Upload
steven-aiello
View
271
Download
5
Embed Size (px)
Citation preview
VMware
Expanded Advanced
concepts in virtualization
STEVEN AIELLO: BACHELORS OF SCIENCE, CISSP, VCP, & SOME OTHER CERTS NO ONE CARES ABOUT.
Sources & References CSA Guide v3.0
NIST Special Publication 800-145
Gartner Newsroom
CRN (News Network)
SANS Institute InfoSec Reading Room
Schneier on Security
Threat Analysis Group
Symantec
Securing the Virtual Environment (Published May 8th 2012)
Itnews.com
Snipe.net
~Francois Marie Arouet Voltaire
“Judge a man by his
questions rather than
his answers."
A Bit About Me 2002 – 2004: Focus1Data
Healthcare Billing, Financial Data, HIPAA
2004 – 2012 (March): ADPWorlds Largest Payroll company (73% of the worlds pay-roll) Every compliance you can imagine…
2012 – Current: OnlineTechPCI, HIPAA, SOC 2, Operationalizing Compliance. “Virtualization Engineering & Systems Support Manager” . Soon to have dev. something in there since I started coding for VMware…
Undergrad EMU in Technology Management
Graduate Student at EMU: Masters of Science concentration in Information Assurance
Why Do I Like Virtualization?
It invites chaos
It breaks down walls
It changes the way good engineers will design
their networks
It gives me power
It causes fights (I’m being serious)
It will make your life better
Why are we here?
We are a security organization
How does VMware play into security?
What other options are there for virtualization
besides VMware?
Does VMware introduce new security holes
into our environment?
Are We Doing Something New?
“Virtualization was first implemented more
than 30 years ago by IBM as a way to
logically partition mainframe computers into
separate virtual machines. These partitions
allowed mainframes to multitask”
Why Do We Virtualize?
Run multiple operating systems on a single
computer
Reduce Capital Cost
Energy efficiency
High application availability
Business continuity & disaster recovery
What is a VM? Why would you
want to use them?
Compatibility
Isolation
Encapsulation
Hardware
independence
Infrastructure building
blocks
Benefits of virtualization Besides
VMs?
If done right, virtualization will change the way you think
Virtualization will change the way you design physical infrastructure
It will make your infrastructure faster (I’m not kidding)
It will give you more control
Virtualization can drive operational efficiency
What Options Do I Have?
It turns out a lot!
VMware
Citrix XenServer
Xen (Open source)
Microsoft Hyper-V
Oracle VM
Parallels (used by Media Temple)
Redhat Enterprise Virtualization
Hypervisor Comparison Table
XenServer You get a lot for free!
Hypervisor
Management Suit
Snapshot & Revert
Live Migration (aka vMotion)
1000$ per server
dVS’s
Resource Pools
HA
Short comings of XenServer?
Backup options (Limited)
AV at the hypervisor not available
Third party hardware integration
It’s playing catch up…
Why Use VMware? I Don’t Expect You To Be Able To Read This
It’s secure, really secure, maybe the 2nd most secure piece of nonmilitary code on the market
Common Criteria rating EAL 4+
Broad 3rd party hardware integration, EMC, NetApp, Equallogic SAN integration
Automatic host and storage load balancing (DRS)
Automatic VM failover in event of a hardware failure
Fault Tolerance for non-cluster aware apps.
Great service (once you get someone on the phone)
Memory over commitment
Thin provisioning
Independent disks
VMware vApps
Pluggable Storage Architecture
VMware SDK
VMware VIX (now in the SDK in ESXi 5.0)
Storage I/O control
How Do I Choose
Know your environment
Are you going to use the features in VMware
you’re going to pay a lot of money for?
Are you multi-tenant?
Is your current hardware on the VMware HCL?
Does your storage infrastructure integrate with
VMware’s PSA?
Do you plan on using the SDK?
Finding Common Ground
What is our definition
of security?
CIA Triad!
Risk Reaction Options
Mitigate RiskReduce your attack surface
Avoid the RiskDon’t do it
Transfer the RiskInsurance
Accept the RiskCost outweighs advantages
More Common Ground
Assumption: We are
using VMware for
some sort of IaaS
Tri-Force of Security
Confidentiality: (Founded predictions)Keep your information private
Integrity: (Unfounded predictions)Your data is what it should be
Availability: Your data is there when you need it
Potential Targets
Hypervisors
Orchestration Tools
Administrative Machines
API Endpoints (very important)
Virtual Machines
Applications
What’s Juicy?
Statistics from 2010 for VMware
EAL 4+
99 Vulnerabilities
7 in VMware’s
3 in the Bare-metal hypervisor
1 exploit in the current version
0 exploited in the wild
What’s Juicy?
zLinux Mainframe
EAL 5
There has never been a reported incident of a
zLinux Mainframe being hacked or infected by
a virus… ever…http://www.longpelaexpertise.com.au/ezine/zosvUnix.php
Availability Attacks
Attack underlying network infrastructure
Failure to control disk I/O in a shared
environment
Concurrent provisioning operations
Lack of memory & CPU resource controls
Where VMware Shines
Availability!
How Does VMware Help? What VMware Offers to Increase Uptime
vMotion
Storage vMotion
Distributed Resource Scheduling
High Availability
Fault Tolerance
Site Recovery Manager (or Veeam)
Reduced network latency
Virtual Distributed Switching
What are vDSs?
How Does VMware Hurt?
DoS Attacks are Very Possible
Failure to control disk I/O in a shared
environment
Concurrent provisioning operations
Lack of memory & CPU resource controls
How do you secure these things when
exposing them to clients?
Availability Protections
Mitigation Tactics
VMware SIOC via VMware’s PSA
Set reservations and limits around multi-
tenant solutions
Limit API operations in the environment
What if David Copperfield Happens?
Setting Limits
VM Limits
Memory Limits
CPU Limits
VMware SIOC via
VMware’s PSA
Confidentiality
How do you
design?
Limit Ingress &
Egress options
Firewalling at the
hypervisor level.
VMware 5.1
Confidentiality Protections
Buy a stinking SSL
certificate!
Do not use or write
systems that return
sensitive data!
Make sure you write
scheduling into your
operations code
I HATE THIS!
Encryption & its Limitations
Full disk encryption in virtual
environments
Hardware based disk arrays (FIPS 140-2)Federal Information Processing Standard
Conflicts with VSS (for Windows)
Alternatives: use in application encryption
Alternatives: use in database encryption
Full VMDK encryption in VMware 6.x
Integrity Protections, a Beacon of
Light?
TrendMicro bought OSSec
TrendMicro has been a leader in the
Hypervisor AV space for a few years
OSSec ala-hypervisor via VMware VIX?
VMware SDK & VIX
ESXi 4.1 vs ESXi 5.x
VMware SDK & VIX
Insert brain here…
VMware SDK & VIX
Data Center Automation
VMware SDK & VIX
Poorly documented
SDK mostly for C# & Java
VIX is pretty new to ESXi
VIX is horribly documented
VIX is mainly C++ libraries, C# & Java ports