Security for Virtualization

Transcription

1 Security for Virtualization René Gundersen Senior Sales Engineer

2 Where are you vulnerable? Takes days to months until patches are available and can be tested & deployed: Microsoft Tuesday Oracle Adobe Developers not available to fix vulnerabilities: No longer with company Working on other projects Patches are no longer being developed: Red Hat 3 -- Oct 2010 Windows Jul 2010 Solaris 8 -- Mar 2009 Oracle Jan 2009 Can t be patched because of cost, regulations, SLA reasons: POS Kiosks Medical Devices 2

3 Exploits are happening before patches are developed # of days until vulnerability is first exploited, after patch is made available 28 days 18 days 10 days Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year. -- ZDNet, January 21, 2010 Zero-day Zero-day MS- Blast Sasser 2005 Zotob WMF IE zero-day 3

4 60% of production VM s will be less secure then their physical counterparts

5 Trend Micro Virtualization Security Solutions Trend Micro products protect virtualized desktops, servers and private & public clouds, and the gateway OfficeScan Deep Security Deep Security Web Security Antivirus Anti-spyware Anti-rootkit Firewall Web threat protection Host intrusion prevention IDS/IPS Web Application Protection Firewall Integrity Monitoring Log Inspection Anti-malware (Q3-2010) Anti-malware (Q3-2010) IDS/IPS Web Application Protection Firewall Integrity Monitoring Log Inspection URL filtering Web reputation Anti-malware Messaging Security Antispam Reputation filtering Secure Cloud (Q3-2010) Identity & integrity based policy enforcement Data encryption & key management Audit controls Anti-virus Anti-spyware Encryption URL filtering Web reputation Anti-malware 9/8/2010 5

6 Security Challenges Defined (Explains the security and compliance challenges previously outlined) 1 2 Trust levels inhibit consolidation The need to keep VMs of different trust levels off of the same server restricts consolidation rates and savings. Host-based controls under-deployed File Integrity Monitoring, host IDS/IPS and anti-malware are often under-deployed, because of cost, complexity or performance. 3 Inter-VM attacks Traditional network security devices cannot detect or contain malicious inter-vm traffic. 4 Instant-on gaps It s all but impossible to consistently provision security to instant-on VMs, and keep it up-to-date. Dormant VMs can eventually deviate so far from the baseline that merely powering them on introduces a massive security hole. 5 Mixed trust level VMs Workloads of different trust levels are likely being consolidated onto a single physical server without sufficient separation. 6 Resource contention Resource-intensive operations (AV storms & pattern-file updates) can quickly result in an extreme load on the system Compliance/Lack of audit trail Higher levels of consolidation put greater stress on the ability to ensure compliance, particularly amongst mission critical / Tier 1 applications. As well, virtualization makes it more difficult to maintain audit trails, and understand what, or by whom, changes were made. Data confidentiality & integrity Unencrypted information in cloud environments is subjected to various risks including theft, unauthorized exposure and malicious manipulation Data access & governance RESTful-authentication* in the cloud can be susceptible to brute force and hijacking, attacks allowing unauthorized data access. Breakdown in the separation of duties might allow unauthorized vendor access to data. (* REpresentational State Transfer) Diminished perimeter Security mechanisms are under the cloud service provider s control and perimeter security mechanisms are significantly diminished. Multi-tenancy In cloud environments, your VMs exist with other unfamiliar, potentially hostile VMs with unknown security. Data destruction Some cloud providers do not overwrite storage before recycling it to another tenant; in some cases where the storage is overwritten, data may be vulnerable after a system crash or unexpected termination. 9/8/2010 6

