VMware Security Briefing

VMware TeamDan SchochScott FavoriteJJ DiGeronimo

Agenda

VMware Strategy

Security Benefits in vSphere’s Virtualization

Extending Virtualization to the EndPoint

Research and Whitepapers

Security Advantages of Virtualization Allows Automation of Many Manual Error Prone

Processes

Better Forensics Capabilities

Faster Recovery After an Attack

Patching is Safer and More Effective

More Cost Effective Security Devices

Better Lifecycle Controls

Security Through VM Introspection

Cleaner and Easier Disaster Recovery/Business Continuity

VMware Security Strategy

New platform hardening features further enhance robust security capabilities

Thin-hypervisor strategy

Integrate VMware products into existing operational policies in the enterprise

Enable broad-based security for every VM in the environment

“Democratize” security

Self-describing, Self-configuring security

Impact security by taking advantage of unique VMware technologies

Focus on products and operations

Core Platform Security

Operationalize Security

Security Virtual Appliances

Better Than Physical:

Adaptive Security Infrastructure

4

.OVF

VMware Confidential/Proprietary

Extended Computing Stack and Guest Isolation

Hypervisor

Standard x86 VMware ESX

Isolation by design

Security Design of the VMware Infrastructure Architecturehttp://www.vmware.com/resources/techresources/727

How Virtualization Affects Datacenter Security

Agenda

VMware Strategy

Security Benefits in vSphere’s Virtualization

Extending Virtualization to the EndPoint

Research and Whitepapers

vSphere - Virtual Datacenter OS from VMware

Off-premise Cloud

vCenter

On-premise Infrastructure

SaaSLinux GridWindows J2EE.Net

VMware Infrastructure -> virtual datacenter OS

Application vServices

Application vServices

Scalability

Infrastructure vServices

Infrastructure vServices

SecurityAvailability

vNetworkvStoragevCompute Cloud vServices

Cloud vServices

…….

Web 2.0Make applications more scalable, secure and resilient in a virtual environment than physical.

DPM

Hot Add

Fault Tolerance

Thin Provisioning

Data Recovery

VMsafe

Distributed Switch

Host Profiles

Consolidates workloads onto fewer servers when the cluster needs fewer resources –- Distributed Power Management will be fully supported in production. DPM with WoL will still be

supported experimentally only.

Dynamically add additional compute, memory or network/storage resources as applications grow -Hot Add Enables admins the ability to scale VM’s without disruption to end user

Ensure continuous availability for virtual machines against hardware failures. - VMware FT creates virtual machine “pairs” that run in lock step - essentially mirroring the execution state of a VM & eliminating data loss or downtime to any application.

Optimizes storage costs through the most efficient use of storage in virtual environments - Use Thin Provisioning to reduce storage costs by up to 50%.

Quick, simple and complete data protection for your VM’s -Data Recovery provides you with agent-less, disk-based backup and recovery (VM or file level) of your VM’s

Comply with corporate security policies and regulations on data privacy while still running applications efficiently on shared computing resource pools. - vShield Zones makes it easy to centrally manage and enforce compliance with security policies across large pools of servers and virtual machines.

Enables the use of security products that work in conjunction with the virtualization layer to provide higher levels of security to virtual machines

-Partners working on VMSafe products: Symantec, trend micro, checkpoint, Internet security systems and McAfee

Simplifies and enhances the provisioning, administration and control of virtual machine networking - VMware Distributed Switch is a new type of virtual switch which spans the entire Virtual Infrastructure which enables the network to be treated s an aggregated resource.

Standardize and simplify how customers configure and manage ESX host configurations.  - Host profiles simplify and standardize ESX host configuration. This feature in vCenter Server 4.0 allows the creation of a “golden profile” from an existing host and using this as a template to configure other hosts

vShield Zones

vSphere – New & Improved Enterprise OS

VMware VMsafe

Multi-function Security ApplianceMulti-function Security Appliance

VMware ESX

AppOS

App

OS

App

OS

App

OS

App

OS Secu

rity

VMSe

curit

yVM

vNetwork Distributed Switch

VMware ESX

AppOSSe

curit

yVM

Secu

rity

VM

Integrated, more effective, comprehensive security solutions within the virtual infrastructure

