Securing OpenStack Networking
Cloud security is currently top of mind for IT. In this blog post, I will provide a 10 point checklist to help you secure your OpenStack Neutron networking service. Use "defense in depth" as the primary security strategy and deploy a series of defensive mechanisms, since no single control protects the entire service; if one mechanism is compromised, another is still in place to stop the attack. Design network security in layers: instead of a single layer of protection at the perimeter, apply security controls at every layer of the network, to every component of the networking service and to every communication channel between them.
Here’s the security checklist. Do keep in mind that this is not a complete list of every possible defensive mechanism that you could employ. The purpose is to provide some key security checks that you could use.
- Are all interactions with the networking service isolated into security domains with proper network segmentation?
- Does your ML2 mechanism driver mitigate ARP spoofing?
- Have you considered the pros and cons of supporting various tenant network types such as Flat, VLAN, VXLAN etc.?
- Have you hardened the Host OS, vSwitch, Message Queue and SQL Database?
- Have you patched all reported neutron security vulnerabilities?
- Are you using neutron security groups, and is port security enabled on your ports?
- Is all communication with and between service components (API endpoints, message queue, database) encrypted with TLS rather than sent in the clear?
- Has API access been secured with role-based access control (RBAC), granting each role only the least privilege it needs?
- Have you investigated the maturity and security features of the various pluggable neutron components used?
- Are you using quotas to limit project resources?
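The security-group and port-security items above are the ones most easily checked against a live deployment, so here is an added example (my own illustration, not code from the Neutron project or from the talk) that audits port and security-group data for three common misconfigurations: instance ports with port security disabled, wildcard allowed-address-pairs (which let a port send from any source address and so undo the anti-spoofing benefit of port security), and ingress rules open to the world. The input is the JSON shape returned by `GET /v2.0/ports` and `GET /v2.0/security-groups`, limited to the fields used here, and the sample data is constructed for the example. The list of "sensitive" ports and the choice to skip non-instance ports such as `network:router_interface` are assumptions you would tune to your own policy.

```python
"""Offline audit of Neutron port-security, allowed-address-pair and
security-group settings (added example, not Neutron project code).
Input mirrors GET /v2.0/ports and GET /v2.0/security-groups, using only
the fields read below."""
import ipaddress
from typing import Dict, List, Optional

# Hypothetical policy: ingress from any source to these ports is a finding.
SENSITIVE_PORTS = {22, 3389, 3306, 5432}

# Constructed sample data, not taken from a real deployment.
SAMPLE_SECURITY_GROUPS = [
    {"id": "sg-default", "name": "default", "security_group_rules": [
        {"direction": "ingress", "ethertype": "IPv4", "protocol": None,
         "port_range_min": None, "port_range_max": None,
         "remote_ip_prefix": None, "remote_group_id": "sg-default"},
        {"direction": "egress", "ethertype": "IPv4", "protocol": None,
         "port_range_min": None, "port_range_max": None,
         "remote_ip_prefix": None, "remote_group_id": None},
    ]},
    {"id": "sg-web", "name": "web", "security_group_rules": [
        {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
         "port_range_min": 443, "port_range_max": 443,
         "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
        {"direction": "ingress", "ethertype": "IPv4", "protocol": "tcp",
         "port_range_min": 22, "port_range_max": 22,
         "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    ]},
    {"id": "sg-open", "name": "wide-open", "security_group_rules": [
        {"direction": "ingress", "ethertype": "IPv6", "protocol": None,
         "port_range_min": None, "port_range_max": None,
         "remote_ip_prefix": "::/0", "remote_group_id": None},
    ]},
]

SAMPLE_PORTS = [
    {"id": "port-web", "device_owner": "compute:nova",
     "port_security_enabled": True, "security_groups": ["sg-web"],
     "allowed_address_pairs": []},
    {"id": "port-nosec", "device_owner": "compute:nova",
     "port_security_enabled": False, "security_groups": [],
     "allowed_address_pairs": []},
    {"id": "port-aap", "device_owner": "compute:nova",
     "port_security_enabled": True, "security_groups": ["sg-default"],
     "allowed_address_pairs": [{"ip_address": "0.0.0.0/0",
                                "mac_address": "fa:16:3e:00:00:01"}]},
    {"id": "port-router", "device_owner": "network:router_interface",
     "port_security_enabled": False, "security_groups": [],
     "allowed_address_pairs": []},
    {"id": "port-db", "device_owner": "compute:nova",
     "port_security_enabled": True,
     "security_groups": ["sg-default", "sg-open"],
     "allowed_address_pairs": []},
]


def is_any_prefix(prefix: Optional[str]) -> bool:
    """True for a missing prefix (Neutron treats it as 'any') or a
    zero-length one such as 0.0.0.0/0 or ::/0."""
    if prefix is None:
        return True
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def rule_is_world_open(rule: Dict) -> Optional[str]:
    """Describe why an ingress rule is world-open, or return None.
    Rules scoped to a remote security group are never world-open."""
    if rule["direction"] != "ingress" or rule.get("remote_group_id"):
        return None
    if not is_any_prefix(rule.get("remote_ip_prefix")):
        return None
    proto = rule.get("protocol")
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if proto is None:
        return "all protocols from any source"
    if lo is None:
        return f"all {proto} ports from any source"
    hit = sorted(p for p in SENSITIVE_PORTS if lo <= p <= (hi or lo))
    if hit:
        return f"{proto} port(s) {hit} from any source"
    return None


def audit_security_groups(groups: List[Dict]) -> List[Dict]:
    """One finding per world-open ingress rule."""
    findings = []
    for sg in groups:
        for rule in sg["security_group_rules"]:
            why = rule_is_world_open(rule)
            if why:
                findings.append({"object": "security_group",
                                 "id": sg["id"], "issue": why})
    return findings


def audit_ports(ports: List[Dict], open_group_ids: set) -> List[Dict]:
    """Findings for instance ports: port security off, wildcard
    allowed-address-pairs, or membership in a world-open group.
    Assumption: only compute:* ports are checked for port security."""
    findings = []
    for port in ports:
        owner = port.get("device_owner", "")
        if owner.startswith("compute:") and not port.get("port_security_enabled", True):
            findings.append({"object": "port", "id": port["id"],
                             "issue": "port security disabled on instance port"})
        for pair in port.get("allowed_address_pairs", []):
            if is_any_prefix(pair.get("ip_address")):
                findings.append({"object": "port", "id": port["id"],
                                 "issue": f"wildcard allowed-address-pair {pair['ip_address']}"})
        for sg_id in port.get("security_groups", []):
            if sg_id in open_group_ids:
                findings.append({"object": "port", "id": port["id"],
                                 "issue": f"attached to world-open security group {sg_id}"})
    return findings


def audit(ports: List[Dict], groups: List[Dict]) -> List[Dict]:
    """Run both audits; port findings reference the open groups found first."""
    sg_findings = audit_security_groups(groups)
    open_ids = {f["id"] for f in sg_findings}
    return sg_findings + audit_ports(ports, open_ids)


if __name__ == "__main__":
    for f in audit(SAMPLE_PORTS, SAMPLE_SECURITY_GROUPS):
        print(f"{f['object']:15} {f['id']:12} {f['issue']}")
```

On the sample data this reports six findings: the `web` group exposes SSH to the world, the `wide-open` group admits all IPv6 traffic, one instance port has port security disabled, one carries a wildcard allowed-address-pair, and two instance ports are attached to the world-open groups. The router interface port is deliberately not reported even though port security is off on it, because the policy here only covers instance ports; drop the `device_owner` check if you want every port flagged. To run it against a real cloud, replace the sample lists with the `ports` and `security_groups` arrays from the two API responses.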
For more information you can listen to my talk given on this topic at the recently concluded Boston OpenStack Summit.
It can be found here.
I value your feedback. Feel free to comment and share your thoughts on this topic.