The document discusses VMware's security strategy and how virtualization provides security benefits. It outlines how virtualization allows automation of manual security processes, improves forensics capabilities, and makes patching and recovery faster. VMware focuses on integrating products into existing security policies while enabling broad security for all VMs. Features like vShield Zones and VMsafe appliances provide centralized security management and protection of virtual environments. Virtualization also extends these security advantages from the datacenter to endpoint devices through portable client-side virtual machines.

1. VMware Security Briefing VMware Team Dan Schoch Scott Favorite JJ DiGeronimo

2. Agenda VMware Strategy Security Benefits in vSphere’s Virtualization Extending Virtualization to the EndPoint Research and Whitepapers

3. Security Advantages of Virtualization Allows Automation of Many Manual Error Prone Processes Better Forensics Capabilities Faster Recovery After an Attack Patching is Safer and More Effective More Cost Effective Security Devices Better Lifecycle Controls Security Through VM Introspection Cleaner and Easier Disaster Recovery/Business Continuity

4. VMware Security Strategy New platform hardening features further enhance robust security capabilities Thin-hypervisor strategy Integrate VMware products into existing operational policies in the enterprise Enable broad-based security for every VM in the environment “ Democratize” security Self-describing, Self-configuring security Impact security by taking advantage of unique VMware technologies Focus on products and operations Core Platform Security Operationalize Security Security Virtual Appliances Better Than Physical: Adaptive Security Infrastructure .OVF VMware Confidential/Proprietary

5. Extended Computing Stack and Guest Isolation Hypervisor Standard x86 VMware ESX

6. Isolation by design Security Design of the VMware Infrastructure Architecture http://www.vmware.com/resources/techresources/727

7. How Virtualization Affects Datacenter Security

8. Agenda VMware Strategy Security Benefits in vSphere’s Virtualization Extending Virtualization to the EndPoint Research and Whitepapers

9. vSphere - Virtual Datacenter OS from VMware Off-premise Cloud vCenter On-premise Infrastructure Make applications more scalable, secure and resilient in a virtual environment than physical. SaaS Linux Grid Windows J2EE .Net VMware Infrastructure -> virtual datacenter OS Application vServices Scalability Infrastructure vServices Security Availability vNetwork vStorage vCompute Cloud vServices …… . Web 2.0

10. DPM Hot Add Fault Tolerance Thin Provisioning Data Recovery VMsafe Distributed Switch Host Profiles Consolidates workloads onto fewer servers when the cluster needs fewer resources – - Distributed Power Management will be fully supported in production. DPM with WoL will still be supported experimentally only. Dynamically add additional compute, memory or network/storage resources as applications grow -Hot Add Enables admins the ability to scale VM’s without disruption to end user Ensure continuous availability for virtual machines against hardware failures. - VMware FT creates virtual machine “pairs” that run in lock step - essentially mirroring the execution state of a VM & eliminating data loss or downtime to any application. Optimizes storage costs through the most efficient use of storage in virtual environments - Use Thin Provisioning to reduce storage costs by up to 50%. Quick, simple and complete data protection for your VM’s -Data Recovery provides you with agent-less, disk-based backup and recovery (VM or file level) of your VM’s Comply with corporate security policies and regulations on data privacy while still running applications efficiently on shared computing resource pools. - vShield Zones makes it easy to centrally manage and enforce compliance with security policies across large pools of servers and virtual machines. Enables the use of security products that work in conjunction with the virtualization layer to provide higher levels of security to virtual machines Partners working on VMSafe products: Symantec, trend micro, checkpoint, Internet security systems and McAfee Simplifies and enhances the provisioning, administration and control of virtual machine networking - VMware Distributed Switch is a new type of virtual switch which spans the entire Virtual Infrastructure which enables the network to be treated s an aggregated resource. Standardize and simplify how customers configure and manage ESX host configurations. - Host profiles simplify and standardize ESX host configuration. This feature in vCenter Server 4.0 allows the creation of a “golden profile” from an existing host and using this as a template to configure other hosts vShield Zones vSphere – New & Improved Enterprise OS