Better than physical: automatic protection, right-sized security capacity

Integrated, more effective, comprehensive security solutions within the virtual infrastructure

Better than physical: automatic protection, right-sized security capacity

Agent-less deployment of partner security services

Single security VM for multiple security services AV, Firewall, IPS

Mobility-awareness: Security policy and state moves with virtual machine

Agent-less deployment of partner security services

Single security VM for multiple security services AV, Firewall, IPS

Mobility-awareness: Security policy and state moves with virtual machine

VMsafe™ APIsAPI’s for all virtual hardware components of the VM

CPU/Memory Inspection Inspection of specific memory pages being used by the VM or it applications Knowledge of the CPU state Policy enforcement through resource allocation of CPU and memory pages

Networking View all IO traffic on the host Ability to intercept, view, modify and replicate IO traffic from any one VM or

all VM’s on a single host. Capability to provide inline or passive protection

Storage Ability to mount and read virtual disks (VMDK) Inspect IO read/writes to the storage devices Transparent to the device and inline of the ESX Storage stack

Capabilities

Bridge, firewall, or isolate VM zones based on familiar VI containers

Monitor allowed and disallowed activity by application-based protocols

One-click flow-to-firewall blocks precise network traffic

Benefits

Well-defined security posture within virtual environment

Monitoring and assured policies, even through Vmotion and VM lifecycle events

Simple zone-based rules reduces policy errors

VMware vShield Zones

Virtual Network Visibility

Network flows at DC, Cluster, VLAN and down to the guest VM level

Take guess work out of troubleshooting firewalls: see allowed and blocked traffic

Identify malicious traffic: visibility for rogue services, botnets, improver server configuration

Secure Design for Virtualization Layer

16

Fundamental Design Principles• Isolate all management

networks• Disable all unneeded services• Tightly regulate all

administrative access

Agenda

VMware Security Strategy

Security Benefits in vSphere’s Virtualization

Extending Virtualization to the EndPoint

Research and Whitepapers

Difficult to Manage and Secure Device

PC management is difficult to centralize due to the broadly distributed nature of PC hardware.

Users often require access to their desktop environment from anywhere.

PC desktop standardization is difficult in the face of hardware discrepancies and the wide variety of brands and models.

End users often require customized desktop environments.

High Total Cost of Ownership

Ongoing PC management is costly and labor-intensive.

Multiple PC hardware configurations need to be tested and validated prior to deployment.

Support costs are further exacerbated by the need to support a geographically dispersed PC infrastructure.

Physical Desktop Challenges

Benefits of Centralized Desktops Bring back previously decentralized applications and data into the

corporate data center.

Centrally control and manage all off-site access to these sensitive applications and data.

Extend their corporate network security levels to off-site facilities.

Sensitive applications and data are no longer stored on off-site computers.

Data integrity and business continuity (DR) is more easily maintained.

Most users, not just for off-shore users and contractors, but for mobile workers and branch office employees, too.

Regulatory compliance requirements are more easily adhered to. (HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley)

Server-based Desktop Virtualization

Profile

Moving the desktop to a virtualized image in the data center allows the complex components to be protected and managed.

File Server

UserData

Profile

File Server

App

App

App

Universal Operating System “Gold” Image

Profile

A single encapsulated hardware build for all users allows for better tuning and hardening of the underlying operating system.

File Server

UserData

Profile

File Server

App

App

App

Patch Management in the Data Center

Profile

Patches can be delivered at data center network speeds, or virtual machines can be periodically destroyed and rebuilt cleanly.

File Server

UserData

Profile

File Server

App

App

App

PatchServer

Access Control

Profile

Controlling access to the virtualized desktops provides further protection to applications and user data.

File Server

UserData

Profile

File Server

App

App

App

X

Elimination of Complex Devices at the Edge

Profile

Users can be issued tamper-proof thin clients with no moving parts to complete the solution.

File Server

UserData

Profile

File Server

App

App

App

Data Security - Backing Up

With a fully virtualized desktop, backups are not only simplified, they’re actually possible.

?

