Cloud computing has already become a very hot concept, covering a very large number of services: elastic compute, file storage, relational databases, key-value databases and many others. This article briefly explains the security issues of elastic compute services, since elastic compute is the most commonly used cloud service and also the cloud service with the highest security risk.
1. Introduction
Because many things involve corporate secrets, technical details, implementation details or new directions, this article does not explain them. Those who are interested can send us a resume and work on cloud computing together with us.
2. Cloud computing brings new risks
In the pre-cloud era, traditional IDC machine rooms already faced many security risks, and all of these problems have been passed on, without omission, to the era of cloud computing. On top of that, the unique operating model of cloud computing has brought many new problems.
2.1. Attacks inside the cloud
- The security zone is broken
Before offering cloud computing services to external parties, Internet companies used independent IDC machine rooms, separated from the outside by firewalls. Inside the firewall is the trusted area, used exclusively by the company itself; outside is the untrusted area, where all the attackers are. Security staff only needed to build this one wall higher and thicker to protect the company, and could set up more walls behind it to form a defense in depth.
However, this simple model of isolating inside from outside became impractical once the company started offering cloud computing services. Simply by buying a cloud server, an attacker has penetrated the provider's network perimeter and crossed the border firewall. On the other hand, the internal resources of the cloud are no longer used by a single enterprise but shared by tens of thousands, hundreds of thousands or even more users who do not know each other, and who of course include some malicious users. Obviously, dividing security domains the traditional way no longer works: the security domain is broken.
- New attack modes
In the traditional IDC era the attacker was outside the border firewall, and only the IP protocol reached the enterprise's servers and routers. In other words, the attacker could only launch attacks at layer 3.
In the cloud, the situation has changed. In a large layer 2 network, the attacker-controlled cloud server is connected to the cloud provider's routers at layer 2, and the attacker can attack these devices at a lower level: ARP-based attacks such as the common ARP spoofing, and even attacks that forge the underlying Ethernet header.
I have encountered forged Ethernet headers once. The packets the attacker sent were very small, containing only the 14-byte Ethernet header; the source and destination MAC addresses were forged, and the 2-byte upper-layer protocol type field held random data rather than the usual IP or ARP, which caused some adverse effects on the switch.
- Virtualization layer penetration
In the cloud era, one host may run 10 virtual machines, and these 10 virtual machines may belong to 10 unrelated users. In a sense, this physical machine plays the same role as a switch in the traditional IDC era: it is a switch that carries all the traffic of these 10 virtual machines.
Compromising such a host is as dangerous as compromising a switch was in the traditional era. But compared with a switch, which is easier to break into, the host or the switch? Obviously the host is more vulnerable to intrusion.
First, the attacker's VM runs directly in the host's memory, separated from it only by the virtualization layer. Once an attacker has a vulnerability that penetrates the virtualization layer, the intrusion can be completed effortlessly, and such vulnerabilities have been found in common virtualization software such as Xen and KVM.
Second, a switch's system is relatively simple and exposes very few services. The host is a standard Linux server running a standard Linux operating system and a variety of standard services, so the attacker has far more avenues to use.
2.2. Large-scale effects
- Traditional attack risk increases
To facilitate VM migration and for other reasons, cloud networks are generally built on a large layer 2 architecture, sometimes even spanning machine rooms or cities. A VLAN no longer holds the 200-odd servers of the traditional era; the number reaches hundreds or thousands. In a large layer 2 network, forwarding at layer 2 depends on the switch's CAM table, and when the number of MAC addresses reaches a certain size it may even overflow the CAM table.
Similarly, layer 2 attacks such as ARP spoofing, forged Ethernet frames, ARP storms and NBNS storms have a far greater impact than they had in the traditional era.
- Attack frequency increases dramatically
Because of the diversity and scale of users, the frequency of attacks also increases dramatically. At Aliyun's current scale it suffers hundreds of DDoS attacks on average every day, 50% of which exceed 5 Gbit/s. Web attacks and password cracking attempts are counted in the billions.
Attacks at this frequency pose great challenges to security operations and maintenance.
2.3. The scope of security responsibility is broad
As more users move to the cloud, cloud deployments become more varied. The area the security department is responsible for also expands gradually, from protecting the enterprise's internal security at the beginning to the business risks of the upper layers.
- Abuse of cloud computing resources
Abuse of cloud resources mainly has two aspects. One is using automated tools to grab free trial hosts, or even running up malicious arrears: since many cloud services are post-paid, malicious users may register with false information and keep changing their information while consuming resources, causing the cloud provider to suffer losses. As the security department, this kind of behaviour needs to be controlled.
On the other hand, many attackers rent cloud servers for spam, attack scanning, phishing and even C&C for botnets. The security department needs to be able to discover this accurately and in real time and intercept it by technical means.
- Handling of bad information
Bad information mainly refers to cloud server users offering pornography, gambling and similar services; the cloud provider needs to be able to identify and stop this in time to prevent business risk.
3. Technical challenges
To address these risks with traditional defensive ideas, we need to deploy access control policies and traffic monitoring systems in the network. But for the cloud, implementing these things presents a huge challenge.
3.1. The uncontrollable cloud
In the traditional era all traffic passed through switches, and NetFlow, SNMP, ACLs and similar means gave good enough traffic monitoring and access control. In the cloud era, however, traffic between VMs on the same host is exchanged directly in the host's memory, and neither the network department nor the security department can see or control it.
To deal with cloud servers being compromised, the security department needs to deploy various security products on the servers. Unfortunately, in the cloud era these servers do not belong to the cloud provider, and the security department has no right to operate on them.
In other words, in the cloud era the security department is scratching the itch through the boot: it cannot reach the security problems it has to solve.
3.2. Business diversification brings defense complexity
In the traditional IDC era the security department, together with the network department, divided security domains one by one: DNS servers in the DNS zone, web servers in the web zone, database servers in the database zone, everything in perfect order. In the cloud era, hundreds of thousands of users run hundreds of thousands of cloud servers with a wide variety of services, and their PV, QPS and response-time requirements all differ.
There is no universal panacea in security. Take DDoS defense: the most common defense against CC (HTTP flood) attacks is a client-side meta-refresh redirect, a 302 redirect or even a CAPTCHA. That works without problems for a typical site whose main customers use PCs. But for a site whose main clients are mobile apps it is a disaster: the app accesses a web API and generally cannot follow such a client-side redirect, let alone fill in a CAPTCHA, so the business becomes completely unavailable.
The complexity of the business brings many challenges to security defense.
3.3. Balancing privacy and monitoring
Concerns about privacy and data security are the biggest resistance to the cloud, but solving resource abuse, personalized security policies and many other issues requires traffic monitoring, which may worry users. As a designer of cloud security, you need to balance the two carefully.
4. Aliyun's solution
At Aliyun, the security department was among the first batch of employees to join the company, initially accounting for more than 10% of the total headcount. From the beginning we treated cloud security as a top priority. On December 10, 2013, the British Standards Institution (BSI) announced that Alibaba Cloud Computing Co., Ltd. (Alibaba Cloud) had won the world's first CSA-STAR Gold certification, which is also the first gold certification BSI has awarded to any global cloud service provider.
4.1. Distributed Virtual Switch
To solve the problem of controlling the cloud VM network, we designed a distributed virtual switch and provided a web API for external calls. The distributed virtual switch is deployed inside each host and communicates with a control center, reporting status and receiving security policies. It mainly provides two functions:
- Auto-migrating security group policy
In the cloud era different users share the same IP addresses, so it is hard to distinguish businesses by IP address. Therefore we use the user ID to distinguish them: security domains are built and security policies applied based on the user ID. When a user's VM migrates to another host because of a failure, the VM's security policy migrates with it automatically.
- Dynamic binding filtering
Borrowing from Cisco's DAI (Dynamic ARP Inspection), we perform dynamic inspection of packets: a filter on the VM's virtual network adapter drops forged packets before they leave the VM, for example packets with a forged source IP address or a forged source MAC address. Filtering close to the source effectively reduces the impact of malicious traffic on the network.
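The following is an added example of the source-side check described here (and of the 14-byte forged-header frames mentioned in section 2.1); it is illustrative code written for this article, not Aliyun's distributed virtual switch. It assumes a hypothetical binding table that the control center pushes to each host (the vNIC ids, MAC and IP addresses are constructed), and it decides for each frame leaving a vNIC whether the source MAC, the ARP sender fields or the IPv4 source address match what that vNIC was allocated. Frames with an unexpected EtherType are dropped as well, which covers the header-only frames described earlier.

```python
import struct
from ipaddress import IPv4Address

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Constructed binding table (hypothetical ids and addresses): for each vNIC,
# the MAC and the IP addresses the control center allocated to it.
BINDINGS = {
    "vnic-1": {"mac": "52:54:00:aa:bb:01", "ips": {"10.0.0.11"}},
    "vnic-2": {"mac": "52:54:00:aa:bb:02", "ips": {"10.0.0.12"}},
}


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def inspect_frame(vnic_id, frame):
    """Return ("allow"|"drop", reason) for a raw Ethernet frame leaving vnic_id."""
    binding = BINDINGS.get(vnic_id)
    if binding is None:
        return "drop", "unknown vnic"
    if len(frame) < ETH_HDR_LEN:
        return "drop", "runt frame"
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if bytes_to_mac(src_mac) != binding["mac"]:
        return "drop", f"forged source MAC {bytes_to_mac(src_mac)}"
    payload = frame[ETH_HDR_LEN:]
    if ethertype == ETHERTYPE_ARP:
        # DAI-style check: the ARP sender MAC/IP must be the vNIC's own binding,
        # otherwise the VM is trying to poison a neighbour's ARP cache.
        if len(payload) < 28:
            return "drop", "truncated ARP"
        sender_mac = bytes_to_mac(payload[8:14])
        sender_ip = str(IPv4Address(payload[14:18]))
        if sender_mac != binding["mac"] or sender_ip not in binding["ips"]:
            return "drop", f"ARP sender {sender_mac}/{sender_ip} not bound to {vnic_id}"
        return "allow", "arp ok"
    if ethertype == ETHERTYPE_IPV4:
        if len(payload) < 20:
            return "drop", "truncated IPv4"
        src_ip = str(IPv4Address(payload[12:16]))
        if src_ip not in binding["ips"]:
            return "drop", f"forged source IP {src_ip}"
        return "allow", "ipv4 ok"
    # Anything else (including header-only frames with a random type field) is dropped.
    return "drop", f"unexpected ethertype 0x{ethertype:04x}"


def build_ipv4_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Constructed test frame: Ethernet header plus a minimal 20-byte IPv4 header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return struct.pack("!6s6sH", mac_to_bytes(dst_mac), mac_to_bytes(src_mac), ETHERTYPE_IPV4) + ip_hdr


def build_arp_reply(src_mac, sender_ip, target_mac, target_ip):
    """Constructed test frame: Ethernet header plus a 28-byte ARP reply."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 2,
                      mac_to_bytes(src_mac), IPv4Address(sender_ip).packed,
                      mac_to_bytes(target_mac), IPv4Address(target_ip).packed)
    return struct.pack("!6s6sH", mac_to_bytes(target_mac), mac_to_bytes(src_mac), ETHERTYPE_ARP) + arp


if __name__ == "__main__":
    samples = {
        "own ip": build_ipv4_frame("52:54:00:aa:bb:01", "52:54:00:aa:bb:02", "10.0.0.11", "10.0.0.12"),
        "spoofed ip": build_ipv4_frame("52:54:00:aa:bb:01", "52:54:00:aa:bb:02", "10.0.0.99", "10.0.0.12"),
        "spoofed mac": build_ipv4_frame("52:54:00:aa:bb:02", "52:54:00:aa:bb:02", "10.0.0.11", "10.0.0.12"),
        "arp claiming neighbour": build_arp_reply("52:54:00:aa:bb:01", "10.0.0.12", "52:54:00:aa:bb:02", "10.0.0.12"),
        "header only, random type": bytes.fromhex("525400aabb02525400aabb01beef"),
    }
    for name, frame in samples.items():
        print(f"{name:26s} -> {inspect_frame('vnic-1', frame)}")
```

The filter deliberately checks ARP sender fields against the binding rather than against what the guest itself claims, since the whole point is that the guest is untrusted; the binding table is the only source of truth on the host.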
4.2. Cloud Shield System Based on Data Analysis
Personalized security based on data analysis is similar to malicious behaviour monitoring. We collect statistics on and plot the BPS, PPS and QPS time curves of each cloud server to learn the access patterns of its end users, and based on the User-Agent and source IP address we analyze the distribution of mobile app versus PC access. From these statistics we customize the WAF defense policy, the DDoS defense trigger threshold, the cleaning threshold and so on for each cloud VM. This is Aliyun's Cloud Shield system.
Secondly, because of the scale described above, our Cloud Shield system captures a large number of malicious IP addresses every day, covering web attacks, DDoS attacks, password cracking, malicious registration and the like. Our security system provides these IP addresses as a unified repository, and all security products link to it so that defenses are in place before an attacker attacks a VM.
Through the integration of this data, Aliyun's Cloud Shield forms a complete system with defenses at different levels and strategic depth. The data of the various sub-products is shared; they assist one another and evolve together to protect the security of the cloud platform.
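As an added example of the per-VM policy derivation described in 4.2 and the mobile-versus-PC problem from 3.2 (written for this article, not Cloud Shield's own code), the block below takes a constructed per-minute QPS history and a constructed access-log sample with User-Agents, derives a DDoS trigger threshold and cleaning threshold per VM from its own baseline, and picks a CC defense mode that avoids browser-only challenges when most of a VM's clients are apps. The threshold formula (mean plus four standard deviations, floored at twice the mean and at an absolute minimum) and the mobile User-Agent patterns are assumptions chosen for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed per-minute QPS history for two hypothetical VMs, as a Cloud
# Shield-style time curve would record it.
QPS_HISTORY = {
    "vm-web": [100, 110, 95, 105, 120, 100, 90, 115],
    "vm-api": [20, 25, 22, 18, 30, 24, 21, 26],
}

# Constructed access-log sample (documentation-range IPs, made-up User-Agents).
ACCESS_LOG = """\
vm=vm-web src=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
vm=vm-web src=203.0.113.11 ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1"
vm=vm-web src=203.0.113.12 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0"
vm=vm-web src=203.0.113.13 ua="Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0"
vm=vm-web src=203.0.113.14 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1"
vm=vm-api src=198.51.100.20 ua="okhttp/4.12.0"
vm=vm-api src=198.51.100.21 ua="Dalvik/2.1.0 (Linux; U; Android 13; Pixel 7)"
vm=vm-api src=198.51.100.22 ua="MyShopApp/3.2 (iPhone; iOS 17.0) CFNetwork/1485"
vm=vm-api src=198.51.100.23 ua="okhttp/4.12.0"
vm=vm-api src=198.51.100.24 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
"""

LOG_RE = re.compile(r'^vm=(?P<vm>\S+) src=(?P<src>\S+) ua="(?P<ua>[^"]*)"$')
# Assumed markers of phones and app HTTP stacks; a real deployment would use a UA database.
MOBILE_UA = re.compile(r"Android|iPhone|iPad|okhttp|CFNetwork|Dalvik", re.I)

MIN_TRIGGER_QPS = 50       # assumed floor so tiny sites do not trip on noise
CLEAN_HYSTERESIS = 0.8     # stop cleaning once traffic falls to 80% of the trigger


def mobile_share(log_text):
    """Fraction of requests per VM whose User-Agent looks like a phone or app client."""
    totals, mobile = defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        totals[m["vm"]] += 1
        if MOBILE_UA.search(m["ua"]):
            mobile[m["vm"]] += 1
    return {vm: mobile[vm] / totals[vm] for vm in totals}


def ddos_thresholds(qps_series):
    """Per-VM trigger and cleaning thresholds derived from that VM's own baseline."""
    mean = statistics.fmean(qps_series)
    std = statistics.stdev(qps_series) if len(qps_series) > 1 else 0.0
    trigger = max(mean + 4 * std, 2 * mean, MIN_TRIGGER_QPS)
    return {"trigger_qps": trigger, "clean_below_qps": CLEAN_HYSTERESIS * trigger}


def cc_defense_mode(share):
    # Redirects and CAPTCHAs need a browser; app clients cannot follow them,
    # so VMs serving mostly apps get a mode that works at the IP/rate level.
    return "rate_limit_and_ip_reputation" if share >= 0.5 else "js_challenge"


def build_policies(qps_history, log_text):
    shares = mobile_share(log_text)
    policies = {}
    for vm, series in qps_history.items():
        share = shares.get(vm, 0.0)
        policies[vm] = {**ddos_thresholds(series),
                        "mobile_share": share,
                        "cc_defense": cc_defense_mode(share)}
    return policies


if __name__ == "__main__":
    for vm, policy in build_policies(QPS_HISTORY, ACCESS_LOG).items():
        print(vm, policy)
```

With the constructed data, vm-web gets a trigger of 208.75 QPS and a JavaScript challenge, while vm-api (80% app traffic) gets the 50 QPS floor and rate limiting with IP reputation instead of a challenge the app could never answer.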
4.3. Macro statistical analysis
For privacy reasons we do not monitor application-layer data; instead we use macro statistics such as the five-tuple (source IP, destination IP, source port, destination port, protocol) to discover malicious users abusing cloud hosts.
In one observed case, between 1 am and 9 am a cloud VM scanned external ports. Since many of the target hosts were not alive, outbound traffic was far larger than inbound, and the traffic had very typical attack characteristics: it only attempted to reach ports 1433 and 3389 on a large number of IP addresses. At about 10:30 am, inbound traffic began to grow while the destination ports remained unchanged and the destination IPs were a subset of the earlier IP addresses. This shows that the attacker had extracted the hosts with open services and was now running password scans against them.
In this way we detect malicious behaviour without violating privacy.
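An added example of the two-phase pattern just described, detected from five-tuple flow summaries alone (written for this article; not Aliyun's detector). It builds a constructed set of NetFlow-like records for one hypothetical VM that probes 40 addresses on ports 1433 and 3389 during the early hours and then returns only to the hosts that answered, plus one benign source that must not be flagged. The thresholds (at least 20 distinct destinations, at most 3 destination ports, outbound at least five times inbound for the scan phase; later traffic confined to the scanned set with roughly balanced bytes for the follow-up phase) are assumptions chosen for the example.

```python
from collections import defaultdict

SCAN_MIN_DSTS = 20            # distinct destination IPs per hour that look like a sweep
SCAN_MAX_PORTS = 3            # a sweep targets very few ports
SCAN_MIN_OUT_IN_RATIO = 5.0   # dead targets never answer, so bytes out >> bytes in
FOLLOWUP_MAX_RATIO = 2.0      # real logins are two-way traffic


def constructed_flows():
    """Constructed 5-tuple flow records (documentation-range addresses, made-up byte counts)."""
    flows = []
    scanner = "10.0.0.5"
    alive = {"198.51.100.3", "198.51.100.17", "198.51.100.21", "198.51.100.30"}
    # Phase 1, 01:00-08:59: one small probe per address and port; only alive hosts answer.
    for hour in range(1, 9):
        for i in range(1, 41):
            dst = f"198.51.100.{i}"
            for dport in (1433, 3389):
                flows.append({"hour": hour, "src": scanner, "dst": dst, "sport": 40000 + i,
                              "dport": dport, "proto": "tcp",
                              "out_bytes": 60, "in_bytes": 60 if dst in alive else 0})
    # Phase 2, 10:00-11:59: repeated sessions only to the hosts that answered on 3389.
    for hour in (10, 11):
        for dst in sorted(alive):
            flows.append({"hour": hour, "src": scanner, "dst": dst, "sport": 50000,
                          "dport": 3389, "proto": "tcp", "out_bytes": 40000, "in_bytes": 30000})
    # A benign VM talking to two hosts with ordinary two-way traffic.
    for dst in ("198.51.100.50", "198.51.100.51"):
        flows.append({"hour": 3, "src": "10.0.0.6", "dst": dst, "sport": 51000,
                      "dport": 443, "proto": "tcp", "out_bytes": 8000, "in_bytes": 9000})
    return flows


def summarize(flows):
    """Per (src, hour) macro statistics computed from the 5-tuples only, never from payload."""
    agg = defaultdict(lambda: {"dsts": set(), "dports": set(), "out": 0, "in": 0})
    for f in flows:
        a = agg[(f["src"], f["hour"])]
        a["dsts"].add(f["dst"])
        a["dports"].add(f["dport"])
        a["out"] += f["out_bytes"]
        a["in"] += f["in_bytes"]
    return agg


def detect(flows):
    """Return (hour, src, finding, ports) tuples for scan and follow-up phases."""
    agg = summarize(flows)
    findings = []
    scanned = {}  # src -> (destination set, port set) accumulated from its scan hours
    for src, hour in sorted(agg):
        a = agg[(src, hour)]
        ratio = a["out"] / a["in"] if a["in"] else float("inf")
        if (len(a["dsts"]) >= SCAN_MIN_DSTS and len(a["dports"]) <= SCAN_MAX_PORTS
                and ratio >= SCAN_MIN_OUT_IN_RATIO):
            findings.append((hour, src, "port_scan", sorted(a["dports"])))
            dsts, ports = scanned.setdefault(src, (set(), set()))
            dsts.update(a["dsts"])
            ports.update(a["dports"])
        elif (src in scanned and a["dsts"] and a["dsts"] <= scanned[src][0]
                and a["dports"] <= scanned[src][1] and ratio < FOLLOWUP_MAX_RATIO):
            # Same ports, a subset of the swept addresses, now with real two-way traffic:
            # the source has picked out the live services and is working on them.
            findings.append((hour, src, "password_scan_on_open_hosts", sorted(a["dports"])))
    return findings


if __name__ == "__main__":
    for finding in detect(constructed_flows()):
        print(finding)
```

Nothing in the detector looks past the flow headers, which is what lets it run under the privacy constraint the section describes; the cost is that it only sees the pattern once the sweep is large enough to cross the thresholds.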
5. Summary
In my personal understanding, cloud security will not be done by the cloud service provider alone; it must be opened up so that a large number of security service providers can offer their own products on the network, providing personalized, customized products and services to all kinds of users.
Aliyun has now opened its image marketplace, http://market.aliyun.com/, where a large number of third-party vendors provide services and products. User-defined VPCs are also about to open, and third-party security vendors will be able to distribute and deploy their products with greater flexibility.