VMware Security Briefing Rob Randell, CISSP Staff Systems Engineer - Security Specialist

Post on 19-Dec-2015

Page 1

VMware Security Briefing

Rob Randell, CISSP

Staff Systems Engineer - Security Specialist

Page 2

Summary: VMware Approach to Security

Virtualization Security
• Secure hypervisor architecture
• Platform hardening features
• Secure Development Lifecycle

Audit and Compliance
• Prescriptive guidance for deployment and configuration
• Enterprise controls for security and compliance

Security in the Private Cloud
• Virtualization-aware security
• Products taking unique advantage of virtualization

Page 3

Secure Implementation

VMware ESXi
• Compact footprint (less than 100MB): fewer patches, smaller attack surface
• Absence of general-purpose management OS: no arbitrary code running on the server, not susceptible to common threats

Page 4

Secure Implementation

Platform Hardening
• Integrity in Memory Protection
  ASLR – randomizes where core kernel modules load into memory
  NX/XD – marks writable areas of memory as non-executable
• Kernel Integrity
  Digital signing – ensures the integrity of drivers and modules as they are loaded by the VMkernel.
• Integrity on Disk
  TPM – helps assure that the image booting off the disk has not been tampered with since the last reboot. (future)

Page 5

VMware Secure Development Lifecycle Process

VMworld 2009 Session TA2543: VMware's Secure Software Development Lifecycle

• Architecture Risk Analysis
• Best Practice and Compliance Requirements
• Code Analysis & Inspection
• Security Testing
• Security Response
• Training
• Product Security Policy

Goals: Protect Customer Data & Infrastructure; Enable Policy Compliance

3rd party experts continually involved at various points

Page 6

Independently validated

• Common Criteria Certification EAL (Evaluation Assurance Level)
  CC EAL 4+ certification – highest recognized level
  Achieved for VI 3.0 and 3.5; in process for vSphere 4
• DISA STIG for ESX – approval for use in DoD information systems
• NSA Central Security Service guidance for both datacenter and desktop scenarios

Page 7

Summary: VMware Approach to Security (section divider, same content as Page 2)

Page 8

How Virtualization Affects Datacenter Security

Abstraction and Consolidation: collapse of switches and servers into one device

• ↑ Flexibility
• ↑ Cost-savings
• ↓ Lack of virtual network visibility
• ↓ No separation-by-default of administration
• ↑ Capital and Operational Cost Savings
• ↓ New infrastructure layer to be secured
• ↓ Greater impact of attack or misconfiguration

Page 9

How Virtualization Affects Datacenter Security

Faster deployment of servers / VM Mobility / VM Encapsulation

• ↑ Ease of business continuity
• ↑ Consistency of deployment
• ↑ Hardware Independence
• ↓ Outdated offline systems
• ↓ Unauthorized Copy
• ↑ Improved Service Levels
• ↓ Identity divorced from physical location
• ↑ IT responsiveness
• ↓ Lack of adequate planning
• ↓ Incomplete knowledge of current state of infrastructure
• ↓ Poorly Defined Procedures
• ↓ Inconsistent Configurations

Page 10

How do we secure and make our Virtual Infrastructure compliant?

Use the Principles of Information Security

• Hardening and Lockdown

• Defense in Depth

• Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privileges

• Administrative Controls

For virtualization this means:

• Secure the Guests

• Harden the Virtualization layer

• Set up Access Controls

• Leverage Virtualization Specific Administrative Controls

What Auditors Want to See:

• Network Controls

• Change Control and Configuration Management

• Access Controls & Management

• Vulnerability Management

Page 11

Network Segmentation

• A trust zone is a network segment within which data flows relatively freely. Data flowing in and out is subject to stronger restrictions.

Page 12

Trust Zones in a Cloud environment

Page 13

Isolation in the Architecture

Segment out all non-production networks

• Use VLAN tagging, or

• Use separate vSwitch (see diagram)

Strictly control access to management network, e.g.

• RDP to jump box, or

• VPN through firewall

[Diagram: vSwitch1 with vmnic1, 2, 3, 4 carries the Production network (Prod Network); vSwitch2 carries the VMkernel vnics for Mgmt and Storage to vCenter, IP-based Storage and other ESX/ESXi hosts on the Mgmt Network]

VMware vSphere 4 Hardening Guidelines: http://www.vmware.com/resources/techresources/10109

Page 14

Separation of Duties with vSphere

[Diagram: roles arranged from broad scope to narrow scope: Super Admin; Networking Admin, Server Admin, Storage Admin; Operator and VM Owner (shown twice)]

Page 15

Administrative Controls for Security and Compliance

Requirement: Configuration management, monitoring, auditing
  VMware Products/Features: Host Profiles; Templates; vCenter Event-based Alarms; vCenter Orchestrator; Scripting; VMware vCenter Virtual Configuration Manager
  Partner Products: Hytrust Appliance; NetIQ Secure Configuration Manager; Tripwire Enterprise for VMware

Requirement: Vulnerability Management
  VMware Products/Features: VMware Update Manager
  Partner Products: Shavlik NetChk Protect

Requirement: Access Controls and Management
  VMware Products/Features: vCenter Roles and Permissions; vCenter event logging; ESX/ESXi logging
  Partner Products: Hytrust Appliance; Catbird

Requirement: Network Controls
  VMware Products/Features: VMware vShield; vNetwork Distributed Switch
  Partner Products: Cisco, Checkpoint, Reflex, Third Brigade, Altor, ISS/IBM, and more.

Page 16

Summary: VMware Approach to Security (section divider, same content as Page 2)

Page 17

2010 – Introducing vShield Products

Securing the Private Cloud End to End: from the Edge to the Endpoint

[Diagram: two VMware vSphere environments hosting a DMZ, Application 1 and Application 2]

• Edge – vShield Edge: secure the edge of the virtual datacenter
• Security Zone – vShield App and Zones: create segmentation between enclaves or silos of workloads
• Endpoint = VM – vShield Endpoint: offload anti-virus processing
• vShield Manager: centralized management

Page 18

vShield Edge: Secure the Edge of the Virtual Data Center

• Multiple edge security services in one appliance
• Stateful inspection firewall
• Network Address Translation (NAT)
• Dynamic Host Configuration Protocol (DHCP)
• Site to site VPN (IPsec)
• Web Load Balancer
• Edge port group isolation
• Detailed network flow statistics for chargebacks, etc.
• Policy management through UI or REST APIs
• Logging and auditing based on industry standard syslog format

[Diagram: VMware vSphere hosting Tenant A through Tenant X, each behind an edge providing load balancer, firewall and VPN]

Page 19

vShield Edge Install and Configure

Installed per Port Group in the ‘networking’ view on the DVS

Edge creates a logical perimeter based on the Port Group:
• Creates a secure Port Group and is installed on the boundary of that port group
• The Port Group at Layer 2 should be backed by a VLAN or by vShield Port Group isolation (solves the VLAN sprawl issue)
• Edge has two interfaces, External and Internal. Internal connects to the secure port group it protects; External faces the uplink (externally facing)

Policies are set as a 5-tuple: source/destination IP address, source/destination port, and service
• Edge protects the port group on the inside and has an external IP address
• Performs Network Address Translation (NAT) to connect the VMs to the Internet
• IPsec VPN set up for secure connectivity to remote resources with Cisco, Checkpoint or any other VPN termination
• Load balancer capabilities for the servers hosted in the vDC

Page 20

vShield App: Application Protection for Network Based Threats

[Diagram: VMware vSphere with DMZ, PCI and HIPAA zones]

Features
• Hypervisor-level firewall
• Inbound, outbound connection control applied at vNIC level
• Elastic security groups – “stretch” as virtual machines migrate to new hosts
• Robust flow monitoring
• Policy Management
• Simple and business-relevant policies
• Managed through UI or REST APIs
• Logging and auditing based on industry standard syslog format

Page 21

vShield App Install and Configure

vShield App is installed on every ESX host
• Controls and monitors all network traffic on the host, even for packets that never cross a physical NIC.

vShield App uses intuitive policy constructs
• Containers from vCenter (resource pools, VMs) can be used directly to create business-like policies
• Security groups can be created by grouping vNICs of dual-homed VMs for additional granularity
• Classic 5-tuple rules also apply
• IP-based stateful firewall and application layer gateway for a broad range of protocols including Oracle, FTP, Sun/Linux/MS RPC, etc.

Flow monitoring to observe network activity
• Between virtual machines, to help define and refine firewall policies
• Identify botnets, and secure business processes through detailed reporting of application traffic (application, sessions, bytes).
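Added example (not from the deck and not VMware's vShield code) of the policy model the Page 19 and Page 21 slides describe: rules bound to security groups drawn from vCenter containers, combined with classic 5-tuple fields, evaluated at the vNIC so that the verdict is unchanged after a VM migrates to another host. The inventory, group names, IPs and rules are constructed for illustration.

```python
from dataclasses import dataclass, replace
ANY = "*"   # wildcard for the group, protocol and port fields

@dataclass(frozen=True)
class VNic:
    vm: str
    ip: str
    host: str          # ESX host the VM currently runs on
    groups: frozenset  # vCenter containers / security groups of this vNIC
@dataclass(frozen=True)
class Rule:            # src/dst are security group names or ANY; dst_port is int or ANY
    src: str
    dst: str
    proto: str         # "tcp", "udp" or ANY (the slides' "service")
    dst_port: object
    action: str        # "allow" or "deny"
def in_group(wanted, vnic):
    return wanted == ANY or (vnic is not None and wanted in vnic.groups)

def evaluate(rules, inventory, src_ip, dst_ip, proto, dst_port):
    """Resolve both ends to vNICs, then first matching rule wins; default deny."""
    src = next((v for v in inventory if v.ip == src_ip), None)
    dst = next((v for v in inventory if v.ip == dst_ip), None)
    for r in rules:
        if (in_group(r.src, src) and in_group(r.dst, dst)
                and r.proto in (ANY, proto) and r.dst_port in (ANY, dst_port)):
            return r.action
    return "deny"

def migrate(inventory, vm, new_host):
    """vMotion: only the host changes; the vNIC keeps its IP and its groups."""
    return [replace(v, host=new_host) if v.vm == vm else v for v in inventory]
# Constructed sample inventory and policy (not taken from the deck)
INVENTORY = [
    VNic("web01", "10.0.1.10", "esx-a", frozenset({"DMZ"})),
    VNic("db01", "10.0.2.20", "esx-b", frozenset({"PCI"})),
]
RULES = [
    Rule("DMZ", "PCI", "tcp", 1521, "allow"),   # web tier may reach the Oracle listener
    Rule(ANY, "PCI", ANY, ANY, "deny"),         # nothing else may enter the PCI zone
    Rule(ANY, ANY, "tcp", 443, "allow"),        # classic 5-tuple style rule
]

def demo():
    before = evaluate(RULES, INVENTORY, "10.0.1.10", "10.0.2.20", "tcp", 1521)
    moved = migrate(INVENTORY, "web01", "esx-b")   # web01 now shares a host with db01
    after = evaluate(RULES, moved, "10.0.1.10", "10.0.2.20", "tcp", 1521)
    ssh = evaluate(RULES, moved, "10.0.1.10", "10.0.2.20", "tcp", 22)
    return before, after, ssh   # ("allow", "allow", "deny")
```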

Page 22

Leveraging Virtualization for Better-than-Physical Security

Issues
• “AV storms” can cause 100% saturation in shared compute (CPU) and SAN/NAS (storage I/O) environments
• Traditional agents are resource intensive – not optimized for high utilization, efficient clouds
  Up to 6 GB on VMware View desktops

Opportunities
• Leverage hypervisor to offload AV functions from agents into a dedicated security VM
• Deploy security in a more agile, service-driven manner to both private and public cloud environments

[Diagram: VMware vSphere host using introspection; a hardened Security VM (SVM) running the AV engine alongside three guest VMs (APP / OS Kernel / BIOS)]

Page 23

Overview: vShield Endpoint Components

[Diagram: vShield Endpoint components on the vSphere Platform (ESX 4.1). Security VM: Partner Agent on top of the vShield Endpoint Library, which exposes the EPsec interface (On Access Scans, On Demand Scans, Remediation, Caching & Filtering, Status Monitor) and a REST interface; Partner Management Console alongside. Guest VM: APPs, OS, Kernel, BIOS with the Guest Driver. vShield Endpoint ESX Module in the hypervisor; vCenter and vShield Manager 4.1 for management; VI Admin and Security Admin roles. Legend: Partner Components; Partner Facing Components and APIs; vShield Endpoint Components; VMware Platform; VMware Internal Interfaces; Partner Accessible Interfaces.]

Page 24

Sequence Diagram for On Access Scans

[Sequence diagram, time running downward. Participants: Guest VM (APPs, OS, EPsec Thin Agent) and Security VM (EPsec Lib with Caching & Filtering, Partner Agent with On Access Scans, On Demand Scans, Remediation). Messages: a file event from the guest; the EPsec Lib checks “result cached?” and “excluded by filter?”; if neither applies, “* file data request” and “* file data” are exchanged between the thin agent and the partner agent (repeated as needed); the partner agent returns “scan result”; “result” is returned to the guest. A later file event for the same file is answered from the cache (“data cached?”) without a new scan.]
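Added example, not VMware's or a partner's code, modelling the on-access flow in this diagram: the thin agent raises a file event, the Security VM applies the exclusion filter and the result cache before requesting any file data, and only then hands the data to the partner engine. The paths, the version-keyed cache, the suffix filter and the signature are constructed assumptions.

```python
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"   # stand-in for a partner's signature set

def partner_scan(data):
    """Partner anti-virus engine, modelled here as a single signature match."""
    return "infected" if SIGNATURE in data else "clean"

class SecurityVM:
    """EPsec library side: filter, consult the cache, then ask the partner agent."""
    def __init__(self, scan_engine, excluded_suffixes=(".log", ".tmp")):
        self.scan_engine = scan_engine
        self.excluded = excluded_suffixes
        self.cache = {}          # (vm, path, version) -> verdict
        self.data_requests = 0   # times file data had to cross into the SVM
        self.scans = 0           # times the partner engine actually ran
    def handle_event(self, agent, path, version):
        if path.endswith(self.excluded):          # "excluded by filter?"
            return "clean"
        key = (agent.vm, path, version)
        if key in self.cache:                     # "result cached?"
            return self.cache[key]
        self.data_requests += 1
        data = agent.read(path)                   # "* file data request" / "* file data"
        verdict = self.scan_engine(data)          # partner agent produces "scan result"
        self.scans += 1
        self.cache[key] = verdict                 # remembered for the next event
        return verdict

class ThinAgent:
    """EPsec thin agent in the guest: forwards file events, serves file data on request."""
    def __init__(self, vm, svm):
        self.vm, self.svm, self.files = vm, svm, {}   # files: path -> (version, bytes)
    def write(self, path, data):                 # guest writes bump the file version
        version = self.files[path][0] + 1 if path in self.files else 1
        self.files[path] = (version, data)
    def read(self, path):
        return self.files[path][1]
    def on_access(self, path):                   # "file event" on open/execute
        return self.svm.handle_event(self, path, self.files[path][0])

def demo():
    svm = SecurityVM(partner_scan)
    guest = ThinAgent("vm-01", svm)
    guest.write("/srv/app.bin", b"benign payload")
    guest.write("/var/log/app.log", b"noise")
    first = guest.on_access("/srv/app.bin")      # data fetched and scanned
    second = guest.on_access("/srv/app.bin")     # answered from the cache
    guest.on_access("/var/log/app.log")          # filtered out, data never leaves the guest
    guest.write("/srv/app.bin", SIGNATURE)       # modification invalidates the cache entry
    third = guest.on_access("/srv/app.bin")
    return first, second, third, svm.data_requests, svm.scans  # ("clean", "clean", "infected", 2, 2)
```

The counters show where the savings against an “AV storm” come from: repeated opens and filtered files cost no data transfer and no engine run.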

Page 25

Where to Learn More

Security
• Hardening Best Practices
• Implementation Guidelines
http://vmware.com/security

Compliance
• Partner Solutions
• Advice and Recommendation
http://vmware.com/go/compliance

Operations
• Peer-contributed Content
http://viops.vmware.com

Page 26

Summary: VMware Approach to Security (closing summary, same content as Page 2)

Page 27

Questions?

Rob Randell, CISSP

Senior Security and Compliance Specialist