Posted: 10-May-2015 | Uploaded by: jjdigeronimo
VMware Security Briefing
VMware Team: Dan Schoch, Scott Favorite, JJ DiGeronimo
Agenda
VMware Strategy
Security Benefits in vSphere’s Virtualization
Extending Virtualization to the EndPoint
Research and Whitepapers
Security Advantages of Virtualization
Allows automation of many manual, error-prone processes
Better Forensics Capabilities
Faster Recovery After an Attack
Patching is Safer and More Effective
More Cost Effective Security Devices
Better Lifecycle Controls
Security Through VM Introspection
Cleaner and Easier Disaster Recovery/Business Continuity
VMware Security Strategy
New platform hardening features further enhance robust security capabilities
Thin-hypervisor strategy
Integrate VMware products into existing operational policies in the enterprise
Enable broad-based security for every VM in the environment
“Democratize” security
Self-describing, Self-configuring security
Impact security by taking advantage of unique VMware technologies
Focus on products and operations
Core Platform Security
Operationalize Security
Security Virtual Appliances
Better Than Physical:
Adaptive Security Infrastructure
(Diagram: Extended Computing Stack and Guest Isolation; labels: .OVF, Hypervisor, Standard x86, VMware ESX, Isolation by design.)
Reference: Security Design of the VMware Infrastructure Architecture (http://www.vmware.com/resources/techresources/727)
How Virtualization Affects Datacenter Security
Agenda
VMware Strategy
Security Benefits in vSphere’s Virtualization
Extending Virtualization to the EndPoint
Research and Whitepapers
vSphere - Virtual Datacenter OS from VMware
(Diagram: VMware Infrastructure -> virtual datacenter OS. On-premise infrastructure and off-premise cloud managed through vCenter; Infrastructure vServices (vCompute, vStorage, vNetwork; Availability, Security, Scalability); Application vServices; Cloud vServices. Workloads shown: SaaS, Linux, Grid, Windows, J2EE, .Net, Web 2.0.)
Make applications more scalable, secure and resilient in a virtual environment than physical.
DPM
Hot Add
Fault Tolerance
Thin Provisioning
Data Recovery
VMsafe
Distributed Switch
Host Profiles
Consolidates workloads onto fewer servers when the cluster needs fewer resources - Distributed Power Management will be fully supported in production. DPM with WoL will still be supported experimentally only.
Dynamically add additional compute, memory or network/storage resources as applications grow - Hot Add enables admins to scale VMs without disruption to end users.
Ensure continuous availability for virtual machines against hardware failures. - VMware FT creates virtual machine “pairs” that run in lock step - essentially mirroring the execution state of a VM & eliminating data loss or downtime to any application.
Optimizes storage costs through the most efficient use of storage in virtual environments - Use Thin Provisioning to reduce storage costs by up to 50%.
Quick, simple and complete data protection for your VMs - Data Recovery provides agent-less, disk-based backup and recovery (VM or file level) of your VMs.
Comply with corporate security policies and regulations on data privacy while still running applications efficiently on shared computing resource pools. - vShield Zones makes it easy to centrally manage and enforce compliance with security policies across large pools of servers and virtual machines.
Enables the use of security products that work in conjunction with the virtualization layer to provide higher levels of security to virtual machines
- Partners working on VMsafe products: Symantec, Trend Micro, Check Point, Internet Security Systems and McAfee
Simplifies and enhances the provisioning, administration and control of virtual machine networking - VMware Distributed Switch is a new type of virtual switch which spans the entire Virtual Infrastructure and enables the network to be treated as an aggregated resource.
Standardize and simplify how customers configure and manage ESX host configurations. - Host Profiles simplify and standardize ESX host configuration. This feature in vCenter Server 4.0 allows a "golden profile" to be created from an existing host and used as a template to configure other hosts.
vShield Zones
vSphere – New & Improved Enterprise OS
VMware VMsafe
(Diagram: two VMware ESX hosts connected by a vNetwork Distributed Switch; each host runs application VMs (App/OS) alongside a Security VM hosting a Multi-function Security Appliance.)
Integrated, more effective, comprehensive security solutions within the virtual infrastructure
Better than physical: automatic protection, right-sized security capacity
Agent-less deployment of partner security services
Single security VM for multiple security services AV, Firewall, IPS
Mobility-awareness: Security policy and state moves with virtual machine
VMsafe™ APIs: APIs for all virtual hardware components of the VM
CPU/Memory Inspection: inspection of specific memory pages being used by the VM or its applications; knowledge of the CPU state; policy enforcement through resource allocation of CPU and memory pages
Networking: view all IO traffic on the host; ability to intercept, view, modify and replicate IO traffic from any one VM or all VMs on a single host; capability to provide inline or passive protection
Storage: ability to mount and read virtual disks (VMDK); inspect IO reads/writes to the storage devices; transparent to the device and inline in the ESX storage stack
Capabilities
Bridge, firewall, or isolate VM zones based on familiar VI containers
Monitor allowed and disallowed activity by application-based protocols
One-click flow-to-firewall blocks precise network traffic
Benefits
Well-defined security posture within virtual environment
Monitoring and assured policies, even through VMotion and VM lifecycle events
Simple zone-based rules reduce policy errors
VMware vShield Zones
Virtual Network Visibility
Network flows at DC, Cluster, VLAN and down to the guest VM level
Take the guesswork out of troubleshooting firewalls: see allowed and blocked traffic
Identify malicious traffic: visibility for rogue services, botnets, improper server configuration
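To make the zone idea concrete, here is an added example (not vShield Zones code) of evaluating rules that are keyed on VI containers rather than on IP addresses. The VMs, zones, protocol labels and rule syntax are all constructed for the illustration; the point is that a rule written against a folder, VLAN or cluster keeps applying when a VM is moved to another host, and that every decision can be logged as allowed or blocked.

```python
"""Zone-based rule evaluation modelled on the vShield Zones bullets.

Added example, not vShield code. Zones, VMs, protocols and rule syntax are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    host: str
    cluster: str
    vlan: int
    folder: str


@dataclass
class Rule:
    src_zone: str      # zone name; each zone is a VI container selector
    dst_zone: str
    protocol: str      # application-level protocol label, e.g. "http"
    action: str        # "allow" or "block"


# Zones are defined by container membership, not by IP address (constructed).
ZONES = {
    "web":  lambda vm: vm.folder == "Web",
    "db":   lambda vm: vm.folder == "DB",
    "dmz":  lambda vm: vm.vlan == 100,
    "prod": lambda vm: vm.cluster == "Prod-Cluster",
}

# First matching rule wins; anything unmatched falls to an implicit block.
RULES = [
    Rule("web", "db", "mysql", "allow"),
    Rule("dmz", "web", "http", "allow"),
    Rule("prod", "prod", "ssh", "block"),
]


def zones_of(vm):
    """All zones whose container selector matches this VM."""
    return {name for name, member in ZONES.items() if member(vm)}


def evaluate(src, dst, protocol, rules=RULES):
    """Return (action, rule) for a flow; rule is None for the implicit block."""
    src_zones, dst_zones = zones_of(src), zones_of(dst)
    for rule in rules:
        if (rule.src_zone in src_zones and rule.dst_zone in dst_zones
                and rule.protocol == protocol):
            return rule.action, rule
    return "block", None


def vmotion(vm, new_host):
    """The host changes; container membership does not, so zones are unchanged."""
    vm.host = new_host
    return vm


def flow_log(flows, rules=RULES):
    """One line per flow showing the decision and the rule behind it."""
    lines = []
    for src, dst, proto in flows:
        action, rule = evaluate(src, dst, proto, rules)
        why = (f"rule {rule.src_zone}->{rule.dst_zone}/{rule.protocol}"
               if rule else "default")
        lines.append(f"{action.upper():5} {src.name}->{dst.name} {proto} ({why})")
    return lines


if __name__ == "__main__":
    web = VM("web01", "esx1", "Prod-Cluster", 100, "Web")   # constructed
    db = VM("db01", "esx2", "Prod-Cluster", 200, "DB")      # constructed
    for line in flow_log([(web, db, "mysql"), (web, db, "ssh"), (db, web, "mysql")]):
        print(line)
    vmotion(web, "esx3")
    print("after vmotion:", evaluate(web, db, "mysql")[0])
```

Because the rule names the Web folder and the DB folder, the web-to-database flow is still allowed after `vmotion` moves the web VM, which is the mobility-awareness point in the slide; an IP-keyed rule would have needed no change either, but a rule tied to a physical switch port or host would have.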
Secure Design for Virtualization Layer
Fundamental Design Principles
• Isolate all management networks
• Disable all unneeded services
• Tightly regulate all administrative access
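The three principles are easiest to keep honest with an automated check. The following is an added example, not a VMware tool: it audits a host description against each principle. The host description is a constructed dictionary rather than the output of any ESX command, and the interface names, service allowlist and approved-administrator set are assumptions for the illustration.

```python
"""Audit a host description against the three design principles above.

Added example, not VMware code. SAMPLE_HOST, ALLOWED_SERVICES and
APPROVED_ADMINS are constructed for the illustration.
"""

# Services a hardened host is expected to expose; anything else listening
# is flagged (constructed allowlist).
ALLOWED_SERVICES = {"ssh", "https", "ntp"}

# Accounts permitted to hold shell access on the host (constructed).
APPROVED_ADMINS = {"root", "vadmin"}

# Constructed sample host with one violation of each principle: the
# management interface shares VLAN 10 with a VM port group, telnet is
# listening, and root may log in directly over SSH.
SAMPLE_HOST = {
    "interfaces": [
        {"name": "vswif0", "role": "management", "vlan": 10},
        {"name": "vmk0",   "role": "vmotion",    "vlan": 20},
        {"name": "pg-web", "role": "vm",         "vlan": 10},
        {"name": "pg-db",  "role": "vm",         "vlan": 30},
    ],
    "listening": [
        {"service": "ssh",    "port": 22},
        {"service": "https",  "port": 443},
        {"service": "telnet", "port": 23},
    ],
    "admin": {
        "root_ssh_login": True,
        "accounts_with_shell": ["root", "vadmin", "contractor1"],
    },
}


def check_management_isolation(host):
    """Principle 1: management and VMotion networks must not share a VLAN with VM traffic."""
    vm_vlans = {i["vlan"] for i in host["interfaces"] if i["role"] == "vm"}
    return [
        f"management interface {i['name']} shares VLAN {i['vlan']} with VM traffic"
        for i in host["interfaces"]
        if i["role"] in ("management", "vmotion") and i["vlan"] in vm_vlans
    ]


def check_unneeded_services(host, allowed=ALLOWED_SERVICES):
    """Principle 2: every listening service must be on the allowlist."""
    return [
        f"unexpected service {s['service']} listening on port {s['port']}"
        for s in host["listening"] if s["service"] not in allowed
    ]


def check_admin_access(host, approved=APPROVED_ADMINS):
    """Principle 3: no direct root login over SSH, and only approved shell accounts."""
    findings = []
    if host["admin"]["root_ssh_login"]:
        findings.append("direct root login over SSH is enabled")
    for account in host["admin"]["accounts_with_shell"]:
        if account not in approved:
            findings.append(f"unapproved account with shell access: {account}")
    return findings


def audit(host):
    """Run all three checks; an empty list means the host passes."""
    return (check_management_isolation(host)
            + check_unneeded_services(host)
            + check_admin_access(host))


if __name__ == "__main__":
    for finding in audit(SAMPLE_HOST):
        print("FINDING:", finding)
```

In practice the dictionary would be filled from the host's actual network, service and account configuration; the checks themselves do not change, and a host that returns an empty list from `audit` satisfies all three principles as modelled here.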
Agenda
VMware Security Strategy
Security Benefits in vSphere’s Virtualization
Extending Virtualization to the EndPoint
Research and Whitepapers
Difficult to Manage and Secure Device
PC management is difficult to centralize due to the broadly distributed nature of PC hardware.
Users often require access to their desktop environment from anywhere.
PC desktop standardization is difficult in the face of hardware discrepancies and the wide variety of brands and models.
End users often require customized desktop environments.
High Total Cost of Ownership
Ongoing PC management is costly and labor-intensive.
Multiple PC hardware configurations need to be tested and validated prior to deployment.
Support costs are further exacerbated by the need to support a geographically dispersed PC infrastructure.
Physical Desktop Challenges
Benefits of Centralized Desktops
Bring back previously decentralized applications and data into the corporate data center.
Centrally control and manage all off-site access to these sensitive applications and data.
Extend their corporate network security levels to off-site facilities.
Sensitive applications and data are no longer stored on off-site computers.
Data integrity and business continuity (DR) are more easily maintained.
Suits most users: not just off-shore users and contractors, but mobile workers and branch office employees, too.
Regulatory compliance requirements are more easily adhered to. (HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley)
Server-based Desktop Virtualization
Moving the desktop to a virtualized image in the data center allows the complex components to be protected and managed.
(Diagram: desktop VM with Profile, User Data and Apps; profiles and user data held on file servers.)
Universal Operating System "Gold" Image
A single encapsulated hardware build for all users allows for better tuning and hardening of the underlying operating system.
(Diagram: desktop VM with Profile, User Data and Apps; profiles and user data held on file servers.)
Patch Management in the Data Center
Patches can be delivered at data center network speeds, or virtual machines can be periodically destroyed and rebuilt cleanly.
(Diagram: desktop VM with Profile, User Data and Apps; profiles and user data held on file servers; patches delivered from a Patch Server in the data center.)
Access Control
Controlling access to the virtualized desktops provides further protection to applications and user data.
(Diagram: desktop VM with Profile, User Data and Apps; profiles and user data held on file servers; an X marks blocked access.)
Elimination of Complex Devices at the Edge
Users can be issued tamper-proof thin clients with no moving parts to complete the solution.
(Diagram: desktop VM with Profile, User Data and Apps; profiles and user data held on file servers.)
Data Security - Backing Up
With a fully virtualized desktop, backups are not only simplified, they're actually possible.
(Diagram: desktop VM with Profile, User Data and Apps; profiles and user data held on file servers; VM Template.)
Secured Client-Side Virtualization
Control network access of the VM
Encryption of the Virtual Disk
Link a VM to a specific device
Block devices to secure data
Phone home or deactivate
Secure virtual machines can be overlaid on an insecure or unmanaged device.
Central Management of Security Policies
Portable Client-Side Virtualization
The client device and its unsecured OS become irrelevant - the VM is the true working environment.
Application Virtualization
Applications are encapsulated in their own container
Each application is separated from other applications and the operating system
Application virtualization intercepts file and system calls between the application and the OS
Security Benefits of Application Virtualization
Single App to Patch
No need to “install” software on systems
Can be run as a usermode application with no admin rights
Can be run from a central location
Integrated Virtualization Solution
Users can be issued tamper-proof ACE Instances with virtualized apps and network access only through VIEW instances to complete the solution.
(Diagram: desktop VM with Profile, User Data and Apps; profiles and user data held on file servers.)
Agenda
VMware Strategy
Security Benefits in vSphere’s Virtualization
Extending Virtualization to the EndPoint
Research and Whitepapers
References
Security Design of the VMware Infrastructure 3 Architecture (http://www.vmware.com/resources/techresources/727)
VMware Infrastructure Security Hardening (http://www.vmware.com/vmtn/resources/726)
Managing VMware VirtualCenter Roles and Permissions (http://www.vmware.com/resources/techresources/826)
DISA STIG and Checklist for VMware ESX (http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf, http://iase.disa.mil/stigs/checklist/esx_server_checklist_v1r1_30_apr_2008.pdf)
CIS (Center for Internet Security) Benchmark (http://www.cisecurity.org/bench_vm.html)
Xtravirt Virtualization Security Risk Assessment (http://www.xtravirt.com/index.php?option=com_remository&Itemid=75&func=fileinfo&id=15)
Common Criteria Certified Versions
Common Criteria EAL 4+ Certification for ESX 3.0.2 and VC 2.0.2 (http://www.cse-cst.gc.ca/its-sti/services/cc/vmware-eng.html)
Common Criteria EAL 4+ Certification for ESX 3.5, ESXi 3.5 and VC 2.5 (In Progress) (http://www.cse-cst.gc.ca/its-sti/services/cc/oe-pece-eng.html)
Common Criteria EAL 4+ Certification for ESX 4, ESXi 4 and VC 4 to be submitted for certification shortly
Enforce Strong Access Controls
Security Principle | Implementation in VI
Least Privileges | Roles with only required privileges
Separation of Duties | Roles applied only to required objects
(Diagram: roles Administrator, Operator and User assigned to users Anne, Harry and Joe.)
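The two rows of the table are easiest to reason about with a small model of roles applied to inventory objects. The following is an added example, not vCenter's implementation: it keeps the VirtualCenter idea that a permission pairs a principal with a role on an object, optionally propagating down the hierarchy, and that the permission on the nearest ancestor is the one that applies. The inventory, the role names, the privilege names and the three users' assignments are constructed for the illustration.

```python
"""Least privilege and separation of duties over an inventory tree.

Added example, not vCenter code: a simplified model of roles applied to
objects with propagation, where the nearest permission wins. Inventory,
roles, privilege names and assignments are constructed.
"""

# Constructed inventory: child -> parent; the root has no parent.
PARENT = {
    "Datacenter": None,
    "Prod": "Datacenter", "Dev": "Datacenter",
    "web01": "Prod", "db01": "Prod", "test01": "Dev",
}

# Each role holds only the privileges its task needs (least privilege).
ROLES = {
    "Administrator": {"VM.PowerOn", "VM.PowerOff", "VM.Console", "VM.Create", "Perm.Modify"},
    "Operator":      {"VM.PowerOn", "VM.PowerOff", "VM.Console"},
    "User":          {"VM.Console"},
}

# (principal, role, object, propagate). Roles are attached only to the
# objects each person is responsible for (separation of duties).
PERMISSIONS = [
    ("Anne",  "Administrator", "Datacenter", True),
    ("Harry", "Operator",      "Prod",       True),
    ("Joe",   "User",          "test01",     False),
]


def ancestors(obj):
    """Yield obj, then its parent, and so on up to the root."""
    while obj is not None:
        yield obj
        obj = PARENT[obj]


def effective_role(user, obj, perms=PERMISSIONS):
    """Role from the nearest permission for user on obj or an ancestor.

    A non-propagating permission applies only to the object it is set on,
    so it is honoured at depth 0 and ignored further down the tree.
    """
    for depth, node in enumerate(ancestors(obj)):
        for principal, role, target, propagate in perms:
            if principal == user and target == node and (propagate or depth == 0):
                return role
    return None


def has_privilege(user, privilege, obj, perms=PERMISSIONS):
    """True when the user's effective role on obj includes the privilege."""
    role = effective_role(user, obj, perms)
    return role is not None and privilege in ROLES[role]


def access_matrix(users, privilege, objects, perms=PERMISSIONS):
    """Which users hold a privilege on which objects; the view a reviewer wants."""
    return {u: sorted(o for o in objects if has_privilege(u, privilege, o, perms))
            for u in users}


if __name__ == "__main__":
    vms = ["web01", "db01", "test01"]
    for priv in ("VM.PowerOn", "Perm.Modify"):
        print(priv, access_matrix(["Anne", "Harry", "Joe"], priv, vms))
```

Harry can power on the production VMs but nothing under Dev, and even inside Prod he cannot change permissions because the Operator role was never given that privilege; Joe's non-propagating User permission reaches only his own test VM. Running `access_matrix` over the whole inventory for the sensitive privileges is the review step that catches a role or an assignment that has grown wider than its task.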
View is much simpler to set up and support
Competitive Pricing/Packaging Comparison
Editions compared: XenDesktop Advanced, XenDesktop Enterprise, XenDesktop Platinum; VMware View Enterprise, VMware View Premier
Features compared: Virtualization Platform; Connection broker; Secure remote access; Storage Optimization; Multi-backend support; Application Virtualization; Offline Desktop*; High Availability; Dynamic Provisioning; Desktop Monitoring (Partner in two of the editions)
Pricing | $195 | $295 | $395 | $150 | $250
* Experimental support only
(Per-edition feature check marks did not survive extraction.)
Cost Comparison
VMware cost per user
Premier Bundle | $250.00 | List price per user, Premier Bundle
Support and Maintenance | $62.00 |
ESX Server HW | $156.25 | ESX server $10,000, 64 users on 8-core system
Provisioning Server HW Cost | $ - | Virtual machine on ESX
Connection Broker HW Cost | $ - | Virtual machine on ESX
Storage Costs | $30.00 | Space for linked clone
Total per user cost | $498.25 |
Citrix cost per user
XenDesktop Advanced | $295.00 | List price per user, XenDesktop Platinum
Support and Maintenance | $48.75 |
XenDesktop Server HW | $312.50 | XEN server $10,000, 32 users on 8-core system
Provisioning Server HW Cost | $16.67 | Physical server per documentation, 300 users for $5,000
Connection Broker HW Cost | $4.17 | Physical server per documentation, 1200 users for $5,000
Storage Costs | $30.00 | In theory some costs, but will be minimal
Total per user cost | $707.09 | (+ additional server for XenApp, + TSCAL, +, +)