Profile

File Server

UserData

Profiles

File Server

App

App

App

VM Template

Secured Client-Side Virtualization

Control network access of the VM

X

Encryption of the Virtual DiskLink a VM to a

specific device

Block devices to secure data

Phone home or deactivate

Secure Virtual Machines can be overlaid on a insecure or unmanaged device.

Central Management of Security Policies

Portable Client-Side Virtualization

The client device and it’s unsecured OS become irrelevant – the VM is the true working environment.

Application Virtualization

Applications are encapsulated in their own container

Each application is separated from other applications and the operating system

Application virtualization intercepts file and system calls between the application and the OS

Security Benefits of Application Virtualization

Single App to Patch

No need to “install” software on systems

Can be run as a usermode application with no admin rights

Can be run from a central location

Integrated Virtualization Solution

Profile

Users can be issued tamper-proof ACE Instances with virtualized apps and network access only

through VIEW instances to complete the solution.

File Server

UserData

Profile

File Server

App

App

App

Agenda

VMware Strategy

Security Benefits in vSphere’s Virtualization

Extending Virtualization to the EndPoint

Research and Whitepapers

References

Security Design of the VMware Infrastructure 3 Architecture(http://www.vmware.com/resources/techresources/727)

VMware Infrastructure Security Hardening(http://www.vmware.com/vmtn/resources/726)

Managing VMware VirtualCenter Roles and Permissions(http://www.vmware.com/resources/techresources/826)

DISA STIG and Checklist for VMware ESX(http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf)(http://iase.disa.mil/stigs/checklist/esx_server_checklist_v1r1_30_apr_2008.pdf)

CIS (Center for Internet Security) Benchmark(http://www.cisecurity.org/bench_vm.html)

Xtravirt Virtualization Security Risk Assessment (http://www.xtravirt.com/index.php?option=com_remository&Itemid=75&func=fileinfo&id=15)

Common Criteria Certified Versions

Common Criteria EAL 4+ Certification for ESX 3.0.2 and VC 2.0.2http://www.cse-cst.gc.ca/its-sti/services/cc/vmware-eng.html

Common Criteria EAL 4+ Certification for ESX 3.5, ESXi 3.5 and VC 2.5 (In Progress)http://www.cse-cst.gc.ca/its-sti/services/cc/oe-pece-eng.html

Common Criteria EAL 4+ Certification for ESX 4, ESXi 4 and VC 4 to be submitted for certification shortly

VMware Security Briefing

VMware TeamDan SchochScott FavoriteJJ DiGeronimo

Enforce Strong Access Controls

Security Principle

Implementation in VI

Least Privileges

Roles with only required privileges

Separation of Duties

Roles applied only to required objects

35

Administrator

Operator

User

Anne

Harry

Joe

View is much simpler to set up and support

Competitive Pricing/Packaging Comparison

XenDesktop VMware ViewAdvanced Enterprise Platinum Enterprise Premier

Virtualization Platform

Connection broker

Secure remote access

Storage Optimization

Multi-backend support

Application Virtualization

Offline Desktop*

High Availability

Dynamic Provisioning

Desktop Monitoring Partner Partner

Pricing $195 $295 $395 $150 $250

* Experimental support only

xxx

xxx

xxxx

x

xx

x x

Cost Comparison

Vmware cost per userPremier Bundle $ 250.00 List price per user Premier Bundle

Support and Maintenance $ 62.00  

ESX Server HW $ 156.25 ESX server $10,000 64 users on 8 core system

Provisioning Server HW Cost $ - Virtual Machine on ESX

Connection Broker HW Cost $ - Virtual Machine on ESX

Storage Costs $ 30.00 Space for Linked clone

  $ 498.25 Total per user cost

Citrix cost per userXen Desktop Advanced $ 295.00 List price per user XenDesktop Platinum

Support and Maintenance $ 48.75  

Xen Desktop Server Hw $ 312.50 XEN server $10,000 32 users on 8 core system

Provisioning Server HW Cost $ 16.67 Physical server per documentation 300 users for $5,000

Connection Broker HW Cost $ 4.17 Physical server per documentation 1200 users for $5,000

Storage Costs $ 30.00 In theory, some costs but will be minimal

  $ 707.09 Total per user cost (+ additional server for XenApp, + TSCAL, +,+)