VMware Security Briefing
Rob Randell, CISSP
Staff Systems Engineer - Security Specialist
Summary: VMware Approach to Security
Virtualization Security
• Secure hypervisor architecture
• Platform hardening features
• Secure Development Lifecycle
Audit and Compliance
• Prescriptive guidance for deployment and configuration
• Enterprise controls for security and compliance
Security in the Private Cloud
• Virtualization-aware security
• Products taking unique advantage of virtualization
Secure Implementation
VMware ESXi
• Compact footprint (less than 100MB): fewer patches, smaller attack surface
• Absence of general-purpose management OS: no arbitrary code running on server; not susceptible to common threats
Secure Implementation
Platform Hardening
• Integrity in Memory Protection
  ASLR – randomizes where core kernel modules load into memory
  NX/XD – marks writable areas of memory as non-executable
• Kernel Integrity
  Digital signing – ensures the integrity of drivers and modules as they are loaded by the VMkernel
• Integrity on Disk
  TPM – helps assure that the image booting off the disk has not been tampered with since the last reboot (future)
VMware Secure Development Lifecycle Process
VMworld 2009 Session TA2543: VMware’s Secure Software Development Lifecycle
[Diagram: lifecycle stages: Architecture Risk Analysis; Best Practice and Compliance Requirements; Code Analysis & Inspection; Security Testing; Security Response; Training. All governed by the Product Security Policy: protect customer data & infrastructure, enable policy compliance.]
3rd party experts continually involved at various points
Independently validated
• Common Criteria Certification: CC EAL (Evaluation Assurance Level) 4+ certification, the highest recognized level; achieved for VI 3.0 and 3.5; in process for vSphere 4
• DISA STIG for ESX: approval for use in DoD information systems
• NSA Central Security Service guidance for both datacenter and desktop scenarios
How Virtualization Affects Datacenter Security
Confidential
Abstraction and Consolidation: collapse of switches and servers into one device
• ↑ Flexibility
• ↑ Cost savings
• ↓ Lack of virtual network visibility
• ↓ No separation-by-default of administration
• ↑ Capital and operational cost savings
• ↓ New infrastructure layer to be secured
• ↓ Greater impact of attack or misconfiguration
How Virtualization Affects Datacenter Security
Faster deployment of servers / VM Mobility / VM Encapsulation
• ↑ Ease of business continuity
• ↑ Consistency of deployment
• ↑ Hardware independence
• ↓ Outdated offline systems
• ↓ Unauthorized copy
• ↑ Improved service levels
• ↓ Identity divorced from physical location
• ↑ IT responsiveness
• ↓ Lack of adequate planning
• ↓ Incomplete knowledge of current state of infrastructure
• ↓ Poorly defined procedures
• ↓ Inconsistent configurations
How do we secure and make our Virtual Infrastructure compliant?
Use the Principles of Information Security
• Hardening and Lockdown
• Defense in Depth
• Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privileges
• Administrative Controls
For virtualization this means:
• Secure the Guests
• Harden the Virtualization layer
• Set up Access Controls
• Leverage Virtualization Specific Administrative Controls
What Auditors Want to See:
• Network Controls
• Change Control and Configuration Management
• Access Controls & Management
• Vulnerability Management
Network Segmentation
• A trust zone is a network segment within which data flows relatively freely. Data flowing in and out is subject to stronger restrictions.
Trust Zones in a Cloud environment
Isolation in the Architecture
Segment out all non-production networks
• Use VLAN tagging, or
• Use separate vSwitch (see diagram)
Strictly control access to management network, e.g.
• RDP to jump box, or
• VPN through firewall
[Diagram: vSwitch1 with its own vmnic uplinks to the Prod Network, carrying the Production port group to the VM vnics; a separate vSwitch2 with its own vmnic uplinks to the Mgmt Network, carrying the VMkernel Mgmt and Storage port groups that reach vCenter, IP-based storage and other ESX/ESXi hosts.]
VMware vSphere 4 Hardening Guidelines
http://www.vmware.com/resources/techresources/10109
Separation of Duties with vSphere
[Diagram: roles arranged from broad scope to narrow scope: Super Admin at the top; Networking Admin, Server Admin and Storage Admin below; then Operator; then VM Owner at the narrowest scope.]
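The broad-to-narrow scope idea above, as an added teaching model that is not VMware code: permissions are assigned on inventory objects, a permission set on a child object overrides one inherited from an ancestor, and ancestor permissions only apply when propagated. The inventory tree, user names and privilege names are constructed for the example.

```python
# Constructed inventory tree (child -> parent); not a real vCenter export
INVENTORY = {
    "Datacenter": None,
    "Cluster1": "Datacenter",
    "RP-Finance": "Cluster1",
    "vm-fin-01": "RP-Finance",
    "vm-fin-02": "RP-Finance",
    "dvSwitch-Prod": "Datacenter",
}

# Constructed privilege names, illustrating the roles named on the slide
ROLES = {
    "Super Admin": {"*"},
    "Networking Admin": {"Network.Configure"},
    "Server Admin": {"Host.Configure", "VM.Inventory", "VM.PowerOn"},
    "Operator": {"VM.PowerOn", "VM.Console"},
    "VM Owner": {"VM.Console"},
}

def effective_role(assignments, user, obj):
    """Nearest assignment wins: a permission on a child object overrides one
    inherited from an ancestor, and ancestors count only if propagated."""
    node, inherited = obj, False
    while node is not None:
        for a_user, a_obj, role, propagate in assignments:
            if a_user == user and a_obj == node and (propagate or not inherited):
                return role
        node, inherited = INVENTORY[node], True
    return None

def can(assignments, user, obj, privilege):
    role = effective_role(assignments, user, obj)
    if role is None:
        return False          # no permission anywhere up the tree: deny
    privs = ROLES[role]
    return "*" in privs or privilege in privs

def demo():
    assignments = [  # (user, object, role, propagate)
        ("alice", "Datacenter", "Super Admin", True),       # broadest scope
        ("bob", "dvSwitch-Prod", "Networking Admin", True),  # network objects only
        ("carol", "RP-Finance", "Operator", True),           # one resource pool
        ("carol", "vm-fin-02", "VM Owner", False),           # narrower on one VM
    ]
    return {
        "admin_anywhere": can(assignments, "alice", "vm-fin-01", "VM.PowerOn"),
        "net_admin_no_vm": can(assignments, "bob", "vm-fin-01", "VM.PowerOn"),
        "net_admin_switch": can(assignments, "bob", "dvSwitch-Prod", "Network.Configure"),
        "operator_in_pool": can(assignments, "carol", "vm-fin-01", "VM.PowerOn"),
        "owner_overrides_operator": can(assignments, "carol", "vm-fin-02", "VM.PowerOn"),
    }
```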
Administrative Controls for Security and Compliance
| Requirement | VMware Products/Features | Partner Products |
| --- | --- | --- |
| Configuration management, monitoring, auditing | Host Profiles; Templates; vCenter Event-based Alarms; vCenter Orchestrator; Scripting; VMware vCenter Virtual Configuration Manager | Hytrust Appliance; NetIQ Secure Configuration Manager; Tripwire Enterprise for VMware |
| Vulnerability Management | VMware Update Manager | Shavlik NetChk Protect |
| Access Controls and Management | vCenter Roles and Permissions; vCenter event logging; ESX/ESXi logging | Hytrust Appliance; Catbird |
| Network Controls | VMware vShield; vNetwork Distributed Switch | Cisco, Checkpoint, Reflex, Third Brigade, Altor, ISS/IBM, and more |
2010 – Introducing vShield Products
Securing the Private Cloud End to End: from the Edge to the Endpoint
[Diagram: two VMware vSphere environments hosting a DMZ, Application 1 and Application 2.]
• Edge – vShield Edge: secure the edge of the virtual datacenter
• Security Zone – vShield App and Zones: create segmentation between enclaves or silos of workloads
• Endpoint = VM – vShield Endpoint: offload anti-virus processing
• vShield Manager: centralized management
vShield Edge: Secure the Edge of the Virtual Data Center
[Diagram: VMware vSphere with Tenant A and Tenant X, each behind a vShield Edge providing load balancer, firewall and VPN.]
Features
• Multiple edge security services in one appliance
• Stateful inspection firewall
• Network Address Translation (NAT)
• Dynamic Host Configuration Protocol (DHCP)
• Site to site VPN (IPsec)
• Web Load Balancer
• Edge port group isolation
• Detailed network flow statistics for chargebacks, etc.
• Policy management through UI or REST APIs
• Logging and auditing based on industry standard syslog format
vShield Edge Install and Configure
Installed per Port Group in the ‘networking’ view on the DVS
Edge creates a logical perimeter based on the Port Group
• Creates a secure Port Group and is installed on the boundary of that port group
• The Port Group at Layer 2 should be backed by a VLAN or vShield Port Group isolation (solves the VLAN sprawl issue)
• Edge has two interfaces, External and Internal: Internal connects to the secure port group it protects; External interfaces with the uplink (externally facing)
Policies are set as a 5-tuple: Src/Dest IP address, Src/Dest port and service
• Edge protects the port group on the inside and has an external IP address
• Performs Network Address Translation (NAT) to connect the VMs to the Internet
• IPsec VPN set up for secure connectivity to remote resources with Cisco, Checkpoint or any other VPN termination
• Load balancer capabilities for the servers hosted in the vDC
vShield App: Application Protection for Network-Based Threats
[Diagram: VMware vSphere with DMZ, PCI and HIPAA zones.]
Features
• Hypervisor-level firewall
• Inbound, outbound connection control applied at vNIC level
• Elastic security groups – “stretch” as virtual machines migrate to new hosts
• Robust flow monitoring
• Policy Management
• Simple and business-relevant policies
• Managed through UI or REST APIs
• Logging and auditing based on industry standard syslog format
vShield App Install and Configure
vShield App is installed on every ESX host
• Controls and monitors all network traffic on the host, even for packets that never cross a physical NIC.
vShield App uses intuitive policy constructs
• Containers from vCenter (resource pools, VMs) can be used directly to create business-like policies
• Security groups can be created by grouping vNICs of dual-homed VMs for additional granularity
• 5-tuple classic rules also apply
• IP-based stateful firewall and application layer gateway for a broad range of protocols including Oracle, FTP, Sun/Linux/MS RPC, etc.
Flow monitoring to observe network activity
• Between virtual machines, to help define and refine firewall policies
• Identify botnets, and secure business processes through detailed reporting of application traffic (application, sessions, bytes).
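The vShield Edge 5-tuple policies and the vShield App container-based security groups described above, as one added teaching model that is not VMware code: rule endpoints can be a vCenter-style group of vNICs or a CIDR, first match wins with an implicit deny, and group membership follows the vNIC rather than the host, so a decision is unchanged after a vMotion. The host names, vNIC ids, addresses and rules are constructed; source port is left out of the tuple for brevity.

```python
from ipaddress import ip_address, ip_network

class VnicPolicy:
    """Teaching model (not VMware code) of vNIC-level 5-tuple rules whose
    endpoints can be vCenter containers (security groups) instead of IPs."""
    def __init__(self):
        self.groups = {}  # group name -> set of vNIC ids (membership, not IPs)
        self.vnics = {}   # vNIC id -> {"ip": ..., "host": ...}
        self.rules = []   # first match wins; implicit deny at the end
    def add_group(self, name, *vnic_ids):
        self.groups.setdefault(name, set()).update(vnic_ids)
    def place(self, vnic_id, ip, host):
        # Called on deploy and again on vMotion: the host changes, the group does not
        self.vnics[vnic_id] = {"ip": ip, "host": host}
    def add_rule(self, src, dst, proto, dport, action):
        # src/dst: "any", a group name, or a CIDR; dport None means any port
        self.rules.append((src, dst, proto, dport, action))

    def _matches(self, selector, vnic_id, ip):
        if selector == "any":
            return True
        if selector in self.groups:
            return vnic_id in self.groups[selector]
        return ip_address(ip) in ip_network(selector)

    def decide(self, src_vnic, dst_vnic, proto, dport):
        s, d = self.vnics[src_vnic], self.vnics[dst_vnic]
        for src, dst, rproto, rport, action in self.rules:
            if rproto not in ("any", proto) or rport not in (None, dport):
                continue
            if self._matches(src, src_vnic, s["ip"]) and self._matches(dst, dst_vnic, d["ip"]):
                return action
        return "deny"

def demo():
    p = VnicPolicy()
    p.add_group("web", "vnic-web1")
    p.add_group("db", "vnic-db1")
    p.place("vnic-web1", "10.1.1.10", "esx01")
    p.place("vnic-db1", "10.1.2.20", "esx01")
    p.place("vnic-ops1", "10.9.0.5", "esx02")       # not in any group
    p.add_rule("web", "db", "tcp", 1521, "allow")    # Oracle only from the web tier
    p.add_rule("any", "db", "any", None, "deny")     # nothing else reaches the DB
    p.add_rule("10.9.0.0/16", "web", "tcp", 443, "allow")
    before = p.decide("vnic-web1", "vnic-db1", "tcp", 1521)
    p.place("vnic-web1", "10.1.1.10", "esx02")       # vMotion: same vNIC, new host
    return {"web_db_before": before,
            "web_db_after_vmotion": p.decide("vnic-web1", "vnic-db1", "tcp", 1521),
            "ops_db": p.decide("vnic-ops1", "vnic-db1", "tcp", 1521),
            "ops_web_https": p.decide("vnic-ops1", "vnic-web1", "tcp", 443),
            "web_db_ssh": p.decide("vnic-web1", "vnic-db1", "tcp", 22)}
```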
Leveraging Virtualization for Better-than-Physical Security
Issues
• “AV storms” can cause 100% saturation in shared compute (CPU) and SAN/NAS (storage I/O) environments
• Traditional agents are resource intensive - not optimized for high utilization, efficient clouds
• Up to 6 GB on VMware View desktops
Opportunities
• Leverage hypervisor to offload AV functions from agents into a dedicated security VM
• Deploy security in a more agile, service-driven manner to both private and public cloud environments
[Diagram: VMware vSphere with introspection: a hardened security VM (SVM) running the AV engine beside several guest VMs (APP, OS Kernel, BIOS).]
Overview: vShield Endpoint Components
[Diagram: on an ESX 4.1 host (vSphere Platform), a Security VM (OS, Kernel, BIOS) runs the Partner Agent on top of the vShield Endpoint Library, whose EPsec interface covers on access scans, on demand scans, remediation, caching & filtering and a status monitor; Guest VMs (APPs, OS, Kernel, BIOS) run the Guest Driver; the vShield Endpoint ESX Module sits in the host; vShield Manager 4.1 (REST interface) and vCenter are used by the VI Admin and the Security Admin; a Partner Management Console manages the partner side. Legend: partner components; partner-facing components and APIs; vShield Endpoint components; VMware platform; VMware internal interfaces; partner accessible interfaces.]
Sequence Diagram for On Access Scans
[Diagram: Guest VM (APPs and EPsec Thin Agent) on the left, Security VM (EPsec Lib and Partner Agent) on the right, time running downward. Messages in order: a file event reaches the thin agent, which checks "excluded by filter?" and "result cached?"; if neither applies the file event is forwarded to the security VM; the partner agent checks "data cached?" and otherwise issues a file data request (*) answered with file data (*); the scan result is returned, cached, and the result is delivered back to the guest.]
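The on-access scan flow in the sequence diagram above, as an added simulation that is not VMware's or any partner's code: the thin agent applies the exclusion filter and result cache inside the guest, forwards only cache misses, and the scanner in the security VM pulls file data on request and keeps its own data cache. Paths, extensions, file contents and the signature table are constructed for the example.

```python
import hashlib

class PartnerAgent:
    """Scanner inside the security VM: sees file bytes only on request."""
    def __init__(self, signatures):
        self.signatures = signatures  # constructed: sha256 hex -> verdict
        self.data_cache = {}          # the "data cached?" step on the SVM side
        self.scans = 0
    def scan(self, file_key, fetch):
        data = self.data_cache.get(file_key)
        if data is None:
            data = fetch()            # "* file data request" -> "* file data"
            self.data_cache[file_key] = data
        self.scans += 1
        return self.signatures.get(hashlib.sha256(data).hexdigest(), "clean")

class ThinAgent:
    """Guest driver: exclusion filter and result cache, then hand-off to the SVM."""
    def __init__(self, partner, excluded_ext):
        self.partner = partner
        self.excluded_ext = excluded_ext
        self.result_cache = {}        # (path, version) -> verdict
        self.forwarded = 0            # file events that crossed into the SVM
    def file_event(self, path, version, read_file):
        if path.rsplit(".", 1)[-1].lower() in self.excluded_ext:
            return "skipped"          # "excluded by filter?"
        key = (path, version)         # version changes when the file is modified
        if key in self.result_cache:
            return self.result_cache[key]   # "result cached?"
        self.forwarded += 1
        verdict = self.partner.scan(key, read_file)
        self.result_cache[key] = verdict    # cache the scan result in the guest
        return verdict

def demo():
    bad_sample = b"constructed-sample-bad-content"   # not a real malware sample
    partner = PartnerAgent({hashlib.sha256(bad_sample).hexdigest(): "malicious"})
    guest = ThinAgent(partner, {"log", "txt"})
    results = [
        guest.file_event("C:/app/run.exe", 1, lambda: b"MZ good binary"),
        guest.file_event("C:/app/run.exe", 1, lambda: b"MZ good binary"),  # cache hit
        guest.file_event("C:/app/run.exe", 2, lambda: b"MZ good binary"),  # modified: rescan
        guest.file_event("C:/logs/app.log", 1, lambda: b"line"),           # excluded
        guest.file_event("C:/tmp/drop.exe", 1, lambda: bad_sample),
    ]
    return results, guest.forwarded, partner.scans
```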
Where to Learn More
Security
• Hardening Best Practices
• Implementation Guidelines
http://vmware.com/security
Compliance
• Partner Solutions
• Advice and Recommendation
http://vmware.com/go/compliance
Operations
• Peer-contributed Content
http://viops.vmware.com
Questions?
Rob Randell, CISSP
Senior Security and Compliance Specialist