mitigating information security risks of virtualization ...€¦ · mitigating information security...
TRANSCRIPT
© 2009 VMware Inc. All rights reserved
Mitigating Information Security Risks
of Virtualization Technologies
Toon-Chwee, Wee
VMWare (Hong Kong)
Agenda
Virtualization Overview
Key Components of Secure Virtualization Technologies
Achieving and Demonstrating Compliance
Use Case: Securely Mixing Trust Zones
Virtualization Basics
Traditional View
Pools of Shared Resources
Virtual Infrastructure
Exchange
Operating System
PCI
Operating System
DNS
Operating System
CRM
Operating System
Interconnect Pool
CPU Pool Memory Pool
Storage Pool
VMware Infrastructure
VMware Infrastructure
VMware Infrastructure
VMware Infrastructure
VMware Infrastructure
How Virtualization Affects Security and Compliance
Abstraction and Consolidation
• ↑ Capital and Operational Cost Savings
• ↓ New infrastructure layer to be secured
• ↓ Greater impact of attack or misconfiguration
Collapse of switches and servers into one device
• ↑ Flexibility
• ↑ Cost-savings
• ↓ Lack of virtual network visibility
• ↓ No separation-by-defaultof administration
5
How Virtualization Affects Security and Compliance
Faster deployment of servers
• ↑ IT responsiveness
• ↓ Lack of adequate planning
• ↓ Incomplete knowledge of current state of infrastructure
• Poorly Defined Procedures
• ↓ Inconsistent Configurations
VM Mobility
• ↑ Improved Service Levels
• ↓ Identity divorced from physical location
VM Encapsulation
• ↑ Ease of business continuity
• ↑ Consistency of deployment
• ↑ Hardware Independence
• ↓ Outdated offline systems
• Unauthorized copy
6
What not to worry about
Hypervisor Rootkits
• Examples: Blue Pill, SubVirt, etc.
• These are ALL theoretical, highly complex attacks
• Widely recognized by security community as being only of academic interest
Irrelevant Architectures
• Example: numerous reports claiming guest escape
• Apply only to hosted architecture (e.g. Workstation), not bare-metal (i.e. ESX)
• Hosted architecture deliberately include numerous channels for exchanging information between guest and host.
Contrived Scenarios
• Example: VMotionintercept
• Involved exploits where
• Best practices around hardening, lockdown, design, for virtualization etc, not followed, or
• Poor general IT infrastructure security is assumed
Security Advantages of Virtualization
• Allows Automation of Many Manual Error Prone Processes
• Cleaner and Easier Disaster Recovery/Business Continuity
• Better Forensics Capabilities
• Faster Recovery After an Attack
• Patching is Safer and More Effective
• Better Control Over Desktop Resources
• More Cost Effective Security Devices
• App Virtualization Allows de-privileging of end users
• Better Lifecycle Controls
• Security Through VM Introspection
Primary Compliance Issue:
Collocation of VMs on Same Physical Hardware
Virtual Infrastructure
Interconnect Pool
CPU Pool Memory Pool
Storage Pool
VMware Infrastructure
• Virtual Machines are dedicated
and isolated entities abstracted
from the physical hardware
• Isolation characteristics of VMs
and virtual networks meet
compliance requirements
• Configuration choices are key
in meeting compliance
requirements
• Misconfiguration is greatest risk
to virtual infrastructure
KEYS TO A SECURE
VIRTUALIZED DEPLOYMENT
How do we secure our Virtual Infrastructure?
Use the Principles of Information Security• Hardening and Lockdown
• Defense in Depth
• Authorization, Authentication, and Accounting
• Separation of Duties and Least Privileges
• Administrative Controls
For virtualization this means:• Secure the Guests
• Harden the Virtualization layer
• Setup Access Controls
• Leverage Virtualization Specific Administrative Controls
Securing Virtual Machines
Host
• Anti-Virus
• Patch Management
Network
• Intrusion Detection/Prevention (IDS/IPS)
• Firewalls
12
Provide Same Protection
as for Physical Servers
Isolation in the Architecture
Segment out all non-production networks
• Use VLAN tagging, or
• Use separate vSwitch (see diagram)
Strictly control access to management network, e.g.
• RDP to jump box, or
• VPN through firewall
13
vSwitch1
vmnic1 2 3 4
Production
vSwitch2
VMkernel
Mgmt Storagevnic
vnic
vnic
vCenter IP-based
StorageOther ESX/ESXi
hosts
Mgmt
Network
Prod
Network
Secure/Compliant Virtualization Platform Requirements
Enterprise Features for Management Controls
Strong Access Controls Centralized Authentication
Granular Authorization Controls
Configuration Management
Audit and Logging
A Flexible and Well Defined API
Enforce Strong Access Controls
Security
Principle
Implementation in
Virtual
Infrastructure
Least
Privileges
Roles with only
required privileges
Separation of
Duties
Roles applied only to
required objects
Administrator
Operator
UserAnne
Harry
Joe
Maintain Tight Administrative Controls
Requirement
Configuration management, monitoring, auditing
Track and Manage VM
Updating of offline VMs
Virtual network security
Achieving Regulatory Compliance
Think Security First
Design for Compliance
Understand the Scope of the Requirements
Ensure that Controls are Comprehensive
Don’t Rely on Technology Alone
Assign the Right Project Manager
Collaborate with the Auditor
Use Case: Securely Mixing Trust Zones
Three Primary Configurations
• Physical Separation of Trust Zones
• Virtual Separation of Trust Zone with Physical Security Devices
• Fully collapsing all servers and security devices into a Virtual Infrastructure
Physical Separation of Trust Zones
Physical Separation of Trust Zones
Advantages
•Simpler, less complex
configuration
•Less change to physical
environment
•Little change to separation of
duties
•Less change in staff knowledge
requirements
•Smaller chance of
misconfiguration leading to a
security issue
Disadvantages
•Lower consolidation and utilization of
resources
•Higher cost
Virtual Separation of Trust Zones with Physical Security Devices
Virtual Separation of Trust Zones
with Physical Security Devices
Advantages
•Better utilization of resources
•Take Full Advantage of Virtualization
Benefits
•Lower cost
Disadvantages (can be mitigated)
•More complexity
•Greater chance of misconfiguration
Fully Collapsed Trust Zones including Security Devices
Advantages
•Full utilization of resources, replacing
physical security devices with virtual
•Lowest-cost option
•Management of entire DMZ and network from
a single management workstation
Disadvantages (can be mitigated)
•Greatest complexity, which in turn creates
highest chance of misconfiguration
•Requirement for explicit configuration to
define separation of duties to help mitigate
risk of misconfiguration; also requires
regular audits of configurations
•Potential loss of certain functionality, such
as VMotion (Being mitigated by vendors
and VMsafe)
Fully Collapsed Trust Zones including Security Devices
Conclusion
Understand Virtualization Technology
Isolation Characteristics of VMs make Collocation of VMs Compliant
Key Components of Secure Virtualization Technologies a Must
Understand the Steps Necessary for Compliance
© 2009 VMware Inc. All rights reserved
Questions?