Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
Disclaimer
This session may contain product features that are currently under development.
This session/overview of the new technology represents no commitment from VMware to deliver these features in any generally available product.
Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind
Technical feasibility and market demand will affect final delivery
Pricing and packaging for any new technologies or features discussed or presented have not been determined
Top questions from Security Architects
Isolation
How is the isolation between VMs achieved?
Can information cross different virtual networks?
Security and Virtual Networking
How can I block network traffic going into a VM?
How can I inspect network traffic between VMs?How can I inspect network traffic between VMs?
Control
Do I lose control in moving to virtualization
Credibility - Can I trust this stuff?
Alleged Virtualization Vulnerabilities
I read that you can hack virtualization -- is this true?
VMware Security Strategy
SecureVirtualization
Platform
OperationalizeSecurity
Unique Security Through
VirtualizationPlatformSecurity
Virtualization
Today Future
VMware: Enterprise-grade Virtualization
VMware Infrastructure
SecureArchitectureand Design
• Purpose-built, Lightweight• Customization of 3rd party drivers
Isolationand
Containment
• Low-level separation enforcement
• Fine-grained resource controls
Continuing • Audits
Time-testedTechnology
• VMM: 6th generation, millions of customers
• ESX Server: 3rd generation, 100,000+ customers
ContinuingSecurity
Validation
• Audits• Certifications• Security Response
Security Design of the VMware Infrastructure 3 Architecture
http://www.vmware.com/resources/techresources/727
Isolation by design
CPU & Memory Virtual Network Virtual StorageCPU & Memory
• VMs have limited access to CPU
• Memory isolation enforced by Hardware TLB
• Memory pages zeroed out before being used by a VM
Virtual Network
• No code exists to link virtual switches
• Virtual switches immune to learning and bridging attacks
Virtual Storage
• Virtual Machines only see virtual SCSI devices, not actual storage
• Exclusive virtual machine access to virtual disks enforced by VMFS using SCSI file locks
6
Security Design of the VMware Infrastructure 3 Architecturehttp://www.vmware.com/resources/techresources/727
Secure Implementation
VMware ESXi
Compact 32MB footprint
Fewer patches
Smaller attack surface
Absence of general-purpose management OS
ESXi
purpose management OS
No arbitrary code running on server
Not susceptible to common threats
Only OS-independent design focused on virtualization
VMware: Proven and Trusted
Thousands of customers in production
Passed security audit
and put into production and put into production
use by largest banks in
the US
Passed Defense and
Security Agencies
scrutiny and audit
8
Independently validated
Common Criteria Certification EAL (Evaluation Assurance Level)
CC EAL 4+ certificationhttp://www.cse-cst.gc.ca/services/ccs/vmware-e.html
Highest recognized level
VMware Technologychosen as basis forNSA VirtualizedWorkstation
9
What is different with Virtualization
Faster deployment of servers
� IT responsiveness
� Lack of adequate planning
� Incomplete knowledge of current state of infrastructure
What is different with Virtualization
Collapse of switches and servers into one device
� Flexibility
� Cost-savings
� Lack of intra-server network visibility
� No separation-by-defaultof administration
� Elevated risk of misconfiguration
ESX Server
Hardware
What is different with Virtualization
VM Mobility
� Improved Service Levels
� Identity divorced from physical location
What is different with Virtualization
VM Encapsulation
� Ease of business continuity
� Consistency of deployment
� Hardware Independence
� Updating of offline systems
What is different with Virtualization
Consolidation of Servers
� Capital and Operational Cost-savings
� Higher Impact of Attack
Biggest Security Risk: Misconfiguration
Neil MacDonald – “How To Securely Implement Virtualization”
“Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement”
What not to worry about
Hypervisor Attacks
• Examples: Blue Pill, SubVirt, etc.
• These are ALL theoretical, highly complex attacks
• Widely recognized
Irrelevant Architectures
• Example: numerous reports claiming guest escape
• Most apply only hosted architecture (e.g. Workstation),
Contrived Scenarios
• Example: VMotion intercept
• Involved exploits where
• Best practices around hardening, • Widely recognized
by security community as being only of academic interest
(e.g. Workstation), not bare-metal (i.e. ESX)
• Hosted architecture generally suitable only when you can trust the guest VM
around hardening, lockdown, design, for virtualization etc, not followed, or
• Poor general IT infrastructure security is assumed
How do we address these differences?
Use the Principles of Information Security
Hardening and Lockdown
Defense in Depth
Authorization, Authentication, and Accounting
Separation of Duties and Least Privileges
Administrative Controls
Principles apply for all aspects of the infrastructure
Focus of this presentation is on ESX and VC
Don’t forget to address the network and storage components
vmkernel
VM VMVM
VMM VMMVMM
VC3rd party
VI APIVI Client
RCLI
VI SDK
hostd
vpxa
3rd party software
ESX Server Threat Model
Trust Boundary
vmkernel
ServiceConsole
3 partyagents
vpxa
Loginclient(ssh)
LoginServer(sshd)
OtherLinux
services
?
