Date post: 04-Apr-2018
Category: Documents
Upload: sumeet-kaur
7/30/2019 my finAL (1)
BY:
A. Tolnai, S.H. Von Solms
Academy for Information Technology
University of Johannesburg
Johannesburg, South Africa
Presented By:
Gurjot Kaur
Sumeet Kaur
M.Tech-I
Virtualization:
The ability to run multiple operating systems on a single physical system and share the underlying hardware resources.
Cloud Computing:
The provisioning of services in a timely (near-instant), on-demand manner, to allow the scaling up and down of resources. Thus, cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet).
Thus cloud computing is:
App and Infrastructure over Internet
I pay ONLY for what I use
ONLY when I use it
With the ability to SCALE capacity up and down on-demand
Hypervisor:
A hypervisor, also called a virtual machine manager, is a
program that allows multiple operating systems to share a
single hardware host.
Multitenancy (shared resources)
Massive scalability
Elasticity
Pay as you go
Self-provisioning of resources
A Massive Concentration of Resources
Host security in SaaS, PaaS and IaaS is the responsibility of the cloud service provider (CSP).
The integrity and availability of the hypervisor are of utmost importance.
When control of the hypervisor is obtained, data as well as sensitive information can be accessed and redirected.
Virtual machine escape
System configuration drift
Root kits
Insider Threats
SOA - Service-oriented architecture
The virtualized services offered must be secure.
The virtualized services must be backed up and recovered as though they're physical systems.
The resources need to have workload management, workflow, provisioning and load balancing at the foundation.
Some virtualization security risks are:
Virtual machine escape,
Insider threats,
Root kits.
These risks & root kits can potentially cause a security
breach in the virtual environment.
A root kit can exist within the hardware by the act of patching firmware.
Firmware root kits: These types of root kits are difficult to find, and exist even after rebooting the system.
Blue pill: Virtualization is used to attack the host, whereby the normal boot process happens within a virtualized environment that the user is unaware of, while the boot process is infected so that the root kit is able to boot first.
Vitriol: also known as VT-x Hardware Virtual Machine
root kit. When this root kit is installed it migrates a
running virtual machine to another virtual machine while
it runs within the CPU.
The compromising of the hypervisor is one of the highest vulnerabilities and threats.
The steps to verify that security is well implemented are as follows:
Secure the hardware
Secure the host operating system
Secure the hypervisor
Secure the management interfaces
Secure the virtual machine
The potential security solutions to detecting and patching
the root kits are presented below:
Firmware root kits: comparing the firmware checksums.
Blue pill: by looking at resource consumption of the translation lookaside buffer (TLB).
Vitriol: This version sits within the hardware and is
difficult to detect.
A security assessment needs to be run to identify the security risks and to be able to fix the security gaps in order to secure any management appliance.
Apply the relevant hardening guidelines to secure the
operating system.
For securing the hypervisor, we have to secure the
following resources:
Access to CPU
Memory Assignment
Access to Network
Access to Disk
Application Programming Interfaces into the Hypervisor
[Figure: Scheduler; Physical CPU 1, Physical CPU 2, Physical CPU 3, Physical CPU 4]
The memory taken from one virtual machine is
zeroed out before handing it over to another virtual
machine, meaning that there is no security risk.
Through the use of the kernel's memory management, it is not possible for one virtual machine to see another virtual machine's memory.
The copies of memory can be accessed by the super user
of the virtualisation host.
To mitigate the security risk, do not allow anyone to log in directly as super user.
Use built-in auditing to ensure files are not directly accessed from the system.
Content-based page sharing (CBPS) enables virtual machines to share the same memory pages between themselves.
Hash algorithms are no longer safe; however, CBPS is, due to its bit-by-bit comparison.
CBPS can also be disabled, but there is no security reason to do so.
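The bit-by-bit comparison described above, as an added example (not code from the slides or from any hypervisor): the hash only nominates candidate pages, and a full content comparison decides whether they are actually shared. `weak_hash`, `share_pages`, `mis_shared` and the sample pages are constructed for illustration; the 8-bit hash is deliberately weak so that a collision is easy to produce.

```python
from collections import defaultdict

PAGE_SIZE = 4096

def weak_hash(page: bytes) -> int:
    # Deliberately weak 8-bit hash (constructed) so a collision is easy to show.
    return sum(page) % 256

def share_pages(pages, hash_fn, verify=True):
    """Deduplicate guest pages into shared frames.

    Returns (mapping, frames); mapping[i] is the frame index backing pages[i].
    With verify=False a hash match alone is trusted.
    """
    buckets = defaultdict(list)  # hash value -> indexes of candidate frames
    frames, mapping = [], []
    for page in pages:
        match = None
        for idx in buckets[hash_fn(page)]:
            # The hash only nominates a candidate; the full content
            # comparison decides whether the page may be shared.
            if not verify or frames[idx] == page:
                match = idx
                break
        if match is None:
            frames.append(page)
            match = len(frames) - 1
            buckets[hash_fn(page)].append(match)
        mapping.append(match)
    return mapping, frames

def mis_shared(pages, mapping, frames):
    """Indexes of guest pages now backed by a frame with different content."""
    return [i for i, p in enumerate(pages) if frames[mapping[i]] != p]

def pad(data: bytes) -> bytes:
    return data.ljust(PAGE_SIZE, b"\x00")

# Constructed sample: two identical zero pages, then two different pages
# that collide under weak_hash (same byte sum).
PAGES = [pad(b""), pad(b""), pad(b"\x01\x02"), pad(b"\x02\x01")]

if __name__ == "__main__":
    for verify in (False, True):
        mapping, frames = share_pages(PAGES, weak_hash, verify)
        print(verify, mapping, mis_shared(PAGES, mapping, frames))
```

With the comparison switched off, the fourth page ends up backed by the third page's contents; with it on, only the two identical zero pages share a frame.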
Most network devices don't have any built-in firewalls, but protection is available through the virtual switch.
It is possible to add firewalls into virtual switches, but currently a virtual switch will provide protection from the following types of attacks: MAC flooding, multicast brute force attacks, etc.
Ensure that backup tools create files with the proper
permissions.
The zeroed thick disk and the eager zeroed thick disk options should be the primary disk formats used, as they are the most secure.
The concept of virtual appliances and APIs creates more attack points into the kernel.
Use of digitally signed virtual appliances by the
appropriate certificate authority (CA) can help.
Special networking configurations need to take place
to further protect the kernel during runtime.
The management interface consists of the management
of the entire virtual infrastructure, a specific host, or
the virtual machines.
Virtual Infrastructure Management
Virtual Machine Management
Instead of creating user roles and permissions, groups should be created.
A single administrator group should be created.
Direct access to the management appliance should be
denied where all other groups are concerned.
Default protections for the super accounts should be
preserved to guarantee auditing capability.
A set of tools and drivers can be installed so that the VM knows a little more about its environment.
Use of isolation tools:
to limit information leakage to protect the innocent
to comply with standards and guidelines.
Hardening and security guidelines expressed by each guest operating system should be applied independently of the virtual infrastructure.
The virtual machine hardening should include steps so that the remote console has limited exposure and is only used on an as-needed basis.
Hardening guidelines for guest operating systems should include steps to protect the remote console as well as any additional files added to the system.
THANK YOU !!