Embed Size (px)
DESCRIPTION
Securing and Leveraging the Power of Virtual Servers and Desktops. Conrado Wang Cheng Niemeyer < chengw (at) sacredheart.edu> Information Security Officer, Sacred Heart University. Virtualization Advantages. Virtualization? “Cheap”, fast, easy to setup Application isolation - PowerPoint PPT Presentation
Citation preview
SECURING AND LEVERAGING THE POWER OF VIRTUAL SERVERS AND DESKTOPS
Conrado Wang Cheng Niemeyer <chengw (at) sacredheart.edu>Information Security Officer, Sacred Heart University
Virtualization Advantages
Virtualization? “Cheap”, fast, easy to setup Application
isolation Template Deployment Disaster Recovery High Availability Forensic Analysis w/P2V & in place with
memory snapshots Honeypotting
Virtualization Disadvantages Using a template image
One vulnerability is shared by all Same admin/root passwords??!!
Possibly sequential IP range Single file Servers & Workstations
Just copy one file and you’re done! Poor multimedia support Many eggs in fewer baskets Virtual Machine Sprawl
Virtualization Vulnerabilities
Guest to Guest Attacks Guest to Host Attacks Guest Client Vulnerabilities Management Console/Host OS
Vulnerabilities Hypervisor Vulnerabilities
Not well developed and widespread, YET…
VM Security Best Practices
Security Best Practices (Firewalls, IPS, Patching, Patching, Patching, Patching) Secure your VMs as you would physical machines
Secure the Network Use Separate Private backup and SAN network Use Separate Private Management Console network
Favor Type 1 Hypervisors for Production and Testing Servers VMWare ESX Server, Citrix XenServer, MS Hyper-V, etc.
Favor Type 2 use in Security applications Disable Hardware Acceleration Use QEmu (full emulation mode w/out kqemu) Disable all sharing features
Favor Type 2 for Development environments Run different security zones VMs on separate physical hosts
Use separate physical switches or VLANs in physical switches Run different Management stations
Disable/remove unnecessary virtual hardware
Monitoring in a vSwitch
VMWare ESX Specific
VMWare Update (ESX 3.5 & VC 2.5) Fix maximum size and rotation for Log
Files Use Resource Management Secure the VI Console Access Verify the ESX Console Firewall rules Use SSL Certificates Encrypt Access to
Virtual Center Secure Console’s Linux environment
Virtualization Applications
Setting up Development Environments Setting up Testing Environments Setting up Research Environments Honeypotting Consolidate Physical Servers
Virtual Secure Desktops… Provide a desktop environment for users
Quickly deployed Secured Easily maintained
Provide access from those environments to all work tools, systems, and services
Secure Desktop Advantages Secured Access to Sensitive
Systems
Separation of Critical Business data from User data
Quick and Easy Deployment Stand a new VM(s) in under
2mins Ease of Policy Enforcement Can Provide local admin
elevation when necessary Anywhere anytime access
(or not) Easy Integration into
Identity Management
Currently ERP (Datatel Colleague
R17, R18) Registrar’s Human Resources Business Office
Admissions (Recruitment Plus)
Financial Aid (PowerFAIDS, EDConnect)
Institutional Advancement (Raiser’s Edge)
Payroll (ADP) Future Expansion
Document Imaging Department Shares MicroFAIDS (MS-DOS!!!!!)
Secure Desktop Disadvantages Poor Multimedia
Support ACL/Firewall Rule
Maintenance Vulnerable to Screen
Scrapping Increased Disaster
Recovery Complexity SSL Gateway Connection Broker Provisioning Server ESX Servers SAN & Blade
Infrastructure
“Quality of Life” Issues Cannot browse the
web Cannot persist
software changes Cannot connect
certain USB devices Coming Soon
Cannot access e-mail Cannot copy & paste
to host Cannot connect any
USB devices
Secure Desktop Backend at SHU
HP c7000 Blade Enclosure HP BL460c
2 x Quad Core 2.3Ghz (Intel E5345)
16 GB RAM 4 x 1Gb Ethernet (on 2
separate boards) Netapp 3020c Filers
7TB (4TB Usable ??!!) for VMs 12TB for User/Department
Data iSCSI all the way baby!!!
Cisco Catalyst 3750 Switches 1Gb Ethernet (Copper) 10Gb Uplink
VMWare VI3 (ESX 3.5 and Virtual Center 2.5)
Provision Networks Virtual Access Suite 5.9 SSL Gateway RDP Connection Broker
Citrix Provisioning Server Desktops v4.5 Sp1 PXE Boot HDD Streaming
Microsoft DHCP Server Microsoft Windows XP Sp2
Hardware Software
Connection Broker Architecture
SSL Gateway Architecture
HDD Streaming Architecture
Physical vs. Virtual Hardware
Dell OptiPlex 755 Intel Core2 2.4Ghz 2GB RAM 160GB HDD Integrated Graphics 1Gb Ethernet ~$1,000
VMWare ESX 3.5 Virtual Dual to
Quad Core 2.3Ghz 256MB RAM 1MB HDD RDP Graphics 1Gb Ethernet ~$290 w/existing
hardware
Physical Virtual
Getting Buy-in
Initial deployment as test environments Clarifying the difference between a purely
work environment and a hybrid work/personal one
No other alternatives with new versions Ease of use and virtually no training
required Unreliability of VPN and Citrix Ability to access legacy environments with
new simultaneously
Demo
https://securedesk.sacredheart.edu/
New Developments
Embedded Hypervisors ESX 3i, XenServer OEM, etc.
VMSafe VDI SAN Snapshot Clones
Netapp FlexClone Sophisticated Virtual Machine Detection
Resources, Q & A
http://www.cisecurity.org/ http://www.securityfocus.com/ http://www.vmware.com/resources/
techresources/cat/91 http://www.citrix.com/ http://www.provisionnetworks.com/
