Upload
others
View
8
Download
0
Embed Size (px)
Citation preview
Securing the Data Center against vulnerabilities & Data Protectionvulnerabilities & Data Protection
Agenda
Virtual Virtualization TechnologyHow Virtualization affects the Datacenter SecurityHow Virtualization affects the Datacenter SecurityKeys to a Secure Virtualized Deployment and Data ProtectionThe Future of Datacenter Security
2
Centralized Management
VMware VirtualCenter
VMware VirtualCenter
SHAREDSTORAGE
33
Centralized Management
2
Centrally manage your infrastructure from a single console
1Virtual Machine
Management
Server Provisioning
Workload Migration
3
g
47Resource
Management
4
6
Programmatic Interfaces
7
System Monitoring
5Rich Security and Access
Controls
6
About TemplatesA template is a master copy of a VM used to create and provision new VMs.
About Clones
A clone is a copy of a VM plus customization.
About Snapshots
S h t t ti
Process Tree
Snapshots capture entire state of the VM
Memory state
Settings stateSettings state
Disk state
A snapshot preserves the state of the virtual machine so you can return to it repeatedly.
Linear Process
snapshot 2 snapshot 3 snapshot 4 snapshot 5Windows operating system snapshot 1
Guided Consolidation
Automatically discovers physicalDISCOVER
Automatically discovers physical serversAnalyzes utilization and usage patternspatternsConverts physical servers to VMs placed intelligently based on user response
ANALYZE
response
Lowers training requirements for new virtualization usersSteers users through the entire consolidation process
CONVERT
ESXi: Thin, Hardware-Integrated Hypervisor
32MB footprint:32MB footprint: Increased securityand reliabilityNo installation: From server boot to running VMs in minutesrunning VMs in minutes
From server boot to running VMs in Minutes3i
1. Power on server and boot into hypervisor
3i
2. Configure Admin Password3. (optional) Modify network
configuration4. Connect VI Client to IP
Address or manage with VirtualCenter
ESXi Enables ‘Plug-and-Play’ Datacenter
DRS + ESXi : “Hot add” of compute capacityStandardized and optimized servers as stateless compute nodesPlug-and-Play capacity management
ESXi: 32MB thin, production-proven, OS-independent, secure hypervisor
Traditional ESX Server
Agent Agent… RPM
98% 2%
RHEL3-basedService Console
Helpers VMMVMM VMM
VMkernel
HAL and Device Drivers
Resource Management
NetworkingStorage
Disk Footprint: 2 GB 32 MBDisk Footprint:Percent of Patches >50%
ESXi Server : Thin Virtualization!
Agent Agent… RPM
98% 2%
RHEL3-basedService Console
VMMVMM VMMHelpers
VMkernel
Resource Management
NetworkingStorage
HAL and Device Drivers
Disk Footprint: 2 GB 32 MBDisk Footprint:Percent of Patches >50%
Agenda
Virtual Virtualization TechnologyHow Virtualization affects the Datacenter SecurityHow Virtualization affects the Datacenter SecurityKeys to a Secure Virtualized Deployment and Data ProtectionThe Future of Datacenter Security
14
How Virtualization Affects Datacenter Security
Abstraction and Consolidation
Collapse of switches and servers into one deviceConsolidation
• ↑ Capital and Operational Cost Savings
• ↓ New infrastructure layer to be secured
servers into one device• ↑ Flexibility• ↑ Cost-savings• ↓ Lack of virtual network
i ibilitbe secured• ↓ Greater impact of attack or
misconfiguration
visibility• ↓ No separation-by-default
of administration
15
How Virtualization Affects Datacenter Security
Faster deployment of
VM Mobility• ↑ Improved Service
VM Encapsulation• ↑ Ease of businessp y
servers• ↑ IT responsiveness• ↓ Lack of adequate
planning
• ↑ Improved Service Levels
• ↓ Identity divorced from physical location
• ↑ Ease of business continuity
• ↑ Consistency of deployment
• ↑ Hardware Independence• ↓ Incomplete
knowledge of current state of infrastructure
Independence• ↓ Outdated offline
systems
16
Biggest Security Risk: Misconfiguration
