C4: Virtualization and Security
Complexity is a Virtual Certainty
Dennis Moreau
Executive Summary

[Figure: a Non-VM stack (Hardware / Operating System / App App App) beside a Server Virtualization stack (Hardware / Virtual Machine Monitor / Emulated Hardware, Emulated Hardware / Operating System / App App App), compared on Configuration Management Effort]

Virtualisation Can Improve Aspects of Security Management
• Reduces Diversity
• Some Degree of Guest Sandboxing
• Rapid Deployment of Next Desired State … Once It Is Determined
• Re-Imaging … When That is Appropriate
• Increased Control Over Network Activity
• Insulation from Specific Vulnerability Types
• …
Virtualization Specific Vulnerabilities

I. Description
VMware virtualization software provides Network Address Translation (NAT) for guest systems to access networks. The VMware NAT Service ( ) does not adequately validate parameters to the PORT and EPRT commands. …
To exploit this vulnerability, an attacker would need to convince a user to run code provided by the attacker on a VMware guest/virtual system. The attacker could then cross the boundary of the guest system and run arbitrary code within the context of the NAT process on the VMware host system. …
CVE-2005-4459

• Empirical Exploitation of Live Virtual Machine Migration: http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf
• Demonstration of changing VM code in flight.
• Resulting Guidance:
  – Encrypt VMotion channels
  – Restrict access
  – Tightly control vNIC configuration
  – Isolate LANs (management, transactional, VMotion)
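The CVE-2005-4459 description above turns on one point: an FTP-aware NAT service acted on PORT and EPRT parameters it had not validated. The following is an added example (not code from the slides, from VMware or from the CERT advisory) of the validation such a service should perform before it opens a data-channel mapping: a bounded input length, the exact RFC 959 / RFC 2428 grammar, range checks on every field, agreement between the EPRT protocol number and the address family, and a refusal to map any address other than the guest that sent the command. Function and constant names, the MAX_CMD_LEN bound and the sample command lines are all constructed for the example.

```python
"""Strict parsing of FTP PORT and EPRT parameters, as an FTP-aware NAT
service should do before acting on them.

Added example: this is not code from the slides or from VMware. It
illustrates the validation that the CVE-2005-4459 description says the
NAT service lacked. All sample command lines below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

MAX_CMD_LEN = 128  # assumed upper bound; legitimate PORT/EPRT lines are far shorter

# RFC 959 grammar: PORT h1,h2,h3,h4,p1,p2 with ASCII digits only
_PORT_RE = re.compile(
    r"^PORT ([0-9]{1,3}),([0-9]{1,3}),([0-9]{1,3}),([0-9]{1,3}),([0-9]{1,3}),([0-9]{1,3})$"
)


@dataclass(frozen=True)
class DataEndpoint:
    address: str
    port: int


def parse_port(line: str) -> DataEndpoint:
    """Parse PORT h1,h2,h3,h4,p1,p2; every field must fit in one byte."""
    if len(line) > MAX_CMD_LEN:
        raise ValueError("command too long")
    m = _PORT_RE.match(line)
    if m is None:
        raise ValueError("malformed PORT")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range")
    h1, h2, h3, h4, p1, p2 = fields
    port = (p1 << 8) | p2
    if port == 0:
        raise ValueError("port 0 not allowed")
    return DataEndpoint(f"{h1}.{h2}.{h3}.{h4}", port)


def parse_eprt(line: str) -> DataEndpoint:
    """Parse EPRT <d><proto><d><addr><d><port><d> (RFC 2428)."""
    if len(line) > MAX_CMD_LEN:
        raise ValueError("command too long")
    if not line.startswith("EPRT ") or len(line) < 7:
        raise ValueError("malformed EPRT")
    body = line[5:]
    d = body[0]
    # Delimiter: one printable ASCII character. Excluding digits, '.' and ':'
    # is stricter than RFC 2428, so the delimiter can never collide with
    # address or port syntax.
    if not (33 <= ord(d) <= 126) or d.isdigit() or d in ".:":
        raise ValueError("bad delimiter")
    parts = body.split(d)
    # "<d>proto<d>addr<d>port<d>" splits into ['', proto, addr, port, '']
    if len(parts) != 5 or parts[0] != "" or parts[4] != "":
        raise ValueError("malformed EPRT")
    proto, addr, port_s = parts[1], parts[2], parts[3]
    if not (port_s.isascii() and port_s.isdigit()) or len(port_s) > 5:
        raise ValueError("bad port")
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError as exc:
        raise ValueError("bad address") from exc
    # proto 1 = IPv4, 2 = IPv6; the address family must agree with it
    if (proto, ip.version) not in (("1", 4), ("2", 6)):
        raise ValueError("protocol/address mismatch")
    return DataEndpoint(str(ip), port)


def nat_data_endpoint(line: str, client_ip: str):
    """What an FTP ALG inside the NAT service should accept: a well-formed
    command whose address is the guest that sent it. Returns None otherwise,
    so a third-party address can never open a mapping through the NAT."""
    try:
        ep = parse_port(line) if line.startswith("PORT") else parse_eprt(line)
    except ValueError:
        return None
    if ep.address != client_ip:
        return None
    return ep


if __name__ == "__main__":
    # constructed sample commands from a guest at 10.0.0.5
    for cmd in ("PORT 10,0,0,5,15,160", "EPRT |1|10.0.0.5|4000|",
                "PORT 10,0,0,5,999,1", "EPRT |1|203.0.113.9|21|"):
        print(cmd, "->", nat_data_endpoint(cmd, "10.0.0.5"))
```

The design point is that every rejection happens before any state is allocated: length first, grammar second, ranges third, and only then the policy check that the advertised address belongs to the requesting guest.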
Virtualization Software Vulnerabilities

2005
• CVE-2005-4583
• CVE-2005-4459
• CVE-2005-3619
• CVE-2005-3618
• CVE-2005-4082
• …

2006
• CVE-2006-5990
• CVE-2006-2481
• CVE-2006-3589
• CVE-2006-3547
• CVE-2006-2662
• …

2007
• CVE-2007-4496
• CVE-2007-2491
• CVE-2007-1877
• CVE-2007-1876
• CVE-2007-1271
• CVE-2007-1270
• …

Reference: NIST National Vulnerability Database, http://nvd.nist.gov/
Virtualized Storage Vulnerabilities

[Figure: Storage Virtualization across a Storage Network, with SAN and iSCSI vulnerability lists]

SAN
1. World Wide Name (WWN) Spoofing
2. Name Server Pollution
3. Session Hijacking
4. Man in the Middle
5. Zone Hopping
6. E-Port Replication
7. LUN Mask Subversion
8. F-Port Replication
…

iSCSI
1. iSCSI Qualifier Name Spoofing
2. Authentication
3. CHAP Offline Password Compromise
4. CHAP Message Reflection
5. CHAP User Name Sniffing
6. Authorization
7. Encryption

Reference: Securing Storage, Himanshu Dwivedi, Addison-Wesley, 2006
Virtual Applications

Application Virtualization (SoftGrid-ish)
[Figure: a Virtual Application (INI, COM, DLLs, Registry, Files) runs on a Hosting Operating System; a Virtual Applications Server supplies the application's INI, COM, DLLs, Registry and Files]

Desktop Virtualization (VDI-ish)
[Figure: a Virtual Server and Application (INI, COM, DLLs, Registry, Files) is delivered to a Desktop (INI, COM, DLLs, Registry, Files) over RDP, ICA, VNC, NX, X, AIP; the Hosting System holds Configuration, Controls, Signatures; on the desktop side: Vulnerabilities, Key loggers, Rootkits]
Virtual Traffic

[Figure: a Host OS carrying Guest OSs, each with a VNIC, connected through a VSwitch over the VM Bus to the Physical NIC; traffic between guests never leaves the host (visibility, instrumentation, configuration, currency …)]

Latent Image Assess-ability

[Figure: a Virtual Cluster shown Unloaded (Latent Instances) and Heavily Loaded (All Instances Active)]
Re-Provisioning is Inadequate

[Figure: Desired State Transition over Time. Current Desired State → Provisioned Configuration → Secure Configuration → Drifted Configuration; Configuration Remediation and Configuration Re-Provisioning both aim at the Next Desired State]

IT Decision Support

[Figure: the same Desired State Transition over Time, with Drivers (Technology Evolution/Migr., Regulatory Change, Pre-requisite Footprint, Capability Expansion, Emergent Exploits); Current Desired State → Provisioned Configuration → Secure Configuration → Drifted Configuration; Configuration Re-Alignment and Configuration Correction lead toward the Next Desired State. Gap: Compliance, ∆Log, Discovery]

Often multiple possible change/remediation paths. Path selection may be driven by risk assessment, resource availability, TTR, cost …
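The two diagrams above describe a loop: discovery observes the host, compliance computes the gap against a desired state that has itself moved on, the ∆Log explains each deviation, and decision support picks among remediation paths by risk, resources, TTR and cost. The block below is an added example (not code from the slides or from Configuresoft) that works that loop through on constructed data. The flat key/value representation of a configuration, the change-log record format, the OUTAGE_REQUIRED set and the risk/TTR/cost figures are all assumptions made for the demonstration.

```python
"""Desired-state gap analysis and remediation path selection, in the terms
of the Re-Provisioning / IT Decision Support diagrams: provisioned vs.
secure vs. drifted configuration, the gap (compliance, dLog, discovery) and
the choice between configuration correction and re-provisioning.

Added example, not from the slides or from Configuresoft. The flat
key/value representation of a configuration, the change-log format and the
risk/TTR/cost figures are assumptions; all sample data is constructed.
"""
from dataclasses import dataclass

# Current desired state: the baseline the host was provisioned to (constructed).
CURRENT_DESIRED = {
    "ssh.permit_root_login": "no",
    "vswitch.promiscuous_mode": "reject",
    "ntp.enabled": "yes",
    "patch.level": "3.0.1",
}
# Next desired state: drivers (an emergent exploit, a new control) have moved
# the target since provisioning, so re-provisioning to CURRENT_DESIRED would
# still leave the host non-compliant.
NEXT_DESIRED = {**CURRENT_DESIRED,
                "patch.level": "3.0.2",
                "vswitch.mac_address_changes": "reject"}
# What discovery observed on the host: one setting has drifted (constructed).
OBSERVED = {
    "ssh.permit_root_login": "yes",
    "vswitch.promiscuous_mode": "reject",
    "ntp.enabled": "yes",
    "patch.level": "3.0.1",
}
# dLog: constructed change records (who, when, what) used to explain drift.
CHANGE_LOG = [
    {"ts": "2008-04-02T09:14", "who": "jdoe", "key": "ssh.permit_root_login",
     "old": "no", "new": "yes", "ticket": None},
]
# Settings whose change needs a maintenance window (assumption).
OUTAGE_REQUIRED = {"patch.level"}


def gap(desired, observed):
    """Compliance gap: key -> (observed, desired) for every deviating key."""
    return {k: (observed.get(k), v) for k, v in desired.items()
            if observed.get(k) != v}


def explain(gap_keys, log):
    """Attribute each gap key to its last logged change, or None when no
    change was logged (unlogged drift is what deserves an incident look)."""
    out = {}
    for k in gap_keys:
        hits = [e for e in log if e["key"] == k]
        out[k] = hits[-1] if hits else None
    return out


@dataclass(frozen=True)
class Path:
    name: str
    closes: tuple        # gap keys this path would fix
    risk: float          # operational risk of executing it (0..1)
    ttr_minutes: int     # time to remediate
    cost: float          # relative cost
    requires_outage: bool


def candidate_paths(gap_keys):
    """Two of the possible paths from the diagram: in-place correction of
    what can be changed live, or re-provisioning the whole host."""
    correctable = tuple(k for k in gap_keys if k not in OUTAGE_REQUIRED)
    return [
        Path("configuration correction", correctable, 0.1,
             5 * len(correctable), 1.0 * len(correctable), False),
        Path("configuration re-provisioning", tuple(gap_keys), 0.3, 90, 10.0, True),
    ]


def select_path(paths, gap_keys, outage_allowed):
    """Prefer complete closure of the gap, then lowest risk, TTR and cost,
    among the paths that are operationally plausible right now."""
    feasible = [p for p in paths if outage_allowed or not p.requires_outage]
    if not feasible:
        return None
    return min(feasible, key=lambda p: (-len(set(p.closes) & set(gap_keys)),
                                        p.risk, p.ttr_minutes, p.cost))


def plan(desired, observed, outage_allowed):
    """Gap, explanation of each deviation, and the selected remediation path."""
    g = gap(desired, observed)
    keys = tuple(g)
    return g, explain(keys, CHANGE_LOG), select_path(candidate_paths(keys), keys, outage_allowed)


if __name__ == "__main__":
    for label, target in (("current desired", CURRENT_DESIRED),
                          ("next desired", NEXT_DESIRED)):
        g, why, path = plan(target, OBSERVED, outage_allowed=False)
        print(label, "gap:", sorted(g), "| path:", path.name, "closes", path.closes)
```

Run against the constructed data, the gap to the current desired state is one key, while the gap to the next desired state is three; without a maintenance window only in-place correction is feasible and it closes two of the three, and once an outage is allowed re-provisioning wins because it closes the whole gap, even at higher risk and TTR.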
Security Guidance: VMware
19 pages – 103+ Controls – 9343 words

Areas covered: Virtual Machines, Service Console, ESX Server Host, Virtual Center

• Secure Virtual Machines as Physical *
• Disable Unnecessary Functions
• Prevent Virtual Machines from Taking Over Resources *
• Limit Data Flow from VM to ESX Host *
• Isolate VM Networks *
• Minimize use of VI Console
• Isolate Management Network *
• Configure Firewall for Maximum Security
• User Directory Service for Authentication
• Strictly Control Root Privileges; Limit Access to "sudo"
• Establish Password Policy for Local Accounts
• File System Security
• Maintain Proper Logging
• Limit Services Running in SC
• Don't Manage SC as a Linux Host
• Secure ESX Server Console
• Protect Against Root File System Exhaustion *
• Label Virtual Networks
• Do Not Create Default Port Groups
• Use Dedicated Isolated Networks for VMotion and iSCSI *
• Do Not Use Promiscuous Mode on Net Interfaces
• Protect Against MAC Spoofing
• Mask and Zone SAN Resources *
• Document and Monitor Changes to Configuration *
• Setup Windows Host for Proper Security *
• Limit Administrative Access
• Limit Network Connectivity to VC *
• Ensure VC Database is Secured
• Enable Full and Secure Use of Certificate-based Encryption
• Use VC Custom Roles
Guidance: Gartner
17 pages – 6483 words

• Lock down and configure each VM as appropriate to the organization's standard guidelines for the OS being hosted… *
• Baseline the correct virtual server configuration. Internal virtual network configuration likely will not be visible … *
• All partitions must be patched. Keep the host OS and all guest OS partitions patched. … *
• Patch offline images. … *
• Require virtualization vendors to document their vulnerability response process…. Regularly scan all partitions for vulnerabilities. *
• Vendors such as Configuresoft are looking at extending their configuration management capabilities to the host OS in 2007. Regularly scan for correct VMM and VM configuration: network bindings, internal virtual network connections and other configurations. Don't overlook VM and application appliances. Deactivate hyper-threading for guest OSs. *
• The security issues related to vulnerability and configuration management get worse, not better, when virtualized …

Guidance: DISA Virtual Computing
http://iase.disa.mil/stigs/draft-stigs/index.html
Excerpt from 82 pages – 117+ Controls – 27,000 words…

(VCESX0570: CAT II) The IAO/SA will ensure public virtual switches only allow virtual machines that require access to the physical network adapters. *
(VCESX0572: CAT II) The IAO/SA will ensure the permissions on the /usr/sbin/esxcfg-* utilities are 500, except for esxcfg-auth which should be 544.
(VCESX0574: CAT II) The IAO/SA will ensure all private and public virtual switches ( ) not in use are disabled. *
(VCESX0576: CAT II) The IAO/SA will ensure all virtual switches are labeled within the ESX Server environment.
(VCESX0578: CAT II) The IAO/SA will ensure all virtual switch labels do not begin with a number.
(VCESX0580: CAT II) The IAO/SA will ensure VMotion virtual switches contain at least one physical network adapter and are configured to use a dedicated VLAN. *
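The six DISA items quoted above are concrete enough to check mechanically, which is the "regularly scan for correct VMM and VM configuration" that the Gartner slide calls for. The block below is an added example (not code from the slides, from DISA or from VMware) that evaluates a virtual-switch inventory against VCESX0570, 0574, 0576, 0578 and 0580, and a table of utility permission bits against VCESX0572. The inventory record layout (name, label, uplinks, vlan, enabled, in_use, purpose, vms) is an assumption about what an inventory export would carry, and the sample inventory and the permission table are constructed so the checks run offline.

```python
"""Configuration checks for the DISA Virtual Computing STIG items quoted on
this slide (VCESX0570, 0572, 0574, 0576, 0578, 0580).

Added example, not from the slides or from DISA. The inventory record
format is an assumption (roughly what an inventory export of vSwitches
would carry); the inventory and the permission table are constructed.
"""
import re

# Constructed sample inventory: one dict per virtual switch.
CONSTRUCTED_INVENTORY = [
    {"name": "vSwitch0", "label": "Management", "uplinks": ["vmnic0"],
     "vlan": 10, "enabled": True, "in_use": True, "purpose": "management",
     "vms": []},
    {"name": "vSwitch1", "label": "VMotion", "uplinks": ["vmnic1"],
     "vlan": None, "enabled": True, "in_use": True, "purpose": "vmotion",
     "vms": []},
    {"name": "vSwitch2", "label": "3rdFloorLAN", "uplinks": ["vmnic2"],
     "vlan": 20, "enabled": True, "in_use": True, "purpose": "vm",
     "vms": [{"name": "web01", "needs_physical": True},
             {"name": "dbtest", "needs_physical": False}]},
    {"name": "vSwitch3", "label": "", "uplinks": [], "vlan": None,
     "enabled": True, "in_use": False, "purpose": "vm", "vms": []},
]

# VCESX0572: expected modes of the /usr/sbin/esxcfg-* utilities
EXPECTED_ESXCFG_MODE = 0o500
ESXCFG_EXCEPTIONS = {"esxcfg-auth": 0o544}


def check_vswitches(inventory):
    """Return (stig_id, switch, detail) findings for the quoted switch rules."""
    findings = []
    for sw in inventory:
        name, label = sw["name"], sw.get("label", "")
        public = bool(sw["uplinks"])  # a switch with physical adapters is "public"
        # VCESX0570: only VMs that need the physical network sit on a public switch
        if public:
            for vm in sw["vms"]:
                if not vm["needs_physical"]:
                    findings.append(("VCESX0570", name,
                                     f"VM {vm['name']} does not need physical access"))
        # VCESX0574: switches not in use must be disabled
        if not sw["in_use"] and sw["enabled"]:
            findings.append(("VCESX0574", name, "unused switch still enabled"))
        # VCESX0576: every switch carries a label
        if not label:
            findings.append(("VCESX0576", name, "switch is not labeled"))
        # VCESX0578: labels must not begin with a number
        elif re.match(r"[0-9]", label):
            findings.append(("VCESX0578", name, f"label {label!r} begins with a digit"))
        # VCESX0580: VMotion switches need a physical adapter and a dedicated VLAN
        if sw["purpose"] == "vmotion":
            if not sw["uplinks"]:
                findings.append(("VCESX0580", name, "VMotion switch has no physical adapter"))
            if sw["vlan"] is None:
                findings.append(("VCESX0580", name, "VMotion switch has no dedicated VLAN"))
    return findings


def check_esxcfg_modes(modes):
    """modes: {utility basename: permission bits}, e.g. as stat() reports them.
    Returns (utility, actual, expected) for every utility off the STIG value."""
    bad = []
    for util, mode in sorted(modes.items()):
        expected = ESXCFG_EXCEPTIONS.get(util, EXPECTED_ESXCFG_MODE)
        if (mode & 0o777) != expected:
            bad.append((util, oct(mode & 0o777), oct(expected)))
    return bad


if __name__ == "__main__":
    for finding in check_vswitches(CONSTRUCTED_INVENTORY):
        print(*finding)
    # constructed permission table standing in for a stat() sweep of /usr/sbin
    print(check_esxcfg_modes({"esxcfg-auth": 0o544, "esxcfg-vswitch": 0o755,
                              "esxcfg-firewall": 0o500}))
```

Each finding carries the STIG identifier, so the output can be tracked as drift against a known control rather than as a free-text observation; on the constructed inventory the management switch passes and the other three each produce at least one finding.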
Guidance: Center For Internet Security
www.cisecurity.org
CIS ESX Server Benchmark – 70 pages – 199+ Compound Controls – 13,713 words
CIS General VM Benchmark – 30 pages – 62+ Compound Controls – 9,261 words

Backup Configuration Files, Administering ESX Server *, Keep system patched *, Firewall, Passwords, Maintain Proper Logging, Review Logs, Establish/Maint. File Sys Integrity, SNMP, Protect against MAC Spoofing, Password Aging, Password complexity, setuid, setgid, SSH, Disabling Copy and Paste, Remove Unnecessary HW, Set GRUB Password, Limiting Access to su, Use "sudo", VLANs, Separate Management VLAN *, Don't Create Default Port Group, iSCSI *, Use CHAP for iSCSI dev *, iSCSI Naming Requirements *, Guest Flooding *, Logs

Guidance: EMA
• Secure virtual images just as well as you secure physical systems – and then some *: malware protection, intrusion detection, firewalls, configuration management, etc.
• Visibility is key – security professionals must be able to map and locate similar security environments together *
• VM relocation will require transportable security policies and procedures: authentication, authorization, access, administration, penetration detection, configuration control, malware protection, enforcement, encryption, signatures and keys, etc.
• Technology and disciplines for discovery, configuration, change management, and more become critical to detecting virtual malware *
Andy Mann, EMA 2007
Guidance: DISA Storage Virtualization
Excerpt from 19 pages – 31+ High Level Controls…
http://iase.disa.mil/stigs/checklist/span-sans-checklist-v1r1-3-20060519.pdf

SAN03.001.00  CAT I    Zoning is not used to protect the SAN.
SAN03.002.00  CAT II   Hard zoning is not used to protect the SAN.
SAN04.005.00  CAT II   Servers and hosts OS STIG Requirements
SAN04.010.00  CAT III  Sensitive Data in Transit Encryption
SAN04.014.00  CAT III  Management Console to SAN Fabric DOD PKI protected
SAN04.019.00  CAT I    SAN Fabric Zoning List Deny-By-Default
SAN04.023.00  CAT II   Only Internal Network SNMP Access to SAN
SAN05.001.00  CAT II   Backup of critical SAN Software and Configurations
Virtual Security Guidance: Compared

Sources compared (release date): VMware 3.0 (2/07), Gartner (3/07), DISA VC (4/07), EMA (6/07), CIS-G (9/07), CIS-ESX (10/07), VMware 3.5 & 3i (4/08), CIS-XEN (Draft), CIS-ESX 3.5 & 3i (Initiated), DISA S…
Pages: VMware 3.0 19, Gartner 17, DISA VC 82, EMA -, CIS-G 30, CIS-ESX 70, DISA S… 19

Practices:
• Secure Guests as Usual
• Patch VM Hosts
• Isolate T/M/S nets
• Control VM Resource Use
• Control SAN Configuration
• Monitor Configuration Drift
• Monitor Configuration Dep.
• Co-Host Similar SP

[Table: the marks showing which source covers which practice did not survive extraction]
Enterprise Compliance Complexity

[Figure: configuration tiers laid out from Non-Virtualized to Highly Virtualized, each with its Guidance / Best Practices and linked by Control Mapping and Policy Coupling: Application Configuration, Application Virtualization, SO Application Configuration / SO Application Policy, Operating Configuration, Guest OS Configuration, VMM Configuration, Virtual HW Configuration, Virtual Storage Configuration. Example issues by tier: WS-*, WCF, …; REG, File, Client, Str; Blue Pill, Vitriol, SubVirt; VMM Patching; Mitigation, Patching…; WWN Spoofing]

• Additional Technology tiers => More controls & More coupling
• Need for "situation awareness" across the technology stack
• The same complexity affects mitigation and remediation planning

Coupling: Working Sets

[Figure: Server Virtualization + Storage Virtualization + … : the working sets of co-hosted guests add up on shared hosts and storage]
1. Monitor Σ ws
2. Limit Memory (Guest)
Resource Coupling Examples

• Hyper-threading Processor – Turn Off
• Memory – Constrain
• NIC – Isolate
• Virtual Switch – Instrument, Configure
• Virtualization Host – Provisioning
• SAN – Configure
• Protocol Visibility – Side Channel Attacks…

Equivalence Classes: Common Trust Levels, Security Postures

Challenge: Visibility is Risk … Invisibility is More Risk
VMsafe: Virtual Security Appliance Framework

[Figure: Guest 1, Guest 2, Guest 3 … Guest N and a Security App. running on the Hypervisor; the Security App. reaches each guest through the VMsafe API]

• Single point of instrumentation for each ESX server
• Greatly improved visibility into HV and Guests
• Standardized integration for security appliance vendors
The Risks of Risk-Driven Compliance

[Figure: layers from Low Risk: Less Controlled to High Risk: Tightly Controlled: Services, Applications, Virtualized Guests, Virtualization Hosts, Network Virtualization, SAN – Storage Virtualization, Storage Network. Will shift as virtual I/O facilities mature.]

Risk Modeling: Virtualized

[Figure: Business Objectives → Operational Tasks → Information Assets → Network Nodes, with RISK at both ends. How do risks here . . . translate into risks here?]
Compliance in Virtualized Environments

[Figure: Hosts and Guests; V-Relationships: Hosts, Guests, Net, Storage]

Guest Security Posture … in Context

Security Process Optimization
Adaptive Optimization facilitates Agility
Observations

• Guests must still be secured
• + New vulnerabilities must be addressed
• Visibility of vulnerability and exploit footprint is affected
  – Harder to ask and answer:
    • Where am I vulnerable?
    • Where have I already been compromised?
    • What relationships constrain my response?
• More controls to map at each virtualization layer
• More opportunities for interference across virtualization layers
• Mitigation and remediation more intertwined with operational plausibility due to resource coupling
Recommendations:

• Virtualization guidance is emerging at each layer for all products: leverage it
• Vulnerabilities and technical responses are emerging: maintain a flexible controls framework across virtualization layers
• Visibility across the technology stack is essential: cultivate discovery and decision support
• Virtualization requires deeper configuration insight to capitalize on its economic, operational and agility benefits
Guidance and Research

• CIS Virtual Machine Security Benchmark – The Center for Internet Security, ESX Server Benchmark. http://www.cisecurity.org/
• CIS Virtual Machine Security Benchmark – The Center for Internet Security, General Virtualization Benchmark. http://www.cisecurity.org/
• DISA STIG Virtual Computing V1, http://iase.disa.mil/stigs/draft-stigs/index.html (DRAFT available now).
• DISA STIG, Storage Area Network (SAN) Checklist For Sharing Peripherals Across the Network, Security Technical Implementation Guide, Version 1 Release 1.3
• Security Design of the VMware Infrastructure 3 Architecture, VMware White Paper, www.vmware.com
• VMware Infrastructure 3, Security Hardening, VMware Best Practices, www.vmware.com
• Virtualization – The State of the Intangible Enterprise, Andi Mann, Enterprise Management Associates
• Security Considerations and Best Practices for Securing Virtual Machines, Neil MacDonald, Gartner, 2007
• Overview: Information Security, January 2007 ("Virtual Threats")
• Best Practices: Advanced Server Virtualization, Auerbach, 2006, pgs. 97-99, 144-145, 444-451.
• Security Benefits: "Virtualization – the next step in enterprise security" (Symantec and Intel Corp.), http://scmagazine.com/us/news/article/624062/virtualization-next-step-enterprise-security/
• Storage Virtualization Security: Securing Storage: A Practical Guide to SAN and NAS Security, 11/2005 (Dwivedi, Addison-Wesley)
Virtualization and Security
Dennis R Moreau, CTO, Configuresoft, Inc.
For more information … [email protected]
Intelligence Briefs