SBC 2012 - Some security issues in Virtualization (Nguyễn Hinh)



  1. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Common issues of Virtualization Security. Nguyễn Hinh | hinhnguyen00@gmail.com
  2. About Me: Hinh Nguyen, hinhnguyen00@gmail.com, UIT. Focus on Virtualization & Cloud Computing.
  3. Content: I. Overview; II. Benefits of Virtualization; III. Risks for Virtualized Environments; IV. Recommendations.
  4. Virtualization Overview: "With vMotion instances launching every second, there are more VMs in motion globally than actual aircraft." -- Paul Maritz, CEO, VMware
  5. Virtualization Security Overview: Gartner: 60% of VMs will be LESS SECURE than the physical servers they replace (through 2012). http://www.gartner.com/it/page.jsp?id=1322414 (chart: Better / Less Secure)
  6. Why??? - "Hypervisor creates new attack surface" - Designer/Operator
  7. II. BENEFITS OF VIRTUALIZATION
  8. II.1. Reduce cost: Reduce maintenance cost, save power; Reduce the quantity of hardware & software to purchase; Reduce "server sprawl".
  9. II.2. More Secure: Disaster Recovery & HA capabilities (HA, FT, ..., snapshot); Forensic analysis (compromised server); Sandboxing (unstable app). Mixed: 1 physical server (master) - VMs (slave). Risk: "VM Escape".
  10. III. RISKS FOR VIRTUALIZED ENVIRONMENTS
  11. III. Risks for Virtualized Environments (diagram slide)
  12. III. Risks for Virtualized Environments: Hypervisor; Host/platform; Communication; Isolation between guest and guest; Isolation between guest and host.
  13. IV. RECOMMENDATIONS
  14. IV. Recommendations: Restrict physical access; Implement defense in depth; Enforce least privilege and separation of duties; Harden the hypervisor; Harden virtual machines and other components.
  15. IV. Recommendations (diagram slide)
  16. IV. Recommendations (diagram slide)
  17. IV. Recommendations (diagram slide)
  18. IV. Recommendations, by component:
     • VM: Update the OS, ... like a physical server; Limit console sharing; Control access to resources, disconnect unauthorized devices.
     • ESXi: Use AD, verify the "ESX Admin" group; Password policy; Configure FW (SSH), NTP, SNMP...; SSL for NFC.
     • vCenter: Assign roles to specific users; Verify vSphere plug-ins; Clients connect to vCenter by SSL with a trusted CA-signed cert; Disable the datastore browser.
     • vNetwork: Management, vMotion & storage traffic is isolated; Forged Transmits & MAC address change policy: reject; Port groups are not on the native VLAN.
  19. Q&A
  20. (closing slide)
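The checklist on slide 18 is the kind of thing a practitioner wants to verify continuously rather than once. The script below is an added example, not part of the SBC 2012 slides and not the speaker's code: a read-only VMware PowerCLI audit that reports hosts, switches, port groups and roles that deviate from the slide-18 ESXi, vCenter and vNetwork items it can check. It assumes PowerCLI is installed, that `vcenter.example.test` is a placeholder for a reachable vCenter, and that the upstream switches use VLAN 1 as the native VLAN (the `$NativeVlan` parameter); in PowerCLI's security-policy objects, `$false` corresponds to the "Reject" setting the slide asks for.

```powershell
# Added example (not from the SBC 2012 slides): read-only PowerCLI audit of slide-18 items.
# Assumptions: PowerCLI is installed; vcenter.example.test is a placeholder vCenter name;
# the upstream native VLAN is 1. Nothing here changes configuration, it only reports.
param(
    [string]$VIServer   = "vcenter.example.test",   # placeholder, replace with your vCenter
    [int]   $NativeVlan = 1                          # assumption: native VLAN on the physical switches
)

Connect-VIServer -Server $VIServer | Out-Null

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$HostName, [string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Host = $HostName; Check = $Check; Detail = $Detail })
}

foreach ($vmhost in Get-VMHost) {
    $name = $vmhost.Name

    # ESXi "Use AD": the host should be joined to a domain so admin accounts are not local-only
    $auth = Get-VMHostAuthentication -VMHost $vmhost
    if ([string]::IsNullOrEmpty($auth.Domain)) {
        Add-Finding $name 'ESXi AD membership' 'Host is not joined to an Active Directory domain'
    }

    # ESXi "Config FW (SSH)": SSH should not run permanently, and if its firewall rule is
    # enabled it should not accept connections from every source IP
    $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
    if ($ssh.Running -or $ssh.Policy -eq 'on') {
        Add-Finding $name 'ESXi SSH service' "Running=$($ssh.Running) Policy=$($ssh.Policy)"
    }
    $fw = Get-VMHostFirewallException -VMHost $vmhost -Name 'SSH Server'
    if ($fw.Enabled -and $fw.ExtensionData.AllowedHosts.AllIp) {
        Add-Finding $name 'ESXi SSH firewall' 'SSH Server rule allows all source IPs'
    }

    # ESXi "NTP": without time sync, log correlation and AD (Kerberos) authentication break
    if (-not (Get-VMHostNtpServer -VMHost $vmhost)) {
        Add-Finding $name 'ESXi NTP' 'No NTP server configured'
    }

    # ESXi "password policy": the pam_passwdqc control string must be set
    $pw = Get-AdvancedSetting -Entity $vmhost -Name 'Security.PasswordQualityControl'
    if (-not $pw -or [string]::IsNullOrWhiteSpace($pw.Value)) {
        Add-Finding $name 'ESXi password policy' 'Security.PasswordQualityControl is not set'
    }

    # vNetwork "Forged Transmits & MAC address change policy: reject" on every standard
    # vSwitch; $false is Reject, $true is Accept
    foreach ($vs in Get-VirtualSwitch -VMHost $vmhost -Standard) {
        $pol = Get-SecurityPolicy -VirtualSwitch $vs
        if ($pol.ForgedTransmits -or $pol.MacChanges -or $pol.AllowPromiscuous) {
            Add-Finding $name "vSwitch $($vs.Name) security policy" `
                "Forged=$($pol.ForgedTransmits) MacChanges=$($pol.MacChanges) Promiscuous=$($pol.AllowPromiscuous)"
        }
    }
    foreach ($pg in Get-VirtualPortGroup -VMHost $vmhost -Standard) {
        # A port group can override (and weaken) the switch-level policy, so check it too
        $pol = Get-SecurityPolicy -VirtualPortGroup $pg
        if ($pol.ForgedTransmits -or $pol.MacChanges -or $pol.AllowPromiscuous) {
            Add-Finding $name "Port group $($pg.Name) security policy" `
                "Forged=$($pol.ForgedTransmits) MacChanges=$($pol.MacChanges) Promiscuous=$($pol.AllowPromiscuous)"
        }
        # vNetwork "Port groups are not native VLAN": VLAN 0 means untagged, which also lands
        # on the upstream native VLAN
        if ($pg.VLanId -eq $NativeVlan -or $pg.VLanId -eq 0) {
            Add-Finding $name "Port group $($pg.Name) VLAN" "VLAN ID $($pg.VLanId) is native/untagged"
        }
    }
}

# vCenter "Disable datastore browser": this is a role privilege, so report every role that
# still grants Datastore.Browse and review who holds those roles
foreach ($role in Get-VIRole | Where-Object { $_.PrivilegeList -contains 'Datastore.Browse' }) {
    Add-Finding 'vCenter' "Role $($role.Name)" 'Grants Datastore.Browse (datastore browser usable)'
}

Disconnect-VIServer -Server $VIServer -Confirm:$false

# One row per deviation; an empty table means every checked item matches slide 18
$findings | Format-Table -AutoSize
```

Run it from a PowerCLI session with an account that has read-only rights on the vCenter; the two items it does not cover (verifying vSphere plug-ins and the CA-signed vCenter certificate) are checked on the client side rather than through the vSphere API.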
