VMworld 2013: NSX PCI Reference Architecture Workshop Session 2 - Privileged User Control
VMworld 2013, Allen Shortnacy, VMware. Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
NSX PCI Reference Architecture Workshop Session 2
- Privileged User Control
Allen Shortnacy, VMware
SEC5820
#SEC5820
Privileged User Risk
What Analysts Are Saying
“A compromise of the virtualization platform
is a worst-case security scenario that places
all the VMs hosted on the virtualization
platform at risk.”
“Hypervisor security protection should be
treated as a defense-in-depth problem,
using multiple strategies to ensure the
overall integrity of this critical layer.”
- Gartner*
* Gartner, Inc. “Hype Cycle for Virtualization, 2012”, Phil Dawson, Nathan Hill, July 24, 2012
Events Demonstrate the Risk
Jason Cornish, former Shionogi Pharma IT staffer, pled guilty to Feb ‘11 computer intrusion
– Wiped out 88 virtual servers on 15 VMware hosts: email, order tracking, financial, & other services
– Shionogi’s operations frozen for days: unable to ship product, unable to issue checks, unable to send email
About Privileged Users
Cloud and SDDC have expanded the universe of threats from privileged users
• Administrators have accumulated more effective rights due to shared resources
• Often with poor accountability for actions, whether malicious or just dumb
Advanced persistent threats are real
• If they are in your environment, these privileged user accounts are likely targets for compromise
• If you are using shared accounts, tracking activities to a specific user is very difficult
Few organizations rely on multi-factor authentication across all user communities
• Solutions and techniques are readily available to ensure the identity of who is on your systems
• They rarely tie to a comprehensive authorization policy for privileged user activities
• This necessitates an approach to effectively monitor all activities tied to strongly identified privileged user sessions
Four Steps to Controlling Privileged Users in the SDDC
1. Create Controlled Access Points to the SDDC Edge
• NSX Edge VPN Services or a partner such as Xceedium
• Establish LDAP Role Based Access Controls to govern session criteria
• Provide a ‘jump box’ configured with the desired client applications/browser
2. Establish NSX Identity Aware Firewall Policies
• Propagate identity context of the remote session to the NSX Edge firewall
• Ensures LDAP group membership to access the target application
3. Provide Prescribed Session for Conducting Administrative Activities
• Time bound sessions, privileged user password vaulting, multi-factor authentication, etc.
• Integration with other services to dynamically define session criteria
4. Leverage User Activity Monitoring for Audit
• Expands typical source/destination log information to application context
• Integrating syslog data with an event correlation engine provides other integration possibilities
NSX Edge SSL VPN Services
[Diagram: a remote user on the Internet connects to the NSX Edge SSL-VPN (VSM 10.112.243.44; VPN external interface 10.112.243.45, internal interface 192.168.1.1; virtual IP 192.168.27.2) in the “All SDDC and Application Admin” role and reaches the corporate LAN 192.168.1.0/24]
Step 1: Enable SSL service
Step 2: Configure private network
Step 3: Dynamic IP pool (the remote user will get an IP in this range)
Step 4: Client install package
Step 5: Configure user authentication methods: Local Database, AD, LDAP, Radius, RSA
Configuration is now complete; the user is ready to connect.
NSX Edge SSL-VPN provides controlled access to a Jump Box with administrative tools located in a controlled location.
NSX Edge VPN with AES-NI
Up to 40% performance increase by supporting the Intel® AES-NI (AES New Encryption Instruction Set).
The Edge offloads the AES encryption of data to the hardware on supported Intel Xeon and 2nd generation Intel Core processors.
No user configuration needed to enable – AES-NI support in hardware is auto-detected.
Supports both pre-shared key (PSK) and certificate authentication modes
Encryption algorithms – 3DES, AES (128 and 256 bits)
Performance – 1 Gbps throughput
Step 1: Establish Secure Bastion Host DMZ with NSX Edge
Providing access to tools used for administrative tasks must be controlled with role based access to an approved session.
Roles: SDDC Administrator; Application or Database Administrator
Actions: in NSX Edge Manager, configure SSL-VPN/AD integration and configure the ‘Jump Box’; in Xceedium, establish policies for admin actions on protected assets
[Diagram: VXLAN and .1Q segments over the network fabric, connected to the WAN and the Internet]
VMworld 2013, June 2013 (Xceedium partner slides)
The Problems We Solve
– Protect Enterprises from Privileged User Risks
– Manage Privileged Access Across Traditional, Virtualized, Cloud, and Hybrid Enterprises
– Enforce Audit and Compliance Controls: PCI DSS, HIPAA/HITECH, NERC CIP, FISMA, SOX
– Enable Secure Migration of Enterprise Applications to the Cloud
– Federate Privileged Identity Across Hybrid Cloud Architectures
© 2013 Xceedium, Inc.
Identity Integration, Enterprise-Class Core, Unified Policy Management
Control and Audit All Privileged Access
• Vault Credentials
• Centralized Authentication
• Federate Identity
• Privileged Single Sign-on
• Role-Based Access Control
• Monitor & Record Activity
• Full Attribution
• Protect End Systems, Consoles, APIs
Introducing Privileged Identity Management for the New Enterprise
Traditional Data Center: Mainframe, Windows, Linux, Unix, Networking
New Enterprise:
• Virtualized Data Center – VMware Console / APIs
• SaaS Applications – SaaS App Console
• Public Cloud (IaaS) – Cloud Console / APIs
Hardware Appliance, Cloud Appliance, OVF Virtual Appliance
Xsuite for VMware: PIM for VMware vSphere and vCloud
Auto-discovery and provisioning of all VMware Infrastructure Virtual Machines via VMware’s API.
• Dynamic discovery and provisioning for access of Virtual Machines
Role Based Privileged Access Control & Single Sign-On across:
• Enterprise systems, vCenter, vShield, vCloud Director, and the new NSX Consoles, as well as physical and virtual machines
Separation of Duties for vCenter, vShield, vCloud Director, and NSX Console
Full Audit Trail and Session Recording across:
• Enterprise systems, vCenter, vShield, vCloud Director, NSX Console, and all Virtual Machine privileged user sessions
• API access to VMware vShield & vCloud
Password and Access Key Management:
• Vaulting and lifecycle management of all privileged user credentials for: enterprise systems, vCenter, vShield, vCloud Director, and NSX Console, AD based console users and Virtual Machines.
Strong Authorization and Attributed Use:
• Support for multi-factor authentication
• Detailed record of who is using each account, even for shared accounts (vCenter, vShield, vCloud Director, and the new NSX Console, Unix root accounts, Windows admin accounts)
VMware Reference Architecture
[Diagram: VMware VM target server connection in a controlled, audited, and recorded enterprise network]
Privileged users run the Xceedium client; the Xsuite OVF based virtual appliance fronts the VMware vSphere Console, VMware vCloud Director, VMware vShield Console, VMware NSX Console and the VM target devices behind them.
• User authenticates to Xsuite with credentials, PIV, CAC, or Smartcard
• Xsuite authenticates the user/group with AD/LDAP & Radius (a PIV/CAC revocation server and an ADFS server are also shown)
• Client receives transparent access to the target server
• Virtual Machines are discovered by the VIISDK API and provisioned via vCenter Tagging.
• Post API/Sessions: the user is logged in as a provisioned user to the provisioned org, with access, recording and audit.
• Session recordings and Syslog feed Splunk and VMware Log Insight
Full Audit of all VMware Console & Virtual Machine Privileged User activity
Demo: Establish NSX Edge SSL-VPN and Partner Solutions
Step 2: Protect Your Secure Zones with NSX Identity Firewall
It is critical to provide purpose driven firewall rules that restrict access to controlled VMs to only those nodes which require access.
Roles: SDDC Administrator; Application or Database Administrator
Actions: in Service Composer / Firewall, edit source / destination and edit identity based security groups
[Diagram: VXLAN and .1Q segments over the network fabric, connected to the WAN and the Internet]
Identity Based Access Control
Active Directory user Eric Frost (IP: 192.168.10.75)
Logs:
User | AD Group | App Name | Originating VM Name | Destination VM Name | Source IP | Destination IP
Eric Frost | DBA | PGAdmin.exe | Eric-Win7 | vPostgres-GL | 192.168.10.75 | 192.168.10.78
Rule Table:
AD Source | Destination | Source IP | Destination IP
DBA | vPostgres-GL | 192.168.10.75 | 192.168.10.78
Demo: Create NSX Firewall Rules for Controlling Access
Step 3: Access Prescribed Session for Governed Activities
Providing a role based access controlled, multi-factor authenticated session creates a trusted, least privilege connection to the target.
Role: Application or Database Administrator
Actions: with the SSL-VPN or Xceedium client, authenticate to the Jump Box with role based control; leverage the appropriate administrative tool(s) with identity firewall controlled access
[Diagram: VXLAN and .1Q segments over the network fabric, connected to the WAN and the Internet]
Demo: Establish Secure Desktop Networking for Role Based Sessions
Step 4: Privileged User Activity Monitoring
NSX provides logging of privileged user activity expanded to incorporate identity firewall rules as well as the application used for access.
Roles: SDDC Administrator; Information Risk Personnel
Actions: in NSX Manager, review session logs for approved activity; in Xceedium, record the session for review
[Diagram: VXLAN and .1Q segments over the network fabric, connected to the WAN and the Internet]
What is VMware Activity Monitoring?
Visibility into group, application and destination activity in the virtual environment which generates an activity log of:
• Applications running on virtual machines
• Server access by Desktop Pool, Security Group or AD Group
• Interactions between groups (SG, AD, DP)
[Diagram: Dev Security Group and Developer AD Group, with Desktop Pool, Security Group and AD Group as the grouping dimensions]
With / Without NSX: Visibility Comparison
Active Directory user Eric Frost
Today:
Source | Destination
172.16.254.1 | 172.16.112.2
With Activity Monitoring (VM Tools):
User | AD Group | App Name | Originating VM Name | Destination VM Name | Source IP | Destination IP
Eric | DBA | Pgadmin.exe | Windows 7 | PostgreSQL DB Server | 192.168.10.75 | 192.168.10.78
[Diagram: VSM and SVM on the compute, management and gateway layers]
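As an added example that is not part of the deck or of NSX itself: a small Python model of the identity-based rule table from the Identity Based Access Control slide and of the “Today” versus “With Activity Monitoring” log views above. The AD group lookup, the second user, the identity-less flow and the log line format are constructed assumptions, not NSX or Xceedium APIs.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory (user -> AD groups); Eric Frost/DBA is the deck's example.
AD_GROUPS = {"Eric Frost": {"DBA"}, "Jane Doe": {"Developer"}}

@dataclass(frozen=True)
class Flow:
    user: Optional[str]    # identity reported by the guest agent (VM Tools); None if unknown
    app: Optional[str]     # process that opened the connection
    src_vm: Optional[str]
    dst_vm: Optional[str]
    src_ip: str
    dst_ip: str

# Identity-based rule table as on the deck: source is an AD group, destination a VM.
RULES = [("DBA", "vPostgres-GL", "allow")]

def evaluate(flow):
    """Return (action, reason); a flow with no resolved identity never matches a rule."""
    groups = AD_GROUPS.get(flow.user, set()) if flow.user else set()
    for group, dst_vm, action in RULES:
        if group in groups and flow.dst_vm == dst_vm:
            return action, f"rule {group}->{dst_vm}"
    return "deny", "default deny"

def ip_only_log(flow):
    """The deck's 'Today' view: a plain source/destination IP log line."""
    return f"src={flow.src_ip} dst={flow.dst_ip}"

def activity_log(flow, action, reason):
    """Activity-monitoring view: the flow enriched with user, group, app, VM names and verdict."""
    groups = ",".join(sorted(AD_GROUPS.get(flow.user, set()))) or "-"
    return (f"user={flow.user or '-'} group={groups} app={flow.app or '-'} "
            f"src_vm={flow.src_vm or '-'} dst_vm={flow.dst_vm or '-'} "
            f"src={flow.src_ip} dst={flow.dst_ip} action={action} ({reason})")

# Constructed flows: the deck's example, a non-DBA user, and Eric's IP with no identity.
FLOWS = [
    Flow("Eric Frost", "PGAdmin.exe", "Eric-Win7", "vPostgres-GL", "192.168.10.75", "192.168.10.78"),
    Flow("Jane Doe", "psql.exe", "Jane-Win7", "vPostgres-GL", "192.168.10.76", "192.168.10.78"),
    Flow(None, None, None, "vPostgres-GL", "192.168.10.75", "192.168.10.78"),
]

def run(flows=FLOWS):
    """Return (IP-only line, activity-monitoring line) for every flow."""
    return [(ip_only_log(f), activity_log(f, *evaluate(f))) for f in flows]

if __name__ == "__main__":
    print(*(line for pair in run() for line in pair), sep="\n")
```

The first and third flows produce identical IP-only lines, so only the identity-enriched view can tell the approved DBA session apart from traffic that merely reuses the same address.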
Demo: Privileged User Activity Monitoring
Summary – Value Achieved via Privileged User Control
• Leveraging NSX Edge and Partner technologies facilitates strong authentication and role based authorization to a bastion host as a single point of entry
• Establishing NSX Distributed Firewall Identity Based Rules extends the paradigm to support access to the target only via prescribed means
• Supports enhanced integration with other processes like service desk requests or other deep packet monitoring tools to validate activities
• Information Risk professionals and Auditors have access to information from Activity Based Monitoring and partner technologies like Xceedium to create irrefutable chains of evidence that only approved activities were conducted
VMworld: Security and Compliance Sessions
Category Topic
NSX
• 5318: NSX Security Solutions In Action (201)
• 5753: Dog Fooding NSX at VMware IT (201)
• 5828: Datacenter Transformation (201)
• 5582: Network Virtualization across Multiple Data Centers (201)
NSX Firewall
• 5893: Economies of the NSX Distributed Firewall (101)
• 5755: NSX Next Generation Firewalls (201)
• 5891: Build a Collapsed DMZ Architecture (301)
• 5894: NSX Distributed Firewall (301)
NSX Service
Composer
• 5749: Introducing NSX Service Composer (101)
• 5750: NSX Automating Security Operations Workflows (201)
• 5889: Troubleshooting and Monitoring NSX Service Composer (301)
Compliance
• 5428: Compliance Reference Architecture Framework Overview (101)
• 5624: Accelerate Deployments – Compliance Reference Architecture (Customer Panel) (201)
• 5253: Streamlining Compliance (201)
• 5775: Segmentation (301)
• 5820: Privileged User Control (301)
• 5837: Operational Efficiencies (301)
Other
• 5589: Healthcare Customer Case Study: Maintaining PCI, HIPAA and HITECH Compliance in Virtualized Infrastructure (Catbird – Jefferson Radiology)
• 5178: Motivations and Solution Components for enabling Trusted Geolocation in the Cloud - A Panel discussion on NIST Reference Architecture (IR 7904) (Intel and HyTrust)
• 5546: Insider Threat: Best Practices and Risk Mitigation techniques that your VMware based IaaS provider better be doing! (Intel)
For More Information…
VMware Collateral VMware Approach to Compliance
VMware Solution Guide for PCI
VMware Architecture Design Guide for PCI
VMware QSA Validated Reference Architecture PCI
Partner Collateral VMware Partner Solution Guides for PCI
How to Engage? [email protected]
@VMW_Compliance on Twitter
THANK YOU