Real Security for Server Virtualization
Rajiv Motwani, 2nd October 2010 (PowerPoint presentation)
Agenda
Introduction to server virtualization
Best practices
Patch Management
VM Server Sprawl
Third party products
What is Server Virtualization?
The concept of virtualization has existed in various forms in computing since the early 1960s.
In virtualization, physical resources are abstracted and shared by multiple operating systems.
What is a Hypervisor?
A hypervisor provides an abstraction layer that allows a physical server to run one or more virtual servers, effectively decoupling the operating system and its applications from the underlying hardware.
A hypervisor is sometimes also called a Virtual Machine Monitor (VMM).
Citrix XenServer uses the open-source Xen hypervisor.
Why Virtualize?
Key part of a disaster recovery strategy
Improve application availability
Higher utilization leads to greater consolidation
Promotes greater centralization and security
"Green Computing"
Supports dev/test environments
Creating new servers is fast and easy
No driver hassles when moving to new hardware
Zero-downtime hardware maintenance with XenMotion
Disaster recovery plans simplified
spending by 50-70%
Protect IT assets and service against
Improve service levels and eliminate planned downtime
Automate routine management tasks and deliver better IT services to users
Virtualization is the single hottest topic in IT today. But what is it? There are 4 basic ways to look at how virtualization can be used to deliver business benefits in your organisation:

Server Virtualization: Creates a separate OS environment that is logically isolated from the host server. This allows greater density of resource use (hardware, utilities, space) while providing operational isolation and security.

Desktop Virtualization: Creates a separate OS environment on the desktop, allowing a non-compatible legacy or LOB application to operate within a more current desktop operating system.

Application Virtualization: Separates the application configuration layer from the OS in a desktop environment, reducing application conflicts, bringing patch and upgrade management to a central location and accelerating the deployment of new applications and updates.

Presentation Virtualization: Isolates processing from the graphics and I/O, making it possible to run an application in one location but have it be controlled in another. This is helpful in a variety of situations, including ones where data confidentiality and protection are critical.
Storage architecture independent
Centralizes application management
Best Practices (2)
Regular patching
VLANs
Prevent DoS attacks
Access to the service console & management interface
Communication between service console and management interface
Root privileges
DoS – limit size
Best Practices (3)
Hypervisor vulnerability in Microsoft Hyper-V (Blue Pill)
Several checks in place
No shared memory between guest VMs
Isolation of virtual network adapters
Restrict third-party code in the hypervisor (depends on vendor)
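The hypervisor hardening points on the two slides above (VLAN separation, restricted access to the service console and management interface, no root logins, no unapproved third-party code in the hypervisor, per-VM size limits against DoS, isolated virtual network adapters) can be checked mechanically. The script below is an added example, not code from the deck or from Citrix; the host description is a constructed sample and its key names, the admin subnet 10.10.0.0/24, the VM names and the module names are all assumptions, not any vendor's real configuration schema. It audits a weak host and then the same host with each setting corrected.

```python
import copy
import ipaddress

# Constructed sample host description. The schema (key names) is an assumption
# for this example, not a real XenServer, ESX or Hyper-V configuration export.
HOST = {
    "networks": {
        "mgmt0":  {"vlan": 10,  "purpose": "management"},
        "xenbr0": {"vlan": 10,  "purpose": "guest"},   # guest traffic sharing the management VLAN
        "xenbr1": {"vlan": 200, "purpose": "guest"},
    },
    "management_access": ["0.0.0.0/0"],                # sources allowed to reach console/API
    "root_ssh": True,                                  # direct root login on the service console
    "third_party_modules": ["vendor-backup-agent", "unknown-helper"],
    "approved_modules": ["vendor-backup-agent"],
    "vms": [
        {"name": "web01",  "memory_max_mb": None, "vcpu_cap_pct": 100, "nic": "xenbr1"},
        {"name": "db01",   "memory_max_mb": 8192, "vcpu_cap_pct": 50,  "nic": "xenbr1"},
        {"name": "jump01", "memory_max_mb": 2048, "vcpu_cap_pct": 25,  "nic": "mgmt0"},
    ],
}

ADMIN_SUBNET = ipaddress.ip_network("10.10.0.0/24")   # assumed admin network


def audit(host, admin_subnet=ADMIN_SUBNET):
    """Return a list of findings, one per violated hardening point."""
    findings = []
    nets = host["networks"]
    mgmt_vlans = {n["vlan"] for n in nets.values() if n["purpose"] == "management"}

    # VLANs: guest networks must not share a VLAN with the management network.
    for name, net in nets.items():
        if net["purpose"] == "guest" and net["vlan"] in mgmt_vlans:
            findings.append(f"{name}: guest network on management VLAN {net['vlan']}")

    # Access to the service console & management interface: admin subnet only.
    for cidr in host["management_access"]:
        if not ipaddress.ip_network(cidr).subnet_of(admin_subnet):
            findings.append(f"management access allowed from {cidr}, outside {admin_subnet}")

    # Root privileges: no direct root login on the service console.
    if host["root_ssh"]:
        findings.append("direct root SSH login enabled on the service console")

    # Restrict third-party code in the hypervisor: only approved modules.
    for mod in host["third_party_modules"]:
        if mod not in host["approved_modules"]:
            findings.append(f"unapproved third-party module loaded: {mod}")

    for vm in host["vms"]:
        # DoS - limit size: every VM needs a memory cap and a CPU cap below 100%.
        if vm["memory_max_mb"] is None:
            findings.append(f"{vm['name']}: no memory cap, can starve other guests")
        if vm["vcpu_cap_pct"] >= 100:
            findings.append(f"{vm['name']}: no CPU cap, can starve other guests")
        # Isolation of virtual network adapters: guest vNICs stay off the management network.
        if nets[vm["nic"]]["purpose"] == "management":
            findings.append(f"{vm['name']}: vNIC attached to management network {vm['nic']}")
    return findings


def hardened(host):
    """The same host with each weak setting corrected, for comparison."""
    fixed = copy.deepcopy(host)
    fixed["networks"]["xenbr0"]["vlan"] = 201          # move guest traffic off VLAN 10
    fixed["management_access"] = ["10.10.0.0/24"]      # admin subnet only
    fixed["root_ssh"] = False                          # named admin accounts + sudo instead
    fixed["third_party_modules"] = ["vendor-backup-agent"]
    for vm in fixed["vms"]:
        vm["memory_max_mb"] = vm["memory_max_mb"] or 4096
        vm["vcpu_cap_pct"] = min(vm["vcpu_cap_pct"], 80)
        if vm["nic"] == "mgmt0":
            vm["nic"] = "xenbr1"                       # moved to a guest-facing bridge
    return fixed


if __name__ == "__main__":
    for finding in audit(HOST):
        print("FAIL", finding)                         # seven findings for the sample host
    print("hardened host findings:", audit(hardened(HOST)))   # []
```

The audit reports seven findings for the sample host and none for its hardened copy. The checks deliberately read a static inventory rather than the live host, so the same script can run against an exported configuration during change review.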
Management Interface
VM Image files on disk
Remember to secure
Difficult but necessary
Patches
Patches for the OS + all applications installed on the VMs
Ideally server environments should have few applications
Take advantage of virtual patching
Signatures deployed on VMs
Traffic scanned at the hypervisor or by a virtual appliance
Patch Management (2)
Application virtualization helps
Tools available from all vendors to patch the OS + some third-party applications
Online and offline VMs
Third-party tools also available for both modes
Offline VMs
More at risk
Ensure they have anti-virus, IPS, firewall
Next-gen security products can scan these VMs offline for:
Malware
Vulnerabilities and exploits
Once they come online, ensure they are patched before they are allowed to do anything else (NAC)
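The NAC step on the slide above, patch first and only then admit the VM to the production network, is a posture check on a machine that has been dormant. The code below is an added example, not from the deck or from any NAC product: it evaluates a constructed record for a VM that was powered off for two months against an assumed baseline (the patch identifiers, agent names and age thresholds are placeholders), keeps it in quarantine with the reasons, and re-evaluates it after remediation.

```python
from datetime import date

TODAY = date(2010, 10, 2)  # the date of the talk, used as "now" for the sample

# Assumed baseline every VM must meet before it leaves the quarantine VLAN.
# Patch identifiers are constructed placeholders, not real bulletin numbers.
BASELINE = {
    "required_patches": {"OS-PATCH-2010-09A", "OS-PATCH-2010-09B", "APP-2.4.1"},
    "required_agents": {"antivirus", "ips", "firewall"},
    "max_signature_age_days": 3,    # AV signatures older than this are stale
    "max_scan_age_days": 7,         # accept a recent offline scan instead of rescanning
}


def admission_decision(vm, today=TODAY, baseline=BASELINE):
    """Return ("admit", []) or ("quarantine", [reasons]) for a VM that just powered on."""
    reasons = []
    missing = baseline["required_patches"] - set(vm["installed_patches"])
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    absent = baseline["required_agents"] - set(vm["agents"])
    if absent:
        reasons.append("missing agents: " + ", ".join(sorted(absent)))
    sig_age = (today - vm["signature_date"]).days
    if sig_age > baseline["max_signature_age_days"]:
        reasons.append(f"AV signatures {sig_age} days old")
    # A VM scanned offline while dormant does not need a rescan on boot if that
    # scan is recent; a stale scan means the image may still carry old malware.
    scan_age = (today - vm["last_scan"]).days
    if scan_age > baseline["max_scan_age_days"]:
        reasons.append(f"last malware/vulnerability scan {scan_age} days ago")
    return ("quarantine", reasons) if reasons else ("admit", [])


def remediate(vm, today=TODAY, baseline=BASELINE):
    """Quarantine-side fixes: install baseline patches and agents, refresh signatures, rescan."""
    fixed = dict(vm)
    fixed["installed_patches"] = sorted(set(vm["installed_patches"]) | baseline["required_patches"])
    fixed["agents"] = sorted(set(vm["agents"]) | baseline["required_agents"])
    fixed["signature_date"] = today
    fixed["last_scan"] = today
    return fixed


# Constructed sample: a staging VM that was powered off for two months.
DORMANT_VM = {
    "name": "staging-web03",
    "installed_patches": ["OS-PATCH-2010-09A"],
    "agents": ["antivirus", "firewall"],
    "signature_date": date(2010, 8, 1),
    "last_scan": date(2010, 8, 1),
}

if __name__ == "__main__":
    state, why = admission_decision(DORMANT_VM)
    print(state, why)                                   # quarantine, four reasons
    print(admission_decision(remediate(DORMANT_VM)))    # ('admit', [])
```

In a real deployment the quarantine VLAN only reaches the patch, signature and scanning servers, so `remediate` corresponds to the VM pulling updates from there; the decision function is what the NAC policy engine would evaluate again before moving the port or virtual switch membership to production.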
Virtual Server Sprawl
“A large amount of virtual machines on your network without proper IT management or control” - Steven Warren, blogs.techrepublic.com
Create servers at the click of a button
Who can create in the production environment?
Should be an IT process
Admins create copies of the production environment to test and stage applications.
New tools are available to do this automatically.
Some mitigations
Policy that if a VM is unused for X days, it can be removed
Annotate VMs with an end date when creating them
Scan the network for new VM server traffic
Who can create VMs?
Use third-party products
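Two of the mitigations above, the unused-for-X-days / end-date policy and scanning the network for VM traffic that nobody registered, come down to comparing an approved inventory against what is actually running. The script below is an added example, not from the deck: the inventory records, their field names and the DHCP server log lines are constructed samples, and the X of the policy is set to 30 days as an assumption. The vendor prefixes it matches are the public IEEE OUI assignments commonly seen on virtual NICs (Xen 00:16:3E, VMware 00:50:56 and 00:0C:29, Hyper-V 00:15:5D).

```python
import re
from datetime import date

TODAY = date(2010, 10, 2)  # the date of the talk, used as "now" for the sample

# Constructed inventory: the VMs the IT process has approved, with the end date
# annotated at creation time (None means "no planned end").
INVENTORY = [
    {"name": "web01",    "mac": "00:16:3e:12:34:56", "owner": "webteam",
     "created": date(2010, 3, 1), "end_date": None,            "last_seen": date(2010, 10, 1)},
    {"name": "test-cr7", "mac": "00:16:3e:aa:bb:01", "owner": "qa",
     "created": date(2010, 6, 1), "end_date": date(2010, 7, 1), "last_seen": date(2010, 9, 30)},
    {"name": "old-db",   "mac": "00:16:3e:aa:bb:02", "owner": "",
     "created": date(2009, 1, 1), "end_date": None,            "last_seen": date(2010, 6, 15)},
]

# OUI prefixes assigned to virtual NICs by the hypervisor vendors (public IEEE data).
VM_OUIS = {"00:16:3e": "Xen", "00:50:56": "VMware", "00:0c:29": "VMware", "00:15:5d": "Hyper-V"}


def expiry_report(inventory, today=TODAY, unused_days=30):
    """Apply the sprawl policy: past its end date, unused for X days, or no owner on record."""
    actions = {}
    for vm in inventory:
        reasons = []
        if vm["end_date"] and today > vm["end_date"]:
            reasons.append(f"past end date {vm['end_date']}")
        idle = (today - vm["last_seen"]).days
        if idle > unused_days:
            reasons.append(f"unused for {idle} days")
        if not vm["owner"]:
            reasons.append("no owner recorded")
        if reasons:
            actions[vm["name"]] = reasons
    return actions


# Constructed DHCP server log; the format mimics ISC dhcpd's DHCPACK lines.
DHCP_LOG = """\
Oct  2 09:14:01 dhcpd: DHCPACK on 10.20.1.15 to 00:16:3e:12:34:56 (web01) via eth1
Oct  2 09:15:22 dhcpd: DHCPACK on 10.20.1.77 to 00:16:3e:de:ad:01 via eth1
Oct  2 09:16:40 dhcpd: DHCPACK on 10.20.1.80 to 00:50:56:01:02:03 via eth1
Oct  2 09:17:03 dhcpd: DHCPACK on 10.20.1.90 to 00:1b:21:44:55:66 (laptop) via eth1
"""

LEASE_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})")


def unknown_vms(log, inventory):
    """Return (ip, mac, vendor) for leases handed to VM-vendor MACs missing from the inventory."""
    known = {vm["mac"].lower() for vm in inventory}
    hits = []
    for line in log.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        vendor = VM_OUIS.get(mac[:8])      # first three octets identify the vendor
        if vendor and mac not in known:
            hits.append((ip, mac, vendor))
    return hits


if __name__ == "__main__":
    for name, why in expiry_report(INVENTORY).items():
        print(f"review {name}: {'; '.join(why)}")      # test-cr7 and old-db
    for ip, mac, vendor in unknown_vms(DHCP_LOG, INVENTORY):
        print(f"unregistered {vendor} guest {mac} at {ip}")  # two hits
```

The expiry report flags `test-cr7` (past its end date) and `old-db` (idle for months and ownerless) while leaving `web01` alone, and the lease scan surfaces two hypervisor-vendor MACs that no approved VM accounts for. Anything in the second list is a candidate for the "who can create VMs?" question; the OUI check is a cheap first filter, since a guest with a manually set MAC would pass it and needs the hypervisor's own inventory as the authoritative source.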