• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Virtually Secure: Uncovering the risks of virtualization
 

Virtually Secure: Uncovering the risks of virtualization

on

  • 2,544 views

Virtually Secure: Uncovering the risks of virtualization ...

Virtually Secure: Uncovering the risks of virtualization

Organizations have been quickly leveraging the benefits of virtualized platforms in their datacenters, often unknowingly increasing the exposure of their most prized assets.
Michael will highlight the key concerns around virtualization technologies including the answers to questions such as are virtualized servers PCI compliant and what minimum controls must exist to protect the hypervisor? He will walk the audience through the latest technical threats and shed light on the solutions and controls available to secure your virtual environments.

Statistics

Views

Total Views
2,544
Views on SlideShare
2,537
Embed Views
7

Actions

Likes
4
Downloads
17
Comments
0

2 Embeds 7

http://www.slideshare.net 5
http://www.linkedin.com 2

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Virtually Secure: Uncovering the risks of virtualization Virtually Secure: Uncovering the risks of virtualization Presentation Transcript

    • Virtually Secure Uncovering the risks of virtualization
    • Virtual Insecurity Unknown Denial of Service on core servers IT can not identify root cause Copyright 2007 – Seccuris Inc.
    • Virtual Insecurity Financial System controls subverted in unknown fashion Audit systems and forensic process unable to assist Copyright 2007 – Seccuris Inc.
    • Virtual Insecurity Employees bypassing technical controls & policies Policies & processes fail to identify & respond Copyright 2007 – Seccuris Inc.
    • Virtual Insecurity 60% of production virtual machines will be less secure than their physical counterparts… …through 2009. Copyright 2007 – Seccuris Inc.
    • WELCOME TO THE REST OF YOUR LIFE What do we need to understand regarding design, management and control to implement virtualization successfully in our critical environments? Copyright 2007 – Seccuris Inc.
    • What is virtualization? (Overview) Concept not new: Done since the 1960’s Physical Hardware = Host Machine Operating System / Virtual Appliance = Guest VMs = Virtual Machine(s) Hypervisor (VMM) = Virtual Machine Monitor Virtual Infrastructure = Composite of VMM & Mgmt tools Copyright 2007 – Seccuris Inc.
    • Hybrid VMM Type-2 VMM Guest Guest 1 2 Guest Guest VMM 1 2 Host OS Host OS VMM Hardware Hardware Examples: Windows Server Virtualization Xen VMWare ESX Copyright 2007 – Seccuris Inc. http://port25.technet.com/archive/2007/08/13/Interoperab-on-the-metal-and-on-the-wire.aspx
    • Virtualization Implementations Full Virtualization • Binary Translation – Privileged Instructions Rewritten • Hypervisor in “Ring 0”, Guest in “Ring -1” Copyright 2007 – Seccuris Inc.
    • Virtualization Implementations Full Virtualization • Hardware Supported Virtualization (Accelerated Virtualization, Hardware Virtual Machine, Native Virtualization) • Hardware Hypervisor in “Privileged Level”, Guest in Ring 0 Copyright 2007 – Seccuris Inc.
    • Virtualization Implementations Paravirtualization • System Call Proxy & Exception Trapping • Hypervisor in Ring 0, Guest in Ring 3 Copyright 2007 – Seccuris Inc.
    • On-going development of Virtualization Generational Development of Virtualization 1. Development & Test 2. Consolidation 3. Virtualized Data Center Increased complexity, controls & management processes Copyright 2007 – Seccuris Inc.
    • Players in the Virtualization Market The image cannot be display ed. Your computer may not hav e enough memory to open the image, or the image may hav e been corrupted. Restart y our computer, and then open the file again. If the red x still appears, y ou may hav e to delete the image and then insert it again. The image cannot be display ed. Your computer may not hav e enough memory to open the image, or the image may hav e been corrupted. Restart y our computer, and then open the file again. If the red x still appears, y ou may hav e to delete the image and then insert it again. Copyright 2007 – Seccuris Inc.
    • Players in the Virtualization Market Copyright 2007 – Seccuris Inc.
    • VMWare – How does it work? Binary Translation (System Call Proxy) Like an emulator, VMware software provides a completely virtualized set of hardware to the guest operating system. VMware software virtualizes the hardware for a video adapter, a network adapter, and hard disk adapters. The host provides pass-through drivers for guest USB, serial, and parallel devices. Copyright 2007 – Seccuris Inc.
