OpenStack Cloud Security
eBook - ePub

  1. 160 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About this book

If you are an OpenStack administrator or developer, or wish to build solutions to protect your OpenStack environment, then this book is for you. Experience of Linux administration and familiarity with different OpenStack components is assumed.

Frequently asked questions

Yes, you can access OpenStack Cloud Security by Fabio Alessandro Locati in PDF and/or ePUB format, as well as other popular books in Computer Science & Cloud Computing. We have over one million books available in our catalogue for you to explore.

Table of Contents

OpenStack Cloud Security
Credits
About the Author
About the Reviewers
www.PacktPub.com
Support files, eBooks, discount offers, and more
Why subscribe?
Free access for Packt account holders
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the example code
Errata
Piracy
Questions
1. First Things First – Creating a Safe Environment
Access control
The CIA model
Confidentiality
Integrity
Availability
Some considerations
A real-world example
The principles of security
The Principle of Insecurity
The Principle of Least Privilege
The Principle of Separation of Duties
The Principle of Internal Security
Data center security
Select a good place
Implement a castle-like structure
Secure your authorization points
Defend your employees
Defend all your support systems
Keep a low profile
The power of redundancy
Cameras
Blueprints
Data center in office
Server security
The importance of logs
Where to store the logs?
Evaluate what to log
Evaluate the number of logs
The people aspect of security
Simple forgetfulness
Shortcuts
Human error
Lack of information
Social engineering
Evil actions under threats
Evil actions for personal advantage
Summary
2. OpenStack Security Challenges
Private cloud versus public cloud security
The private cloud
The public cloud
Private cloud versus public cloud
The different kinds of security threats
Possible attackers
The possible attacks
Denial of Service
0-day
Brute force
Advanced Persistent Threat
Automated exploitation tools
The ISP intercept
The supply chain attack
Social engineering
The Hypervisor breakout
The OpenStack structure
OpenStack Compute Service – Nova
OpenStack Object Storage Service – Swift
OpenStack Image Service – Glance
OpenStack Dashboard – Horizon
OpenStack Identity Service – Keystone
OpenStack Networking Service – Neutron
OpenStack Block Storage Service – Cinder
OpenStack Orchestration – Heat
OpenStack Telemetry – Ceilometer
OpenStack Database Service – Trove
OpenStack Data Processing Service – Sahara
Future components
Ironic – bare metal provisioning
Zaqar – cloud messaging
Manila – file sharing
Designate – DNS
Barbican – key management
Summary
3. Securing OpenStack Networking
The Open Systems Interconnection model
Layer 1 – the Physical layer
Layer 2 – the Data link layer
Address Resolution Protocol (ARP) spoofing
MAC flooding and Content Addressable Memory table overflow attack
Dynamic Host Configuration Protocol (DHCP) starvation attack
Cisco Discovery Protocol (CDP) attacks
Spanning Tree Protocol (STP) attacks
Virtual LAN (VLAN) attacks
Layer 3 – the Network layer
Layer 4 – the Transport layer
Layer 5 – the Session layer
Layer 6 – the Presentation layer
Layer 7 – the Application layer
TCP/IP
Architecting secure networks
Different uses means different network
The importance of firewall, IDS, and IPS
Firewall
Intrusion detection system (IDS)
Intrusion prevention system (IPS)
Generic Routing Encapsulation (GRE)
VXLAN
Flat network versus VLAN versus GRE in OpenStack Quantum
Design a secure network for your OpenStack deployment
The networking resource policy engine
Virtual Private Network as a Service (VPNaaS)
Summary
4. Securing OpenStack Communications and Its API
Encryption security
Symmetric encryption
Stream cipher
Block cipher
Asymmetric encryption
Diffie-Hellman
RSA algorithm
Elliptic Curve Cryptography
Symmetric/asymmetric comparison and synergies
Hashing
MD5
SHA
Public key infrastructure
Signed certificates versus self-signed certificates
Cipher security
Designing a redundant environment for your APIs
Secure your OpenStack API with TLS
Apache HTTPd
Nginx
Enforcing HTTPS for future connections
Summary
5. Securing the OpenStack Identification and Authentication System and Its Dashboard
Identification versus authentication versus authorization
Identification
Authentication
Something you know
Something you have
Something you are
The multifactor authentication
Authorization
Mandatory Access Control
Discretionary Access Control
Role-based Access Control
Lattice-based Access Control
Session management
Federated identity
Configuring OpenStack Keystone to use Apache HTTPd
Apache HTTPd configuration
Making Keystone available to Apache HTTPd
Configuring iptables
Configuring firewalld
SELinux
Setting up shared tokens
Setting up the startup properly
Setting up Keystone as an Identity Provider
Configuring Apache HTTPd
Configuring Shibboleth
Configuring OpenStack Keystone
Summary
6. Securing OpenStack Storage
Different storage types
Object storage
Block storage
File storage
Comparison between storage solutions
Security
Backends
Ceph
GlusterFS
The Logical Volume Manager
The Network File System
Sheepdog
Swift
Z File System (ZFS)
Security
Securing OpenStack Swift
Hiding information
Securing ports
Summary
7. Securing the Hypervisor
Various types of virtualization
Full virtualization
Paravirtualization
Partial virtualization
Comparison of virtualization levels
Hypervisors
Kernel-based Virtual Machine
Xen
VMware ESXi
Hyper-V
Baremetal
Containers
Docker
Linux Containers
Criteria for choosing a hypervisor
Team expertise
Product or project maturity
Certifications and attestations
Features and performance
Hardware concerns
Hypervisor memory optimization
Additional security features
Hardening the hardware management
Physical hardware – PCI passthrough
Virtual hardware with Quick Emulator
sVirt – SELinux and virtualization
Hardening the host operating system
Summary
Index

Copyright © 2015 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, wi...