ESX Server Threat Model
Component Risk Comment
VMM Low Exploits rare and difficult
Hostd Low
vpxa Medium Only as secure as VC
Login Medium As strong as trust in staff and
network
3rd party agents Medium Depends on vendor practices3 party agents Medium Depends on vendor practices
Other Linux
services
High Source of majority of
vulnerabilities
Low: relatively secure code, lower risk of exploitation
Medium: moderately secure code and/or greater risk of exploitation
High: low or unknown code security
VI APIVI Client
RCLI
VI SDK
VCDB WebClient
ActiveDirectory
Tomcat
VirtualCenter Threat Model
Trust Boundary
vpxdESX Server
HostsLoginclient(RDP)
LoginServer
(Term Svcs)Other
Windowsservices
?
Tomcat
VirtualCenter Threat Model
Component Risk Comment
vpxd Low
Tomcat Medium
Login Medium As strong as trust in staff
and network
Other
Windows
High Source of majority of
vulnerabilitiesWindows
services
vulnerabilities
Low: relatively secure code, lower risk of exploitation
Medium: moderately secure code and/or greater risk of exploitation
High: low or unknown code security
Hardening and Lockdown
Manage Configuration Settings
Most configuration settings involve a tradeoff between manageability (convenience) and security
VI3 is designed to be secure out of the box; HOWEVER
Make sure to understand default settings for ALL objects
� VMs, ESX hosts, vSwitches, datastores, clusters, etc.
For each option, decide if functionality is desirableFor each option, decide if functionality is desirable
� If yes, then use and deploy mitigation
� If no, then disable
Prescriptive guidance is quite useful here, e.g.
VMware Infrastructure 3 Security Hardeninghttp://www.vmware.com/resources/techresources/726
Hardening and Lockdown
Restrict or eliminate functionality
Turn off unneeded services
Evaluate need and security of agent-based software
Disable insecure protocols
Closely control secure access
E.G. disallow remote root access to ESX Service Console
Defense in Depth or Layered Security
Many layers of defense
make it more difficult for
an attacker to penetrate
your systems
The more layers you have
the harder it is to attackthe harder it is to attack
More defense layers
means more management
The defense layers need
to be transparent to end
users
Defense in Depth - Securing Virtual Machines
Host
Anti-Virus
Patch Management
Provide Same Protection
as for Physical Servers
Patch Management
Network
Intrusion Detection/Prevention (IDS/IPS)
Edge
Firewalls
Defense in Depth for VI: Network Design
Isolate all management interfaces in separate networks
VI Management Network
ESX to VirtualCenter
ESX to ESX
VMotion Network
Note: VMotion traffic is not encrypted
Network Storage Networks
iSCSI
SAN
None of these should see any VM traffic
What about VLANs?
Virtual switches provide protection by design against typical VLAN attacks:
MAC flooding, 802.1q and ISL tagging attacks, Double-encapsulation attacks, Multicast brute-force attacks, Spanning-tree attacks, Random frame attacks
Reason for immunity
vSwitches don’t have to learn MAC address -- they know exactly what vSwitches don’t have to learn MAC address -- they know exactly what endpoints are attached to them
vSwitches have as many ports as you need -- don’t require any mechanism to trunk or bridge them
VMware recommends use of VLANs for isolation
However, we understand that many customers not comfortable with this
What about access by administrators?
Several options
Extend VI Management network to the administrators’ offices, etc.
