Network encryption between hosts


#1

hey folks,

we are looking to provide host-to-host encryption between every instance that resides on our network. We’ve been looking at a few different options (OpenSwan, OpenVPN, NeoRouter, or stunnel), and I’m curious if anyone has any experience that they would be willing to share.

The primary goal is to protect the data moving between systems on virtualized resources (ie, ec2 and rackspace). The primary goal is not focused on being able to quickly lock out an ex-employee or provide a controlled access point from work into the cloud. And I am aware of how ec2 controls network traffic (active packet switching, network acls, security groups, etc). But we want to add another layer of encryption which we control and is on top of what is, even if done well, an untrusted network.

So initial focus was on focusing on host-to-host (which scratches openVPN) at the sysconfig level. But each instance will need to be connected to 6-12 different hosts at any given time (each has monitoring, metric gathering, and syslog, and then depending on the role, might have connections to multiple datastores, etc).

We are also exploring moving it up into the application stack and for the connections which cannot be encrypted (web proxy to app roles, app roles to some datastores) wrapping those connections in stunnel.

what makes this interesting is the power that chef search can bring to the table with configuration management and what not. So while something like stunnel sounds silly when managing hundreds of host-to-host connections, we are taking a look at it because of chef.

Anyway, just throwing out a general question to see what people’s experiences have been and if chef changes how they approach an issue such as this.

thanks!
adam


#2

If the desire is to ensure that communications between instances are secure, have you given any thoughts to leveraging Amazon’s VPC? At least for that portion of it?

On Nov 23, 2011, at 12:13 PM, Adam Greene wrote:

hey folks,

we are looking to provide host-to-host encryption between every instance that resides on our network. We’ve been looking at a few different options (OpenSwan, OpenVPN, NeoRouter, or stunnel), and I’m curious if anyone has any experience that they would be willing to share.

The primary goal is to protect the data moving between systems on virtualized resources (ie, ec2 and rackspace). The primary goal is not focused on being able to quickly lock out an ex-employee or provide a controlled access point from work into the cloud. And I am aware of how ec2 controls network traffic (active packet switching, network acls, security groups, etc). But we want to add another layer of encryption which we control and is on top of what is, even if done well, an untrusted network.

So initial focus was on focusing on host-to-host (which scratches openVPN) at the sysconfig level. But each instance will need to be connected to 6-12 different hosts at any given time (each has monitoring, metric gathering, and syslog, and then depending on the role, might have connections to multiple datastores, etc).

We are also exploring moving it up into the application stack and for the connections which cannot be encrypted (web proxy to app roles, app roles to some datastores) wrapping those connections in stunnel.

what makes this interesting is the power that chef search can bring to the table with configuration management and what not. So while something like stunnel sounds silly when managing hundreds of host-to-host connections, we are taking a look at it because of chef.

Anyway, just throwing out a general question to see what people’s experiences have been and if chef changes how they approach an issue such as this.

thanks!
adam


#3

yes; we are using VPC…but the connections between instances aren’t encrypted. They use some really nice firewall features (at VM and network level) to route and shape traffic, some of which we can control, but it isn’t encrypted. Configuration errors at the amazon or individual level can expose data to other customers (the netflix instance from a month ago was the most widely publicized but it is fairly common, or so I understand).

we also have to support RackSpace, where the network doesn’t seem to be as tightly controlled as amazon’s VPC.

so the root problem still stands (I think! :wink: ; adding a layer of protection on top of a network that is multi-tenant and not in our direct control.


Adam Greene
SweetSpot – Diabetes Management, Simplified

http://www.SweetSpotDiabetes.com
ph: 503.893.2448 | cell: 503.784.2104 | fax: 888.893.6029

On Wednesday, November 23, 2011 at 10:48 AM, Aaron Abramson wrote:

If the desire is to ensure that communications between instances are secure, have you given any thoughts to leveraging Amazon’s VPC? At least for that portion of it?

On Nov 23, 2011, at 12:13 PM, Adam Greene wrote:

hey folks,

we are looking to provide host-to-host encryption between every instance that resides on our network. We’ve been looking at a few different options (OpenSwan, OpenVPN, NeoRouter, or stunnel), and I’m curious if anyone has any experience that they would be willing to share.

The primary goal is to protect the data moving between systems on virtualized resources (ie, ec2 and rackspace). The primary goal is not focused on being able to quickly lock out an ex-employee or provide a controlled access point from work into the cloud. And I am aware of how ec2 controls network traffic (active packet switching, network acls, security groups, etc). But we want to add another layer of encryption which we control and is on top of what is, even if done well, an untrusted network.

So initial focus was on focusing on host-to-host (which scratches openVPN) at the sysconfig level. But each instance will need to be connected to 6-12 different hosts at any given time (each has monitoring, metric gathering, and syslog, and then depending on the role, might have connections to multiple datastores, etc).

We are also exploring moving it up into the application stack and for the connections which cannot be encrypted (web proxy to app roles, app roles to some datastores) wrapping those connections in stunnel.

what makes this interesting is the power that chef search can bring to the table with configuration management and what not. So while something like stunnel sounds silly when managing hundreds of host-to-host connections, we are taking a look at it because of chef.

Anyway, just throwing out a general question to see what people’s experiences have been and if chef changes how they approach an issue such as this.

thanks!
adam


#4

On Nov 23, 2011, at 12:13 PM, Adam Greene wrote:

Anyway, just throwing out a general question to see what people’s experiences have been and if chef changes how they approach an issue such as this.

We’ve been looking at Virtual Private LAN configurations that would support Rackspace, and the pickings have been very slim. The only solution I’ve found so far is vCider, but it requires more recent versions of Linux than we are currently using – they support multiple distributions, but for example with CentOS they only support CentOS 6+ and for the moment we’re stuck on CentOS 5.6. Otherwise, it looks like a really cool drop-in kind of solution.

They also support multiple cloud providers, as well as extending your local physical LAN through a gateway to one or more cloud providers.

Of course, it is commercial as opposed to being freely available. We have yet to find anything that could potentially work for us that is also freely available.


Brad Knowles bknowles@ihiji.com
SAGE Level IV, Chef Level 0.0.1


#5

Thanks brad for the tip!

Just to update this thread in case people are looking at the same sort of
issue, we ended up using this cookbook from the heavywater folks:
http://github.com/heavywater/chef-ipsec

as noted, it is still under development, but so far it has worked well for
us!
adam

On Wednesday, November 23, 2011 at 1:16 PM, Brad Knowles wrote:

On Nov 23, 2011, at 12:13 PM, Adam Greene wrote:

Anyway, just throwing out a general question to see what people’s
experiences have been and if chef changes how they approach an issue such
as this.

We’ve been looking at Virtual Private LAN configurations that would support
Rackspace, and the pickings have been very slim. The only solution I’ve
found so far is vCider, but it requires more recent versions of Linux than
we are currently using – they support multiple distributions, but for
example with CentOS they only support CentOS 6+ and for the moment we’re
stuck on CentOS 5.6. Otherwise, it looks like a really cool drop-in kind of
solution.

They also support multiple cloud providers, as well as extending your local
physical LAN through a gateway to one or more cloud providers.

Of course, it is commercial as opposed to being freely available. We have
yet to find anything that could potentially work for us that is also freely
available.


Brad Knowles bknowles@ihiji.com
SAGE Level IV, Chef Level 0.0.1