
Keystone component provides the reference repository for managing these objects. For
SmartCloud Orchestrator, the customer may populate Keystone from a corporate read only
LDAP. The following diagram offers a simple view of the user registry.
Figure 10: Orchestrator User Registry
In simplest terms, roles determine the actions that a user is allowed to perform. A project
(referred to as a tenant in Keystone parlance) is a set of specific resources granted to a set
of users. Through these constructs, a cloud administrator may strictly control the set of
cloud resources authorized to a specific user. Further information is available in the
SmartCloud Orchestrator information center (see the References section). The following
diagram provides an entity-relationship diagram for authorization management (mapped
OpenStack entities are shown in blue).
Figure 11: Orchestrator Authorization Entity-Relationship Diagram
The following diagram provides a breakdown of where information is managed. To be specific:
• The original source for information (identified by a clear box).
• A resource reference (identified by a box with hash lines).
Once again, OpenStack Keystone is the reference repository for users, roles, and tenants.
The remaining components may reference these objects, while managing specific objects
required for their functional requirements.
Figure 12: Orchestrator Authorization Management
3 Security Hardening
Security hardening has multiple dimensions, particularly in the cloud space. We will break
the hardening dimensions into the managed cloud and management server components.
For the managed cloud, the cloud providers offer specific security hardening approaches.
For example, VMware offers prescriptive hardening spreadsheets to enforce best
practices. Resources for these spreadsheets based on specific vSphere versions are
provided in the References section.
For the management server hardening, we will provide the following hardening
approaches.
• Port management and firewall configuration.
• “nologin” shell configuration.
• HBase process name management.
3.1 Port Management and Firewall Configuration
We will describe the port management methodology, followed by the port management
reference tables.
3.1.1 Methodology
The following diagnostic tools are the basis for programmatically managing the Orchestrator ports.
• The nmap utility (obtained via the Red Hat distribution) is used to derive the list of available ports for a server instance.
  Sample command usage: nmap -p1-65535 <server>
• Within a server instance, the set of ports being listened on or established is managed via the lsof command.
  Sample command usage: lsof -i -P | grep LISTEN
  Sample command usage: lsof -i -P | grep ESTABLISHED
• Based on the above, the command line invocations associated with the interesting process identifiers may be established.
  Sample command usage: cat /proc/$pid/cmdline
To facilitate port management for the Orchestrator installation, a port management tool has
been specially created based upon the ‘lsof’ utility. Appendix A provides an overview of
this tool. In addition, the following diagram identifying the host names and their runtime is
included for reference.
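As an added example (not part of the IBM guide and not the coset utility), the following POSIX shell script chains the three steps above: it reduces lsof output to the Port / Protocol / Program / User columns used by the reference tables in 3.1.2, drops established connections and IPv4/IPv6 duplicates, and resolves a PID to its full command line so that a generic process name such as "java" can be tied to the product behind it. The lsof listing embedded in SAMPLE_LSOF is constructed sample data (PIDs, device numbers and addresses are made up) so the script runs offline; live_listening_ports runs the same reduction against the node it is executed on.

```shell
#!/bin/sh
# Added example, not from the IBM guide: reduce "lsof -i -P" output to the
# Port / Protocol / Program / User columns of the reference tables and resolve
# a PID to its command line. SAMPLE_LSOF is CONSTRUCTED sample output.

SAMPLE_LSOF='COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
db2sysc   2314 db2inst1   12u  IPv4  18234      0t0  TCP *:50000 (LISTEN)
named     1208    named   21u  IPv4  14001      0t0  UDP *:53
named     1208    named   22u  IPv4  14003      0t0  TCP 127.0.0.1:953 (LISTEN)
java      4410     root  311u  IPv6  30122      0t0  TCP *:2181 (LISTEN)
java      4410     root  311u  IPv4  30123      0t0  TCP *:2181 (LISTEN)
java      4410     root  312u  IPv6  30130      0t0  TCP 10.0.0.12:60020->10.0.0.13:41222 (ESTABLISHED)
httpd     3001     root    4u  IPv4  20011      0t0  TCP *:80 (LISTEN)'

# listening_ports [lsof_output]: print "port protocol program user" for each
# listening TCP socket and each UDP socket (lsof prints no state for UDP).
# ESTABLISHED connections are dropped; IPv4/IPv6 duplicates collapse to one line.
listening_ports() {
    printf '%s\n' "${1:-$SAMPLE_LSOF}" | awk '
        NR == 1 { next }                              # lsof column header
        $8 == "TCP" && $NF != "(LISTEN)" { next }     # established / closing TCP
        {
            port = $9
            sub(/^.*:/, "", port)                     # keep the text after the last colon
            print port, $8, $1, $3
        }' | sort -u | sort -n
}

# process_cmdline PID: the full command line behind a generic process name,
# read from /proc (run on the server itself; NUL separators become spaces).
process_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline"
    echo
}

# Live variant for use on an Orchestrator node.
live_listening_ports() {
    listening_ports "$(lsof -i -P -n)"
}

listening_ports
```

Run on a node, the combination of live_listening_ports and process_cmdline gives the same Port / Program / User rows as the reference tables, which is what the comparison in the tables below and the monitor mode of Appendix A are built on.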
Figure 13: Orchestration Management Server Core
3.1.2 Reference Tables
The following tables provide a summary of Orchestrator port management and firewall configuration. The following attributes are managed.
• Server instance. The management server instance where the port is active. Tables are broken down by server instance.
• Port. The specific port that is open.
• Protocol. The specific network protocol in effect, where applicable.
• Program instance. The program holding the port. This may be a specific executable or a general class designation (e.g. “Operating System”).
• Operating system user id instance. The operating system user id the program is running under.
• Incoming hosts. A list of expected incoming host identifiers.
Some critical items of interest follow for the reference tables.
• The reference tables describe the Orchestrator runtime requirements. The install and upgrade requirements are not included.
• The ports described are for the Orchestrator content. Additional operating system services may be active, and an approach for managing these services is provided in Appendix A.
• It is generally recommended to disable the chef services once the install or upgrade processes are complete. For example:
  service chef_repo_srvd stop
  chkconfig chef_repo_srvd off
• DNS and directory services are specific to an enterprise deployment and may require additional customization.
• An incoming host of “Public cloud user” indicates the port should be enabled for a firewall on top of a public cloud installation.
• Information is not provided for the System Automation Application Manager at the time of this writing.

Port | Protocol | Program | User | Incoming Hosts
50000 | TCP | db2sysc | db2inst1 | CS2, CS3, CS4, Region Servers
53, 953 | UDP | DNS | named | All hosts. Relevant if DNS server is enabled on Central Server 1.
123 | UDP | NTP | | All hosts. Relevant if NTP server is enabled on Central Server 1.
Figure 14: Central Server 1 Port Management
Port | Protocol | Program | User | Incoming Hosts
2181 | TCP | HBase (VIL) | root |
2809, 9402, 9403, 9633 | TCP | VIL (WAS) | root |
5000, 35357 | HTTP | Keystone | keystone |
6379 | Proxy | VIL (WAS) | root |
8005, 8009, 8182 | TCP | VIL proxy | root |
8123 | TCP | Origami (VIL) | root |
8880 | SOAP | VIL (WAS) | root |
9043 | HTTPS | VIL (WAS) | root | Public Cloud User
9060 | HTTP | VIL (WAS) | root | Public Cloud User
9080 | HTTP | VIL (WAS) | root |
9100 | ORB | VIL (WAS) | root |
9443 | HTTPS | VIL (WAS) | root | Public Cloud User, CS3
9797 | HTTP | PCG | root | CS3
9973 | HTTP | IaaS Gateway | root | CS3, ICCT
11211 | TCP | Memcached | 496 |
60000, 60010, 60020, 60030 | TCP | HBase (VIL) | root |
(The source table carries one further Incoming Hosts entry, “CS2, CS3”, whose row cannot be identified.)
Figure 15: Central Server 2 Port Management
Port | Protocol | Program | User | Incoming Hosts
80 | HTTP | IWD | root | CS4
443, 9443 | HTTPS | IWD | root | CS4
9444 | HTTPS | IWD | root |
20001 | TCP | IWD | root |
7443 | HTTPS | SCUI | root | Public Cloud User
| ICMP | IWD | root | Deployed virtual systems (Windows only and only if using add-ons and script packages).
Figure 16: Central Server 3 Port Management
Port | Protocol | Program | User | Incoming Hosts
7060, 7277, 9352, 9402, 9420, 9809, 11006 | TCP | Deployment Manager | root |
8879 | SOAP | Deployment Manager | root |
9043 | HTTPS | Deployment Manager | root |
9060 | HTTP | Deployment Manager | root |
9100 | ORB | Deployment Manager | root |
9403 | HTTP | Deployment Manager | root |
9632 | IPC (TCP) | Deployment Manager | root |
Figure 17: Central Server 4 Port Management (WebSphere Deployment Manager)
Port | Protocol | Program | User | Incoming Hosts
2809, 7062, 7272, 9353, 11004 | TCP | Nodeagent | root |
8878 | SOAP | Nodeagent | root |
9201, 9202 | RMI/IIOP, SSL | Nodeagent | root |
9629 | IPC (TCP) | Nodeagent | root |
9900 | ORB | Nodeagent | root |
Figure 18: Central Server 4 Port Management (WebSphere Node Agent)
Port | Protocol | Program | User | Incoming Hosts
7276, 7286, 9044, 9191, 9354, 11008 | TCP | BPM | root |
8880 | SOAP | BPM | root |
9061 | HTTP | BPM | root |
9080 | HTTP | BPM | root |
9405, 9406 | RMI/IIOP, SSL | BPM | root |
9443 | HTTPS | BPM | root |
9633 | IPC (TCP) | BPM | root |
9810 | ORB | BPM | root |
(The source table carries one Incoming Hosts entry, “Public Cloud User, CS3”, whose row cannot be identified.)
Figure 19: Central Server 4 Port Management (BPM EAR)
Port | Protocol | Program | User | Incoming Hosts
4444 | Proxy | VIL | root | CS2
8123 | HTTP | VIL Proxy | root | CS2
80 | HTTP | Apache | root |
7080 | HTTP | SCE | root | RS (VMware only)
7777 | TELNET | SCE | root | RS (VMware only)
Figure 20: Region Server Port Management
Port | Protocol | Program | User | Incoming Hosts
80 | HTTP | IBM Infocenter | n/a | CS3
443 | HTTPS | ICCT | n/a | Public Cloud User
| ICMP | ICCT | n/a | Extended Image (Windows only)
Figure 21: Other IBM Port Management Considerations
Port | Protocol | Program | User | Incoming Hosts
8776 | HTTP | Cinder | cinder |
3260 | iSCSI | Glance | root |
9191, 9292 | HTTP | Glance | glance |
5000, 35357 | HTTP | Keystone | keystone |
53, 953 | DNS | Named | named |
6080, 8774, 8775 | HTTP | Nova | nova | CS2, CS3
5672 | AMQP | Qpid | qpidd | RS
(The source table carries two further Incoming Hosts entries, “CS2” and “CS2, CS3”, whose rows cannot be identified.)
Figure 22: OpenStack Port Management Considerations
Port | Protocol | Program | User | Incoming Hosts
443 | HTTPS | VMware vCenter | | CS2, Region Servers
902 | HTTP | VMware ESXi | | CS2
Figure 23: VMware Port Management Considerations
Port | Protocol | Program | User | Incoming Hosts
139 | TCP | Windows OS | n/a | CS3
| ICMP | Windows OS | n/a | CS3
22 | SSH | OS/Image | n/a | CS3, ICCT
445 | TCP | OS/Image | n/a | CS3, ICCT
80 | | Image | n/a | ICCT
Figure 24: Deployed Virtual System & Extended Image Port Management Considerations
3.2 “nologin” Shell Configuration
User instances are bound to a shell. A special shell, referred to as “nologin”, may be
enabled for user accounts to prevent logging into a shell instance for that user. Any
attempt to invoke a shell instance will be politely refused.
We will describe how to implement nologin support. The first step is to ensure it is a
supported shell on the compute node. The following example shows support for
“/sbin/nologin”.
Figure 25: Verifying "nologin" support.
From here the approach may follow some basic steps:
1. Determine the set of user ids to enable the “nologin” shell. A recommended set of ids is provided in the table below.
2. For each user, set the shell.
   Sample command usage: usermod -s /sbin/nologin gleRNSUM
3. Restart the Orchestrator at your convenience. Note the change will take effect immediately and there is no explicit need for restart.

Node | User IDs to Enable
Central Server 1 | gleRNSUM, noaRNSUM, sceRNSUM, cirRNSUM, qtmRNSUM, ksdb
Region Servers | nova
Figure 26: Recommended Users for "nologin" Support
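The three steps above, as an added example that is not part of the IBM guide: a POSIX shell script that checks that /sbin/nologin is a registered shell, reports which of the recommended Central Server 1 ids still have a real login shell, and applies the guide's usermod command only to those. The /etc/shells and /etc/passwd content embedded in the script is constructed sample data (uids and home directories are made up) so the check can be exercised offline; apply_nologin reads the real files and must run as root on the node.

```shell
#!/bin/sh
# Added example, not from the IBM guide: verify and apply the "nologin" shell
# for the recommended user ids. SAMPLE_SHELLS / SAMPLE_PASSWD are CONSTRUCTED
# stand-ins for /etc/shells and /etc/passwd.

NOLOGIN=/sbin/nologin
# Recommended ids for Central Server 1 (Figure 26); region servers use "nova".
CS1_USERS="gleRNSUM noaRNSUM sceRNSUM cirRNSUM qtmRNSUM ksdb"

SAMPLE_SHELLS='/bin/sh
/bin/bash
/sbin/nologin'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
db2inst1:x:501:501::/home/db2inst1:/bin/bash
gleRNSUM:x:502:502::/home/gleRNSUM:/bin/bash
noaRNSUM:x:503:503::/home/noaRNSUM:/sbin/nologin
ksdb:x:504:504::/home/ksdb:/bin/bash'

# nologin_supported [shells_content]: status 0 when $NOLOGIN is a registered shell
# (the check Figure 25 performs by hand).
nologin_supported() {
    printf '%s\n' "${1:-$SAMPLE_SHELLS}" | grep -qx "$NOLOGIN"
}

# user_shell USER [passwd_content]: the user's current login shell, empty if absent
user_shell() {
    printf '%s\n' "${2:-$SAMPLE_PASSWD}" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# users_needing_nologin "USER LIST" [passwd_content]: ids that exist on this node
# and still have a shell other than $NOLOGIN. Ids not present are skipped, so the
# full recommended list can be passed to every node.
users_needing_nologin() {
    for u in $1; do
        s=$(user_shell "$u" "${2:-$SAMPLE_PASSWD}")
        [ -n "$s" ] && [ "$s" != "$NOLOGIN" ] && printf '%s\n' "$u"
    done
    return 0
}

# apply_nologin "USER LIST": the guide's usermod step, run as root on the node.
apply_nologin() {
    nologin_supported "$(cat /etc/shells)" || { echo "$NOLOGIN not in /etc/shells" >&2; return 1; }
    for u in $(users_needing_nologin "$1" "$(cat /etc/passwd)"); do
        usermod -s "$NOLOGIN" "$u" && echo "$u: shell set to $NOLOGIN"
    done
}

# Report against the constructed passwd: gleRNSUM and ksdb still have /bin/bash.
users_needing_nologin "$CS1_USERS"
```

Because users_needing_nologin skips ids that do not exist on the node, the same script can be run unchanged on a region server with "nova" in place of CS1_USERS, and re-running it after the change reports nothing, which is the check to keep in a periodic hardening audit.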
3.3 HBase Process Name Management
The HBase processes associated with Central Server 2 may allocate dynamic ports. In
addition, given HBase runs under the Java execution environment, it will appear in process
listings as “java”. In order to readily identify the dynamic ports with HBase (for example, for
secure port scan management) it can be helpful to have the HBase processes appear as
“HBase” in a process listing. The following steps utilize a symbolic link to achieve this.
1. Log on to Central Server 2.
2. Determine the location of $JAVA_HOME (e.g. /opt/IBM/WebSphere/AppServer/java).
3. Create a symbolic link for $JAVA_HOME/java (e.g. ln -s java HBase).
4. Update the HBase startup script (i.e. /opt/hbase/bin/hbase).
5. Change this line: JAVA=$JAVA_HOME/bin/java
   to this: JAVA=$JAVA_HOME/bin/HBase
6. Restart the Virtual Image Library and/or the Cloud Orchestrator.
3.4 Common Vulnerabilities and Exposures Management
Cloud security management typically implies multi data center security management, and
is a herculean task. The “Common Vulnerabilities and Exposures” (CVE) offers a free
dictionary of publicly known vulnerabilities (see the References section) that can assist in
this task. Given the Cloud Orchestrator includes OpenStack, and typically involves a “bring
your own operating system” approach, it is extremely useful to be aware of these
vulnerabilities, and associated alerts. Some prominent recent alerts, that should be
addressed by any cloud deployment, follow.
1. Heartbleed: An OpenSSL vulnerability (URL).
2. POODLE: An OpenSSL vulnerability (URL).
3. Shellshock: A GNU Bash shell vulnerability (URL).
It should be noted the IBM Rational scan tools cited earlier are CVE compatible. In
addition, given the prominence of SSL, the following section provides a description of the
Orchestrator SSL implementation.
3.5 Secure Sockets Layer Management
Secure Sockets Layer (SSL) management is the de facto standard for communication of
secure applications. It is part of the comprehensive cryptographic and security solution
across the different layers of the Cloud Orchestrator IaaS platform. The Orchestrator
solution includes the IBM OpenStack Enterprise Edition (OSEE) bundle that in turn
includes OpenSSL, python-passlib, Cyrus SASL, PyCrypto libraries, and the IBM
WebSphere sMash and DB2 products. The version of the libraries is determined by the
prerequisite Linux Virtual Machine and/or IBM JDK 1.6.0.
Further characteristics of the SSL implementation may be broken down as follows.
• AES is used in 128-bit and 256-bit block mode and is defined in FIPS 197.
• SHA1 certificates utilize RSA Digital Signatures with 2048 bits key length.
• SSL is used for communications and is defined in IETF RFC 5246.
• LTPA is used for authentication.
• OpenStack Nova API exposes RSA-based certificate creation with 1024 bit keypairs, which can be disabled.
• The OpenStack Nova API also allows the end user to generate a 2048 bit RSA key-pair to SSH into a virtual machine instance.
• IBM OpenStack EE uses Secure Sockets Layer SSL v2/v3, Transport Layer Security: TLS v1, and SSH.
APPENDIX A: THE CLOUD ORCHESTRATOR SECURITY EVALUATION TOOL (COSET)
A port management tool is provided with this paper. We will describe the tool configuration, and then the four management modes it provides.
1. List mode: list the set of interesting ports currently being listened on.
2. Inbound connection mode: list the inbound connections to interesting ports.
3. Outbound connection mode: list the outbound connections to interesting ports.
4. Monitor mode: continuously monitor the ports being listened on, and determine if unrecognized ports are active.
A.1 Port Utility Configuration
The ‘coset’ tool is a Perl based utility. A standard Perl technique is to put configuration
settings in a separate file, using Perl variables that may be sourced directly. The benefits
of this are advanced data structures may be supported with all parsing provided by the Perl
interpreter. For the ‘coset’ utility, this approach is used. We will describe each of the
variables in the provided configuration sample.
The first variable is the set of servers to be managed. This is a hash of the node alias (a
symbolic value), and the fully qualified host name. This structure should be changed per
Orchestrator installation, for the nodes the utility is to be run against. A sample follows.
%hosts = (
    'CS1' => 'CentralServer1.perf.cil.raleigh.ibm.com',
    'CS2' => 'CentralServer2.perf.cil.raleigh.ibm.com',
    'CS3' => 'CentralServer3.perf.cil.raleigh.ibm.com',
    'CS4' => 'CentralServer4.perf.cil.raleigh.ibm.com',
    'RS1' => 'RegionServer1.RegionOneBC1.perf.cil.raleigh.ibm.com',
    'RS2' => 'RegionServer2.RegionOneKVM.perf.cil.raleigh.ibm.com',
    'RS4' => 'RegionServer4.RegionOneBC2.perf.cil.raleigh.ibm.com',
    'RS5' => 'RegionServer5.RegionFiveBC3.perf.cil.raleigh.ibm.com',
);
Figure 27: Port Utility Hosts Configuration
Next, a region server template is provided. The utility does not use this directly; it is a
convenience variable within the configuration file, since all region servers have the same
requirements. The value is simply the set of “interesting” ports for the region servers. In
this context, “interesting” means ports required for the successful operation of the
Orchestrator.
@region_server_template = (
    # Cinder, Glance, Nova, QPid, VIL, SCE, Apache, DNS
    8776, 9191, 8774, 5672, 4444, 7777, 80, 53,
    3260, 9292, 8775, 8123, 7080, 953,
    6080
);
Figure 28: Port Utility Region Server Template Configuration
The next structure shows the set of active ports required for the Orchestrator. These are
the defined listening ports, broken down by host and organized by component. Samples
are shown for Central Server 1 and 2, and the Region Servers. Note the region servers all
have an identical configuration, and simply reference the template provided above. The
ports for all servers are provided in the sample configuration attached to this paper.
%ports_active = (
    'CS1' => [
        # DNS, DB2
        53, 50000,
        953
    ],
    'CS2' => [
        # VIL
        9443, 9043, 9060, 6379, 8880, 9633, 9080, 9100, 9403, 9402, 2809, 4444,
        # Hbase, Origami, IaaS, PCG, Keystone, Tomcat, Memcached
        2181, 8123, 9973, 9797, 5000, 8182, 11211,
        60000, 35357, 8009,
        60010, 8005,
        60020,
        60030
    ],
    'RS1' => [@region_server_template],
    'RS2' => [@region_server_template],
    'RS4' => [@region_server_template],
    'RS5' => [@region_server_template]
);
Figure 29: Port Utility Active Port Configuration
The next structures serve a common purpose: they indicate the ports or the programs
associated with ports that may be ignored. The intent is to remove any noise from the port
monitoring view. This is particularly valuable in monitor mode, which will be discussed
later.
%ports_ignore = (
    'CS1' => [80, 523, 657],
    'CS2' => [],
    'CS3' => [],
    'CS4' => [],
    'RS1' => [],
    'RS2' => [],
    'RS4' => [],
    'RS5' => []
);
@programs_ignore = (
    'cupsd', 'dnsmasq', 'master', 'repo_srv.', 'rpcbind', 'rpc.statd',
    'sshd'
);
Figure 30: Port Utility Ports and Programs to Ignore
A.2 Port Utility List Mode
The port utility list mode shows, for the current host and its associated ports (as
defined in the configuration file), the listening state of all of the active ports. The following
is a complete sample for Central Server 1.
Figure 31: Port Utility List Mode Sample
A.3 Port Utility Inbound Connection Mode
The port utility inbound connection mode will simply show for the current host and
associated ports, the established inbound connection state for all of the active ports. Note
the utility does not list inbound connections from the node itself. This is easily changed via
an internal configuration option. The following is a truncated sample for Central Server 1
(there are literally hundreds of inbound connections to the database server).
Figure 32: Port Utility Inbound Connection Mode Sample
A.4 Port Utility Outbound Connection Mode
The port utility outbound connection mode will simply show for the current host and
associated ports, the established outbound connection state for all of the active ports.
Note the utility does not list outbound connections for the node itself. This is easily
changed via an internal configuration option. The following is a complete sample for
Central Server 1. Note the sample is empty, showing that the database server itself is not
initiating outbound connections (as expected).
Figure 33: Port Utility Outbound Connection Mode Sample
A.5 Port Utility Monitor Mode
The port utility monitor mode is the most useful capability. The monitor mode loops
indefinitely and, for all of the listening ports, lists any port it cannot identify as being on
the active or ignore lists. Why is this so useful? By running the monitor mode it can
be established whether new, unexpected ports have been opened. These ports may either be
shut down, or managed per enterprise firewall standards.
The sample below has been manipulated to show a case where the monitor is continuously
identifying an unexpected port (953).
Figure 34: Port Utility Monitor Mode Sample
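The check at the heart of monitor mode, driven by configuration structures of the shape described in A.1, as an added Perl example that is not the coset tool's own code: it parses one node's `netstat -lntp` output and reports listeners that are on neither the active list nor the port or program ignore lists. The node alias, port values and netstat lines are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not the coset tool itself: one pass of the monitor-mode
# check. The real tool loops over this indefinitely; here a single pass
# runs over constructed input so the logic can be read end to end.
use strict;
use warnings;

# Configuration in the same shape as the coset sample (values constructed).
my %ports_active    = ( CS1 => [53, 953, 50000] );
my %ports_ignore    = ( CS1 => [80, 523, 657] );
my @programs_ignore = ('cupsd', 'dnsmasq', 'master', 'rpcbind', 'sshd');

# Constructed sample of `netstat -lntp` output for node CS1 (the tool
# would run the command on the host and read its output instead).
my @netstat_lines = (
    'tcp 0 0 0.0.0.0:53    0.0.0.0:* LISTEN 1201/named',
    'tcp 0 0 0.0.0.0:50000 0.0.0.0:* LISTEN 2310/db2sysc',
    'tcp 0 0 0.0.0.0:22    0.0.0.0:* LISTEN 987/sshd',
    'tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1010/cupsd',
    'tcp 0 0 0.0.0.0:8888  0.0.0.0:* LISTEN 4412/python',
);

# Return [port, program] pairs for listeners that are on neither the
# node's active list, its port ignore list, nor the program ignore list.
sub unexpected_ports {
    my ($alias, @lines) = @_;
    my %active      = map { $_ => 1 } @{ $ports_active{$alias} || [] };
    my %ignore      = map { $_ => 1 } @{ $ports_ignore{$alias} || [] };
    my %prog_ignore = map { $_ => 1 } @programs_ignore;
    my @found;
    for my $line (@lines) {
        # Fields: proto recv-q send-q local-address foreign-address state pid/program
        next unless $line =~ /^tcp6?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(\S+)/;
        my ($local, $pidprog) = ($1, $2);
        my ($port) = $local =~ /:(\d+)$/;
        my (undef, $prog) = split m{/}, $pidprog, 2;   # "-" when not run as root
        $prog = '-' unless defined $prog;
        next if $active{$port} || $ignore{$port} || $prog_ignore{$prog};
        push @found, [$port, $prog];
    }
    return @found;
}

for my $hit (unexpected_ports('CS1', @netstat_lines)) {
    printf "CS1: unexpected listening port %s (%s)\n", @$hit;
}
```

On the constructed input only port 8888 is reported: 53 and 50000 are active, 22 and 631 are suppressed by their program names.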
© Copyright IBM Corporation 2014, 2015
IBM United States of America
Produced in the United States of America
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with
IBM Corp.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM
product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used.
Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be
used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program,
or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of
this document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
The following paragraph does not apply to the United Kingdom or any other country where such provisions are
inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PAPER “AS IS” WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow
disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes may be made periodically to the
information herein; these changes may be incorporated in subsequent versions of the paper. IBM may make improvements
and/or changes in the product(s) and/or the program(s) described in this paper at any time without notice.
Any references in this document to non-IBM Web sites are provided for convenience only and do not in any manner serve
as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product
and use of those Web sites is at your own risk.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of
this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
4205 South Miami Boulevard
Research Triangle Park, NC 27709 U.S.A.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent
goals and objectives only.
This information is for planning purposes only. The information herein is subject to change before the products described
become available.
If you are viewing this information softcopy, the photographs and color illustrations may not appear.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in
the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in
this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks
owned by IBM at the time this information was published. Such trademarks may also be registered or common law
trademarks in other countries. A current list of IBM trademarks is available on the web at "Copyright and trademark
information" at http://www.ibm.com/legal/copytrade.shtml.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other
countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Other company, product, or service names may be trademarks or service marks of others.