Set up VPN access to VI Management network
Create one or more “jump boxes” inside the VI Management Network
Client applications (VI Client, VI SDK application) run on these
Access jump box only via RDP or other remote display protocolAccess jump box only via RDP or other remote display protocol
Close off all other means of access to jump boxes
Choose according to factors such as
Amount of trust placed in administrators and their environs
Level of inconvenience that’s tolerable
Cost
Security Principle Implementation in VMware Infrastructure
AuthenticationConfirming a user‘s
identity
Leverages Active Directory and LDAP to provide
authentication services for granting access to
the VI3 Infrastructure
Authorization Has more than 100 granular privileges for
Authentication, Authorization, and Accounting
AuthorizationRestricting access to data and the functions of a system
Has more than 100 granular privileges for
allowing individual tasks on each object in
inventory
AccountingMonitoring and logging the activities of a user
Logs all administrative activity within the VI3
Infrastructure and stores the activity in the
VirtualCenter database
Separation of Duties and Least Privilege
Security Principle
Implementation in VI
Least
Privileges
Roles with only
required privileges
Separation of
Duties
Roles applied only to
required objectsHarry
Joe
Administrator
Operator
User
Anne
Separation of Duties and Least Privilege
Strictly control Administrative Privileges
VirtualCenter
Remove administrator functionality from general Domain Admin population
� Create special local viadmin account
� Place password under break-glass for emergency
� Remove VC Administrator role from Windows Administrator account
Always have admins use their own accounts -- viadmin only for emergencies
ESX Server
use sudo aliases to limit scope of what users can do
Never operate using root account --- create local users as necessary
Details available in
Managing VirtualCenter Roles and Permissionshttp://www.vmware.com/resources/techresources/826
Sudo home pagewww.gratisoft.us/sudo/
Maintain Tight Administrative Controls
Requirement Example Products
Configuration management,
monitoring, auditing
Tripwire Enterprise for VMware ESX
NetIQ Secure Configuration Manager
Configuresoft ECM for Virtualization
Track and Manage VM VMware Lifecycle Manager
VMware Stage Manager
Updating of offline VMs VMware Update ManagerUpdating of offline VMs VMware Update Manager
Shavlik NetChk Protect
Virtual network security Checkpoint
Reflex
Third Brigade
34
Diverse and growing ecosystem of products to help provide secure VMware Infrastructure
Example: VM Tracking and Management
Request for VM
Provisioning
Intelligent Placement
Route for Approval
Automated Deployme
nt
VM Tracking
Policy & Control
VMware Lifecycle Manager
DeleteArchive
nt
Decommission
Example: Updating of offline VMs
VI Client
VirtualCenter
Server
Update
Manager
Server
Zero-downtime
VMware ESX Server
host patching using
DRS
VMware Update Manager
Virtualized
Infrastructure
External
Patch Feeds
• Secure offline VM and
template patching
• Enable rollback in
case of patching
failures with
automated snapshots
Proper Management
Avoid using remote console for VMs
Use only for initial configuration and troubleshooting
equivalent to iLO access to a physical server
Rely upon traditional remote access: ssh, RDP, etc.
Easier to audit, limit, and control
Prefer controlled management interfaces over unstructured interfaces
Favor VI Client, Web Access, RCLI, scripts, VI SDK apps, etc.Favor VI Client, Web Access, RCLI, scripts, VI SDK apps, etc.
Automatically performs full logging
Migrate away from running scripts & agents in Service Console
Every access to the COS enables a potential attack
With VI API, ESX config commands can be executed securely and with auditing on an external system
More and more management tools don’t require COS agents
� Pressure your vendor to follow suit
Resources
The VMware Security Resource Center
http://www.vmware.com/security
One-stop shop for ongoing security
Advisories, alerts, patches
Whitepapers
BlogBlog
VMware Technology Resource Center for Security
http://www.vmware.com/overview/security/
http://viops.vmware.com/home/index.jspa
Provides an introduction to virtualization security
Good for educating your customers and teams about virtualization security
Resources
Detailed Prescriptive Guidance
VMware Infrastructure 3 Security Hardening(http://www.vmware.com/vmtn/resources/726)
Managing VMware VirtualCenter Roles and Permissions(http://www.vmware.com/resources/techresources/826)
STIG (Secure Technology Implementation Guide) [coming soon]STIG (Secure Technology Implementation Guide) [coming soon](http://iase.disa.mil/stigs/)
CIS (Center for Internet Security) Benchmark in-progress(http://cisecurity.org/bench_vm.html)
Xtravirt Virtualization Security Risk Assessment(http://www.xtravirt.com/index.php?option=com_remository&Itemid=75&func=fileinfo&id=15)
VMware Security Strategy
SecureVirtualization
Platform
OperationalizeSecurity
Unique Security Through
VirtualizationPlatformSecurity
Virtualization
Today Future
VMsafe™ Enables Application Protection
VMsafe API and Partner Program
Protect the VM by inspection of virtual components (CPU, Memory, Network and Storage)
Run outside the VM
Complete integration and awareness of VMotion, Storage VMotion, HA, etc.
Fundamentally changes protection
VMsafe
Fundamentally changes protection available for VMs running on VMware Infrastructure vs. physical machines
Provides an unprecedented level of security – “Virtual is more secure than Real”
ESXESX with VMsafe
http://vmware.com/go/vmsafe
VMsafe: Broad Security Industry Support
Enterprise to SMB
End-points to Gateways
Anti-Virus to IPS
44
Networks to Host
Audit to Patching
And Anywhere in between…
Summary
Focus on configuration, lockdown, and secure operations
Understand Security by Design aspect of VMware Platform
Apply Principles of Information security
Hardening and Lockdown
Defense in Depth
Authorization, Authentication, and AccountingAuthorization, Authentication, and Accounting
Separation of Duties and Least Privileges
Administrative Controls
Don’t let talk of “vulnerabilities” scare you – focus on effective security operations