Skip to main content

Chapter 12: Security on AWS

Yes, I know I'm going backwards. I ignored this long boring looking chapter as long as I could. It seems to be more of the same stuff as elsewhere related to security.

I'll start by highlighting things I don't know about.

Service Health Dashboard


Service Health Dashboard - this is where you here about nasty things from AWS.

This has an exhaustive list of regions and services and any issues impacting them. Nice.

There's also a phd, a personal health dashboard (how to get an instant PhD)

I guess this just tells you about regions/services that you having running? Mines empty at present.
Oh, it's listed under premium services. It would nice it they told you that when you tried using it?

Time-Based One-Time Password (TOTP) Standard


Sure, I've heard of this before, it's used for two-factor authentication/multi-factor authentication (MFA). But how does it work?

Here's a good overview of OTP and the 2 main approaches for generating them, HOTP and TOTP:

One-Time Passwords (OTP) are pretty much what their name says: a password that can be only used one time. Comparing to regular passwords OTP is considered safer since the password keeps on changing, meaning that it isn’t vulnerable against replay attacks.
When it comes to authentication mechanisms, usually OTP is used as an additional authentication mechanism (hence OTP is commonly referred to as two factor authentication/second factor authentication/step-up authentication). The main/first authentication step is still using regular passwords, so in order your authentication to be successful you need to prove two things: knowledge and possession of a secret.
Since the OTP is only usable once, memorizing them isn’t quite simple. There is two main way of acquiring these One-Time Passwords:
  • hardware tokens: for example YubiKey devices, which you can plug in to your USB port and will automatically type in the OTP code for you.
  • software tokens: like Google Authenticator, in this case a simple Android application displays you the OTP code which you can enter on your login form.
There is two main standard for generating One-Time Passwords: HOTP and TOTP, both of which are governed by the Initiative For Open Authentication (OATH). In the followings we will discuss the differences between these algorithms and finally we will attempt to use these authentication mechanisms with OpenAM.

HMAC-BASED ONE-TIME PASSWORD ALGORITHM

This algorithm relies on two basic things: a shared secret and a moving factor (a.k.a counter). As part of the algorithm an HmacSHA1 hash (to be precise it’s a hash-based message authentication code) of the moving factor will be generated using the shared secret. This algorithm is event-based, meaning that whenever a new OTP is generated, the moving factor will be incremented, hence the subsequently generated passwords should be different each time.

TIME-BASED ONE-TIME PASSWORD ALGORITHM

This algorithm works similarly to HOTP: it also relies on a shared secret and a moving factor, however the moving factor works a bit differently. In case of TOTP, the moving factor constantly changes based on the time passed since an epoch. The HmacSHA1 is calculated in the same way as with HOTP.

WHICH ONE IS BETTER?

The main difference between HOTP and TOTP is that the HOTP passwords can be valid for an unknown amount of time, while the TOTP passwords keep on changing and are only valid for a short window in time. Because of this difference generally speaking the TOTP is considered as a more secure One-Time Password solution.
Wikipedia explains TOTP as simply a variation of HOTP:
TOTP is based on HOTP with a timestamp replacing the incrementing counter.
The current timestamp is turned into an integer time-counter (TC) by defining the start of an epoch (T0) and counting in units of a time step (TS). For example:
TC = floor((unixtime(now) − unixtime(T0)) / TS),
TOTP = HOTP(SecretKey, TC),
TOTP-Value = TOTP mod 10d, where d is the desired number of digits of the one-time password.

The Linux Hypervisor: PV or HVM?

The book says that EC2 uses a customised version of the the Xen hypervisor, using paravirtualization (Linux). And the advantage is better security. Applications run in the outer ring (3), and the guest OS runs in level 1 rather than 0.
In the AMI list these are PV images. There are also HVM - Hardware Virtual Machine images. What are these? This blog compares them and suggests that HVMs may be better:
This is confusing. The book doesn't mention HVM.  Cloudacademy blog says that PV may be faster, but that HVM is catching up and that:
Amazon currently recommends users choose HVM instead of PV.
Given that this chapter is about security I'm now confused about what the security tradeoffs are between PV and HVM?
Can you (like?) to why Xen will be going back to PVM for higher performance?  HVM has its limitations in scaling large IO (Why service providers are abandoning it for KVM for Network Virtualization stuff, even if KVM's management stack isn't as robust).  
VMware has ParaVirtual vSCSI HBA"s and Network IO devices. They quit using paravirutalization for compute from my understanding because...
1.  modern virutaliation expansions are fast, and the memory management stuff at scale was way faster. 
2. security of RING-0 for memory is WAY more important than trying to squeeze a few extra % out. 
3. PV actually was never as important with a microkernel design for high throughput operations as your not having to hairpin stuff through a DOM0/ManagementVM like Xen/Hyper-V. KVM enjoys this benefit in the network throughput world.
Amazon's testing of PVM vs. PV-HVM (The use of HVM with PV drivers) found that PV-HVM was just as fast with PV IO devices. PVM's lack of access to advanced memory page table's offload (SLAT?) can even give HVM some advantages. Legacy boot emulation is the only other thing I can think that PVM does better (Not a major consideration).  

