31
Virtualisation Impact on Security Iwan ‘e1’ Rahabok Senior Systems Consultant [email protected] M: +65 9119 9226
Virtualisation Impact on Security
Iwan ‘e1’ Rahabok
Senior Systems Consultant
M: +65 9119 9226
Agenda
Assumption
Virtualisation Impacts
Technology changes
Process changes
Some Security Best Practices
At 30 minutes… we need to move Q&A to “break time”
Audience Assumption
0 10 100 500 1000 10000
# of VM deployed in your organisation
IndividualKnowledgeof VMware
No knowledge
VCDX
Virtualisation Impact on Security
Background
Virtualisation has profound impact on enterprise IT
Technology changes
People changes
Process changes
Virtualization will be the most
impactful trend in infrastructure
and operations through 2010,
changing:
� How you plan� How, what and when you buy� How and how quickly you deploy� How you manage� How you charge� Technology, process, culture
Technology changes
Some changes due to virtualisation:
A new management centre
Blurring of lines between Network, Server, Storage
Mobility of servers
Consolidation of servers
Centralised storage
VM Sprawl
Desktop moves to data centre
Many other changes.
More changes coming in 2009
All these changes have
impact on security
(good or bad)
People changes
People and Organisational changes by Virtual Infrastructure:
Need to learn new skills
Need to unlearn some old skills
Need to adopt “opposite” paradigm
New org structure and vCOE
Blurring of boundary between
Network, Server and Storage team.
Local , Regional and HQ team
All these changes have
impact on security
(good or bad)
Process changes
Some changes due to virtualisation:
Server life cycle
Server provisioning
Software licencing management
Charge back process
Performance monitoring
All these changes have
impact on security
(good or bad)
Technology Changes
Physical Topology of a Virtual Infrastructure
Fibre ChannelStorage Array
iSCSIStorage Array
NASStorage Array
VirtualCenterServer
VIClient
TerminalService
FC SwitchFabric IP Network
ESX Server
VM VM VM VM VM
ServerGroup 1
ServerGroup 2
ServerGroup 3
WebBrowser
Isolation: Virtual Machines
Design HighlightsVMs have limited access to CPU
Most instructions run natively for performancePrivileged instructions are trapped and translated
Memory isolation is imposed by segmentation and paging in x86 (hardware enforced).
Memory pages zeroed out before being used by a VMShared memory pages marked as copy-on-write --- no possibility of information leakage
VMs have no direct access to I/O hardware devicesonly have visibility to virtual I/O devices
VMM VMM
Isolation: Virtual Networks
Design HighlightsNo code exists to link virtual switchesVirtual switches provide protection by design against attack:
MAC flooding, 802.1q and ISL tagging attacks, Double-encapsulation attacks, Multicast brute-force attacks, Spanning-tree attacks, Random frame attacksCan restrict malicious network behavior: � MAC address change, impersonationSuch protection not possible with physical switches
VirtualNetwork
VirtualNetwork
Trust Boundary
vmkernel
VM VMVM
VMM VMMVMM
ServiceConsole
VC 3rd partyagents
VI APIVI Client
RCLIVI SDK
hostd
vpxa
3rd party software
Loginclient(ssh)
LoginServer(sshd)
OtherLinux
services
?
ESX Server Threat Model
ESX Server Threat Model
Component Risk Comment
VMM Low Exploits rare and difficult
Hostd Low
vpxa Medium Only as secure as VC
Login Medium As strong as trust in staff and network
3rd party agents Medium Depends on vendor practices
Other Linux services
High Source of majority of vulnerabilities
Low: relatively secure code, lower risk of exploitation
Medium: moderately secure code and/or greater risk of exploitation
High: low or unknown code security
Trust Boundary
Trust Boundary
vmkernelvmkernel
VM VMVM
VMM VMMVMM
ServiceConsole
VC 3rd partyagents
hostd
vpxa
3rd party software
Loginclient(ssh)
LoginServer(sshd)
OtherLinux
services
?
