separating fact from fiction - esxi hypervisor...
TRANSCRIPT
![Page 1: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/1.jpg)
Separating Fact from Fiction -ESXi Hypervisor Security
INF2336
Mike Foley, VMware, IncYuecel Karabulut, VMware, Inc
![Page 2: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/2.jpg)
Disclaimer• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
CONFIDENTIAL 2
![Page 3: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/3.jpg)
We Would Like to Talk About Three Things Today
3
1 Virtualization Security: Fact vs. Fiction
2 Foundational Platform Security Solutions
3 Operational Security – Where the REAL Threat Is
![Page 4: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/4.jpg)
Trusted by These Security Teams and 500k+ More
![Page 5: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/5.jpg)
Security Concerns –Fact or Fiction
![Page 6: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/6.jpg)
What Are You Most Concerned About?
What most vSphere Admins say…
“We are concerned about internal threats”Example: Malicious privileged VI admin behavior in branch offices
6
![Page 7: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/7.jpg)
What Are You Most Concerned About?
Some customers (mostly Security Professionals) say…
“We are concerned about VM escape scenarios”Example: Guest-to-host-attack by exploiting a potential vulnerability
in the VM process
7
![Page 8: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/8.jpg)
VM Escape or
Operational Security Threats
What is the More Likely Scenario?
8
![Page 9: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/9.jpg)
0%10%20%30%40%50%60%70%80%90%
100%
VM Escape Operational SecurityThreats
Cost .vs. Probability a.k.a. “Sexy” .vs. “Boring”
ProbabilityCost
What is the More Likely Scenario?
9
![Page 10: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/10.jpg)
Fact vs. Fiction – VM Escape
Fiction• VM Escape is considered a
“Primary” threat by some security professionals
Fact• There is a lot of theoretical intent to
prove it!• Known/past attempts took
advantage of since patched vulnerabilities– In many cases were done NOT on
VMware or with Type 2 hypervisors
• It’s very hard to do!– If it was easy you’d be reading about it on
social media!
10
![Page 11: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/11.jpg)
Why is VM Escape Really Hard to Do?
Proven VM Isolation and Evolving Architecture
Secure Software Development
Lifecycle
Minimum Attack Surface
World Class Systems Security Engineers++ ++ ++
![Page 12: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/12.jpg)
Just the facts!
![Page 13: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/13.jpg)
Isolation is the Name of the GameInstruction IsolationMemory IsolationDevice Isolation
Network IsolationNoisy Neighbor Isolation
Storage IsolationMemory Protection
Layers of Isolation and Protection
![Page 14: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/14.jpg)
Hypervisor
Virtual CPU
Guest OS
VMM
User Apps
Physical Host
Ring 3
Ring 2
Ring 1
Ring 0
Physical Ring 0
Virtualized Privilege Levels
Hardware Privilege Level
OS Requests Trap to VMM without Binary Translation or Paravirtualization
Instruction IsolationVirtual machines don’t have access to Physical Ring 0
![Page 15: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/15.jpg)
Physical HostPhysical Host
Hypervisor
Guest OS managed
memory page tables
Memory Isolation – VM to VM and VM to Host
Host and Virtual Machine Page
Tables are completely
inaccessible to each other
Guest OS managed memory
pages tables
Hypervisor managed guest memory page tables Isolated via CPU virtualization
extensions (HWMMU) Host
Memory Page Table
Host Memory Page
Table
HWMMU
Hypervisor managed
Memory Page Tables
Hypervisor managed
Memory Page Tables
Hypervisor managed
Memory Page Tables
Hypervisor managed
Memory Page Tables
![Page 16: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/16.jpg)
Guest OS
Hypervisor
Physical Host
Guest Device Driver
Guest Device Driver
I/O Stack
Physical Device Driver
Virtual Device
Guest OS
Guest Device Driver
Guest Device Driver
Virtual Device
Guest OSGuest Device
Driver
Dire
ct P
ath
I/O
Device Isolation: Guests Only See What They Are Allocated
VM Kernel and VM Monitor mediate
access to the physical resources,
and all physical hardware access
takes place through the VM Kernel.
