From 712c15149233c901fea02328578b9da17f36900c Mon Sep 17 00:00:00 2001 From: sicarie Date: Thu, 28 May 2015 12:59:41 -0700 Subject: [PATCH] Updating Case Studies - Alice's API Endpoints Section + Apache, TLS, HAProxy + Load-balancing details w/SSL offloading + Removing redundant 'and' Change-Id: I89bb71e4e8cd0037e4c565c2d0431681c9cbb145 Partial-Bug: #1349540 --- .../section_case-studies-api-endpoints.xml | 34 +++++++++++-------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/security-guide/section_case-studies-api-endpoints.xml b/security-guide/section_case-studies-api-endpoints.xml index e6964f4f..4255a58f 100644 --- a/security-guide/section_case-studies-api-endpoints.xml +++ b/security-guide/section_case-studies-api-endpoints.xml 
@@ -11,22 +11,28 @@ Alice's private cloud Alice's organization requires that the security architecture - protect the access to the public and private endpoints, so she - elects to use the Apache TLS proxy on both public and internal - services. Alice's organization has implemented its own - certificate authority. Alice contacts the PKI office in her - agency that manages her PKI and certificate issuance. Alice - obtains certificates issued by this CA and configures the - services within both the public and management security - domains to use these certificates. Since Alice's OpenStack - deployment exists entirely on a network disconnected from the - Internet, she makes sure to remove all default CA bundles that - contain external public CA providers to ensure the OpenStack - services only accept client certificates issued by her - agency's CA. Alice has registered all of the services in the + protect the access to the private endpoints, so she elects to + use Apache with TLS enabled and HAProxy for load balancing in + front of the web service. As Alice's organization has + implemented its own certificate authority, she configures the + services within both the guest and management security domains + to use these certificates. Since Alice's OpenStack deployment + exists entirely on a network disconnected from the Internet, she + makes sure to remove all default CA bundles that contain + external public CA providers to ensure the OpenStack services + only accept client certificates issued by her agency's CA. As + she is using HAProxy, Alice configures SSL offloading on her + load balancer, and a virtual server IP (VIP) on the load + balancer with the http to https redirection policy to her API + endpoint systems. + + Alice has registered all of the services in the Identity service's catalog, using the internal URLs for access by internal services. She has installed host-based intrusion - detection on all of the API endpoints. 
+ detection (HIDS) to monitor the security events on the + endpoints. On the hosts, Alice also ensures that the API + services are confined to a network namespace while confirming + that there is a robust SELinux profile applied to the services.
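Review bot: The rewritten first paragraph says Apache runs "with TLS enabled" but then has HAProxy doing "SSL offloading", which leaves it unclear whether the HAProxy-to-Apache leg is re-encrypted or travels in plaintext on the management network; the case study should state which (termination at the VIP with re-encryption to the backends, or plain offload), since that decides whether the agency-CA certificates configured on the services are actually presented to anyone. While there, use "TLS" consistently rather than "SSL offloading" and capitalize "HTTP to HTTPS redirection". Note also that the hunk narrows "public and private endpoints" to "the private endpoints" and changes "public and management security domains" to "guest and management security domains"; neither change is mentioned in the commit message, so either restore the public-domain wording or add a line to the message explaining the scope change.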