Virtualization and Cloud Computing

Transcription

1 Virtualization and Cloud Computing Virtualization, Cloud and Security Mgr. Michael Grafnetter

2 Agenda Virtualization Security Risks and Solutions Cloud Computing Security Identity Management

3 Virtualization and Cloud Computing Virtualization Security Risks and Solutions

4 Blue Pill Attack

5 Blue Pill Attack Presented in 2006 by Joanna Rutkowska at Black Hat conference Traps running OS by starting a hypervisor and virtualizing the underlaying machine (needs right to run privileged instructions to achieve this) Could intercept nearly anything and send fake responses (hardware interrupts, requests for data, system time etc.)

6 Red Pill Blue Pill is detectable by timing attack Trap-and-Emulate takes much longer than native instructions External time sources (NTP) need to be used, because system time could be spoofed

7 VMM Vulnerability By attacking a VMM, one could attack multiple servers at once

8 Datacenter Management SW Virtualization infrastructure management software (VMware vcenter, Microsoft SC VMM) is used to control multiple hosts at once

9 Web Access to DCs Multiple datacenters can be managed from a central console. Therefore, its security has to be hardened.

10 One Ring to rule them all Management commands available using PowerShell or Web APIs Get-VM Name * Stop-VM Get-VM Name * Remove-VM Copy-VMGuestFile Invoke-VMScript Type Bash

11

12 Disabling Host-VM Communication

13 Physical vs. Virtual Firewall With virtualization, servers from different Trust Zones usually share the same physical resources (memory, network card, etc.)

14 Traffic isolation

15 Traffic Monitoring

16 Other risks of virtualization Introduction of yet another OS Reliance on traditional barriers Accelerated provisioning Security left to non-traditional security staff Audit scope creep

17 Security Solutions Virtual Firewall Live migration Stretched clusters Agentless Antivirus Extensible Switches Mobile Virtualization Platform Virtual Desktop Infrastructure (VDI)

18 Agentless AV

19 Extensible Switch

20 Mobile Virtualization Platform

21 Mobile Virtualization Platform

22 Virtual Desktop Infrastructure

23 Virtualization and Cloud Computing Pass-the-Hash Attacks

24 LSASS NTLM Hashes

25 Passing the Hash

26 Win10 Virtual Secure Mode

27 Win10 Virtual Secure Mode

28 Virtualization and Cloud Computing Cloud Computing Security Risks

29 Who has access to our data?

30 Physical Security

31 Hard Disk Crushers

32 Storing Recovery Keys in Cloud

33 Azure Key Vault

34 Other Cloud Risks Unclear data location Regulatory compliance Data segregation Lack of investigative support Disaster recovery Long-term viability, vendor lock-in

35 Virtualization and Cloud Computing Identity Management

36 Identity Management Basic Concepts Two-factor authentication Role-Based Access Control (RBAC) External user DBs Identity Federation OAuth OpenID SAML RADIUS Proxy Identity Bridges

37 Multi-Factor Authentication

38 One-time Passwords HMAC-based One-time Password (HOTP) Time-based One-time Password (TOTP) Out-of-Band TANs Pre-generated (POTP) SMS Push Notifications

39 TOTP HMAC(K, C) := SHA1(K 0x5C5C... SHA1(K 0x C)) HOTP(K, C) := Truncate(HMAC(K,C)) & 0x7FFFFFFF K Secret Key C Counter/Clock

40 Problem: Lost Device Recovery Questions What is the maiden name of your mother? Verification POTP In-Person Verification (used in enterprise environments, but not usable with cloud services)

41 Application-Specific Passwords Some protocols (or their implementations) like SSH, SFTP or IMAP do not support 2FA

42 Role-Based Access Control

43 External User DBs Typically Active Directory or generic LDAP is used as central identity store for virtualization infrastructures

44 Cloud vs. On-Prem Accounts

45 Azure AD Password Sync

46 Azure AD Password Sync Hash

47 Azure AD Hash Plaintext: Pa$$w0rd NT Hash (Stored in on-prem Active Directory): B DE3F726500D4FF OrgId Hash (Sent to Azure AD): v1;pph1_md4,317ee9d1dec6508fa510,100, f4a257ffec a605ce8ddedfbc9df9777b bc0a6dd895ef404f;

48 Identity Federation

49 Identity Federation Protocols OAuth OpenID WS-Federation + SAML JWT RADIUS

50 OAuth Used to delegate user authorization to a 3 rd -party service provider

51 OAuth

52 Authorization Management

53 DoS Risk

54 DoS Risk

55 OpenID

56 OpenID

57 OpenID

58 Claims-based Identity First Name: John Last Name: Doe Login: John Mail: Role: User Role: Administrator

59 SAML Security Assertion Markup Language Similar to OpenID, but targeted to the enterprise XML-based Supports Single sign-on Requires mutual trust between IdP and SP Multiple bindings, not just HTTP Supports Identity provider initiated authentication

60 SAML

61 SAML (Google Apps)

62 SAML Response Example <saml:assertion ID="b07b804c-7c29-ea f3d6f7928ac Version="2.0" IssueInstant=" T09:22:05"> <saml:issuer> <ds:signature>...</ds:signature> <saml:conditions NotBefore=" T09:17:05" </saml:conditions> <saml:attributestatement> NotOnOrAfter=" T09:27:05"> <saml:attribute x500:encoding="ldap" Name="urn:oid: " FriendlyName="eduPersonAffiliation"> <saml:attributevalue xsi:type="xs:string">member</saml:attributevalue> <saml:attributevalue xsi:type="xs:string">staff</saml:attributevalue> </saml:attribute> </saml:attributestatement> </saml:assertion>

63 Shibboleth SAML-based federation portal Open Source

64 Microsoft Active Directory Federation Services SAML-based Typically used to give access to intranet portals to business partners

65 JWT (JSON Web Token) Header: { typ: 'JWT', alg: 'HS256' } Payload/Claims: { user: john, admin: true, exp: , 15:27 } Signature => BASE64

66 Identity Bridges

67 Identity Bridges: Azure Access Control Service

68 RADIUS Proxy (Eduroam)