![Page 17: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/17.jpg)
VM 2
Hypervisor
Physical Host
Guest Device Driver
Virtual Switch 1
Virtual Device
VM 1
Guest Device Driver
Virtual Device
Virtual Switch 2 Virtual Switch 3
VM 3
Guest Device Driver
Virtual Device Virtual Device
Network Isolation at the vSwitch level
vSwitches are not routers!
To route packets between vSwitches you need something else.
Example:“Can a VM on vSwitch 1 see a VM on vSwitch 2?”
![Page 18: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/18.jpg)
VLAN’s and vSwitches – No Hopping Allowed
• MAC Flooding? Not vulnerable
• 802.1q and ISL tagging? Not vulnerable
• Double-encapsulation Attacks? Not vulnerable
• Multicast brute-force Attacks? Not vulnerable
• Spanning Tree Attacks? Not vulnerable
• Random Frame Attacks? Not vulnerable
• VLAN Hopping? Native VLAN is not used
18
![Page 19: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/19.jpg)
Operational Security –Where the REAL Threat Is
![Page 20: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/20.jpg)
Fact vs. Fiction – Operational Security
Fiction• Operational Security is considered a
“Secondary” threat by security professionals
Fact• Threat/Risk Management is not
well understood• Least Privilege is NOT widely
adopted• Common ROOT passwords• All admins have vCenter privileges• Actions are not tied to policy
• Patching ESXi is not a priority• Compromise the Admin, get
access to the infrastructure
20
![Page 21: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/21.jpg)
Least Privilege – RBAC Security Policy Enforcement
![Page 22: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/22.jpg)
Least Privilege – Workflow-based Security Policy Enforcement• Leverage VMware Orchestrator to limit privilege exposure
• Consider VMware vCAC for workflow approvals
• Example: – Remove “Delete VM” from Admin Role– Replace with vCO action– Use vCAC for approval workflow
![Page 23: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/23.jpg)
Least Privilege – Workflow-based Security Policy Enforcement• Leverage VMware Orchestrator to limit privilege exposure
• Consider VMware vCAC for workflow approvals
• Example: – Remove “Delete VM” from Admin Role– Replace with vCO action– Use vCAC for approval workflow
![Page 24: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/24.jpg)
I Can’t Help You if you Don’t Patch!
24
![Page 25: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/25.jpg)
You protect your physical datacenter
with this guy…
![Page 26: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/26.jpg)
…and this is how you protect your
virtual datacenter?
![Page 27: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/27.jpg)
Limit access to vCenter and ESXi with a dedicated Management Network
Isolate Your Management Interfaces
![Page 28: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/28.jpg)
Takeaways• VM Escape
– VMware works hard to mitigate any and all potential threats in this area
• Real Threat Vectors– Continuous Threat Analysis– Operational Security
• Adopt Least Privilege – RBAC and Workflow-based Security Policy Enforcement• Patch your systems!• Isolate your Management Interfaces
– Network• Embrace Virtualized Networking and Micro-Segmentation (Go to the NSX sessions for more info!)
28
![Page 29: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/29.jpg)
Questions?
![Page 30: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/30.jpg)
Online Resources
30
ESXi Security Whitepaper and vSphere Hardening Guide
Whitepaper Hardening Guide
![Page 31: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/31.jpg)
VMware vSphere Beta• Help shape the future of vSphere
• Gain visibility into features and technology that may be in upcoming versions of vSphere
• No nominations required. Open to everyone! • http://www.vmware.com/go/vspherebetaq2
31
![Page 32: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/32.jpg)
Thank You
![Page 33: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/33.jpg)
Fill out a surveyEvery completed survey is entered
into a drawing for a $25 VMware company store gift certificate
![Page 34: Separating Fact from Fiction - ESXi Hypervisor Securitydownload3.vmware.com/vmworld/2014/downloads/session-pdfs/... · 2014. 11. 7. · Fact vs. Fiction – VM Escape Fiction •](https://reader036.vdocuments.us/reader036/viewer/2022071107/5fe22002eede29799d69ee9e/html5/thumbnails/34.jpg)
Separating Fact from Fiction -ESXi Hypervisor Security
INF2336
Mike Foley, VMware, IncYuecel Karabulut, VMware, Inc