VirtSec, and the Open Source impact

or the lack thereof..

Transcript of "VirtSec, and the Open Source impact"

INUITS
"The real voyage of discovery consists in having new eyes." Marcel Proust

Kris Buytaert
  • Senior Linux and Open Source Consultant @inuits.be
  • „Infrastructure Architect“
  • Surviving the 10th floor test
  • OSSTMM
  • Co-Author Virtualization with Xen
  • Guest Editor at Virtualization.com

Today
  • What is Virtualization
  • What is VirtSec
  • FUD and Reality
  • VirtSec and Open Source
  • CloudSec

What is Virtualization?
  • Running different operating systems together on one machine
  • Isolating the operating system from the underlying hardware resources
  • Running multiple identical operating systems together on one machine

Why Virtualization Matters
  • Consolidation
  • Saving idle CPU cycles
  • Separating Development/Staging/Production
  • Hardware independence
  • Security
  • Greener environment
  • All the cool kids are doing it

Why Virtualization is dangerous
  • A vendor view of High Availability
  • Live Migration is not a HA solution
  • Vendor lock-in
  • Heavy IO
  • Hardware dependencies & Live Migration
  • Security?

Virtualization and Open Source
  • Leading the pack
  • Paravirtualization
  • VT support
  • The core virtual infrastructure is open
  • Proprietary vendors try to catch up
  • And build the management frameworks

Virtualization to Me
  Xen, KVM, VirtualBox, Linux Vserver, OpenVZ, Linux Containers, LibVirt, Convirt, Qemu, OpenQRM, Enomaly, UML

What is VirtSec?
  • Securing virtual platforms, hypervisors, host OS
  • Securing the guest OS in a virtual environment
  • Running security tools in a virtual environment

Isn't VirtSec just a way for the security people to jump on the Virtualization hype?

What changes with Virtualization?
  • The network stack
      • System vs Network vs Virtualization
      • The network goes inside the machine
  • Live Migration
      • Across different VLANs
      • VLAN spaghetti
  • Scale
      • 1 physical machine = MANY VMs

Legacy Apps
  • Claim: Legacy apps can't be secured properly
      • That old badge logging app running on Win95
      • That old batch job running on SCO
  • Doesn't matter if they are virtual or not

The Virtual Network
  • Claim: NIDS can't see inter-VM traffic
  • What about inter-app traffic on the same host, only now we've isolated apps from each other
  • Bridging / routing inter-VM traffic rather than using proprietary sockets

Flux and Scale
  • Claim: Traditional HIDS can't follow the quickly changing state of hosts
  • My HA clusters are Active/Passive, Active/Active, or N+M too. Their state is in constant flux too
  • The role of Config Management and Platform Automation grows every second.

Static Security was DEAD before Virtualization
  • High Availability clusters
  • But the problem is still growing
  • VM relocation
  • Live VM migration
  • Rapid redeployment
  • Multiple instances of a service

Thank you App Developer
  • Virtual Appliances are awesome
  • A flying start
  • They save you time
  • They give you a nice preview of technology

Virtual Appliance & Security
  • Who built it?
  • Is the app secured?
  • What about authentication integration?
  • How to update it?
  • They KILL your time

Image Sprawl, your update nightmare
  • Image sprawl
      • Copy VM, Deploy VM, Modify VM, Copy VM
  • How do you patch 1 VM?
  • Did you patch before or after that one was copied?
  • How do you patch 100 VMs?
  • What about machines that are offline?

Image Sprawl, your update nightmare
  "The biggest challenges we have in virtualization are operational and organizational rather than technical."
  Christofer Hoff

Image Sprawl, your update nightmare
  • Automate deployment
  • Implement Configuration Management
  • Map security management to Config Mgmt
  • Prepare to survive the 10th floor test!

Hypervisor Security

Deus Ex Machina
  • Remember the E10K fiasco?
      • No you won't be able to get from one VM to another VM?
      • You bet they will!
  • Buffer overflow in management soft?

Ballooning
  • Critical feature from a proprietary vendor
  • Not available in off the shelf Xen/OracleVM
  Go away or I will replace you with a small shellscript

Blue Pill vs Red Pill
  • Blue Pill by Invisible Labs
  • Placing a hypervisor under an OS
  • Hoping no one realizes it
  • Existing source for POC
  • Ignorance vs Truth

Blue Pill, a real threat?
  • POC vs Real Life
      • Become root first
      • Then exploit the VM vulnerability?

Managing Virtual Machines
  • Early management frameworks
  • Any client can connect ...
  • An example ..

What is openQRM
  • Open-source project at sourceforge.net (GPL)
  • Data-center management platform
  • Not just your virtual platforms
  • Provides a generic virtualization layer
  • Deploy on demand
  • Support for physical, Xen, VMWare, Vserver, KVM
  • OpenQRM 4 is a full rewrite
  • Cloud deployment

OpenQRM & Security
  • Authentication based on IP
  • No encryption
  • No handshake
  • Anyone who can spoof the openQRM server IP can reboot / redeploy your infrastructure
  • Being fixed

Open Source
  • Not marketing driven
  • Written because there is a need
  • To scratch an itch
  • Peer review
  • Typically more secure than proprietary
  • Leading innovation in Virtualization

Open Source & VirtSec
  • No known projects
  • No need for specialized projects / tools
  • The VirtSec vendors claim
      • First proprietary -> then Open Source
      • Open Source doesn't innovate
  • The Open Source experts claim
      • Better architectures
      • No need for bloated hyped tools

Is VirtSec a market?
  "It's an instantiation of technology, practice and operational adjustment brought forth as a derivative of a disruptive technology and prevailing market conditions. Does that mean it's a feature as opposed to a market? No. In my opinion, it's an evolution of an existing market, rife with existing solutions and punctuated by emerging ones. The next stop is how "security" will evolve from VirtSec to CloudSec..."
  Christofer Hoff

Isn't CloudSec just a way for the security people to jump on the Cloud hype?

The Cloud?
  Cloud computing refers to the use of Internet ("cloud") based computer technology for a variety of services. It is a style of computing in which dynamically scalable and often virtualised resources are provided as a service over the Internet. The concept incorporates software as a service (SaaS), Web 2.0 and other recent, well-known technology trends, in which the common theme is reliance on the Internet for satisfying the computing needs of the users.

SAAS <(>) Cloud

SaaSSec
  • One vendor
  • Full control over
      • His application
      • His application stack
  • Supposed to manage his platform in a secure fashion
  • But do you TRUST him?

CloudSec
  • Deploying in an untrusted domain
      • This is not your average DMZ
      • You don't even own the Vhost
  • Cloud datacenters attract attackers
      • Identical hypervisors => only 1 exploit needed
      • Cloud hijacking
  • Pre and post deployment
      • What was there and what stays behind?

CloudSec
  • Increase security as never before
  • Encrypt all inter-Vhost traffic
  • Firewall as never before
  • Don't store critical data in the cloud
      • Use it for analytics
      • Workload offload
      • Volatile data
  • Build your own Private Cloud

Conclusion
  • Risks change
  • Scale changes
  • Automation matters
  • Complexity is the enemy of reliability
  • Watch out for FUD
      • Especially in the closed world

Security still isn't a product you can buy
It's not even a process
It's a lifestyle

Kris Buytaert <[email_address]>
Further Reading
  • http://www.krisbuytaert.be/blog/
  • http://www.inuits.be/
  • http://www.virtualization.com/
  • http://www.oreillygmt.com/
? !
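
The "OpenQRM & Security" slide describes management commands accepted on source IP alone, with no handshake. The following is an added example, not code from the talk or from openQRM and not the fix the project applied: it contrasts that check with an agent that requires a keyed MAC, a timestamp and a one-time nonce on every command. The pre-shared key, the message fields, `MAX_SKEW` and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

# Added illustration: names and policy values are assumptions, not openQRM code.
MAX_SKEW = 30  # seconds a signed command stays acceptable


def ip_only_accepts(src_ip, server_ip):
    """The weak scheme from the slide: the source address is the only credential."""
    return src_ip == server_ip


def sign_command(key, action, target, now=None):
    """Server side: bind action, target, timestamp and a fresh nonce under an HMAC."""
    msg = {"action": action, "target": target,
           "ts": int(time.time() if now is None else now),
           "nonce": secrets.token_hex(16)}
    body = json.dumps(msg, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


class CommandVerifier:
    """Agent side: accept a command only if it is authentic, fresh and unseen."""
    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> command timestamp, pruned once it is stale

    def verify(self, packet, now=None):
        now = time.time() if now is None else now
        expected = hmac.new(self.key, packet["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, packet.get("mac", "")):
            return False, "bad mac"       # sender does not hold the key
        msg = json.loads(packet["body"])
        if abs(now - msg["ts"]) > MAX_SKEW:
            return False, "stale"         # captured command outside the window
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if msg["nonce"] in self.seen:
            return False, "replay"        # captured command inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key for the demo
    agent = CommandVerifier(key)
    pkt = sign_command(key, "reboot", "node7")
    print(agent.verify(pkt), agent.verify(pkt))
```

This covers the authentication and handshake bullets only; the "No encryption" bullet still calls for an encrypted transport such as TLS between server and agents.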