11. VMware VMsafe Multi-function Security Appliance Security VM vNetwork Distributed Switch Security VM Integrated, more effective, comprehensive security solutions within the virtual infrastructure Better than physical: automatic protection, right-sized security capacity Agent-less deployment of partner security services Single security VM for multiple security services AV, Firewall, IPS Mobility-awareness: Security policy and state moves with virtual machine VMware ESX App OS App OS App OS App OS App OS VMware ESX App OS

12. VMsafe™ APIs API’s for all virtual hardware components of the VM CPU/Memory Inspection Inspection of specific memory pages being used by the VM or it applications Knowledge of the CPU state Policy enforcement through resource allocation of CPU and memory pages Networking View all IO traffic on the host Ability to intercept, view, modify and replicate IO traffic from any one VM or all VM’s on a single host. Capability to provide inline or passive protection Storage Ability to mount and read virtual disks (VMDK) Inspect IO read/writes to the storage devices Transparent to the device and inline of the ESX Storage stack

13. VMware vShield Zones Capabilities Bridge, firewall, or isolate VM zones based on familiar VI containers Monitor allowed and disallowed activity by application-based protocols One-click flow-to-firewall blocks precise network traffic Benefits Well-defined security posture within virtual environment Monitoring and assured policies, even through Vmotion and VM lifecycle events Simple zone-based rules reduces policy errors

14. Virtual Network Visibility Network flows at DC, Cluster, VLAN and down to the guest VM level Take guess work out of troubleshooting firewalls: see allowed and blocked traffic Identify malicious traffic: visibility for rogue services, botnets, improver server configuration

15. VMware VM Wall - Virtual Firewall Shorthand rule notation : use cluster, VLAN as container groups Hierarchical rule assignment : scope of rules can be datacenter, cluster or VLAN – all centrally managed Application-aware rule provisioning : opens dynamic / ephemeral ports as needed and specify app names – not ports

16. Secure Design for Virtualization Layer Fundamental Design Principles Isolate all management networks Disable all unneeded services Tightly regulate all administrative access

17. Agenda VMware Security Strategy Security Benefits in vSphere’s Virtualization Extending Virtualization to the EndPoint Research and Whitepapers

18. Difficult to Manage and Secure Device PC management is difficult to centralize due to the broadly distributed nature of PC hardware. Users often require access to their desktop environment from anywhere. PC desktop standardization is difficult in the face of hardware discrepancies and the wide variety of brands and models. End users often require customized desktop environments. High Total Cost of Ownership Ongoing PC management is costly and labor-intensive. Multiple PC hardware configurations need to be tested and validated prior to deployment. Support costs are further exacerbated by the need to support a geographically dispersed PC infrastructure. Physical Desktop Challenges

19. Benefits of Centralized Desktops Bring back previously decentralized applications and data into the corporate data center. Centrally control and manage all off-site access to these sensitive applications and data. Extend their corporate network security levels to off-site facilities. Sensitive applications and data are no longer stored on off-site computers. Data integrity and business continuity (DR) is more easily maintained. Most users , not just for off-shore users and contractors, but for mobile workers and branch office employees, too. Regulatory compliance requirements are more easily adhered to. (HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley)

20. Server-based Desktop Virtualization Profile Moving the desktop to a virtualized image in the data center allows the complex components to be protected and managed. File Server User Data Profile File Server App App App

21. Universal Operating System “Gold” Image Profile A single encapsulated hardware build for all users allows for better tuning and hardening of the underlying operating system. File Server User Data Profile File Server App App App

22. Patch Management in the Data Center Profile Patches can be delivered at data center network speeds, or virtual machines can be periodically destroyed and rebuilt cleanly. File Server User Data Profile File Server App App Patch Server App

23. Access Control Profile Controlling access to the virtualized desktops provides further protection to applications and user data. File Server User Data Profile File Server App App X App

24. Elimination of Complex Devices at the Edge Profile Users can be issued tamper-proof thin clients with no moving parts to complete the solution. File Server User Data Profile File Server App App App

25. Data Security - Backing Up With a fully virtualized desktop, backups are not only simplified, they’re actually possible. ? Profile File Server User Data Profiles File Server App App VM Template App

26. Secured Client-Side Virtualization Control network access of the VM X Encryption of the Virtual Disk Link a VM to a specific device Block devices to secure data Phone home or deactivate Secure Virtual Machines can be overlaid on a insecure or unmanaged device. Central Management of Security Policies

27. Portable Client-Side Virtualization The client device and it’s unsecured OS become irrelevant – the VM is the true working environment.