CIMbroker
CIM ClientVI APIVI Client
RCLIVI SDK
ESXi 3.5 Threat Model
Trust Boundary
vpxdESX Server
Hosts
VI APIVI Client
RCLIVI SDK
VCDB
Loginclient(RDP)
LoginServer
(Term Svcs)Other
Windowsservices
?
WebClient
ActiveDirectory
Tomcat
VirtualCenter Threat Model
VirtualCenter Threat Model
Component Risk Comment
vpxd Low
Tomcat Medium
Login Medium As strong as trust in staff and network
Other Windows services
High Source of majority of vulnerabilities
Low: relatively secure code, lower risk of exploitation
Medium: moderately secure code and/or greater risk of exploitation
High: low or unknown code security
Process Changes (examples)
Virtual Machine Life Cycle
� Much faster provisioning
� IT responsiveness go up
� A lot more servers & environment
� Lack of adequate planning
� Incomplete knowledge of current state of infrastructure
� Questions surrounding VM properties
Blurring of Network, Storage, Server
� Flexibility� Cost-savings� Lack of intra-server network visibility� No separation-by-default of administration� Elevated risk of misconfiguration
ESX Server
Hardware
VM Mobility
� Improved Service Levels (HA and DR)
� Identity divorced from physical location
� Wrong assumptions of VM whereabout
� Challenges in charge back
Some Best Practices
Security Principle Implementation in VMware Infrastructure
Authentication Leverages Active Directory and LDAP to provide authentication services for granting access to the VI3 Infrastructure
Authorization Has more than 100 granular privileges for allowing individual tasks on each object in inventory
Accounting Logs all administrative activity within the VI3 Infrastructure and stores the activity in the VirtualCenter database
Authentication, Authorization, and Accounting
Separation of Duties and Least Privilege
Security Principle
Implementation in VI
Least Privileges
Roles with only required privileges
Separation of Duties
Roles applied only to required objects
Administrator
Operator
UserAnne
Harry
Joe
Defense in Depth or Layered Security
Many layers of defense make it more difficult for an attacker to penetrate your systems
The more layers you have the harder it is to attack
More defense layers means more management
The defense layers need to be transparent to end users
Example of Defense in Depth
Isolate all management interfaces in separate networks
VI Management Network
ESX to VirtualCenter
ESX to ESX
VMotion Network
Note: VMotion traffic is not encrypted
Network Storage Networks
iSCSI
SAN
None of these should see any VM traffic
Maintain Proper Configuration
Use predefined, vetted configurations
Templates for VM deployment
Standard configurations for ESX hosts
Perform change control, monitoring, and auditing
Regularly check configuration of components against defined standards
Make sure any change to standards is studied and approved before implementing
Perform logging
VC events
ESX logs
Resources
The VMware Security Resource Centerhttp://www.vmware.com/security
One-stop shop for ongoing securityAdvisories, alerts, patches
Whitepapers
Blog
VMware Technology Resource Center for Securityhttp://www.vmware.com/overview/security/
Provides an introduction to virtualization security
Good for educating your customers and teams about virtualization security
Resources
Detailed Prescriptive Guidance
VMware Infrastructure 3 Security Hardening(http://www.vmware.com/vmtn/resources/726)
Managing VMware VirtualCenter Roles and Permissions(http://www.vmware.com/resources/techresources/826)
STIG (Secure Technology Implementation Guide) [coming soon](http://iase.disa.mil/stigs/)
CIS (Center for Internet Security) Benchmark in-progress(http://cisecurity.org/bench_vm.html)
Xtravirt Virtualization Security Risk Assessment(http://www.xtravirt.com/index.php?option=com_remository&Itemid=75&func=fileinfo&id=15)
Special Promotions – valid till 15 Dec 2008
Midsize Acceleration KitVI-Ent for 6 processors + VC Foundation + 30 PSO Credits with 1-year Platinum Support & Subscription
USD17,369
Enterprise Acceleration KitVI-Ent for 8 processors + VCMS with 1-year Platinum SNS
USD29,044
SRM Acceleration KitVI-Ent and SRM for 6 processors + VCMS with 1-year Platinum SNS
USD34,792
Visit VMware booth for details and other promotions
