© 2010 IBM Corporation Virtualization Security Best Practices IBM Institute for Advanced Security November, 2010

Virtualization Security Best Practices

IBM Institute for Advanced Security

November, 2010

Virtualization Security Best Practices

Moderator

Charles Palmer, Director of the Institute for Advanced Security, IBM

Expert Panelists

Edward L. Haletky, Analyst, The Virtualization Practice, LLC - virtualizationpractice.com

David Abercrombie, Senior Product Manager, Server Protection Solutions - IBM

Ajay Dholakia, Senior Technical Staff Member, System x - IBM

Agenda

Introduction and Overview of Virtualization – Charles Palmer

Virtualization: The Basics - Edward L. Haletky virtualizationpractice.com

Virtualization Approaches – David Abercrombie

Virtualization Requirements and Imperatives – Ajay Dholakia

Questions & Answers

The Virtualization Journey

• Consolidate Resources: Improved efficiency and utilization of IT resources with simple virtualization tools

• Manage Workloads: Improved IT staff productivity with integrated systems management dashboard for physical and virtual resources

• Automate Processes: Consistent and repeatable processes based on best practices, business priorities and service level agreements with simple virtualization tools

• Optimize Delivery: Self provisioned by users based on business imperatives, unconstrained by physical barriers or location.

[Diagram labels: Consolidate Resources, Manage Workloads, Automate Processes, Optimize Delivery; Increased Agility; Network, Storage, Server]

Virtualization Security Review

Edward L. Haletky

The Hypervisor

[Diagram build: layer stack, top to bottom: Application Layer, Guest OS Layer, Virtual Machine Manager, Kernel Layer, Driver/Module Layer, Hardware Layer; the final slide adds the label "Hypervisor"]

Hypervisor Basics

How the Hypervisor Protects Itself

or

Internal Workings of a Hypervisor

Understand Hypervisor Security: Access to CPU

Hypervisor Controls CPU

Understand Hypervisor Security: Access to Memory

[Diagram build; labels: vmkernel, VM, Memory, .vswp, Memory Page, Compare, Ptr]

Understanding Hypervisor Security: ESX Network Protections

[Diagram build; labels: L2-Switch, CAM, PG-100, PG-200, Nexus 1000V, "XX" marks]

Virtual Environment Threats

Two Sets

• Existing Threat Vectors: Worms, Trojans, Virus, Spam, DDoS

• Existing Threat Vectors: Network Attacks

• New Threat Vectors: Management, USB over IP, Backup Server

• New Threat Vectors: VM Escape, Introspection APIs

Virtualization Security Best Practices

David Abercrombie

All information represents IBM's current intent, is subject to change or withdrawal without notice, and represents only IBM ISS’ goals and objectives. By providing this information, IBM is not committing to provide this capability.

Security Must Evolve

[Diagram labels: Static, Dynamic, Security]

Physical

• Network IPS: Blocks threats and attacks at the perimeter

• Server Protection: Secures each physical server with protection and reporting for a single agent

• System Patching: Patches critical vulnerabilities on individual servers

• Security Policies: Policies are specific to critical applications in each network segment and server

Virtualized

• Network IPS: Should protect against threats at perimeter and between VMs

• Server Protection: Securing each VM as if it were a physical server adds time, cost and footprint

• System Patching: Needs to protect against vulnerabilities that result from VM state changes

• Security Policies: Policies must be able to move with the VMs

Integrated Protection vs. Host-based Protection

Host-Based Agent

• Isolation: Firewall functions only in the context of the VM

• Attack Prevention: Requires agent to be present

• VM State: Security is impacted by VM state change

• Security Policies: Policy is enforced only within the VM

Virtual Server Protection

• Isolation: Firewall enforces virtual network-wide policy

• Attack Prevention: Secures all virtual machines automatically

• VM State: Security is not impacted by VM state change

• Security Policies: Policy is enforced outside of the VM and irrespective of the VM's location

IBM Confidential

Integrated Security Benefits

[Diagram: ESX Server with VM, VM, VM, VM and SVM; vSwitch, VMSafe, vSwitch]

• Firewall

• Intrusion Prevention

• Virtual Infrastructure Auditing

• Rootkit detection

• Discovery

Regain Lost Visibility and Control

• Identify VMs that are invisible to traditional discovery tools

• Control unauthorized crossing of trust zones

• Ensure VMs that come online do not introduce vulnerabilities

• Quarantine unauthorized VMs

– VMs that are not considered trusted are given limited network access

[Diagram label: Virtual Network]

