VMware Technical Overview (2012)

Page 1

VMware Expanded: Advanced concepts in virtualization

STEVEN AIELLO: BACHELOR OF SCIENCE, CISSP, VCP, & SOME OTHER CERTS NO ONE CARES ABOUT.

Page 2

Sources & References

CSA Guide v3.0

NIST Special Publication 800-145

Gartner Newsroom

CRN (News Network)

SANS Institute InfoSec Reading Room

Schneier on Security

Threat Analysis Group

Symantec

Securing the Virtual Environment (published May 8th, 2012)

Itnews.com

Snipe.net

Page 3

“Judge a man by his questions rather than his answers.”

~ Francois Marie Arouet Voltaire

Page 4

A Bit About Me

2002 – 2004: Focus1Data. Healthcare billing, financial data, HIPAA.

2004 – 2012 (March): ADP, the world’s largest payroll company (73% of the world’s payroll). Every compliance you can imagine…

2012 – Current: OnlineTech. PCI, HIPAA, SOC 2, operationalizing compliance. “Virtualization Engineering & Systems Support Manager”. Soon to have dev. something in there since I started coding for VMware…

Undergrad at EMU in Technology Management

Graduate student at EMU: Master of Science, concentration in Information Assurance

Page 5

Why Do I Like Virtualization?

It invites chaos

It breaks down walls

It changes the way good engineers will design their networks

It gives me power

It causes fights (I’m being serious)

It will make your life better

Page 6

Why are we here?

We are a security organization

How does VMware play into security?

What other options are there for virtualization besides VMware?

Does VMware introduce new security holes into our environment?

Page 7

Are We Doing Something New?

“Virtualization was first implemented more than 30 years ago by IBM as a way to logically partition mainframe computers into separate virtual machines. These partitions allowed mainframes to multitask.”

Page 8

Why Do We Virtualize?

Run multiple operating systems on a single computer

Reduce capital cost

Energy efficiency

High application availability

Business continuity & disaster recovery

Page 9

What is a VM? Why would you want to use them?

Compatibility

Isolation

Encapsulation

Hardware independence

Infrastructure building blocks

Page 10

Benefits of Virtualization Besides VMs?

If done right, virtualization will change the way you think

Virtualization will change the way you design physical infrastructure

It will make your infrastructure faster (I’m not kidding)

It will give you more control

Virtualization can drive operational efficiency

Page 11

What Options Do I Have?

It turns out, a lot!

VMware

Citrix XenServer

Xen (open source)

Microsoft Hyper-V

Oracle VM

Parallels (used by Media Temple)

Red Hat Enterprise Virtualization

Page 12

Hypervisor Comparison Table

Page 13

XenServer: You get a lot for free!

Hypervisor

Management suite

Snapshot & revert

Live migration (aka vMotion)

$1000 per server:

dVSs

Resource pools

HA

Page 14

Shortcomings of XenServer?

Backup options (limited)

AV at the hypervisor not available

Third-party hardware integration (more on this later)

It’s playing catch-up…

Page 15

Why Use VMware? (I don’t expect you to be able to read this)

It’s secure, really secure, maybe the 2nd most secure piece of non-military code on the market

Common Criteria rating EAL 4+

Broad 3rd-party hardware integration: EMC, NetApp, EqualLogic SAN integration

Automatic host and storage load balancing (DRS)

Automatic VM failover in the event of a hardware failure

Fault Tolerance for non-cluster-aware apps

Great service (once you get someone on the phone)

Memory overcommitment

Thin provisioning

Independent disks

VMware vApps

Pluggable Storage Architecture

VMware SDK

VMware VIX (now in the SDK in ESXi 5.0)

Storage I/O Control

Page 16

How Do I Choose?

Know your environment

Are you going to use the features in VMware you’re going to pay a lot of money for?

Are you multi-tenant?

Is your current hardware on the VMware HCL?

Does your storage infrastructure integrate with VMware’s PSA?

Do you plan on using the SDK?

Page 17

Finding Common Ground

What is our definition of security?

Page 18

CIA Triad!

Page 19

Risk Reaction Options

Mitigate the risk: reduce your attack surface

Avoid the risk: don’t do it

Transfer the risk: insurance

Accept the risk: cost outweighs advantages

Page 20

More Common Ground

Assumption: we are using VMware for some sort of IaaS

Page 21

Tri-Force of Security

Confidentiality (founded predictions): keep your information private

Integrity (unfounded predictions): your data is what it should be

Availability: your data is there when you need it

Page 22

Potential Targets

Hypervisors

Orchestration tools

Administrative machines

API endpoints (very important)

Virtual machines

Applications

Page 23

What’s Juicy?

Statistics from 2010 for VMware

EAL 4+

99 vulnerabilities

7 in VMware’s

3 in the bare-metal hypervisor

1 exploit in the current version

0 exploited in the wild

Page 24

What’s Juicy?

zLinux mainframe

EAL 5

There has never been a reported incident of a zLinux mainframe being hacked or infected by a virus… ever…

http://www.longpelaexpertise.com.au/ezine/zosvUnix.php

Page 25

Availability Attacks

Attack underlying network infrastructure

Failure to control disk I/O in a shared environment

Concurrent provisioning operations

Lack of memory & CPU resource controls

Page 26

Where VMware Shines

Availability!

Page 27

How Does VMware Help? What VMware Offers to Increase Uptime

vMotion

Storage vMotion

Distributed Resource Scheduling

High Availability

Fault Tolerance

Site Recovery Manager (or Veeam)

Reduced network latency

Virtual Distributed Switching

Page 28

What are vDSs?

Page 29

How Does VMware Hurt?

DoS attacks are very possible

Failure to control disk I/O in a shared environment

Concurrent provisioning operations

Lack of memory & CPU resource controls

How do you secure these things when exposing them to clients?

Page 30

Availability Protections

Mitigation tactics

VMware SIOC via VMware’s PSA

Set reservations and limits around multi-tenant solutions

Limit API operations in the environment

Page 31

What if David Copperfield Happens?

Page 32

Setting Limits

VM limits

Memory limits

CPU limits

VMware SIOC via VMware’s PSA
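As an added example (not from the deck), the mitigation tactics and limits from the two slides above expressed in PowerCLI: per-VM CPU and memory reservations and limits for one tenant’s VMs, SIOC enabled on that tenant’s datastore, and an audit for VMs still running unlimited. The vCenter name, folder name, datastore name and the MHz/MB figures are assumed placeholders.

```powershell
# Added example: enforce CPU/memory floors and ceilings for one tenant's VMs,
# enable Storage I/O Control on its datastore, then audit for unlimited VMs.
# Names and sizes below are assumptions, not values from the deck.
Connect-VIServer -Server 'vcenter.example.invalid'   # placeholder vCenter

$tenantFolder = 'Tenant-A'      # assumed VM folder holding one customer's VMs
$tenantDS     = 'Tenant-A-DS'   # assumed datastore backing that tenant
$cpuResMhz    = 1000            # guaranteed floor: a noisy neighbour cannot starve this VM
$cpuLimitMhz  = 4000            # ceiling: this VM cannot starve the rest of the host
$memResMB     = 2048
$memLimitMB   = 8192

foreach ($vm in Get-Folder -Name $tenantFolder | Get-VM) {
    $cfg = Get-VMResourceConfiguration -VM $vm
    # PowerCLI reports -1 for "unlimited"; an uncapped VM can consume the host under load.
    if ($cfg.CpuLimitMhz -eq -1 -or $cfg.MemLimitMB -eq -1) {
        Write-Warning "$($vm.Name) has no CPU or memory limit; applying tenant limits"
    }
    Set-VMResourceConfiguration -Configuration $cfg `
        -CpuReservationMhz $cpuResMhz -CpuLimitMhz $cpuLimitMhz `
        -MemReservationMB  $memResMB  -MemLimitMB  $memLimitMB | Out-Null
}

# Storage I/O Control: the datastore-level throttle that addresses
# "failure to control disk I/O in a shared environment".
Get-Datastore -Name $tenantDS | Set-Datastore -StorageIOControlEnabled $true | Out-Null

# Audit: any VM in the inventory that is still unlimited on CPU or memory.
Get-VM | Get-VMResourceConfiguration |
    Where-Object { $_.CpuLimitMhz -eq -1 -or $_.MemLimitMB -eq -1 } |
    Select-Object VM, CpuReservationMhz, CpuLimitMhz, MemReservationMB, MemLimitMB
```

Reservations must fit within the host or resource pool they belong to, so check the cluster’s total reserved capacity before rolling this out to every tenant.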

Page 33

Confidentiality: How do you design?

Limit ingress & egress options

Firewalling at the hypervisor level (VMware 5.1)

Page 34

Confidentiality Protections

Buy a stinking SSL certificate!

Do not use or write systems that return sensitive data!

Make sure you write scheduling into your operations code

I HATE THIS!

Page 35

Encryption & Its Limitations

Full disk encryption in virtual environments

Hardware-based disk arrays (FIPS 140-2, Federal Information Processing Standard)

Conflicts with VSS (for Windows)

Alternative: use in-application encryption

Alternative: use in-database encryption

Full VMDK encryption in VMware 6.x

Page 36

Integrity Protections, a Beacon of Light?

Trend Micro bought OSSEC

Trend Micro has been a leader in the hypervisor AV space for a few years

OSSEC à la hypervisor via VMware VIX?

Page 37

VMware SDK & VIX

ESXi 4.1 vs ESXi 5.x

Page 38

VMware SDK & VIX

Insert brain here…

Page 39

VMware SDK & VIX

Data center automation

Page 40

VMware SDK & VIX

Poorly documented

SDK mostly for C# & Java

VIX is pretty new to ESXi

VIX is horribly documented

VIX is mainly C++ libraries, with C# & Java ports