28. Application Virtualization Applications are encapsulated in their own container Each application is separated from other applications and the operating system Application virtualization intercepts file and system calls between the application and the OS

29. Security Benefits of Application Virtualization Single App to Patch No need to “install” software on systems Can be run as a usermode application with no admin rights Can be run from a central location

30. Integrated Virtualization Solution Profile Users can be issued tamper-proof ACE Instances with virtualized apps and network access only through VIEW instances to complete the solution. File Server User Data Profile File Server App App App

31. Agenda VMware Strategy Security Benefits in vSphere’s Virtualization Extending Virtualization to the EndPoint Research and Whitepapers

32. References Security Design of the VMware Infrastructure 3 Architecture ( http://www.vmware.com/resources/techresources/727 ) VMware Infrastructure Security Hardening ( http://www.vmware.com/vmtn/resources/726 ) Managing VMware VirtualCenter Roles and Permissions ( http://www.vmware.com/resources/techresources/826 ) DISA STIG and Checklist for VMware ESX ( http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf ) ( http://iase.disa.mil/stigs/checklist/esx_server_checklist_v1r1_30_apr_2008.pdf ) CIS (Center for Internet Security) Benchmark ( http://www.cisecurity.org/bench_vm.html ) Xtravirt Virtualization Security Risk Assessment ( http://www.xtravirt.com/index.php?option=com_remository&Itemid=75&func=fileinfo&id=15 )

33. Common Criteria Certified Versions Common Criteria EAL 4+ Certification for ESX 3.0.2 and VC 2.0.2 http://www.cse-cst.gc.ca/its-sti/services/cc/vmware-eng.html Common Criteria EAL 4+ Certification for ESX 3.5, ESXi 3.5 and VC 2.5 (In Progress) http://www.cse-cst.gc.ca/its-sti/services/cc/oe-pece-eng.html Common Criteria EAL 4+ Certification for ESX 4, ESXi 4 and VC 4 to be submitted for certification shortly

34. VMware Security Briefing VMware Team Dan Schoch Scott Favorite JJ DiGeronimo

35. Enforce Strong Access Controls Anne Harry Joe Security Principle Implementation in VI Least Privileges Roles with only required privileges Separation of Duties Roles applied only to required objects Administrator Operator User

36. View is much simpler to set up and support

37. Competitive Pricing/Packaging Comparison * Experimental support only XenDesktop VMware View Advanced Enterprise Platinum Enterprise Premier Virtualization Platform Connection broker Secure remote access Storage Optimization Multi-backend support Application Virtualization Offline Desktop* High Availability Dynamic Provisioning Desktop Monitoring Partner Partner Pricing $195 $295 $395 $150 $250                                 x x x x x x x x x x x x x x x 

38. Cost Comparison Vmware cost per user Premier Bundle $ 250.00 List price per user Premier Bundle Support and Maintenance $ 62.00 ESX Server HW $ 156.25 ESX server $10,000 64 users on 8 core system Provisioning Server HW Cost $ - Virtual Machine on ESX Connection Broker HW Cost $ - Virtual Machine on ESX Storage Costs $ 30.00 Space for Linked clone $ 498.25 Total per user cost Citrix cost per user Xen Desktop Advanced $ 295.00 List price per user XenDesktop Platinum Support and Maintenance $ 48.75 Xen Desktop Server Hw $ 312.50 XEN server $10,000 32 users on 8 core system Provisioning Server HW Cost $ 16.67 Physical server per documentation 300 users for $5,000 Connection Broker HW Cost $ 4.17 Physical server per documentation 1200 users for $5,000 Storage Costs $ 30.00 In theory, some costs but will be minimal $ 707.09 Total per user cost (+ additional server for XenApp, + TSCAL, +,+)