In my role, I have access to a Metacloud environment which I manage as a user. This involves running demos, managing users, setting quotas as well as provisioning the scarce resource of public/floating IPs! Luckily, I don't have to worry about the bare metal OS, patching of it, or any of the OpenStack complexities like upgrades, stability, and security. That is all handled as part of the managed service that Metacloud provides. At the end of the day, however, I am responsible for all the virtual machines running in the environment. This can be challenging at times when, as an admin, I can't see what is actually running inside all of the VMs across all the tenants.

A little while ago, due to a Docker vulnerability with one of my VMs, I was alerted to a large amount of traffic with one of my VMs. Luckily, I was alerted by the OPS team (again part of the managed service). After some investigation, we determined there was a large amount of traffic communicating with China. Naturally, I wanted to avoid this happening again, so I started looking at some ways I could prevent this from happening again.

Lo and behold, I stumbled upon OpenDNS, now Cisco Umbrella. The free home version is still referred to as OpenDNS. By configuring my VMs to use Cisco Umbrella to resolve DNS queries, I could provide an additional level of security: if any of the VMs tried talking to any known malware, phishing, or ransomware sites, the request would be blocked by Cisco Umbrella because the site has been identified as malicious.

Turns out this was a piece of cake to configure in OpenStack. I simply set the default DNS servers for the virtual network to use Cisco Umbrella instead of the previously used DNS. This way whenever a VM is launched on the network, the VM's OS will be configured to use these DNS servers.

 

From Admin >> Networks >> NETWORK-NAME, click Edit Subnet next to the subnet you want to configure:

[Screenshot: subnetMenu.png]

Then, under Subnet Detail, add the DNS servers you want to use, each on a separate line (Cisco Umbrella/OpenDNS is 208.67.220.200 and 208.67.222.222):

[Screenshot: subnetDetails.png]
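To check that every subnet actually carries this setting, the following added example (not part of the original post) audits a subnet listing in the shape of Neutron's `GET /v2.0/subnets` response. The sample data, subnet names and function names are constructed for illustration.

```python
import json

# Resolver addresses given in the post for Cisco Umbrella/OpenDNS.
UMBRELLA = {"208.67.222.222", "208.67.220.200"}

# Constructed sample in the shape of a Neutron "GET /v2.0/subnets" response.
SAMPLE = json.loads("""
{"subnets": [
  {"id": "subnet-a", "name": "demo-net", "cidr": "10.0.1.0/24",
   "enable_dhcp": true, "dns_nameservers": ["208.67.222.222", "208.67.220.200"]},
  {"id": "subnet-b", "name": "legacy-net", "cidr": "10.0.2.0/24",
   "enable_dhcp": true, "dns_nameservers": ["8.8.8.8", "208.67.222.222"]},
  {"id": "subnet-c", "name": "no-dns-net", "cidr": "10.0.3.0/24",
   "enable_dhcp": true, "dns_nameservers": []},
  {"id": "subnet-d", "name": "static-net", "cidr": "10.0.4.0/24",
   "enable_dhcp": false, "dns_nameservers": ["208.67.222.222", "208.67.220.200"]}
]}
""")


def audit_subnet(subnet, allowed=UMBRELLA):
    """Return a list of findings for one subnet; empty means compliant."""
    findings = []
    servers = subnet.get("dns_nameservers") or []
    if not servers:
        findings.append("no DNS servers set on the subnet")
    extra = [s for s in servers if s not in allowed]
    if extra:
        # A single non-filtering resolver lets lookups bypass the blocking.
        findings.append("non-Umbrella resolver(s): " + ", ".join(extra))
    if not subnet.get("enable_dhcp", True):
        findings.append("DHCP disabled; DNS servers are not handed out by DHCP")
    return findings


def audit(response):
    """Map subnet name -> findings for every non-compliant subnet."""
    report = {}
    for subnet in response.get("subnets", []):
        findings = audit_subnet(subnet)
        if findings:
            report[subnet.get("name") or subnet["id"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

A subnet that passes this check only tells you what the network offers; a VM whose OS has been given a different resolver by hand will still bypass it.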

That was it from a configuration standpoint. Any VMs spun up on this network will now be configured with Cisco Umbrella. There are many benefits to this, like SmartCache (ensuring that DNS works pretty well even during events like massive DDoS attacks, like the one we experienced a few months ago). I also wanted some security features for this network, so I took the additional step of adding my network to my Cisco Umbrella account.

From the Cisco Umbrella interface, under Identity >> Networks, I added my network (in this case the public IP range for my cloud), and shortly afterwards it was showing as active:

[Screenshot: networkMenu.png]

[Screenshot: trial5Network.png]

That's it from a configuration standpoint. I now had an additional layer of security!

 

After a short period of time, I noticed some activity in my dashboard:

[Screenshot: activityDashboard.png]

[Screenshot: identity.png]

I now had an additional layer of protection in my cloud and was immediately seeing some interesting things. Let's take a look at one of them!

In a single click I ran a security report and saw the following:

[Screenshot: securityOverview.png]

I'm not too sure about this controlyourself.online site, but it was marked as malicious by Cisco Umbrella. Specifically, a large number of calls were made around the same point in time (within a minute) to this suspicious domain, but luckily they were all blocked by Cisco Umbrella.

In a single click I drilled down into this domain in Investigate and saw the following:

[Screenshot: investigate1.png]

This is showing me requests made globally to this domain. OpenDNS / Cisco Umbrella has this visibility via the 95+ billion queries it resolves at its Data Centers around the world. What's interesting is there were no requests to this domain until Jan 26th, when there was a spike. In fact, the domain came online on Jan 25th. After about four days, there were hardly any requests seen for this domain globally.

I can also see that there was a fairly high likelihood that this domain was generated via a DGA (Domain Generation Algorithm):

[Screenshot: DGA.png]

Luckily, the numerous requests my VM made to this were not resolved and any further communication was prevented with these domains! I'm sure there are many other strategies to take for securing your cloud, but I found this one a piece of cake to get up and running. I would be interested to know what other people have tried.