Updating Bob's API Case Studies

Contrasting Bob's case studies with Alice's, Bob uses Nginx and
AppArmor

Change-Id: I9605932cf94c6c20134fa8d57fa95ed8fa12a4e5
Partial-Bug: 1349540
sicarie 2015-10-07 09:59:10 -07:00
parent bb7405235f
commit 53c0ed9a61

@ -38,14 +38,17 @@ applied to the services.
Bob's public cloud
~~~~~~~~~~~~~~~~~~
Bob must also protect the access to the public and private endpoints, so he
elects to use the Apache TLS proxy on both public and internal services. On
the public services, he has configured the certificate key files with
certificates signed by a well-known Certificate Authority. He has used his
organization's self-signed CA to sign certificates in the internal services on
the Management network. Bob has registered his services in the Identity
service's catalog, using the internal URLs for access by internal services.
Bob's public cloud runs services on SELinux, which he has configured with a
mandatory access control policy to reduce the impact of any publicly accessible
services that may be compromised. He has also configured the endpoints with a
host-based IDS.
Bob must also protect the access to the public and private endpoints, so
he elects to use the more lightweight Nginx web server on both public
and internal services. On the public services, he has configured Nginx
for high availability and has installed the certificate key files with
certificates signed by a well-known Certificate Authority. He has used
his organization's self-signed CA to sign certificates in the internal
services on the Management network. Bob has registered his services in
the Identity service's catalog, using the internal URLs for access by
internal services. Bob has also installed and configured AppArmor to
secure the API and prevent the API processes from having access to other
system resources. He adds an additional level of assurance by installing
a host-based IDS system that will forward all system-level log events as
well as the API logs. He then ensures a dashboard has been created to
monitor and correlate events that may indicate a security issue.
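Review bot: The first added sentence replaces "the Apache TLS proxy" with "the more lightweight Nginx web server", which loses the statement that the front end terminates TLS for the endpoints, even though the next sentence still talks about installing certificate key files. Suggest wording such as "use Nginx as a TLS proxy on both public and internal services" so the role stays explicit. In the AppArmor sentence, "secure the API and prevent the API processes from having access to other system resources" is less precise than the removed SELinux text, which named a mandatory access control policy and its purpose (reducing the impact of a compromised public service); consider saying that AppArmor profiles confine the API processes and keeping that rationale. Minor style point near the end: "host-based IDS system" is redundant, since "IDS" already ends in "system"; "host-based IDS" as in the removed text reads better.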