Security and Compliance in a Virtualized Environment
 

As your organization moves to adopt virtual infrastructure, you need to ensure that you understand the security and compliance implications of virtualization technology and of the platform you choose. This session introduces vSphere's secure architecture and design, how to accelerate IT compliance, and validation against standards set by Common Criteria, NIST and other organizations.

Usage Rights: © All Rights Reserved
Security and Compliance in a Virtualized Environment Presentation Notes

  • The biggest concern here (which maybe I didn't have on my original slides) is that it is relatively easy to "steal" a VM and hence steal data. Since a VM is just a bunch of files, an entire server can be copied onto a USB drive, or innocuously copied off somewhere during a backup procedure to a place that is not protected.
  • In addition to isolation of the platform, another critical aspect is to build isolation into the architecture of the virtualized datacenter. The most critical part is to isolate the production network traffic from the non-production traffic, which includes management services, IP-based storage, vMotion and so on. These non-production networks expose interfaces that can be used to control the entire deployment, and hence need to be guarded with multiple layers of protection and strong access controls. By doing so, you greatly minimize any chance of outside attacks succeeding, since these would have to breach the isolation barrier of the VMs first in order to do any damage to the virtualized infrastructure.
  • So it's clear that virtualized infrastructure requires virtualized security. Implementing security in the virtual environment allows for introspection at the hypervisor layer, something which physical solutions are simply not designed to do. And since security isn't hard-wired to the physical infrastructure, policies can be created once, with the assurance that they will be enforced regardless of how virtual machines are created, defined, or decommissioned. Transforming all the hardware capabilities into virtualization software allows for security which is cost-effective, simple, and adaptive.
  • Unique introspection capabilities provide comprehensive host and VM protection. Traditional approaches to protecting the operating system and applications have relied exclusively on agents, which are vulnerable themselves, offer protection only within limited layers of the application + OS stack, and create sprawl and management/update issues on a large scale. The vSphere platform has unique introspection abilities and can therefore provide very comprehensive and efficient access for security controls, while obviating the need for security agents in each virtual machine.
    The introspection capabilities of vSphere are to security what CT scanners are to medical diagnostics: they can help identify hard-to-detect problems precisely and efficiently, and enable comprehensive security controls such as File Integrity Monitoring (FIM), rootkit and virus protection, discovery of sensitive information, and Data Leak Protection (DLP). The result is much better performance, reduced complexity, and more comprehensive host and VM protection. VMware is leveraging these introspection capabilities in the vShield security products and also exposing interfaces to our key security industry partners for integration with broader solutions such as Security Information and Event Management (SIEM) and DLP.
  • Traditional IT security is very complex to provision and deploy. VI admins, network and security teams have overlapping roles, and it takes a lot of manual coordination to properly configure and set up the network, firewall rules and vSphere configurations. Agents also get deployed in every virtual machine for basic AV and anti-malware protection. These teams are also limited in terms of proper role-based views into policy and implementation. This results in slow provisioning, very complex configuration, sprawl in VLANs, rules and agents, significant coordination requirements, and a lack of role-based views into policy and implementation details.
  • vShield drastically reduces the complexity and the number of steps it takes for VI admins to implement clearly defined policies, and along with vCenter this solution enables security, network and VI admin teams to work closely together, so that policies can be clearly defined, implemented, viewed and changed seamlessly. With role-based access to administration and reporting interfaces, administration is clear and simple. VI admins are empowered to implement the security policies. The lead time it takes to provision the right set of security services is greatly reduced, and this can be done through UIs or through scriptable, REST-based APIs. vShield technology also helps eliminate the sprawl in VLANs, firewall rules and agents. We'll talk more about this in a few minutes when we get into the products overview.
  • VMware is introducing the vShield family of products at VMworld 2010. vShield solutions secure the edge of the virtual datacenter, protect virtualized application deployments from network-based threats, and streamline antivirus protection for all VMs by offloading AV processing to dedicated security VMs.
    vShield Edge protects the perimeter of a virtual data center, and provides services such as DHCP (Dynamic Host Configuration Protocol), NAT (Network Address Translation), firewall, VPN and web load balancing.
    vShield App protects application deployments from network-based threats. It allows for flexible and elastic groupings of VMs based on business needs such as PCI, HIPAA and DMZ deployments. vShield App extends the basic vShield Zones capability that is included as part of the vSphere Advanced and higher SKUs by adding flexible VM grouping by user-defined policies and supporting vCenter container-based policies.
    vShield Endpoint enables efficient, offloaded AV processing. Partners such as Trend Micro, Symantec and McAfee will ship the security virtual machines that integrate with vShield Endpoint for offloaded AV processing.
    vShield Manager is the centralized deployment, management, reporting, logging, tracking and integration point (REST-based APIs) for all vShield products.
  • So what is vShield Edge, and how is it like what you've already seen in the physical data center? The solution provides a virtual appliance with the following capabilities:
    DHCP – to automate IP address assignment to virtual machines in the vDC
    NAT – network address translation to mask private IP addresses in the vDC when they send traffic to untrusted networks
    Firewall – inbound and outbound connection control based on source/destination IP address and application port
    Site-to-site VPN – to encrypt traffic between vDCs, to allow for confidentiality between organizations or partner extranets
    Web load balancer – actually load balancing based on IP address, but in practice, since over 70% of server virtualization is for the web tier, organizations use load balancing for HTTP/S traffic
    And for each vSphere host, the virtual network can be carved up just as a physical network can be carved up using VLANs. This "network isolation" keeps traffic within the organization contained within a single port group.
    But while there are similarities with security in the physical world, there are key differences, and benefits, to vShield Edge over the alternatives:
    1. No additional hardware: the virtual appliance with all the aforementioned edge features is provisioned using existing vSphere resources
    2. No complicated VLAN rules: network isolation is enforced at the hypervisor layer, not requiring VLAN-enabled switches
    3. Rapid and scalable provisioning: each "tenant" gets their edge security virtually on demand, rather than through some complicated change management process which would require budget and rack space for new edge security hardware
    4. Centralized management and logging: with traditional security, each point solution would require its own management interface and logging infrastructure. With vShield, all policy management is done from one interface and logs are written in syslog format to a single location. Demonstrating compliance is a breeze.
  • vShield App picks up where vShield Edge leaves off: the interior of the vDC. Since edge security cannot completely lock down all
  • Trend Micro will provide the solution on 9/8.

Security and Compliance in a Virtualized Environment Presentation Transcript

  • 1. Security and Compliance in a Virtualized Environment 
    Jan Tiri (jtiri@vmware.com)
    CISSP – System Engineer
  • 2. Agenda
    Security of the platform
    How virtualization affects security
    How do we approach virtualization security and compliance
    Why virtualization is a security enabler
    vShield solutions overview
  • 3. Security of the Platform
  • 4. The Basics: Types of Server Virtualization
    Hosted (Type 2): the virtualization layer runs as an application on top of a host OS (Windows, Linux, Mac); the host OS changes the security profile
    Products: VMware Workstation, VMware Server, VMware Player, VMware Fusion
    Bare-Metal (Type 1): the virtualization layer runs directly on the hardware, with no general-purpose host OS underneath it
    Product: VMware ESX/ESXi
  • 5. The Basics: Isolation in the Platform
    Virtual Machines
    Are not able to interact with each other (except via the network)
    Are not aware of the underlying storage -- only their own virtual disk(s)
    Are subject to strict resource controls
    Virtual Switches
    Are complete, VLAN-capable, layer-2 switches
    Have no mechanism for sharing traffic between vSwitches or between VLANs (diagram: VMs on VLAN A and VLAN B cannot see each other's traffic)
  • 6. Secure Implementation
    VMware ESXi
    Compact footprint (less than 100MB)
    Fewer patches
    Smaller attack surface
    Absence of a general-purpose management OS
    No arbitrary code running on the server
    Not susceptible to the common threats that target a general-purpose OS
  • 7. Validated for use by Government and Defense
    Common Criteria EAL 4+ Certification
    Highest assurance level mutually recognized across countries under the Common Criteria Recognition Arrangement
    Achieved for ESX 3.0, ESX 3.5 and vSphere
    DISA STIG for ESX
    Approval for use in DoD information systems
    NSA Central Security Service
    Guidance for both datacenter and desktop scenarios
  • 8. How Virtualization Affects Security
  • 9. Faster Deployment of Servers
  • 10. Collapse of Switches and Servers into One Device
    (diagram: virtual switches and servers running together on ESX/ESXi on a single piece of hardware)
  • 11. Virtual Machine Encapsulation
  • 12. Consolidation of Servers
  • 13. How do we approach Virtualization Security and Compliance?
    • Use the Principles of Information Security
    Secure the Guests
    Harden the Virtualization layer
    Access Controls
    Administrative Controls
    Neil MacDonald (Gartner) - “How To Securely Implement Virtualization”
    “Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement”
  • 14. Secure the Guests
    Provide Same Protection as for Physical Servers
    Host: Anti-Virus, Patch Management
    Network: Intrusion Detection/Prevention (IDS/IPS)
    Edge: Firewalls
  • 15. Harden the Virtualization Layer
    VMware Security Hardening Guides
    Being provided for major platform products
    vSphere 4.0
    VMware Cloud Director
    View
    Important for architecture and deployment related controls
    (diagram: one vSwitch with 10 GigE pNICs carrying vMotion, FT logging, iSCSI and NFS IP-based storage, and TCP/IP management traffic to vCenter and other ESX/ESXi hosts)
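The presenter's note on isolating production traffic from management and IP-based storage, and the hardening slide above, describe a check without showing one. The script below is an added example (mine, not VMware tooling and not from the deck): it audits a constructed, vCenter-export-style port-group inventory and flags VM port groups that share a broadcast domain with management, vMotion, FT or IP-storage traffic, two infrastructure services squeezed onto one VLAN, and VM port groups set to VLAN 4095 (virtual guest tagging, which passes every VLAN through to the guest). The inventory rows, host names and traffic-class labels are assumptions.

```python
"""Added example (mine, not the presentation's): audit a port-group inventory
for the traffic isolation the deck calls for.  The inventory is constructed to
look like a vCenter export; its column layout and class labels are assumptions."""

from collections import defaultdict

# Traffic classes that carry control of the whole deployment (management,
# vMotion, FT logging, IP-based storage).  They must never share a broadcast
# domain with virtual machine port groups.
INFRA_CLASSES = {"management", "vmotion", "ft", "iscsi", "nfs"}

# VLAN ID 4095 on a standard vSwitch port group means Virtual Guest Tagging:
# tagged frames for every VLAN are handed to the guest untouched.
VGT_VLAN = 4095

# Constructed inventory: (host, vswitch, port group, vlan id, traffic class).
# VLAN 0 is "untagged", i.e. the switch's native broadcast domain.
INVENTORY = [
    ("esx01", "vSwitch0", "Management Network", 0,        "management"),
    ("esx01", "vSwitch0", "vMotion",            0,        "vmotion"),
    ("esx01", "vSwitch0", "VM Network",         0,        "vm"),
    ("esx01", "vSwitch1", "iSCSI",              20,       "iscsi"),
    ("esx01", "vSwitch1", "PCI-Web",            20,       "vm"),
    ("esx02", "vSwitch0", "Management Network", 10,       "management"),
    ("esx02", "vSwitch0", "vMotion",            11,       "vmotion"),
    ("esx02", "vSwitch0", "FT Logging",         12,       "ft"),
    ("esx02", "vSwitch0", "NFS",                13,       "nfs"),
    ("esx02", "vSwitch0", "VM Network",         100,      "vm"),
    ("esx02", "vSwitch0", "Test-Dev",           VGT_VLAN, "vm"),
]


def audit_isolation(inventory):
    """Return a list of (host, vswitch, vlan, message) findings."""
    findings = []
    domains = defaultdict(list)  # (host, vswitch, vlan) -> [(port group, class)]
    for host, vsw, pg, vlan, cls in inventory:
        if cls == "vm" and vlan == VGT_VLAN:
            findings.append((host, vsw, vlan,
                             f"{pg}: VLAN 4095 hands every VLAN to the guest, "
                             "including the infrastructure ones"))
        domains[(host, vsw, vlan)].append((pg, cls))

    for (host, vsw, vlan), members in domains.items():
        classes = {cls for _, cls in members}
        infra = [pg for pg, cls in members if cls in INFRA_CLASSES]
        vms = [pg for pg, cls in members if cls == "vm"]
        if vms and infra:
            findings.append((host, vsw, vlan,
                             f"VM port group(s) {', '.join(vms)} share a broadcast "
                             f"domain with {', '.join(infra)}"))
        if len(classes & INFRA_CLASSES) > 1:
            # e.g. the plaintext vMotion memory stream beside storage traffic:
            # a foothold on one service becomes a vantage point over the other.
            findings.append((host, vsw, vlan,
                             f"infrastructure services {', '.join(infra)} share one VLAN"))
    return findings


def hosts_with_findings(findings):
    """Hosts that need attention, sorted for stable reporting."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for host, vsw, vlan, msg in audit_isolation(INVENTORY):
        print(f"{host} {vsw} vlan={vlan}: {msg}")
```

Run as-is it reports esx01 twice for the untagged vSwitch0 domain (VM traffic beside management and vMotion, and those two infrastructure services sharing one VLAN), once for iSCSI sharing VLAN 20 with a VM port group, and once for the VLAN 4095 Test-Dev port group on esx02; the rest of esx02, with one VLAN per service, is clean. In practice you would feed it the port-group and VLAN data pulled from vCenter and extend the class set to whatever your design treats as non-production.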
  • 16. Access Controls
    (diagram: access controls arranged from broad scope to narrow scope)
  • 17. Why Virtualization is a Security Enabler?
    Unique introspection
    Policy abstraction
    Cost Effective
    • Single virtual appliance with breadth of functionality
    • Single framework for comprehensive protection
    Simple
    • No sprawl in rules, VLANs, agents
    • Relevant visibility for VI admins, network and security teams
    • Simplified compliance
    Adaptive
    • Virtualization and change aware
    • Program once, execute everywhere
    • Rapid remediation
  • 18. Security Enabler: Unique Introspection
    Introspect detailed VM state and VM-to-VM communications
    • Processor
    • Memory
    • Network
    • Disk
    • File system
    • Process control blocks
    Benefits
    • Comprehensive host and VM protection
    • Reduced configuration errors
    • Quick problem identification
    • Reduced complexity – no security agents per VM required
    (diagram: vSphere + vShield)
  • 19. Security Enabler: Policy Abstraction
    Separate the policy definition from the policy implementation
    BEFORE vShield: policy is tied to the physical host and is lost during vMotion
    AFTER vShield: policy seamlessly follows the virtual machine
    Benefits
    • Create and enforce security policies that survive live migration, automated VM load balancing and automated VM restart
    • Rapid provisioning of security policies
    • Easier compliance with continuous monitoring and comprehensive logging
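To make the before/after picture on the Policy Abstraction slide concrete, here is an added example (mine; it models the idea, not vShield's actual policy engine or API). A host-bound ruleset keyed on IP addresses is consulted on whichever host currently runs the destination VM, so after a vMotion to a host that never received the rules the flow has no policy at all; a rule keyed on group membership and evaluated at the VM's vNIC gives the same answer on every host and survives an IP change. The VM names, addresses, the PCI-Web/PCI-DB/Test-Dev groups and the rules are constructed.

```python
"""Added example (mine, not vShield code): a toy model of the slide's
policy-abstraction point.  Names, addresses, groups and rules are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    host: str
    ip: str
    groups: frozenset  # derived from the VM's vCenter container or tag, not its address


@dataclass(frozen=True)
class GroupRule:
    src_group: Optional[str]  # None means any source
    dst_group: str
    port: int


# BEFORE: address-keyed rules configured on each host's firewall.  Only esx01
# was ever given rules for the PCI tier.
HOST_RULES: Dict[str, Set[Tuple[str, str, int]]] = {
    "esx01": {("10.0.1.10", "10.0.2.20", 3306)},  # web1 -> db1, MySQL
}


def host_ip_decision(host_rules, src: VM, dst: VM, port: int) -> Optional[str]:
    """Consult the firewall of the host currently running dst.
    Returns "allow", "deny", or None when that host holds no policy at all
    (the "lost during vMotion" case on the slide)."""
    rules = host_rules.get(dst.host)
    if rules is None:
        return None
    return "allow" if (src.ip, dst.ip, port) in rules else "deny"


# AFTER: rules keyed on group membership, evaluated at dst's vNIC.
GROUP_RULES: List[GroupRule] = [
    GroupRule(None, "PCI-Web", 443),       # anyone may reach the web tier on HTTPS
    GroupRule("PCI-Web", "PCI-DB", 3306),  # only the web tier may reach the DB tier
]


def group_decision(rules, src: VM, dst: VM, port: int) -> str:
    """Default deny; host and IP never enter the decision."""
    for r in rules:
        if (r.dst_group in dst.groups and r.port == port
                and (r.src_group is None or r.src_group in src.groups)):
            return "allow"
    return "deny"


def vmotion(vm: VM, new_host: str) -> VM:
    """Live migration changes only the host; identity and groups stay."""
    return VM(vm.name, new_host, vm.ip, vm.groups)


def scenario():
    web1 = VM("web1", "esx01", "10.0.1.10", frozenset({"PCI-Web"}))
    db1 = VM("db1", "esx01", "10.0.2.20", frozenset({"PCI-DB"}))
    test1 = VM("test1", "esx01", "10.0.9.9", frozenset({"Test-Dev"}))
    out = {}
    # Both models agree while db1 sits on the host that holds the rules.
    out["before_migration"] = (host_ip_decision(HOST_RULES, web1, db1, 3306),
                               group_decision(GROUP_RULES, web1, db1, 3306))
    # vMotion db1 to esx02: the address-keyed policy is gone, the group policy is not.
    db1_moved = vmotion(db1, "esx02")
    out["after_migration"] = (host_ip_decision(HOST_RULES, web1, db1_moved, 3306),
                              group_decision(GROUP_RULES, web1, db1_moved, 3306))
    # A Test & Dev VM is denied by both models (default deny).
    out["test_to_db"] = (host_ip_decision(HOST_RULES, test1, db1, 3306),
                         group_decision(GROUP_RULES, test1, db1, 3306))
    # Renumbering db1 does not touch the group rule either.
    db1_renumbered = VM("db1", "esx02", "10.0.2.99", db1.groups)
    out["after_ip_change"] = group_decision(GROUP_RULES, web1, db1_renumbered, 3306)
    out["ssh_to_web"] = group_decision(GROUP_RULES, test1, web1, 22)
    return out


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case}: {result}")
```

The design point is in `group_decision`: the only inputs are the two VMs' group sets and the port, so nothing about placement or addressing can make the answer drift between hosts. The `None` returned by `host_ip_decision` after the move is the failure mode the slide is warning about; in a real deployment whether that turns into a silent allow or a silent outage depends on the host's default, and neither is what the policy author intended.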
  • 20. VMware Transforms Security from Complex…
    Many steps: configure network, firewall and vSphere
    Overlapping roles / responsibilities: network admin, security admin and VI admin each define, implement, monitor and refine policies and rules
    (diagram: an agent in every VM on VMware vSphere, plus a tangle of VLANs)
    Complex
    • Policies, rules implementation – no clear separation of duties; organizational confusion
    • Many steps – configure network, firewall and vSphere
    • Spaghetti of VLANs, sprawl – firewall rules, agents
  • 21. … To Disruptively Simple
    Clear separation of roles / responsibilities: network and security admins define, monitor and refine; the VI admin implements
    Few steps: configure vShield (vShield Manager + vCenter on VMware vSphere)
    Simple
    • Clear separation of duties
    • Few steps – configure vShield
    • Eliminate VLAN sprawl – vNIC firewalls
    • Eliminate firewall rules, agents sprawl
  • 22. 2010 – Introducing vShield Solutions
    Securing the Private Cloud End to End: from the Edge to the Endpoint
    vShield Edge 1.0 – secure the edge of the virtual datacenter
    vShield App 1.0 and Zones – application protection from network based threats (security zones)
    vShield Endpoint 1.0 – enables offloaded anti-virus (endpoint = VM)
    (diagram: two virtual datacenters on VMware vSphere + vCenter, each behind an Edge, containing DMZ, PCI compliant, HIPAA compliant, Test & Dev and Web zones)
  • 23. VMware vShield – Foundation for Cloud Security
    • Simplify IT compliance with centralized logging and reporting
    • Simplify provisioning with vCenter integration and programmable management
    • Third-party solution integration
    vShield Manager – Centralized management of security across the vDC
    vShield Endpoint – Offload anti-virus processing for endpoints
    • Improve performance by offloading anti-virus (AV) functions
    • Reduce costs by freeing up virtual machine resources
    • Reduce risk by streamlining AV functions to a hardened security virtual machine (SVM)
    • Satisfy audit requirements with detailed logging of AV tasks
    vShield App and Zones – Application protection from network based threats
    • Increase visibility for inter-VM communications and eliminate blind spots
    • Eliminate dedicated hardware and VLANs for different security groups
    • Optimize resource utilization while maintaining strict security
    • Simplified compliance with comprehensive logging of inter-VM activities
    vShield Edge – Secure the edge of the virtual datacenter
    • Reduce cost and complexity by eliminating multiple special purpose appliances
    • Ensure policy enforcement with network isolation
    • Simplify management with vCenter integration
    • Easier scalability with one edge per org/tenant
    • Speed up provisioning of edge security services
    • Simplify IT compliance with detailed logging
  • 24. vShield Edge: Secure the Edge of the Virtual Data Center
    Features
    • Multiple edge security services in one appliance
    • Stateful inspection firewall
    • Network Address Translation (NAT)
    • Dynamic Host Configuration Protocol (DHCP)
    • Site to site VPN (IPsec)
    • Web Load Balancer
    • Network isolation (edge port group isolation)
    • Detailed network flow statistics for chargebacks, etc.
    • Policy management through UI or REST APIs
    • Logging and auditing based on industry standard syslog format
    (diagram: one edge each for Tenant A, Tenant C and Tenant X on VMware vSphere)
    Benefits
    • Lower cost and complexity by eliminating multiple special purpose appliances
    • Ensure policy enforcement with network isolation
    • Simplify management with vCenter integration and programmable interfaces
    • Easier scalability with one edge per org/tenant
    • Rapid provisioning of edge security services
    • Simplify IT compliance with detailed logging
  • 25. vShield App: Application Protection from Network Based Threats
    Features
    • Hypervisor-level firewall
    • Inbound, outbound connection control applied at vNIC level
    • Elastic security groups – "stretch" as virtual machines migrate to new hosts
    • Robust flow monitoring
    • Policy management
    • Simple and business-relevant policies
    • Managed through UI or REST APIs
    • Logging and auditing based on industry standard syslog format
    (diagram: DMZ, PCI and HIPAA security groups on VMware vSphere)
    Benefits
    • Increase visibility for inter-VM communications
    • Eliminate dedicated hardware and VLANs for different security groups
    • Optimize resource utilization while maintaining strict security
    • Simplified compliance with comprehensive logging of inter-VM activity
  • 26. vShield Endpoint: Offload Anti-virus Processing for Endpoints
    Features
    • Eliminate anti-virus agents in each VM; anti-virus off-loaded to a security VM delivered by AV partners
    • Enforce remediation using a driver in the VM
    • Policy and configuration management through UI or REST APIs
    • Logging and auditing
    (diagram: on one VMware vSphere host, three VMs, each shown as APP / OS / kernel / BIOS, beside a hardened security VM (SVM) running the AV engine and connected to them through introspection)
    Benefits
    • Improve performance by offloading anti-virus functions in tandem with AV partners
    • Improve VM performance by eliminating anti-virus storms
    • Reduce risk by eliminating agents susceptible to attack, with enforced remediation
    • Satisfy audit requirements with detailed logging of AV tasks
  • 27. Where to Learn More
    Security: Hardening Best Practices, Implementation Guidelines – http://vmware.com/go/security
    Compliance: Partner Solutions, Advice and Recommendation – http://vmware.com/go/compliance
    Operations: Peer-contributed Content – http://viops.vmware.com
  • 28. Questions?