Return-Path: X-Original-To: apmail-cloudstack-dev-archive@www.apache.org Delivered-To: apmail-cloudstack-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id C743F117DD for ; Thu, 22 May 2014 15:04:47 +0000 (UTC) Received: (qmail 10752 invoked by uid 500); 22 May 2014 15:04:47 -0000 Delivered-To: apmail-cloudstack-dev-archive@cloudstack.apache.org Received: (qmail 10713 invoked by uid 500); 22 May 2014 15:04:47 -0000 Mailing-List: contact dev-help@cloudstack.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cloudstack.apache.org Delivered-To: mailing list dev@cloudstack.apache.org Received: (qmail 10705 invoked by uid 99); 22 May 2014 15:04:47 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 22 May 2014 15:04:47 +0000 X-ASF-Spam-Status: No, hits=2.5 required=5.0 tests=FREEMAIL_REPLY,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of shadowsor@gmail.com designates 209.85.128.171 as permitted sender) Received: from [209.85.128.171] (HELO mail-ve0-f171.google.com) (209.85.128.171) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 22 May 2014 15:04:41 +0000 Received: by mail-ve0-f171.google.com with SMTP id oz11so4562485veb.16 for ; Thu, 22 May 2014 08:04:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=rvZk1OeZZKKiBYLJNDtqbuyrpMMbPK85OMVS6296v/4=; b=ZmtLTvSdQEnm3O+9ZaicZi4eV/GvZFHcyUzjlt2lQsB57QjpQB7EbQP9bLU0ZvEQG2 NLU1y3xfAqaYtFUNQUjyM1jBaLrYjHhfGyJECPFSnOj8yZyJyhrnuGdrEDNwPQTHL9p+ qwaMxdNMZmfER9p0GipDXyI+gKHia/K2LVV6ai194Af2uWINyJ8DyRCtMvnyuGtGQFks jImMuBtf1R9p+c6Z8DBn8I47UHG1/r5CZ63jnF/0gzKbsZ7NSt2270JELC+Q6V7sw+uv OkmtMvRjayVOAdOKrIiIRnAQLrIKvhn47OqqDGYq5EA+k8yfuyGs9PTWD3rXrNLk42rh Fktg== MIME-Version: 1.0 X-Received: by 10.58.108.129 with SMTP id hk1mr730497veb.68.1400771061254; Thu, 22 May 2014 08:04:21 -0700 (PDT) Received: by 10.52.190.170 with HTTP; Thu, 22 May 2014 08:04:21 -0700 (PDT) In-Reply-To: References: Date: Thu, 22 May 2014 09:04:21 -0600 Message-ID: Subject: Re: Network IDS in VPC From: Marcus To: "dev@cloudstack.apache.org" Content-Type: multipart/alternative; boundary=001a11c3a28484901204f9fe6db4 X-Virus-Checked: Checked by ClamAV on apache.org --001a11c3a28484901204f9fe6db4 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Yet another vector On Thu, May 22, 2014 at 8:07 AM, Erik Weber wrote: > What prevents root from revealing and using the domain admin api / secret > Key? > > Erik > 22. mai 2014 15:54 skrev "Marcus" f=C3=B8lgende: > > > I've always viewed the permissions to be additive, if a domain admin ha= s > > the ability to set up network sniffing on the VPC I'd imagine the root > > admin should be able to as well. Although perhaps not. Even though they > > have unfettered access to destroy all vms, networks, zones, the root > admin > > may not have access to the VM hosts, and may not already have access to > the > > VMs themselves if the root passwords are not known. This would introduc= e > a > > vector whereby a root admin without host access could spin up a network > and > > vm for a tenant and see their traffic where they'd normally only be abl= e > to > > if they had access to the root passwords of the tenant's instances or t= he > > hosts. I imagine the overwhelming majority of root admins have host or > > network access, but not all. In the end I'm not sure such an untrusted > user > > should be a root admin, as there are many other attack vectors (such as > > downloading a tenant's volume). Perhaps I'm missing the point. > > > > It would certainly be easier to implement from an orchestration > perspective > > on the router. The collection could happen on the router, but the stora= ge > > of the packet data probably not, and for the analysis it seems kind of > > dangerous to run more user-accessible tools on a system that is suppose= d > to > > be locked down. Especially since it would likely be a web service of > some > > sort running on the public interface. IDS software setup and maintenanc= e > is > > pretty involved, I'm not sure the CS community would be interested in > > maintaining that. We generally promote the virtual router as an > appliance, > > and so I think we'd need to maintain that software install on the route= r. > > These (along with the migration issues) are the reasons why I was leani= ng > > toward a 'sniffer net', where the users could have what they'd normally > > have in a datacenter with a 'port mirror', and they can decide how to > > collect and analyze the data. > > > > > > On Thu, May 22, 2014 at 2:34 AM, Daan Hoogland > >wrote: > > > > > Marcus, you mention a permission issue that triggers the though: > > > should a root admin be allowed? I think not. This brings up extra > > > requirements on the IAM, does it? > > > > > > I would implement the functionality on the router. > > > > > > On Thu, May 22, 2014 at 6:42 AM, Marcus wrote: > > > > I really like the lower overhead of just port mirroring from one of > the > > > > router's interfaces to an instance interface host-side, but I reall= y > > > > dislike the affinity it creates between the router and the listener= , > > and > > > > all of the complications it creates for host maintenance and > > migrations. > > > It > > > > may also require that whomever creates a network or vms on a networ= k > > with > > > > this permission be a domain admin, since it has the ability to see > > > > everything on the wire for the whole VPC. > > > > > > > > > > > > On Wed, May 21, 2014 at 4:25 PM, Marcus wrote= : > > > > > > > >> Hi guys, > > > >> Not sure if this has been discussed before, but we are getting > > > feature > > > >> requests for an IDS or packet-sniffing/monitoring capability. I > have a > > > >> prototyped idea of how to do this (manual config), but would like > some > > > >> input. > > > >> > > > >> We create a network offering or network capability/detail that is > > > >> specifically a 'sniffer net'. This would be relatively simple, and > > just > > > do > > > >> two things: > > > >> > > > >> 1) when network is added to VPC, spin up a simple daemon on the VP= C > > > router > > > >> that does traffic mirroring (netsniff-ng or daemonlogger are debia= n > > > >> packages) from the public interface to the 'sniffer net' interface= . > > > >> > > > >> 2) disables mac learning on the bridges created for the sniffer ne= t, > > so > > > >> that an IDS system can come up in this net and see all of the > mirrored > > > >> traffic. It wouldn't handle making the IDS appliance, that would b= e > up > > > to > > > >> the customer, it would simply create a network that enables traffi= c > > > >> monitoring for the VPC. > > > >> > > > >> I think we'd prefer any VMs brought up in this network to live on > the > > > same > > > >> host as the router for performance reasons, but that's probably no= t > an > > > >> immediate requirement. I dislike the idea of trying to run an actu= al > > > >> capture saved to the VPC router, or an IDS software on the VPC > router > > > that > > > >> would need to be updated. > > > >> > > > >> We could also run traffic mirroring from the VPC router's interfac= e > > > >> directly to another VM's interface, host side (daemonlogger -i > vpcintf > > > -o > > > >> idsintf), but it would need to be on the same host. > > > >> > > > >> > > > >> > > > >> > > > > > > > > > > > > -- > > > Daan > > > > > > --001a11c3a28484901204f9fe6db4--