Why Security Teams should care about VMware


This presentation showcases the security attributes of VMware vSphere

  • Four areas. First, continue to enhance the core platform: pulling out the console OS, a vulnerable piece of code (32M), to eliminate attacks on that code. Second, integrate external technologies: use what customers already have. Third, protection at the host level instead of inside each guest. Fourth, policy-driven security: clouds and SLAs, managing at the level of the environment rather than of the individual system. Platform security is a core area of focus, making sure the platform is hardened against attack; VMware takes the primary responsibility for this activity. The second area is to ensure that existing security processes within the enterprise are enabled, so that VI can be operated in a secure fashion in the enterprise. Virtual appliances help customers deploy more security than is possible in physical datacenters, increasing the overall “density” of security in a virtualized datacenter. Lastly, we believe that virtual can be more secure than physical systems. This is all built on the foundation of VMsafe-enabled products, but in addition, changes to the way customers can deploy and operate their systems in a virtual environment will make things more secure.
  • Application vServices, to recap, are services provided by our platform to applications, uniformly, enabled by simple point-and-click in most cases. Let’s review the current application vServices provided by VMware and the new vServices in 2009.
  • Partner solutions that utilize VMsafe have the following advantages over existing security mechanisms: they can protect VMs without needing to install agents inside each VM; they can perform a multitude of tasks that protect a VM holistically (monitor VM components on the host, network traffic through the distributed switch), so AV, firewall and IPS can all be in one appliance; and they can do all these tasks efficiently in a dynamic environment where the virtual machine moves from host to host. For example, if a VM is being monitored on a particular host, it carries its security state with it to the next host, where another appliance starts monitoring it.
  • vShield Zones is a new Application vService providing fundamental and critical network security for the VDC-OS. Expanding virtualization deployments in the datacenter are encompassing multiple areas of trust, such as DMZ (demilitarized zone) buffers to the Internet and sensitive data such as credit card information subject to Payment Card Industry (PCI) compliance or corporate financial data covered by Sarbanes-Oxley. These varying trust zones must be segmented with firewalls and other network security. Existing physical appliances require diverting traffic to external chokepoints, splintering ESX resource pools into small fragments and disrupting the seamless vision of an internal computing cloud. vShield Zones is a virtual appliance that allows you to monitor and restrict inter-VM traffic within and between ESX hosts to provide security and compliance within shared resource pools. vCenter integration lets you create network zones based on familiar VI containers such as hosts, clusters, vswitches and VLANs. vShield Zones scans VMs for known applications to present network flows and security policies by application protocol rather than as raw network flows. Virtualization awareness and application awareness increase accuracy and reduce the risk of misconfiguration and noncompliance. Consistent security policies can be assured throughout a VM lifecycle, from initial provisioning to VMotion across various hardware to final decommissioning. A complete view of virtual machines, networks and security policies allows you to audit security posture fully within the virtual environment to meet defined security SLAs, irrespective of changes to your external physical network and perimeter.
  • Here is a screenshot of what you see with the VM Flow monitoring capability. The UI allows you to drill down and see what’s happening in more and more detail: allowed vs. disallowed traffic; protocol (UDP, TCP, etc.); incoming vs. outgoing; categorized (i.e. traffic which can be attributed to a particular application) vs. uncategorized (other); application (i.e. which protocol is responsible); source and destination.
  • The firewall feature in vShield Zones is called VM Wall. This configuration screen reveals one of the most important aspects of the product: the fact that you can create rules based not simply upon individual IP addresses, but upon logical zones. The zones in this case are the ones mentioned earlier: datacenter, cluster, VLAN. Because you can create rules based upon zones instead of individual IP addresses, the total number of rules is far fewer than if you simply ported a physical firewall to a virtual appliance. For example, for a typical three-tier app with 4 hosts and 8 VMs per tier, you’d need more than 700 rules if you were using individual IP addresses! By contrast, using logical zones, the number of rules collapses down to a mere 12. A second important point is the fact that these rules need not simply be based on port number, but can be based on application. Due to the built-in application awareness, you can block traffic even for applications that use a range of ports or ephemeral ports. vShield Zones knows when an application is trying to communicate, and blocks all traffic for that application regardless of which port it tries to use.
  • Compliance and governance managers. This group is interested in the fact that a license has been deployed that requires authorization to use, and that an audit trail exists documenting that use procedures are established and followed. In this case, there need not be a difference between the virtualized and native applications, as either configuration will allow tracking and management of the license through the same tools used today. ThinApp virtualized applications register with WMI (similar to natively installed applications) and can be tracked by the same mechanisms used to inventory and track natively installed applications. Because the virtual package is an .MSI or .EXE, it can also be registered with the Definitive Software Library and tracked through the normal change and configuration management and asset management systems used today for natively installed applications.
  • Pricing considerations are of paramount interest for some customers, but make sure that they also see the value in what they are buying. VMware View is packaged starting at Citrix’s mid-tier package offerings, but also compare what is purchased for each option. VMware View Premier offers capabilities not available in Citrix’s top offering, and is priced 36% less.
  • Why Security Teams should care about VMware

    1. VMware Security Briefing
       • VMware Team
          • Dan Schoch
          • Scott Favorite
          • JJ DiGeronimo
    2. Agenda
       • VMware Strategy
       • Security Benefits in vSphere’s Virtualization
       • Extending Virtualization to the EndPoint
       • Research and Whitepapers
    3. Security Advantages of Virtualization
       • Allows automation of many manual, error-prone processes
       • Better forensics capabilities
       • Faster recovery after an attack
       • Patching is safer and more effective
       • More cost-effective security devices
       • Better lifecycle controls
       • Security through VM introspection
       • Cleaner and easier disaster recovery/business continuity
    4. VMware Security Strategy
       • New platform hardening features further enhance robust security capabilities
       • Thin-hypervisor strategy
       • Integrate VMware products into existing operational policies in the enterprise
       • Enable broad-based security for every VM in the environment
       • “Democratize” security
       • Self-describing, self-configuring security
       • Impact security by taking advantage of unique VMware technologies
       • Focus on products and operations
       (Diagram labels: Core Platform Security; Operationalize Security; Security Virtual Appliances; Better Than Physical: Adaptive Security Infrastructure; .OVF)
    5. Extended Computing Stack and Guest Isolation
       (Diagram labels: Hypervisor; Standard x86; VMware ESX)
    6. Isolation by design: Security Design of the VMware Infrastructure Architecture, http://www.vmware.com/resources/techresources/727
    7. How Virtualization Affects Datacenter Security
    8. Agenda
       • VMware Strategy
       • Security Benefits in vSphere’s Virtualization
       • Extending Virtualization to the EndPoint
       • Research and Whitepapers
    9. vSphere - Virtual Datacenter OS from VMware
       Make applications more scalable, secure and resilient in a virtual environment than physical.
       (Diagram labels: Off-premise Cloud; vCenter; On-premise Infrastructure; SaaS, Linux, Grid, Windows, J2EE, .Net, Web 2.0; VMware Infrastructure -> virtual datacenter OS; Application vServices; Infrastructure vServices: Scalability, Security, Availability; vNetwork, vStorage, vCompute; Cloud vServices)
    10. vSphere - New & Improved Enterprise OS
       • DPM: Consolidates workloads onto fewer servers when the cluster needs fewer resources. Distributed Power Management will be fully supported in production; DPM with WoL will still be supported experimentally only.
       • Hot Add: Dynamically add additional compute, memory or network/storage resources as applications grow. Hot Add gives admins the ability to scale VMs without disruption to end users.
       • Fault Tolerance: Ensure continuous availability for virtual machines against hardware failures. VMware FT creates virtual machine “pairs” that run in lock step, essentially mirroring the execution state of a VM and eliminating data loss or downtime for any application.
       • Thin Provisioning: Optimizes storage costs through the most efficient use of storage in virtual environments. Use Thin Provisioning to reduce storage costs by up to 50%.
       • Data Recovery: Quick, simple and complete data protection for your VMs. Data Recovery provides agent-less, disk-based backup and recovery (VM or file level) of your VMs.
       • vShield Zones: Comply with corporate security policies and regulations on data privacy while still running applications efficiently on shared computing resource pools. vShield Zones makes it easy to centrally manage and enforce compliance with security policies across large pools of servers and virtual machines.
       • VMsafe: Enables the use of security products that work in conjunction with the virtualization layer to provide higher levels of security to virtual machines. Partners working on VMsafe products: Symantec, Trend Micro, Check Point, Internet Security Systems and McAfee.
       • Distributed Switch: Simplifies and enhances the provisioning, administration and control of virtual machine networking. VMware Distributed Switch is a new type of virtual switch which spans the entire Virtual Infrastructure and enables the network to be treated as an aggregated resource.
       • Host Profiles: Standardize and simplify how customers configure and manage ESX host configurations. Host Profiles simplify and standardize ESX host configuration. This feature in vCenter Server 4.0 allows the creation of a “golden profile” from an existing host and using it as a template to configure other hosts.
    11. VMware VMsafe Multi-function Security Appliance
       • Integrated, more effective, comprehensive security solutions within the virtual infrastructure
       • Better than physical: automatic protection, right-sized security capacity
       • Agent-less deployment of partner security services
       • Single security VM for multiple security services: AV, Firewall, IPS
       • Mobility-awareness: security policy and state move with the virtual machine
       (Diagram labels: Security VM; vNetwork Distributed Switch; VMware ESX; App/OS)
    12. VMsafe™ APIs
       • APIs for all virtual hardware components of the VM
          • CPU/Memory Inspection
             • Inspection of specific memory pages being used by the VM or its applications
             • Knowledge of the CPU state
             • Policy enforcement through resource allocation of CPU and memory pages
          • Networking
             • View all IO traffic on the host
             • Ability to intercept, view, modify and replicate IO traffic from any one VM or all VMs on a single host
             • Capability to provide inline or passive protection
          • Storage
             • Ability to mount and read virtual disks (VMDK)
             • Inspect IO reads/writes to the storage devices
             • Transparent to the device and inline in the ESX storage stack
    13. VMware vShield Zones
       • Capabilities
          • Bridge, firewall, or isolate VM zones based on familiar VI containers
          • Monitor allowed and disallowed activity by application-based protocols
          • One-click flow-to-firewall blocks precise network traffic
       • Benefits
          • Well-defined security posture within the virtual environment
          • Monitoring and assured policies, even through VMotion and VM lifecycle events
          • Simple zone-based rules reduce policy errors
    14. Virtual Network Visibility
       • Network flows at DC, cluster, VLAN and down to the guest VM level
       • Take the guesswork out of troubleshooting firewalls: see allowed and blocked traffic
       • Identify malicious traffic: visibility for rogue services, botnets, improper server configuration
    15. VMware VM Wall - Virtual Firewall
       • Shorthand rule notation: use cluster, VLAN as container groups
       • Hierarchical rule assignment: scope of rules can be datacenter, cluster or VLAN, all centrally managed
       • Application-aware rule provisioning: opens dynamic/ephemeral ports as needed; specify app names, not ports
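The flow monitoring and the zone-based, application-aware rules described on slides 13 to 15 (and in the VM Flow and VM Wall speaker notes above), worked through as an added example. This is constructed illustration code, not vShield Zones or any VMware code: the six-VM inventory, zone names, application names, rule set and flow records are all assumptions, and the IP-pair rule count it computes is for its own inventory, not the page's 700-versus-12 figure. It shows the three points the notes make: a rule keyed by zone covers every VM in the zone, a rule keyed by application name still matches when the application uses an ephemeral port, and a VM moved to another host keeps its zone and therefore its policy.

```python
from collections import Counter
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    host: str
    vlan: str            # the VI container used as the zone here (a cluster or datacenter works the same way)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str           # "TCP" or "UDP"
    dst_port: int
    app: Optional[str]   # application identified by inspecting the flow; None = uncategorized


@dataclass(frozen=True)
class ZoneRule:
    src_zone: str        # zone name, or "*" for any zone
    dst_zone: str
    app: str             # application name, or "*" for any application; never a port number
    action: str          # "allow" or "deny"


# Constructed inventory: a three-tier application, one VLAN per tier, spread over two hosts.
VMS = [
    VM("web1", "10.1.0.11", "esx-a", "VLAN-WEB"),
    VM("web2", "10.1.0.12", "esx-b", "VLAN-WEB"),
    VM("app1", "10.2.0.21", "esx-a", "VLAN-APP"),
    VM("app2", "10.2.0.22", "esx-b", "VLAN-APP"),
    VM("db1",  "10.3.0.31", "esx-a", "VLAN-DB"),
    VM("db2",  "10.3.0.32", "esx-b", "VLAN-DB"),
]

# Constructed zone policy: first match wins, anything unmatched is denied.
RULES = [
    ZoneRule("VLAN-WEB", "VLAN-APP", "http",  "allow"),
    ZoneRule("VLAN-APP", "VLAN-DB",  "mysql", "allow"),
    ZoneRule("*",        "VLAN-DB",  "*",     "deny"),
]

# Constructed flow records of the kind a flow monitor would present.
FLOWS = [
    Flow("10.1.0.11", "10.2.0.21", "TCP", 8080,  "http"),   # web tier to app tier
    Flow("10.2.0.21", "10.3.0.31", "TCP", 50233, "mysql"),  # database traffic on an ephemeral port
    Flow("10.1.0.11", "10.3.0.31", "TCP", 3306,  "mysql"),  # web tier reaching the database directly
    Flow("10.2.0.22", "10.3.0.32", "UDP", 4444,  None),     # traffic no application signature explains
]


def vm_by_ip(vms, ip):
    return next((v for v in vms if v.ip == ip), None)


def zone_of(vm):
    return vm.vlan


def evaluate(flow, vms, rules):
    """Return (action, matched_rule). Unknown endpoints and unmatched flows are denied."""
    src, dst = vm_by_ip(vms, flow.src_ip), vm_by_ip(vms, flow.dst_ip)
    if src is None or dst is None:
        return "deny", None
    for rule in rules:
        if rule.src_zone not in ("*", zone_of(src)):
            continue
        if rule.dst_zone not in ("*", zone_of(dst)):
            continue
        if rule.app != "*" and rule.app != flow.app:   # match on the application, not on the port
            continue
        return rule.action, rule
    return "deny", None


def flow_report(flows, vms, rules):
    """Summarise flows the way a flow monitor would: by application (or 'uncategorized') and verdict."""
    counts = Counter()
    for flow in flows:
        action, _ = evaluate(flow, vms, rules)
        counts[(flow.app or "uncategorized", action)] += 1
    return dict(counts)


def ip_rule_equivalent(vms, rules):
    """How many per-IP-pair rules express the same policy (assuming one port per application)."""
    total = 0
    for rule in rules:
        srcs = [v for v in vms if rule.src_zone in ("*", zone_of(v))]
        dsts = [v for v in vms if rule.dst_zone in ("*", zone_of(v))]
        total += len(srcs) * len(dsts)
    return total


def vmotion(vms, name, new_host):
    """Move a VM to another host; its zone (VLAN) is unchanged, so the policy is unchanged too."""
    return [replace(v, host=new_host) if v.name == name else v for v in vms]


if __name__ == "__main__":
    print(flow_report(FLOWS, VMS, RULES))
    print(len(RULES), "zone rules vs", ip_rule_equivalent(VMS, RULES), "IP-pair rules")
    print(evaluate(FLOWS[1], vmotion(VMS, "app1", "esx-b"), RULES)[0])
```

The third rule (any zone to VLAN-DB, any application, deny) is what catches the web tier talking straight to the database and the uncategorized UDP flow; with a default deny at the end it is redundant, but writing it explicitly makes the denied flow appear in the report under a matched rule, which is what an auditor wants to see.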
    16. Secure Design for Virtualization Layer
       • Fundamental design principles
          • Isolate all management networks
          • Disable all unneeded services
          • Tightly regulate all administrative access
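One way to turn the three design principles on slide 16 into a repeatable check, as an added example that is not part of the presentation or of any VMware tool. The host description is a constructed plain dict (not a real host profile or esxcfg output), and the port group names, VLAN numbers, service names and account names are all assumptions; the audit reports a finding for each principle the constructed host violates and none once it has been remediated.

```python
import copy

# Constructed host description; this is NOT VMware's host profile format.
HOST_BEFORE = {
    "vswitches": {
        "vSwitch0": {
            "Service Console":  {"vlan": 10,  "kind": "management"},
            "VMkernel-VMotion": {"vlan": 20,  "kind": "management"},
            "Test VMs":         {"vlan": 10,  "kind": "vm"},   # VM port group on the management switch and VLAN
        },
        "vSwitch1": {
            "VM Network":       {"vlan": 100, "kind": "vm"},
        },
    },
    # services enabled on the console OS (names are illustrative)
    "services": {"ntpd": True, "sshd": True, "snmpd": True, "vmware-webAccess": True, "ftpd": True},
    "admin": {"root_ssh_login": True, "admins": ["root", "ops1", "ops2", "dev-intern"]},
}

# Constructed site baseline: the services this site needs and the people approved to administer hosts.
NEEDED_SERVICES = {"ntpd", "sshd", "snmpd"}
APPROVED_ADMINS = {"root", "ops1", "ops2"}


def check_management_isolation(host):
    """Principle 1: management port groups share neither a vSwitch nor a VLAN with VM port groups."""
    findings = []
    mgmt_vlans = {pg["vlan"] for sw in host["vswitches"].values()
                  for pg in sw.values() if pg["kind"] == "management"}
    for sw_name, portgroups in host["vswitches"].items():
        kinds = {pg["kind"] for pg in portgroups.values()}
        if {"management", "vm"} <= kinds:
            findings.append(f"{sw_name}: management and VM port groups share one vSwitch")
        for pg_name, pg in portgroups.items():
            if pg["kind"] == "vm" and pg["vlan"] in mgmt_vlans:
                findings.append(f"{sw_name}/{pg_name}: VM port group on management VLAN {pg['vlan']}")
    return findings


def check_services(host, needed):
    """Principle 2: any enabled service that is not on the needed list is a finding."""
    return [f"service {name} enabled but not needed"
            for name, enabled in sorted(host["services"].items()) if enabled and name not in needed]


def check_admin_access(host, approved):
    """Principle 3: no direct root logins over SSH, and only approved administrators."""
    findings = []
    if host["admin"]["root_ssh_login"]:
        findings.append("root may log in directly over SSH")
    findings += [f"unapproved administrator: {user}"
                 for user in host["admin"]["admins"] if user not in approved]
    return findings


def audit(host, needed=NEEDED_SERVICES, approved=APPROVED_ADMINS):
    """All findings for a host; an empty list means the three principles hold."""
    return (check_management_isolation(host)
            + check_services(host, needed)
            + check_admin_access(host, approved))


# The same host after remediation: the VM port group moved to its own VLAN on vSwitch1,
# unneeded services switched off, root SSH disabled, unapproved administrator removed.
HOST_AFTER = copy.deepcopy(HOST_BEFORE)
test_pg = HOST_AFTER["vswitches"]["vSwitch0"].pop("Test VMs")
test_pg["vlan"] = 110
HOST_AFTER["vswitches"]["vSwitch1"]["Test VMs"] = test_pg
HOST_AFTER["services"].update({"vmware-webAccess": False, "ftpd": False})
HOST_AFTER["admin"] = {"root_ssh_login": False, "admins": ["root", "ops1", "ops2"]}


if __name__ == "__main__":
    for line in audit(HOST_BEFORE):
        print("BEFORE:", line)
    print("AFTER:", audit(HOST_AFTER) or "no findings")
```

The point of feeding the checks a description rather than querying the host live is that the same functions can run against a golden profile (slide 10) before it is pushed to other hosts, so a drift from the three principles is caught at provisioning time rather than found later in an audit.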
    17. Agenda
       • VMware Security Strategy
       • Security Benefits in vSphere’s Virtualization
       • Extending Virtualization to the EndPoint
       • Research and Whitepapers
    18. Physical Desktop Challenges
       • Difficult to manage and secure device
          • PC management is difficult to centralize due to the broadly distributed nature of PC hardware.
          • Users often require access to their desktop environment from anywhere.
          • PC desktop standardization is difficult in the face of hardware discrepancies and the wide variety of brands and models.
          • End users often require customized desktop environments.
       • High total cost of ownership
          • Ongoing PC management is costly and labor-intensive.
          • Multiple PC hardware configurations need to be tested and validated prior to deployment.
          • Support costs are further exacerbated by the need to support a geographically dispersed PC infrastructure.
    19. Benefits of Centralized Desktops
       • Bring back previously decentralized applications and data into the corporate data center.
       • Centrally control and manage all off-site access to these sensitive applications and data.
       • Extend corporate network security levels to off-site facilities.
       • Sensitive applications and data are no longer stored on off-site computers.
       • Data integrity and business continuity (DR) are more easily maintained.
       • Benefits most users: not just off-shore users and contractors, but mobile workers and branch office employees, too.
       • Regulatory compliance requirements are more easily adhered to (HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley).
    20. Server-based Desktop Virtualization
       Moving the desktop to a virtualized image in the data center allows the complex components to be protected and managed.
       (Diagram labels: Profile; File Server; User Data; App)
    21. Universal Operating System “Gold” Image
       A single encapsulated hardware build for all users allows for better tuning and hardening of the underlying operating system.
       (Diagram labels: Profile; File Server; User Data; App)
    22. Patch Management in the Data Center
       Patches can be delivered at data center network speeds, or virtual machines can be periodically destroyed and rebuilt cleanly.
       (Diagram labels: Profile; File Server; User Data; App; Patch Server)
    23. Access Control
       Controlling access to the virtualized desktops provides further protection to applications and user data.
       (Diagram labels: Profile; File Server; User Data; App; X)
    24. Elimination of Complex Devices at the Edge
       Users can be issued tamper-proof thin clients with no moving parts to complete the solution.
       (Diagram labels: Profile; File Server; User Data; App)
    25. Data Security - Backing Up
       With a fully virtualized desktop, backups are not only simplified, they’re actually possible.
       (Diagram labels: Profile; Profiles; File Server; User Data; App; VM Template; ?)
    26. Secured Client-Side Virtualization
       Secure virtual machines can be overlaid on an insecure or unmanaged device.
       • Control network access of the VM
       • Encryption of the virtual disk
       • Link a VM to a specific device
       • Block devices to secure data
       • Phone home or deactivate
       • Central management of security policies
    27. Portable Client-Side Virtualization
       The client device and its unsecured OS become irrelevant: the VM is the true working environment.
    28. Application Virtualization
       • Applications are encapsulated in their own container
       • Each application is separated from other applications and the operating system
       • Application virtualization intercepts file and system calls between the application and the OS
    29. Security Benefits of Application Virtualization
       • Single app to patch
       • No need to “install” software on systems
       • Can be run as a user-mode application with no admin rights
       • Can be run from a central location
    30. Integrated Virtualization Solution
       Users can be issued tamper-proof ACE instances with virtualized apps and network access only through View instances to complete the solution.
       (Diagram labels: Profile; File Server; User Data; App)
    31. Agenda
       • VMware Strategy
       • Security Benefits in vSphere’s Virtualization
       • Extending Virtualization to the EndPoint
       • Research and Whitepapers
    32. References
       • Security Design of the VMware Infrastructure 3 Architecture (http://www.vmware.com/resources/techresources/727)
       • VMware Infrastructure Security Hardening (http://www.vmware.com/vmtn/resources/726)
       • Managing VMware VirtualCenter Roles and Permissions (http://www.vmware.com/resources/techresources/826)
       • DISA STIG and Checklist for VMware ESX (http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf, http://iase.disa.mil/stigs/checklist/esx_server_checklist_v1r1_30_apr_2008.pdf)
       • CIS (Center for Internet Security) Benchmark (http://www.cisecurity.org/bench_vm.html)
       • Xtravirt Virtualization Security Risk Assessment (http://www.xtravirt.com/index.php?option=com_remository&Itemid=75&func=fileinfo&id=15)
    33. Common Criteria Certified Versions
       • Common Criteria EAL 4+ Certification for ESX 3.0.2 and VC 2.0.2: http://www.cse-cst.gc.ca/its-sti/services/cc/vmware-eng.html
       • Common Criteria EAL 4+ Certification for ESX 3.5, ESXi 3.5 and VC 2.5 (in progress): http://www.cse-cst.gc.ca/its-sti/services/cc/oe-pece-eng.html
       • Common Criteria EAL 4+ Certification for ESX 4, ESXi 4 and VC 4 to be submitted for certification shortly
    34. VMware Security Briefing
       • VMware Team
          • Dan Schoch
          • Scott Favorite
          • JJ DiGeronimo
    35. Enforce Strong Access Controls
       Security Principle       Implementation in VI
       Least Privileges         Roles with only required privileges
       Separation of Duties     Roles applied only to required objects
       (Diagram labels: Anne, Harry, Joe; Administrator, Operator, User)
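The two principles on slide 35, least privilege (roles with only required privileges) and separation of duties (roles applied only to required objects), modelled over a small inventory tree as an added example. This is illustration code, not VirtualCenter's permission model or API: the inventory, role definitions, privilege names and the three users' assignments are constructed, and the one behaviour borrowed from VirtualCenter is that a permission set on a child object takes precedence over one inherited from a parent. The two check functions report, for the "before" assignments, a role that grants more than the job needs and a role applied higher in the tree than the job needs, and report nothing for the corrected assignments.

```python
from dataclasses import dataclass

# Constructed inventory tree: child object -> parent, mirroring the VI containers (datacenter, cluster, host, VM).
PARENT = {
    "dc-1": None,
    "cluster-a": "dc-1", "esx-a": "cluster-a", "web1": "esx-a", "db1": "esx-a",
    "cluster-b": "dc-1", "esx-b": "cluster-b", "app1": "esx-b",
}

# Constructed roles as sets of privileges (names illustrative, not a real privilege catalogue).
ROLES = {
    "Administrator": {"VM.Console", "VM.PowerOn", "VM.PowerOff", "VM.Configure",
                      "Host.Configure", "Permission.Modify"},
    "Operator":      {"VM.Console", "VM.PowerOn", "VM.PowerOff"},
    "User":          {"VM.Console"},
}


@dataclass(frozen=True)
class Permission:
    principal: str
    obj: str                 # inventory object the role is applied to
    role: str
    propagate: bool = True   # whether the role also applies to children of obj


def path_to_root(obj, parent=PARENT):
    """Yield obj first, then each ancestor up to the root."""
    while obj is not None:
        yield obj
        obj = parent[obj]


def subtree(root, parent=PARENT):
    """Every object at or below root."""
    return {o for o in parent if root in path_to_root(o, parent)}


def effective_privileges(principal, obj, perms, roles=ROLES, parent=PARENT):
    """Privileges a principal holds on obj: the nearest permission on the path to the root decides
    (a permission on a child overrides one inherited from a parent, as VirtualCenter does)."""
    for node in path_to_root(obj, parent):
        for p in perms:
            if p.principal == principal and p.obj == node and (node == obj or p.propagate):
                return set(roles[p.role])
    return set()


def least_privilege_violations(perms, required, roles=ROLES):
    """Privileges granted anywhere beyond what each principal's job requires."""
    excess = {}
    for p in perms:
        extra = roles[p.role] - required.get(p.principal, set())
        if extra:
            excess.setdefault(p.principal, set()).update(extra)
    return excess


def scope_violations(perms, allowed_scope, roles=ROLES, parent=PARENT):
    """Objects on which a principal holds any privilege but which lie outside their allowed scope."""
    out = {}
    for principal, allowed in allowed_scope.items():
        reachable = {o for o in parent if effective_privileges(principal, o, perms, roles, parent)}
        if reachable - allowed:
            out[principal] = reachable - allowed
    return out


# Constructed assignments as found (before) and as corrected (after).
PERMS_BEFORE = [
    Permission("anne",  "dc-1",      "Administrator"),
    Permission("harry", "cluster-a", "Administrator"),   # Harry only operates VMs in cluster-a
    Permission("joe",   "esx-a",     "User"),            # Joe only needs the console of web1
]
PERMS_AFTER = [
    Permission("anne",  "dc-1",      "Administrator"),
    Permission("harry", "cluster-a", "Operator"),
    Permission("joe",   "web1",      "User"),
]

# What each job actually needs: the privilege set and the objects it must cover.
REQUIRED = {"anne": ROLES["Administrator"], "harry": ROLES["Operator"], "joe": ROLES["User"]}
ALLOWED_SCOPE = {"anne": subtree("dc-1"), "harry": subtree("cluster-a"), "joe": {"web1"}}


if __name__ == "__main__":
    print("excess privileges:", least_privilege_violations(PERMS_BEFORE, REQUIRED))
    print("out-of-scope objects:", scope_violations(PERMS_BEFORE, ALLOWED_SCOPE))
    print("after fix:", least_privilege_violations(PERMS_AFTER, REQUIRED), scope_violations(PERMS_AFTER, ALLOWED_SCOPE))
```

Running the two checks against an exported permission list is a cheap way to keep the slide's principles true over time: the first catches a role that was widened "for convenience", the second catches a correct role that was applied to a container instead of to the one object it was meant for.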
    36. View is much simpler to set up and support
    37. Competitive Pricing/Packaging Comparison
       Columns: XenDesktop Advanced, Enterprise, Platinum; VMware View Enterprise, Premier
       Rows: Virtualization Platform; Connection broker; Secure remote access; Storage Optimization; Multi-backend support; Application Virtualization; Offline Desktop*; High Availability; Dynamic Provisioning; Desktop Monitoring (marked “Partner” in two columns)
       Pricing: XenDesktop Advanced $195, Enterprise $295, Platinum $395; VMware View Enterprise $150, Premier $250
       * Experimental support only
    38. Cost Comparison
       VMware cost per user
         Premier Bundle                $250.00   List price per user, Premier Bundle
         Support and Maintenance       $62.00
         ESX Server HW                 $156.25   ESX server $10,000; 64 users on 8 core system
         Provisioning Server HW Cost   $ -       Virtual machine on ESX
         Connection Broker HW Cost     $ -       Virtual machine on ESX
         Storage Costs                 $30.00    Space for linked clone
         Total per user cost           $498.25
       Citrix cost per user
         Xen Desktop Advanced          $295.00   List price per user, XenDesktop Platinum
         Support and Maintenance       $48.75
         Xen Desktop Server HW         $312.50   XEN server $10,000; 32 users on 8 core system
         Provisioning Server HW Cost   $16.67    Physical server per documentation; 300 users for $5,000
         Connection Broker HW Cost     $4.17     Physical server per documentation; 1200 users for $5,000
         Storage Costs                 $30.00    In theory some costs, but will be minimal
         Total per user cost           $707.09   (+ additional server for XenApp, + TSCAL, +, +)