7 1 Inter-VM attacks/ blind spots

8 2 Instant-on gaps Active Active, with out-of-date Dormant security

9 3 Mixed trust level VMs

10 4 Resource contention 3:00am Scan Typical AV Console

11 Deep Security

12 Trend Micro Deep Security Server & application protection 5 protection modules Shields web application vulnerabilities Deep Packet Inspection IDS / IPS Web Application Protection Application Control Detects and blocks known and zero-day attacks that target vulnerabilities Provides increased visibility into, or control over, applications accessing the network Reduces attack surface. Prevents DoS & detects reconnaissance scans Firewall Integrity Monitoring Detects malicious and unauthorized changes to directories, files, registry keys Optimizes the identification of important security events buried in log entries Log Inspection Anti-Virus Detects and blocks malware (web threats, viruses & worms, Trojans) 12 Protection is delivered via Agent and/or Virtual Appliance

13 Trend Micro Agent-Less Solution Deep Security 7.5 Isolates security for better-than-physical protection Guest VMs Trend Micro Deep Security 7.5 Virtual Appliance IDS/IPS -Virtual Patch - App Control AV -On Access - On Demand OS APP Kernel Firewall VMsafe-net API Seraph (EPSEC) API VMTools vsphere (ESX) Introspection API s

14 Sample list of systems protected Deep Security rules shield vulnerabilities in these common applications Operating Systems Database servers Web app servers Mail servers FTP servers Backup servers Storage mgt servers DHCP servers Desktop applications Mail clients Web browsers Anti-virus Other applications Windows (2000, XP, 2003, Vista, 2008, 7), Sun Solaris (8, 9, 10), Red Hat EL (4, 5), SuSE Linux (10,11) Oracle, MySQL, Microsoft SQL Server, Ingres Microsoft IIS, Apache, Apache Tomcat, Microsoft Sharepoint Microsoft Exchange Server, Merak, IBM Lotus Domino, Mdaemon, Ipswitch, IMail,, MailEnable Professional, Ipswitch, War FTP Daemon, Allied Telesis Computer Associates, Symantec, EMC Symantec, Veritas ISC DHCPD Microsoft (Office, Visual Studio, Visual Basic, Access, Visio, Publisher, Excel Viewer, Windows Media Player), Kodak Image Viewer, Adobe Acrobat Reader, Apple Quicktime, RealNetworks RealPlayer Outlook Express, MS Outlook, Windows Vista Mail, IBM Lotus Notes, Ipswitch IMail Client Internet Explorer, Mozilla Firefox Clam AV, CA, Symantec, Norton, Trend Micro, Microsoft Samba, IBM Websphere, IBM Lotus Domino Web Access, X.Org, X Font Server prior, Rsync, OpenSSL, Novell Client 14

15 Security with Trend Micro For all stages of the Virtualization Journey Virtual appliance inspects ALL VM-bound traffic & virtually patches all VMs Appliance provides automated instant-on security VM defends itself from mixed trust levels Firewall Virtual Appliance IDS / IPS Appliance serializes Anti-M/w full system scans Agent extends protection & compliance from server to cloud Inter-VM attacks PCI / Mixed Trust Resource Compliance levels Contention Cloud Computing VM Sprawl/ Instant ON issues PCI

16 Our Strategic Advantage Improves Security by providing the most secure virtualization infrastructure, with APIs, and certification programs Improves Virtualization by providing security solutions architected to fully exploit the VMware platform Better-than-physical security for VMware customers 9/8/

17 Deep Security architecture 17

18 Trend Micro Deep Security Server & Application Protection for ALL servers Deep Packet Inspection IDS / IPS Web App. Protection Application Control Detects and blocks known and zero-day attacks that target vulnerabilities Shields web application vulnerabilities Increased visibility into, or control over, applications accessing the network Firewall Reduces attack surface. Prevents DoS & detects reconnaissance scans Integrity Monitoring Detects malicious and unauthorized changes to directories, files, registry keys Log Inspection Optimizes the identification of important security events buried in log entries Anti-Virus Detects and blocks malware (web threats, viruses & worms, Trojans) Protection is delivered by virtualization-aware agents in lieu of or in Copyright addition 2009 Trend Micro to Inc. virtual 18 appliance

19 Questions 21