Cloud Operations Flashcards
How do you secure a KVM?
Combine physical and logical controls to protect against unauthorized electronic emanation surveillance
Features of a Secure KVM
- Push button control - physical access needed to control KVM
- Firmware that has authenticated protection
- Isolated data channels
- Restricted USB functionality
- Does not allow buffering
Secure Shell (SSH)
A protocol used to administer remote devices over a network using TCP port 22
Uses symmetric and asymmetric cryptography
If using asymmetric cryptography, the ssh-keygen command is used to generate the public/private key pair
Remote Desktop Protocol (RDP)
List features
Allows a remote connection to a workstation or server via port 3389
Features include:
- Encryption of the data in transit
- Authentication via use of smart cards
- Bandwidth reduction which optimizes the data transfer rate if a low speed connection is used
- Resource sharing
- Can disconnect the RDP connection temporarily without logging off the remote connection
Customer Management Console-based Access
What securing features should it include?
A proprietary API that the CSP creates to allow the cloud customer to access, configure, and manage virtual machines
Securing Features should include:
- Need-to-know (NTK) admin controls
- Least privilege technical controls
- Role-based access with MFA controls
- Isolated and protected communication channels via TLS and VPN
- Any command line interface (CLI) should be protected by using SSH
DNSSEC
Provides integrity for DNS resolver requests, responses and zone transfers
List DNSSEC resource records
DNSKEY - holds the public key that resolvers use to verify the DNSSEC signatures in RRSIG records
RRSIG - a record that holds the DNSSEC digital signature for a record
To prevent DNS hijacking and unauthorized manipulation of resolution requests, what should you ensure of your email domain?
Ideally ensure your email domain has a DMARC (Domain Based Message Authentication Reporting and Compliance) policy with SPF (Sender Policy Framework) and/or DKIM (Domain Keys Identified Mail), and that you enforce the policies published by other domains on your email system
List DNS Attacks
DNS cache poisoning
DNS server hijacking
A MiTM attacker can send a fake DNS response
DNS Shadowing - attacker compromises a registry account and registers subdomains to host fake sites
How can MiTM DNS attacks be addressed?
DNS Security (DNSSEC) - designed to prevent DNS cache poisoning; uses digital signatures to verify that DNS data comes from an authenticated source
Virtual LAN (VLAN)
A method of separating layer 3 networks using a layer 2 switch
You still need a router and ACLs to properly forward and control traffic between VLANs
Used to create isolation beyond traffic segmentation
The maximum number of VLANs allowed is 4096
VXLAN
VXLAN (X is for extensible) is an encapsulation protocol that provides data center connectivity, using tunneling to stretch Layer 2 connections over an underlying Layer 3 network
VXLAN is the most commonly used protocol for creating overlay networks that encapsulate layer 2 over layer 3 (L2oL3), enabling the use of virtual networks, and allows for 16.7 million separate networks or VXLANs
How does VXLAN enable cloud?
It supports virtualization of the data center network while addressing the needs of multi-tenant data centers by providing the necessary segmentation on a large scale.
VXLAN allows for scalability and lets cloud providers effectively separate and isolate tenants from each other.
VXLAN Tunnel End Point (VTEP)
A hypervisor-based function that allows VMs to communicate via source and destination IP addresses
Virtual Private Network (VPN)
Allows two private networks to communicate with each other over a public network (Internet)
OpenVPN
An open source VPN solution that provides up to 256-bit encryption.
It is very customizable, can bypass firewalls, and supports several types of encryption algorithms.
Point to Point Tunneling (PPTP)
AKA
Uses 128-bit encryption called Microsoft Point to Point Encryption (MPPE), which is weak and has been compromised.
Secure Socket Tunneling Protocol
Developed by Microsoft to replace PPTP; proprietary. Offers 256-bit encryption.
SoftEther
An open source VPN protocol that uses 256-bit encryption.
Used on workstations and mobile devices.
Layer 2 Tunneling Protocol (L2TP)
A VPN protocol jointly developed by Cisco and Microsoft. Typically secured by using IPSEC.
256-bit encryption.
Used everywhere.
Supports multi-threading, but is slower.
Internet Key Exchange v2 (IKE)
An IPSEC protocol based on the ISAKMP framework and the Oakley key negotiation protocol
IKE builds and manages Security Associations (SAs); it encrypts the AH or ESP
Two ways to exchange keys: Diffie-Hellman (DH) style negotiation (routers) or public keys (users)
IP Security (IPSEC)
A layer 3 protocol used to secure IP traffic for VPNs
IP SEC Transport Mode
Only the payload portion of each packet is protected (end-to-end encryption, for example between client and server)
IP SEC Tunnel Mode
The entire original packet is protected, including the IP header (link encryption, e.g. firewall to firewall)
IPSEC Authentication Header
Authenticates the sender (source IP) and performs an integrity check
AH Transport mode protects integrity of payload only
AH Tunnel mode protects integrity of header and payload
IPSEC Encapsulating Security Payload
Same as the Authentication Header, plus encrypts for confidentiality
ESP Transport mode encrypts the payload only; the original IP header is left unencrypted
ESP Tunnel mode encrypts headers and payload
IPSEC Security Association (SA’s)
A one-way connection using either AH or ESP services
Each SA is uniquely identified in the packet using 3 indicators:
- Security Parameter Index (SPI; a session ID number used for tracking)
- Destination IP Address
- An AH or ESP identifier to indicate which is being used
Internet Security Association and Key Management Protocol (ISAKMP)
A framework for choosing encryption algorithms and key exchange methods
Oakley
A key negotiation protocol using the Diffie-Hellman approach
Transport Layer Security 1.3 (TLS)
Originally SSL v1, v2 and v3 were used, but SSL has been deprecated
TLS v1.1 and v1.2 should not be used, as they are vulnerable to attacks. Use TLS v1.3.
Commonly used for end-to-end encryption.
TLS Negotiation
- Client Hello contains:
  - Protocol Version - TLS 1.3
  - Asymmetric Algorithm for session key - RSA
  - Symmetric Algorithm for encrypting data in transit - Salsa
  - Hashing Algorithm - SHA256
- Server chooses TLS 1.3, RSA, Salsa, SHA256
- Server answers these conditions and sends the server certificate to the client
- Optional: if the client has a certificate, the client sends it to the server (mutual authentication)
- Session key negotiated between client and server
- All traffic encrypted
Firewalls
A firewall is a software- or hardware-based means of protecting a host or network. Every firewall comes with an implicit deny-all rule.
Ingress filtering - analyzing traffic coming into the firewall
Egress filtering - analyzing traffic leaving the firewall
Stateless Firewall
A firewall that filters egress and ingress traffic based on IP address and port number, regardless of session
Dynamic firewall
Does the same as a stateless firewall but adds engines driven by signatures, behavior, anomalies, heuristics and artificial intelligence
Next-Generation (Next-Gen) Firewall
A standard firewall that adds intrusion detection/prevention technology and traffic management through segmentation policies
List Firewall Categories
Software Firewall
Hardware Firewall
Application Firewall
Database Firewall
Software Firewall
A firewall that is installed on the host or is built into the operating system of the host
Hardware Firewall
A dedicated hardware appliance that serves as a firewall
Application Firewall
Works at Layer 7 of the OSI model; for example, a WAF is used to protect a web application and its backend DB, and performs input validation
Database Firewall
A layer 7 firewall used to protect a DB, e.g. a DB activity monitor