Neil MacDonald – “How To Securely Implement Virtualization”
“Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement”
Agenda
Virtual Virtualization TechnologyHow Virtualization affects the Datacenter SecurityHow Virtualization affects the Datacenter SecurityKeys to a Secure Virtualized Deployment and Data ProtectionThe Future of Datacenter Security
18
VMware Update Manager Automates patch management for ESX Server hosts and select Microsoft and RHEL virtual machines
Scans and remedies online as well as offline virtual machines* and online ESX Server hosts
Eliminates manual tracking of patch
Snapshots virtual machines prior to patching and allows rollback to snapshot
levels of ESX Server hosts and virtual machinesAutomates enforcement of patch
Update Host standardsReduces risk through snapshots and offline virtual machine patching
UpdateManager
HostServer
19 * Note: RHEL guests can only be scanned, not remediated
Non-disruptive ESX Server Patching with Update Manager and DRSand DRS
Update Manager patches entire DRS clusters
Each host in the cluster Patch
DBenters DRS maintenance mode, one at a timeVMs are migrated off, host is patched & rebooted if
VMotionVMotion
Patch server
patched & rebooted if requiredVMs are migrated back onNext host is selectedVMotionVMotion
Automates patching of large number of hostslarge number of hosts with zero downtime to virtual machines
20
Data and System Protection – Physical vs. Virtual
Data and system protection with physical infrastructure
Separate processes for protecting data System• Separate processes for protecting data and system disks
• Require identical hardware for guaranteed restore
y
DataSystem
configurationg• Complex processes to ensure protection
Data and system protection with VMware Infrastructure
• Same process for data and system disks
E ti t t d d t• Entire system stored as data • Hardware-independent virtual
machines are easy to restore to any hardware
System, data, system config
What to Backup in a ESX Server?
VM 3VM 2VM 1
VMFS RDMVMFS RDM
.vmx
.redo
.vmdk
.vmx
.redo
.vmdk
.vmx
.vmdk
ESX Server
Service Console
22
Approaches when Performing Backup
> R b k ft i id i t l hi> Run backup software inside a virtual machine
> Perform off-line backups
> VMware Consolidated Backup
23
VMware Consolidated Backup
> Backup load off ESX Server
> Backup traffic off the LAN> Backup traffic off the LAN
> Backup agents off virtual machines
24
VCB Software
> VCB Software is not a replacement for backup software
> VCB Software integrates with existing backup g g ptools and technologies already in place
25
How VCB Works?
VM 1 VM 2 VM 3Backup Disk Tape
OR
ESX Server 1Centralized
unt
Physical
Backup Proxy Server
Centralized Data Mover
MouPhysical
Server
snapshot
snapshot
SANStorage
snapshot
snapshot
26
Securing Virtual Machines
Provide Same Protection as for Physical Servers
HostAnti Virus
y
Anti-Virus
Patch Management
NetworkNetworkIntrusion Detection/Prevention (IDS/IPS)(IDS/IPS)
EdgeFirewallsFirewalls
27
Secure Design for Virtualization LayerFundamental Design Principles• Isolate all management
networks• Disable all unneededDisable all unneeded
services• Tightly regulate all
administrative access
28
Enforce Strong Access Controls
Security Principle
Implementation in VI
Least Privileges
Roles with only required privileges
S ti f R l li d l t
Joe
Separation of Duties
Roles applied only to required objects
Ad i i t t
Harry
Administrator
Operator
UserAnne
29
Security Advantages of Virtualization
Ease of maintenanceTest patches on multiple configurations in containedTest patches on multiple configurations in contained environment before rolling them out
Use snapshots to save the known good state of a virtual hi b f t i t thi i kmachine before trying out something risky
Production VM can be cloned and then modified off-line while the original one still runs.