Instance Isolation

This is very interesting and I'll think I'll have to come back to this for more detailed examination. Of particular note is that "the AWS firewall resides within the hypervisor layer" and "customer instance have no access to raw disk devices, but instead are presented with virtualized disks". The AWS proprietary disk virtualisation layer resets very block of storage used by the customer ... memory is scrubbed by the hypervisor when it is unallocated to a guest and not returned to the free pool until memory scrubbing is complete.
TODO Where is the best AWS documentation for this???

Host Operating System

Administrative hosts protect the "management plane" of the cloud. What's this???




A plane, in a networking context, is one of three integral components of a telecommunications architecture. These three elements -- the data plane, the control plane and the management plane – can be thought of as different areas of operations. Each plane carries a different type of traffic and is conceptually (and often in reality) an overlay network (a telecommunications network that runs independently on top of another one, although supported by its infrastructure).
The data plane (sometimes known as the user plane, forwarding plane, carrier plane or bearer plane) carries the network user traffic. The control plane carries signaling traffic. Control packets originate from or are destined for a router. The management plane, which carries administrative traffic, is considered a subset of the control plane.
In conventional networking, all three planes are implemented in the firmware of routers and switches. Software-defined networking (SDNdecouples the data and control planes, removes the control plane from network hardware and implements it in software instead, which enables programmatic access and, as a result, makes network administration much more flexible.  
Moving the control plane to software allows dynamic access and administration. A network administrator can shape traffic from a centralized control console without having to touch individual switches. The administrator can change any network switch's rules when necessary -- prioritizing, de-prioritizing or even blocking specific types of packets with a very granular level of control. 
Blog - Data Control and Management Planes.jpg


Elastic Load Balancing Security

AWS ELB can take over many of the security functions of a firewall. What puzzled me was supports end to end encryption using TLS. What's this? (formerly SSL). It's called Transport Layer Security and has been around since 1999. Not sure why I havn't come across it. The differences between SSL and TLS look many and varied.


SSL versus TLS infographic


They conclude that:

SSL v3.0 is effectively “dead” as a useful security protocol.  Places that still allow its use for web hosting as placing their “secure web sites” at risk; Organizations that allow SSL v3 use to persist for other protocols (e.g. IMAP) should take steps to remove that support at the soonest software update maintenance window.

So still puzzled that I havn't come across it before now. Good that AWS uses TLS.

Finally (for now) ELB allows the use of "Perfect Forward Secrecy", session keys that are ephemeral.  The problem is that the docs refer to it but don't document it!


Your search for "Perfect Forward Secrecy" returned no results.

Please try the following recommendations to optimize your search:
  • Double check your spelling
  • Try different keywords

This deep dive mentions it. The AWS support forums don't discuss it either. Is it real? useful? dead?

Slide 27 SSL Offloading

SSL Offloading Support for both SSL and HTTPs is provided. Support for latest ciphers and protocols, including Elliptical Curve Ciphers and Perfect Forward Secrecy. Ability to fully customize ciphers and protocols to be used by each load balancer. SSL Negotiation Suites provided to remove complexity of selecting ciphers and protocols.

So what is Perfect Forward Secrecy? PFS.
This ASD page discusses it.

AWS does mention it here (under KMS)

And the ELB release notes for 2014 mention it and refer you to the docs.
I guess the Perfect Forward Secrecy content is the different ciphers available using ECDHE?

New Security FeaturesWith this release, Elastic Load Balancing adds support for Perfect Forward Secrecy through Elliptic Curve key exchange (ECDHE), Server Order Preference, and a new Predefined Security Policy that includes TLS 1.1 and 1.2 protocols and ciphers. For more information on the new security features, see SSL Negotiation Configurations for Elastic Load Balancing in the Amazon Elastic Load Balancing Developer Guide.

Comments

  1. Nice post,and good information Thanks for sharing
    further check it once at AWS Online Training

    ReplyDelete
  2. Want to change your career in Selenium? Red Prism Group is one of the best training coaching for Selenium in Noida. Now start your career for Selenium Automation with Red Prism Group. Join training institute for selenium in noida.

    ReplyDelete

Post a Comment

Popular posts from this blog

Chapter 11: AWS Directory Service, Cloud Directory

AWS Solution Architecture Certification Postscript

Chapter 2: Amazon Simple Storage Service (S3) and Amazon Glacier Storage (for storing your beer?)