Integrate Security Product with Cloudstack
Written by: Mice Xia
mice_xia@tcloudcomputing.com
About me
• About me
   – Project manager from TCloud Computing Ltd, Beijing, China
   – Apache CloudStack Committer
   – About TCloud
       • Provides cloud platform product/service to Chinese customers
       • Based on CloudStack

• About this topic
   – Based on practice and on-going work
   – Goal: bring some insights into the integration between CS and a security product
Outline

•   Background
•   Three categories of solutions
•   Integration goal and problems
•   Architecture
•   Workflow
•   Future work
Background

• CS does an excellent job of building clouds
• Growing need for solutions to secure the cloud
• Seek security solutions that work with CS:
   – Works for both private and public cloud
   – Multi-tenant, self-service
   – Easy to provision
   – Resource effective
   – Easy to integrate
Agent-based

• Widely implemented in physical environments
• Relies on the agent installed on the guest OS
• Network connection to pattern/mgmt server
• Not much IAAS level integration
• Cons
   • Instant-on gap
   • Resource contention

[Diagram: a Guest Network with several Guest VMs, each running an Agent, reaching the Pattern/Mgmt Server through the CS Virtual Router]
Gateway-based

• Agentless, widely adopted in physical environments
• Detect and prevent by capturing network traffic
• Works fine with simple requirements
• Cons
   • Network traffic based
   • Uneasy to provide inter-user and inter-VM protection

[Diagram: the gateway sits at the Router / L3 Core Switch, in offline mode or inline mode, above an Availability Zone made of Pod 1 ... Pod N]
Hypervisor-based

• Dedicated to virtual environments
• Agentless for user VMs, needs an ‘agent’ on the hypervisor
   • Capture network traffic
   • Scan VM memory
• Can work with any complex network environment

[Diagram: a security Module on the Hypervisor, next to the User VMs]
Brief intro to ElasterShield

• Hypervisor based security product
• Features
   •   Firewall (L2, L3, L4)
   •   IDS/IPS
   •   Application Control
   •   Web server protection
   •   Anti-malware (roadmap)
• For IT admins, no multi-tenant
• Rules: define what triggers an event
• Profiles: a set of enabled rules

[Diagram: ElasterShield takes <VM, Profile/Rules> as input and produces Events/Alerts]
Brief intro to ElasterShield (cont.)

• ElasterShield Manager (ESM)
   • Stores rules/profiles
   • Provides UI / web service API
   • Sends commands to ESVA
• Security Virtual Appliance (ESVA)
   • One for each hypervisor, stateless
   • Hypervisor redirects VM’s traffic to ESVA
   • Includes an engine to do the detection/prevention
• Bi-directional communication between ESM and ESVA
• No impact on user VMs if ESVA stops

[Diagram: one ESM communicating with an ESVA on each Hypervisor; the User VMs sit beside the ESVA on the same Hypervisor]
Integration goal
• CS Integrates ES
• Security as a service, ES as a service provider
   • Multi-tenant, defined by admins, subscribed by users,
     provisioned to VMs
   • Security offering == Security Profiles
   • Export new CS APIs
• Generic to hypervisor-based solution (hopefully)
• No change to ES code, keep it as it is
• Minimum change to CS 4.0 existing code
Problems: Networking

• Bi-directional communication is required between ESM and ESVA
• Deploy ESVA as a user VM
   – Connects to the guest network
   – Basic zone
       • Ingress rules
   – Advanced zone
       • Virtual router NAT problem
       • Another dedicated shared network?
• Solution: via the management network
   – Works for both basic and advanced zones
   – ESVA as a special VM managed by CS
   – Connect it to the management network programmatically

[Diagram: ESM reachable over the Public Network, a Shared Guest Network and the Management Network; ESVA and User VMs on an Isolated Guest Network behind a VRouter, with a "?" on the ESM-to-ESVA path]
Problems: ESVA management
• Make sure ESVA is running on each hypervisor
   – When a new host is added, ESVA should be deployed
     automatically on the host
   – When hypervisor is rebooted, ESVA should be started
     automatically
   – Can be destroyed manually and re-deployed
• Similar to SystemVM/VRouter
   – Managed by CS, transparent to end user
   – Per hypervisor basis
Problems: VM life cycle conflicts

• User VM state mismatch
   – ES can detect VM state changes by polling events directly from the hypervisor
       • Enable VM’s profile when it gets started
       • Disable VM’s profile when it gets stopped
       • Un-assign profile when it gets destroyed
   – It does not work: CS removes the VM from the hypervisor when it gets stopped

       CS VM state          | Stopped | Destroyed | Removed
       Hypervisor VM state  | Destroyed (Missing), in all three cases

   – Solution: CS controls profile (un)assignment to the VM, based on the VM state in CS
Architecture Overview

[Diagram: New CS API -> ES Plug-in inside the CloudStack Manager -> ESM API over the Mgmt network -> ESM; the CloudStack Manager also reaches, over the Mgmt network, the ESVA (managed by CS) on each Hypervisor next to the User VMs]
Integrate as a CS Plug-in

•   Provide security related APIs
•   Treat ESM as a resource and send commands to it
•   ESVA monitor and management
•   Tailor User VM lifecycle with existing framework
•   Tailor Hypervisor management
Plug-in

• New manager/service for ESVA and ESM
• Extends several CS managers to tailor the process
• A new resource for calling ESM APIs
• DAOs for security related database operations

[Diagram: Plugin API on top; ESVAManager, ESMManager and ESMUserVMManagerImpl (among others) in the middle; ESMResource calling the ESM Rest API; Data Access Layer at the bottom]
Workflow: Add ESM

[Diagram: 1) call plug-in API on the ElasterShield Plug-in / CloudStack Manager; 2) connect to the ElasterShield Manager; 3) persist into Database]

1) Admin user or external UI calls plug-in API (addElasterShield)
    • Parameters include ESM url/account/password
    • One ESM per zone or per installation?

2) Plug-in calls ESM’s APIs to:
    • Test the connection with the specified authentication
    • Get ESM info such as version, license, etc.

3) Plug-in persists the ESM info into the CS database
Workflow: Enable Security protection

[Diagram: 1) call plug-in API enableSecurityProtection on the ES Plug-in / CloudStack Manager; 2) start ESVA on each hypervisor of the cluster; 3) activate ESVA through ESM]

1) Admin user or external UI calls plug-in API (enableSecurityProtection)
    • Cluster-wide enable

2) ES plug-in deploys ESVA
    • Deploy ESVA on each host of the cluster
    • With the specified service offering and template
    • Start ESVA

3) Activate ESVA
    • Plug-in calls ESM API to activate each ESVA
Workflow: List Security Offering

[Diagram: 1) call plug-in API listSecurityOffering on the ElasterShield Plug-in / CloudStack Manager; 2) call ESM API listSecurityProfiles on the ElasterShield Manager]

1) User or external UI calls plug-in API (listSecurityOffering)
    • Fetch all security offerings with query parameters
    • Id, name, description

2) Plug-in calls ESM’s APIs to:
    • List security profiles from ESM
Workflow: Define Security Profiles

[Diagram: the admin defines rules/profiles in the ElasterShield Manager; users reach them via 1) plug-in API listSecurityOffering on the CloudStack Manager and 2) ESM API listSecurityProfiles]

• For this stage, this will not be implemented in the plug-in, because it’s product-specific
• Admins use ESM’s UI to define profiles
• Users use the plug-in API to list and apply profiles
Workflow: Apply security offering

[Diagram: 1) call plug-in API applySecurityOffering on the ElasterShield Plug-in / CloudStack Manager; 2) persist into Database; 3) call ESM API assignSecurityProfile on the ElasterShield Manager]

1) User or external UI calls plug-in API (applySecurityOffering)
    • Specify VM id and security offering id

2) Plug-in persists the <VM, offering> mapping into DB
    • Addresses the multi-tenant problem

3) Plug-in calls ESM API to assign the corresponding profile if the VM is running
Workflow: Start Virtual Machine

[Diagram: 1) call CS API startVirtualMachine; 2) start User VM on the Hypervisor; 3) get profile from Database; 4) call ESM API assignSecurityProfile on the ElasterShield Manager; 5) ESM notifies ESVA to take effect]

1) User or UI calls CS API (startVirtualMachine)
2) CS checks ESVA status and starts the user VM as usual
3) After the user VM is started, the plug-in gets this VM’s profile (VirtualMachineGuru.finalizeStart)
4) Plug-in calls ESM API to assign the profile to the VM
5) ESM notifies the ESVA on the same hypervisor as the VM to put the profile into effect
Workflow: Stop Virtual Machine

[Diagram: 1) call CS API stopVirtualMachine; 2) stop User VM on the Hypervisor; 3) get profile from Database; 4) call ESM API unassignSecurityProfile on the ElasterShield Manager; 5) ESM notifies ESVA to take effect]

1) User or UI calls CS API (stopVirtualMachine)
2) CS powers off the user VM as usual
3) After the user VM is shut down, the plug-in gets this VM’s profile (VirtualMachineGuru.finalizeStop)
4) Plug-in calls ESM API to unassign the profile from the VM
5) ESM notifies the ESVA on the same hypervisor as the VM to put the change into effect
Workflow: Destroy Virtual Machine

[Diagram: 1) call CS API destroyVirtualMachine on the ElasterShield Plug-in / CloudStack Manager; 2) remove from Database]

1) User or UI calls CS API (destroyVirtualMachine)
    • VM is destroyed as usual by CS

2) When the VM gets expunged, the plug-in removes the <VM, profile> mapping from DB
    • VirtualMachineGuru.finalizeExpunge
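The "VM life cycle conflicts" problem and the apply/start/stop/destroy workflows above share one design decision: the <VM, offering> mapping lives in the CS database and ESM is told to (un)assign a profile from the CS VM state, never from hypervisor events, because a stopped VM is indistinguishable from a destroyed one on the hypervisor. The Python model below is an added example, not code from the plug-in or from CloudStack. FakeEsm, EsPlugin, register_vm, run_lifecycle and the hook names finalize_start/finalize_stop/finalize_expunge are constructed here to mirror the slides; the real ESM web service API and the VirtualMachineGuru signatures are not reproduced.

```python
"""Model of CS-driven security profile (un)assignment for user VMs.
Added example: FakeEsm stands in for the ESM API, EsPlugin for the
plug-in's hooks, and the <VM, offering> dict for the database table."""
from typing import Dict, List, Optional, Tuple

RUNNING, STOPPED, EXPUNGED = "Running", "Stopped", "Expunged"


def hypervisor_view(cs_state: str) -> str:
    """What a poller on the hypervisor sees for a CS VM state: CS removes a
    stopped VM from the hypervisor, so Stopped, Destroyed and Removed all
    look like a missing VM (the table on the 'VM life cycle conflicts' slide)."""
    return "Running" if cs_state == RUNNING else "Destroyed (Missing)"


class FakeEsm:
    """Constructed stand-in for the ESM API; records the calls it receives."""

    def __init__(self) -> None:
        self.assigned: Dict[str, str] = {}          # vm_id -> profile_id
        self.calls: List[Tuple[str, str]] = []

    def assign_security_profile(self, vm_id: str, profile_id: str) -> None:
        self.assigned[vm_id] = profile_id
        self.calls.append(("assignSecurityProfile", vm_id))

    def unassign_security_profile(self, vm_id: str) -> None:
        self.assigned.pop(vm_id, None)
        self.calls.append(("unassignSecurityProfile", vm_id))


class EsPlugin:
    """Plug-in side: tenant-checked offering table plus the three hooks the
    slides attach to VirtualMachineGuru (finalizeStart/Stop/Expunge)."""

    def __init__(self, esm: FakeEsm) -> None:
        self.esm = esm
        self.vm_state: Dict[str, str] = {}      # CS view of each VM's state
        self.vm_owner: Dict[str, str] = {}      # vm_id -> account id
        self.offering_of: Dict[str, str] = {}   # persisted <VM, offering> rows

    def register_vm(self, vm_id: str, account: str) -> None:
        """A VM created in CS starts out Stopped and belongs to one account."""
        self.vm_owner[vm_id] = account
        self.vm_state[vm_id] = STOPPED

    # Workflow: Apply security offering
    def apply_security_offering(self, vm_id: str, offering_id: str, caller: str) -> bool:
        """Returns True when the profile was pushed to ESM right away."""
        if self.vm_owner.get(vm_id) != caller:    # multi-tenant check is done in CS
            raise PermissionError(f"{caller} does not own {vm_id}")
        self.offering_of[vm_id] = offering_id     # 2) persist the mapping
        if self.vm_state[vm_id] == RUNNING:       # 3) assign only if running
            self.esm.assign_security_profile(vm_id, offering_id)
            return True
        return False

    # Workflow: Start Virtual Machine (finalizeStart)
    def finalize_start(self, vm_id: str) -> Optional[str]:
        self.vm_state[vm_id] = RUNNING
        profile = self.offering_of.get(vm_id)   # 3) get profile from DB
        if profile is not None:
            self.esm.assign_security_profile(vm_id, profile)   # 4) assign
        return profile

    # Workflow: Stop Virtual Machine (finalizeStop)
    def finalize_stop(self, vm_id: str) -> None:
        self.vm_state[vm_id] = STOPPED
        if vm_id in self.offering_of:             # mapping stays; only ESM side is cleared
            self.esm.unassign_security_profile(vm_id)

    # Workflow: Destroy Virtual Machine (finalizeExpunge)
    def finalize_expunge(self, vm_id: str) -> None:
        self.vm_state[vm_id] = EXPUNGED
        if vm_id in self.esm.assigned:            # defensive: a missed stop hook
            self.esm.unassign_security_profile(vm_id)
        self.offering_of.pop(vm_id, None)         # remove the row
        self.vm_owner.pop(vm_id, None)


def run_lifecycle() -> List[Tuple[str, str]]:
    """Constructed walk-through: apply while stopped, start, stop, start, stop, destroy."""
    esm = FakeEsm()
    plugin = EsPlugin(esm)
    plugin.register_vm("vm-1", "acct-a")
    plugin.apply_security_offering("vm-1", "web-server-profile", "acct-a")
    plugin.finalize_start("vm-1")
    plugin.finalize_stop("vm-1")
    plugin.finalize_start("vm-1")
    plugin.finalize_stop("vm-1")
    plugin.finalize_expunge("vm-1")
    return esm.calls


if __name__ == "__main__":
    for call in run_lifecycle():
        print(*call)
```

Two points worth noticing when running it: the offering row survives a stop (so the profile comes back on the next start without the user re-applying it), and the ownership check in apply_security_offering is what makes the offering multi-tenant even though ES itself has no tenant concept.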
Workflow: Add a new host

[Diagram: 1) call CS API addHost; 2) add host; 3) deploy ESVA on the Hypervisor; 5) call ESM API to activate the ESVA]

1)   User or UI calls CS API (addHost)
2)   CS adds the new hypervisor host as usual
3)   Deploy ESVA
4)   Plug-in persists the ESVA info
Workflow: Maintain a host

[Diagram: 1) call CS API prepareHostForMaintenance; 2) power off the ESVA on the Hypervisor; 3) call ESM API to de-activate the ESVA]

1) User or UI calls CS API (prepareHostForMaintenance)
2) Stop the ESVA on it
    • Update ESVA status in DB
3) Plug-in calls ESM API to deactivate the ESVA
    • Unassign security profiles from VMs that cannot be migrated
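The "ESVA management" problem and the enable-protection, add-host and maintain-host workflows all come down to one invariant: every Up host in a protected cluster has exactly one running, activated ESVA, and a host leaving service takes its ESVA out of ESM and drops protection for the VMs left on it. The model below is an added example, not the plug-in's code; Host, Esva, EsvaManager, FakeEsm and missing_esvas are constructed here, and the ESM calls and the deploy step are stand-ins for the real ESM API and the CS service offering/template deployment.

```python
"""Model of per-hypervisor ESVA management in the plug-in.
Added example: FakeEsm stands in for the ESM API, the Host/Esva records for
the CS database rows, and _ensure_esva for deploy + start + activate."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

UP, MAINTENANCE = "Up", "Maintenance"
RUNNING, STOPPED = "Running", "Stopped"


@dataclass
class Host:
    host_id: str
    cluster_id: str
    state: str = UP


@dataclass
class Esva:
    """The persisted ESVA info for one host."""
    host_id: str
    state: str = STOPPED
    activated: bool = False   # whether ESM has been asked to activate it


class FakeEsm:
    """Constructed stand-in for the ESM API; records what it was asked to do."""

    def __init__(self) -> None:
        self.active: Set[str] = set()
        self.calls: List[Tuple[str, str]] = []

    def activate_esva(self, host_id: str) -> None:
        self.active.add(host_id)
        self.calls.append(("activate", host_id))

    def deactivate_esva(self, host_id: str) -> None:
        self.active.discard(host_id)
        self.calls.append(("deactivate", host_id))

    def unassign_security_profile(self, vm_id: str) -> None:
        self.calls.append(("unassignSecurityProfile", vm_id))


class EsvaManager:
    def __init__(self, esm: FakeEsm) -> None:
        self.esm = esm
        self.hosts: Dict[str, Host] = {}
        self.esvas: Dict[str, Esva] = {}
        self.protected_clusters: Set[str] = set()

    # Workflow: Enable Security protection (cluster-wide)
    def enable_security_protection(self, cluster_id: str) -> List[str]:
        self.protected_clusters.add(cluster_id)
        return [self._ensure_esva(h) for h in self.hosts.values()
                if h.cluster_id == cluster_id and h.state == UP]

    # Workflow: Add a new host; returns True when an ESVA was deployed for it
    def add_host(self, host: Host) -> bool:
        self.hosts[host.host_id] = host
        if host.cluster_id in self.protected_clusters:
            self._ensure_esva(host)
            return True
        return False

    # Hypervisor reboot: the ESVA must come back without operator action
    def host_rebooted(self, host_id: str) -> None:
        host = self.hosts[host_id]
        host.state = UP
        if host.cluster_id in self.protected_clusters:
            self._ensure_esva(host)

    # Workflow: Maintain a host
    def prepare_host_for_maintenance(self, host_id: str, unmigratable_vms: List[str]) -> None:
        host = self.hosts[host_id]
        esva = self.esvas.get(host_id)
        if esva is not None:
            esva.state = STOPPED                 # 2) stop ESVA, update status in DB
            esva.activated = False
            self.esm.deactivate_esva(host_id)    # 3) de-activate it on ESM
        for vm_id in unmigratable_vms:           # VMs staying behind lose their ESVA
            self.esm.unassign_security_profile(vm_id)
        host.state = MAINTENANCE

    def missing_esvas(self) -> List[str]:
        """Hosts that should have a running ESVA but do not: the check behind
        'make sure ESVA is running on each hypervisor'."""
        return sorted(h.host_id for h in self.hosts.values()
                      if h.cluster_id in self.protected_clusters and h.state == UP
                      and (h.host_id not in self.esvas
                           or self.esvas[h.host_id].state != RUNNING))

    def _ensure_esva(self, host: Host) -> str:
        """Deploy (with the configured offering/template), start, activate, persist."""
        esva = self.esvas.setdefault(host.host_id, Esva(host.host_id))  # persist row
        if esva.state != RUNNING:
            esva.state = RUNNING                 # CS starts the appliance VM
        if not esva.activated:
            self.esm.activate_esva(host.host_id)
            esva.activated = True
        return host.host_id
```

missing_esvas is the piece a defender would wire to a periodic check or an alert: a host that is Up in a protected cluster without a running ESVA is a host whose VMs are silently unprotected, which is exactly the gap the hypervisor-based model is meant to close.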
Workflow: Query Events/Alerts

[Diagram: 1) call plug-in API querySecurityEvents on the ElasterShield Plug-in / CloudStack Manager; 2) call ESM API on the ElasterShield Manager]

1) User or external UI calls plug-in API (querySecurityEvents)
    • With query parameters such as time, VM id, user id, etc.

2) Plug-in calls ESM’s API to fetch events/alerts
Workflow: ESVA upgrading

[Diagram: 1) call plug-in API upgradeESVA on the ElasterShield Plug-in / CloudStack Manager; 2) call ESM API to upgrade; 3) ESM notifies ESVA; 4) ESVA downloads the upgrade package from a Web server]

1)   Call plug-in API to upgrade ESVA, with a URL parameter
2)   Plug-in forwards the API call to ESM
3)   ESM notifies all ESVAs to upgrade
4)   ESVA downloads the upgrade package from the specified URL
5)   ESVA upgrades itself; it still functions during the upgrade.
Summary & Future work
• Summary
  – Develop plug-in with existing CS framework
  – Leverage CS to manage security virtual appliance
  – Tailor process
• Future work
  – Make the security offering more generic
  – Make it easier for CS to introduce a new system VM

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Integrate 3rd party security solution into CloudStack

1. Integrate Security Product with Cloudstack
   Written by: Mice Xia, mice_xia@tcloudcomputing.com

2. About me
   • Project manager from TCloud Computing Ltd, Beijing, China
   • Apache CloudStack Committer
   • About TCloud
     – Provides cloud platform product/service to Chinese customers
     – Based on CloudStack
   • About this topic
     – Based on the practice and on-going work
     – Goal: bring some insights into integration between CS and security products

3. Outline
   • Background
   • Three categories of solutions
   • Integration goal and problems
   • Architecture
   • Workflow
   • Future work

4. Background
   • CS does an excellent job for building clouds
   • Growing need for solutions to secure the cloud
   • Seek security solutions to work with CS:
     – Works for both private and public cloud
     – Multi-tenant, self-service
     – Easy to provision
     – Resource effective
     – Easy to integrate

5. Agent-based
   • Widely implemented in physical environments
   • Relies on the agent installed on the guest OS
   • Network connection to a pattern/management server
   • Not much IaaS-level integration
   • Cons
     – Instant-on gap (a VM is unprotected from power-on until its agent is up and has current patterns)
     – Resource contention (every guest runs its own agent)
   [Diagram: Pattern/Mgmt Server reached through the CS Virtual Router from the Guest Network, where Guest VM 1 … Guest VM N each run an Agent]

6. Gateway-based
   • Agentless, widely adopted in physical environments
   • Detects and prevents by capturing network traffic, in offline (tap) mode or inline mode
   • Works fine with simple L3 requirements
   • Cons
     – Network-traffic based only
     – Uneasy to provide inter-user and inter-VM protection (east-west traffic that never passes the gateway is never seen)
   [Diagram: Router – Core Switch – Availability Zone (Pod 1 … Pod N); the gateway sits at the router/core switch in either offline or inline mode]
7. Hypervisor-based
   • Dedicated to virtual environments
   • Agentless for the user VM; needs an 'agent' (module) on the hypervisor
   • Captures network traffic
   • Scans VM memory
   • Can work with any complex network environment
   [Diagram: several User VMs on one Hypervisor, with the security Module running on the hypervisor]

8. Brief intro to ElasterShield
   • Hypervisor-based security product
   • Features
     – Firewall (L2, L3, L4)
     – IDS/IPS
     – Application control
     – Web server protection
     – Anti-malware (roadmap)
   • For IT admins, no multi-tenancy
   • Rules: define what triggers an event
   • Profiles: a set of enabled rules
   [Diagram: <VM, Profile/Rules> → ElasterShield → Events/Alerts]

9. Brief intro to ElasterShield (cont.)
   • ElasterShield Manager (ESM)
     – Stores rules/profiles
     – Provides UI / web service API
     – Sends commands to ESVAs
   • Security Virtual Appliance (ESVA)
     – One per hypervisor, stateless
     – Hypervisor redirects the VMs' traffic to the ESVA
     – Includes an engine to do the detection/prevention
     – Bi-directional communication between ESM and ESVA
     – No impact to user VMs if the ESVA stops (i.e. it fails open: the VMs keep their connectivity, but their traffic is not inspected until the ESVA is back)
   [Diagram: ESM on top; on each Hypervisor an ESVA beside the User VMs]

10. Integration goal
   • CS integrates ES
   • Security as a service, ES as a service provider
   • Multi-tenant: defined by admins, subscribed by users, provisioned to VMs
   • Security offering == security profiles
   • Export new CS APIs
   • Generic to hypervisor-based solutions (hopefully)
   • No change to ES code, keep it as it is
   • Minimum change to CS 4.0 existing code

11. Problems: Networking
   • Bi-directional communication is required between ESM and ESVA
   • Deploy ESVA as a user VM?
     – Connects to the guest network
     – Basic zone: ingress rules
     – Advanced zone: virtual router NAT problem (an isolated guest network sits behind the VRouter's NAT, so ESM cannot initiate connections to the ESVA)
     – Another dedicated shared network?
   • Solution: via the management network
     – Works for both basic and advanced zones
     – ESVA as a special VM managed by CS
     – Connect it to the management network programmatically
   [Diagram: Public Network, Shared Guest Network, Management Network and Isolated Guest Network; ESM on the management network, the ESVA's placement marked "?", user VMs behind the VRouter]

12. Problems: ESVA management
   • Make sure an ESVA is running on each hypervisor
     – When a new host is added, an ESVA should be deployed automatically on the host
     – When a hypervisor is rebooted, its ESVA should be started automatically
     – Can be destroyed manually and re-deployed
   • Similar to SystemVM/VRouter
     – Managed by CS, transparent to end users
     – Per-hypervisor basis

13. Problems: VM life cycle conflicts
   • User VM state mismatch
     – ES can detect VM state changes by polling events directly from the hypervisor:
       • Enable the VM's profile when it gets started
       • Disable the VM's profile when it gets stopped
       • Un-assign the profile when it gets destroyed
     – This does not work: CS removes the VM from the hypervisor when it gets stopped, so from the hypervisor's point of view a stopped, a destroyed and a removed VM all look the same:
       CS VM state: Stopped / Destroyed / Removed  →  Hypervisor VM state: Destroyed (missing) in all three cases
     – Solution: CS controls profile (un)assignment to the VM, based on the VM state in CS
14. Architecture overview
   [Diagram: a client calls the new CS API; inside the CloudStack Manager the ES Plug-in calls the ESM API over the management network; ESM talks over the management network to one ESVA per hypervisor, managed by CS, alongside the user VMs]

15. Integrate as a CS plug-in
   • Provide security-related APIs
   • Treat ESM as a resource and send commands to it
   • ESVA monitoring and management
   • Tailor the user VM lifecycle with the existing framework
   • Tailor hypervisor management

16. Plug-in
   • New manager/service for ESVA and ESM (ESVAManager, ESMManager)
   • Extends several CS managers to tailor processes (e.g. ESMUserVMManagerImpl)
   • A new resource for calling ESM APIs (ESMResource)
   • DAOs for security-related database operations
   [Diagram: CS REST API → Plugin API → ESVAManager / ESMManager / ESMUserVMManagerImpl / … → ESMResource and the Data Access Layer]

17. Workflow: Add ESM
   1) Admin user or external UI calls the plug-in API (addElasterShield)
      • Parameters include ESM URL/account/password
      • One ESM per zone or per installation?
   2) Plug-in calls ESM's APIs to:
      • Test the connection with the specified authentication
      • Get ESM info such as version, license, etc.
   3) Plug-in persists the ESM info into the CS database
      • The ESM account/password are the credentials for the whole security service; store them encrypted, the way CS treats its other stored secrets, not in the clear
   [Diagram: CloudStack Manager (ElasterShield Plug-in) → ElasterShield Manager; plug-in → Database]

18. Workflow: Enable security protection
   1) Admin user or external UI calls the plug-in API (enableSecurityProtection)
      • Cluster-wide enable
   2) ES plug-in deploys an ESVA on each host of the cluster
      • With the specified service offering and template
      • Starts the ESVA on each hypervisor of the cluster
   3) Activate the ESVAs
      • Plug-in calls the ESM API to activate each ESVA
   [Diagram: CloudStack Manager (ES Plug-in) starts an ESVA on each Hypervisor of the cluster, then calls ESM to activate them]

19. Workflow: List security offerings
   1) User or external UI calls the plug-in API (listSecurityOffering)
      • Fetch all security offerings, with query parameters: id, name, description
   2) Plug-in calls ESM's API (listSecurityProfiles) to list the security profiles from ESM
   [Diagram: CloudStack Manager (ElasterShield Plug-in) → ElasterShield Manager]

20. Workflow: Define security profiles
   • Admin defines rules/profiles
   • For this stage, this will not be implemented in the plug-in, because it is product-specific
   • Admins use ESM's UI to define profiles
   • Users use the plug-in API to list and apply profiles
   [Diagram: same call path as slide 19: plug-in API listSecurityOffering → ESM API listSecurityProfiles]

21. Workflow: Apply security offering
   1) User or external UI calls the plug-in API (applySecurityOffering)
      • Specify VM id and security offering id
   2) Plug-in persists the <VM, offering> mapping into the DB
      • Addresses the multi-tenant problem: ESM has no notion of tenants, so CS, which knows each VM's owner, keeps the mapping and checks that the caller owns the VM
   3) Plug-in calls the ESM API (assignSecurityProfile) to assign the corresponding profile if the VM is running
   [Diagram: CloudStack Manager (ElasterShield Plug-in) → Database; → ElasterShield Manager]

22. Workflow: Start virtual machine
   1) User or UI calls the CS API (startVirtualMachine)
   2) CS checks the ESVA status and starts the user VM as usual
   3) After the user VM is started, the plug-in gets this VM's profile from the DB (VirtualMachineGuru.finalizeStart)
   4) Plug-in calls the ESM API (assignSecurityProfile) to assign the profile to the VM
   5) ESM notifies the ESVA on the same hypervisor as the VM to put the profile into effect
   Note that the profile is applied only after the VM is already running (steps 3–5 follow step 2), so there is still a short window in which the VM runs without its profile, comparable to the instant-on gap noted for agent-based products on slide 5; here it is bounded by the plug-in/ESM round trip rather than by an agent starting inside the guest.
   [Diagram: CS API startVirtualMachine → CloudStack Manager starts the User VM on the Hypervisor; ElasterShield Plug-in → Database, → ElasterShield Manager → ESVA]

23. Workflow: Stop virtual machine
   1) User or UI calls the CS API (stopVirtualMachine)
   2) CS powers off the user VM as usual
   3) After the user VM is shut down, the plug-in gets this VM's profile (VirtualMachineGuru.finalizeStop)
   4) Plug-in calls the ESM API (unassignSecurityProfile) to unassign the profile from the VM
   5) ESM notifies the ESVA on the same hypervisor as the VM to put the change into effect
   [Diagram: same call path as slide 22, with unassignSecurityProfile in place of assignSecurityProfile]

24. Workflow: Destroy virtual machine
   1) User or UI calls the CS API (destroyVirtualMachine)
      • The VM is destroyed as usual by CS
   2) When the VM gets expunged, the plug-in removes the <VM, profile> mapping from the DB (VirtualMachineGuru.finalizeExpunge)
   [Diagram: CS API destroyVirtualMachine → CloudStack Manager; ElasterShield Plug-in → Database]
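The lifecycle handling on slides 13 and 21–24 is easiest to see as code. The following is an added example written for this page, not the ElasterShield plug-in's own code: it models the plug-in side (the offering API and the three VirtualMachineGuru hooks) against a stand-in ESM client whose method names, profile ids and VMs are assumptions and constructed sample data. It shows the two points the slides make: CS, not hypervisor polling, drives assign/unassign, and the <VM, offering> mapping lives in CS so that a tenant cannot subscribe another tenant's VM.

```python
"""Added example (not the plug-in's own code): a model of the profile controller
on slides 13 and 21-24.  CloudStack (CS) is the source of truth for VM state;
the plug-in assigns/unassigns ESM profiles from the CS lifecycle hooks and
keeps the <VM, offering> mapping in the CS database so tenancy can be checked.
EsmClient is a stand-in for the ESM web-service API (names are assumptions)."""

from dataclasses import dataclass

# CS user-VM states referenced on the slides
RUNNING, STOPPED = "Running", "Stopped"


class EsmClient:
    """Stand-in for ESM: tracks the profile ESM believes each VM has and logs
    every call so the effect of each lifecycle step can be checked."""

    def __init__(self):
        self.assigned = {}   # vm_id -> profile_id, as ESM sees it
        self.calls = []      # ordered log of (op, ...) tuples

    def list_security_profiles(self):
        # constructed sample profiles; the real ESM returns the admin-defined ones
        return {"p-web": "Web server protection", "p-db": "Database server"}

    def assign_security_profile(self, vm_id, profile_id):
        self.calls.append(("assign", vm_id, profile_id))
        self.assigned[vm_id] = profile_id

    def unassign_security_profile(self, vm_id):
        self.calls.append(("unassign", vm_id))
        self.assigned.pop(vm_id, None)


@dataclass
class UserVm:
    vm_id: str
    account: str          # owning tenant: known to CS, unknown to ESM
    state: str = STOPPED


class SecurityPlugin:
    """The plug-in side: offering API plus the three VirtualMachineGuru hooks."""

    def __init__(self, esm):
        self.esm = esm
        self.vms = {}              # subset of CS's VM table
        self.offering_of = {}      # plug-in table: vm_id -> offering/profile id

    def register_vm(self, vm):
        self.vms[vm.vm_id] = vm

    def list_security_offering(self):
        # slide 19: offerings are ESM profiles, listed straight from ESM
        return self.esm.list_security_profiles()

    def apply_security_offering(self, caller_account, vm_id, offering_id):
        # slide 21: persist the mapping; push to ESM only if the VM is running
        vm = self.vms[vm_id]
        if vm.account != caller_account:
            # ESM has no tenants, so CS must refuse cross-tenant subscriptions
            raise PermissionError(f"{caller_account} does not own {vm_id}")
        if offering_id not in self.list_security_offering():
            raise ValueError(f"unknown security offering {offering_id}")
        self.offering_of[vm_id] = offering_id
        if vm.state == RUNNING:
            self.esm.assign_security_profile(vm_id, offering_id)

    # --- CS lifecycle hooks ------------------------------------------------
    def finalize_start(self, vm_id):
        # slide 22: VM is up; assign its stored profile (the gap closes here)
        self.vms[vm_id].state = RUNNING
        profile = self.offering_of.get(vm_id)
        if profile is not None:
            self.esm.assign_security_profile(vm_id, profile)

    def finalize_stop(self, vm_id):
        # slide 23: CS removes a stopped VM from the hypervisor, so the
        # unassign must be driven from here, not from hypervisor events
        self.vms[vm_id].state = STOPPED
        if vm_id in self.offering_of:
            self.esm.unassign_security_profile(vm_id)

    def finalize_expunge(self, vm_id):
        # slide 24: the VM is gone for good; drop the mapping
        self.offering_of.pop(vm_id, None)
        self.vms.pop(vm_id, None)


def demo():
    """Walks one VM through subscribe -> start -> stop -> start -> stop -> expunge."""
    esm = EsmClient()
    plugin = SecurityPlugin(esm)
    plugin.register_vm(UserVm("vm-1", "alice"))
    plugin.apply_security_offering("alice", "vm-1", "p-web")   # stored only: VM is stopped
    try:
        plugin.apply_security_offering("bob", "vm-1", "p-db")  # another tenant
        cross_tenant_rejected = False
    except PermissionError:
        cross_tenant_rejected = True
    plugin.finalize_start("vm-1")      # profile takes effect now
    plugin.finalize_stop("vm-1")       # CS-driven unassign
    plugin.finalize_start("vm-1")
    plugin.finalize_stop("vm-1")
    plugin.finalize_expunge("vm-1")    # mapping removed with the VM
    return plugin, esm, cross_tenant_rejected


if __name__ == "__main__":
    _plugin, _esm, _rejected = demo()
    for call in _esm.calls:
        print(call)
```

Running the demo produces exactly two assign/unassign pairs, one per start/stop cycle, and leaves no mapping behind after expunge; a real plug-in would back `offering_of` with a DAO and would look the VM's owner up through CS's account model rather than a field on the VM.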
25. Workflow: Add a new host
   1) User or UI calls the CS API (addHost)
   2) CS adds the new hypervisor host as usual
   3) Plug-in deploys an ESVA on the host
   4) Plug-in persists the ESVA info
   5) Plug-in calls the ESM API to activate the ESVA
   [Diagram: CS API addHost → CloudStack Manager adds the Hypervisor and deploys the ESVA on it; ElasterShield Plug-in → ElasterShield Manager to activate]

26. Workflow: Maintain a host
   1) User or UI calls the CS API (prepareHostForMaintenance)
   2) Plug-in stops the ESVA on the host
      • Updates the ESVA status in the DB
   3) Plug-in calls the ESM API to deactivate the ESVA
      • Unassigns the security profiles from VMs that cannot be migrated off the host (those VMs keep running there without inspection for the duration of the maintenance, since the host's only ESVA is down)
   [Diagram: CS API prepareHostForMaintenance → CloudStack Manager powers off the ESVA on the Hypervisor; ElasterShield Plug-in → ElasterShield Manager to deactivate]
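Slides 12, 18, 25 and 26 together describe one invariant: every Up hypervisor in a protected cluster has exactly one running, ESM-activated ESVA. The following added example, written for this page and not the plug-in's own code, models that as a small reconciler: ESVAs are deployed when protection is enabled or a host is added, restarted after a hypervisor reboot, re-deployed if someone destroyed one by hand, and stopped/deactivated when the host enters maintenance. The deploy/start and ESM activate/deactivate calls are stand-ins for the CS and ESM APIs; their names and the host/cluster ids are assumptions.

```python
"""Added example (not the plug-in's own code): per-host ESVA management from
slides 12, 18, 25 and 26.  Deploy/start and ESM activate/deactivate are
stand-ins for the real CS and ESM calls; ids are constructed sample data."""

from dataclasses import dataclass

UP, MAINTENANCE = "Up", "Maintenance"       # CS host states used here
RUNNING, STOPPED = "Running", "Stopped"     # ESVA power state as stored by the plug-in


@dataclass
class Host:
    host_id: str
    cluster_id: str
    state: str = UP


@dataclass
class Esva:
    vm_id: str
    host_id: str
    status: str = STOPPED
    activated: bool = False    # whether ESM has been told to use this ESVA


class EsvaManager:
    def __init__(self):
        self.hosts = {}                 # host_id -> Host (subset of CS host table)
        self.esvas = {}                 # host_id -> Esva (the plug-in's ESVA table)
        self.protected_clusters = set()
        self.esm_log = []               # ("activate"/"deactivate", esva vm_id)
        self._seq = 0

    # slide 18: enableSecurityProtection, cluster wide
    def enable_security_protection(self, cluster_id):
        self.protected_clusters.add(cluster_id)
        return [self._ensure_esva(h) for h in self.hosts.values()
                if h.cluster_id == cluster_id and h.state == UP]

    # slide 25: addHost, then the plug-in hook deploys and activates an ESVA
    def add_host(self, host):
        self.hosts[host.host_id] = host
        if host.cluster_id in self.protected_clusters:
            self._ensure_esva(host)

    # slide 26: prepareHostForMaintenance
    def prepare_host_for_maintenance(self, host_id):
        host = self.hosts[host_id]
        host.state = MAINTENANCE
        esva = self.esvas.get(host_id)
        if esva is not None and esva.status == RUNNING:
            esva.status = STOPPED                        # power off, record in DB
            self.esm_log.append(("deactivate", esva.vm_id))
            esva.activated = False

    # events the plug-in observes from CS (slide 12)
    def hypervisor_rebooted(self, host_id):
        # after a reboot the appliance is down; the plug-in sees it as Stopped
        if host_id in self.esvas:
            self.esvas[host_id].status = STOPPED

    def esva_destroyed_manually(self, host_id):
        self.esvas.pop(host_id, None)

    def reconcile(self):
        """Periodic check (slide 12): every Up host of a protected cluster has a
        running, activated ESVA.  Returns (host_id, action) per host checked."""
        return [(h.host_id, self._ensure_esva(h)) for h in self.hosts.values()
                if h.state == UP and h.cluster_id in self.protected_clusters]

    def _ensure_esva(self, host):
        esva = self.esvas.get(host.host_id)
        if esva is None:
            self._seq += 1                               # stand-in for CS deploying the system VM
            esva = Esva(f"esva-{self._seq}", host.host_id)
            self.esvas[host.host_id] = esva
            action = "deployed"
        elif esva.status == STOPPED:
            action = "restarted"
        else:
            action = "ok"
        esva.status = RUNNING
        if not esva.activated:                           # slides 18/25: ESM must know the ESVA
            self.esm_log.append(("activate", esva.vm_id))
            esva.activated = True
        return action


def demo():
    m = EsvaManager()
    m.add_host(Host("h1", "c1"))
    m.add_host(Host("h2", "c1"))
    first = m.enable_security_protection("c1")     # deploys esva-1, esva-2
    m.add_host(Host("h3", "c1"))                   # auto-deploys esva-3
    m.hypervisor_rebooted("h1")                    # esva-1 came back powered off
    m.esva_destroyed_manually("h2")                # esva-2 is gone
    m.prepare_host_for_maintenance("h3")           # esva-3 stopped and deactivated
    fixes = dict(m.reconcile())                    # h1 restarted, h2 re-deployed, h3 skipped
    return m, first, fixes


if __name__ == "__main__":
    _m, _first, _fixes = demo()
    print(_first, _fixes, _m.esm_log)
```

The reconciler is deliberately idempotent: running it against a healthy cluster reports "ok" for every host and issues no ESM calls, which is what a periodic check in a CS manager needs in order to be safe to schedule.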
27. Workflow: Query events/alerts
   1) User or external UI calls the plug-in API (querySecurityEvents)
      • With query parameters such as time, VM id, user id, etc.
      • Because ESM has no tenant concept, the plug-in has to restrict the query to the caller's own VMs (the <VM, offering> mapping tells it which ones those are) before forwarding it
   2) Plug-in calls ESM's API to fetch the events/alerts
   [Diagram: CloudStack Manager (ElasterShield Plug-in) → ElasterShield Manager]

28. Workflow: ESVA upgrading
   1) Call the plug-in API (upgradeESVA) with a URL parameter
   2) Plug-in forwards the request to ESM
   3) ESM notifies all ESVAs to upgrade
   4) Each ESVA downloads the upgrade package from the specified URL (a web server)
   5) Each ESVA upgrades itself; it still functions during the upgrade
   Step 4 fetches code that every ESVA in the installation will run, so the upgradeESVA API should be admin-only and the ESVA should verify the package (signature or checksum) before installing it.
   [Diagram: CloudStack Manager (ElasterShield Plug-in) → ElasterShield Manager → ESVA on each Hypervisor; ESVA → Web server]

29. Summary & future work
   • Summary
     – Develop the plug-in with the existing CS framework
     – Leverage CS to manage the security virtual appliance
     – Tailor processes
   • Future work
     – Make the security offering more generic
     – Make it easier for CS to introduce a new system VM