    • VMWare – How does it work? The host provides pass-through drivers for guest USB, serial, and parallel devices. Video, Cache and other hardware includes pass-through as well… Copyright 2007 – Seccuris Inc.
    • VMWare Products: What is the difference? Desktop Virtualization On Host OS • VMWare Workstation Hybrid VMM • VMWare Fusion • VMWare Player Server Virtualization On Bare Metal • VMWare ESX Server Type-1 VMM • VMWare Server - Freeware Management & Automation Above it all • VMWare Virtual Center Management Software Copyright 2007 – Seccuris Inc.
    • Technical Concepts – VMWare Implementation Datacenter Components • Computing Servers (Bare metal) • Management Server – Single Control point (Win 2k3) • Desktop clients Copyright 2007 – Seccuris Inc.
    • Technical Concepts – VMWare Implementation Datacenter Architecture • Hosts, Clusters & Resource Pools • DRS and HA • Dynamically Allocate System Resources • High Availability • VMotion • Move guest between physical systems Copyright 2007 – Seccuris Inc.
    • Technical Concepts – VMWare Implementation Copyright 2007 – Seccuris Inc.
    • Technical Concepts – VMWare Implementation Physical Security has become MORE important Copyright 2007 – Seccuris Inc.
    • Technical Concepts – VMWare Implementation Datacenter Architecture • Networking Architecture • vSwitch and Port groups • VLANS • Traffic Shaping • NIC Teaming Copyright 2007 – Seccuris Inc.
    • Technical Concepts – VMWare Implementation Copyright 2007 – Seccuris Inc.
    • Technical Concepts – VMWare Implementation Network security includes new layers of complexity Copyright 2007 – Seccuris Inc.
    • Technical Concepts Storage Architecture • Datastore • Underlying technologies • FiberChannel • iSCSI • SAN • Direct Attached Storage, NAS • Raw Device Mapping Copyright 2007 – Seccuris Inc.
    • Technical Concepts – VMWare Implementation Copyright 2007 – Seccuris Inc.
    • Technical Concepts – VMWare Implementation Data inventory & Information Classification becomes a prime time issue Copyright 2007 – Seccuris Inc.
    • Threats & Risks in Virtualization • Technical Concerns • Applied threats Copyright 2007 – Seccuris Inc.
    • Threats & Risks – Technical Concerns Technical Concerns •Denial of Service • Load issues (Time / Period) • Bottle Necks (Physical) • Bottle Necks (Logical) How well do you know your application processing time cycles? Copyright 2007 – Seccuris Inc.
    • Threats & Risks – Technical Concerns Technical Concerns •Communication Between VMs or Between VMs and Host • Shared Directories • Open Services (FTP, DHCP) • Misconfigured network cards How well built are your legacy and custom applications? Copyright 2007 – Seccuris Inc.
    • Threats & Risks – Technical Concerns Technical Concerns • VM Escape • VM Monitoring from the Host • VM Monitoring from Another VM • VM Monitoring from network based host (Network / Storage) “VM Escapes have happened” Copyright 2007 – Seccuris Inc.
    • Threats & Risks – Technical Concerns Technical Concerns • External Modification of a VM • External Modification of the Hypervisor • Sun Bing’s Example How much trust do you put in your administrators? Copyright 2007 – Seccuris Inc.
    • Threats & Risks in Virtualization • Technical Concerns • Applied threats Copyright 2007 – Seccuris Inc.
    • Threats & Risks – Applied Threats VMBR – Virtual Machine Based Root Kits APP 1 APP 2 SubVirt: Implementing malware with virtual machines BluePill: VM “Rootkit” Before Attack Copyright 2007 – Seccuris Inc.
    • Threats & Risks – Applied Threats VMBR – Virtual Machine Based Root Kits APP 1 APP 2 SubVirt: Implementing malware Evil Host OS with virtual machines App Evil OS Evil VMM BluePill: VM “Rootkit” Hardware Fundamental changes to forensic system investigation must After Attack occur! Copyright 2007 – Seccuris Inc.
    • Threats & Risks – Applied Threats VMWare DHCP Server Remote Code Execution Vulnerabilities CVE-2007-0061, CVE-2007-0062, CVE-2007-0063 (http://www.iss.net/threats/275.html) IMPACTS VMM and VMs! Copyright 2007 – Seccuris Inc.
    • Threats & Risks – Applied Threats Hardware Visibility (http://seclists.org/isn/2008/Mar/0055.html) • Hardware segmentation DOES NOT EXIST • Race conditions, covert channels, unknown overflow issues are possible! Copyright 2007 – Seccuris Inc.
    • Security Controls for Virtualization • Controls for Today • Software & Appliances • Controls in the future Copyright 2007 – Seccuris Inc.
