IT Virtualization Security 2009
Integrating Time-proven IT Security Principles with the Advantages of a Virtualized Linux Environment on IBM System z
Dave Rivard
SSH Communications Security
Agenda
• System Virtualization and what is it?
• History and The Mainframe
• How have we gotten to this point?
• Why does the platform still exist?
• z Virtualization Architecture
• Advantages to Mainframe Virtualization
• Disadvantages
• How the heck do we Secure it?
System Virtualization - Overview and Benefits
• Ability to run multiple Operating Systems on a single physical machine
• Can share resources with multiple hosts on the same hardware
• Benefits:
  • Server consolidation and optimization
  • Cost reduction
  • Improved application availability
  • Enhanced manageability
If it's old, does it work?
History
Quote: “Forget about that Mainframe thing, Concentrate on CCMail and Netware 3.1, that dinosaur is dead”
Unnamed IT Manager, Somewhere in Springfield, MA, 1991
How have we gotten to this point?
• IBM needed to open the MVS Operating system to survive
• Decentralization
• Cost
• Flexibility
Why does the platform still exist?
• Reliability
• Standardization
• Vast depth of 3rd party software
• Nobody ever got fired for buying IBM
• Fast transaction processor
• Fast database repository
• Security
z Virtualization Architecture
• z/OS (MVS and DOS too)
• USS – UNIX System Services
• z/VM – 1st to the scene
• LDAP – Out of the box
• z/Linux – How many IFLs can you host on one box?
So what was……
….now is…….
…and has become
Advantages to Mainframe Virtualization
• Scalability
• Flexibility
• Efficiency
• Reduction of Cost
• Z Security
• Improved Quality of Service
Disadvantages
• You just opened your most secure box
• One Vendor
• How do we keep track of who is who?
• How are we going to find all those old Smelly guys?
Security in a z World
Virtualization Security Challenges
• Virtualization introduces a new layer of complexity in the system
  • New threat surface
• Sharing the same resource pool creates single points of failure
  • Compromised hosts also threaten the guests
• Virtualization breaks the traditional three-tier architectural separation
• Complexity of conversion to a virtualized environment
  • Rapid changes in the infrastructure
  • Not enough knowledge of the changed security situation
Virtualized Security policies
• Avoid sharing of IP addresses
• Do not use hosts in situations where there is a risk of infection
  • Example: browsing the internet
• Incorporate virtual machines in the corporate security policy
• Link the physical security outside the pool and virtual security systems under one management to enable defense-in-depth
Authentication
• PAM
• User Store? LDAP, RACF, ACF2, Top Secret?
• Provisioning? Rooms of Administrators?
• Federation
• System and User ID Parameters
• Proper steps and planning to verify users and processes
Audit
• Individual logs?
• Volume of data
• Quality of events
• ID Switching/Generic IDs
• Forensics
Encryption
• Native Hardware Cryptographic Processors
• Telnet
• FTP
Conclusions
• Z virtualized environments are being deployed fast, and their importance in production environments is growing
• A virtualized environment improves security in some areas but also introduces new challenges
• Virtualization requires new security thinking and a careful migration and implementation plan
• Link the virtual and physical security to create a defense-in-depth approach
Resources
• IBM Redbooks: http://www.redbooks.ibm.com
  • z/VM and Linux on IBM System z: The Virtualization Cookbook for SLES 10 SP2
  • z/VM and Linux on IBM System z: Virtualization Cookbook for Red Hat Enterprise Linux 4
• Liberty Alliance: http://www.projectliberty.org/
• NSA: http://www.nsa.gov/ia/_files/factsheets/SOA_security_vulnerabilities_web.pdf
Questions?
Dave [email protected]