5 Things to Know About Securely Managing PowerVC and OpenStack
AxelBuecker 270000KUKR Visits (7582)
First, let's say a little about IBM PowerVC. PowerVC is the advanced virtualization management solution built on OpenStack to support IBM Power Systems running IBM AIX, IBM i, and Power Linux. PowerVC adopts major components of OpenStack (such as Keystone for Identity, Nova for Compute, Neutron for Network, Cinder for Storage, Glance for Image, and Ceilometer for monitoring and logging). PowerVC extends the features of these components and introduces new components for IBM Power Systems support so that IBM Power Systems can be used as Infr
Configuring and managing IBM PowerVC securely is not much different from OpenStack. Though OpenStack leaves security to the implementer or deployer, IBM PowerVC automates key security configurations by default and introduces dedicated tools for handy security management.
Now, let's talk about the five most critical security concerns in PowerVC and OpenStack security which should be considered when implementing and managing PowerVC or OpenStack IaaS environments:
1. Visibility - seeing into the unknown
Even with the best security solution in place, you don't know when your system is being targeted or when hackers have decided to try to break your security systems and steal critical IT assets. That is why it is so important to implement security events and logging. If not, it is like locking the door but never watching the house - or taking note of changes around the door. Consider the importance of logging for system management systems, such as PowerVC, OpenStack or even HMC (Hardware Management Console). These systems security log features should be properly implemented and these logs should be continuously monitored to find any anomalies which could be an attempted security attack. Logs can also be used to assist computer forensics to reveal the scene after a breach has occurred. PowerVC and OpenStack support cloud auditing functionality and the audit feature follows an open standard (DMTF Cloud Auditing Data Federation (CADF) standard). The current PowerVC implementation (PowerVC 1.2.2) audits API accesses to APIs and provides a tool to retrieve audit logs for investigation. Proper logging and pro-actively using your logs increases your visibility into the unknown.
2. Identity management
PowerVC and OpenStack provides a web-based user interface which allows cloud users and administrators to manage their VMs and other related cloud resources. This web interface is protected by implementing a user ID and password and the functionalities of users is restricted using role-based access control. Also, PowerVC and OpenStack expose various functions through REST APIs so that cloud applications utilize their functions and build cloud applications through extension. This access is also authenticated by user ID and password, and users are being authorized based on the role assigned to them. Identity management is critical to protect all these resources, so it is recommended to use LDAP for identity management (instead of using a default identity repository such as the operating system user repository). PowerVC provides an option to use LDAP for identity management, and it supports OpenLDAP version 2.0 or higher and Microsoft Active Directory 2003 or higher. PowerVC provides the powervc-ldap-config command for configuring LDAP. OpenStack Keystone also supports LDAP backend for secure identity management, but the configuration is not as simple as PowerVC. For LDAP configuration in OpenStack, refer to the following link for LDAP enablement for OpenStack:
3. Network access control
The components of IBM PowerVC and OpenStack are communicating with each other though the TCP/IP network. Though the components for PowerVC are all deployed in a single management server and can be accessed internally, it does expose API services to external applications and the web user interface is open to the external network. Even though the access to APIs and the web user interface are protected by user ID and password, it is recommended to restrict access to these services using the network access control method to prevent hacking (such as a brute-force attack or DoS attack). You can use PowerVC's iptables firewall configured in the management host or you can place a firewall in front of that feature. The default iptables firewall policy configured by PowerVC is a good start and blocks all unnecessary incoming network access to run PowerVC. Consider to modify this policy after installation in order to achieve a higher network security level. For example, if the corporate security policy requires access restriction to PowerVC from a specific set of users or hosts, then the default iptables firewall rule needs to be changed to only allow access from a specific set of IP addresses instead of all.
4. Securing communication channel
So even though you have implemented strong access control and dealt with APIs and web user interfaces, there is still another area to consider: what can be leaked or modified? A password could be leaked or even a modification to API request could happen that would be disruptive for operations. To prevent these risks, all PowerVC and OpenStack services should be accessible through a secure communication channel, such as SSL/TLS. For example, IBM PowerVC deploys Apache HTTP servers as proxy to API services (this restricts remote applications and web traffic to use HTTPS protocol for any access). PowerVC also allows other applications like IBM Cloud Manager with OpenStack to access PowerVC's messaging service secured by AMQPS (AMQP over SSL/TLS). When PowerVC is configured to use LDAP for identity management, it is recommended to use LDAP over SSL/TLS, (aka LDAPS) instead of the unencrypted LDAP protocol. Also be aware that self-signed certificates are installed for SSL/TLS protocol, so consider to replace them with certificates signed by a trusted internal or external CA (this is done in order to prevent a Man-in-the-middle attack).
5. Vulnerability and security patch management
PowerVC and OpenStack are composed of several software components other than their own components. For example, DB2 or MySQL for database, Apache HTTP server for web and API services, and Apache Qpid or RabbitMQ for message queue. All these components complicate security management against vulnerabilities. If you implements IaaS using OpenStack from the scratch, you need to manage all the packages used to build the OpenStack environment. PowerVC provides security fixes through IBM Fix Central for the components that ship with the product. IBM also provides security notification emails to alert about any new PowerVC or related product vulnerabilities.
How many of these security considerations have you considered for your Cloud Deployment? To understand the broader spectrum of securely managing a cloud deployment based on IBM Power Systems, you should grab the latest IBM Redbooks publication "Clo
Mu Hyun Kim is an AIX development support specialist focusing on AIX network kernel, network device drivers, TCP/IP, AIX, and IBM Power Systems performance and security. He has 11 years of experience in AIX and IBM Power Systems in IBM and 3 years of experience in the IT security area performing security assessments and penetration tests with his previous company. He also has engaged in cloud projects on migration strategy planning, PoC (Proof on Concept) of migrating cloud workload to IBM Softlayer, and presented cloud and virtualization security topics to IBM clients. He has written extensively on security on IBM PowerVC and IBM Cloud Manager with OpenStack.