Securing the Data Center against vulnerabilities & Data Protection

Source: 002 - Securing the Data Center against vulnerabilities ... download3.vmware.com/elq/img/5737_APAC_IND_TechDay/site/document/...


Page 1: Securing the Data Center against vulnerabilities & Data Protection

Page 2: Agenda

• Virtualization Technology
• How Virtualization affects the Datacenter Security
• Keys to a Secure Virtualized Deployment and Data Protection
• The Future of Datacenter Security

Page 3: Centralized Management

Diagram: VMware VirtualCenter with shared storage.

Page 4: Centralized Management

Centrally manage your infrastructure from a single console:

• Virtual Machine Management
• Server Provisioning
• Workload Migration
• Resource Management
• Rich Security and Access Controls
• Programmatic Interfaces
• System Monitoring

Page 5: About Templates

A template is a master copy of a VM used to create and provision new VMs.

Page 6: About Clones

A clone is a copy of a VM plus customization.

Page 7: About Snapshots

Snapshots capture the entire state of the VM:

• Memory state
• Settings state
• Disk state

A snapshot preserves the state of the virtual machine so you can return to it repeatedly.

Diagrams: Process Tree; Linear Process (Windows operating system → snapshot 1 → snapshot 2 → snapshot 3 → snapshot 4 → snapshot 5).

Page 8: Guided Consolidation

• DISCOVER: Automatically discovers physical servers
• ANALYZE: Analyzes utilization and usage patterns
• CONVERT: Converts physical servers to VMs placed intelligently based on user response

Lowers training requirements for new virtualization users; steers users through the entire consolidation process.

Page 9: ESXi: Thin, Hardware-Integrated Hypervisor

• 32MB footprint: Increased security and reliability
• No installation: From server boot to running VMs in minutes

Page 10: From server boot to running VMs in Minutes (3i)

1. Power on server and boot into hypervisor
2. Configure Admin Password
3. (optional) Modify network configuration
4. Connect VI Client to IP Address or manage with VirtualCenter

Page 11: ESXi Enables ‘Plug-and-Play’ Datacenter

• DRS + ESXi: “Hot add” of compute capacity
• Standardized and optimized servers as stateless compute nodes
• Plug-and-Play capacity management

ESXi: 32MB thin, production-proven, OS-independent, secure hypervisor

Page 12: Traditional ESX Server

Diagram: RHEL3-based Service Console (running Agents and RPMs) next to the VMkernel (VMM, Helpers, HAL and Device Drivers, Resource Management, Networking, Storage). Figure annotations: 98% / 2%.

Service Console: Disk Footprint 2 GB; Percent of Patches >50%
VMkernel: Disk Footprint 32 MB

Page 13: ESXi Server: Thin Virtualization!

Diagram: the same architecture as page 12 (RHEL3-based Service Console with Agents and RPMs; VMkernel with VMM, Helpers, Resource Management, Networking, Storage, HAL and Device Drivers), with the same figure annotations (98% / 2%) and footprints: Service Console 2 GB and >50% of patches; VMkernel 32 MB.

Page 14: Agenda (section divider; same list as page 2)

Page 15: How Virtualization Affects Datacenter Security

Abstraction and Consolidation

Abstraction (collapse of switches and servers into one device):
• ↑ Flexibility
• ↑ Cost-savings
• ↓ Lack of virtual network visibility
• ↓ No separation-by-default of administration

Consolidation:
• ↑ Capital and Operational Cost Savings
• ↓ New infrastructure layer to be secured
• ↓ Greater impact of attack or misconfiguration

Page 16: How Virtualization Affects Datacenter Security

VM Mobility:
• ↑ Improved Service Levels
• ↓ Identity divorced from physical location

VM Encapsulation:
• ↑ Ease of business continuity
• ↑ Hardware Independence
• ↓ Outdated offline systems

Faster deployment of servers:
• ↑ IT responsiveness
• ↑ Consistency of deployment
• ↓ Lack of adequate planning
• ↓ Incomplete knowledge of current state of infrastructure

Page 17: Biggest Security Risk: Misconfiguration

Neil MacDonald – “How To Securely Implement Virtualization”

“Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement”

Page 18: Agenda (section divider; same list as page 2)

Page 19: VMware Update Manager

• Automates patch management for ESX Server hosts and select Microsoft and RHEL virtual machines
• Scans and remedies online as well as offline virtual machines* and online ESX Server hosts
• Eliminates manual tracking of patch levels of ESX Server hosts and virtual machines
• Automates enforcement of patch standards
• Snapshots virtual machines prior to patching and allows rollback to snapshot
• Reduces risk through snapshots and offline virtual machine patching

Diagram: Update Manager → Host / Server

* Note: RHEL guests can only be scanned, not remediated

Page 20: Non-disruptive ESX Server Patching with Update Manager and DRS

Update Manager patches entire DRS clusters:

• Each host in the cluster enters DRS maintenance mode, one at a time
• VMs are migrated off (VMotion), host is patched & rebooted if required
• VMs are migrated back on
• Next host is selected

Automates patching of a large number of hosts with zero downtime to virtual machines.

Diagram: Patch DB, Patch server, VMotion between the hosts of the cluster.
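The rolling sequence on this slide, as an added simulation that is not VMware code: each host is evacuated with a capacity check before it enters maintenance mode, patched only once it is empty, and then gets its VMs back; host names, capacity units and VM sizes are constructed sample data.

```python
# Added example, not from the VMware deck: a simulation of the rolling patch
# sequence. Hosts are taken one at a time; before a host enters maintenance mode
# the planner must find room on the remaining hosts for every VM on it (the
# VMotion step). If any VM would not fit, the run stops before touching that
# host, because a partial evacuation would mean VM downtime.
# Host names, capacity units and VM sizes are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Host:
    name: str
    capacity: int                                      # abstract units (memory/CPU)
    vms: Dict[str, int] = field(default_factory=dict)  # vm name -> size in units
    patched: bool = False

    def used(self) -> int:
        return sum(self.vms.values())

def plan_evacuation(host: Host, others: List[Host]) -> Optional[Dict[str, str]]:
    """Place each VM (largest first) on the least-loaded other host with room.
    Returns vm -> target host name, or None if the cluster cannot absorb the host."""
    load = {h.name: h.used() for h in others}
    placement: Dict[str, str] = {}
    for vm, size in sorted(host.vms.items(), key=lambda kv: -kv[1]):
        target = min(others, key=lambda h: load[h.name])
        if load[target.name] + size > target.capacity:
            return None
        load[target.name] += size
        placement[vm] = target.name
    return placement

def rolling_patch(cluster: List[Host], log: List[str]) -> bool:
    """Patch every host in turn; no VM is ever left without a running host."""
    by_name = {h.name: h for h in cluster}
    for host in cluster:
        others = [h for h in cluster if h is not host]
        plan = plan_evacuation(host, others)
        if plan is None:
            log.append(f"{host.name}: not enough spare capacity in cluster, stopping")
            return False
        for vm, target in plan.items():              # enter maintenance mode: VMotion off
            by_name[target].vms[vm] = host.vms.pop(vm)
        assert not host.vms                          # host is empty: safe to patch/reboot
        host.patched = True
        log.append(f"{host.name}: patched while {sorted(plan)} ran on other hosts")
        for vm, target in plan.items():              # exit maintenance mode: VMotion back
            host.vms[vm] = by_name[target].vms.pop(vm)
    return True

def make_cluster(vm_size: int) -> List[Host]:
    """Three hosts of capacity 10 with two VMs each (constructed sample data)."""
    return [Host(n, 10, {f"{n}-vm1": vm_size, f"{n}-vm2": vm_size})
            for n in ("esx-a", "esx-b", "esx-c")]
```

With 6 of 10 units used per host the run succeeds; with 8 of 10 used the first evacuation cannot be placed and nothing is patched, which is the capacity reserve an operator has to confirm before starting a cluster-wide remediation.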

Page 21: Data and System Protection – Physical vs. Virtual

Data and system protection with physical infrastructure (diagram: System, Data, configuration):
• Separate processes for protecting data and system disks
• Require identical hardware for guaranteed restore
• Complex processes to ensure protection

Data and system protection with VMware Infrastructure (diagram: System, data, system config):
• Same process for data and system disks
• Entire system stored as data
• Hardware-independent virtual machines are easy to restore to any hardware

Page 22: What to Backup in an ESX Server?

Diagram: ESX Server with Service Console hosting VM 1, VM 2 and VM 3 on VMFS and RDM storage. Per-VM files shown: .vmx, .redo and .vmdk for VM 1 and VM 2; .vmx and .vmdk for VM 3.

Page 23: Approaches when Performing Backup

> Run backup software inside a virtual machine
> Perform off-line backups
> VMware Consolidated Backup

Page 24: VMware Consolidated Backup

> Backup load off ESX Server
> Backup traffic off the LAN
> Backup agents off virtual machines

Page 25: VCB Software

> VCB Software is not a replacement for backup software
> VCB Software integrates with existing backup tools and technologies already in place

Page 26: How VCB Works?

Diagram: VM 1, VM 2 and VM 3 on ESX Server 1 with SAN storage; snapshots of the VM disks are mounted by a centralized physical Backup Proxy Server (Centralized Data Mover), which writes the backup to Disk or Tape.

Page 27: Securing Virtual Machines

Provide Same Protection as for Physical Servers:

• Host: Anti-Virus, Patch Management
• Network: Intrusion Detection/Prevention (IDS/IPS)
• Edge: Firewalls

Page 28: Secure Design for Virtualization Layer

Fundamental Design Principles:
• Isolate all management networks
• Disable all unneeded services
• Tightly regulate all administrative access

Page 29: Enforce Strong Access Controls

Security Principle → Implementation in VI:
• Least Privileges → Roles with only required privileges
• Separation of Duties → Roles applied only to required objects

Diagram: users Joe, Harry and Anne with the roles Administrator, Operator and User.
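The two principles on this slide, as an added model that is not VMware code: roles are sets of privileges, a permission binds a principal to a role on one inventory object (propagating down the tree or not), and the nearest assignment wins; the role names, privilege names, users and inventory tree are constructed assumptions, not the product's own definitions.

```python
# Added example, not from the VMware deck: a small model of VirtualCenter-style
# permissions. A permission is (principal, role, propagate) attached to one
# inventory object; roles are sets of privileges; the nearest assignment on the
# path from the object up to the root wins. Role names, privilege names, users
# and the inventory tree are all constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ROLES: Dict[str, Set[str]] = {
    "Administrator": {"VM.PowerOn", "VM.PowerOff", "VM.Config",
                      "Host.Config", "Perm.Modify"},
    "Operator": {"VM.PowerOn", "VM.PowerOff"},   # only what day-to-day ops needs
    "User": {"VM.Console"},                      # assumed console-only role
}

@dataclass
class Obj:
    name: str
    parent: Optional["Obj"] = None
    perms: Dict[str, Tuple[str, bool]] = field(default_factory=dict)  # principal -> (role, propagate)

def effective_role(obj: Obj, principal: str) -> Optional[str]:
    """Nearest assignment wins; an inherited one applies only if it propagates."""
    node, depth = obj, 0
    while node is not None:
        if principal in node.perms:
            role, propagate = node.perms[principal]
            if depth == 0 or propagate:
                return role
        node, depth = node.parent, depth + 1
    return None

def has_privilege(obj: Obj, principal: str, priv: str) -> bool:
    role = effective_role(obj, principal)
    return role is not None and priv in ROLES[role]

def scope_of(principal: str, inventory: List[Obj]) -> Set[str]:
    """Objects on which the principal holds any role: what a separation-of-duties review checks."""
    return {o.name for o in inventory if effective_role(o, principal) is not None}

def privileges_of(principal: str, inventory: List[Obj]) -> Set[str]:
    """Union of privileges over that scope: what a least-privilege review checks."""
    roles = {effective_role(o, principal) for o in inventory} - {None}
    return set().union(*(ROLES[r] for r in roles))

# Constructed inventory: Datacenter -> folders Web and DB -> one VM each
dc = Obj("Datacenter")
web = Obj("Web", dc)
db = Obj("DB", dc)
web1 = Obj("web-01", web)
db1 = Obj("db-01", db)
INVENTORY = [dc, web, db, web1, db1]
dc.perms["harry"] = ("Administrator", True)   # Harry administers the whole tree
web.perms["joe"] = ("Operator", True)         # Joe power-cycles Web VMs only
db1.perms["anne"] = ("User", False)           # Anne: console on one DB VM only
```

`scope_of` and `privileges_of` are the two questions an access review asks per principal: which objects, and which privileges in total.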

Page 30: Security Advantages of Virtualization

Ease of maintenance:
• Test patches on multiple configurations in a contained environment before rolling them out
• Use snapshots to save the known good state of a virtual machine before trying out something risky
• Production VM can be cloned and then modified off-line while the original one still runs
• Updated VMs can be brought up in parallel with the previous version
• Both can be kept running as long as necessary to validate the new configuration

Page 31: Security Advantages of Virtualization

Better Lifecycle Controls (diagram: Request → Create → Approve → Publish or Retract → Audit Usage → Retain → Dispose → Document → Archive → Delete), with the corresponding operations:
• Request for VM Provisioning
• Route for Audit/Approval
• Deploy from Template
• Power-On or Suspend
• Monitor & Adjust Resources
• Request for …

Page 32: Agenda (section divider; same list as page 2)

Page 33: New Solutions for Reduced Downtime (Availability)

• Fault Tolerance: Zero downtime, zero data loss continuous availability (diagram: App/OS virtual machines on ESX Server, with Server and Storage)
• Data Recovery: Integrated backup and recovery appliance

Page 34: VMware Fault Tolerance 2009 (Availability)

• Single identical VMs running in lockstep on separate hosts
• Zero downtime, zero data loss failover for all virtual machines in case of hardware failures
• Integrated with VMware HA/DRS
• No complex clustering or specialized hardware required
• Single common mechanism for all applications and OS-es

Diagram: FT- and HA-protected App/OS virtual machines across two VMware ESX hosts, one host marked failed (X).

Page 35: Transforming Availability Service Levels

Chart: Hardware Failure Tolerance (vertical axis) against Application Coverage (horizontal axis: 0%, 10%, 100%), with three levels: UNPROTECTED; AUTOMATED RESTART with VMware HA; CONTINUOUS with VMware FT.

Page 36: vCenter Data Recovery 2009 (Availability)

• Agent-less, disk-based backup and recovery of your VMs
• VM or file level restore
• Incremental backups and data de-dupe to save disk space
• Quick, simple and complete data protection for your VMs
• Centralized Management through VirtualCenter
• Cost Effective Storage Management

1. Backup: 1. Schedule backups via VC; 2. Snapshots taken; 3. Data de-duped and stored (De-duplicated Storage)

2. Restore: 1. VM goes down; 2. Select VM images/files to recover; 3. Restore… VM running in seconds

Copyright © 2005 VMware, Inc. All rights reserved.

Page 37: VMware VMsafe (Security)

• API that enables protection of VMs by inspection of virtual components in conjunction with hypervisor
• Isolation of protection engine from malware
• Broad ranging coverage of virtual machine CPU, memory, storage and network

Diagram: Application and Operating System inside the VM; Protection Engine alongside; VMware Infrastructure underneath.

Page 38: Ecosystem Enablement with VMware VMsafe 2009 (Security)

Multi-function Security Appliance:
• Agent-less deployment of partner security services
• Single security VM for multiple security services: AV, Firewall, IPS
• Security policy and state moves with virtual machine
• Integrated, more effective, comprehensive security solutions within the virtual infrastructure
• Better security than physical servers!

Diagram: App/OS virtual machines and a Security VM on each VMware ESX host, connected through the vNetwork Distributed Switch.

Page 39: VMsafe: Broad Security Industry Support

• Enterprise to SMB
• End-points to Gateways
• Anti-Virus to IPS
• Networks to Host
• Audit to Patching
• And Anywhere in between…

Page 40: Thank You

http://www.vmware.com/go/security