
    • Virtualization (& paravirtualization), [x86] Background, Risks, Controls, Audit Steps
        • Monday April 23, 2007 Track 3 Session 133
        • Michael Hoesing CISA, CISSP, CCP, CIA, CPA, CMA
        • [email_address] (402) 981-7747
        • Disclaimer: I never said THAT, if you heard THAT, it wasn’t from me. None of the content of this presentation can be attributed to any of my employers, family members, acquaintances, conference sponsors, quail hunting partners, U-tube co-stars past present or future.
    • Contents
      • Drivers – why virtualize (including virtualization enhancing security)
      • Practical Applications and History
      • Tools – VMWare, XEN, MS, VirtualIron (workstation & server) & Recent News
      • Definitions, Architecture, Components
      • General Virtualization Risks
      • VMWare ESX 2.X (how-to, security, defaults)
      • VMWare ESX 3 What’s New, Security
      • VMWare ESX 3 Vulnerabilities, Logical Access, Security Settings
      • Assessment Tools, Resources, Questions
      • Day 2 = Installation & Configuration, Risk, Controls & Audit (Xen)
      • Day 3 = SuSE 10.1 pro Xen “built-in”, Fedora 6 scripts
    • Drivers (why are we talking about this)
      • Reduced TCO
        • 1 (or more) CPU can support many servers
        • 1 Storage Device & KVM can support many servers (generally no memory savings)
        • less footprint (rent, utilities,..)
      • Security Facilitation
        • Cheaper redundancy increasing continuity options
        • Segregate Development from Testing
        • Run different O/S based assessment tools simultaneously
      • Operations
        • Support various O/S’s and configurations
        • Legacy application migration
    • Practical Applications
      • Testing – run a version in a sandbox before deployment
      • Testing – have multiple OS's and browsers and see how the website looks in different environments
      • Academic – build a network the students can take home on a disk, assess an OS
      • any other cost saving opportunity
    • History
      • one person, one machine, life was good
      • one person, 2 machines (expensive)
      • one person, one machine, dual boot (more choice, but only one choice at a time)
      • (para)virtualization - many choices all available concurrently
    • Workstation Versions
      • Virtual PC $0
        • Virtualization
        • Host, Guests
        • Host kernel unmodified (sw layer)
        • Each guest unmodified
        • MS and OS/2, Linux add-on
        • Files
      • VMWare $189 (workstation) (or VMWare Server free)
        • Virtualization
        • Host, Guests
        • Host kernel unmodified (sw layer)
        • Each guest unmodified
        • MS and LINUX, hosts and guests
        • Files
      • XEN $0 3.0.4
        • Paravirtualization
        • Domain0, DomainUs
        • Kernel xen0 modified
        • Kernel xenU unprivileged
        • MS * (requires VT or AMD-V)
        • Files, LVM or Partitions
    • Enterprise Versions
      • VirtualIron 3.5 $499/socket +50 support
        • Paravirtualization
        • 8 sockets and 32 CPUs max
        • VT or AMD-V 64 bit CPU required for host node
        • IDE mgmt, SATA, NAS, SAN for host & guests
        • 96 gig maximum
        • 32bit and 64bit guest servers supported
        • Hot Move Guests, P2V
      • VMWare $1,000 $3,750 $5,750 (VI = ESX 3.0 VC 2.0)
        • Host special 2.4 kernel, Guest unmodified kernel
        • Dual processor min, dual core support, 16 physical max
        • 64 bit processor supported
        • IDE or SATA for VC, NAS or SAN for guests
        • 16 gig/guest, 64 gig maximum
        • 8 guests optimal, 128 max
        • Hot Move Guests & P2V
      • XenEnterprise 3.0.2 ($750 + 150 or $488)
        • Paravirtualization
        • Multi, dual core & VT in 3.0.2, no max CPUs
        • 64bit processor supported (since 3.0.0, supports VT)
        • IDE minimum, lvm, NAS, SAN
        • no max (PAE and SMP)
        • up to 32 domU's, 32 bit only
        • Hot Move Guests, P2V
    • Recent News
      • Mar 06 – Intel VT , AMD-V (ring –1)
      • May 06 – MS Virtual PC & Server free
      • July 06 – VMWare Server 1.0.2 build 39867 – FREE, old GSX, can be totally free if host is Linux
      • July 06 – VMWare VirtualCenter 2.0.1, ESX 3.0.1 $$
      • Sept 06 – Xen Enterprise, mgmt console $750
      • Oct 06 – Xen 3.0.3 unmodified ("hvm") guests
      • Oct 06 – Fedora Core 6 , Xen 3.0.2 , virt-manager
      • Nov 06 – Virtual Desktop (VMWare VDI)
      • Feb 07 – Lab Manager (VMWare)
      • Mar 07 – Blue Lane Virtual Shield vuls & patches
      • Apr 07 – Gartner warning, RHEL ES 5 Xen built in
    • Definitions
      • Paravirtualization
        • Faster?
        • Altered kernel fulfilling requests rather than an app sitting on top of the kernel
        • User space applications need no modification
        • http://www.cl.cam.ac.uk/Research/SRG/netos/papers/2003-xensosp.pdf
      • Virtualization
        • Safer?
        • A software component sits between the guest OS and the host OS interpreting resource requests
      • HVM
        • Bare metal, fastest?, O/S not altered
    • Xen 2.0 Architecture
      • [Diagram. Source: Ian Pratt of Cambridge & XenSource. Labels: Hardware (SMP, MMU, physical memory, Ethernet, SCSI/IDE); Xen Virtual Machine Monitor (Control IF, Safe HW IF, Event Channel, Virtual CPU, Virtual MMU); VM0: Device Manager & Control s/w, GuestOS (XenLinux), Native Device Driver, Back-End; VM1: Unmodified User Software, GuestOS (XenLinux), Native Device Driver, Back-End; VM2: Unmodified User Software, GuestOS (XenLinux), Front-End Device Drivers; VM3: Unmodified User Software, GuestOS (XenBSD), Front-End Device Drivers]
    • Components
      • VMWare (VI runs on MS, ESX is its own “OS”)
      • XenEnterprise (mgmt console runs on MS, XE hosts its own OS)
      • Virtual Iron (mgmt console runs on MS and/or Linux, VI node has its own OS)
      • XEN (runs on Linux & netBSD only) [all can be free]
        • xen-x.x.x (paravirtualization tool, xend vmm)
        • twisted-x.x.x (networking framework [whatever that means])
        • linux-2.6.x.x (the kernel I virtualized)
        • bridge-utils (layer 2 protocol free bridging)
        • sysfs-utils (file system virtualization)
        • Zope-interface, iproute2, libcurl, zlib
    • Virtualization Risks - General
      • Availability – Host (Dom0) single point of failure
      • Confidentiality – Memory Sharing http://www.cs.nps.navy.mil/people/faculty/irvine/publications/2000/VMM-usenix00-0611.pdf
      • Integrity – Complexity:
        • Connectivity
        • Hardware provisioning
        • Application Compatibility
      • Access Control, correct assignment of user rights
      • Talent gap, Linux, VMWare, Networking, Storage
    • VM ESX 2.5
      • VMWare Security White Paper http://www.vmware.com/pdf/esx2_security.pdf
        • No public interfaces
        • Minimal host installation (apache in default install)
        • Guest isolation (using files)
        • AV & Firewall recommended (but not supplied)
        • Su to root
        • Default non-promiscuous NIC
        • Code was audited (scope & methodology not stated)
        • Use VLANs and place management console on separate vlan
        • Recommends disabling logging of VM messages in guest (?!)
        • Host OS is 100% VM ??, only drivers are open source
        • Management Console is from Red Hat 7.2
    • VM ESX 2.5 (cont)
      • VMWare ESX Other
        • Logical Access Control provided at the OS level in addition to MUI users
        • Can overprovision memory, but throttle with weights called “shares”
        • (min host mem 192mg for 8 guests)
        • Watch routing, eth0 DHCP default install
        • /etc/vmware holds the goodies like hwconfig and vm-list
        • VMotion requires a SAN
        • Provide for swap or core dump on a separate partition
        • IBM blade:
          • USB CDROM won’t work on RDM installed guests
          • Bonded NIC failure of both, fix with Net.Zerospeedlinkdown 1
    • VM ESX 2.5 (cont 2)
      • VMWARE ESX More
        • Console OS – host operating system
        • Service Console – administers host & guests, do not run X
          • VMWare Management Interface – HTTP, browser based, controls the host and guests; X.509 certificates, SSL; 90 second refresh window; possible multi-user conflict; DoS possible with:
            • /usr/lib/vmware-mui/apache/conf/access.conf vmware_SESSION_LENGTH 0
          • API – HP Insight, Veritas,
          • SNMP – feed other tools
          • Remote Console – control the guest
          • Check /proc/vmware for allowed methods
        • .vmx the guest configuration file /root/vmware/ , text editor can alter
        • .vmdk the guest image file VM MUI has a file manager
        • Admin manual suggests “flagship” user that is never on vacation
        • Install manual requires at least one non-root user
    • VM ESX 2.5 (cont 3)
      • VMWARE ESX Still More
        • PXE Install – from a stored image, test then lock the image
        • Cannot downgrade from dual processor to single processor
        • LSI Logic SCSI adapter – see 30 pages of howto
        • VMware-console-2.x.x-xxxx.exe check authorized use
        • Reinstall VMware Tools overwrites the power level scripts
        • Move a vm, check the backup software
        • Dual CPU requires VMWare Virtual SMP
        • Backup from Service Console requires guest shutdown
    • VM ESX 2.5 (cont 4)
      • More more
        • No USB on Guest (2 factor impact?)
        • NT can only run on a single processor machine
        • Guest event log , user is not identified
        • /etc/pam.d/vmware-authd
        • /etc/vmware-mui/ssl/mui.crt and mui.key
        • Security Config:
          • Medium – mgmt and remote encrypted, telnet & FTP are not encrypted
          • Low – no connections to host are encrypted
          • Custom -
    • VM ESX 2.5 (cont 5)
      • More again
        • VMFS 2.11 file system, public shared
        • Physical extent aka partition
        • SPAN joins across partitions creating a volume, first “span” formats thus wiping out existing data
        • Logs /var/log/vmkernel and vmkwarning
        • /etc/snmp/snmpd.conf trapcommunity public (rename this)
        • vmkload_mod –l to list loaded modules
        • /etc/vmware/hwconfig and vmkmodule.conf
    • VM ESX 2.5 (cont 6)
      • More stuff
        • LUN masking, only allow guests to see what they need
        • vmkmultipath -q where the data goes
        • Set “security” at HIGH
    • VM ESX 2.5 Default Installation
      • LILO without a password
      • MOTD empty, no login banner
      • gopher, news, mail, finger, ftp, samba 2.2.7, telnet 0.17
      • login as root , su not required
      • 2.4.6 kernel 3/17/05 last update
      • cracklib present, but no pword strength enforcement
      • /proc/sys/net/ipv4/conf/all/accept_redirects 1
      • ports 902 8222 8333
    • ESX 3 - New Features from 2.5
      • Pricing – lower entry level, higher enterprise version
      • VirtualCenter 2.0.1, create, move,
      • License Server – centrally manage, & redeploy licenses
      • HA (high availability)
      • DRS (distributed resource scheduler)
      • VMWare Healthcheck $9,000 (security not mentioned)
    • ESX 3 - Security
          • the kernel is 2.4, does your policy require anything more current?
          • the distribution is based on RHEL 3, is this an approved distro?
          • the MOTD file is empty, is this where we want to place a warning banner?
          • the default build sets the time at PDT and NTP is not enabled by default
          • LILO is gone, grub is the boot loader, but there is still no boot loader password
          • the default install allocates 272 meg of memory to the host (add more with a grub edit)
          • CIM (Common Information Model) and WBEM (Web Based Enterprise Management) are running on ports 5988, 5989
    • ESX 3 – Security (cont)
          • ports 2050, 8042, 27000, 27010, ? seem to be allowed in via the iptables rules? VMotion clear, P2V clear?
          • /proc/sys/net/ipv4/source_redirects is set at "1", should this be enabled?
          • the first iptables rule is "ACCEPT all -- anywhere anywhere", how do we get past this to the other rule chains?
          • /etc/login.defs has the password life set at 90 days
          • ftp-0.17-17 is installed (but not listening), is it needed?
          • openssl-0.9.7a-33.17, is this an approved version?
          • openssh-3.6.1p2, is this an approved version?
          • umask is 022, is this in line with your standard?
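
The default-install findings on the ESX 2.5 and ESX 3 slides (empty MOTD, no boot loader password, accept_redirects at 1, password life in login.defs, trapcommunity public) can be checked mechanically. The script below is an added example, not part of the original deck or of any VMware tooling; the grub.conf locations, the fixture contents and the MAX_DAYS policy argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the deck. audit_host ROOT [MAX_DAYS] prints one
# FINDING line per issue; ROOT is / on a live host or a copied tree.
# Assumed: the grub.conf locations and MAX_DAYS as the local password policy.
audit_host() {
    root=${1%/}; max_days=${2:-90}
    # Empty or missing MOTD means no login warning banner.
    [ -s "$root/etc/motd" ] || echo "FINDING motd: empty, no login banner"
    # LILO (ESX 2.5) or grub (ESX 3) without a password directive.
    for f in etc/lilo.conf etc/grub.conf boot/grub/grub.conf; do
        [ -f "$root/$f" ] || continue
        grep -Eq '^[[:space:]]*password' "$root/$f" ||
            echo "FINDING bootloader: no password in /$f"
    done
    # ICMP redirects accepted by the service console.
    f=$root/proc/sys/net/ipv4/conf/all/accept_redirects
    if [ -f "$f" ] && [ "$(cat "$f")" = 1 ]; then
        echo "FINDING sysctl: accept_redirects is 1"
    fi
    # Password lifetime in login.defs compared with the policy value.
    days=$(awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }' \
        "$root/etc/login.defs" 2>/dev/null) || days=
    case $days in
        '' | *[!0-9]*) echo "FINDING login.defs: PASS_MAX_DAYS not set" ;;
        *) [ "$days" -le "$max_days" ] ||
            echo "FINDING login.defs: PASS_MAX_DAYS $days exceeds $max_days" ;;
    esac
    # SNMP trap community left at the well-known default.
    if grep -Eq '^[[:space:]]*trapcommunity[[:space:]]+public[[:space:]]*$' \
        "$root/etc/snmp/snmpd.conf" 2>/dev/null; then
        echo "FINDING snmp: trapcommunity is public"
    fi
    return 0
}

# Constructed fixture reproducing the defaults the slides report.
make_fixture() {
    mkdir -p "$1/etc/snmp" "$1/boot/grub" "$1/proc/sys/net/ipv4/conf/all"
    : > "$1/etc/motd"
    printf 'default=0\ntimeout=10\ntitle ESX\n' > "$1/boot/grub/grub.conf"
    echo 1 > "$1/proc/sys/net/ipv4/conf/all/accept_redirects"
    printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t0\n' > "$1/etc/login.defs"
    printf 'trapcommunity public\n' > "$1/etc/snmp/snmpd.conf"
}

demo=$(mktemp -d)
make_fixture "$demo"
audit_host "$demo" 60   # a stricter policy than the 90-day default
rm -rf "$demo"
```
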
    • ESX 3 – Security (cont)
        • ESX 3 Security Hardening Whitepaper 2007 http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf
          • “...attacking an individual virtual machine will result in the compromise of only the virtual machine...” (1 hack OK?) (page 4 clarifies)
          • Watch patching of dormant (turned off) virtual guests
          • Rotate logs to prevent DoS
          • Separate VLANs for management traffic
          • Configure the firewall (iptables provided)
          • Use Directory Services (NIS) for admin authentication
          • Protect Root
          • SNMP is read only
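
The "ACCEPT all -- anywhere anywhere" line questioned on the previous slide is what plain `iptables -L` prints for any accept rule with no address match, including one limited to a single interface, because the in/out interface columns appear only with `-v`. The script below is an added example, not from the deck: it reads an `iptables -L -n -v` listing and reports only the rules that accept everything on every interface; the sample listing is constructed and is not ESX output.

```shell
#!/bin/sh
# Added example, not from the deck. catch_all_rules reads `iptables -L -n -v`
# text on stdin and prints CHAIN:POSITION for each unconditional accept:
# target ACCEPT, protocol all, any in/out interface, any source and
# destination, and no extra match (state, port, ...) after the addresses.
catch_all_rules() {
    awk '
        $1 == "Chain" { chain = $2; pos = 0; next }
        $1 == "pkts" || NF == 0 { next }
        {
            pos++
            if ($3 == "ACCEPT" && $4 == "all" && $6 == "*" && $7 == "*" &&
                $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && NF == 9)
                print chain ":" pos
        }'
}

# Constructed listing: rule 1 is loopback only, rule 2 is stateful, rule 3 is
# a single port, rule 4 is the real catch-all an auditor should question.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  412 35020 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1893  210K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   17  1020 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:902
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

sample_listing | catch_all_rules
```

On a live host the input would come from `iptables -L -n -v` run as root; rules 1 and 4 of the sample look identical in the plain `-L` view.
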
    • ESX Vulnerabilities
      • CVE-2006-2481
        • Summary: VMware ESX Server 2.0.x before 2.0.2 and 2.x before 2.5.2 patch 4 stores authentication credentials in base 64 encoded format in the vmware.mui.kid and vmware.mui.sid cookies, which allows attackers to gain privileges by obtaining the cookies using attacks such as cross-site scripting (CVE-2005-3619).
        • Published: 7/31/2006
        • CVSS Severity: 2.3 (Low)
      • CVE-2005-3620 VU#822476
        • Summary: The management interface for VMware ESX Server 2.0.x before 2.0.2 patch 1, 2.1.x before 2.1.3 patch 1, and 2.x before 2.5.3 patch 2 records passwords in cleartext in URLs that are stored in world-readable web server log files, which allows local users to gain privileges.
        • Published: 12/31/2005
        • CVSS Severity: 1.6 (Low)
      • CVE-2005-3619
        • Summary: Cross-site scripting (XSS) vulnerability in the management interface for VMware ESX 2.5.x before 2.5.2 upgrade patch 2, 2.1.x before 2.1.2 upgrade patch 6, and 2.0.x before 2.0.1 upgrade patch 6 allows remote attackers to inject arbitrary web script or HTML via messages that are not sanitized when viewing syslog log files.
        • Published: 12/31/2005
        • CVSS Severity: 10.0 (High)
    • ESX Vulnerabilities (cont)
      • CVE-2005-3618
        • Summary: Cross-site request forgery (CSRF) vulnerability in the management interface for VMware ESX Server 2.0.x before 2.0.2 patch 1, 2.1.x before 2.1.3 patch 1, and 2.x before 2.5.3 patch 2 allows remote attackers to perform unauthorized actions as the administrator via URLs, as demonstrated using the setUsr operation to change a password. NOTE: this issue can be leveraged with CVE-2005-3619 to automatically perform the attacks.
        • Published: 12/31/2005
        • CVSS Severity: 8.0 (High)
      • Per VMWare
        • SSL keys, change the default ownership to root (assuming root is protected)
        • 2003-0386 IP restrict and enable & verify reverse mapping off, not applicable to ESX
        • 2003-0693 SSH 3.6 buffer overflow, not applicable to ESX
        • 2003-0987 Apache mod_digest replay, not applicable to ESX
        • 2005-2798 SSH GSSAPIDelegateCredentials, not applicable to ESX
        • 2006-2444 snmp trap, not applicable to ESX
        • 2006-3747 cross site scripting w http trace, use separate vlans
    • ESX 3 – Logical Access
      • Protect root on the host (and Administrator on the Virtual Center server)
      • Users
      • Roles
      • No History
    • ESX 3 – Security Setting
    • ESX 3 Assessment Tools
      • Ecora Auditor Pro 4.1 tool http://www.ecora.com/ecora/pr/06-11-2006-b.asp
      • “regular” Linux assessment of ESX Host
        • Nessus
        • CIS/Bastille --assess
        • LSAT
        • MTH script http://www.certconf.org/presentations/2006/
    • OTHER - Resources
      • trust a seminar speaker, but verify
      • The Source http://www.vmware.com
        • Technology network http://www.vmware.com/community/index.jspa
        • Security topics http://www.vmware.com/vmtn/technology/security/
        • Security Response http://www.vmware.com/support/policies/security_response.html
      • Book by Al Muller http://www.amazon.com/Virtualization-VMware-ESX-Server-Muller/dp/1597490199/ref=pd_bxgy_b_text_b/104-0393259-8012733
      • Arrasjid & Mills http://download3.vmware.com/vmworld/2005/sln138.pdf
      • Virtual Desktops – another multiday topic
      • VM cloning of credentials http://www.thoughtpolice.co.uk/vmware/howto/vmware-security-tips.html
      • Blogs http://www.virtualization.info/2003/09/virtualization-sites-blogs.html
    • OTHER
      • Questions ??
      • How many Texans does it take to………….
      • New fud
      • http://www.networkworld.com/supp/2007/ndc2/031907-ciso-insight-side-virtualization.html
      • http://www.gartner.com/it/page.jsp?id=503192
      • New Non-fud
        • Management tools http://www.nworks.com/vmware/
        • http://members.cox.net/m-d-hoesing/CACS_Virtualization_V2.ppt
      • MTH_Linux_Audit_V8.4.txt
      • chkrootkit.tar.gz
      • FC6_Xen_Installation_11_2006.doc
      • Big 3 –
        • Current Patches
        • High setting on connections
        • Appropriate user rights