Sense of Security - Securing Virtualised Environments; Focus on the Fundamentals
DESCRIPTION
Virtualisation of ICT infrastructure has been one of the more recent strategies to achieve substantial technical and commercial gains from your technology investment; organisations of all sizes are either evaluating it or using it! So what’s the catch? Put simply, the principles of information security are regularly overlooked during the planning and deployment stages of a virtualisation program. This webinar will explore some of the security risks that organisations inadvertently expose their businesses to when deploying virtualised infrastructure. Furthermore, the presenter will discuss the fundamentals of information security and, importantly, how to apply these fundamentals in a virtualised environment to manage risk and protect critical information assets.
TRANSCRIPT
www.senseofsecurity.com.au
Tuesday, August 31, 2010
Sense of Security Pty Ltd
(ABN 14 098 237 908)
306, 66 King St
Sydney NSW 2000
Australia
Tel: +61 (0)2 9290 4444
Fax: +61 (0)2 9290 4455
Securing Virtualised Environments - Focus on the Fundamentals
Jul 2010
Agenda
• Why people love Virtualisation
• What to look out for
• Identify security weaknesses
• Be prepared
• Conclusion
Virtualization Benefits
The problem
The dream
The solution? A virtualisation Project?
Virtualisation
Follow me
Riding the Virtualisation Silver Bullet
It is hard with all the Blah Blah Blah
Even Dilbert’s boss is onto this!
Copyright acknowledged
Are we doomed?
CONFIDENTIALITY
INTEGRITY
AVAILABILITY
The Real Agenda
• We need to be able to evaluate and measure the security of the deployment in terms of C I A
Confidentiality
DMZ
Firewall
Internal
Is it getting crowded in there?
Stealing a Physical Machine
VERY DIFFICULT
Stealing a Virtual Machine
Confidentiality cont…
Who manages the system?
“An ESX virtual switch supports copying packets to a mirror port. By using what is called promiscuous mode, ESX Server makes a virtual switch port act as a SPAN port or mirror port. This capability makes it possible to debug using a sniffer or to run monitoring applications such as IDS.”
“Forged transmit blocking, when you enable it, prevents virtual machines from sending traffic that appears to come from nodes on the network other than themselves”
ref [http://www.vmware.com/files/pdf/virtual_networking_concepts.pdf]
Virtual System may be administered by someone who is neither a network nor a security expert!
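An added example, not part of the original slides or of any VMware tool: a small audit that resolves the effective promiscuous-mode and forged-transmit settings for each port group and flags the ones that weaken isolation. The inventory, port group names and the approved-monitoring list are constructed assumptions.

```python
# Added example: audit the effective security policy of each virtual port group.
# The inventory below is constructed for illustration; all names are assumptions.

# vSwitch-level defaults. True means the setting is accepted (allowed).
VSWITCHES = {
    "vSwitch0": {"promiscuous": False, "forged_transmits": True},
    "vSwitch1": {"promiscuous": True, "forged_transmits": False},
}

# Port groups may override the vSwitch default; None means "inherit".
PORTGROUPS = [
    {"name": "DMZ-Web", "vswitch": "vSwitch0", "promiscuous": None, "forged_transmits": None},
    {"name": "Internal-App", "vswitch": "vSwitch0", "promiscuous": True, "forged_transmits": False},
    {"name": "IDS-Monitor", "vswitch": "vSwitch1", "promiscuous": None, "forged_transmits": None},
    {"name": "Mgmt", "vswitch": "vSwitch1", "promiscuous": False, "forged_transmits": None},
]

# Port groups approved to act as a mirror port for a sniffer or IDS (hypothetical list).
APPROVED_MIRROR_PORTGROUPS = {"IDS-Monitor"}

SETTINGS = ("promiscuous", "forged_transmits")


def effective_policy(portgroup, vswitches):
    """Resolve inherited values so the audit sees what is actually enforced."""
    parent = vswitches[portgroup["vswitch"]]
    return {s: parent[s] if portgroup[s] is None else portgroup[s] for s in SETTINGS}


def audit(portgroups, vswitches, approved_mirrors):
    """Return (port group, finding) pairs for settings that weaken isolation."""
    findings = []
    for pg in portgroups:
        policy = effective_policy(pg, vswitches)
        # Promiscuous mode is legitimate only on an approved monitoring port group.
        if policy["promiscuous"] and pg["name"] not in approved_mirrors:
            findings.append((pg["name"], "PROMISCUOUS_NOT_APPROVED"))
        # Accepting forged transmits means forged transmit blocking is off.
        if policy["forged_transmits"]:
            findings.append((pg["name"], "FORGED_TRANSMIT_BLOCKING_OFF"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(PORTGROUPS, VSWITCHES, APPROVED_MIRROR_PORTGROUPS):
        print(f"{name}: {finding}")
```

Checking the resolved policy rather than the vSwitch default catches a port group override such as the constructed Internal-App entry, which a review of vSwitch settings alone would miss.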
Integrity
• Just like any other software, virtual platforms are and have been buggy
– VMSA-0008-0002.1 (Virtual Center Tomcat 5.5.7.1)
– CVE-2007-1321 (Heap Overflow in Xen network Driver)
– CVE-2008-0923 (Path Traversal vulnerability in VMware's shared folders implementation)
– CVE-2009-2968 (VMware Studio 2 directory traversal)
• Patch Management Framework in place?
Integrity cont…
This is a good start to getting ….
Integrity cont…
• Man in the Middle Attacks
• Various VMWare clients susceptible
• Including vi client
– Configuration of the clients.xml file
Segregation of Duties
• Server, storage, network, and security duties are collapsed
• Critical considerations:
– Role-mapping within IT
– RBAC capabilities of virtualisation platform
– Layered controls (prevent, detect, respond)
• Roles and Responsibilities
– Review of 75 discrete responsibilities assigned to 3 or 4 roles (Per VMWare)
Infrastructure hardening
• Hypervisor Protection
• Management Interfaces
• Zones of Trust
• Virtual Network Configuration
• Consolidation of functions
Auditing
• The entire environment should be auditable
• All activity should be logged and monitored
• Administrators/Auditors should be able to produce compliance reports at any point in time
• Native and Commercial tools can be used
VMWare Native Tool – Host Profiles
Cluster
Reference Host
Host profiles reduce setup time and allow you to manage configuration consistency and correctness.
This slide courtesy VMware
Basic Workflow to Implement Host Profiles
• Host Profile
– Memory Reservation
– Storage
– Networking
– Date and Time
– Firewall
– Security
– Services
– Users and User Groups
– Security
[Diagram labels: Cluster, Reference Host, workflow steps 1 to 5]
This slide courtesy VMware
After you create the profile, attach it to hosts/clusters so that you can check compliance and apply it to hosts not in compliance.
This slide courtesy VMware
Availability
• How is Availability delivered?
• Active Active
• Active Passive
• Fault Tolerance
• System Maintenance
• Patch Management (access to dormant VM’s)
HA – High Availability
FT – Fault Tolerance
VCB / VADR
NIC & HBA Teaming
VMotion
Storage VMotion
Network Redundancy
VM Failure Monitoring
[Diagram labels: Performance, Planned Downtime, Unplanned Downtime; Virtual Machines (App / OS), Server (ESX Server), Storage, Interconnect]
This slide courtesy VMware
Availability: Speed, Latency, Capacity
• Can software-based virtual appliances deliver to the level expected of purpose-built hardware?
• Many vendors have elected not to deliver L3 capability in virtual appliances.
• Do you want a Virtual UTM?
Key Issues to Think About
• Going in blind with no plan – is not a plan!
• Inadequate Protection to the Hypervisor
• Blind Spot - Lack of Visibility and Control to Virtualised Network and VM’s
• Collapsed Fabric – Virtualising across zones of trust
• Segregation of Duties – not defined
• Administration – Availability, Patch Management
• Ensure overall system is auditable
Thank You
Murray Goldschmidt
Chief Operating Officer
Sense of Security
+61 2 9290 4444
www.senseofsecurity.com.au