Session ID: Session Title

Date post: 22-Jan-2015
Upload: cameroon45
SB62: Virtual Reality: How to Securely Embrace Virtualization Joshua Corman, IBM Internet Security Systems Principal Security Strategist
Transcript
Page 1: Session ID: Session Title

SB62: Virtual Reality: How to Securely Embrace Virtualization

Joshua Corman, IBM Internet Security Systems
Principal Security Strategist

Page 2: Session ID: Session Title

Agenda

• Virtualization Overview
• Threat Landscape
• What Can I Do?
  – Current technologies and solutions
  – The future of virtualization and enterprise security
• Questions

Page 3: Session ID: Session Title

Virtual Security

Page 4: Session ID: Session Title

Primer…

• Security Trade Offs…
• What Drives our Security Decisions…
• For Servers… Rank these Objectives:
  – Confidentiality
  – Integrity
  – Availability
• Isolation, Isolation, Isolation
• Compliance, Compliance, Compliance

Page 5: Session ID: Session Title

Security Trade Offs… as told by Bruce Schneier

There are several specific aspects of the security trade-off that can go wrong. For example:

1. The severity of the risk.
2. The probability of the risk.
3. The magnitude of the costs.
4. How effective the countermeasure is at mitigating the risk.
5. How well disparate risks and costs can be compared.

– As mentioned in The Psychology of Security keynote from Black Hat USA 2007

Page 6: Session ID: Session Title

4/25/2008 Virtualization and Enterprise Security

What is Virtualization

• The logical abstraction of physical computing resources (OS, application, switches, storage, networks) designed to create computing environments that are not restricted by physical configuration or implementation.

Page 7: Session ID: Session Title

Virtualization Market Anecdotes

• Virtualization demand has exploded
  – “…spending on virtualization technology will reach $15 billion by 2009.” – IDC
  – “…80% of all data centers are using virtualization in some form.” – IDC
  – “…Enterprises which do not leverage virtualization will pay up to 40% more in acquisition costs by 2008, and roughly 20% more in administrative costs” – Gartner

Page 8: Session ID: Session Title

Virtualization Market Anecdotes

– 35% of North American and European firms use server virtualization today. An additional 11% are in the piloting process. – Forrester
– A separate global survey of large and SMB enterprises across a variety of vertical industries indicates that in 2006 76% of companies already use or plan to deploy server virtualization technologies.
  • 62 of the 76% have already deployed or are in the process of deploying the technology. – Yankee Group

Page 9: Session ID: Session Title

Large Enterprise Perspective – Server Virtualization

– Recent worldwide surveys of 1,221 enterprises with 1,000 employees or more. – Forrester
  • Twenty-six percent report they have implemented server virtualization, and another 8% plan to pilot within 12 months.
  • Global 2000 firms — those with 20,000 or more employees — had the strongest overall results in terms of awareness, adoption, and pilot plans, with 79% overall awareness, 33% already using virtualization, and 13% with plans to pilot within 12 months.
  • North American firms lead, with 41% already implemented or planning to pilot.

Page 10: Session ID: Session Title

Virtualization Benefits

• Cost savings
  – Space, power, cooling
• More efficient use of hardware resources
• Common hardware environments
• Instant provisioning
• Disaster recovery
• Data partitioning
• Distributed resource scheduling
  – Load balancing

Page 11: Session ID: Session Title

Virtualization and Security

• Accelerate testing and deployment of patches
• Restoration of compromised VMs to known good state

Page 12: Session ID: Session Title

Platform Virtualization

Page 13: Session ID: Session Title

Hardware Assisted Virtualization

• Intel
  – VT (Virtualization Technology or “Vanderpool” Technology)
    • VT-x (IA-32 extensions) – CPU virtualization only
    • VT-i (IA-64 extensions) – CPU virtualization only
    • Announced Futures
      – VT-d (Directed I/O) – I/O virtualization
      – Memory virtualization
• AMD
  – AMD-V or Pacifica – CPU virtualization only
  – Futures
    • IOMMU – I/O virtualization
    • Memory virtualization
• NetXen
  – Ethernet I/O virtualization

Page 14: Session ID: Session Title

Virtualization impact on the enterprise

• Virtualization changes the enterprise landscape completely
  – Virtual networking
  – New management framework
• Security must be part of the virtual infrastructure just as it is part of the physical infrastructure
  – Defense in depth
  – Integrated protection
  – Security management
  – Audit

Page 15: Session ID: Session Title

Scope

• The scope of this presentation is x86 virtualization and its associated security implications in the Enterprise

• Primarily focused on Server uses

Page 16: Session ID: Session Title

The Major Players

• Founded in 1998
• Division of EMC
  – $9.6B in Revenue
  – 4 million users, 20K corporate customers
• IPO (~13% shares) in 2007

• Pioneered virtualization over 40 years ago

• Acquired XenSource in 2007 for $500 million
• Based on open-source Xen hypervisor

• Virtual server, acquired VirtualPC in 2003 from Connectix
• Hyper-V (fka Viridian) to be released in 2008

• Based on open-source Xen hypervisor

Page 17: Session ID: Session Title

What does Virtualization Change?

• Everything
  – Dynamic, fluid data-center
  – Resource pools
  – Commoditization of everything
  – Increased efficiency
• Nothing
  – Virtual IT is still IT
    • Security, sprawl, management, complexity, heterogeneity

Page 18: Session ID: Session Title

Virtualization and Enterprise Security

• Virtualization != Security
  – Standard servers are as secure as standard VMs
• Partitioning divides VMs, but does not secure them
• Same principles apply
  – Defense in depth
  – Network design and segmentation
  – Unified security management

Page 19: Session ID: Session Title

Threat Landscape

• Points of Exposure
  – Applications
  – Operating systems
  – Virtual machine software
  – Management infrastructure
  – Virtualization-aware hardware
  – Virtual Network

Page 20: Session ID: Session Title

Threat Landscape - Continued

• New Swath of Availability Attacks
  – Owning a single guest
  – Breaking out of the guest
  – Compromise of Virtual Console/Management
    • Provision their own evil guest(s)
    • Adjust resource quotas
    • Shut OFF guest(s)
  – Compromise of the VMM/Hypervisor
    • IsGameOver()

Page 21: Session ID: Session Title

Threat Landscape - Continued

• Real Evil…
  – Regulatory
  – Auditors
  – Org-Charts... Separation of Duties

Page 22: Session ID: Session Title

Pre-Virtualization and Post-Virtualization Eras

[Figure: Pre-Virtualization and Post Virtualization stacks, labelled Existing Vulns and New Vulns. Caption: More Components = More Exposure]

Page 23: Session ID: Session Title

Threat Vectors and Exposures (Type 1)

[Figure: stack of Hardware, Hardware Virtualization, Hypervisor/VMM, Operating System, Application/Service instances and Management, with layers labelled Existing Vulnerabilities or New Vulnerabilities. Caption: More Components = More Exposure]

Page 24: Session ID: Session Title

Threat Vectors and Exposures (Type 2)

[Figure: Type 2 stack with layers labelled Existing Vulnerabilities or New Vulnerabilities. Caption: More Components = More Exposure]

Page 25: Session ID: Session Title

Threat Vectors and Exposures (Hardware-Based)

[Figure: hardware-based stack with layers labelled Existing Vulnerabilities, New Vulnerabilities, and "New Vulnerabilities, but much more difficult to exploit". Caption: More Components = More Exposure]

Page 26: Session ID: Session Title

TARGET: Operating Systems and Applications

• Traditional threats remain as long as VMs communicate with the network, virtual or physical
  – Worms
  – Rootkits
  – Trojans
  – DoS
  – SQL Injection
  – Cross Site Scripting
• Risk to mission-critical applications hosted in a virtual environment

Page 27: Session ID: Session Title

TARGET: Virtual Machine Software

• There are going to be bugs that lead to security risks
• As adoption increases, vulnerability disclosures will follow
• New classes of threats and more advanced existing threats
  – breaking isolation
• Existing techniques (e.g. rootkits) with greater stealth capabilities
  – VM nesting
• Examples
  – Subvirt Rootkit
    • University of Michigan and Microsoft Research

Page 28: Session ID: Session Title

TARGET: Management Infrastructure

• Keys to the castle
• Vulnerabilities in management applications
• Insider threat
• Example is VMware ESX Service Console

Many potentially risky packages removed, however…

http://xforce.iss.net/xforce/xfdb/26878 (XSS)
http://xforce.iss.net/xforce/xfdb/28098 (BO)
http://xforce.iss.net/xforce/xfdb/27881 (insecure permissions)
http://kb.vmware.com/KanisaPlatform/Publishing/466/5915871_f.SAL_Public.html (XSS)

VMware offers 3i, which does not have a Service Console component; however, some management application has to connect to the ESX server for management.

Page 29: Session ID: Session Title

TARGET: Virtualization-Aware Hardware

• Intel VT, AMD SVM, NetXen
• Low level makes detection significantly more difficult
• Risk to non-virtualized deployments
• Brand new opportunities for Stealth Rootkits…
  – Vitriol
  – Blue Pill

Page 30: Session ID: Session Title

THREAT: Vitriol

• Intel VT-x
• Dino Dai Zovi
• BlackHat USA 2006

Page 31: Session ID: Session Title

THREAT: Blue Pill

• AMD SVM/Pacifica
• Joanna Rutkowska
• BlackHat USA 2006
• Updated at BlackHat USA 2007
  – “Blue Chicken”

Page 32: Session ID: Session Title

TARGET: Virtual Networking

• New paradigm may result in increased risk
• Intra-VM communications
• Virtual network infrastructure vulnerabilities
  – Elective risk

Page 33: Session ID: Session Title

[Figure: Physical Network and Virtual Network. VMs (each with App, Service, Process) and Management connect through Virtual Switches to Physical NICs. Labels: Who’s Watching? Traditional Security]

Page 34: Session ID: Session Title

Protection Solutions - Current

• Intrusion Prevention Systems (“bad guys” out)
  – Open-source and commercial HIPS solutions
  – Network-based IPS can only guard the gate
• Access-control (“good guys” in)
  – sHype ACM (Integrity and Attestation)
    • MAC (Mandatory Access Controls)
    • IBM Watson Labs for XEN
    • The Trust of Trusting Trust (chaining)
• Existing options do not scale

Page 35: Session ID: Session Title

Protection Solutions - Current

• Prudent Use
  – Know when to Hold’Em…
  – Some Applications are worth the risks
  – Some Applications are not worth the risks
• Only couple servers of same trust/risk level
  – Physical Isolation by Risk
  – DMZ Zones example (Internet/Applications/Databases)
    • See Gartner’s Server Virtualization Can Break DMZ Security
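
The rule of only coupling servers of the same trust/risk level can be checked against a VM inventory. The following is an added example, not part of the original presentation: the inventory records, VM and host names are constructed, the zone labels follow the slide's DMZ example, and treating an unclassified VM as a finding is an assumption.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical VM and host names). The zone
# labels follow the slide's DMZ example: Internet / Applications / Databases.
INVENTORY = [
    {"vm": "web01", "host": "host-a", "zone": "internet"},
    {"vm": "web02", "host": "host-a", "zone": "internet"},
    {"vm": "app01", "host": "host-b", "zone": "applications"},
    {"vm": "db01", "host": "host-b", "zone": "databases"},
    {"vm": "db02", "host": "host-c", "zone": "databases"},
    {"vm": "test9", "host": "host-c", "zone": None},  # never classified
]


def audit_placement(inventory):
    """Return (kind, host, vms) findings for a list of VM placement records.

    mixed-trust     : one physical host carries VMs from more than one zone
    unclassified-vm : a VM has no zone, so its risk level cannot be compared
                      (assumption: handled as a finding, not silently skipped)
    """
    zones_on_host = defaultdict(lambda: defaultdict(list))
    findings = []
    for rec in inventory:
        zone = rec.get("zone")
        if not zone:
            findings.append(("unclassified-vm", rec["host"], [rec["vm"]]))
            continue
        # Zone names are compared case-insensitively.
        zones_on_host[rec["host"]][zone.lower()].append(rec["vm"])
    for host in sorted(zones_on_host):
        zones = zones_on_host[host]
        if len(zones) > 1:
            vms = sorted(vm for members in zones.values() for vm in members)
            findings.append(("mixed-trust", host, vms))
    return findings


if __name__ == "__main__":
    for kind, host, vms in audit_placement(INVENTORY):
        print(f"{kind:16} {host:8} {', '.join(vms)}")
```
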

Page 36: Session ID: Session Title

Guest OS Protection


Page 37: Session ID: Session Title

Protecting Virtual Infrastructure


Page 38: Session ID: Session Title

Securing Virtual Servers Today

• Protect each guest OS as if it were a physical server
• Cumulative overhead (CPU, memory) significant
• Protection not automated
  – rogue VMs

[Figure: VMs (each with App, Service, Process) and Management on Virtual Switches and Physical NICs, with HIPS Agents in the VMs]

Page 39: Session ID: Session Title

[Figure: VMs (each with App, Service, Process) and Management on Virtual Switches and Physical NICs, with Virtual Appliances]

• Significant management overhead as virtual network complexity increases

• No coverage for inter-VM communication without a VA in front of each VM

• Lack of automated discovery and protection

Page 40: Session ID: Session Title

The Future of Protection for Virtual Environments

• Beyond virtual form-factor solutions
  – significant management overhead as virtual network complexity increases
    • exponentially when inter-VM communication must be protected
• Integrated and automated solutions
  – finding optimal analysis points to reduce redundancy and overhead (improved performance)
  – automated discovery and security provisioning
    • pre-defined security postures for new virtual machines
• Collaboration between Security and Virtualization Providers
  – partnering with virtualization software providers

Page 41: Session ID: Session Title

The Future of Protection for Virtual Environments – part 2

• Minimal footprint and impact on performance
  – guest OS presence includes only necessary components
• Transparency throughout fail-over, disaster recovery, and migration solutions
  – solution must be as dynamic as the virtual environment
    • security follows virtual machines (e.g. VMotion)
• Multiple layers
  – defense-in-depth
  – Risk mitigation solution combines compliance, data security and threat mitigation
• Combination of intelligent analysis and access control
  – “good guys in” and “bad guys out” solution

Page 42: Session ID: Session Title

A Possible Future

• Isolated security partition
• Reduced complexity and footprint through introspection
• Automated discovery and protection

[Figure: VMs (each with App, Service, Process) and Management on Virtual Switches and Physical NICs, with a Security Partition]

Page 43: Session ID: Session Title

Introspection

[Figure: Security Partition with Analysis Engines beside several Guest OS instances; CPU, Memory and Network; Hardware]

Page 44: Session ID: Session Title

Virtual Security

Real Security for Virtual Environments

Page 45: Session ID: Session Title

Questions?

Joshua Corman
Principal Security Strategist
IBM Internet Security Systems

Page 46: Session ID: Session Title


VMware System Architecture

Page 47: Session ID: Session Title


Xen System Architecture

Page 48: Session ID: Session Title


Viridian System Architecture

Page 49: Session ID: Session Title

Operating System-Level Virtualization


