VMware vSphere 4.1 and Security Briefing
Matt Graybiel, CISSP, Manager, Systems Engineering


Page 1: VMware vSphere 4.1 and Security Briefing

Matt Graybiel, CISSP

Manager, Systems Engineering

Page 2: ESXi Free or not…

• ESXi is an architecture, not a license
• An Enterprise License works the same with traditional ESX and ESXi
• The free version of ESXi is being renamed to VMware Hypervisor

Page 3: Product Updates

vSphere 4.1

• Last release to include ESX architecture
• ESXi functionality equal to ESX (APIs, Security, Boot from SAN, Auto Deploy)
• Active Directory Integration for ESX/ESXi
• Better Storage APIs
• HA/DRS support up to 320 VMs per host
• Host Affinity and virtual cores
• vMotion is faster
• Network I/O (DRS for Network traffic) – requires Enterprise+
• Storage I/O (DRS for Storage traffic) – requires Enterprise+
• Memory Compression
• vMotion available in Standard and Multipathing available in Enterprise
• Virtual Serial Port Concentrator

Page 4: vSphere 4.1 Editions

Feature matrix by edition (reconstructed from the slide's columns):

STANDARD: vMotion™, High Availability, 4-way vSMP, VC Agent, Update Manager, Thin Provisioning, vStorage APIs (DP). Entitlement: 6 physical cores per CPU, 256 GB physical memory.

ADVANCED: vMotion™, High Availability, 4-way vSMP, VC Agent, Fault Tolerance, Data Recovery, vShield Zones, Update Manager, Thin Provisioning, vStorage APIs (DP), Hot Add, vSPC. Entitlement: 12 physical cores per CPU, 256 GB physical memory.

ENTERPRISE: vMotion™, High Availability, 4-way vSMP, VC Agent, Fault Tolerance, Data Recovery, vShield Zones, DRS / DPM, Storage vMotion, Multipathing*, Update Manager, Thin Provisioning, vStorage APIs (DP), Hot Add devices, vSPC, vAAI. Entitlement: 6 physical cores per CPU, 256 GB physical memory.

ENTERPRISE+: vMotion™, High Availability, 8-way vSMP, VC Agent, Fault Tolerance, Data Recovery, vShield Zones, Distributed Switch, DRS / DPM, Storage vMotion, Multipathing*, Update Manager, Thin Provisioning, vStorage APIs (DP), Hot Add devices, vSPC, I/O Controls, vAAI, Host Profiles. Entitlement: 12 physical cores per CPU, no license memory limit.

Key (colour-coded on the original slide): new feature with the 4.1 release; existing feature moving down an edition; edition-specific feature or entitlement; carry-over feature.

Page 5: Enhanced vCenter Scalability – “Cloud Scale”

                         vSphere 4   vSphere 4.1   Ratio
VMs per host                  320           320     1x
Hosts per cluster              32            32     1x
VMs per cluster              1280          3000     3x
Hosts per VC                  300          1000     3x
Registered VMs per VC        4500         15000     3x+
Powered-On VMs per VC        3000         10000     3x
Concurrent VI Clients          30           120     4x
Hosts per DC                  100           500     5x
VMs per DC                   2500          5000     2x

Page 6: SLES for VMware

• Unlimited instances per host
• Patches and updates are free
• Support is sold separately from vSphere support
• Level 1 and Level 2 Support provided by VMware
• Level 3 support is from Novell
• Pricing and more details to come around VMworld

Page 7: Summary: VMware Approach to Security (section divider)

Page 8: Secure Implementation

VMware ESXi

• Compact footprint (less than 100MB)
  Fewer patches
  Smaller attack surface
• Absence of general-purpose management OS
  No arbitrary code running on server
  Not susceptible to common threats

Page 9: Secure Implementation

Platform Hardening

• Integrity in Memory Protection
  ASLR – randomizes where core kernel modules load into memory
  NX/XD – marks writable areas of memory as non-executable
• Kernel Integrity
  Digital signing – ensures the integrity of drivers and modules as they are loaded by the VMkernel
• Integrity on Disk
  TPM – helps assure that the image booting off the disk has not been tampered with since the last reboot (future)

Page 10: VMware Secure Development Lifecycle Process

VMworld 2009 Session TA2543: VMware’s Secure Software Development Lifecycle

(Process diagram) Stages: Architecture Risk Analysis; Best Practice and Compliance Requirements; Code Analysis & Inspection; Security Testing; Security Response; Training.

Product Security Policy: Protect Customer Data & Infrastructure; Enable Policy Compliance.

3rd party experts continually involved at various points.

Page 11: Independently validated

• Common Criteria Certification: CC EAL 4+ (Evaluation Assurance Level) certification
  Highest recognized level
  Achieved for VI 3.0 and 3.5; in process for vSphere 4
• DISA STIG for ESX: approval for use in DoD information systems
• NSA Central Security Service guidance for both datacenter and desktop scenarios

Page 12: Summary: VMware Approach to Security (section divider)

Page 13: How Virtualization Affects Datacenter Security

Abstraction and Consolidation: collapse of switches and servers into one device

• ↑ Flexibility
• ↑ Cost-savings
• ↓ Lack of virtual network visibility
• ↓ No separation-by-default of administration
• ↑ Capital and Operational Cost Savings
• ↓ New infrastructure layer to be secured
• ↓ Greater impact of attack or misconfiguration

Page 14: How Virtualization Affects Datacenter Security

Faster deployment of servers; VM Mobility; VM Encapsulation

• ↑ Ease of business continuity
• ↑ Consistency of deployment
• ↑ Hardware Independence
• ↓ Outdated offline systems
• ↓ Unauthorized Copy
• ↑ Improved Service Levels
• ↓ Identity divorced from physical location
• ↑ IT responsiveness
• ↓ Lack of adequate planning
• ↓ Incomplete knowledge of current state of infrastructure
• ↓ Poorly Defined Procedures
• ↓ Inconsistent Configurations

Page 15: How do we secure and make our Virtual Infrastructure compliant?

Use the Principles of Information Security

• Hardening and Lockdown

• Defense in Depth

• Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privileges

• Administrative Controls

What Auditors Want to See:

• Network Controls

• Change Control and Configuration Management

• Access Controls & Management

• Vulnerability Management

For virtualization this means:

• Secure the Guests

• Harden the Virtualization layer

• Set up Access Controls

• Leverage Virtualization Specific Administrative Controls

Page 16: Network Segmentation

• A trust zone is a network segment within which data flows relatively freely. Data flowing in and out is subject to stronger restrictions.

Page 17: Trust Zones in a Cloud environment (diagram slide)

Page 18: Isolation in the Architecture

Segment out all non-production networks:
• Use VLAN tagging, or
• Use separate vSwitch (see diagram)

Strictly control access to management network, e.g.:
• RDP to jump box, or
• VPN through firewall

(Diagram: vSwitch1 carries the Production network and the VMs' vnics; vSwitch2 carries the VMkernel, Mgmt and Storage ports on the Mgmt Network, reaching vCenter, IP-based storage and other ESX/ESXi hosts. Each vSwitch has its own uplinks, vmnic1 to vmnic4 across the two.)

Reference: VMware Infrastructure 3 Security Hardening Guide, http://www.vmware.com/resources/techresources/726
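Checking the two separations the slide allows (a distinct VLAN tag, or a separate vSwitch) across a host's port groups, as an added example that is not part of the briefing or of VMware's tooling. The port-group inventory format and the trust-zone labels are assumptions; the sample data is constructed so the check runs offline.

```python
"""Trust-zone isolation check for a vSphere host's virtual networking.

Added example, not from the briefing or from VMware. It applies the slide's
two acceptable separations (distinct VLAN tag, or separate vSwitch) to a
constructed, simplified inventory of port groups; a real audit would pull the
same fields from the vSphere API or PowerCLI (assumption).
"""
from collections import defaultdict

# ESX reserves VLAN ID 4095 for virtual guest tagging: such a port group
# receives every tagged VLAN carried by its vSwitch, so it defeats tag-based
# separation on that switch.
VGT_ALL_VLANS = 4095

# Constructed inventory: (port group, vSwitch, VLAN ID, trust zone). Management
# and storage VMkernel ports share the "infra" zone, as in the slide's diagram.
SAMPLE_PORTGROUPS = [
    ("Management Network", "vSwitch0", 0, "infra"),
    ("Storage-iSCSI", "vSwitch0", 0, "infra"),
    ("Prod-Web", "vSwitch0", 0, "production"),      # untagged, same vSwitch as mgmt
    ("Prod-DB", "vSwitch1", 110, "production"),
    ("Test-Lab", "vSwitch1", 120, "nonprod"),        # fine: own VLAN tag
    ("Trunk-Sniffer", "vSwitch1", 4095, "nonprod"),  # sees Prod-DB's VLAN 110 too
]

def find_isolation_violations(portgroups):
    """Return (vSwitch, port group A, port group B, reason) for every pair of
    port groups in different trust zones that share a broadcast domain."""
    by_switch = defaultdict(list)
    for pg in portgroups:
        by_switch[pg[1]].append(pg)
    findings = []
    for vswitch, pgs in by_switch.items():
        for i, (name_a, _, vlan_a, zone_a) in enumerate(pgs):
            for name_b, _, vlan_b, zone_b in pgs[i + 1:]:
                if zone_a == zone_b:
                    continue            # same zone: sharing is by design
                if VGT_ALL_VLANS in (vlan_a, vlan_b):
                    reason = "VLAN 4095 port group receives all VLANs on this vSwitch"
                elif vlan_a == vlan_b == 0:
                    reason = "both untagged: one shared broadcast domain"
                elif vlan_a == vlan_b:
                    reason = f"same VLAN tag {vlan_a}"
                else:
                    continue            # distinct tags: isolated on this vSwitch
                findings.append((vswitch, name_a, name_b, reason))
    return findings

def report(portgroups):
    """Print one line per finding; returns the number of findings."""
    findings = find_isolation_violations(portgroups)
    for vswitch, a, b, reason in findings:
        print(f"[{vswitch}] {a} <-> {b}: {reason}")
    if not findings:
        print("trust zones are isolated")
    return len(findings)

if __name__ == "__main__":
    report(SAMPLE_PORTGROUPS)
```

Moving the management and storage ports to their own vSwitch, as the slide's diagram does, clears all three sample findings.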

Page 19: Separation of Duties with vSphere

(Diagram: administrative roles arranged from broad scope to narrow scope.)

Page 20: Administrative Controls for Security and Compliance

Requirement | VMware Products/Features | Partner Products

Configuration management, monitoring, auditing | Host Profiles; Templates; vCenter Event-based Alarms; vCenter Orchestrator; Scripting; VMware vCenter Configuration Manager | Hytrust Appliance; NetIQ Secure Configuration Manager; Tripwire Enterprise for VMware

Vulnerability Management | VMware Update Manager | Shavlik NetChk Protect

Access Controls and Management | vCenter Roles and Permissions; vCenter event logging; ESX/ESXi logging | Hytrust Appliance; Catbird

Network Controls | VMware vShield; vNetwork Distributed Switch | Cisco, Checkpoint, Reflex, Third Brigade, Altor, ISS/IBM, and more

Page 21: Summary: VMware Approach to Security (section divider)

Page 22: Secure VDC – Key Building Block of the Private Cloud

(Diagram: VMware vSphere with Security & Network vServices hosting several virtual datacenters, labelled Finance, Sales and Intranet, each wrapped in Edge, App Protection and vmsafe EndPoint services, plus a SECURE Customer Site VDC.)

1. Encapsulate secure, auto-wired VDC
2. Stand up VDC per Org, on demand
3. Migrate, burst, federate VDC to vCloud

Page 23: Security for the Private Cloud

Private Cloud Properties

• Multiple Use: same infrastructure used for various purposes (“multi-tenancy”)

• Dynamic: Ever-changing environment, responding to load, demands, SLAs, etc.

Solution Characteristics for Private Cloud Security

• Virtualization-aware

• Adaptable

• Take advantage of hypervisor for efficiency, enforceability, performance

Page 24: vShield Zones 1.0 Solves Some Key Issues

Distributed firewall (vShield Zones + Cisco N1k):
• Mixed trust zones on shared physical resources
• Simple, container based rules
• vMotion-aware
• Enforcement point near VM
• Microflow-level Visibility
• Application Aware

Better consolidation:
• VM placement not tied to physical zoning

(Diagram: Tenant A, Tenant B and Tenant C on shared UCS 5108s and 6100s, with Nexus N1k and vShield Zones on each vSphere host.)

Page 25: Leveraging Virtualization To Solve Security Problems

Security solutions are facing a growing problem
• Protection engines do not get complete visibility in and below the OS
• Protection engines are running in the same context as the malware they are protecting against
• Even those that are in a safe context can’t see other contexts (e.g. network protection has no host visibility)

Virtualization can provide the needed visibility
• Better Context – provide protection from outside the OS, from a trusted context
• New Capabilities – view all interactions and contexts: CPU, Memory, Network, Storage

Page 26: VMsafe™ APIs

• New security solutions can be developed and integrated into VMware virtual infrastructure
• Protect the VM by inspection of virtual components (CPU, Memory, Network and Storage)
• Complete integration and awareness of VMotion, Storage VMotion, HA, etc.
• Provides an unprecedented level of security for the application and the data inside the VM

(Diagram: a Security VM running HIPS, Firewall, IPS/IDS and Anti-Virus engines on ESX, attached through the VMsafe Security APIs.)

Page 27: VMsafe™ APIs

APIs for all virtual hardware components of the VM:

• CPU/Memory
  Inspection of specific memory pages being used by the VM or its applications
  Knowledge of the CPU state
  Policy enforcement through resource allocation of CPU and memory pages
• Networking
  View all IO traffic on the host
  Ability to intercept, view, modify and replicate IO traffic from any one VM or all VMs on a single host
  Capability to provide inline or passive protection
• Storage
  Ability to mount and read virtual disks (VMDK)

Page 28: VMsafe Partner Releases

Category | Partner Solution | Description | Status (partner logos on the slide are not recoverable)

Firewall
  VPN1-VE | UTM - Firewall, IPS, App FW | Early Access
  VF 3.0 | Firewall, network monitoring | GA

IDS/IPS
  IBM ISS Proventia | Hybrid host/network IPS + Anti-rootkit + Virtual NAC | GA
  Third Brigade Deep Security 7 | Hybrid host/network IPS | GA
  VMC | vTrust network zoning, network IPS, virtualization mgmt | GA

Antivirus
  Virusscan for Offline Virtual Images (OVI) 2.0 | Offline AV | GA
  Core Protection for Virtual Machines 1.0 | Online / Offline AV | GA

Page 29: Efficient Antivirus as a Service for Virtual Datacenters

Hypervisor-based introspection for all major AV functions:
• File-scanning engines and virus definitions offloaded to security VM – scheduled and realtime
• Thin file-virtualization driver in-guest: >95%+ reduction in guest footprint (eventually fully agentless)

Deployable as a service:
• No agents to manage - in-guest driver bundling with VMTools
• Turnkey, security-as-service delivery

Applicable to all virtualized deployment models:
• private clouds (virtual datacenters)
• public clouds (service providers)
• virtual desktops

(Diagram: VMware vSphere with an Introspection layer; a Security VM (SVM) running a hardened OS and the AV engine alongside guest VMs, each shown with APP, OS, Kernel and BIOS layers.)

Proof of Concept demo’ed at RSA 2010

Page 30: Where to Learn More

Security: Hardening Best Practices; Implementation Guidelines
http://vmware.com/security

Compliance: Partner Solutions; Advice and Recommendation
http://vmware.com/go/compliance

Operations: Peer-contributed Content
http://viops.vmware.com

Page 31: Summary: VMware Approach to Security (section divider)

Page 32: Questions?