IBM Security Virtual Server Protection
- 1. IBM Security Systems
Protecting Virtualized Environments with
IBM Security Virtual Server Protection
Chisinau
Feb 15, 2013
Adrian Aldea
EMEA Security Tiger Team
© 2012 IBM Corporation
- 2. IBM Security Systems
Agenda
Protecting Virtual Servers in a Cloud Environment
Virtualization Security Landscape
IBM Security Virtual Server Protection
Conclusion
- 3. IBM Security Systems
Roadmap Information Notice – Information subject to change until products
are announced.
IBM’s statements regarding its plans, directions and intent are subject to change or
withdrawal without notice at IBM’s sole discretion. Information regarding potential future
products is intended to outline our general product direction and it should not be relied on in
making a purchasing decision. The information mentioned regarding potential future
products is not a commitment, promise or legal obligation to deliver any material, code or
functionality. Information about potential future products may not be incorporated into any
contract. The development, release and timing of any future features or functionality
described for our products remains at our sole discretion.
- 5. IBM Security Systems
Summary of Virtualization System Security Challenges
New Vulnerabilities
• 259 new virtualization vulnerabilities over the last 5 years
• New attack types (e.g. hyperjacking, hypervisor escape, VM attacks)
Larger Attack Surface
• Virtual endpoints have the same security challenges as their physical counterparts
• Virtualization management systems provide a new attack vector
• Hypervisor itself is an attack vector
Increased flexibility can increase security risk
• Migration of VMs for load balancing can make them more difficult to secure
• Ease of addition of VMs increases likelihood that insecure systems will go online
• Malicious insiders can inflict massive damage very quickly
- 7. IBM Security Systems
Three reasons you need virtualization infrastructure protection
Need: Mitigate new risks and complexities introduced by virtualization
How IBM Virtual Server Protection for VMware® helps: Provides dynamic protection for every layer of the virtual infrastructure
Need: Maintain compliance standards and regulations
How IBM Virtual Server Protection for VMware® helps: Helps meet regulatory compliance by providing security and reporting functionality customized for the virtual infrastructure
Need: Drive operational efficiency
How IBM Virtual Server Protection for VMware® helps: Increases ROI of the virtual infrastructure by maximizing capacity utilization (VM density)
- 9. IBM Security Systems
IBM Security Virtual Server Protection for VMware
Integrated threat protection for VMware vSphere
Helps customers to be more secure, compliant and cost-effective by delivering integrated and
optimized security for virtual data centers.
• VMsafe Integration
• Firewall and Intrusion Prevention
• Rootkit Detection/Prevention
• Inter-VM Traffic Analysis
• Automated Protection for Mobile VMs (VMotion)
• Virtual Network Segment Protection
• Virtual Network-Level Protection
• Virtual Infrastructure Auditing (Privileged User)
• Virtual Network Access Control
- 10. IBM Security Systems
Host-based Protection vs. Hypervisor Integrated Protection
Isolation
• Host-Based Agent: Firewall functions only in the context of the VM
• Virtual Server Protection: Firewall enforces virtual network-wide policy
Attack Prevention
• Host-Based Agent: Requires agent to be present
• Virtual Server Protection: Secures all virtual machines automatically
VM State
• Host-Based Agent: Security is impacted by VM state change
• Virtual Server Protection: Security is not impacted by VM state change
Security Policies
• Host-Based Agent: Policy is enforced only within the VM
• Virtual Server Protection: Policy is enforced outside of the VM and irrespective of the VM's location
- 11. IBM Security Systems
Virtualization Vulnerability Protection
Virtualization has introduced new attack vectors, risks, and components to the IT environment: the hypervisor and its management system.
Hypervisor escape, hyperjacking, and VM man-in-the-middle attacks require an attacker to first compromise the system through a Guest VM or the management infrastructure.
VSP can reduce the risk of this type of breach by helping to prevent a successful attack against the guest VMs through integration at the hypervisor level.
A multi-pronged solution that matches the right security product to the vulnerable component can help to prevent a successful attack on the virtualization system.
