Avoiding Security Mistakes In Virtualized Environments

Ahmed Sallam
Senior Technologist, Software Architecture & Strategy
Chief Software Architect

© 2009 The SANS™ Institute - www.sans.org

SANS McAfee Panel Slides



How to Avoid

– Holistic approach to Virtualization Security
  • VM image files security
  • VMs traditional end point security
  • Securing the virtual network (NIPS, Firewall)
  • Mitigating vulnerable and out of patch VMs

– Security must be “Baked In” when designing Virtual Environments
  • Security at the hypervisor level
  • Security underneath the operating system
  • VMSafe is a good example


Scanning of offline Virtual Images

[Figure: Running VMs and Offline Images. Labels: Scans VMs stored locally; Scans VMs stored centrally.]


Securing underneath the OS: VMSafe example

• Be prepared for a notion of protecting VM
• Monitor & control memory inside VMs


Security underneath the OS: The evolution

• Protection for all virtualized devices


Enterprise Virtual Firewall / NIPS


[Diagram 1: Secure Firewall Virtual Appliance in the “Virtual World” on VMware ESX. Labels: LAN 1, LAN 2, Web Servers, Database Servers, vSwitch0, vSwitch1, vSwitch2, vNic 1, vNic2, Physical NIC, Physical Server, Other Networks. Caption: All traffic entering/leaving the virtual environment goes through the firewall, as well as inter-LAN traffic.]

[Diagram 2: Network Firewall (Virtualized or Not Virtualized) with the “Virtual World” on VMware ESX. Labels: LAN 1, LAN 2, Web Servers, Database Servers, Vswitch (two), Physical NIC1, Physical NIC2, Physical Server, Other Networks. Caption: Physical network firewall inspects inter-LAN traffic as well as inbound/outbound traffic.]
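A check for the property this slide states (all traffic entering or leaving the virtual environment, and inter-LAN traffic, passes through the firewall), as an added example that is not from the original slides. The node names reuse the slide's labels, but the links, the `web-vm`/`db-vm` endpoints and the misconfigured uplink are constructed assumptions.

```python
from collections import deque

# Constructed topology using the slide's labels; the links themselves are an
# assumption about how the diagram is wired, not data from the slides.
GOOD = {
    ("web-vm", "vSwitch1"), ("db-vm", "vSwitch2"),
    ("vSwitch1", "firewall"), ("vSwitch2", "firewall"),
    ("firewall", "vSwitch0"), ("vSwitch0", "physical-nic"),
    ("physical-nic", "other-networks"),
}
# Same topology with one misconfiguration: the database vSwitch also has
# a direct uplink, so its traffic can skip the firewall.
BAD = GOOD | {("vSwitch2", "physical-nic")}
# Endpoints and the zone each belongs to (hypothetical names).
ZONES = {"web-vm": "LAN 1", "db-vm": "LAN 2", "other-networks": "external"}


def reachable(links, start, blocked):
    """Nodes reachable from start over undirected links, never entering blocked."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt != blocked and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def bypass_paths(links, zones, firewall="firewall"):
    """Return sorted (src, dst) endpoint pairs in different zones that can
    still reach each other once the firewall node is removed from the graph."""
    found = []
    for src in sorted(zones):
        hits = reachable(links, src, firewall)
        for dst in sorted(zones):
            if src < dst and zones[src] != zones[dst] and dst in hits:
                found.append((src, dst))
    return found


if __name__ == "__main__":
    print("good:", bypass_paths(GOOD, ZONES))
    print("bad: ", bypass_paths(BAD, ZONES))
```

An empty result means the firewall is on every cross-zone path; any pair returned is a route that needs to be closed or re-homed behind the firewall.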


In Summary

– Tighter integration of security capabilities futures

– Security virtualization challenge has to do with people and processes

– Education on unique virtualization security issues and capabilities.


Thank You
