Virtualization Security
null Pune May 2012 Meet
Virtualization
- By Mangesh Gunjal
Topics to be Covered:
- Virtualization
- Virtual Machine Monitor
- Types of Virtualization
- Why Virtualization..?
- Virtualization Application Areas
- Virtualization Risks
- Virtualization Security
- VM Sprawl
- Miscellaneous
Virtualization
- Multiple Execution Environments
- Hardware and Software Partitioning
- Time-Sharing
- Partial or Complete Machine Simulation/Emulation
- Multiple Operating Systems on a Single Physical System
- Share the Underlying Hardware Resources
- Separation of a Resource or Request for a Service
Source: Virtualization Overview whitepaper, by VMware.
Virtual Machine Monitor
- Virtual Machine Monitor (VMM)
- Emulation or Simulation
- Virtual Machines
- Isolated Environment
Source: Virtualization Overview whitepaper, by VMware.
Para Virtualization
Source: Virtualization Overview whitepaper, by VMware.
Why Virtualization..?
- Server Consolidation
- Legacy Applications
- Sandbox
- Execution of Multiple Operating Systems
- Simulation of Hardware and Networking Devices
- Powerful Debugging and Performance Monitoring
- Fault and Error Containment
- Application and System Mobility
- Shared Memory Multiprocessors
- Business Continuity
- Virtualization is FUN...and plenty other reasons.
Source: Virtualization Overview whitepaper, by VMware.
Infrastructure is what connects resources to your business.
Virtual Infrastructure is a dynamic mapping of your resources to your business.
Result: decreased costs and increased efficiencies and responsiveness.
Source: Virtualization Overview whitepaper, by VMware.
Virtualization Application Areas
- Desktop Virtualization
- Application Virtualization
- Infrastructure Virtualization
- Server Virtualization
- Storage Virtualization
- Network Virtualization
Virtualization Risks
- Inexperience Involved
- Increased Channels for Attack
- Change Management Control
- IT Asset Tracking and Management
- Securing Dormant Virtual Machines
- Sharing Data between Virtual Machines
Exploitation on Virtualization
- Malicious Code Activities through Detection of VM.
- Denial of Service on the Virtual Machine.
- Virtual Machine Escape
Historical Incident
- VMware Multiple Denial Of Service Vulnerabilities
Some VMware products support storing configuration information in VMDB files. Under some circumstances, a malicious user could instruct the virtual machine process (VMX) to store malformed data, causing an error. This error could enable a successful Denial-of-Service attack on guest operating systems.
Link: http://www.Securiteam.com/cves/2007/CVE-2007-1877.html
Virtualization Security
- Hypervisor Security
- Host / Platform Security
- Securing Communications
- Security between Guests
- Security between Hosts and Guests
- Virtualized Infrastructure Security
- Virtual Machine Sprawl
Hardening Steps to Secure Virtualisation Environment - Server Service Console
- Restriction to Internal Trusted Network
- Block all the incoming and outgoing traffic except for necessary ports.
- Monitor the integrity and modification of the configuration files
- Limit SSH-based client communication to a discrete group of IP addresses
- Create separate partitions for /home, /tmp, and /var/log
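An added example (not from the slides) that audits three of the service-console steps above offline: separate partitions for /home, /tmp and /var/log, SSH restricted to explicit addresses, and integrity of configuration files. It assumes tcp_wrappers-style hosts.allow rules for sshd and uses constructed sample inputs in place of a real host.

```shell
#!/bin/sh
# Added example: offline audit of three service-console hardening steps.
# Inputs are constructed samples, not data from a real host; on a console
# you would pass the contents of /proc/mounts and /etc/hosts.allow and the
# real configuration file paths instead.

SAMPLE_MOUNTS='/dev/sda2 / ext3 rw 0 0
/dev/sda5 /home ext3 rw,nosuid,nodev 0 0
/dev/sda6 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda7 /var/log ext3 rw 0 0'

SAMPLE_HOSTS_ALLOW='# constructed tcp_wrappers policy for the console
sshd: 10.10.5.0/255.255.255.0 10.10.6.12'

# Step "separate partitions": succeed only if /home, /tmp and /var/log each
# appear as their own mount point in the mount table passed as $1.
check_partitions() {
  for p in /home /tmp /var/log; do
    printf '%s\n' "$1" | awk -v p="$p" '$2 == p { f = 1 } END { exit !f }' \
      || return 1
  done
}

# Step "limit SSH to a discrete group of IP addresses": succeed only if the
# hosts.allow text in $1 has an sshd rule and no sshd rule uses ALL.
check_ssh_allow() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*#/ { next }
    /^[ \t]*sshd[ \t]*:/ { seen = 1; if ($0 ~ /ALL/) bad = 1 }
    END { exit !(seen && !bad) }'
}

# Step "monitor integrity of configuration files": take a cksum baseline of
# the given files once, then compare the current state against it later.
make_baseline() { cksum "$@"; }
check_integrity() {       # $1 = saved baseline text, remaining args = files
  base=$1; shift
  [ "$(cksum "$@")" = "$base" ]
}

# Stand-alone demonstration on the constructed samples.
if check_partitions "$SAMPLE_MOUNTS"; then echo "partitions: PASS"; else echo "partitions: FAIL"; fi
if check_ssh_allow "$SAMPLE_HOSTS_ALLOW"; then echo "ssh allow: PASS"; else echo "ssh allow: FAIL"; fi
```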
Hardening Steps to Secure Virtualisation Environment - Virtual Network Layer
- Network breach by user error or omission.
- MAC Address spoofing (MAC address changes)
- MAC Address spoofing (Forged transmissions)
Hardening Steps to Secure Virtualisation Environment - Virtual Machine
- Apply standard infrastructure security measures into virtual infrastructure
- Set the resource reservation and limits for each virtual machine
Virtual Machine Sprawl
Unchecked creation of new Virtual Machines (VMs).
The VMs that are created for a short-term project are still using CPU, RAM and network resources, and they consume storage even if they are powered off.
VM sprawl could lead to a computing environment running out of resources at a much quicker-than-expected rate, and it could skew wider capacity-planning exercises.
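An added example, not part of the original deck, that triages sprawl from a constructed inventory export: it lists VMs that have been powered off for at least a given number of days and totals the storage they still hold. The CSV columns and every value in it are assumptions.

```shell
#!/bin/sh
# Added example: VM sprawl triage over a constructed inventory export with
# columns name,power_state,days_powered_off,provisioned_gb. Real data would
# come from the management tool's inventory; these rows are made up.
INVENTORY='name,power_state,days_powered_off,provisioned_gb
web01,poweredOn,0,40
db01,poweredOn,0,120
proj-test-01,poweredOff,150,80
proj-test-02,poweredOff,95,60
qa-temp,poweredOff,10,30'

# Print the names of VMs powered off for at least $1 days: they no longer
# use CPU or RAM, but their disks still occupy storage.
dormant_vms() {
  printf '%s\n' "$INVENTORY" | awk -F, -v min="$1" \
    'NR > 1 && $2 == "poweredOff" && $3 >= min { print $1 }'
}

# Total provisioned GB still held by those dormant VMs (0 when none match).
dormant_storage_gb() {
  printf '%s\n' "$INVENTORY" | awk -F, -v min="$1" \
    'NR > 1 && $2 == "poweredOff" && $3 >= min { gb += $4 } END { print gb + 0 }'
}

echo "VMs dormant for 90+ days:"; dormant_vms 90
echo "Storage they still hold: $(dormant_storage_gb 90) GB"
```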
Miscellaneous
Kaspersky Lab has introduced Kaspersky Security for Virtualization, a virtual security appliance that integrates with VMware vShield Endpoint to provide agentless anti-malware security.
VMware Source Code Leak Reveals Virtualization Security Concerns.
Symantec has its own wide range of tools for Virtualization Security:
- Symantec Critical System Protection
- Symantec Data Loss Prevention
- Symantec Control Compliance Suite
- Symantec Security Information Manager
- Symantec Managed Security Services
- Symantec Endpoint Solutions
References
- VMware.com
- Microsoft.com
- SANS.org
- Gartner.com
- Trendmicro.com
- Symantec.com
Thank You