Elastic Security


Security for the Cloud

Launch of HP Cloud with OpenStack

We’ve been busy lately with the second version of Elastic Detector, which supports Amazon EC2, Terremark’s vCloud Express and Eucalyptus. Today we’re thrilled to announce support for another leading cloud infrastructure: HP Cloud. Please find the complete announcement here.

We are strong believers in OpenStack and we participated in the private beta of HP Cloud in order to be ready from day one. We are happy to start our partnership with HP Cloud, with the goal of bringing added security services to HP Cloud customers.

Filed under: Cloud Computing, Elastic Security, IaaS, Solutions

AWS South America support in CloudyScripts

Yesterday, Amazon announced on its blog that it has deployed a new region in South America (Sao Paulo, Brazil); the full article can be found here.

Even though Amazon’s documentation did not yet contain all the required information (such as the Amazon Kernel Image IDs), we were able to retrieve it, which allowed us to fully support this new region in CloudyScripts.

CloudyScripts gem

A new version has been released with the AKI mapping table updated for this new region.
We retrieved the AKI list using the AWS EC2 API Tools as follows:

[fred@secludit-debian]# /bin/ec2-describe-images -K pkey-XXX.pem -C cert-XXX.pem --region sa-east-1 -a | grep pv-grub | awk '{print $2" "$3" "$7}'
aki-863ce39b ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-i386.gz.manifest.xml i386
aki-d63ce3cb ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-x86_64.gz.manifest.xml x86_64
aki-803ce39d ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-i386.gz.manifest.xml i386
aki-d03ce3cd ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-x86_64.gz.manifest.xml x86_64
aki-823ce39f ec2-public-images-sa-east-1/pv-grub-hd00_1.02-i386.gz.manifest.xml i386
aki-d23ce3cf ec2-public-images-sa-east-1/pv-grub-hd00_1.02-x86_64.gz.manifest.xml x86_64
aki-bc3ce3a1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-i386.gz.manifest.xml i386
aki-cc3ce3d1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-x86_64.gz.manifest.xml x86_64

CloudyScripts WebSite

Our free online service has also been updated to support this new region in each of its scripts.

As requested by users of CloudyScripts, we have also added support for auditing VPC security groups.

  • VPC Critical Ports Audit: this script checks the VPC security groups of your infrastructure and reports any rule that allows public access to ports considered so sensitive that exposing them may cause critical damage to your machines, such as the ports used to administer them.

/fred

Filed under: AWS, Cloud Computing

Elastic Security: Vulnerability Assessment

Elastic Detector, our FREE Vulnerability Assessment tool for Amazon EC2, has recently been updated with new features. Of course, the new Amazon US-West (Oregon) region has been added at the same time (see the AWS blog post for more information).

Security is sometimes considered boring (as shown in one of our previous posts on Open Ports Check), so I take this opportunity to explain the security features that have recently been added and to point out two characteristics of Elastic Detector that are essential for a security solution that can cope with the elasticity of cloud infrastructures.

New Security Features of Elastic Detector

  • Blacklist Checks: check against well-known RBLs whether your Elastic IP address (EIP, in Amazon’s naming) or the IP address taken from Amazon’s address pool is blacklisted.
    This allows cloud users to detect configuration errors in a mail server that is being used as an open relay, or a malicious insider who is using your infrastructure to run a botnet (part of the Cloud Security Alliance Top Threats).
  • Critical Ports Audit: check against a tunable list of sensitive ports that no critical port is open to the public.
    This protects cloud users from dictionary attacks on administrative services such as SSH, Webmin (for Linux instances) or RDP (for Windows instances).
  • Security Zones Auditor: define security zones according to the ports that are accessible (using 3 levels of security: public, sensitive and critical) and the source IP addresses that have access to those ports (using 3 levels of trust: untrusted, fairly trusted, trusted). Based on that information, Elastic Detector verifies that there is a strict separation between servers of different trust levels with regard to their security zones. For example, in a three-tier architecture (web server, application server, database server), an instance running a web server should not be able to directly access an instance running the database server, as this would expose your data if the web server is compromised.
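How a blacklist check like the one described above is actually performed, as an added example (this is not Elastic Detector’s code): a DNSBL is queried by reversing the octets of the address under the list’s zone and reading the 127.0.0.x answer code. The zone names are the well-known public lists; the injectable resolver, the constructed addresses and the handling of 127.255.255.x error answers are assumptions of this example, not something the post describes.

```ruby
require 'resolv'

# Aggregate zones commonly queried for outbound-mail reputation. Public mirrors of these
# lists rate-limit or refuse queries coming through shared resolvers (assumption: check
# each list's usage policy before wiring this into a scheduled check).
RBL_ZONES = %w[zen.spamhaus.org bl.spamcop.net].freeze

# DNSBL convention: reverse the four octets and append the zone, so 192.0.2.1 checked
# against zen.spamhaus.org becomes 1.2.0.192.zen.spamhaus.org.
def rbl_query_name(ip, zone)
  octets = ip.split('.')
  unless octets.size == 4 && octets.all? { |o| o =~ /\A\d+\z/ }
    raise ArgumentError, "IPv4 address expected, got #{ip}"
  end
  "#{octets.reverse.join('.')}.#{zone}"
end

# Real lookups go through the system resolver; tests pass a lambda instead.
DEFAULT_RESOLVER = lambda do |name|
  Resolv::DNS.open { |dns| dns.getaddresses(name).map(&:to_s) }
end

# Returns { zone => [return codes] } for every zone that lists the address.
# A listing is an A record inside 127.0.0.0/8; an empty answer (NXDOMAIN) means "not listed".
# Answers in 127.255.255.0/24 are the lists' own error signalling (query refused or
# rate-limited) and must not be reported as a listing.
def rbl_listings(ip, zones = RBL_ZONES, resolver: DEFAULT_RESOLVER)
  zones.each_with_object({}) do |zone, listed|
    answers = resolver.call(rbl_query_name(ip, zone))
    errors, codes = answers.partition { |a| a.start_with?('127.255.255.') }
    warn "#{zone}: query for #{ip} refused (#{errors.join(', ')})" unless errors.empty?
    codes = codes.select { |a| a.start_with?('127.') }
    listed[zone] = codes unless codes.empty?
  end
end
```

Run against an EIP, `rbl_listings('203.0.113.10')` returns `{}` when clean and the per-zone return codes when listed; 127.0.0.2 is the address every DNSBL lists on purpose as a self-test, which is what the check below uses.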
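The Security Zones Auditor rule set, worked through as an added example that is not Elastic Detector’s code: ports are classified into the three security levels, rule sources into the three trust levels, and the tier-separation check flags any security group rule that lets the web tier reach the database tier directly. The port classification, the office network 203.0.113.0/24, the sg-web/sg-app/sg-db identifiers and the sample rules are constructed assumptions for this example.

```ruby
require 'ipaddr'

# Port sensitivity, following the post's three levels. Ports that are not listed are treated
# as critical, so an unknown service exposed to the world is a finding, not a free pass.
PORT_LEVEL = { 80 => :public, 443 => :public, 8080 => :sensitive,
               22 => :critical, 3306 => :critical, 5432 => :critical }.freeze

# The three trust levels, and the minimum trust a source needs to reach each port level.
TRUST_RANK     = { untrusted: 0, fairly_trusted: 1, trusted: 2 }.freeze
REQUIRED_TRUST = { public: :untrusted, sensitive: :fairly_trusted, critical: :trusted }.freeze

# Tier separation for a three-tier deployment: a tier may only be reached from the tiers
# listed here. The web tier accepts no other tier (it is fed by Internet rules instead).
ALLOWED_UPSTREAM = { web: [], app: [:web], db: [:app] }.freeze

# Constructed "office" network (TEST-NET-3); its administrators are fairly trusted.
CORPORATE = IPAddr.new('203.0.113.0/24')

def port_level(port)
  PORT_LEVEL.fetch(port, :critical)
end

# A rule source is either another security group (trusted: it lives inside the account) or a
# CIDR: a /0 is the whole Internet, the office range is fairly trusted, anything else untrusted.
def source_trust(source)
  return :trusted if source.start_with?('sg-')
  net = IPAddr.new(source)
  return :untrusted if net.prefix.zero?
  CORPORATE.include?(net) ? :fairly_trusted : :untrusted
end

# Each group: { id:, tier:, rules: [{ port:, source: }] }. One finding per rule that either
# exposes a port to a source with too little trust, or lets a tier skip a layer.
def audit_zones(groups)
  tier_of = groups.to_h { |g| [g[:id], g[:tier]] }
  groups.each_with_object([]) do |g, findings|
    g[:rules].each do |rule|
      level = port_level(rule[:port])
      trust = source_trust(rule[:source])
      if TRUST_RANK[trust] < TRUST_RANK[REQUIRED_TRUST[level]]
        findings << { group: g[:id], port: rule[:port], source: rule[:source], kind: :trust,
                      detail: "#{level} port reachable from #{trust} source" }
      end
      next unless rule[:source].start_with?('sg-')
      src_tier = tier_of[rule[:source]]
      next if src_tier.nil? || ALLOWED_UPSTREAM.fetch(g[:tier], []).include?(src_tier)
      findings << { group: g[:id], port: rule[:port], source: rule[:source], kind: :separation,
                    detail: "#{src_tier} tier reaches #{g[:tier]} tier directly" }
    end
  end
end

# Constructed sample: three groups, one deliberate mistake in sg-web and two in sg-db.
SAMPLE_GROUPS = [
  { id: 'sg-web', tier: :web, rules: [{ port: 80,   source: '0.0.0.0/0' },
                                      { port: 22,   source: '203.0.113.0/24' }] },
  { id: 'sg-app', tier: :app, rules: [{ port: 8080, source: 'sg-web' }] },
  { id: 'sg-db',  tier: :db,  rules: [{ port: 3306, source: 'sg-app' },
                                      { port: 3306, source: 'sg-web' },
                                      { port: 5432, source: '0.0.0.0/0' }] }
].freeze

if __FILE__ == $0
  audit_zones(SAMPLE_GROUPS).each do |f|
    puts "#{f[:group]} port #{f[:port]} from #{f[:source]}: #{f[:detail]}"
  end
end
```

On the sample this yields three findings: SSH on the web tier open to the merely fairly-trusted office range, Postgres on the database tier open to the Internet, and the web tier allowed straight into MySQL, which is exactly the web-to-database shortcut the post warns about.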

Two Characteristics of Elastic Detector

  • AgentLess: no additional agent or software to install on your instances (launched from an AMI, in Amazon’s naming convention).
    By using the APIs, there is no risk of losing connectivity with an agent (due to a network problem, a misconfiguration or a human error) and no deployed agents to maintain. Moreover, an agent is itself a target for attack, so using the APIs gives us an additional level of isolation.
  • Auto-Check Technology: all cloud resources (especially instances) are kept under control during their complete life cycle: continuous security checks based on customizable templates are automatically put in place as soon as a resource is detected by a real-time polling system, until the resource is shut down.

Feel free to comment or ask more details on the security points.
/fred

Filed under: AWS, Cloud Computing, Elastic Security, Secure Cloud

Amazon US West Oregon Region Support in CloudyScripts

A few days ago Amazon announced a new AWS region in Oregon (see the AWS blog post for more information).

Amazon’s documentation for PVGRUB AKI IDs (which can be found here) was not updated at the same time, which is why fully supporting the new US-West (Oregon) region in CloudyScripts took some additional days (especially for the Copy AMI To Different Region scripts).

NB: the importance of being able to map PVGRUB AKIs between different Amazon regions was explained in a previous post, How-To: Copy an EBS-Backed AMI from one region to another one.

CloudyScripts Ruby gem

SecludIT has released a new version of the Ruby library containing the latest update on RubyForge. The gem is also available on RubyGems.org.

CloudyScripts WebSite

SecludIT has now added support for the new US West (Oregon) region in CloudyScripts.

As a reminder, here is some information on one of our most used scripts (more than 5 thousand executions so far):

  • Copy AMI to Different Region: creates a copy of a given AMI and makes it available in another region. To do so, an instance is started in each region; a volume is created in the original region from a snapshot of the original AMI, and all of its files are copied (via rsync) to a clean volume in the target region. After successful copying, a snapshot of the target volume is taken in the target region and registered as an AMI.

CloudyScripts DevPay AMI

The SecludIT DevPay AMI has not yet been updated, but it should be available soon. This AMI runs in your own Amazon EC2 infrastructure and is available from our CloudyScripts website.

As usual, any feedback is greatly appreciated, so do not hesitate to contact us or leave a comment.

/fred

Filed under: AWS, Cloud Computing

CloudyScripts for vCloud

Starting now, CloudyScripts, our popular open-source library (more than 10,000 downloads so far) that aims at relieving administrators from finicky scripting details when securing and managing cloud infrastructures, supports the vCloud API in addition to Amazon EC2. vCloud is the cloud stack provided by VMware and has already been adopted by around 30 hosting providers worldwide.

The first script we provide retrieves all open Internet services for a given vCloud organization/account and checks whether a service is actually running on each port. Unused open ports give attackers a means to deploy rogue publicly reachable services and may, in the case of providers like Terremark, who charge explicitly for every publicly available Internet service, even incur additional costs.
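What the open-services check amounts to, as an added example (not the CloudyScripts vCloud script itself): for each published Internet service, attempt a TCP connection with a short timeout and report the endpoints where nothing answers. The service list format and the 127.0.0.1 sample entries are assumptions; a real run would feed it the vCloud API’s service listing, and a refused connection only proves that no listener answers, not that the service was intentionally retired.

```ruby
require 'socket'

# Attempt a TCP connection with a short timeout; true only if a listener accepted it.
# Connection refused, unreachable host and timeout all count as "nothing running".
def port_open?(host, port, timeout = 2)
  Socket.tcp(host, port, connect_timeout: timeout) { true }
rescue SystemCallError, SocketError, IOError
  false
end

# `services` models a vCloud organization's published Internet services: a public port that
# is forwarded to a node behind it. Each entry comes back tagged with whether a listener
# actually answers on the published endpoint.
def audit_internet_services(services, timeout: 2)
  services.map { |svc| svc.merge(listening: port_open?(svc[:host], svc[:port], timeout)) }
end

# The ones to close: published to the Internet, billed by the provider, nothing behind them.
def unused_services(services, timeout: 2)
  audit_internet_services(services, timeout: timeout).reject { |s| s[:listening] }
end

if __FILE__ == $0
  # Constructed sample; a real run would read these from the vCloud API's service listing.
  sample = [{ name: 'web',     host: '127.0.0.1', port: 80 },
            { name: 'ssh',     host: '127.0.0.1', port: 22 },
            { name: 'old-ftp', host: '127.0.0.1', port: 21 }]
  unused_services(sample, timeout: 1).each do |s|
    puts "#{s[:name]}: nothing listening on #{s[:host]}:#{s[:port]}, close the service"
  end
end
```

Keep the timeout short: an audit over dozens of services that each wait the kernel default (often more than a minute) for a dropped SYN is unusable, and a provider edge that drops rather than refuses is the common case.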

As usual, the script can be executed locally by installing the gem from the open-source library, by using the CloudyScripts web service, or by starting a DevPay AMI within Amazon EC2. We welcome any feedback and are open to implementing or customizing scripts on demand!

Filed under: Solutions

EC2 Usage among Tech-Companies

Until recently, Guy Rosen on Jack of all Clouds published every month his “State of the Cloud”, which tracked the adoption of cloud infrastructure services (IaaS) over time. For that purpose, he checked, for the 500,000 top-ranked web sites, whether they were actually run by one of the big cloud infrastructure providers like Amazon EC2, Rackspace, GoGrid, etc. He got the web sites from Quantcast and matched their IP addresses against the publicly available IP address ranges of the providers. While the State of the Cloud gives very interesting quantitative information about adoption, it says nothing about how cloud infrastructures are used and by whom: it lacks any form of qualitative information.

However, help is at hand: TechCrunch provides a database (the “CrunchBase”) containing almost 50,000 tech companies with detailed information about the date of company creation, amount of funding, number of employees, and even a classification by product-domain tags, and their web-site URL, of course. What about combining this data with the adoption of cloud infrastructure (IaaS)? In this post, we concentrate only on Amazon EC2 companies.

How many use the cloud?

Here are some general numbers:

  • Via the CrunchBase API, we retrieved 49,398 companies.
  • 3,268 companies are using Amazon EC2 for their web page, which represents around 6.62%.
  • The large majority (83.26%) of EC2 users are in the US East data center (see also the chart below).

How is the cloud used?

In the CrunchBase, companies are associated with tags. In total 6,369 different tags are used. The table below shows the most popular ones for EC2 users and for non-EC2 users.

The differences are not very big, though it seems that EC2 users have more affinity to consumer-related domains like social network apps, music and video.

Who uses the cloud?

How many employees have EC2 users compared to other companies?

  • Average number of employees of EC2 users: 21
  • Average number of employees of other companies: 765

Are newer companies more open to cloud usage?

The chart below displays the number of companies created in each year, both for EC2 users and for other companies.

Newer companies seem more open to adoption than established ones. The following chart clearly shows that the percentage of EC2 users grows strongly with the year of creation.

Conclusions

From the charts above, it seems obvious that the adoption of Amazon EC2 is much stronger among smaller companies created in the last few years. This is not surprising, given that those companies have no legacy applications and data and can immediately benefit from cloud advantages like scaling and the elimination of capital expenses.

Filed under: AWS

Elastic Detector for free

Elastic Detector, our fully automated security event detection tool for Amazon EC2, is now available for free. It helps administrators and users of Amazon EC2-based infrastructures to continuously identify holes in security groups and applications, thus dramatically reducing the risk of external and internal attacks. Contrary to existing tools, you don’t need to install any additional software, such as agents, and you don’t need to configure any monitors up front.

If you want to know more about Elastic Detector, watch the video below or try the service for free at elastic-detector.secludit.com.

Filed under: Internals

AWS Security Alert: Insecure RDP Server Configuration

What is the Problem?

Some days ago, I received a mail from Amazon AWS telling me that one of our security groups gives public access (that is, an ACL with value “0.0.0.0/0”) to port TCP/3389, which by default runs the Remote Desktop Protocol on Windows machines. The reason for their mail is that “a new Internet worm has been discovered in the wild that spreads via the above protocol [...]”. To remedy this danger, they “suggest that you audit your Amazon EC2 security group settings and restrict access to only the instances and IP addresses that need access”.

I checked the configuration and found out that, fortunately, no service instance was running in that security group, but fixed the wrong configuration. While I appreciated the notification, I have two points of critique:

  • My colleague, who wanted to reproduce such an alert by adding port TCP/3389 with a public address to one of his security groups, has not been notified yet. This raises the question of how often such a security group audit is run by AWS.
  • When checking my security groups, I realized that I also had other critical ports open, e.g. SSH (TCP/22), that may be subject to future attacks, but for which I didn’t receive a security notification. What about those other sensitive ports?

How to fix this?

In order to make AWS’s recommendation of auditing security groups easy for anybody to follow, we implemented a Ruby script that retrieves all security groups and identifies permissions that give public access to critical ports, i.e. ports that we consider so sensitive that exposing them may cause critical damage to your machines. For now, we check against ports 22 (SSH), 23 (telnet), 389 (LDAP), 1433 (MSSQL), 3306 (MySQL), 3389 (RDP), 5432 (Postgres), and 5500 (VNC).

The script is part of the CloudyScripts open-source project and can thus either be installed and run locally by yourself or executed from this web site. We hope to help make your EC2 cloud more secure! Any feedback or collaboration is welcome!
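A version of the audit described here, and of the VPC Critical Ports Audit item in the CloudyScripts post above, written as an added example and not the CloudyScripts script itself. It walks security group rules shaped like the EC2 DescribeSecurityGroups response, treats any /0 source as public, and catches the case a single-port comparison misses: a port range such as 3000-3400 that swallows MySQL and RDP. The group data is constructed; the port list is the one from this post, with the VNC and Webmin notes added as a practitioner’s caveat.

```ruby
require 'ipaddr'

# The post's list of critical ports. It is meant to be tuned: add 5900 (the VNC display :0
# port) or 10000 (Webmin) if those run in your account; 5500 is the VNC viewer's
# reverse-connection listener, not the usual server port.
CRITICAL_PORTS = {
  22 => 'SSH', 23 => 'telnet', 389 => 'LDAP', 1433 => 'MSSQL',
  3306 => 'MySQL', 3389 => 'RDP', 5432 => 'Postgres', 5500 => 'VNC'
}.freeze

# 0.0.0.0/0 is the textbook public source, but any /0 (IPv6 ::/0 included) is just as open.
# A source that is not a CIDR at all is a security-group reference, hence not public.
def public_cidr?(source)
  IPAddr.new(source).prefix.zero?
rescue IPAddr::InvalidAddressError
  false
end

# `perm` mirrors one DescribeSecurityGroups ipPermissions entry: ip_protocol ("tcp", "udp",
# "icmp" or "-1" for all), from_port, to_port and ip_ranges. Returns the critical ports this
# single rule opens to the world (empty if none).
def exposed_critical_ports(perm)
  return [] unless perm[:ip_ranges].any? { |c| public_cidr?(c) }
  proto = perm[:ip_protocol].to_s
  return CRITICAL_PORTS.keys if proto == '-1'   # all protocols, all ports
  return [] unless proto == 'tcp'                # the listed services are TCP
  CRITICAL_PORTS.keys.select { |p| p.between?(perm[:from_port], perm[:to_port]) }
end

# One finding per (group, critical port) pair that is reachable from a public source.
def audit_security_groups(groups)
  groups.flat_map do |sg|
    sg[:ip_permissions].flat_map do |perm|
      exposed_critical_ports(perm).map do |port|
        { group: sg[:group_name], port: port, service: CRITICAL_PORTS[port],
          rule: "#{perm[:ip_protocol]} #{perm[:from_port]}-#{perm[:to_port]} " \
                "from #{perm[:ip_ranges].join(',')}" }
      end
    end
  end
end

# Constructed sample account, shaped like the API response. "web" is fine (HTTP public, SSH
# restricted to an office range), "admin" exposes RDP directly and two critical ports through a
# wide range, "wide-open" allows everything from everywhere.
SAMPLE_GROUPS = [
  { group_name: 'web', ip_permissions: [
      { ip_protocol: 'tcp', from_port: 80,   to_port: 80,   ip_ranges: ['0.0.0.0/0'] },
      { ip_protocol: 'tcp', from_port: 22,   to_port: 22,   ip_ranges: ['203.0.113.0/24'] }] },
  { group_name: 'admin', ip_permissions: [
      { ip_protocol: 'tcp', from_port: 3389, to_port: 3389, ip_ranges: ['0.0.0.0/0'] },
      { ip_protocol: 'tcp', from_port: 3000, to_port: 3400, ip_ranges: ['0.0.0.0/0'] }] },
  { group_name: 'wide-open', ip_permissions: [
      { ip_protocol: '-1', from_port: nil, to_port: nil, ip_ranges: ['0.0.0.0/0'] }] }
].freeze

if __FILE__ == $0
  audit_security_groups(SAMPLE_GROUPS).each do |f|
    puts "#{f[:group]}: #{f[:service]} (#{f[:port]}) public via rule #{f[:rule]}"
  end
end
```

The fix for each finding is the one AWS recommends in its mail: replace the 0.0.0.0/0 source with the CIDR of the hosts that actually need access, or with a security-group reference so only your own instances can reach the port.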

Filed under: AWS, Solutions

Detect useless Snapshots and Volumes in the Amazon EC2 Cloud

Do you know the problem? You started and stopped server instances on the Amazon cloud, took snapshots of instances or EBS volumes, and after some weeks or months you find the EC2 console totally cluttered. There are lots of unattached volumes with completely meaningless IDs and dozens of nameless snapshots, and you don’t even know what they actually contain. Having all that data lying around not only degrades your experience in the web console, it also increases the probability of data leakage and accidental loss. And even worse, you pay for that mess and have to invest time to regularly clean it up, manually and carefully, to avoid deleting unique data or backups that might actually be needed for recovery in the future.

We at SecludIT wrote an open-source script to address this problem and published it on our CloudyScripts site. The script identifies two types of resources that might be considered for cleanup:

  • Snapshots: when the number of snapshots that exist for the same EBS volume exceeds a configurable number, the oldest ones are candidates for deletion
  • Volumes: when a volume is not attached to any instance and has not been used for more than a day, it is probably useless
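The two heuristics above, as an added example rather than the CloudyScripts script: keep the newest N snapshots per source volume and propose the rest, and propose detached volumes older than a day while noting whether any snapshot of them exists, since EBS exposes no last-used timestamp and a volume’s age is only a proxy for disuse. The resource records, their IDs and the reference time are constructed for this example.

```ruby
require 'set'

SNAPSHOTS_TO_KEEP = 3
ONE_DAY = 24 * 60 * 60

# Snapshots are grouped by the volume they were taken from; everything beyond the newest
# `keep` per volume is a deletion candidate, oldest first. Snapshots that carry no volume id
# (for example copied in from another region) have unknown lineage and are never proposed.
def stale_snapshots(snapshots, keep: SNAPSHOTS_TO_KEEP)
  snapshots.select { |s| s[:volume_id] }
           .group_by { |s| s[:volume_id] }
           .flat_map do |_vol, snaps|
    sorted = snaps.sort_by { |s| s[:start_time] }
    sorted.first([sorted.size - keep, 0].max)
  end
end

# EBS records no "last used" time, so the closest observable signal is a volume that is
# detached ("available") and older than `min_age`. Whether the volume has any snapshot at all
# is reported alongside, because deleting an unsnapshotted volume destroys its only copy.
def unused_volumes(volumes, snapshots, now: Time.now, min_age: ONE_DAY)
  snapshotted = snapshots.map { |s| s[:volume_id] }.compact.to_set
  volumes.select { |v| v[:state] == 'available' && v[:attachments].empty? && now - v[:create_time] > min_age }
         .map { |v| v.merge(has_snapshot: snapshotted.include?(v[:volume_id])) }
end

# Constructed sample account; NOW is a fixed reference time, not the real clock.
NOW = Time.utc(2011, 12, 20, 12, 0, 0)
SAMPLE_SNAPSHOTS = [
  { snapshot_id: 'snap-a1', volume_id: 'vol-a', start_time: NOW - 5 * ONE_DAY },
  { snapshot_id: 'snap-a2', volume_id: 'vol-a', start_time: NOW - 4 * ONE_DAY },
  { snapshot_id: 'snap-a3', volume_id: 'vol-a', start_time: NOW - 3 * ONE_DAY },
  { snapshot_id: 'snap-a4', volume_id: 'vol-a', start_time: NOW - 2 * ONE_DAY },
  { snapshot_id: 'snap-a5', volume_id: 'vol-a', start_time: NOW - 1 * ONE_DAY },
  { snapshot_id: 'snap-b1', volume_id: 'vol-b', start_time: NOW - 9 * ONE_DAY },
  { snapshot_id: 'snap-x1', volume_id: nil,     start_time: NOW - 30 * ONE_DAY }
].freeze
SAMPLE_VOLUMES = [
  { volume_id: 'vol-a', state: 'in-use',    attachments: ['i-web'], create_time: NOW - 40 * ONE_DAY },
  { volume_id: 'vol-b', state: 'available', attachments: [],        create_time: NOW - 10 * ONE_DAY },
  { volume_id: 'vol-c', state: 'available', attachments: [],        create_time: NOW - 3 * ONE_DAY },
  { volume_id: 'vol-d', state: 'available', attachments: [],        create_time: NOW - 2 * 60 * 60 }
].freeze

if __FILE__ == $0
  stale_snapshots(SAMPLE_SNAPSHOTS).each { |s| puts "snapshot #{s[:snapshot_id]} of #{s[:volume_id]}: old, candidate" }
  unused_volumes(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS, now: NOW).each do |v|
    puts "volume #{v[:volume_id]}: detached, #{v[:has_snapshot] ? 'has a snapshot' : 'NO snapshot, only copy'}"
  end
end
```

Both functions only return candidates; the deletion itself stays a deliberate second step, which is the careful manual review the paragraph above asks for.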

We are aware that there are very complete AWS cost control and optimization solutions on the market (e.g. Cloudyn or Cloudrows). However, if you simply want to clean up your account from time to time without registering for a new service, the script should be quite helpful. I run it every week now!

Let us know if you find this useful and if you have suggestions to improve it!

Filed under: AWS, Solutions

Amazon EC2 Copy AMI and Snapshot: CloudyScripts updated

The SecludIT team is proud to announce that the Copy AMI and Copy Snapshot tools for Amazon EC2 in CloudyScripts, our collection of tools to manage and automate cloud infrastructures, have been improved.

Copy AMI from one region to another

Following requests from our users to support Amazon EC2 Linux AMIs (pre-configured, templated images to get up and running immediately) that use the EXT4 filesystem for their root partition and their own kernel through Amazon’s PV-GRUB loader, we decided to add these features to CloudyScripts. While adding support for new kernels, we also added detection of the /dev/xvdX device node that corresponds to the /dev/sdX block device shown in the Amazon EC2 console.

New features:

  • Support for the EXT4 and XFS Linux filesystems
  • Amazon Kernel Image (AKI) mapping between regions

As a result, we have fully automated the HowTo we wrote a while ago on copying EBS-backed AMIs between Amazon EC2 regions.
Using the CloudyScripts Copy AMI script, you can now move the vast majority of Amazon EC2 Linux AMIs to any Amazon EC2 region.
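The AKI mapping feature, and the region listings discussed in the sa-east-1 and Oregon posts above, as an added example that is not the CloudyScripts implementation: the manifest file name (hd0/hd00 flavour, PV-GRUB version, architecture) is identical in every region and only the aki-id changes, so parsing two listings into manifest-keyed tables is enough to translate a kernel across regions. The sa-east-1 IDs are the ones printed in the sa-east-1 post; the source-region listing and its aki-0000000x IDs are constructed placeholders.

```ruby
# Listing for sa-east-1 as printed by the ec2-describe-images | awk pipeline in the post
# (real public AKIs from the post; columns: aki-id manifest architecture).
SA_EAST_1 = <<~TXT
  aki-863ce39b ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-i386.gz.manifest.xml i386
  aki-d63ce3cb ec2-public-images-sa-east-1/pv-grub-hd0-V1.01-x86_64.gz.manifest.xml x86_64
  aki-803ce39d ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-i386.gz.manifest.xml i386
  aki-d03ce3cd ec2-public-images-sa-east-1/pv-grub-hd00-V1.01-x86_64.gz.manifest.xml x86_64
  aki-823ce39f ec2-public-images-sa-east-1/pv-grub-hd00_1.02-i386.gz.manifest.xml i386
  aki-d23ce3cf ec2-public-images-sa-east-1/pv-grub-hd00_1.02-x86_64.gz.manifest.xml x86_64
  aki-bc3ce3a1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-i386.gz.manifest.xml i386
  aki-cc3ce3d1 ec2-public-images-sa-east-1/pv-grub-hd0_1.02-x86_64.gz.manifest.xml x86_64
TXT

# Constructed listing for a hypothetical source region; the IDs are placeholders, not real AKIs.
SOURCE_REGION = <<~TXT
  aki-00000001 ec2-public-images-example/pv-grub-hd0_1.02-i386.gz.manifest.xml i386
  aki-00000002 ec2-public-images-example/pv-grub-hd0_1.02-x86_64.gz.manifest.xml x86_64
  aki-00000003 ec2-public-images-example/pv-grub-hd00_1.02-i386.gz.manifest.xml i386
  aki-00000004 ec2-public-images-example/pv-grub-hd00_1.02-x86_64.gz.manifest.xml x86_64
TXT

# Parse the three-column listing into { manifest basename => { aki:, arch: } }. The basename
# (flavour, version and architecture) is the same in every region; only the aki-id differs.
def parse_aki_listing(text)
  text.each_line.each_with_object({}) do |line, table|
    aki, manifest, arch = line.split
    next unless aki&.start_with?('aki-') && manifest
    table[File.basename(manifest)] = { aki: aki, arch: arch }
  end
end

# Translate an AKI of the source region into the equivalent kernel of the target region.
def map_aki(aki, source_table, target_table)
  key, _entry = source_table.find { |_k, v| v[:aki] == aki }
  raise ArgumentError, "#{aki} is not a PV-GRUB kernel in the source region" unless key
  target = target_table[key]
  raise ArgumentError, "target region has no #{key}" unless target
  target[:aki]
end

# PV-GRUB comes in two flavours: hd0 boots a filesystem written directly on the disk, hd00
# boots from the first partition of a partitioned disk. Names follow the 1.02 release scheme.
def pvgrub_manifest(partitioned:, arch:, version: '1.02')
  "pv-grub-#{partitioned ? 'hd00' : 'hd0'}_#{version}-#{arch}.gz.manifest.xml"
end

if __FILE__ == $0
  src = parse_aki_listing(SOURCE_REGION)
  dst = parse_aki_listing(SA_EAST_1)
  key = pvgrub_manifest(partitioned: true, arch: 'x86_64')
  puts "aki-00000004 (#{key}) becomes #{map_aki('aki-00000004', src, dst)} in sa-east-1"
end
```

Registering the copied image with the wrong flavour (hd0 for a partitioned root, or the other way round) produces an AMI that boots into a GRUB prompt, which is why the mapping keys on the full manifest name rather than on version and architecture alone.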

Graphical User Interface

CloudyScripts GUI for Amazon EC2 Copy AMI

NB: CloudyScripts does not yet support Btrfs, which is, at this time, under heavy development.

Copy Snapshot from one region to another

As our users are also choosing AMIs with EXT4 and XFS filesystems, support for EXT4 and XFS has been added to the Copy Snapshot script as well. We also added detection of the /dev/xvdX device node that corresponds to the /dev/sdX block device shown in the Amazon EC2 console.

New feature:

  • Support for the EXT4 and XFS Linux filesystems

Using CloudyScripts Copy Snapshot, you can now move the vast majority of Amazon EC2 Linux snapshots between any Amazon EC2 regions.

Graphical User Interface

CloudyScripts GUI for Amazon EC2 Copy Snapshot

NB: I was wondering what you think of a CloudyScript for automatically registering an Amazon EC2 snapshot. Does that seem helpful to you?

Security

In terms of security, we strongly recommend creating temporary Amazon EC2 credentials through AWS Identity and Access Management (IAM) and deleting them once the task is done. We explained how to do so using the Amazon command-line tools in a previous article: ReadOnly credentials for Amazon EC2.

Another thing that must not be forgotten is to close the SSH port (TCP/22) that was opened for the copy. Unless you used dedicated, non-default Amazon EC2 security groups for the task, you must restrict administrative access to your Amazon EC2 infrastructure afterwards. Read more in Risk of publicly opened port.

References

AWS Blog: Enabling your own Linux Kernels
AWS Documentation: Use your own kernel with Amazon EC2

/fred

Filed under: AWS, Cloud Computing