[Diagram labels: Optimal Security Controls: IBM Security Server Protection (HIPS), Virtual Server Protection, BigFix (Patch, SCM), Proventia GX (NIPS). Components marked "Vuln": Admin clients, vCenter servers, Service Console, Virtual Devices, Privileged Access, Unprotected VM]
- 12. IBM Security Systems
Protecting a Dynamic, Distributed Environment
[Diagram labels: SIEM, SiteProtector, Reporting, Web, Application, Database, Automated Response]
- 13. IBM Security Systems
Lack of Visibility Into Activity Within the Virtual Network
Unauthorized communication between is prevented
Attacks through authorized communication channels are stopped.
- 14. IBM Security Systems
Dynamic Environment Protection
Maintain security posture irrespective of the physical server on which the VM resides
Abstraction from underlying physical servers provides dynamic security optimized for mobility
[Diagram labels: SiteProtector; two ESX Servers, each with an SVM, guest VMs, VMSafe and vSwitches]
- 15. IBM Security Systems
Virtual Machine Rootkit Detection
Rootkits are an integral tool in a malicious attacker’s toolkit and can be dangerous in the wrong hands. For example, rootkits were a key component in the spread of the Stuxnet worm.
Rootkits are notoriously difficult to detect because they can conceal their presence from the guest OS.
VSP can protect against rootkits by scanning the guest VM memory tables for rootkits from the hypervisor, as opposed to the guest VM.
[Diagram labels: Physical Host; VSP SVM; VM, VM, VM]
- 16. IBM Security Systems
Virtual Machine Sprawl
Mitigation Strategy: Automated VM Discovery and Virtual Network Access Control
• VM Sprawl: Obsolete or rogue VMs proliferating in the virtualized environment
• Control VM sprawl through auto-discovery of assets
• Detect new VMs as they come on-line
• Assess security posture
• Ensure only approved VMs gain network access
[Diagram labels: 1. Detect VMs automatically; 2. Assess security posture; Automatically quarantine from network; Apply relevant security policy; SVM, Known Guest VM, Unknown Guest VM, Rogue VM, Hypervisor]
- 17. IBM Security Systems
Virtual Patch Protection for VMs
The IBM X-Force Research tracks and analyzes every critical software vulnerability each year.
Vendors quickly patch a majority of these vulnerabilities. However, approximately 37% of all disclosed vulnerabilities remain unpatched.
VSP can protect against un-patched vulnerabilities across all Guest VMs, using IBM Virtual Patch technology.
IBM Virtual Patch can provide zero-day protection and reduce the need for emergency software patching.
[Diagram labels: Physical Host; VSP SVM; VM, VM, VM]
- 18. IBM Security Systems
Optimal Security Footprint
Redundant instances of traditional agent-based security solutions can consume significant machine resources.
Tradeoff between running a traditional security agent in each VM and providing no security at all. Neither approach is optimal.
VSP optimizes the security footprint by providing a single security VM that protects all guest VMs on that physical host, providing agentless security.
The resources consumed by VSP can be carefully controlled.
VSP impact to network performance is minimal, as are memory and disk footprint.
VSP can protect all OS platforms supported by VMware.
[Diagram labels: VMware ESX/i Host; VSP SVM; guest VMs]
- 21. IBM Security Systems
IBM Virtual Server Protection for VMware increases ROI of the virtual infrastructure, while reducing risk
Automated Protection as each VM comes online
• Automatic Discovery
• Automated vulnerability assessment
• IBM Virtual Patch® technology
Non-intrusive
• No reconfiguration of the virtual network
• No presence in the guest OS
Protection for any guest OS
• Reduction in security agents for multiple OSs
Less management overhead eliminates redundant processing tasks
– One Security Virtual Machine (SVM) per physical server
– 1:many protection-to-VM ratio
– CPU-intensive processing removed from the guest OS and consolidated in SVM
Centralized Management
– IBM Proventia® Management SiteProtector™ system
Improved stability
More CPU/memory available for workloads
Reduced attack surface