Security and Compliance in a Virtualized Environment


As your organization moves to adopt virtual infrastructure you need to ensure that you understand the
security and compliance implications of virtualization technology and the platform you choose. This session
introduces the topics of vSphere’s secure architecture and design, how to accelerate IT compliance and
the validation against standards set by Common Criteria, NIST and other organizations. It will also cover
the recent announcements of VMware’s secure and robust virtualization solutions for virtual data centers
and cloud infrastructures. VMware vShield solutions virtualize security and edge services, including stateful
firewall, VPN, load balancer, DHCP, and NAT, freeing them from the constraints of physical infrastructure and
providing a single, adaptive and programmable auto-wired security infrastructure.

Notes for slides
  • The biggest concern here (which maybe I didn't have on my original slides) is that it is relatively easy to "steal" a VM and hence steal data. Since a VM is just a bunch of files, an entire server can be copied onto a USB drive, or innocuously copied off somewhere during a backup procedure to a place that is not protected.
  • In addition to isolation of the platform, another critical aspect is to build isolation into the architecture of the virtualized datacenter. The most critical part is to isolate the production network traffic from the non-production traffic, which includes management services, IP-based storage, etc. These non-production networks expose interfaces which can be used to control the entire deployment, and hence need to be guarded with multiple layers of protection and strong access controls. By doing so, you greatly minimize any chance of outside attacks succeeding, since these would have to breach the isolation barrier of the VMs first in order to do any damage to the virtualized infrastructure.
  • So it’s clear that virtualized infrastructure requires virtualized security. Implementing security in the virtual environment allows for introspection at the hypervisor layer – something which physical solutions are simply not designed to do. And since security isn’t hard-wired to the physical infrastructure, policies can be created once – with the assurance that they will be enforced regardless of how virtual machines are created, defined, or decommissioned. And transforming all the hardware capabilities into virtualization software allows for security which is cost-effective, simple, and adaptive.
  • Unique introspection capabilities provide comprehensive host and VM protection. Traditional approaches to protecting the operating system and applications have relied exclusively on agents, which are vulnerable themselves, offer protection only within limited layers of the application + OS stack, and create sprawl and management/update issues on a large scale. The vSphere platform has unique introspection abilities and can therefore provide very comprehensive and efficient access for security controls, while obviating the need for security agents in each virtual machine. The introspection capabilities of vSphere are to security what CAT scanners are to medical diagnostics: they can help identify hard-to-detect problems precisely and efficiently, and enable comprehensive security controls such as File Integrity Monitoring (FIM), rootkit and virus protection, discovery of sensitive information, and Data Leak Protection (DLP). The introspection capabilities of vSphere result in much better performance, reduced complexity and more comprehensive host and VM protection. VMware is leveraging these introspection capabilities in the vShield security products and also exposing interfaces to our key security industry partners for integration with broader solutions such as Security Information and Event Management (SIEM) and Data Leak Protection (DLP).
  • Traditional IT security is very complex to provision and deploy. VI admins, network and security teams have overlapping roles, and it takes a lot of manual coordination to properly configure and set up the network, firewall rules and vSphere configurations. Agents also get deployed in every virtual machine for basic AV and anti-malware protection. These teams are also limited in terms of proper role-based views into policy and implementation. The result is slow provisioning, very complex configuration, sprawl in VLANs, rules and agents, significant coordination requirements, and a lack of role-based views into policy and implementation details.
  • vShield drastically reduces the complexity and the number of steps it takes for VI admins to implement clearly defined policies, and along with vCenter this solution enables security, network and VI admin teams to work closely together, where the policies can be clearly defined, implemented, viewed and changed seamlessly. With role-based access to administration and reporting interfaces, administration is clear and simple. VI admins are empowered to implement the security policies. The lead time it takes to provision the right set of security services is greatly reduced, and this can be done through UIs or through scriptable, REST based APIs. vShield technology also helps eliminate the sprawl in VLANs, firewall rules and agents. We’ll talk more about this in a few minutes when we get into the products overview.
  • VMware is introducing the vShield family of products at VMworld 2010. vShield solutions secure the edge of the virtual datacenter, protect virtualized application deployments from network-based threats, and streamline antivirus protection for all VMs by offloading AV processing to dedicated security VMs. vShield Edge protects the perimeter of a virtual data center, and provides services such as DHCP (Dynamic Host Configuration Protocol), NAT (Network Address Translation), firewall, VPN and web load balancing. vShield App protects application deployments from network-based threats. It allows for flexible and elastic groupings of VMs based on business needs such as PCI, HIPAA and DMZ deployments. vShield App extends the basic vShield Zones capability that is included as part of the vSphere Advanced and higher SKUs, by adding flexible VM grouping by user-defined policies and supporting vCenter container-based policies. vShield Endpoint enables efficient, offloaded AV processing. Partners such as Trend Micro, Symantec and McAfee will ship the security virtual machines that integrate with vShield Endpoint for offloaded AV processing. vShield Manager is the centralized deployment, management, reporting, logging, tracking and integration (REST based APIs) component for all vShield products.
  • So what is vShield Edge and how is it LIKE what you’ve already seen in the physical data center? The solution provides a virtual appliance with the following capabilities:
    • DHCP: to automate IP address assignment to virtual machines in the vDC
    • NAT: network address translation to mask private IP addresses in the vDC when they send traffic to untrusted networks
    • Firewall: inbound and outbound connection control based on source/destination IP address and application port
    • Site to site VPN: to encrypt traffic between vDCs to allow for confidentiality between organizations or partner extranets
    • Web load balancer: actually load balancing based on IP address, but in practice, since over 70% of server virtualization is for the web tier, organizations use load balancing for HTTP/S traffic
    And for each vSphere host, the virtual network can be carved up just as a physical network can be carved up using VLANs. This “Network Isolation” keeps traffic within the organization contained within a single port group.
    But while there are similarities with security in the physical world, there are key differences – and benefits – to vShield Edge over the alternatives:
    1. No additional hardware: the virtual appliance with all the aforementioned edge features is provisioned using existing vSphere resources
    2. No complicated VLAN rules: network isolation is enforced at the hypervisor layer, not requiring VLAN-enabled switches
    3. Rapid and scalable provisioning: each ‘tenant’ gets their edge security virtually on demand, rather than through some complicated change management process which would require budget and rack space for new edge security hardware
    4. Centralized management and logging: with traditional security, each point solution would require its own management interface and logging infrastructure. With vShield, all policy management is done from one interface and logs are written in syslog format to a single location. Demonstrating compliance is a breeze.
  • vShield App picks up where vShield Edge leaves off – the interior of the vDC. Since edge security cannot completely lock down all
  • Trend will provide the solution on 9/8
  • Security and Compliance in a Virtualized Environment

    1. Security and Compliance in a Virtualized Environment. Jan Tiri, CISSP, System Engineer. © 2010 VMware Inc. All rights reserved.
    2. Agenda
       • Security of the platform
       • How virtualization affects security
       • How do we approach virtualization security and compliance
       • Why virtualization is a security enabler
       • vShield solutions overview
    3. Security of the Platform
    4. The Basics: Types of Server Virtualization
       • Hosted (Type 2): VMware Workstation, VMware Server, VMware Player, VMware Fusion, running on a host OS (Windows, Linux, Mac); the host OS changes the security profile
       • Bare-Metal (Type 1): VMware ESX/ESXi
    5. The Basics: Isolation in the Platform
       • Virtual machines: are not able to interact with each other (except via network); are not aware of underlying storage, only their own virtual disk(s); are subject to strict resource controls
       • Virtual switches: are complete, VLAN-capable, layer-2 switches; have no mechanism for sharing network traffic (diagram: VLAN A, VLAN B)
    6. Secure Implementation: VMware ESXi
       • Compact footprint (less than 100MB)
       • Fewer patches
       • Smaller attack surface
       • Absence of general-purpose management OS
       • No arbitrary code running on server
       • Not susceptible to common threats
    7. Validated for Use by Government and Defense
       • Common Criteria EAL 4+ Certification: highest internationally recognized level; achieved for ESX 3.0, ESX 3.5 and vSphere
       • DISA STIG for ESX: approval for use in DoD information systems
       • NSA Central Security Service: guidance for both datacenter and desktop scenarios
    8. How Virtualization Affects Security
    9. Faster Deployment of Servers
       • Benefit: IT responsiveness
       • Security concerns: lack of adequate planning; incomplete knowledge of current state of infrastructure
    10. Collapse of Switches and Servers into One Device (hardware running ESX/ESXi)
       • Benefits: flexibility; cost savings
       • Security concerns: lack of intra-server network visibility; no separation-by-default of administration; elevated risk of misconfiguration
    11. Virtual Machine Encapsulation
       • Benefits: improved service levels; ease of business continuity; consistency of deployment; hardware independence
       • Security concerns: easier to steal data; updating of offline systems; identity divorced from physical location
    12. Consolidation of Servers
       • Benefit: capital and operational cost savings
       • Security concern: greater impact of misconfiguration or attack
    13. How Do We Approach Virtualization Security and Compliance? Use the principles of information security:
       • Secure the guests
       • Harden the virtualization layer
       • Access controls
       • Administrative controls
       Neil MacDonald (Gartner), “How To Securely Implement Virtualization”: “Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement”
    14. Secure the Guests: provide the same protection as for physical servers
       • Host: anti-virus; patch management
       • Network: intrusion detection/prevention (IDS/IPS)
       • Edge: firewalls
    15. Harden the Virtualization Layer
       • VMware Security Hardening Guides are being provided for major platform products: vSphere 4.0, VMware Cloud Director, View
       • Important for architecture and deployment related controls
       • Diagram labels: vCenter, IP-based storage (NFS, iSCSI over TCP/IP), other ESX/ESXi hosts, FT, vMotion, vSwitch, 10 GigE pNICs
    16. Access Controls: roles from broad scope to narrow scope
       • Super Admin; Networking Admin, Server Admin, Storage Admin; Operator; VM Owner
    17. Why Virtualization Is a Security Enabler: 1. unique introspection, 2. policy abstraction
       • Cost effective: single virtual appliance with breadth of functionality; single framework for comprehensive protection
       • Simple: no sprawl in rules, VLANs, agents; relevant visibility for VI admins, network and security teams; simplified compliance
       • Adaptive: virtualization and change aware; program once, execute everywhere; rapid remediation
    18. Security Enabler: Unique Introspection. vSphere + vShield introspect detailed VM state and VM-to-VM communications: processor, memory, network, disk, file system, process control blocks.
       • Benefits: comprehensive host and VM protection; reduced configuration errors; quick problem identification; reduced complexity (no security agents per VM required)
    19. Security Enabler: Policy Abstraction. Separate the policy definition from the policy implementation.
       • Before vShield: policy is tied to the physical host and lost during vMotion
       • After vShield: policy seamlessly follows the virtual machine
       • Benefits: create and enforce security policies with live migration, automated VM load balancing and automated VM restart; rapid provisioning of security policies; easier compliance with continuous monitoring and comprehensive logging
    20. VMware Transforms Security from Complex…
       • Network admin, security admin and VI admin have overlapping roles and responsibilities in defining, implementing, monitoring and refining policies and rules; no clear separation of duties; organizational confusion
       • Many steps: configure network, firewall and vSphere
       • Spaghetti of VLANs; sprawl of firewall rules and agents (an agent in every VM)
    21. … to Disruptively Simple
       • Clear separation of roles and responsibilities between network admin, security admin and VI admin: define, monitor, refine, implement
       • Few steps: configure vShield
       • Eliminate VLAN sprawl with vNIC firewalls
       • Eliminate firewall rule and agent sprawl
    22. 2010: Introducing vShield Solutions. Securing the private cloud end to end, from the edge to the endpoint (diagram: Virtual Datacenter 1 and 2 with DMZ, PCI compliant, HIPAA compliant, Web, and Test & Dev zones)
       • Edge: vShield Edge 1.0 secures the edge of the virtual datacenter
       • Security zone: vShield App 1.0 and Zones protect applications from network based threats
       • Endpoint = VM: vShield Endpoint 1.0 enables offloaded anti-virus
    23. VMware vShield: Foundation for Cloud Security
       • vShield Manager, centralized management of security across the vDC: simplify IT compliance with centralized logging and reporting; simplify provisioning with vCenter integration and programmable management; third-party solution integration
       • vShield Edge, secure the edge of the virtual datacenter: reduce cost and complexity by eliminating multiple special purpose appliances; ensure policy enforcement with network isolation; simplify management with vCenter integration; easier scalability with one edge per org/tenant; speed up provisioning of edge security services; simplify IT compliance with detailed logging
       • vShield App and Zones, application protection from network based threats: increase visibility for inter-VM communications and eliminate blind spots; eliminate dedicated hardware and VLANs for different security groups; optimize resource utilization while maintaining strict security; simplified compliance with comprehensive logging of inter-VM activities
       • vShield Endpoint, offload anti-virus processing for endpoints: improve performance by offloading anti-virus (AV) functions; reduce costs by freeing up virtual machine resources; reduce risk by streamlining AV functions to a hardened security virtual machine (SVM); satisfy audit requirements with detailed logging of AV tasks
    24. vShield Edge: Secure the Edge of the Virtual Data Center (diagram: one edge each for Tenant A, Tenant C, Tenant X)
       • Features: multiple edge security services in one appliance; stateful inspection firewall; Network Address Translation (NAT); Dynamic Host Configuration Protocol (DHCP); site to site VPN (IPsec); web load balancer; network isolation (edge port group isolation); detailed network flow statistics for chargebacks, etc.; policy management through UI or REST APIs; logging and auditing based on industry standard syslog format
       • Benefits: lower cost and complexity by eliminating multiple special purpose appliances; ensure policy enforcement with network isolation; simplify management with vCenter integration and programmable interfaces; easier scalability with one edge per org/tenant; rapid provisioning of edge security services; simplify IT compliance with detailed logging
    25. vShield App: Application Protection for Network Based Threats (diagram: DMZ, PCI, HIPAA groups)
       • Features: hypervisor-level firewall; inbound and outbound connection control applied at vNIC level; elastic security groups that “stretch” as virtual machines migrate to new hosts; robust flow monitoring; policy management with simple and business-relevant policies, managed through UI or REST APIs; logging and auditing based on industry standard syslog format
       • Benefits: increase visibility for inter-VM communications; eliminate dedicated hardware and VLANs for different security groups; optimize resource utilization while maintaining strict security; simplified compliance with comprehensive logging of inter-VM activity
    26. vShield Endpoint: Offload Anti-virus Processing for Endpoints (diagram: VMware vSphere introspection between a hardened AV security VM (SVM) and the protected VMs, each shown as APP / OS / Kernel / BIOS)
       • Features: eliminate anti-virus agents in each VM, with anti-virus offloaded to a security VM delivered by AV partners; enforce remediation using a driver in the VM; policy and configuration management through UI or REST APIs; logging and auditing
       • Benefits: improve performance by offloading anti-virus functions in tandem with AV partners; improve VM performance by eliminating anti-virus storms; reduce risk by eliminating agents susceptible to attacks, with enforced remediation; satisfy audit requirements with detailed logging of AV tasks
    27. Where to Learn More
       • Security: hardening best practices; implementation guidelines
       • Compliance: partner solutions; advice and recommendation
       • Operations: peer-contributed content
    28. Questions?
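As an added example that is not part of the deck, here is a small Python model of the policy-abstraction argument from slides 19 and 25: rules keyed to security groups produce the same verdict at the vNIC before and after a vMotion, while a host-bound rule table no longer has anything for the moved VM. The VM and host names, the rule set and the `vshield-app` log prefix are constructed for illustration.

```python
# Added example, not from the deck: toy model of slide 19's policy abstraction. Group-keyed
# rules give the same vNIC verdict after vMotion; a host-bound table has nothing for the moved
# VM. All VM/host names and rules below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class VM:
    name: str
    host: str            # ESX/ESXi host the VM is currently running on
    groups: Set[str]     # security-group membership, e.g. {"DMZ"} or {"PCI"}

@dataclass
class Rule:
    src: str             # security group ("any" allowed); a VM name in the host-bound model
    dst: str
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"

def _hit(selector: str, vm: VM) -> bool:
    return selector == "any" or selector in vm.groups

class GroupFirewall:
    # vNIC-level firewall: group membership, not host placement, decides the verdict
    def __init__(self, rules: List[Rule]):
        self.rules, self.log = rules, []   # log holds syslog-style lines for the audit trail

    def check(self, src: VM, dst: VM, port: int) -> str:
        verdict = "deny"           # default deny when no rule matches
        for r in self.rules:       # first matching rule wins
            if _hit(r.src, src) and _hit(r.dst, dst) and r.port in (None, port):
                verdict = r.action
                break
        self.log.append(f"vshield-app {verdict.upper()} {src.name}@{src.host} -> "
                        f"{dst.name}@{dst.host} dport={port}")
        return verdict

class HostBoundFirewall:
    # "before" model: each physical host keeps its own table of VM-name rules
    def __init__(self, tables: Dict[str, List[Rule]]):
        self.tables = tables

    def check(self, src: VM, dst: VM, port: int) -> str:
        for r in self.tables.get(dst.host, []):   # only the destination host's table is consulted
            if r.src == src.name and r.dst == dst.name and r.port in (None, port):
                return r.action
        return "no-policy"         # the VM's rules did not travel with it

def vmotion(vm: VM, new_host: str) -> None:
    vm.host = new_host             # in the group model there is nothing to re-apply

def demo() -> Dict[str, str]:
    web = VM("web01", "esx01", {"DMZ"})
    db = VM("db01", "esx01", {"PCI"})
    grouped = GroupFirewall([Rule("DMZ", "PCI", 3306, "allow"), Rule("any", "PCI", None, "deny")])
    bound = HostBoundFirewall({"esx01": [Rule("web01", "db01", 3306, "allow")]})
    out = {"group_before": grouped.check(web, db, 3306), "host_before": bound.check(web, db, 3306)}
    vmotion(db, "esx02")           # live-migrate the database VM to another host
    out["group_after"] = grouped.check(web, db, 3306)
    out["host_after"] = bound.check(web, db, 3306)
    out["group_ssh"] = grouped.check(web, db, 22)   # other ports still hit the PCI deny rule
    return out
```

`demo()` returns the verdicts for each stage; the group-keyed model answers `allow` both before and after the move, while the host-bound table answers `no-policy` once db01 has left esx01.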