Skip to content
flexiOPS edited this page Mar 3, 2017 · 9 revisions

Welcome to the BEACON-VM-Security wiki!

The BEACON Scanner/Firewall suite is a series of Java based executables which interface with the Openvas security scanner. The main features of this toolset is to automatically perform a security scan on newly created Virtual Machines(VMs), apply firewalls to these VMs and deploy Chef to the VMs.

These applications provide a solution across multiple cloud platforms to gain an understanding of current security vulnerabilities that exist on VMs, and also to establish a security baseline through the means of firewall creation. Upon completion of a security scan, the VM owner is emailed a Vulnerability report. This report consists of the security vulnerabilities detected on the VM, and the level of threat they pose. After this report is sent, the application builds a firewall inside the cloud platform the VM is located on, and applies this firewall directly to the VM. Finally, Chef is deployed on the VM and various security related cookbooks are applied in order to provide a final layer of security.

The main platforms currently supported are:

  • Flexiant Cloud Orchestrator (FCO)
  • Openstack (Nova)
  • Open Nebula
  • Amazon AWS The main application used to perform this task is the VulnerabilityScanner. This is a runnable JAR file which interfaces with the OpenVAS Scanner to perform security scans on a VM. Deep user-level scans can also be conducted if a username/password combo is provided. This can provide a much more detailed Vulnerability report, as the individual packages installed on the VM are thoroughly checked for any security issues. After the security scan is complete, this application will then apply a firewall to the VM directly using the platform on which the VM is hosted.

FCOExecutable is another runnable JAR file which is used to forward VM details to the VulnerabilityScanner. This is done by passing arguments to the JAR, such as the UUID of the server, the I.P of the server and the email address of the VM owner. Additional arguments are also supported, such as a VM username/password combo. Once the arguments are received, the FCOExecutable JAR encrypts them and sends them to the VulnerabilityScanner JAR.

FCOFirewallExecutable is a forwarder similar to FCOExecutable, except the only arguments it supports are a firewall key and a server I.P. This is used for sending a firewall key and server I.P combo to the VulnerabilityScanner. These details can then be utilised by the VulnerabilityScanner in order to customise the firewall template which will be applied to the VM.

ActivationScripts contains the various scripts/hooks used by the specific cloud platform in order to detect the creation of new VMs, and call the FCOExecutable using the VM details as arguments.