Virtualization Security Best Practices

IBM Institute for Advanced Security

November, 2010

© 2010 IBM Corporation

IBM Internet Security Systems

Virtualization Security Best Practices

Moderator

 Charles Palmer, Director of the Institute for Advanced Security, IBM

Expert Panelists

 Edward L. Haletky, Analyst, The Virtualization Practice, LLC virtualizationpractice.com

 David Abercrombie, Senior Product Manager, Server Protection Solutions - IBM

 Ajay Dholakia, Senior Technical Staff Member, System x - IBM


Agenda

 Introduction and Overview of Virtualization – Charles Palmer

 Virtualization: The Basics - Edward L. Haletky virtualizationpractice.com

 Virtualization Approaches – David Abercrombie

 Virtualization Requirements and Imperatives – Ajay Dholakia

 Questions & Answers


The Virtualization Journey

Server, storage and network virtualization progress through four stages of increasing agility:

Consolidate Resources
• Improved efficiency and utilization of IT resources with simple virtualization tools

Manage Workloads
• Improved IT staff productivity with an integrated systems management dashboard for physical and virtual resources

Automate Processes
• Consistent and repeatable processes based on best practices, business priorities and service level agreements, with simple virtualization tools

Optimize Delivery
• Self-provisioned by users based on business imperatives, unconstrained by physical barriers or location

Virtualization Security Review

Edward L. Haletky


The Hypervisor

The slides build up the hypervisor as a stack of layers, from the bottom up:

Hardware Layer
Driver/Module Layer
Kernel Layer
Virtual Machine Manager
Guest OS Layer
Application Layer

The driver/module, kernel and virtual machine manager layers, running directly on the hardware, make up the hypervisor; the guest OS and application layers run inside each virtual machine on top of it.

Hypervisor Basics

How the hypervisor protects itself, or the internal workings of a hypervisor

Understand Hypervisor Security: Access to CPU

The hypervisor controls the CPU:
• It schedules VMs on each physical core, CPU or hyperthread
• It has complete control over how cores are assigned to vCPUs
• Some CPU capacity is consumed by the hypervisor itself, its virtual switches, and other hypervisor services

Understand Hypervisor Security: Access to Memory

The hypervisor also mediates every access a VM makes to memory. The mechanisms shown in the slides, on ESX:
• Memory assignment: the vmkernel maps each VM's guest-physical pages onto host memory
• Memory ballooning (ESX vmkernel): a balloon driver inside the guest is inflated so the vmkernel can reclaim guest pages
• Memory compression: reclaimed pages are compressed in a per-VM cache instead of being swapped
• Memory swapping: reclaimed pages are written to the VM's .vswp file on the datastore
• Content-based page sharing (ESX): pages from different VMs are compared and, when identical, backed by a single shared copy

Caveat for practitioners: with swapping and page sharing, a guest's memory contents exist outside the guest, in a .vswp file on shared storage and in pages shared with other VMs. Anyone with access to the datastore can read swapped guest memory, which is one reason the imperatives at the end of this deck insist that only the hypervisor be able to reach a LUN assigned to it.

Understanding Hypervisor Security: ESX Network Protections

Layer-2 attacks that a learning physical switch is exposed to, and which the ESX vSwitch is designed to resist:
• MAC flooding (overflowing the switch's CAM table so that it floods frames to every port)
• 802.1q and ISL tagging attacks
• Double encapsulation attacks
• Multicast brute force attacks
• Spanning tree attacks
• Random frame attacks

The vSwitch is not a learning switch: it knows each vNIC's MAC address from the VM's configuration rather than learning it from traffic, so it has no CAM table to overflow, and it does not participate in spanning tree. The slide's diagram shows VMs on port groups PG-100 and PG-200 and the upstream physical L2 switch with its CAM table, with each attempt blocked (X) at the vSwitch before it reaches the other port group or the physical switch.

Understanding Hypervisor Security: ESX Network Protections (continued)

Guest-originated attacks that the vSwitch/port group security policies stop when they are set to Reject:
• MAC spoofing by the guest OS: "MAC Address Changes – Reject" disables the port of any guest that changes its MAC away from the one in the VM's configuration
• Promiscuous-mode vNICs within the guest OS: "Promiscuous Mode – Reject" delivers to a vNIC only the frames addressed to it
• Forged transmits from the guest OS: "Forged Transmits – Reject" drops outbound frames whose source MAC differs from the vNIC's effective MAC

What the vSwitch does not protect against:
• ARP cache poisoning is still possible: the policies check Ethernet source MACs, not the contents of ARP replies
• Any vulnerabilities in a replacement (third-party) vSwitch
• VMDirectPath: a VM given a physical NIC through VMDirectPath bypasses the vSwitch, and therefore all of the protections above
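The following is an added example, not code from the presentation or from VMware: a small model of the three port group security policies described above, applied to constructed VMs, MAC addresses and port group names, plus an audit that flags port groups not set to Reject and vNICs using VMDirectPath, which no vSwitch policy can cover. Real ESX also delivers multicast to non-promiscuous ports; the model only handles unicast and broadcast.

```python
"""Model of ESX standard vSwitch / port group security policies.

Added example; not code from the presentation or from VMware. It models the
three policies the slides name (MAC address changes, forged transmits,
promiscuous mode) and the VMDirectPath bypass on a constructed inventory.
All port group, VM and MAC names are illustrative.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACCEPT, REJECT = "accept", "reject"


@dataclass
class SecurityPolicy:
    mac_changes: str = REJECT
    forged_transmits: str = REJECT
    promiscuous: str = REJECT


@dataclass
class Port:
    """One vNIC plugged into a port group."""
    vm: str
    initial_mac: str                     # MAC recorded in the VM's configuration (.vmx)
    effective_mac: Optional[str] = None  # MAC the guest OS currently uses
    wants_promiscuous: bool = False      # guest put its NIC into promiscuous mode
    directpath: bool = False             # VMDirectPath: physical NIC handed to the VM

    def __post_init__(self):
        self.initial_mac = self.initial_mac.lower()
        self.effective_mac = (self.effective_mac or self.initial_mac).lower()


def port_enabled(port: Port, policy: SecurityPolicy) -> bool:
    """'MAC Address Changes: Reject' disables a port whose guest changed its
    MAC away from the initial MAC, until the two match again."""
    return policy.mac_changes == ACCEPT or port.effective_mac == port.initial_mac


def guest_changes_mac(port: Port, policy: SecurityPolicy, new_mac: str) -> bool:
    """Guest OS reconfigures its NIC's MAC; returns whether traffic still flows."""
    port.effective_mac = new_mac.lower()
    return port_enabled(port, policy)


def may_transmit(port: Port, policy: SecurityPolicy, src_mac: str) -> bool:
    """Outbound check: 'Forged Transmits: Reject' drops a frame whose source
    MAC differs from the port's effective MAC."""
    if not port_enabled(port, policy):
        return False
    return policy.forged_transmits == ACCEPT or src_mac.lower() == port.effective_mac


def may_receive(port: Port, policy: SecurityPolicy, dst_mac: str) -> bool:
    """Inbound check: a port sees frames for its own MAC and broadcast; other
    ports' unicast only if the guest asked for promiscuous mode AND the
    policy allows it ('Promiscuous Mode: Reject' means it never does)."""
    dst = dst_mac.lower()
    if dst in (port.effective_mac, "ff:ff:ff:ff:ff:ff"):
        return port_enabled(port, policy)
    return port.wants_promiscuous and policy.promiscuous == ACCEPT


def audit(portgroups) -> List[Tuple[str, str]]:
    """Flag every policy not at Reject, and every VMDirectPath vNIC, which the
    vSwitch policy cannot protect at all (its traffic never crosses the vSwitch)."""
    findings = []
    for name, policy, ports in portgroups:
        for setting in ("mac_changes", "forged_transmits", "promiscuous"):
            value = getattr(policy, setting)
            if value != REJECT:
                findings.append((name, f"{setting} is {value}, expected reject"))
        for p in ports:
            if p.directpath:
                findings.append((name, f"{p.vm} uses VMDirectPath; vSwitch policy does not apply"))
    return findings


# Constructed inventory: a hardened DMZ port group and a permissive lab one.
DMZ = ("PG-100", SecurityPolicy(),
       [Port("web01", "00:50:56:aa:00:01"), Port("web02", "00:50:56:aa:00:02")])
LAB = ("PG-200", SecurityPolicy(promiscuous=ACCEPT, forged_transmits=ACCEPT),
       [Port("sniffer", "00:50:56:bb:00:01", wants_promiscuous=True),
        Port("db01", "00:50:56:bb:00:02", directpath=True)])
INVENTORY = [DMZ, LAB]


def demo() -> dict:
    """Exercise the policies on fresh ports so the results are repeatable."""
    dmz_policy, lab_policy = DMZ[1], LAB[1]
    web01 = Port("web01", "00:50:56:aa:00:01")
    eavesdropper = Port("eve", "00:50:56:aa:00:09", wants_promiscuous=True)
    sniffer = Port("sniffer", "00:50:56:bb:00:01", wants_promiscuous=True)
    return {
        "dmz_own_mac_ok": may_transmit(web01, dmz_policy, "00:50:56:aa:00:01"),
        "dmz_forged_dropped": not may_transmit(web01, dmz_policy, "00:50:56:aa:00:02"),
        "dmz_sniff_blocked": not may_receive(eavesdropper, dmz_policy, "00:50:56:aa:00:01"),
        "lab_sniff_allowed": may_receive(sniffer, lab_policy, "00:50:56:bb:00:02"),
        "dmz_mac_change_disables": not guest_changes_mac(web01, dmz_policy, "00:50:56:aa:00:99"),
        "findings": audit(INVENTORY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note what the audit cannot catch: a guest on PG-100 that sends a gratuitous ARP reply with its own, legitimate source MAC passes all three checks, which is the ARP cache poisoning case the slide lists as still possible.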

Virtual Environment Threats

Two sets of threat vectors apply to a virtual environment.

Existing threat vectors (unchanged by virtualization)
• Network attacks
• Worms
• Trojans
• Viruses
• Spam
• DDoS

New threat vectors (introduced by the virtual infrastructure itself)
• Management tools and the management network
• USB over IP
• Backup server
• VM escape
• Introspection APIs

The new vectors are attack surfaces that did not exist before: the management plane, the backup path and the introspection APIs each give whoever controls them a privileged view of every VM on the host, and a VM escape breaks the isolation that the rest of the design assumes.

Virtualization Security Best Practices

David Abercrombie

All information represents IBM's current intent, is subject to change or withdrawal without notice, and represents only IBM ISS' goals and objectives. By providing this information, IBM is not committing to provide this capability.

Security Must Evolve (from static to dynamic security)

Network IPS
– Physical: blocks threats and attacks at the perimeter
– Virtualized: should protect against threats at the perimeter and between VMs

Server Protection
– Physical: secures each physical server with protection and reporting from a single agent
– Virtualized: securing each VM as if it were a physical server adds time, cost and footprint

System Patching
– Physical: patches critical vulnerabilities on individual servers
– Virtualized: needs to protect against vulnerabilities that result from VM state changes (a VM that was powered off or reverted to a snapshot comes back without the patches applied in the meantime)

Security Policies
– Physical: policies are specific to critical applications in each network segment and server
– Virtualized: policies must be able to move with the VMs

Integrated Protection vs. Host-based Protection

Isolation
– Host-based agent: firewall functions only in the context of the VM
– Virtual server protection: firewall enforces virtual network-wide policy

Attack Prevention
– Host-based agent: requires the agent to be present
– Virtual server protection: secures all virtual machines automatically

VM State
– Host-based agent: security is impacted by VM state change
– Virtual server protection: security is not impacted by VM state change

Security Policies
– Host-based agent: policy is enforced only within the VM
– Virtual server protection: policy is enforced outside of the VM and irrespective of the VM's location

Integrated Security Benefits

• Simplified deployment
• Eliminates visibility gaps
– Inter-VM communication
– Discovery
– VM whitelisting/vNAC
• Automated protection
• Advanced security techniques
– Introspection-based malware detection
• Control of resources allocated to security
• More flexible licensing

[Diagram: a security virtual machine (SVM) on the ESX server attaches to the server's vSwitches through VMSafe and provides firewall, intrusion prevention, virtual infrastructure auditing, rootkit detection and discovery for the other VMs on the host.]

Regain Lost Visibility and Control

• Identify VMs that are invisible to traditional discovery tools
• Control unauthorized crossing of trust zones
• Ensure VMs that come online do not introduce vulnerabilities
• Quarantine unauthorized VMs
– VMs that are not considered trusted are given limited network access to the virtual network

Dynamic Environment Protection

• Maintain security posture irrespective of the physical server on which the VM resides
• Abstraction from the underlying physical servers provides dynamic security optimized for mobility

[Diagram: SiteProtector sends policy and updates to, and receives events from, an SVM on each ESX server; each SVM attaches to its server's vSwitches through VMSafe, so a VM that moves from one ESX server to another is protected by the SVM on its new host under the same policy.]

Defense In Depth

Host-Based Agent
• Firewall
• Intrusion Prevention
• Access Management
• Security/Configuration Management
• Malware Detection/Prevention
• File Integrity Monitoring
• Encrypted Traffic Inspection

Security Virtual Machine
• Firewall
• Intrusion Prevention
• Malware Detection/Prevention
• Access Monitoring
• Access Control

Network-Based Appliance
• Firewall
• Intrusion Prevention
• Network Policy Enforcement

Evolution of Secure Virtualization Solutions

• Today: security virtual machines take over some key functions from host-based agents
– Host-level firewall, IPS/IDS, guest security configuration, some anti-malware functions
– Fewer resources (CPU, memory) consumed
– Less intrusive (fewer kernel drivers in the guest)
– Guest OS-independent

• More to come:
– Hardware-level root of trust (TPMs)
– Maturity of virtual machine introspection
– Security component collaboration and automated remediation

Summary

• Virtualization does impact security posture
• "Legacy" tools are still relevant
• New products adapted for virtual environments are available
• No single product provides adequate protection

Virtualization Security Best Practices

Ajay Dholakia


Security complexities raised by virtualization

Complexities
• Dynamic relocation of VMs
• Increased infrastructure layers to manage and protect
– Multiple operating systems and applications per server
• Elimination of physical boundaries between systems
• Manually tracking software and configurations of VMs
• Maintenance of virtual images
– Image sprawl (proliferation)
• Virtual appliances (Trojan horse risk)
• Public cloud risks
– "Black box" sharing in clouds reduces visibility and control
– Privacy and accountability regulations

Before Virtualization
• 1:1 ratio of OSs and applications per server

After Virtualization
• 1:many ratio of OSs and applications per server
• Additional layer to manage and secure

Virtualization security – Driving requirements

Requirements

Secure platforms & engineering process
• Threat and vulnerability management
– Internal / external threat mitigation
• Privileged access
– Role segregation & access control
• Data confidentiality and integrity
– Data at rest (storage) and data in transit (network)

Regulatory compliance
• Multi-tenancy / isolation
– Isolation management of virtual servers
• Image / virtual appliance security
• Consolidated systems security
– Consolidated server, storage and network security management
• Systems integrity management
– Trusted software / firmware / hardware

Virtualization security – Imperatives … The Low Hanging Fruit

Easy steps you can follow, counting down:

7. Do not use paravirtualized drivers within DMZ-based VMs, or in any VM that holds sensitive data, unless there is an absolute performance requirement to do so, and then install only the specific driver needed instead of installing them all.
6. Use a centralized directory service to provide authentication.
5. Use a centralized tool to provide authorization.
4. Use a centralized syslog/log server for collecting audit and standard log data for analysis.
3. Analyze/review your log data daily for issues.
2. Ensure only the hypervisor can access any LUN assigned to a hypervisor.
1. Firewall your virtualization management tools from the rest of your network.
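Steps 4 and 3 say to collect logs centrally and review them daily, but not what to look for. The following is an added example, not part of the presentation: a small review pass over a day of constructed log lines from two hypervisors and a management server. The line layout and the host, user and port group names are all made up for the illustration and are not a vendor's real log format; the point is the three checks, repeated authentication failures against a hypervisor, a vSwitch security policy changed away from Reject, and a VM re-attached to the management port group.

```python
"""Daily review of centralized virtualization logs (added example).

Not part of the original presentation. The log lines and their field layout
are constructed for illustration and are not a vendor's real log format.
Three rules a practitioner would run over the central syslog server each day:
repeated authentication failures per (host, user, source), vSwitch security
policy changes away from Reject, and VMs moved onto a sensitive port group.
"""
import re
from collections import Counter
from typing import Iterator, List, Tuple

# Constructed sample: one day of lines as a central syslog server might hold them.
SAMPLE_LOG = """\
2010-11-03T02:14:07Z esx01 hostd: [auth] User root@10.0.5.23 login failed
2010-11-03T02:14:09Z esx01 hostd: [auth] User root@10.0.5.23 login failed
2010-11-03T02:14:11Z esx01 hostd: [auth] User root@10.0.5.23 login failed
2010-11-03T02:14:13Z esx01 hostd: [auth] User root@10.0.5.23 login failed
2010-11-03T02:14:15Z esx01 hostd: [auth] User root@10.0.5.23 login failed
2010-11-03T08:02:41Z esx02 hostd: [auth] User admin@10.0.1.10 login succeeded
2010-11-03T08:05:12Z esx02 hostd: [net] Portgroup PG-100 security policy changed: forgedTransmits=accept
2010-11-03T09:30:00Z esx01 hostd: [auth] User ops@10.0.1.11 login failed
2010-11-03T10:00:00Z vc01 vpxd: [vm] VM web01 reconfigured: network adapter moved to portgroup Mgmt
2010-11-03T10:01:00Z vc01 vpxd: [vm] VM web02 reconfigured: network adapter moved to portgroup PG-100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): \[(?P<cat>\w+)\] (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"User (?P<user>[^@\s]+)@(?P<src>[\d.]+) login (?P<result>failed|succeeded)")
POLICY_RE = re.compile(
    r"Portgroup (?P<pg>\S+) security policy changed: (?P<setting>\w+)=(?P<value>\w+)")
MOVE_RE = re.compile(
    r"VM (?P<vm>\S+) reconfigured: network adapter moved to portgroup (?P<pg>\S+)")

Finding = Tuple[str, str]  # (rule name, detail)


def parse(text: str) -> Iterator[dict]:
    """Yield one record per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def review(text: str, fail_threshold: int = 5,
           sensitive_portgroups: Tuple[str, ...] = ("Mgmt",)) -> List[Finding]:
    """Run the three daily checks and return the findings in detection order."""
    findings: List[Finding] = []
    failures: Counter = Counter()
    for rec in parse(text):
        msg = rec["msg"]
        if rec["cat"] == "auth":
            a = AUTH_RE.search(msg)
            if a and a["result"] == "failed":
                failures[(rec["host"], a["user"], a["src"])] += 1
        elif rec["cat"] == "net":
            p = POLICY_RE.search(msg)
            # Any security policy value other than Reject weakens the port group.
            if p and p["value"].lower() != "reject":
                findings.append(("policy_weakened",
                                 f"{rec['host']} {p['pg']}: {p['setting']}={p['value']}"))
        elif rec["cat"] == "vm":
            v = MOVE_RE.search(msg)
            # A VM attached to the management port group crosses a trust zone.
            if v and v["pg"] in sensitive_portgroups:
                findings.append(("vm_on_sensitive_pg", f"{v['vm']} moved to {v['pg']}"))
    # Threshold applied per (host, user, source) so a single typo is not an alert.
    for (host, user, src), n in sorted(failures.items()):
        if n >= fail_threshold:
            findings.append(("auth_bruteforce",
                             f"{n} failures for {user} on {host} from {src}"))
    return findings


if __name__ == "__main__":
    for rule, detail in review(SAMPLE_LOG):
        print(f"{rule:20s} {detail}")
```

The authentication rule only works because step 6 put all hypervisor logins behind one directory: with local accounts per host, the same attacker would show up as five unrelated one-failure events across five hosts and never cross the threshold.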

Summary

Virtualization security wrap-up
• It is important to understand the inner workings of a hypervisor and how it protects itself
• Know the types of threats that virtual environments are vulnerable to
• Security posture is impacted by virtualization, and no single product provides adequate protection, but…
• Firewall tools are a good start to protect your virtual environment

Questions & Answers

Thank you!

For more information on Virtualization Security, visit:

IBM Institute for Advanced Security: www.instituteforadvancedsecurity.com

The Virtualization Practice: http://www.virtualizationpractice.com/blog/?page_id=2

Seed Questions

Ed
– How do we handle antivirus, patching and malware?
– Should we be using VLANs? Are they secure?
– Do I have to worry about 'escaping VM' attacks?
– Can you virtualize a DMZ?

Dave
– Performance-wise, how do security virtual machines impact the virtual environment?
– Can security virtual machines be integrated with platforms other than VMware?

Ajay
– Does virtualization improve security or make it more challenging?
– Does security of physical end-points interact with security for virtual end-points, or does it remain separate?