Security and Compliance in a Virtualized Environment
Jan Tiri (jtiri@vmware.com)
CISSP – System Engineer
As your organization moves to adopt virtual infrastructure you need to ensure that you understand the security and compliance implications of virtualization technology and the platform you choose. This session introduces the topics of vSphere's secure architecture and design, how to accelerate IT compliance and the validation against standards set by Common Criteria, NIST and other organizations.

Published in: Technology
  • The biggest concern here (which maybe I didn’t have on my original slides) is that it is relatively easy to "steal" a VM and hence steal data. Since a VM is just a bunch of files, an entire server can be copied onto a USB drive, or innocuously copied off somewhere during a backup procedure to a place that is not protected.
  • In addition to isolation of the platform, another critical aspect is to build isolation into the architecture of the virtualized datacenter. The most critical part is to isolate the production network traffic from the non-production traffic, which includes management services, IP-based storage, etc. These non-production networks expose interfaces which can be used to control the entire deployment, and hence need to be guarded with multiple layers of protection and strong access controls. By doing so, you greatly minimize any chance of outside attacks succeeding, since these would have to breach the isolation barrier of the VMs first in order to do any damage to the virtualized infrastructure.
  • So it’s clear that virtualized infrastructure requires virtualized security. Implementing security in the virtual environment allows for introspection at the hypervisor layer – something which physical solutions are simply not designed to do. And since security isn’t hard-wired to the physical infrastructure, policies can be created once – with the assurance that they will be enforced regardless of how virtual machines are created, defined, or decommissioned. And transforming all the hardware capabilities into virtualization software allows for security which is cost-effective, simple, and adaptive.
  • TO DO: keep 2 VMs, hypervisor between 2. (From messaging doc:) Unique Introspection Capabilities Provide Comprehensive Host and VM Protection. Traditional approaches to protecting the operating system and applications have relied exclusively on agents, which are vulnerable themselves, offer protection only within limited layers of the application + OS stack, and create sprawl and management/update issues on a large scale. The vSphere platform has unique introspection abilities and can therefore provide very comprehensive and efficient access for security controls, while obviating the need for security agents in each virtual machine. The introspection capabilities of vSphere are to security what CAT-scanners are to medical diagnostics: they can help identify hard-to-detect problems precisely and efficiently, and enable comprehensive security controls such as File Integrity Monitoring (FIM), root-kit virus protection, discovery of sensitive information, and Data Leak Protection (DLP). The introspection capabilities of vSphere result in much better performance, reduced complexity and more comprehensive host and VM protection. VMware is leveraging these introspection capabilities in the vShield security products and also exposing interfaces to our key security industry partners for integration with broader solutions such as Security Information and Event Management (SIEM) and Data Leak Protection (DLP).
  • Traditional IT security is very complex to provision and deploy. VI admins, network and security teams have overlapping roles and it takes a lot of manual coordination to properly configure and set up the network, firewall rules and vSphere configurations. Agents also get deployed in every virtual machine for basic AV, anti-malware protection. These teams are also limited in terms of the proper role based views into policy and implementation. This results in slow provisioning, very complex configuration and sprawl in VLANs/rules/agents, significant requirements on coordination, and lack of role based views into policy and implementation details.
  • vShield drastically reduces the complexity and the number of steps it takes for VI admins to implement clearly defined policies, and along with vCenter this solution enables security, network and VI admin teams to work closely together where the policies can be clearly defined, implemented, viewed and changed seamlessly. With role-based access to administration and reporting interfaces, administration is clear and simple. VI admins are empowered to implement the security policies. The lead times it takes to provision the right set of security services is greatly reduced, and these can be done through UIs or through scriptable, REST based APIs. vShield technology also helps eliminate the sprawl in VLANs, firewall rules and agents. We’ll talk more about this in a few minutes when we get into the products overview.
  • VMware is introducing the vShield family of products at VMworld 2010. vShield solutions secure the edge of the virtual datacenter, protect virtualized application deployments from network-based threats, and streamline antivirus protection for all VMs by offloading AV processing to dedicated security VMs. vShield Edge protects the perimeter of a virtual data center, and provides services such as DHCP (Dynamic Host Config Protocol), NAT (Network Address Translation), Firewall, VPN and Web Load Balancing. vShield App protects application deployments from network based threats. It allows for flexible and elastic groupings of VMs based on business needs such as PCI, HIPAA, DMZ deployments. vShield App extends the basic vShield Zones capability that is included as part of vSphere Advanced onward SKUs, by adding flexible VM grouping by user defined policies and supporting vCenter container based policies. vShield Endpoint enables efficient, offloaded AV processing. Partners such as Trend Micro, Symantec and McAfee will ship the security virtual machines that integrate with vShield Endpoint for offloaded AV processing. vShield Manager is the centralized deployment, management, reporting, logging, tracking and integration (REST based APIs) for all vShield products.
  • So what is vShield Edge and how is it LIKE what you’ve already seen in the physical data center? The solution provides a virtual appliance with the following capabilities:
    – DHCP: to automate IP address assignment to virtual machines in the vDC
    – NAT: network address translation to mask private IP addresses in the vDC when they send traffic to untrusted networks
    – Firewall: inbound and outbound connection control based on source/destination IP address and application port
    – Site to site VPN: to encrypt traffic between vDCs to allow for confidentiality between organizations or partner extranets
    – Web load balancer: actually load balancing based on IP address, but in practice, since over 70% of server virtualization is for the web tier, organizations use load balancing for HTTP/S traffic
    And for each vSphere host, the virtual network can be carved up just as a physical network can be carved up using VLANs. This “Network Isolation” keeps traffic within the organization contained within a single port group.
    But while there are similarities with security in the physical world, there are key differences – and benefits – to vShield Edge over the alternatives:
    1. No additional hardware: the virtual appliance with all the aforementioned edge features is provisioned using existing vSphere resources
    2. No complicated VLAN rules: network isolation is enforced at the hypervisor layer, not requiring VLAN-enabled switches
    3. Rapid and scalable provisioning: each ‘tenant’ gets their edge security virtually on-demand, rather than through some complicated change management process which would require budget and rack space for new edge security hardware
    4. Centralized management and logging: with traditional security, each point solution would require its own management interface and logging infrastructure. With vShield, all policy management is done from one interface and logs written in syslog format to a single location. Demonstrating compliance is a breeze.
  • vShield App picks up where vShield Edge leaves off – the interior of the vDC. Since edge security cannot completely lock down all
  • Trend will provide the solution on 9/8
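The isolation advice in the notes above (keep management, vMotion and IP-storage traffic off the production network) and the vSwitch security-policy settings from the VMware hardening guides can be turned into a repeatable compliance check. The following is an added example written for this page, not VMware tooling or the presenter's code; it runs over a constructed inventory rather than a live vCenter, and the class and field names are this example's own assumptions.

```python
from dataclasses import dataclass

# Traffic classes the speaker notes call "non-production": management services,
# IP-based storage (iSCSI, NFS), plus vMotion and FT logging from the hardening slide.
NON_PRODUCTION = {"management", "vmotion", "ft", "iscsi", "nfs"}

@dataclass
class VSwitch:
    name: str
    # The three vSwitch security-policy settings; the hardening guides
    # recommend Reject for all of them (field names are this example's own).
    promiscuous: bool = False
    mac_changes: bool = False
    forged_transmits: bool = False

@dataclass
class PortGroup:
    name: str
    vswitch: str
    vlan: int        # 0 = untagged; 4095 = every VLAN passed to the guest (VGT)
    traffic: str     # "production" or one of NON_PRODUCTION

def audit(vswitches, portgroups):
    """Return a sorted list of isolation/hardening findings for the inventory."""
    findings = []
    for sw in vswitches:
        for flag in ("promiscuous", "mac_changes", "forged_transmits"):
            if getattr(sw, flag):
                findings.append(f"{sw.name}: {flag} is Accept; hardening guides say Reject")
    for pg in portgroups:
        if pg.traffic != "production" and pg.traffic not in NON_PRODUCTION:
            findings.append(f"{pg.name}: unknown traffic class '{pg.traffic}'")
        if pg.vlan == 4095:
            findings.append(f"{pg.name}: VLAN 4095 trunks every VLAN to the guest")
    # Port groups on the same vSwitch with the same VLAN ID share one broadcast
    # domain, so production and non-production traffic there are not isolated.
    domains = {}
    for pg in portgroups:
        domains.setdefault((pg.vswitch, pg.vlan), []).append(pg)
    for (sw, vlan), pgs in domains.items():
        kinds = {pg.traffic for pg in pgs}
        crossed = sorted(kinds & NON_PRODUCTION)
        if "production" in kinds and crossed:
            findings.append(f"{sw} VLAN {vlan}: production shares a broadcast domain with {crossed}")
    return sorted(findings)

# Constructed inventory: one converged 10 GigE vSwitch as on the hardening slide,
# with promiscuous mode left on and one production port group on the management VLAN.
SWITCHES = [VSwitch("vSwitch0", promiscuous=True)]
PORTGROUPS = [
    PortGroup("Management Network", "vSwitch0", 10, "management"),
    PortGroup("vMotion", "vSwitch0", 20, "vmotion"),
    PortGroup("iSCSI", "vSwitch0", 30, "iscsi"),
    PortGroup("Web Tier", "vSwitch0", 100, "production"),
    PortGroup("Legacy App", "vSwitch0", 10, "production"),  # misconfigured on purpose
]

if __name__ == "__main__":
    for line in audit(SWITCHES, PORTGROUPS):
        print(line)
```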

Slides

Security and Compliance in a Virtualized Environment
Jan Tiri (jtiri@vmware.com), CISSP – System Engineer

Agenda
  • Security of the platform
  • How virtualization affects security
  • How do we approach virtualization security and compliance
  • Why virtualization is a security enabler
  • vShield solutions overview

Security of the Platform

The Basics: Types of Server Virtualization
  • Hosted (Type 2): VMware Workstation, VMware Server, VMware Player, VMware Fusion. The virtualization layer runs on a host OS (Windows, Linux, Mac); the host OS changes the security profile.
  • Bare-Metal (Type 1): VMware ESX/ESXi. The virtualization layer runs directly on the hardware.

The Basics: Isolation in the Platform
  • Virtual Machines
    – Are not able to interact with each other (except via network)
    – Are not aware of underlying storage -- only their own virtual disk(s)
    – Are subject to strict resource controls
  • Virtual Switches
    – Are complete, VLAN-capable, layer-2 switches
    – Have no mechanism for sharing network traffic
  (diagram: VLAN A, VLAN B)

Secure Implementation
  • VMware ESXi
    – Compact footprint (less than 100MB)
    – Fewer patches
    – Smaller attack surface
    – Absence of general-purpose management OS
    – No arbitrary code running on server
    – Not susceptible to common threats

Validated for use by Government and Defense
  • Common Criteria EAL 4+ Certification
    – Highest internationally recognized level
    – Achieved for ESX 3.0, ESX 3.5 and vSphere
  • DISA STIG for ESX
    – Approval for use in DoD information systems
  • NSA Central Security Service
    – Guidance for both datacenter and desktop scenarios

How Virtualization Affects Security

Faster Deployment of Servers

Collapse of Switches and Servers into One Device
  (diagram: ESX/ESXi on Hardware)

Virtual Machine Encapsulation

Consolidation of Servers

How do we approach Virtualization Security and Compliance?
  • Use the Principles of Information Security
    – Secure the Guests
    – Harden the Virtualization layer
    – Access Controls
    – Administrative Controls
  • Neil MacDonald (Gartner) - “How To Securely Implement Virtualization”: “Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement”

Secure the Guests
  • Provide Same Protection as for Physical Servers
    – Host: Anti-Virus, Patch Management
    – Network: Intrusion Detection/Prevention (IDS/IPS)
    – Edge: Firewalls

Harden the Virtualization Layer
  • vCenter
  • Other ESX/ESXi hosts
  • VMware Security Hardening Guides
    – Being provided for major platform products: vSphere 4.0, VMware Cloud Director, View
    – Important for architecture and deployment related controls
  (diagram: 10 GigE pNICs carrying iSCSI, FT, NFS, vMotion and TCP/IP traffic through the vSwitch; 10 GigE IP-based Storage)

Access Controls
  (diagram: spectrum from broad scope to narrow scope)

Why Virtualization is a Security Enabler?
  • Unique introspection
  • Policy abstraction
  • Cost Effective
    – Single virtual appliance with breadth of functionality
    – Single framework for comprehensive protection
  • Simple
    – No sprawl in rules, VLANs, agents
    – Relevant visibility for VI Admins, network and security teams
    – Simplified compliance
  • Adaptive
    – Virtualization and change aware
    – Program once, execute everywhere
    – Rapid remediation

Security Enabler: Unique Introspection
  • Introspect detailed VM state and VM-to-VM communications
    – Processor
    – Memory
    – Network
    – Disk
    – File System
    – Process control blocks
  • Benefits
    – Comprehensive host and VM protection
    – Reduced configuration errors
    – Quick problem identification
    – Reduced complexity – no security agents per VM required
  (diagram: vSphere + vShield)

Security Enabler: Policy Abstraction
  • Separate the policy definition from the policy implementation
  • BEFORE vShield: policy is tied to the physical host; lost during vMotion
  • AFTER vShield: policy seamlessly follows virtual machine
  • Benefits
    – Create and enforce security policies with live migration, automated VM load balancing and automated VM restart
    – Rapid provisioning of security policies
    – Easier compliance with continuous monitoring and comprehensive logging
  (diagram: VMware vSphere with vShield)

VMware Transforms Security from Complex…
  • Many steps. Configure: Network, Firewall, vSphere
  • Overlapping Roles / Responsibilities: Network admin, Security admin and VI admin each Define, Implement, Monitor, Refine Policies and Rules
  (diagram: an agent in every VM on VMware vSphere, connected by VLANs)
  • Complex
    – Policies, rules implementation - no clear separation of duties; organizational confusion
    – Many steps – configure network, firewall and vSphere
    – Spaghetti of VLANs, Sprawl - Firewall rules, agents

… To Disruptively Simple
  • Clear separation of Roles / Responsibilities: Network admin and Security admin Define, Monitor, Refine; VI admin Implements
  • Few steps: Configure vShield
  (diagram: vShield Manager + vCenter on VMware vSphere)
  • Simple
    – Clear separation of duties
    – Few steps – configure vShield
    – Eliminate VLAN sprawl – vNIC firewalls
    – Eliminate firewall rules, agents sprawl

2010 – Introducing vShield Solutions
  • Securing the Private Cloud End to End: from the Edge to the Endpoint
  • vShield App 1.0 and Zones: Application protection from network based threats (Security Zone)
  • vShield Edge 1.0: Secure the edge of the virtual datacenter (Edge)
  • vShield Endpoint 1.0: Enables offloaded anti-virus (Endpoint = VM)
  (diagram: Virtual Datacenter 1 and Virtual Datacenter 2 on VMware vSphere + vCenter, with DMZ, PCI compliant, HIPAA compliant, Test & Dev and Web zones)

VMware vShield – Foundation for Cloud Security
  • vShield Manager: Centralized Management of Security across the vDC
    – Simplify IT compliance with centralized logging & reporting
    – Simplify provisioning with vCenter Integration and programmable management
    – Third-party solution integration
  • vShield Endpoint: Offload anti-virus processing for endpoints
    – Improve performance by offloading anti-virus (AV) functions
    – Reduce costs by freeing up virtual machine resources
    – Reduce risk by streamlining AV functions to a hardened security virtual machine (SVM)
    – Satisfy audit requirements with detailed logging of AV tasks
  • vShield App and Zones: Application protection from network based threats
    – Increase visibility for inter-VM communications and eliminate blind spots
    – Eliminate dedicated hardware and VLANs for different security groups
    – Optimize resource utilization while maintaining strict security
    – Simplified compliance with comprehensive logging of inter VM activities
  • vShield Edge: Secure the edge of the virtual datacenter
    – Reduce cost and complexity by eliminating multiple special purpose appliances
    – Ensure policy enforcement with network isolation
    – Simplify management with vCenter integration
    – Easier scalability with one edge per org/tenant
    – Speed up provisioning of edge security services
    – Simplify IT compliance with detailed logging

vShield Edge: Secure the Edge of the Virtual Data Center
  • Features
    – Multiple edge security services in one appliance
    – Stateful inspection firewall
    – Network Address Translation (NAT)
    – Dynamic Host Configuration Protocol (DHCP)
    – Site to site VPN (IPsec)
    – Web Load Balancer
    – Network isolation (edge port group isolation)
    – Detailed network flow statistics for chargebacks, etc.
    – Policy management through UI or REST APIs
    – Logging and auditing based on industry standard syslog format
  (diagram: Tenant A, Tenant C, Tenant X on VMware vSphere)
  • Benefits
    – Lower cost and complexity by eliminating multiple special purpose appliances
    – Ensure policy enforcement with network isolation
    – Simplify management with vCenter integration and programmable interfaces
    – Easier scalability with one edge per org/tenant
    – Rapid provisioning of edge security services
    – Simplify IT compliance with detailed logging

vShield App: Application Protection for Network Based Threats
  • Features
    – Hypervisor-level firewall
    – Inbound, outbound connection control applied at vNIC level
    – Elastic security groups - “stretch” as virtual machines migrate to new hosts
    – Robust flow monitoring
    – Policy Management: simple and business-relevant policies, managed through UI or REST APIs
    – Logging and auditing based on industry standard syslog format
  (diagram: DMZ, PCI and HIPAA groups on VMware vSphere)
  • Benefits
    – Increase visibility for inter-VM communications
    – Eliminate dedicated hardware and VLANs for different security groups
    – Optimize resource utilization while maintaining strict security
    – Simplified compliance with comprehensive logging of inter VM activity

vShield Endpoint: Offload Anti-virus Processing for Endpoints
  • Features
    – Eliminate anti-virus agents in each VM; anti-virus off-loaded to a security VM delivered by AV partners
    – Enforce remediation using driver in VM
    – Policy and configuration Management: through UI or REST APIs
    – Logging and auditing
  (diagram: VMs (APP, OS, Kernel, BIOS) beside a hardened SVM running AV, connected through introspection on VMware vSphere)
  • Benefits
    – Improve performance by offloading anti-virus functions in tandem with AV partners
    – Improve VM performance by eliminating anti-virus storms
    – Reduce risk by eliminating agents susceptible to attacks and enforced remediation
    – Satisfy audit requirements with detailed logging of AV tasks

Where to Learn More
  • Security: Hardening Best Practices, Implementation Guidelines, http://vmware.com/go/security
  • Compliance: Partner Solutions, Advice and Recommendation, http://vmware.com/go/compliance
  • Operations: Peer-contributed Content, http://viops.vmware.com

Questions?
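The policy abstraction slide contrasts rules tied to a physical host (lost during vMotion) with group-based rules enforced at the vNIC that follow the VM. The model below is an added example written for this page, not vShield's code or API; the two firewall classes, the group names (DMZ, PCI) and the VM names are constructed to show why the second model keeps enforcing after a live migration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    host: str
    groups: frozenset   # business-relevant groups such as "DMZ" or "PCI" (constructed)

@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int
    action: str         # "allow" or "deny"

class HostBoundFirewall:
    """BEFORE model: rules are installed on the host a VM was placed on, keyed by VM name."""
    def __init__(self):
        self.rules = {}   # host -> {(src_name, dst_name, port): action}

    def install(self, host, src, dst, port, action):
        self.rules.setdefault(host, {})[(src.name, dst.name, port)] = action

    def decide(self, src, dst, port):
        # Enforcement happens on the destination's current host; after a
        # migration that host has no rules for the VM, so default deny applies.
        return self.rules.get(dst.host, {}).get((src.name, dst.name, port), "deny")

class VNicFirewall:
    """AFTER model: group-to-group rules evaluated at the destination vNIC, wherever it runs."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, src, dst, port):
        for r in self.rules:   # first match wins; no match means default deny
            if r.src_group in src.groups and r.dst_group in dst.groups and r.port == port:
                return r.action
        return "deny"

def vmotion(vm, new_host):
    """Live migration changes only the host; identity and group membership travel with the VM."""
    return VM(vm.name, new_host, vm.groups)

def scenario():
    """Web tier (DMZ) talking to a database (PCI) on port 3306, before and after the DB moves."""
    web = VM("web01", "esx01", frozenset({"DMZ"}))
    db = VM("db01", "esx01", frozenset({"PCI"}))
    before = HostBoundFirewall()
    before.install("esx01", web, db, 3306, "allow")
    after = VNicFirewall([Rule("DMZ", "PCI", 3306, "allow")])
    db_moved = vmotion(db, "esx02")
    return {
        "host_bound_before_move": before.decide(web, db, 3306),
        "host_bound_after_move": before.decide(web, db_moved, 3306),
        "vnic_before_move": after.decide(web, db, 3306),
        "vnic_after_move": after.decide(web, db_moved, 3306),
        "vnic_other_port": after.decide(web, db_moved, 22),
        "vnic_reverse_direction": after.decide(db_moved, web, 3306),
    }

if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```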