UO CIS 607 - Security Audits of Multi-tier Virtual Infrastructures in Public Infrastructure Clouds


Security Audits of Multi-tier Virtual Infrastructures in Public Infrastructure Clouds

Sören Bleikertz, IBM Zurich [email protected]
Schunter, IBM Zurich [email protected]
W. Probst, Technical University [email protected]
Pendarakis, IBM T.J. Watson [email protected]
Eriksson, InfraSight [email protected]

Cloud computing has gained remarkable popularity in recent years among a wide spectrum of consumers, ranging from small start-ups to governments. However, its benefits in terms of flexibility, scalability, and low upfront investments are shadowed by security challenges which inhibit its adoption. Managed through a web-services interface, users can configure highly flexible but complex cloud computing environments. Furthermore, users misconfiguring such cloud services poses a severe security risk that can lead to security incidents, e.g., erroneous exposure of services due to faulty network security configurations.

In this article we present a novel approach in the security assessment of the end-user configuration of multi-tier architectures deployed on infrastructure clouds such as Amazon EC2. In order to perform this assessment for the currently deployed configuration, we automated the process of extracting the configuration using the Amazon API. In the assessment we focused on the reachability and vulnerability of services in the virtual infrastructure, and presented a way for the visualization and automated analysis based on reachability and attack graphs. We proposed a query and policy language for the analysis which can be used to obtain insights into the configuration and to specify desired and undesired configurations. We have implemented the security assessment in a prototype and evaluated it for practical scenarios. Our approach effectively allows users to remediate today’s security concerns through validation of configurations of complex cloud infrastructures.

1. INTRODUCTION

Cloud computing aims at providing standardized resources over a network that are perceived to provide unlimited scalability while being paid per use with limited up-front cost. These general principles of cloud computing can be implemented on different abstraction levels. While Infrastructure as a Service such as Amazon EC2 [3] provides virtual machines, storage, and networks, higher abstractions include Platform as a Service as well as Software as a Service that provide the actual web-based applications to end-users.

While the benefits are clear and end-users demand such services, security is a major inhibitor of cloud computing adoption on all levels of abstraction [16]. Today, public clouds such as Amazon’s Elastic Compute Cloud (EC2) are used to host multi-tier infrastructures. Such infrastructures, e.g., comprise interconnected web, application, and database servers that may then be synchronized with databases in the enterprise. While this approach provides scalability, it may expose private personal or critical company data to attacks.

In order to mitigate such risks, security concepts similar to today’s well-known security zones have been introduced. The so-called security groups of Amazon allow users to group machines while restricting communication through firewall-like rules. Nevertheless, the resulting configurations can be complex and error-prone with respect to security. An indication of this fact is the complexity of correct firewall set-ups: when analyzing firewall configurations for 12 common mistakes [34], more than half of 37 cases exposed 9 of these 12 problems.

While security zones provide isolation and add robustness to the overall set-up, there are multiple sources of potential vulnerabilities in such a multi-tier cloud setting. In this paper we focus on end-users booting vulnerable images or creating erroneous and insecure configurations. Other risks are cloud providers incorrectly configuring or implementing their infrastructures as well as security incidents through insiders or component failures.

1.1 Our Contributions

In this paper we demonstrate how to audit the correct configuration of complex cloud infrastructures from an end-user perspective. Our approach allows us to validate the correct set-up of security policies such as Amazon’s security groups. This result allows us to validate whether all servers in each tier can only be reached from the desired originating systems and, e.g., ensure that back-end database servers can indeed only be reached from the corresponding application servers.

We then show how to further assess the security of such an infrastructure. We automatically assess the vulnerabilities of each VM in an infrastructure and, by using attack graphs, compose these findings into an overall vulnerability assessment of the given multi-tier infrastructure.

Both results together then allow us to correct potential misconfigurations and to refine our multi-tier set-up to minimize the actual security risk as modeled by the range of exploitable vulnerabilities. Overall, this guarantees secure configuration as well as reduced vulnerabilities of our infrastructure deployed in the cloud.

Note that unlike earlier work (e.g., [23, 7]) we do not focus on how to securely implement a cloud. Given the Amazon cloud implementation, we focus on how to securely use such an infrastructure without misconfiguration or creating additional vulnerabilities.

2. BACKGROUND

2.1 Scenario Illustrating a Multi-tier Infrastructure

Throughout this paper we will use the same scenario to illustrate the different audit and analysis methods. We consider an example configuration of a multi-tier web application widely used in real-world deployments consisting of web, application, and database servers. The web servers are reachable on the two common web server ports 80 (http) and 443 (https) over TCP from any source. The application servers are only reachable on an application-specific port, e.g., 8080 TCP, from the web servers. Furthermore, the database servers are only reachable from the application servers on port 3306 (mysql) TCP. For maintenance purposes, all servers allow ssh access (22 TCP) from the corporate network, e.g., 1.2.3.4/24, and the servers accept ICMP packets from any source.

2.2 An Overview on Amazon Elastic Compute Cloud (EC2)

In this section we will explain relevant aspects of the Amazon architecture necessary for understanding the remaining parts of the paper.

Amazon’s Elastic Compute Cloud (EC2). is Amazon’s service infrastructure
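
The reachability check described in Section 1.1, applied to the scenario of Section 2.1, as an added example that is not the paper's prototype. It assumes the rules are written out by hand as tuples instead of being extracted through the Amazon API; the names scenario_rules, violations, hops_from_internet and POLICY are hypothetical, and only TCP over IPv4 is walked.

```python
import ipaddress

ANY = "0.0.0.0/0"
CORP = "1.2.3.4/24"  # corporate network exactly as written in Section 2.1
GROUPS = ("web", "app", "db")

def scenario_rules():
    """Section 2.1 as (destination group, protocol, port, source) tuples.
    A source is a CIDR block or the name of another security group."""
    rules = [("web", "tcp", 80, ANY), ("web", "tcp", 443, ANY),
             ("app", "tcp", 8080, "web"), ("db", "tcp", 3306, "app")]
    for group in GROUPS:
        rules += [(group, "tcp", 22, CORP), (group, "icmp", None, ANY)]
    return rules

def is_public(source):
    """True when the source is a CIDR block covering every IPv4 address."""
    if source in GROUPS:
        return False
    return ipaddress.ip_network(source, strict=False).prefixlen == 0

def violations(rules, policy):
    """Rules whose source is not allowed by the policy.
    policy maps (group, protocol, port) to the set of permitted sources."""
    return [r for r in rules
            if (r[0], r[1], r[2]) in policy and r[3] not in policy[(r[0], r[1], r[2])]]

def hops_from_internet(rules):
    """Fewest TCP hops from the Internet to each group, following
    group-to-group rules as stepping stones (a reachability graph walk)."""
    tcp = [(dst, src) for dst, proto, _, src in rules if proto == "tcp"]
    hops = {dst: 1 for dst, src in tcp if is_public(src)}
    changed = True
    while changed:
        changed = False
        for dst, src in tcp:
            if src in hops and hops[src] + 1 < hops.get(dst, len(GROUPS) + 1):
                hops[dst] = hops[src] + 1
                changed = True
    return hops

# Desired configuration: back-end tiers accept traffic only from the tier in front.
POLICY = {("app", "tcp", 8080): {"web"}, ("db", "tcp", 3306): {"app"}}

if __name__ == "__main__":
    good = scenario_rules()
    bad = good + [("db", "tcp", 3306, ANY)]  # constructed misconfiguration
    print(hops_from_internet(good), violations(good, POLICY))
    print(hops_from_internet(bad), violations(bad, POLICY))
```

In the intended configuration the database tier sits three hops from the Internet; the constructed extra rule collapses that to one hop and is the only entry reported as a policy violation.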