Updated VMs can be brought up in parallel with the previous version
Both can be kept running as long as necessary to validate the new configurationg
30
Security Advantages of Virtualization
Publish or Retract
Audit Usage
Retain
Create Approve
BetterLifecycleControls
DisposeRequest
Document
Archive
ocu e t
Request for
Monitor & Adjust
Resources
Power-On or
Suspend
Route for Audit/
Approval
Deploy from
Template
Request for VM
Provisioning
Delete
Agenda
Virtual Virtualization TechnologyHow Virtualization affects the Datacenter SecurityHow Virtualization affects the Datacenter SecurityKeys to a Secure Virtualized Deployment and Data ProtectionThe Future of Datacenter Security
32
New Solutions for Reduced DowntimeAvailability
AppOS
AppOS
AppOS
S
ESX ServerZero downtime, zero data loss continuous availability
Fault ToleranceServer
Storage
availability
Integrated backup and Data Recoverygrecovery applianceData Recovery
33
VMware Fault Tolerance 2009
Availability
Single identical VMs running in lockstep on separate hosts
AppApp AppXX App App AppApp
Zero downtime, zero data loss failover for all virtual machines in case of hardware failuresIntegrated with VMware HA/DRS
FTFTHAHAHAHAOSOS OSXX OS OS OSOS
Zero downtime, zero data lossNo complex clustering or specialized
g
VMware ESX
VMware ESX
FTFTHAHAHAHA
X
No complex clustering or specialized hardware requiredSingle common mechanism for all applications and OS-esX
34
Transforming Availability Service Levelsnc
e
VMware FTe To
lera
n
CONTINUOUS
re F
ailu
re AUTOMATEDRESTART
with VMware HA
Har
dwar
UNPROTECTED
0% 10% 100%Application Coverage
0% 10%
35
vCenter Data Recovery 2009
Availability
VirtualCenterAgent-less, disk-based backup and recovery of your VMs
1. Backup
VirtualCenterVM or file level restoreIncremental backups and data de-dupe to save disk space
1. Schedule backups via VC2. Snapshots taken3. Data de-duped and stored
Quick, simple and complete data protection for your VMs Centralized Management through VirtualCenter
2. Restore XDe-duplicated
Storage
VirtualCenterthrough VirtualCenter Cost Effective Storage Management
1. VM goes down2. Select VM images/files
XVirtualCenter
gto recover
3. Restore…VM running in seconds
X36
Copyright © 2005 VMware, Inc. All rights reserved.Copyright © 2005 VMware, Inc. All rights reserved.
VMware VMsafeSecurity
API that enables protection of VMs by inspection of virtual components in conjunction with
Application
components in conjunction with hypervisor Isolation of protection engine from malwareB d i f i t lBroad ranging coverage of virtual machine CPU, memory, storage and network
Operating SystemProtection
Engine
VMware Infrastructure
37
Ecosystem Enablement with VMware VMsafe 2009
Security
Multi-function Security Appliance
Agent-less deployment of partnerAppOS
App
OS
App
OS
App
OS
App
OS Secu
rity
VM
vNetwork Distributed Switch
AppOSSe
curit
yVM
Agent-less deployment of partner security servicesSingle security VM for multiple security services AV, Firewall, IPSSecurity policy and state movesVMware ESXVMware ESX
Integrated more effective
Security policy and state moves with virtual machine
Integrated, more effective, comprehensive security solutions within the virtual infrastructureBetter security than physical servers!
38
VMsafe: Broad Security Industry Support
Enterprise to SMB
End-points to Gateways
Anti-Virus to IPS
Networks to Host
Audit to Patching
And Anywhere in between…
39
Th k YThank You
http://www.vmware.com/go/security