diff --git a/doc/src/docbkx/common/glossary/glossary-terms.xml b/doc/src/docbkx/common/glossary/glossary-terms.xml index a691a6d9c4..023f43cd85 100644 --- a/doc/src/docbkx/common/glossary/glossary-terms.xml +++ b/doc/src/docbkx/common/glossary/glossary-terms.xml @@ -13,7 +13,7 @@ http://www.apache.org/licenses/LICENSE-2.0 - + Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR @@ -22,7 +22,6 @@ permissions and limitations under the License. - A @@ -34,11 +33,19 @@ maximum disk size. + + access control list + + A list of permissions attached to an object. An ACL specifies which users or system processes have access to objects. It also +defines which operations can be performed on specified objects. +Each entry in a typical ACL specifies a subject and an operation. For instance, ACL entry, (Alice, delete), for a file gives Alice permission to delete the file. + + access key - Alternative term for an Amazon EC2 access - key. Refer to EC2 Access key. + Alternative term for an Amazon EC2 access key. + See EC2 Access key. @@ -99,6 +106,12 @@ facilities. + + ACL + + See access control list. + + Active Directory @@ -170,24 +183,33 @@ Amazon Kernel Image (AKI) - Both a VM container format and a VM disk format. + Both a VM container format and disk format. Supported by glance. Amazon Machine Image (AMI) - Both a VM container format and a VM disk format. + Both a VM container format and disk format. Supported by glance. Amazon Ramdisk Image (ARI) - Both a VM container format and a VM disk format. + Both a VM container format and disk format. Supported by glance. + + AMQP + + Advanced Message Queue Protocol. An open + Internet protocol for reliably sending and + receiving messages. It enables building a diverse, + coherent messaging ecosystem. + + Anvil 
@@ -198,12 +220,20 @@ Apache - The Apache Software Foundation provides support - for the Apache community of open-source software - projects, which provide software products for the + The Apache Software Foundation supports + the Apache community of open-source software + projects. These projects provide software products for the public good. + + Apache License 2.0 + + All OpenStack core projects are provided under + the terms of the Apache License 2.0 + license. + + Apache Web Server @@ -212,11 +242,9 @@ - Apache License 2.0 + API - All OpenStack core projects are provided under - the terms of the Apache License 2.0 - license. + Application programming interface. @@ -233,7 +261,7 @@ API extension - A feature of nova and neutron that allows custom + A nova and neutron feature that allows custom modules to extend the core APIs. @@ -458,25 +486,15 @@ - + AWS - + Amazon Web Services. - B - back-end @@ -581,6 +599,17 @@ Supported by nova. + + BMC + + Baseboard Management Controller. The + intelligence in the IPMI architecture, which is a + specialized micro-controller that is embedded on + the motherboard of a computer and acts as a + server. Manages the interface between system + management software and platform hardware. + + bootable disk image @@ -638,10 +667,27 @@ - C + + CA + + Certificate Authority or Certification + Authority. In cryptography, an entity that issues + digital certificates. The digital certificate + certifies the ownership of a public key by the + named subject of the certificate. This allows + others (relying parties) to rely upon signatures + or assertions made by the private key that + corresponds to the certified public key. In this + model of trust relationships, a CA is a trusted + third party for both the subject (owner) of the + certificate and the party relying upon the + certificate. CAs are characteristic of many public + key infrastructure (PKI) schemes. + + cache pruner 
@@ -920,6 +966,12 @@ Linux. + + CMDB + + Configuration Management Database. + + command filter @@ -949,9 +1001,10 @@ Compute API - The nova-api daemon that provides access to the - nova services. Can also communicate with some - outside APIs such as the Amazons EC2 API. + The nova-api +daemon that provides + access to nova services. Can communicate with + other APIs, such as the Amazon EC2 API. @@ -1069,12 +1122,6 @@ on. - controller node @@ -1159,7 +1206,6 @@ - D @@ -1171,6 +1217,17 @@ UDP port. Do not confuse with a worker. + + DAC + + Discretionary access control. Governs the + ability of subjects to access objects, while + enabling users to make policy decisions and assign + security attributes. The traditional UNIX system + of users, groups, and read-write-execute + permissions is an example of DAC. + + dashboard @@ -1178,12 +1235,6 @@ OpenStack. An alternative name for horizon. - data encryption @@ -1211,12 +1262,6 @@ nodes. - deallocate @@ -1233,12 +1278,6 @@ OpenStack. - deduplication @@ -1333,6 +1372,20 @@ environments. + + DHCP + + Dynamic Host Configuration Protocol. A network + protocol that configures devices that are + connected to a network so they can communicate on + that network by using the Internet Protocol (IP). + The protocol is implemented in a client-server + model where DHCP clients request configuration + data such as, an IP address, a default route, and + one or more DNS server addresses from a DHCP + server. + + Diablo @@ -1407,6 +1460,16 @@ horizon. + + DNS + + Domain Name Server. A hierarchical and + distributed naming system for computers, services, + and resources connected to the Internet or a + private network. Associates a human-friendly names + to IP addresses. + + DNS record @@ -1471,6 +1534,12 @@ files, from one computer to another. + + DRTM + + Dynamic root of trust measurement. + + durable exchange @@ -1504,7 +1573,6 @@ - E @@ -1738,7 +1806,6 @@ - F @@ -1796,18 +1863,6 @@ chosen. - - firewall 
@@ -1900,12 +1955,6 @@ (cinder). - FormPost @@ -1929,7 +1978,6 @@ - G @@ -2023,7 +2071,6 @@ - H @@ -2053,14 +2100,14 @@ Horizon - The project that provides the OpenStack - Dashboard. + The OpenStack project that provides a + dashboard, which is a web interface. - + horizon plugin - A plugin for the OpenStack Dashboard + A plugin for the OpenStack dashboard (horizon). @@ -2086,6 +2133,34 @@ channel or network card. + + HTTP + + Hypertext Transfer Protocol. HTTP is an + application protocol for distributed, + collaborative, hypermedia information systems. It + is the foundation of data communication for the + World Wide Web. Hypertext is structured text that + uses logical links (hyperlinks) between nodes + containing text. HTTP is the protocol to exchange + or transfer hypertext. + + + + HTTPS + + Hypertext Transfer Protocol Secure (HTTPS) is a + communications protocol for secure communication + over a computer network, with especially wide + deployment on the Internet. Technically, it is not + a protocol in and of itself; rather, it is the + result of simply layering the Hypertext Transfer + Protocol (HTTP) on top of the SSL/TLS protocol, + thus adding the security capabilities of SSL/TLS + to standard HTTP communications. + + + Hyper-V @@ -2140,10 +2215,23 @@ - I + + IaaS + + Infrastructure as a Service. IaaS is a provision + model in which an organization outsources the + equipment used to support operations, including + storage, hardware, servers and networking + components. The service provider owns the + equipment and is responsible for housing, running + and maintaining it. The client typically pays on a + per-use basis. IaaS is a model for providing cloud + services. + + ID number @@ -2180,6 +2268,13 @@ Service provided through keystone. + + IDS + + Intrusion Detection System + + + image @@ -2294,7 +2389,7 @@ A running VM, or a VM in a known state such as suspended that can be used like a hardware server. - + 
@@ -2363,17 +2458,38 @@ - ip6tables + IPL - Used along with arptables, ebtables, and - iptables to create firewalls in nova. + Initial Program Loader. + + + + IPMI + + Intelligent Platform Management Interface. IPMI + is a standardized computer system interface used + by system administrators for out-of-band + management of computer systems and monitoring of + their operation. In layman's terms, it is a way to + manage a computer using a direct network + connection, whether it is turned on or not; + connecting to the hardware rather than an + operating system or login shell. iptables - Used along with arptables, ebtables, and - ip6tables to create firewalls in nova. + Used along with arptables and ebtables, iptables + create firewalls in nova. iptables are the tables + provided by the Linux kernel firewall (implemented + as different Netfilter modules) and the chains and + rules it stores. Different kernel modules and + programs are currently used for different + protocols; iptables applies to IPv4, ip6tables to + IPv6, arptables to ARP, and ebtables to Ethernet + frames. Requires root privilege to + manipulate. @@ -2405,7 +2521,6 @@ - J @@ -2445,7 +2560,6 @@ - K @@ -2471,7 +2585,6 @@ - L @@ -2558,7 +2671,6 @@ - M @@ -2651,12 +2763,6 @@ within nova. - message queue @@ -2709,7 +2815,6 @@ - N @@ -2936,7 +3041,6 @@ - O @@ -3052,12 +3156,6 @@ OpenStack. - Open vSwitch neutron Plug-in @@ -3101,22 +3199,9 @@ - P - - parent cell @@ -3141,12 +3226,6 @@ within the ring. - partition shift value @@ -3193,12 +3272,6 @@ configuration. - plugin @@ -3207,12 +3280,6 @@ APIs, depending on the context. - policy service @@ -3242,12 +3309,6 @@ distributions. - private image @@ -3275,15 +3336,9 @@ controlled by the flat_interface with flat managers. A VLAN network interface is controlled by the vlan_interface option with VLAN managers. - + - project @@ -3359,18 +3414,6 @@ public_interface option. - - Puppet @@ -3386,7 +3429,6 @@ - Q 
@@ -3407,29 +3449,34 @@ Neutron - A core OpenStack project that provides a network connectivity abstraction - layer to OpenStack Compute. + A core OpenStack project that provides a network + connectivity abstraction layer to OpenStack + Compute. neutron API - API used to access neutron, provides and extensible architecture to allow - custom plugin creation. + API used to access neutron, provides and + extensible architecture to allow custom plugin + creation. neutron manager - Allows nova and neutron integration thus allowing neutron to perform network - management for nova VMs. + Allows nova and neutron integration thus + allowing neutron to perform network management for + nova VMs. neutron plugin - Interface within neutron that allows organizations to create custom plugins - for advanced features such as QoS, ACLs, or IDS. + Interface within neutron that allows + organizations to create custom plugins for + advanced features such as QoS, ACLs, or + IDS. @@ -3441,18 +3488,6 @@ a correct copy is re-replicated. - - Quick EMUlator (QEMU) @@ -3470,7 +3505,6 @@ - R @@ -3556,7 +3590,7 @@ platform should ensure that the reboot action has completed successfully even in cases in which the underlying domain/vm is paused or halted/stopped. - + @@ -3570,8 +3604,7 @@ Recon - A swift component that collects - metrics. + A swift component that collects metrics. @@ -3610,18 +3643,6 @@ OpenStack. - - reference architecture @@ -3696,18 +3717,6 @@ nova. - - rescue image @@ -3830,7 +3839,6 @@ - S @@ -3850,12 +3858,6 @@ support a variety of scheduler types. - scoped token @@ -3886,13 +3888,6 @@ key injection is supported by nova. - security group @@ -3993,12 +3988,6 @@ the Django sessions framework. - shared IP address @@ -4014,7 +4003,7 @@ Shared IP addresses can be used with many standard heartbeat facilities, such as keepalive, that monitor for failure and manage IP failover. - + @@ -4029,12 +4018,6 @@ be a member of one shared IP group. - shared storage 
@@ -4065,12 +4048,6 @@ unsupported in OpenStack. - SmokeStack @@ -4085,7 +4062,7 @@ volume or image. Use storage volume snapshots to back up volumes. Use image snapshots to back up data, or as "gold" images for additional servers. - + @@ -4286,18 +4263,6 @@ (VM) instances. - - system usage @@ -4307,28 +4272,9 @@ - T - - - TempAuth @@ -4346,18 +4292,6 @@ project. - - TempURL @@ -4417,24 +4351,6 @@ another node after it has been deleted. - - - topic publisher @@ -4490,24 +4406,16 @@ - U Ubuntu - A Debian-based Linux distribution that is compatible with - OpenStack. + A Debian-based Linux distribution. - - + unscoped token Alternative term for a keystone default @@ -4541,12 +4449,6 @@ boot. - User Mode Linux (UML) @@ -4560,16 +4462,9 @@ - V - VIF UUID @@ -4606,7 +4501,7 @@ a service that is load balanced. Incoming connections are distributed to back-end nodes based on the configuration of the load balancer. - + @@ -4712,20 +4607,7 @@ Alternative term for an image. - - - + VM Remote Control (VMRC) Method to access VM instance consoles using a @@ -4834,7 +4716,6 @@ - W @@ -4862,19 +4743,12 @@ start a new VM instance in nova. - worker - A daemon that carries out tasks. For example, - the cinder-volume worker attaches storage to an VM - instance. Workers listen to a queue and take - action when new messages arrive. + A daemon that listens to a queue and carries out tasks in response to messages. For example, + the cinder-volume worker attaches + storage to instances. @@ -4884,7 +4758,6 @@ - X @@ -4922,7 +4795,6 @@ - Y @@ -4933,7 +4805,6 @@ - Z @@ -4960,6 +4831,5 @@ - diff --git a/doc/src/docbkx/openstack-security/bk_openstack-sec-guide.xml b/doc/src/docbkx/openstack-security/bk_openstack-sec-guide.xml index a188a49d23..6667c087db 100644 --- a/doc/src/docbkx/openstack-security/bk_openstack-sec-guide.xml +++ b/doc/src/docbkx/openstack-security/bk_openstack-sec-guide.xml @@ -101,4 +101,5 @@ + 
diff --git a/doc/src/docbkx/openstack-security/ch004_book-introduction.xml b/doc/src/docbkx/openstack-security/ch004_book-introduction.xml index 3a5bb92214..02ef724e44 100644 --- a/doc/src/docbkx/openstack-security/ch004_book-introduction.xml +++ b/doc/src/docbkx/openstack-security/ch004_book-introduction.xml 
@@ -1,7 +1,13 @@ Introduction to OpenStack - This guide provides security insight into OpenStack deployments. The intended audience includes cloud architects, deployers, and administrators.  In addition, cloud users will find the guide both educational and helpful in provider selection, while auditors will find it useful as a reference document to support their compliance certification efforts. This guide is also recommended for anyone interested in cloud security. + This guide provides security insight into OpenStack + deployments. The intended audience is cloud architects, deployers, + and administrators.  In addition, cloud users will find the guide + both educational and helpful in provider selection, while auditors + will find it useful as a reference document to support their + compliance certification efforts. This guide is also recommended + for anyone interested in cloud security. Each OpenStack deployment embraces a wide variety of technologies, spanning Linux distributions, database systems, messaging queues, OpenStack components themselves, access control policies, logging services, security monitoring tools, and much more. It should come as no surprise that the security issues involved are equally diverse, and their in-depth analysis would require several guides. We strive to find a balance, providing enough context to understand OpenStack security issues and their handling, and provide external references for further information. The guide could be read from start to finish or sampled as necessary like a reference. We briefly introduce the kinds of clouds: private, public, and hybrid before presenting an overview of the OpenStack components and their related security concerns in the remainder of the chapter.
@@ -9,11 +15,33 @@ OpenStack is a key enabler in adoption of cloud technology and has several common deployment use cases. These are commonly known as Public, Private, and Hybrid models. The following sections use the National Institute of Standards and Technology (NIST) definition of cloud to introduce these different types of cloud as they apply to OpenStack.
Public Cloud - According to NIST, a public cloud is one in which the infrastructure is open to the general public for consumption. OpenStack public clouds are typically run by a service provider and can be consumed by individuals, corporations, or any paying customer. A public cloud provider may expose a full set of features such as software defined networking, block storage, in addition to multiple instance types. Due to the nature of public clouds, they will be exposed to a higher degree of risk. As a consumer of a public cloud you should validate that your selected provider has the necessary certifications, attestations, and other regulatory considerations. As a public cloud provider, depending on your target customers, you may be subject to one or more regulations. Additionally, even if not required to meet regulatory requirements, a provider should ensure tenant isolation as well as protecting management infrastructure from external attacks. + According to NIST, a public cloud is one in which the + infrastructure is open to the general public for consumption. + OpenStack public clouds are typically run by a service + provider and can be consumed by individuals, corporations, or + any paying customer. A public cloud provider may expose a full + set of features such as software defined networking, block + storage, in addition to multiple instance types. Due to the + nature of public clouds, they are exposed to a higher degree + of risk. As a consumer of a public cloud you should validate + that your selected provider has the necessary certifications, + attestations, and other regulatory considerations. As a public + cloud provider, depending on your target customers, you may be + subject to one or more regulations. Additionally, even if not + required to meet regulatory requirements, a provider should + ensure tenant isolation as well as protecting management + infrastructure from external attacks.
Private Cloud - At the opposite end of the spectrum is the private cloud. As NIST defines it, a private cloud is provisioned for exclusive use by a single organization comprising multiple consumers (e.g. business units). It may be owned, managed, and operated by the organization, a third-party, or some combination of them, and it may exist on or off premises. Private cloud use cases are diverse, as such, their individual security concerns will vary. + At the opposite end of the spectrum is the private + cloud. As NIST defines it, a private cloud is provisioned for + exclusive use by a single organization comprising multiple + consumers (e.g. business units). It may be owned, managed, and + operated by the organization, a third-party, or some + combination of them, and it may exist on or off premises. + Private cloud use cases are diverse, as such, their individual + security concerns vary.
Community cloud @@ -22,7 +50,11 @@
Hybrid Cloud A hybrid cloud is defined by NIST as a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).  For example an online retailer may have their advertising and catalogue presented on a public cloud that allows for elastic provisioning. This would enable them to handle seasonal loads in a flexible, cost-effective fashion. Once a customer begins to process their order, they are transferred to the more secure private cloud backend that is PCI compliant. - For the purposes of this document, we treat Community and Hybrid similarly, dealing explicitly only with the extremes of Public and Private clouds from a security perspective. Your security measures will depend where your deployment falls upon the private public continuum. + For the purposes of this document, we treat Community + and Hybrid similarly, dealing explicitly only with the + extremes of Public and Private clouds from a security + perspective. Your security measures depend where your + deployment falls upon the private public continuum.
@@ -39,9 +71,13 @@ OpenStack Compute OpenStack compute (Nova) provides services to support the management of virtual machine instances at scale, instances that host multi-tiered applications, dev/test environments, "Big Data" crunching Hadoop clusters, and/or high performance computing. Nova facilitates this management through an abstraction layer that interfaces with supported hypervisors, which we address later on in more detail. - Later in the guide, we will focus generically on the virtualization stack as it relates to hypervisors. - For information about the current state of feature support, see OpenStack's Hypervisor Support Matrix. - The security of Nova is critical for an OpenStack deployment. Hardening techniques should include support for strong instance isolation, secure communication between Nova sub-components, and resiliency of public facing API endpoints. + Later in the guide, we focus generically on the + virtualization stack as it relates to hypervisors. + For information about the current state of feature support, see + OpenStack Hypervisor Support Matrix. + The security of Nova is critical for an OpenStack deployment. Hardening techniques should include support for strong instance isolation, secure communication between Nova sub-components, and resiliency of public-facing API endpoints.
OpenStack Object Storage @@ -51,12 +87,16 @@
OpenStack Block Storage - OpenStack block storage service (Cinder), provides persistent block storage for compute instances. Cinder is responsible for managing the life-cycle of block devices, from the creation and attachment of volumes to instances, to their release. + The OpenStack Block Storage service (Cinder) provides + persistent block storage for compute instances. Cinder is + responsible for managing the life-cycle of block devices, from + the creation and attachment of volumes to instances, to their + release. Security considerations for block storage are similar to that of object storage.
OpenStack Networking - The OpenStack networking service (Neutron, previously called Quantum), provides various networking services to cloud users (tenants) such as IP address management, DNS, DHCP, load balancing, and security groups (network access rules, like firewall policies). It provides a framework for software defined networking (SDN) that allows for pluggable integration with various networking solutions. + The OpenStack networking service (Neutron, previously called Quantum), provides various networking services to cloud users (tenants) such as IP address management, DNS, DHCP, load balancing, and security groups (network access rules, like firewall policies). It provides a framework for software defined networking (SDN) that allows for pluggable integration with various networking solutions. OpenStack Networking allows cloud tenants to manage their guest network configurations. Security concerns with the networking service include network traffic isolation, availability, integrity and confidentiality.
@@ -75,7 +115,7 @@
Other Supporting Technology - OpenStack relies on messaging for internal communication between several of its services. By default, OpenStack uses message queues based on the Advanced Message Queue Protocol (AMQP).  Similar to most OpenStack services, it supports pluggable components. Today the implementation backend could be either RabbitMQ, Qpid, or ZeroMQ. + OpenStack relies on messaging for internal communication between several of its services. By default, OpenStack uses message queues based on the Advanced Message Queue Protocol (AMQP).  Similar to most OpenStack services, it supports pluggable components. Today the implementation backend could be RabbitMQ, Qpid, or ZeroMQ. As most management commands flow through the message queueing system, it is a primary security concern for any OpenStack deployment.  Message queueing security is discussed in detail later in this guide. Several of the components use databases though it is not explicitly called out. Securing the access to the databases and their contents is yet another security concern, and consequently discussed in more detail later in this guide.
diff --git a/doc/src/docbkx/openstack-security/ch008_system-roles-types.xml b/doc/src/docbkx/openstack-security/ch008_system-roles-types.xml index e2e3be47c3..325e085e7e 100644 --- a/doc/src/docbkx/openstack-security/ch008_system-roles-types.xml +++ b/doc/src/docbkx/openstack-security/ch008_system-roles-types.xml @@ -18,7 +18,7 @@ Documentation should provide a general description of the OpenStack environment and cover all systems used (production, development, test, etc.). Documenting system components, networks, services, and software often provides the bird's-eye view needed to thoroughly cover and consider security concerns, attack vectors and possible security domain bridging points.  A system inventory may need to capture ephemeral resources such as virtual machines or virtual disk volumes that would otherwise be persistent resources in a traditional IT system.
Hardware Inventory - Clouds without stringent compliance requirements for written documentation may at least benefit from having a Configuration Management Database (CMDB). CMDB's are normally used for hardware asset tracking and overall life-cycle management. By leveraging a CMDB, an organization can quickly identify cloud infrastructure hardware (e.g. compute nodes, storage nodes, and network devices) that exists on the network but may not be adequately protected and/or forgotten. OpenStack provisioning system may provide some CMDB-like functions especially if auto-discovery features of hardware attributes are available. + Clouds without stringent compliance requirements for written documentation may at least benefit from having a Configuration Management Database (CMDB). CMDB's are normally used for hardware asset tracking and overall life-cycle management. By leveraging a CMDB, an organization can quickly identify cloud infrastructure hardware (e.g. compute nodes, storage nodes, and network devices) that exists on the network but may not be adequately protected and/or forgotten. OpenStack provisioning system may provide some CMDB-like functions especially if auto-discovery features of hardware attributes are available.
Software Inventory diff --git a/doc/src/docbkx/openstack-security/ch012_configuration-management.xml b/doc/src/docbkx/openstack-security/ch012_configuration-management.xml index c957f523e4..a841d36b14 100644 --- a/doc/src/docbkx/openstack-security/ch012_configuration-management.xml +++ b/doc/src/docbkx/openstack-security/ch012_configuration-management.xml 
@@ -101,7 +101,7 @@ A production quality cloud should always use tools to automate configuration and deployment. This eliminates human error, and allows the cloud to scale much more rapidly. Automation also helps with continuous integration and testing. When building an OpenStack cloud it is strongly recommended to approach your design and implementation with a configuration management tool or framework in mind. Configuration management allows you to avoid the many pitfalls inherent in building, managing, and maintaining an infrastructure as complex as OpenStack. By producing the manifests, cookbooks, or templates required for a configuration management utility, you are able to satisfy a number of documentation and regulatory reporting requirements. Further, configuration management can also function as part of your BCP and DR plans wherein you can rebuild a node or service back to a known state in a DR event or given a compromise. Additionally, when combined with a version control system such as Git or SVN, you can track changes to your environment over time and remediate unauthorized changes that may occur. For example, a nova.conf or other configuration file falls out of compliance with your standard, your configuration management tool will be able to revert or replace the file and bring your configuration back into a known state. Finally a configuration management tool can also be used to deploy updates; simplifying the security patch process. These tools have a broad range of capabilities that are useful in this space. The key point for securing your cloud is to choose a tool for configuration management and use it. - There are many configuration management solutions; at the time of this writing there are two in the marketplace that are robust in their support of OpenStack environments: Chef and Puppet. 
A non-exhaustive listing of tools in this space is provided below: + There are many configuration management solutions; at the time of this writing there are two in the marketplace that are robust in their support of OpenStack environments: Chef and Puppet. A non-exhaustive listing of tools in this space is provided below: Chef diff --git a/doc/src/docbkx/openstack-security/ch014_best-practices-for-operator-mode-access.xml b/doc/src/docbkx/openstack-security/ch014_best-practices-for-operator-mode-access.xml index 72289d9dec..634f89efbc 100644 --- a/doc/src/docbkx/openstack-security/ch014_best-practices-for-operator-mode-access.xml +++ b/doc/src/docbkx/openstack-security/ch014_best-practices-for-operator-mode-access.xml @@ -34,7 +34,7 @@ The dashboard provides GUI support for routers and load-balancers. For example, Horizon now implements all of the main Neutron features. - It is an extensible Django web application that allows easy plug-in of third-party products and services, such as billing, monitoring, and additional management tools. + It is an extensible Django web application that allows easy plug-in of third-party products and services, such as billing, monitoring, and additional management tools. The dashboard can also be branded for service providers and other commercial vendors. 
@@ -137,7 +137,7 @@ Ensure that the network interfaces are on their own private(management or a separate) network. Segregate management domains with firewalls or other network gear. - If you use a web interface to interact with the BMC/IPMI, always use the SSL interface (e.g. https or port 443). This SSL interface should NOT use self-signed certificates, as is often default, but should have trusted certificates using the correctly defined fully qualified domain names (FQDNs). + If you use a web interface to interact with the BMC/IPMI, always use the SSL interface (e.g. https or port 443). This SSL interface should NOT use self-signed certificates, as is often default, but should have trusted certificates using the correctly defined fully qualified domain names (FQDNs). Monitor the traffic on the management network. The anomalies may be easier to track than on the busier compute nodes diff --git a/doc/src/docbkx/openstack-security/ch017_threat-models-confidence-and-confidentiality.xml b/doc/src/docbkx/openstack-security/ch017_threat-models-confidence-and-confidentiality.xml index 9031bb7b4a..5c31a975c9 100644 --- a/doc/src/docbkx/openstack-security/ch017_threat-models-confidence-and-confidentiality.xml +++ b/doc/src/docbkx/openstack-security/ch017_threat-models-confidence-and-confidentiality.xml 
@@ -5,10 +5,10 @@ While it is commonly accepted that data over public networks should be secured using cryptographic measures, such as Secure Sockets Layer or Transport Layer Security (SSL/TLS) protocols, it is insufficient to rely on security domain separation to protect internal traffic. Using a security-in-depth approach, we recommend securing all domains with SSL/TLS, including the management domain services. It is important that should a tenant escape their VM isolation and gain access to the hypervisor or host resources, compromise an API endpoint, or any other service, they must not be able to easily inject or capture messages, commands, or otherwise affect or control management capabilities of the cloud. SSL/TLS provides the mechanisms to ensure authentication, non-repudiation, confidentiality, and integrity of user communications to the OpenStack services and between the OpenStack services themselves. Public Key Infrastructure (PKI) is the set of hardware, software, and policies to operate a secure system which provides authentication, non-repudiation, confidentiality, and integrity. The core components of PKI are: - End Entity - user, process, or system which is the subject of a certificate + End Entity - user, process, or system that is the subject of a certificate - Certification Authority (CA) - defines certificate policies, management, and issuance of certificates + Certification Authority (CA) - defines certificate policies, management, and issuance of certificates Registration Authority (RA) - an optional system to which a CA delegates certain management functions diff --git a/doc/src/docbkx/openstack-security/ch035_case-studies-networking.xml b/doc/src/docbkx/openstack-security/ch035_case-studies-networking.xml index 3d07a152aa..ca461edce5 100644 --- a/doc/src/docbkx/openstack-security/ch035_case-studies-networking.xml +++ b/doc/src/docbkx/openstack-security/ch035_case-studies-networking.xml @@ -8,7 +8,7 @@
Bob's Public Cloud - A major business driver for Bob is to provide an advanced networking services to his customers. Bob's customers would like to deploy multi-tiered application stacks. This multi-tiered application are either existing enterprise application or newly deployed applications. Since Bob's Public cloud is a multi-tenancy enterprise service, the choice to use for L2 isolation in this environment is to use Overlay networking. Another aspect of Bob's cloud is the self-service aspect where the customer can provision available networking services as needed. These networking services encompass L2 networks, L3 Routing, Network ACL and NAT. It is important that per-tenant quota's be implemented in this environment. + A major business driver for Bob is to provide an advanced networking services to his customers. Bob's customers would like to deploy multi-tiered application stacks. This multi-tiered application are either existing enterprise application or newly deployed applications. Since Bob's Public cloud is a multi-tenancy enterprise service, the choice to use for L2 isolation in this environment is to use Overlay networking. Another aspect of Bob's cloud is the self-service aspect where the customer can provision available networking services as needed. These networking services encompass L2 networks, L3 Routing, Network ACL and NAT. It is important that per-tenant quota's be implemented in this environment. An added benefit with utilizing OpenStack Networking is when new advanced networking services become available, these new features can be easily provided to the end customers.
diff --git a/doc/src/docbkx/openstack-security/pom.xml b/doc/src/docbkx/openstack-security/pom.xml index 13e057ed35..b87b4d2491 100644 --- a/doc/src/docbkx/openstack-security/pom.xml +++ b/doc/src/docbkx/openstack-security/pom.xml @@ -26,6 +26,13 @@ generate-sources + + + + + + + bk_openstack-sec-guide.xml . http://docs.openstack.org/${release.path.name}/openstack-security/content/
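Review bot: two of the new or rewritten glossary entries break the indentation used everywhere else in glossary-terms.xml: the access control list entry (hunk @@ -34,11 +33,19 @@) has "It also" / "defines which operations can be performed" split at column zero, and the Compute API entry (hunk @@ -949,9 +1001,10 @@) has "The nova-api" / "daemon that provides" split the same way. Re-flow both to the column of the surrounding text. In the ACL entry the example sentence also carries stray commas; suggest "For instance, the ACL entry (Alice, delete) on a file gives Alice permission to delete the file."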
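Review bot: the AMQP expansion added in the glossary hunk @@ -170,24 +183,33 @@ ("Advanced Message Queue Protocol") is not the protocol's name; it is the Advanced Message Queuing Protocol. The same wording survives in the ch004_book-introduction.xml "Other Supporting Technology" sentence that this patch already edits (hunk @@ -75,7 +115,7 @@), so both places can be corrected in this change.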
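Review bot: misplaced comma in the new DHCP entry (glossary hunk @@ -1333,6 +1372,20 @@): "request configuration data such as, an IP address, a default route, and one or more DNS server addresses" should read "such as an IP address, a default route, and one or more DNS server addresses".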
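Review bot: the DNS expansion in the new glossary entry (hunk @@ -1407,6 +1460,16 @@) is wrong; DNS stands for Domain Name System, not Domain Name Server, and the last sentence has an agreement slip ("Associates a human-friendly names to IP addresses"). Suggest "Domain Name System. A hierarchical and distributed naming system for computers, services, and resources connected to the Internet or a private network. Associates human-friendly names with IP addresses."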
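Review bot: the DRTM expansion in hunk @@ -1471,6 +1534,12 @@ should be "Dynamic Root of Trust for Measurement", the term as the TCG defines it. The entry is also only an expansion with no description, unlike its neighbours (compare the CA and IPMI entries); one sentence noting that the measurement is started at runtime rather than at platform reset would make the term useful to readers of the hardware chapters.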
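Review bot: the new IDS entry (glossary hunk @@ -2180,6 +2268,13 @@) lacks the terminal period every other entry carries and gives only the expansion. Suggest "Intrusion Detection System. A system that monitors network or host activity for signs of unauthorized access or policy violations." That also gives the neutron plugin entry, which lists IDS as an example advanced feature, something to point at.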
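Review bot: hunk @@ -2363,17 +2458,38 @@ deletes the ip6tables glossary term outright while the rewritten iptables entry still refers to ip6tables, arptables and ebtables by name. Keep ip6tables as a short cross-reference entry ("See iptables."), as this patch already does for ACL / access control list. The first sentence of the iptables entry also reads oddly: "Used along with arptables and ebtables, iptables create firewalls in nova." Suggest "Used along with arptables, ebtables, and ip6tables to create firewalls in nova." The closing "Requires root privilege to manipulate." is worth keeping; it is the operationally relevant fact in the entry.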
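Review bot: the reflow of the neutron entries (glossary hunk @@ -3407,29 +3449,34 @@) carries over an existing typo: "provides and extensible architecture" should be "provides an extensible architecture". Since these lines are being touched, fix it here. Capitalization is also inconsistent within the same hunk: the term is "Neutron" while the derived terms are "neutron API", "neutron manager", and "neutron plugin"; the rest of the glossary uses the lowercase project name ("nova", "glance", "keystone"), so "neutron" is the better choice.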
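Review bot: in the ch004_book-introduction.xml Hybrid Cloud hunk (@@ -22,7 +50,11 @@) the rewritten sentence "Your security measures depend where your deployment falls upon the private public continuum." is missing a preposition and a hyphen; suggest "Your security measures depend on where your deployment falls on the private-public continuum."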
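Review bot: in the ch014_best-practices-for-operator-mode-access.xml hunk (@@ -137,7 +137,7 @@) the replaced BMC/IPMI line is visibly identical to the line it replaces, so the change is markup or whitespace. Since the line is being touched, align its terminology with ch017_threat-models-confidence-and-confidentiality.xml, which this patch also edits and which says "SSL/TLS": "always use the SSL/TLS (HTTPS, port 443) interface" rather than "the SSL interface". The substantive advice, no self-signed certificates and certificates issued for the correct FQDNs, is right and should stay as written.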
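Review bot: in the ch035_case-studies-networking.xml hunk (@@ -8,7 +8,7 @@) the + line is again visibly identical to the - line, yet it keeps several grammar errors that should be fixed while the line is being edited: "provide an advanced networking services" (drop "an"), "This multi-tiered application are either existing enterprise application or newly deployed applications" (should be "These multi-tiered applications are either existing enterprise applications or newly deployed applications"), and "per-tenant quota's" (should be "per-tenant quotas").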
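Review bot: the bk_openstack-sec-guide.xml and pom.xml hunks add only lines whose element content does not survive in this view, and there is no commit description at all, so a reviewer cannot tell what the build change does or why the book file gained a line. Please add a commit message stating the intent (presumably wiring the common glossary into the security guide build), and consider splitting the glossary additions from the copy edits across six security-guide chapters; reviewing a 60-entry glossary change and wording fixes in one patch makes it easy to miss errors like the DNS and AMQP expansions.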