Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud
Rob Randell, CISSP, CCSK
Principal Systems Engineer – Security Specialist
Agenda
• Security Perspective on Customer Journey to the Cloud
• Whiteboard Overview of How Virtualization and Cloud Affect Datacenter Security
• How to Secure our Cloud and Make it Compliant
• Network Security and Secure Multi-tenancy in the Cloud
Security Perspective On Customer Deployment Architectures
• Physical deployments are still considered to be most secure and remain in all enterprises
• Air gapped pods are preferred by security teams for virtualized high risk assets (SOX, PCI, DMZ)
• Mixed trust clusters typically have the M&M security model (hard shell, soft interior), blocking important asset migration to them
• Private cloud is an extension of the mixed trust deployment, with more automation and self service
• Dedicated Private Cloud SLAs make it virtually the same risk level as the on-premise deployments
• Multi-tenant Public Cloud is just emerging, with concerns around visibility, audit, control and compliance
[Diagram: deployment stages 0 to 5: Physical; Air Gapped Pods; Mixed Trust Clusters; On-premise Private Cloud; Dedicated Private "Cloud" (eBay, CSC); Public Multi-tenant Cloud (Terremark, EC2)]
The Datacenter needs to be secured at different levels
Perimeter Security (at the vDC edge): keep the bad guys out
• Perimeter security device(s) at the edge
• Firewall, VPN, Intrusion Prevention
• Load balancers
Internal Security: segmentation of applications, servers
• VLAN or subnet based policies
• Interior or Web application Firewalls
• DLP, application identity aware policies
End Point Security
• Desktop AV agents
• Host based intrusion
• DLP agents for privacy
Cost & Complexity
• Sprawl: hardware, FW rules, VLANs
• Rigid FW rules
• Performance bottlenecks
Simple Definition of a Virtual Datacenter
[Diagram: VMware vSphere hosting Tenant 1, Tenant 2, Tenant …, each with App1, App2 and its own DMZ]
• The isolated and secured share of a virtualized multitenant environment.
• Like a physical datacenter shares the Internet for interconnectivity, the tenants of a cloud (public or private) share the local network within the private datacenter or in the service provider's network; and, also like a physical datacenter, each tenant has their own private, isolated, and secured virtual networking infrastructure.
Securing virtual Data Centers (vDC) with legacy security solutions
Legacy security solutions do not allow the realization of true virtualization and cloud benefits
[Diagram: virtualized DMZ with firewalls; Web Zone, Application Zone and Database Zone on separate vSphere hosts, with Perimeter Security, Internal Security and Endpoint Security layers between the Internet and the zones]
• Air Gapped Pods with dedicated physical hardware
• Mixed trust clusters without internal security segmentation
• Configuration Complexity
  o VLAN sprawl
  o Firewall rules sprawl
  o Rigid network IP rules without resource context
• Private clouds (?)
Secure the Underlying Platform FIRST
Use the Principles of Information Security
• Hardening and Lockdown
• Defense in Depth
• Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privileges
• Administrative Controls
For virtualization this means:
• Harden the Virtualization layer
• Set up Access Controls
• Secure the Guests
• Leverage Virtualization Specific Administrative Controls
What Auditors Want to See:
• Network Controls
• Change Control and Configuration Management
• Access Controls & Management
• Vulnerability Management
Protection of Management Interfaces is Key
Segment out all non-production networks
• Use VLAN tagging, or
• Use a separate vSwitch (see diagram)
Strictly control access to the management network, e.g.
• RDP to a jump box, or
• VPN through a firewall
[Diagram: one ESX/ESXi host with two vSwitches backed by vmnic1-4. vSwitch1 carries the Production network for the VMs' vnics; vSwitch2 carries the VMkernel Mgmt and Storage ports, which reach vCenter, IP-based storage and other ESX/ESXi hosts over the Mgmt Network]
VMware vSphere 4 Hardening Guidelines: http://www.vmware.com/resources/techresources/10109
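One way to audit the two rules above (management traffic VLAN-tagged or on its own vSwitch, and no guest on the management network) with PowerCLI, as an added example that is not part of the original deck. It assumes an active Connect-VIServer session and standard vSwitches; distributed port groups are skipped.

```powershell
# Added example, not from the deck: PowerCLI audit of management-network isolation.
# Assumes an active Connect-VIServer session; only standard vSwitches are checked.
function Test-MgmtNetworkIsolation {
    param([Parameter(Mandatory)] $VMHost)
    $findings = @()
    # VMkernel ports on this host that carry management traffic
    $mgmtVmks = Get-VMHostNetworkAdapter -VMHost $VMHost -VMKernel |
        Where-Object { $_.ManagementTrafficEnabled }
    $portGroups = Get-VirtualPortGroup -VMHost $VMHost -Standard
    # Port groups that guest VMs on this host are actually plugged into
    $vmNetworks = Get-VM -Location $VMHost | Get-NetworkAdapter |
        Select-Object -ExpandProperty NetworkName -Unique
    foreach ($vmk in $mgmtVmks) {
        $mgmtPg = $portGroups | Where-Object { $_.Name -eq $vmk.PortGroupName }
        if (-not $mgmtPg) { continue }   # lives on a vDS: audit that separately
        # Rule 1: management is VLAN-tagged or on a vSwitch of its own. A VM port
        # group on the same vSwitch *and* the same VLAN (0 = untagged) puts guests
        # into the management broadcast domain.
        $sameL2 = $portGroups | Where-Object {
            $_.Name -ne $mgmtPg.Name -and
            $_.VirtualSwitchName -eq $mgmtPg.VirtualSwitchName -and
            $_.VLanId -eq $mgmtPg.VLanId -and
            $vmNetworks -contains $_.Name }
        if ($sameL2) {
            $findings += "$($VMHost.Name): $($vmk.Name) shares $($mgmtPg.VirtualSwitchName) VLAN $($mgmtPg.VLanId) with VM port group(s): $($sameL2.Name -join ', ')"
        }
        # Rule 2: no guest VM is attached directly to the management port group
        if ($vmNetworks -contains $mgmtPg.Name) {
            $findings += "$($VMHost.Name): guest VMs attached to management port group '$($mgmtPg.Name)'"
        }
    }
    return $findings
}
# Run across the inventory; an empty result means every host passed
Get-VMHost | ForEach-Object { Test-MgmtNetworkIsolation -VMHost $_ }
```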
Separation of Duties Must Be Enforced
[Diagram: role hierarchy from more power to less power. Super Cloud Admin at the top; below it the Cloud Networking Admin, Cloud Server Admin and Cloud Storage Admin; then Tenant A, Tenant B and Tenant C Admins, each with their own VM Admins]
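A PowerCLI check of vCenter permissions against the hierarchy above, added here as an example and not part of the original deck. The super cloud admin group name and the tenant-to-container mapping are assumptions; the role name 'Admin' is the built-in Administrator role as PowerCLI reports it.

```powershell
# Added example, not from the deck: audit vCenter permissions for separation of duties.
# Assumes an active Connect-VIServer session. Principal and container names are assumed.
$SuperCloudAdmins = 'VSPHERE.LOCAL\SuperCloudAdmins'     # assumed group name
$TenantScope = @{                                         # assumed tenant -> container
    'DOMAIN\TenantA-Admins' = 'Tenant-A'
    'DOMAIN\TenantB-Admins' = 'Tenant-B'
    'DOMAIN\TenantC-Admins' = 'Tenant-C'
}
function Test-SeparationOfDuties {
    $findings = @()
    $root = Get-Folder -NoRecursion          # the vCenter root ("Datacenters") folder
    foreach ($perm in Get-VIPermission) {
        $isRoot = $perm.Entity.Id -eq $root.Id
        # Rule 1: only the super cloud admin group holds Administrator at the root
        if ($isRoot -and $perm.Role -eq 'Admin' -and $perm.Principal -ne $SuperCloudAdmins) {
            $findings += "root Administrator granted to $($perm.Principal)"
        }
        if ($TenantScope.ContainsKey($perm.Principal)) {
            # Rule 2: tenant admins never get the full Administrator role
            if ($perm.Role -eq 'Admin') {
                $findings += "$($perm.Principal) holds Administrator on $($perm.Entity.Name)"
            }
            # Rule 3: tenant admins are anchored at their own container only
            $expected = $TenantScope[$perm.Principal]
            if ($perm.Entity.Name -ne $expected) {
                $findings += "$($perm.Principal) has '$($perm.Role)' on $($perm.Entity.Name), expected $expected"
            }
        }
    }
    return $findings
}
Test-SeparationOfDuties
```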
Air Gapped Design – Costly and Inefficient
[Diagram: Company X, Company Y and Company Z each get a dedicated stack behind the Internet: L2-L3 switch, firewall, load balancer, aggregation and access switches, their own vSphere hosts, and a VPN gateway for remote access]
Multi-tenancy – Physical Firewall and VLAN
[Diagram: Company X, Y and Z share the Internet uplink, the L2-L3 switch, the physical firewalls and the VMware vSphere + vShield hosts. Each company has its own VLAN, mapped to a port group on the vDS/vSS: PG-X (VLAN 1000) for Company X's network, PG-Y (VLAN 1001) for Company Y's, PG-Z (VLAN 1002) for Company Z's. Legend: port group to VM links; virtual to external switch links]
Multi-tenancy Virtualization Aware
[Diagram: Company X, Y and Z port groups PG-X, PG-Y and PG-Z all sit on the Infrastructure VLAN (VLAN 1000) of the vDS, with VMware vSphere + vShield. vShield Edge VMs front the company networks and uplink through the external uplink port group PG-C on the Provider VLAN (VLAN 100) to the L2-L3 switch and the Internet. Legend: internal company links; external uplink; vDS to external switch links; traffic flow not allowed]
Enforce Microsegmentation Inside the vDC
Protect applications against Network Based Threats
• Application-Aware Full Stateful Packet Inspection FW
• Control on per-VM/per vNIC level
• See VM-VM traffic within the same host
• Security groups enforced with VM movement
[Diagram: VMware vSphere + vCenter with ESX Hardening, Cluster A and Cluster B; Virtual Datacenter 1 and Virtual Datacenter 2, with compliance baselines CIS & PCI and DISA & PCI, each with Web, App and Database tiers]
Offload Endpoint Based Security Functions with VM Introspection Techniques
Improves performance and effectiveness of existing endpoint security solutions
• Offload Functions
  o AV
  o File Integrity Monitoring
  o Application Whitelisting
Virtualized Security and Edge Services
[Diagram: Internal Security and Compliance, Endpoint Security and Edge/Perimeter Protection delivered as Security as a Service: Elastic, Logical, Efficient, Automated, Programmable]
Cloud Aware Security
• Micro-segmentation
• Discover and report regulated data in the Datacenter and Cloud
• Secure the edge of the virtual datacenter
• Security and Edge networking services gateway
• Efficient offload of endpoint based security into the cloud infrastructure, i.e. anti-virus and file integrity monitoring
Continuous and Automated Compliance
Ongoing Change and Compliance Management
• Understand pervasive change: capture in-band and out-of-band changes
• Are you still compliant?
  o Remediate
  o Exceptions
• Fit within the current enterprise change mgmt workflow process
Protect against vulnerabilities
• Hypervisor-based anti-virus provides superior protection
• Patch Management guards against known attacks
• Software provisioning tied to compliance
• Day to day vulnerability checks
[Diagram: deployed from Gold Standard into a Compliant State; a Planned Change or Unplanned Change moves the system into a Noncompliant State; Remediate (RFC optional) or Mark as Exception returns it to a Compliant State]
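The compliance loop above (gold standard, drift, remediate or mark as exception) as a day-to-day PowerCLI check, added here as an example and not part of the original deck. The setting names are real ESXi advanced settings; the baseline values, the exception list and the host name are assumptions.

```powershell
# Added example, not from the deck: check ESXi hosts against a gold-standard
# baseline; approved exceptions (RFC on file) keep a host Compliant, anything
# else is Noncompliant and gets remediated. Values and host names are assumed.
$GoldStandard = @{
    'UserVars.ESXiShellTimeOut'               = 900
    'UserVars.ESXiShellInteractiveTimeOut'    = 900
    'Config.HostAgent.plugins.solo.enableMob' = $false
}
# Host -> settings whose deviation is an approved exception (assumed entry)
$Exceptions = @{ 'esx-lab-01.example.test' = @('Config.HostAgent.plugins.solo.enableMob') }

function Get-HostComplianceState {
    param([Parameter(Mandatory)] $VMHost)
    $drift = @()
    foreach ($name in $GoldStandard.Keys) {
        $actual = (Get-AdvancedSetting -Entity $VMHost -Name $name).Value
        # Compare as strings so booleans and integers are handled the same way
        if ("$actual" -ne "$($GoldStandard[$name])") {
            $drift += [pscustomobject]@{
                Setting   = $name
                Expected  = $GoldStandard[$name]
                Actual    = $actual
                Exception = [bool]($Exceptions[$VMHost.Name] -contains $name)
            }
        }
    }
    # Unplanned drift (no exception) is what makes the host Noncompliant
    $state = if ($drift | Where-Object { -not $_.Exception }) { 'Noncompliant' } else { 'Compliant' }
    [pscustomobject]@{ Host = $VMHost.Name; State = $state; Drift = $drift }
}

# Remediate: push the gold-standard value back; exceptions are left untouched
function Repair-HostDrift {
    param([Parameter(Mandatory)] $Report)
    $vmhost = Get-VMHost -Name $Report.Host
    foreach ($d in ($Report.Drift | Where-Object { -not $_.Exception })) {
        Get-AdvancedSetting -Entity $vmhost -Name $d.Setting |
            Set-AdvancedSetting -Value $d.Expected -Confirm:$false
    }
}

$reports = Get-VMHost | ForEach-Object { Get-HostComplianceState -VMHost $_ }
$reports | Select-Object Host, State
$reports | Where-Object { $_.State -eq 'Noncompliant' } | ForEach-Object { Repair-HostDrift -Report $_ }
```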
Conclusion
• The Cloud Has Great Benefits and, like any Technology, its Associated Risks
• These Risks Can Be Mitigated With Proper Controls
• The Classic Principles of Information Security Should be Applied
• Key Architecture Decisions must be made for Security
• Tools Designed for the Cloud Must Be Utilized
Questions?
Rob Randell, CISSP, CCSK
Principal Security and Compliance Specialist