Dynamic Environment Protection

[Diagram build: two ESX Servers, each with VMs, an SVM, vSwitches and VMSafe; SiteProtector with Policy, Events and Updates]

• Maintain security posture irrespective of the physical server on which the VM resides

• Abstraction from underlying physical servers provides dynamic security optimized for mobility

Defense In Depth

Host-Based Agent

• Access Management

• Security/Configuration Management

• Malware Detection/Prevention

• File Integrity Monitoring

• Encrypted Traffic Inspection

Security Virtual Machine

• Firewall

• Intrusion Prevention

• Malware Detection/Prevention

• Access Monitoring

• Access Control

Network-Based Appliance

• Firewall

• Intrusion Prevention

• Network Policy Enforcement

• Data Loss Prevention

Host-Based Agent

• Firewall

• Intrusion Prevention

• Access Management

• Security/Configuration Management

• Malware Detection/Prevention

• File Integrity Monitoring

• Encrypted Traffic Inspection

Evolution of Secure Virtualization solutions

Today…

Security Virtual Machines take over some key functions from host-based agents

– Host-level firewall, IPS/IDS, guest security configuration, some anti-malware functions

– Fewer resources (CPU, memory) consumed

– Less intrusive (kernel drivers)

– Guest OS-independent

More to come…

– Hardware-level root-of-trust (TPMs)

– Maturity of virtual machine introspection

– Security component collaboration & automated remediation

Summary

• Virtualization does impact security posture

• “Legacy” tools are still relevant

• New products adapted for virtual environments are available

• No single product provides adequate protection

Virtualization Security Best Practices

Ajay Dholakia

Security complexities raised by virtualization

Complexities

• Dynamic relocation of VMs

• Increased infrastructure layers to manage and protect

• Multiple operating systems and applications per server

• Elimination of physical boundaries between systems

• Manually tracking software and configurations of VMs

• Maintenance of virtual images

• Image sprawl (proliferation)

• Virtual appliances (Trojan Horse)

• Public Cloud risks

– “Black box” sharing in clouds reduces visibility and control

– Privacy and accountability regulations

Before Virtualization

• 1:1 ratio of OSs and applications per server

After Virtualization

• 1:Many ratio of OSs and applications per server

• Additional layer to manage and secure

Virtualization security – Driving requirements

Requirements

• Secure platforms & engineering process

• Threat and vulnerability management

– Internal / external threat mitigation

• Privileged access

– Role segregation & access control

• Data confidentiality and integrity

– Data @ rest (storage), data in transit (network)

• Regulatory compliance

• Multi-tenancy / isolation

– Isolation management of Virtual Servers

• Image / virtual appliance security

• Consolidated systems security

– Consolidated server, storage, net. security mgmt.

• Systems Integrity Management

– Trusted software / firmware / hardware

Virtualization security – Imperatives … The Low Hanging Fruit

Easy steps you can follow

7. Do not use Paravirtualized drivers within DMZ based VMs, or any that hold sensitive data unless there is an absolute performance requirement to do so, and then only use the specific driver instead of installing them all.

6. Use a centralized directory service to provide authentication

5. Use a centralized tool to provide authorization.

4. Use a centralized syslog/log server for collecting audit and standard log data for analysis

3. Analyze/Review your log data daily for issues.

2. Ensure only the hypervisor can access any LUN assigned to a hypervisor.

1. Firewall your virtualization management tools from the rest of your network

Virtualization Security wrap up

• Important to understand the inner workings of a hypervisor and how it protects itself

• Types of threats that virtual environments are vulnerable to

• Security posture is impacted by virtualization and no single product provides adequate protection, but…

• Firewall tools are a good start to protect your virtual environment


Questions & Answers

Thank you!

For more information on Virtualization Security, visit:

IBM Institute for Advanced Security: www.instituteforadvancedsecurity.com

The Virtualization Practice: http://www.virtualizationpractice.com/blog/?page_id=2

Seed Questions

Ed

– How do we handle antivirus, patching and malware?

– Should we be using VLANs? Are they secure?

– Do I have to worry about ‘escaping VM’ attacks?

– Can you virtualize a DMZ?

Dave

– Performance-wise, how do security virtual machines impact the virtual environment?

– Can security virtual machines be integrated with platforms other than VMware?

Ajay

– Does virtualization improve security or make it more challenging?

– Does security of physical end-points interact with security for virtual end-points? Or does it remain separate?