Smau 2010 Milano: AIPSI Seminar on Secure Virtualization


Alessio L.R. Pennasilico
mayhem@aipsi.org
twitter: mayhemspp
Facebook: alessio.pennasilico

Virtualization (in)security

Thursday, 21 October, 2010

Virtualization (in)security mayhem@aipsi.org

$ whois mayhem

Board of Directors: CLUSIT, Associazione Informatici Professionisti, Associazione Italiana Professionisti Sicurezza Informatica, Italian Linux Society, OpenBSD Italian User Group, Hacker’s Profiling Project

Security Evangelist @

Classical threats

Escape from VM

several examples over time,

we will see more in the future :)

Other threats

VM-aware malware

Confidentiality

Can I clone running machines and do whatever I want on the clones?

Management VLAN

The hosts/hypervisors tell each other several interesting things

Where do we route the “service” traffic?

Service traffic

access to the administrative interface

reachability tests for HA

vMotion

iSCSI, NFS

Solutions?

Separate

Filter

Analyze

Logical

Physical

disruption

What happens if I make the IPs monitored for HA management “unreachable”?

Unauthorized access

Brute force?

Exploit (undocumented services)?

Exploit application layer? (SOAP)

netstat

tcp        0      0 0.0.0.0:5989            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:902             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:903             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:427             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
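An added example, not part of the original slides: a small Python audit that parses netstat output like the listing above and separates listeners bound to every interface (0.0.0.0) from those bound only to a management network, so an administrator can see which services are reachable outside the management VLAN. The 10.0.50.0/24 management range, the 8443 listener and the function names are assumptions made for illustration.

```python
import ipaddress

# The seven listeners shown on the slide, plus one constructed line (last)
# bound to a hypothetical management address for contrast.
SAMPLE = """\
tcp        0      0 0.0.0.0:5989            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:902             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:903             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:427             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 10.0.50.10:8443         0.0.0.0:*               LISTEN
"""

MGMT_NET = ipaddress.ip_network("10.0.50.0/24")  # assumed management VLAN


def parse_listeners(text):
    """Return (address, port) for every TCP socket in LISTEN state."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        host, _, port = f[3].rpartition(":")  # rpartition copes with ":::22"
        host = host.strip("[]") or "::"
        if host == "*":
            host = "0.0.0.0"
        out.append((ipaddress.ip_address(host), int(port)))
    return out


def audit(text, mgmt_net=MGMT_NET):
    """Split listeners into wildcard-bound, management-only and other."""
    report = {"wildcard": [], "management": [], "other": []}
    for addr, port in parse_listeners(text):
        if addr.is_unspecified:
            report["wildcard"].append(port)
        elif addr in mgmt_net:
            report["management"].append(port)
        else:
            report["other"].append(port)
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for kind, ports in audit(SAMPLE).items():
        print(f"{kind:11s} {ports}")
```

Every port in the "wildcard" bucket is answered on all of the host's interfaces, so it is a candidate for rebinding to the management interface or for filtering at the network edge.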

Why

intercept / slow down iSCSI / NFS traffic

replicated storage for HA/DR

Migration

Manipulate VMs during migration?

Jon Oberheide, Evan Cooke, Farnam Jahanian: Xensploit
http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf

Migration

I can move infected VMs

from datacenter to datacenter...

Doubts...

“trusted” traffic between datacenters to guarantee VM migration?

Protected traffic?

Trusted traffic / VPN as an administrative access channel?

Dormant VM

outdated policy

outdated signatures (AV, IPS)

can they be tampered with? >;-)

Botnets and Cloud?

Inter-VM traffic

virtual firewalls?

hypervisor features?

third-party products?

Agent-based products

multi-platform?

(includes backup, AV, IPS...)

Budget?

81% of intrusions occur on networks that do not satisfy the requirements of the most widespread standards / best practices / guidelines

Gartner

Conclusions

Use virtualization?

Yes, but…

Separate, Filter, Analyze, Patch

Questions?

These slides are written by Alessio L.R. Pennasilico aka mayhem. They are subject to the Creative Commons Attribution-ShareAlike 2.5 license; you can copy, modify or sell them. “Please” cite your source and use the same licence :)

Thank you for your attention!