    • Security Controls for Virtualization Controls for Today (CIS Best Practices) Configuration: • Limit Physical Access to Host • Harden Base Operating System • Configuration Maximums • Firewalling Virtual Machine Layer Service Ports • Use Encryption For Communication • Virtualization Server Authentication Copyright 2007 – Seccuris Inc.
    • Security Controls for Virtualization Controls for Today Configuration: • Disabling Features (Including Screensavers and Suspend) • File Sharing Between Host and Guests • Time Synchronization • Disconnect Unused Devices Copyright 2007 – Seccuris Inc.
    • Security Controls for Virtualization Controls for Today Architecture Requirements • Remote Management • Patching and Vulnerabilities • Logging & Auditing Copyright 2007 – Seccuris Inc.
    • Security Controls for Virtualization Controls for Today Architecture & Configuration Host and Network Defences • File Integrity Checking • Strong Passwords • Disk Partitioning • Backups Copyright 2007 – Seccuris Inc.
    • Security Controls for Virtualization Software & Appliances • Host Based IDS/IPS • Host Based Anti-Virus • Host Change Control • Host Logging Copyright 2007 – Seccuris Inc.
    • Security Controls for Virtualization Security Controls in the Future • VMSafe – Hypervisor Visibility & Control • VMWare (aware) security software • Virtualizaiton (aware) security hardware Copyright 2007 – Seccuris Inc.
    • Security Controls for Virtualization Is virtualization PCI compliant? “We are currently trying to become PCI compliant, but our auditor company is saying that “in no shape or form is virtualization PCI compliant”. I disagree, but I am not an auditor.” Greg Ryan Copyright 2007 – Seccuris Inc.
    • Obstacles to Success The top obstacles to virtualization success include: • Weak assignment of activities between virtual machine administrators and security staff. • Inadequate control over patching and tamper protection of offline virtual machines other images. Copyright 2007 – Seccuris Inc.
    • Obstacles to Success The top obstacles to virtualization success include: • Limited visibility to the host operating system and virtual network to control vulnerabilities. • Inhibited visibility to inter-virtual machine traffic for intrusion prevention systems (IPSs). • Deficient solution for mobile virtual machines that need security policy and settings to migrate with them. Copyright 2007 – Seccuris Inc.
    • Business Environment improvements Policy & Procedure - What to look for? • Can the organization ensure that: • each virtual machine is appropriately configured and tested? • can support virtual machines within its computing environment? Copyright 2007 – Seccuris Inc.
    • Business Environment improvements Policy & Procedure - What to look for? • Does the organization have a plan for assessing, monitoring and reporting on the state of its physical and virtual systems? • How will deployment and compliance of new virtual machines be tracked? Copyright 2007 – Seccuris Inc.
    • Technical Environment improvements • Technology Selection • Technical Architecture & Zoning • Configuration & Tuning • Change Control & Audit Copyright 2007 – Seccuris Inc.
    • Technical Environment improvements Resources • Center for Internet Security • http://www.cisecurity.org/ • VMware Security Center • http://www.vmware.com/security/ Copyright 2007 – Seccuris Inc.
    • General Thoughts around Virtualization The fallacy* of cost reduction Copyright 2007 – Seccuris Inc.
    • General Thoughts around Virtualization The fallacy of cost reduction • Increased complexity • Increase in exposure to: • Technical misconfiguration • Central points of access / collusion for staff Copyright 2007 – Seccuris Inc.
    • Moving forward with Virtualization Understand how virtualization will change your security program, architecture and controls Make plans today for securing the virtualization roadmap in your environment Prepare for the inevitable impacts with design review, control improvements & incident handling Copyright 2007 – Seccuris Inc.
    • How Seccuris assists your solution Security Architecture & Design for Virtual Environments Virtualization Environment Risk Assessment Managed Security Services for Virtual Environments Copyright 2007 – Seccuris Inc.
    • Thanks Michael Legary, SCP, CISSP, CISM, CISA, CCSA, GCIH, CPP Founder & Chief Innovation Officer Seccuris Inc. This presentation contains reference material and direct content from Email: Michael.Legary@seccuris.com multiple copyright holders. Direct: 204-255-4490 Main: 204-255-4136 References available on request / Fax: 204-942-6705 within presentation slide notes. Resources Center for Internet Security http://www.cisecurity.org/ VMware Security Center http://www.vmware.com/sec urity/ Copyright 2007 – Seccuris Inc.