
[nova-network] Neutron API - Unencrypted Submission of Credentials

Open · claco opened this issue 10 years ago · 1 comment

This is from the internal security review recommendations.

Severity: High

Description / Exploit: The RPC Neutron API endpoint transmits sensitive or security-critical data (API keys) in cleartext in a communication channel that can be sniffed by unauthorized actors.

Impact: Anyone can read the information by gaining access to the channel being used for communication.

Systems Vulnerable: http://198.101.133.159:9696

Suggested Mitigation: Encrypt the data with a reliable encryption scheme before transmitting (SSL, TLS).

Further References: http://cwe.mitre.org/data/definitions/319.html, https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

This will likely require attribute default changes, http -> https upgrade testing, https client cert/bundle testing (see other open issues around https and client certs), and changes to novarc files and monitoring/monit checks.

Affects:

cookbooks/horizon/templates/default/local_settings.py.erb
159:NEUTRON_PORT = '9696'

cookbooks/nova-network/attributes/default.rb
100:default["neutron"]["services"]["api"]["port"] = 9696

claco, Mar 17 '14 18:03

I don't think a configuration with neutron-server as a wsgi process in Apache to facilitate SSL encryption is a CI-tested option, so my vote would go to using the native SSL configuration: http://docs.openstack.org/havana/config-reference/content/networking-options-ssl.html

The alternative is to use an Apache reverse proxy instead, which I know works.

odyssey4me, Mar 26 '14 12:03
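A loopback harness for the kind of monit check the issue asks for, added here as an example and not code from the rcbops cookbooks or the thread participants: it probes an API port with a verified TLS handshake and tells apart a properly encrypted endpoint, one presenting a certificate that does not chain to the trusted bundle, and a cleartext HTTP listener such as neutron-server on 9696 as reported. The certificates, listeners and hostnames are constructed in-process and are placeholders.

```ruby
require "openssl"
require "socket"

# Constructed fixture: a self-signed cert standing in for the CA bundle a cookbook would ship.
def make_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Loopback listener that speaks TLS with the given cert (what the API should look like after the fix).
def start_tls_listener(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  tcp = TCPServer.new("127.0.0.1", 0)
  srv = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new { loop { begin; srv.accept.close; rescue OpenSSL::SSL::SSLError, IOError, SystemCallError; end } }
  tcp.addr[1]
end

# Loopback listener that answers a TLS ClientHello the way a plain-HTTP API port does (constructed stand-in).
def start_cleartext_listener
  tcp = TCPServer.new("127.0.0.1", 0)
  Thread.new { loop { c = tcp.accept; (c.readpartial(4096); c.write("HTTP/1.1 400 Bad Request\r\n\r\n")) rescue nil; c.close } }
  tcp.addr[1]
end

# Monit-style probe: attempt a handshake verified against the trusted cert and classify the result as
# :tls_ok (encrypted, trusted), :untrusted (TLS on, cert not in bundle) or :cleartext (peer did not speak TLS).
def check_api_transport(host, port, trusted_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store, ctx.verify_mode = store, OpenSSL::SSL::VERIFY_PEER
  sock = TCPSocket.new(host, port)
  ssl  = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.connect
  :tls_ok
rescue OpenSSL::SSL::SSLError, EOFError, SystemCallError => e
  e.message.include?("certificate verify failed") ? :untrusted : :cleartext
ensure
  ssl&.close; sock&.close
end
```

Hostname verification is left out to keep the probe focused on the transport question; a production check would also pin the expected CN or SAN from the cookbook attributes.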