Virtualization and Cloud Computing Virtualization, Cloud and Security Michael Grafnetter

Virtualization and Cloud Computing

Virtualization, Cloud and Security

Michael Grafnetter

Agenda

Virtualization Security Risks and Solutions Cloud Computing Security Identity Management

Virtualization SecurityRisks and Solutions

Blue Pill Attack

Presented in 2006 by Joanna Rutkowska at Black Hat conference

Traps running OS by starting a hypervisor and virtualizing the underlaying machine (needs right to run privileged instructions to achieve this)

Could intercept nearly anything and send fake responses (hardware interrupts, requests for data, system time etc.)

Red Pill

Blue Pill is detectable by timing attack Trap-and-Emulate takes much longer than native

instructions External time sources (NTP) need to be used,

because system time could be spoofed

VMM Vulnerability

By attacking a VMM, one could attack multiple servers at once

Datacenter Management SW

Virtualization infrastructure management software (VMware vCenter, Microsoft SC VMM) is used to control multiple hostsat once

Web Access to DCs

Multiple datacenters can be managed from a central console. Therefore, its security has to be hardened.

One Ring to rule them all…

Management commands available using PowerShell or Web APIs Get-VM –Name * | Stop-VM Get-VM –Name * | Remove-VM Copy-VMGuestFile Invoke-VMScript –Type Bash …

DoS attack on virtualization infrastructure

Disabling Host-VM Communication

Physical vs. Virtual Firewall

With virtualization, servers from different Trust Zones usually share the same physical resources (memory, network card, etc.)

Traffic isolation

Configuring traffic isolationon Vmware ESXi

Other risks of virtualization

Introduction of yet another OS Reliance on traditional barriers Accelerated provisioning Security left to non-traditional security staff Audit scope creep

Security Solutions

Virtual Firewall Live migration Stretched clusters

Agentless Antivirus Extensible Switches Mobile Virtualization Platform Virtual Desktop Infrastructure (VDI)

Agentless AV

Extensible Switch

Mobile Virtualization Platform

Supported devices

Virtual Desktop Infrastructure

Cloud Computing Security Risks

Who has access to our data?

Physical Security

Hard Disk Crushers

Other Cloud Risks

Unclear data location Regulatory compliance Data segregation Lack of investigative support Disaster recovery Long-term viability, vendor lock-in

Identity Management

Basic Concepts External user DBs Two-factor authentication Role-Based Access Control (RBAC)

Identity Federation OAuth OpenID SAML RADIUS Proxy Identity Bridges

External User DBs

Typically Active Directory or generic LDAP is used as central identity store for virtualization infrastructures

Azure Active Directory

Two-Factor Authentication

Role-Based Access Control

Identity Federation

Used to delegate user authorizationto a 3rd-party service provider

Creating a web applicationwith Facebook/Twitter/

Microsoft Account authentication

OpenID

http://someopenid.provider.com/john.smith

Similar to OpenID, but targeted to the enterprise

Security Assertion Markup Language XML-based Supports Single sign-on Requires mutual trust between IdP and SP Multiple bindings, not just HTTP Supports Identity provider initiated

authentication

SAML (Google Apps)

SAML Example<saml:Assertion

ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac“ Version="2.0"

IssueInstant="2004-12-05T09:22:05">

<saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>

<ds:Signature>...</ds:Signature>

<saml:Conditions

NotBefore="2004-12-05T09:17:05" NotOnOrAfter="2004-12-05T09:27:05">

</saml:Conditions>

<saml:AttributeStatement>

<saml:Attribute x500:Encoding="LDAP" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">

<saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue>

<saml:AttributeValue xsi:type="xs:string">staff</saml:AttributeValue>

</saml:Attribute>

</saml:AttributeStatement>

</saml:Assertion>

Microsoft Active Directory Federation Services

SAML-based Typically used to give access to intranet

portals to business partners

Shibboleth

SAML-based federation portal Open Source

Signing in to a federatedweb application

RADIUS Proxy (Eduroam)

Identity Bridges

Identity Bridges:Azure Access Control Service

Virtualization and Cloud Computing Virtualization, Cloud and Security Michael Grafnetter

Documents

virtualization and cloud

Virtualization and Cloud Computingwankarcs/index_files/pdf/gcc...Virtualization and Cloud Computing •Virtualization plays an important role in Cloud computing, since it allows for

Cloud & Virtualization

Cloud Opportunities with Virtualization

Virtualization Into Cloud

virtualization in cloud technology

Virtualization in the Cloud

Cloud Technology: Virtualization

Virtualization and Cloud Solutions

Secure Cloud-Scale Virtualization

Virtualization to the Cloud€¦ · Virtualization is a Catalyst for Cloud Savings from virtualization are significant and undeniable. Virtualization is the technical underpinning

Virtualization & cloud computing

Cloud Computing and Virtualization

NSWI150 - Virtualization and Cloud Computing Cloud

Cloud Standards and Virtualization

Virtualization & Cloud Demystified

Private cloud server virtualization

Virtualization and Cloud Computing - wiki.bdnog.orgwiki.bdnog.org/lib/exe/fetch.php/bdnog9/virtualization-intro.pdf · Virtualization and Cloud Computing. Virtualization Introduction

Data Virtualization in the Cloud: Accelerating Data Virtualization Adoption

Virtualization and Cloud Computing - USENIX · Virtualization and Cloud Computing Server Virtualization Consolidates workload Simplifies resource management Enabling Utility-based