============
Case studies
============

Earlier in :doc:`../introduction/introduction-to-case-studies` we
introduced the Alice and Bob case studies, where Alice is deploying a
private government cloud and Bob is deploying a public cloud, each with
different security requirements. Here we discuss how Alice and Bob
would ensure that their instances are properly isolated. First we consider
hypervisor selection, and then techniques for hardening QEMU and applying
mandatory access controls.

Alice's private cloud
~~~~~~~~~~~~~~~~~~~~~

Alice chooses Xen for the hypervisor in her cloud due to a strong internal
knowledge base and a desire to use the Xen security modules (XSM) for
fine-grained policy enforcement.

Alice is willing to apply a relatively large amount of resources to software
packaging and maintenance. She will use these resources to build a highly
customized version of QEMU that has many components removed, thereby reducing
the attack surface. She will also ensure that all compiler hardening options
are enabled for QEMU. Alice accepts that these decisions will increase
long-term maintenance costs.

Alice writes XSM policies (for Xen) and SELinux policies (for Linux domain 0
and device domains) to provide stronger isolation between the instances. Alice
also uses the Intel TXT support in Xen to measure the hypervisor launch in the
TPM.

Bob's public cloud
~~~~~~~~~~~~~~~~~~

Bob is very concerned about instance isolation since the users in a public
cloud represent anyone with a credit card, meaning they are inherently
untrusted. Bob has just started hiring the team that will deploy the cloud, so
he can tailor his candidate search for specific areas of expertise. With this
in mind, Bob chooses a hypervisor based on its technical features,
certifications, and community support. KVM has an EAL 4+ Common Criteria
rating, with a labeled security protection profile (LSPP) to provide added
assurance for instance isolation. This, combined with the strong support for
KVM within the OpenStack community, drives Bob's decision to use KVM.

Bob weighs the added cost of repackaging QEMU and decides that he cannot commit
those resources to the project. Fortunately, his Linux distribution has already
enabled the compiler hardening options, so he decides to use this QEMU package.
Finally, Bob leverages sVirt to manage the SELinux policies associated with the
virtualization stack.
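Both Alice (who builds her own QEMU) and Bob (who trusts his distribution's package) need a way to confirm that compiler hardening options actually made it into the shipped binary. The following is an added example, not part of the original guide or of any QEMU or distribution tooling: a small ELF inspector that reads the program headers of a 64-bit binary and reports three link-time hardening properties that can be verified without running the binary: PIE (``e_type == ET_DYN``), a non-executable stack (``PT_GNU_STACK`` without ``PF_X``) and partial RELRO (a ``PT_GNU_RELRO`` segment). The two sample images it checks are constructed inline so the example runs offline; ``check_file`` is provided for pointing it at a real ``qemu-system-*`` binary.

```python
import struct

# ELF constants (from the ELF64 and GNU ABI specifications)
ET_DYN = 3                 # position-independent executable / shared object
PT_GNU_STACK = 0x6474E551  # segment whose flags describe the stack permissions
PT_GNU_RELRO = 0x6474E552  # region made read-only after relocation
PT_LOAD = 1
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def build_elf64(e_type, phdrs):
    """Construct a minimal little-endian ELF64 image (constructed sample, not a real binary).

    phdrs is a list of (p_type, p_flags) tuples; offsets and sizes are zero
    because only the header fields matter for this check.
    """
    ehsize, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, v1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1,          # e_type, e_machine (x86-64), e_version
        0, ehsize, 0,             # e_entry, e_phoff (right after the header), e_shoff
        0, ehsize, phentsize,     # e_flags, e_ehsize, e_phentsize
        len(phdrs), 0, 0, 0,      # e_phnum, e_shentsize, e_shnum, e_shstrndx
    )
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return header + body


def check_hardening(data):
    """Return {'pie', 'nx', 'relro'} booleans for an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example only handles little-endian ELF64")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    # No PT_GNU_STACK at all historically means an executable stack, so
    # treat "absent" the same as "executable".
    nx = False
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def missing_hardening(report):
    """List the properties a hardened build is expected to have but this one lacks."""
    return [name for name in ("pie", "nx", "relro") if not report[name]]


def check_file(path):
    """Inspect a real binary on disk, e.g. check_file('/usr/bin/qemu-system-x86_64')."""
    with open(path, "rb") as fh:
        return check_hardening(fh.read())


# Constructed samples: what a hardened and an unhardened link typically look like.
HARDENED_SAMPLE = build_elf64(ET_DYN, [
    (PT_LOAD, PF_R | PF_X),
    (PT_GNU_STACK, PF_R | PF_W),   # stack readable/writable, not executable
    (PT_GNU_RELRO, PF_R),
])
UNHARDENED_SAMPLE = build_elf64(2, [  # ET_EXEC: fixed load address, no PIE
    (PT_LOAD, PF_R | PF_X),
    (PT_GNU_STACK, PF_R | PF_W | PF_X),
])

if __name__ == "__main__":
    for label, image in (("hardened", HARDENED_SAMPLE), ("unhardened", UNHARDENED_SAMPLE)):
        report = check_hardening(image)
        print(label, report, "missing:", missing_hardening(report))
```

The check covers only what program headers expose. A stack-protector canary shows up as a reference to ``__stack_chk_fail`` in the dynamic symbol table, and full RELRO additionally requires ``BIND_NOW`` in the dynamic section; both need further parsing that this example leaves out, so a clean report here is necessary but not sufficient evidence that every hardening option Alice or Bob expects was applied.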