Catbird vsecurity: Securing the virtual data center


Catbird Networks. All rights reserved.

Catbird vsecurity: Securing the Virtual Data Center

Tamar Newberger, Michael Berman
Catbird
Scotts Valley, CA

EXECUTIVE SUMMARY

Virtualization is revolutionizing the data center. With promises of significant cost savings, reduced power consumption and flexible capacity planning, it's no wonder that IT is eager to move virtualized systems from the lab into production. IT managers are responsible for transforming this virtualized data center into a nimble and automated environment that enables their organization to exploit these opportunities. Yet IT security and compliance can appear to be significant roadblocks to this vision.

The impact and force of virtualization are running head-on into the complexity of security and compliance. Indeed, many virtualization projects run into unexpected problems and expense because of a lack of understanding of the requirements for business continuity, integrity and data protection in a virtualized data center. These issues may unnecessarily result in a partial or a complete failure of the virtual data center project. This is unfortunate for many reasons, but most notably because virtualization actually has the power to make virtualized environments even more secure than their physical counterparts.

This paper describes the security gaps that are introduced in the move from physical to virtual infrastructure, specifically where security, compliance and audit are concerned. Specific topics to be covered include: loss of visibility, separation of duties and secondary controls on the virtual network; virtual machine mobility and its effect on security; network segmentation in a virtual context; how to update security best practices to protect virtual infrastructure; and the approach taken by Catbird to monitor, manage and protect virtualized data centers so that they can deliver on their promise.

Security in the Virtual Data Center Catbird, Inc Page 2

Background

Computer virtualization is the consolidation of many physical machines into virtual machines - known as guests - onto one or more physical host systems. The host runs a specialized application or operating system called a hypervisor, which manages the virtual operating system. In a virtualized environment dozens or even hundreds of guest operating systems - or virtual machines - may be running simultaneously under one hypervisor. Applications on each virtual machine commonly interoperate with each other via a virtual network, which may include virtual routers and switches (see Figure 1). These virtual networks run inside the physical host, handling traffic which is invisible to anything outside of that host.

Figure 1: Typical configuration

Administrators manage virtual machines with the same flexibility one typically applies to a simple file. Virtual platform administrators can create and delete, clone, share, move and even roll back the execution state of a virtual machine. While enormously useful, such dynamic configurations are a challenge to data center security, which assumes predictability of monitored systems, a relatively static environment and role-based administration.

The next sections elaborate on the specific change dimensions of virtualized infrastructure that can adversely affect security and how virtualized data centers can mitigate the potential risks. These dimensions are outlined in Table 1.

Table 1: Change Dimensions and Effects

Change: Hypervisor
Effect: Adds new operating system and infrastructure layers
Risk: Denial of service, anonymous access, data theft, fraud
Solution: Monitor configuration and VM states to enforce secure configuration

Change: Virtual Networks
Effect: Flattens infrastructure and networks; blinds non-virtualized tools
Risk: Unauthorized access, anonymous access, denial of service
Solution: Audit and enforce data protection for network layers 2-7

Change: Virtual Administrator
Effect: Collapses roles and increases privilege of administrators
Risk: Escalation of privilege, abuse of privilege, fraud
Solution: Enforce compensating controls via hypervisor and network APIs

Change: Servers are files
Effect: Increases transience, enables VM mobility, and increased frequency of change within the data center
Risk: Denial of service, data or intellectual property theft, unauthorized access, fraud
Solution: Provide dynamic protection and controls to protect data: policy based security follows the virtual machines

1) Hypervisor: A New Threat Surface

The hypervisor presents a new target for attacks. Since all virtual machines depend on the hypervisor to manage virtual processes, the hypervisor is a single point of failure for the entire virtual infrastructure. The hypervisor and virtual machine monitor comprise a new software layer in the application delivery stack. These applications are not immune to defects or vulnerabilities: risks exist from MMU, driver, management, direct I/O and API based attack vectors.


The hypervisor attack surface consists of the following access methods:

1. Direct console access to the hypervisor user interface (CLI). This requires physical access to the hypervisor host.
2. Network access to the hypervisor UI. This is accomplished via virtual network (VM to hypervisor) or non-virtualized network access to the host interface.
3. Virtual machine break out. This is a subversion of the hypervisor through manipulation of the shared memory or via the hooks required to run the VM.

Malicious network access is the most critical risk factor, as it represents both the highest probability of attack and the highest cost incurred from a successful attack. [1]

Example risks:

- Virtual network access or attack from a compromised or misused virtual machine (see Figure 2).
- Human error and improper configuration of the virtualization environment by an authorized user, or unauthorized access by a malicious user (see Figure 3).

Figure 2: VM attacks hypervisor

For example, an infected virtual machine can launch a DoS attack against the hypervisor. This virtualized attack is invisible to a non-virtualized security device.

Figure 3: Unauthorized use


Catbird Mitigation

Continuous validation of the hypervisor configuration and environment is required to assure the integrity of the hypervisor and the security of the virtual machines. Monitoring must include oversight and visibility into the virtual administrator activities. Catbird delivers 24x7, automated and continuous validation of the hypervisor environment required to assure the integrity of the hypervisor management network and the security of the virtual machines. Catbird monitoring includes oversight and visibility into the virtual administrator activities. Catbird also implements dual controls for privileged activities and for administrative override. Catbird vsecurity delivers effective oversight on operations personnel as well.

2) The Old Threat Surface, Newly-Concealed: New, Invisible Virtual Networks

Virtual machines continue to have the same attack surface as the physical systems that they replace. For example, an unpatched Windows Server 2003 will have approximately 202 remotely executable exploits. [2] While this basic threat surface is unchanged, virtualization increases the risk from a malicious insider due to the lack of visibility into the virtual environment: unobserved emboldening. [3] Non-virtualized security technology is simply unable to validate the virtual environment. This gap in security coverage creates an opportunity for unobserved activities and misconfiguration of networks. This observation failure dramatically increases the likelihood of an abuse occurring or a misconfiguration remaining undetected for a prolonged period.

Inside the hypervisor, the virtual network is a collection of I/O channels within the memory backplane of the host. It is not possible to install the usual security tools - non-virtualized firewall, network intrusion prevention systems (IPS) or vulnerability monitoring systems - into the hypervisor's backplane.
Like the Agents in the Matrix [4], if you want to secure the virtual world, you have to be in the virtual world, and able to run security software within it. This requires virtualized versions of IPS, vulnerability monitoring, network access control and other security technologies.

Just as a compromised hypervisor would allow an attacker to manipulate any of the virtual machine guests on the host without detection, a malicious virtual center administrator may manipulate the virtual environment unobserved and with complete impunity. This is one of the most fundamental risks of virtualization.

Network segmentation, a common practice in the physical world, is often absent in enterprise-class virtual data centers. Some security-aware administrators have wisely separated the hypervisor management network from the rest of the guest machines, but often there is no distinction on the virtual network between machines of different trust zones, scope, policies, etc. Even where different subnets have been configured in an effort to model a physically segmented network, there is no built-in enforcement when a machine migrates to an unauthorized place. This risks a publicly facing, low-security virtual machine easily bridging onto the most sensitive of private networks.

Catbird Mitigation

Catbird delivers virtual machine data protection through a non-invasive, independent system of controls within the virtual infrastructure itself. Catbird validates the configuration of the hypervisor environment to detect and prevent a breach in network segmentation, including monitoring of the virtual switch and the virtual machines. Catbird monitoring includes the classic security tools that any physical environment would need: a secure baseline, vulnerability management, change control, network admission control, intrusion detection and prevention, enforced via network and acceptable use policies.
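
The enforcement gap described above, where nothing stops a machine from migrating onto a network outside its trust level, can be checked by attaching zone membership to the VM rather than to its host. The following Python example is added here and is not code from the paper or from Catbird; the Zone and Attachment records, the rule names and the constructed inventory are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    port_groups: frozenset  # virtual switch port groups the zone may use
    cidrs: tuple            # network space (CIDR) the zone may occupy


@dataclass(frozen=True)
class Attachment:
    vm_id: str       # stable VM identifier that survives migration
    zone: str        # zone assigned by policy, independent of physical host
    host: str        # host currently running the VM
    port_group: str  # port group the virtual NIC is connected to
    ip: str


def find_violations(zones, attachments):
    """Return sorted (subject, rule, detail) tuples for each policy breach."""
    by_name = {z.name: z for z in zones}
    zones_on_pg = defaultdict(set)
    violations = []
    for a in attachments:
        zone = by_name.get(a.zone)
        if zone is None:
            violations.append((a.vm_id, "unknown-zone", a.zone))
            continue
        zones_on_pg[a.port_group].add(a.zone)
        # The host is deliberately not part of the rule: zones span hosts,
        # so a migration is only a breach if the network attachment changes.
        if a.port_group not in zone.port_groups:
            violations.append(
                (a.vm_id, "port-group-outside-zone", f"{a.port_group} on {a.host}"))
        addr = ipaddress.ip_address(a.ip)
        if not any(addr in ipaddress.ip_network(c) for c in zone.cidrs):
            violations.append((a.vm_id, "ip-outside-zone", a.ip))
    # A port group carrying more than one zone bridges those zones at layer 2.
    for pg, members in zones_on_pg.items():
        if len(members) > 1:
            violations.append(
                (pg, "mixed-zone-port-group", ",".join(sorted(members))))
    return sorted(violations)


# Constructed sample inventory (not real data).
ZONES = [
    Zone("dmz", frozenset({"pg-dmz"}), ("10.10.0.0/24",)),
    Zone("pci", frozenset({"pg-pci-a", "pg-pci-b"}), ("10.20.0.0/24",)),
]

BEFORE = [
    Attachment("web01", "dmz", "esx1", "pg-dmz", "10.10.0.11"),
    Attachment("pay01", "pci", "esx1", "pg-pci-a", "10.20.0.5"),
    Attachment("pay02", "pci", "esx2", "pg-pci-b", "10.20.0.6"),
]

# After two migrations: pay01 moves hosts but stays inside its zone (allowed);
# web01 lands on a payment port group (segmentation breach).
AFTER = [
    Attachment("web01", "dmz", "esx2", "pg-pci-b", "10.10.0.11"),
    Attachment("pay01", "pci", "esx2", "pg-pci-b", "10.20.0.5"),
    Attachment("pay02", "pci", "esx2", "pg-pci-b", "10.20.0.6"),
]

if __name__ == "__main__":
    for label, snapshot in (("before", BEFORE), ("after", AFTER)):
        print(label, find_violations(ZONES, snapshot))
```

Running the check on every inventory change, rather than on a schedule, is what makes the policy follow the machine through mobility events.
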

Catbird TrustZones delivers the technical controls to detect and prevent unauthorized traffic within the virtualized network backplane. A TrustZone is a logical grouping of virtual assets, independent of physical host, with a policy envelope associated with each group. TrustZones leapfrog virtual firewalls by providing network segmentation that complements the new architecture of virtualization. Zones can span hosts and clusters, enforcing a policy that follows virtual machines through mobility, and includes detailed audit trails. Catbird monitors and enforces the defined TrustZones policy, preventing unauthorized guests from joining networks for which they are not privileged.

3) Collapse of Roles; Loss of Separation of Duties and Least-privileges

What is fundamentally new in the move from P to V is the collapsing of roles. In the physical data center, implicit separation of duties and change controls would prevent most accidental or malicious activities. Think of the people and paper required to routinely set up a new server in a well-run data center. There are the procurement people, the network people, the data center floor managers, the operations people and perhaps even a security manager. If any one of them makes an inadvertent error, the likelihood is that another would catch it before it became an exploitable issue.

By contrast, the virtualized data center allows one operator to control the system, network and security infrastructure completely. The virtual administrator combines most, if not all, of the privileges of a domain administrator, root user, network and security operations. This collapses operational roles, reduces Separation of Duties (SoD) and vastly increases the risks of escalation of privilege and abuse of privilege. A single administrator has all of the keys to the kingdom.

This collapse of process protection may allow an administrator to compromise virtual guests and their data. At the very least, there is a high likelihood that this operator will make a common mistake which can put the environment at risk. More alarming is the fact that malicious administrators may decrypt network traffic [5], snapshot data or systems, or even peek into physical memory covertly with little fear of detection. Combined with a lack of surveillance of the virtual environment, this would not only allow but may embolden a rogue administrator to do irreparable damage.

Secondary or Backup controls

Most security vulnerabilities happen not from malicious hackers but from inadvertent human error.
Standard practice on physical networks in regulated data centers mandates automated tools (often built into system software) to monitor for such error, essentially functioning as belt and suspenders. These secondary and backup controls - essential to compliance - are absent in virtualization platforms. Network controls to prevent unauthorized or anonymous access do not exist. Dual controls to prevent abuse of privilege do not exist. Automation to ensure secure life-cycle and strict change controls does not exist. Insecure or unauthorized hypervisor configuration negates secondary controls. Together, these omissions compound each other, leading to weaknesses that are easily exploited.

Catbird Mitigation

Catbird addresses the challenges brought on by the new virtual administrator. Catbird delivers controls over the virtual administrator, compensating for SoD, audit and least-privilege principles affected by virtualization. Catbird implements common controls for network policy and virtual platform administration. Catbird supports access controls to enforce authority, and includes features to separate roles and organize proper virtual network segmentation for policy containment and enforcement.

4) Loss of Change Management As Servers Become Files

Virtualization includes the capability of cloning existing guest systems, downloading guest images and creating guest images with very few keystrokes and within minutes. The ability to provision entire systems quickly and easily is of huge benefit to business users.

Most organizations have an established protocol for data center servers. Different protocols are applied to machines with different tasks or policies. In the physical world, it is relatively straightforward to ensure that new machines added to a data center adhere to the configuration policies assigned to that group and that they be introduced in a controlled and coordinated manner.
In current virtualized data centers, this process is completely circumvented by the extended powers of the virtual infrastructure administrator and the lack of cooperation between the operations and security teams in the initial deployment of virtual systems.

A symptom of the loss of change controls is Virtual Sprawl. Virtual sprawl is a term used to describe the inflationary growth in the number of operating system instances installed in a virtual infrastructure. Creation of a new virtual machine on most hypervisors is as easy as a few mouse clicks. Without good reason or approval, virtual infrastructure administrators can instantly create new machines or clone existing machines. The total number of VMs in an organization can multiply at an enormous rate, proportional only to the capacity of the physical machine hosting them. As an example, a recent client audit by Catbird revealed that a domain machine had been improperly cloned, creating two distinct machines with the same domain identity. This instantly made inventory and vulnerability management databases invalid.

Rapid and unpredictable growth of new machines strains the security processes of an organization. Patching plans, for example, break down when one does not know what machines to patch. Machines may become unprotected, and an infected or compromised machine on a virtual network may then easily infect the remainder of the virtual machines on that network, which are typically invisible to standard security devices. As a consequence, most virtualized systems have no method of ensuring that policies are adhered to when changes to virtual machines occur and no way of assessing the impact of such changes on security and compliance.

Mobility

Further complicating change management is the unique feature of virtual machine migration. Current VM technology supports relocating guest systems between clusters and hypervisors with little or no downtime [6]. Guest systems can be dynamically moved from one physical host to another, without interruption of computation, presentation or state. A virtual machine hosting back office payroll applications, administered and protected by a particular policy on a particular physical server, can be instantly moved to a new host, with perhaps inappropriate monitoring and protection.

Software Lifecycle and Rollbacks

Lastly, change management is challenged by the issue of software lifecycle and rollbacks first described by Garfinkel and Rosenblum. It refers to the potential exploitation of the temporal nature of virtualization, where, by design, machine state may be rolled back to a previous execution state.
Traditional security processes assume time is moving forward, and thus patched machines remain patched, ports are closed, accounts disabled, etc., with all of these measures appropriately logged. Rolling back to a previous state undoes these actions and re-exposes the protected machines, even as the audit logs are not necessarily amended to reflect the reverted state.

Catbird Mitigation

Catbird vsecurity delivers a combination of sophisticated virtual machine tracking, along with a management framework for auditing virtual machine state. The Catbird vtracker tracks guest systems independent of location or mobility events. The Catbird Control Center audits the state of the virtual machines over their lifetimes, supplying forensics for root cause analysis.

IT managers can monitor and integrate Catbird into existing change control processes. Routine tasks would be approved, scheduled and validated by a change management process. Catbird delivers the ability to detect and validate new guest systems, rolled up and correlated into a holistic view of all changes to the data center, enabling trendspotting of risky or dangerous activity. Catbird provides independent enforcement of security and compliance, and can alert administrators about "fat finger" or configuration errors. Catbird allows administrators to establish a topology upfront that enforces network segmentation that separates test, development, and production VMs.

Organizations that rely on manual process controls soon find that they are out of compliance with data protection and regulatory requirements. To address this, Catbird provides monitoring, mitigation and enforcement procedures for baselining, change control and security validation to meet the demands that virtualization-savvy business units will place on IT management.
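
The change-management failures described above (an improper clone that duplicates a domain identity, machines created without approval, a rollback that silently undoes patching and port closures) can be detected by comparing each inventory snapshot with the last audited state. This Python example is added here and is not from the paper or from Catbird; the VMState fields, the rule names and the snapshot data are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VMState:
    instance_id: str       # unique per virtual machine, assigned by the platform
    identity: str          # identity the guest presents (e.g. domain machine name)
    patch_seq: int         # highest patch sequence number applied in the guest
    open_ports: frozenset  # listening ports observed on the virtual network


def audit(previous, current, approved_new=frozenset()):
    """Compare the current snapshot with the last audited one.

    Returns sorted (subject, rule, detail) tuples.
    """
    prev = {vm.instance_id: vm for vm in previous}
    owners = defaultdict(list)
    findings = []
    for vm in current:
        owners[vm.identity].append(vm.instance_id)
        old = prev.get(vm.instance_id)
        if old is None:
            # New instance: acceptable only if change control approved it.
            if vm.instance_id not in approved_new:
                findings.append((vm.instance_id, "unapproved-new-vm", vm.identity))
            continue
        # Time ran backwards: the guest is less patched than when last audited.
        if vm.patch_seq < old.patch_seq:
            findings.append(
                (vm.instance_id, "patch-regression", f"{old.patch_seq}->{vm.patch_seq}"))
        newly_open = vm.open_ports - old.open_ports
        if newly_open:
            findings.append(
                (vm.instance_id, "port-newly-open",
                 ",".join(str(p) for p in sorted(newly_open))))
    # Two instances presenting one identity invalidate inventory and
    # vulnerability records keyed on that identity.
    for identity, ids in owners.items():
        if len(ids) > 1:
            findings.append((identity, "duplicate-identity", ",".join(sorted(ids))))
    return sorted(findings)


# Constructed snapshots (not real data).
PREVIOUS = [
    VMState("vm-100", "FIN-DC01", 42, frozenset({443})),
    VMState("vm-101", "WEB01", 42, frozenset({80, 443})),
]

CURRENT = [
    # vm-100 was reverted to an old snapshot: patches lost, port 3389 open again.
    VMState("vm-100", "FIN-DC01", 37, frozenset({443, 3389})),
    VMState("vm-101", "WEB01", 42, frozenset({80, 443})),
    # vm-102 is an unapproved clone that still presents the original identity.
    VMState("vm-102", "FIN-DC01", 42, frozenset({443})),
    # vm-103 was created through an approved change.
    VMState("vm-103", "TEST07", 42, frozenset({22})),
]

APPROVED_NEW = frozenset({"vm-103"})

if __name__ == "__main__":
    for finding in audit(PREVIOUS, CURRENT, APPROVED_NEW):
        print(finding)
```

The comparison is only meaningful if the previous snapshot is stored outside the guest, since a rollback also reverts any record the guest keeps of its own patch state.
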

Catbird is thus able to effectively control the underlying causes of virtual sprawl: the combination of changing business demands, faster provisioning and poor process controls in the virtual infrastructure.

Catbird vsecurity Approach

The multi-award winning Catbird vsecurity is comprehensive protection and compliance for virtual, cloud and physical data centers. It is built on industry standard, network-based security technologies and uses patent-pending methodologies for data correlation and intelligence. Its architecture is 100% cloud based, using web services and a service-oriented architecture (SOA) perfectly complementary to virtualization.


V-Security integrates:

- Virtual network visibility, monitoring and flow analysis
- Virtual machine tracking, analysis and quarantine
- Policy monitoring and enforcement (Catbird TrustZones) across the entire data center
- Network access control (NAC) with automatic virtual machine quarantine
- 24x7 vulnerability monitoring
- IDS/IPS with zero-day threat intelligence
- Network segmentation
- Web-based management portal

Catbird vsecurity instantly identifies compromised assets, alerts appropriate personnel, and optionally quarantines the offenders. No other vendor can deliver this level of breadth and depth in protecting security and compliance from within the virtual infrastructure.

vsecurity consists of the following elements:

vcompliance

The only product in the industry specifically designed to monitor and enforce compliance for virtual and cloud environments. vcompliance automatically monitors and audits more controls required by the leading regulatory standards organizations and supports the widest array of common security frameworks. vcompliance includes default policies such as SOX, HIPAA, DIACAP and PCI; each policy is built upon Catbird controls which map to the appropriate compliance framework. Catbird applies controls across seven areas that are all required for operations, security and compliance, specifically: Auditing, Inventory management, Configuration management, Change management, Access control, Vulnerability management and Incident response.

VMShield

Protects virtual machines by correlating advanced VM tracking capabilities (via the Catbird vtracker) and hundreds of virtual machine attributes with in-depth monitoring of suspect activity on the network itself. VMShield automatically blocks out-of-policy or compromised VMs from breaching data center security.

TrustZones

Defined as a logical group of assets that share a common security policy envelope, TrustZones provide visibility, monitoring and policy enforcement across a port group or network space (CIDR). TrustZones can be used to segment the network. They can span multiple port groups within a switch, VLANs, multiple switches, multiple hosts and even multiple clusters - and still maintain the policy envelope through vmotion events.

HypervisorShield

HypervisorShield monitors and controls access to the hypervisor management network and other hypervisor management components, detects malicious network activity directed at the hypervisor from virtual machines and validates that the hypervisor network is configured according to best practices and site security policy.

vsecurity Architecture

Catbird V-Security consists of two components: a network-based virtual appliance - referred to as a Catbird - and the Catbird Control Center. The Catbird virtual machine appliances connect to the virtual switch. The Control Center is the command-and-control center for all vsecurity operations and is itself a virtual machine. Due to the dynamic nature of security threats, both the virtual appliances and Control Center are continuously updated from Catbird.


The Catbird Control Center is a single virtual machine instance with no limit on the number of Catbird virtual machine appliances and number of sites managed. It is a web-based management console. The Control Center supports multi-tenant role-based access control, integration with Active Directory and other multi-factor authentication mechanisms. The Control Center manages the Catbirds (virtual machine appliances). Each Catbird virtual machine appliance performs discovery, assessment, device access and management services for attached logical networks. Large organizations federate Control Center instances to provide global security management and reporting.

The Catbird appliance operates in existing virtual infrastructures, or as a stand-alone virtual machine using a virtual machine player technology. The Catbird Control Center provides management, data correlation, data analysis, logging and integration with other vendor products.

Conclusion

Virtualization technology delivers a highly dynamic and significantly more cost-effective data center, fundamentally changing the way servers are deployed and managed. This also profoundly changes the way security is architected. A virtualization strategy will only be as successful as its ability to protect the data and assets of the organization. Many of the security and compliance issues introduced by virtualization can be solved with better processes. Others will require a virtualized security technology like Catbird that brings visibility, management and control to virtual infrastructure and which contemplates both the benefits and risks of virtual machine mobility. In all cases, operations and security teams need to work together on building in security from project inception and recognize that traditional approaches are inadequate for this new paradigm.

REFERENCES AND CITATIONS

Pollard, B. (Feb 2008) Security Advantages and Disadvantages of Virtualization. University of Maryland, XTMN 606, Cohort 24.

Center for Internet Security (2007) CIS ESX Benchmark.

Charu Chaubal, VMware Inc. (2008) Security Hardening, VMware Infrastructure 3.

Tal Garfinkel and Mendel Rosenblum, Stanford University Department of Computer Science. When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments.

NSA, Systems and Network Analysis Center (2008) VMware ESX Server 3 Configuration Guide.

DISA, for the DOD (2008) ESX Server Security Technical Implementation Guide V1R1 (2008, April 28).

Berman, Rieke and Dennis, Catbird Networks, Inc. (coming 2009) Catbird Secure Virtual Infrastructure Configuration Guide. Available upon request.

Yankee Group (2006) 2006 Global Virtualization Survey. In Yankee Group, The Global Connectivity Experts.

[1] It is important to note that to date there have been no reported exploitations of weaknesses in the hypervisor itself by malicious hackers. This is not surprising: 99% of security breaches are the result of simple human error, errors which need to be assiduously prevented in a virtual data center.

[2] CVE Query Results. (2007) In The National Vulnerability Database, US DHS Cybersecurity Division.

[3] Martinez-Moyano, Conrad, Rich and Andersen (2006) Modeling the emergence of insider threat vulnerabilities, in Proceeding of the 2006 Winter Conference. Retrieved January 9, 2008 from Moyano_et_al_2006_WSC.pdf

[4] The Matrix. (1999, March 31 USA). Written and Directed by Larry Wachowski and Andy Wachowski.

[5] Bellare, S. Goldwasser, and D. Micciancio (1997) Pseudo-random number generation within cryptographic algorithms: The DSS case. In CRYPTO.

[6] Migrate Virtual Machines with Zero Downtime (2007). In VMware Vmotion.


More information

Security Virtual Infrastructure - Cloud

Security Virtual Infrastructure - Cloud Security Virtual Infrastructure - Cloud Your Name Ramkumar Mohan Head IT & CISO Orbis Financial Corporation Ltd Agenda Cloud Brief Introduction State of Cloud Cloud Challenges Private Cloud Journey to

More information

Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform

Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform Managing Privileged Identities in the Cloud How Privileged Identity Management Evolved to a Service Platform Managing Privileged Identities in the Cloud Contents Overview...3 Management Issues...3 Real-World

More information

Virtualization Security Checklist

Virtualization Security Checklist Virtualization Security Checklist This virtualization security checklist is intended for use with enterprise full virtualization environments (as opposed to paravirtualization, application or operating

More information

How To Manage Security On A Networked Computer System

How To Manage Security On A Networked Computer System Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments

H Y T RUST: S OLUTION B RIEF. Solve the Nosy Neighbor Problem in Multi-Tenant Environments H Y T RUST: S OLUTION B RIEF Solve the Nosy Neighbor Problem in Multi-Tenant Environments Summary A private cloud with multiple tenants such as business units of an enterprise or customers of a cloud service

More information

Virtualization Impact on Compliance and Audit

Virtualization Impact on Compliance and Audit 2009 Reflex Systems, LLC Virtualization Impact on Compliance and Audit Michael Wronski, CISSP VP Product Management Reflex Systems Agenda Introduction Virtualization? Cloud? Risks and Challenges? Compliance

More information

Effective End-to-End Cloud Security

Effective End-to-End Cloud Security Effective End-to-End Cloud Security Securing Your Journey to the Cloud Trend Micro SecureCloud A Trend Micro & VMware White Paper August 2011 I. EXECUTIVE SUMMARY This is the first paper of a series of

More information

GE Measurement & Control. Cyber Security for NEI 08-09

GE Measurement & Control. Cyber Security for NEI 08-09 GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4

More information

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

Virtualization System Security

Virtualization System Security Virtualization System Security Bryan Williams, IBM X-Force Advanced Research Tom Cross, Manager, IBM X-Force Security Strategy 2009 IBM Corporation Overview Vulnerability disclosure analysis Vulnerability

More information

Safeguarding the cloud with IBM Dynamic Cloud Security

Safeguarding the cloud with IBM Dynamic Cloud Security Safeguarding the cloud with IBM Dynamic Cloud Security Maintain visibility and control with proven security solutions for public, private and hybrid clouds Highlights Extend enterprise-class security from

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Learn the Essentials of Virtualization Security

Learn the Essentials of Virtualization Security Learn the Essentials of Virtualization Security by Dave Shackleford by Dave Shackleford This paper is the first in a series about the essential security issues arising from virtualization and the adoption

More information

Tenable Webcast Summary Managing Vulnerabilities in Virtualized and Cloud-based Deployments

Tenable Webcast Summary Managing Vulnerabilities in Virtualized and Cloud-based Deployments Tenable Webcast Summary Managing Vulnerabilities in Virtualized and Cloud-based Deployments Introduction Server virtualization and private cloud services offer compelling benefits, including hardware consolidation,

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility

More information

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS 1 FIVE KEY RECOMMENDATIONS During 2014, NTT Group supported response efforts for a variety of incidents. Review of these engagements revealed some observations

More information

Making Data Security The Foundation Of Your Virtualization Infrastructure

Making Data Security The Foundation Of Your Virtualization Infrastructure Making Data Security The Foundation Of Your Virtualization Infrastructure by Dave Shackleford hytrust.com Cloud Under Control P: P: 650.681.8100 Securing data has never been an easy task. Its challenges

More information

Learn the essentials of virtualization security

Learn the essentials of virtualization security Learn the essentials of virtualization security White Paper Table of Contents 3 Introduction 4 Hypervisor connectivity and risks 4 Multi-tenancy risks 5 Management and operational network risks 5 Storage

More information

ALTERNATIVES FOR SECURING VIRTUAL NETWORKS

ALTERNATIVES FOR SECURING VIRTUAL NETWORKS White Paper ALTERNATIVES FOR SECURING VIRTUAL NETWORKS A Different Network Requires a Different Approach Extending Security to the Virtual World Copyright 2013, Juniper Networks, Inc. 1 Table of Contents

More information

Overcoming Security Challenges to Virtualize Internet-facing Applications

Overcoming Security Challenges to Virtualize Internet-facing Applications Intel IT IT Best Practices Cloud Security and Secure ization November 2011 Overcoming Security Challenges to ize Internet-facing Applications Executive Overview To enable virtualization of Internet-facing

More information

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation Securing your Virtual Datacenter Part 1: Preventing, Mitigating Privilege Escalation Before We Start... Today's discussion is by no means an exhaustive discussion of the security implications of virtualization

More information

Network Segmentation in Virtualized Environments B E S T P R A C T I C E S

Network Segmentation in Virtualized Environments B E S T P R A C T I C E S Network Segmentation in Virtualized Environments B E S T P R A C T I C E S ware BEST PRAC TICES Table of Contents Introduction... 3 Three Typical Virtualized Trust Zone Configurations... 4 Partially Collapsed

More information

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance GE Oil & Gas Cyber Security for NERC CIP Versions 5 & 6 Compliance Cyber Security for NERC CIP Versions 5 & 6 Compliance 2 Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security

More information

Safeguarding the cloud with IBM Security solutions

Safeguarding the cloud with IBM Security solutions Safeguarding the cloud with IBM Security solutions Maintain visibility and control with proven solutions for public, private and hybrid clouds Highlights Address cloud concerns with enterprise-class solutions

More information

VMware Security Briefing. Rob Randell, CISSP Senior Security Specialist SE

VMware Security Briefing. Rob Randell, CISSP Senior Security Specialist SE VMware Security Briefing Rob Randell, CISSP Senior Security Specialist SE Agenda Security Advantages of Virtualization Security Concepts in Virtualization Architecture Operational Security Issues with

More information

CSA Virtualisation Working Group Best Practices for Mitigating Risks in Virtualized Environments

CSA Virtualisation Working Group Best Practices for Mitigating Risks in Virtualized Environments CSA Virtualisation Working Group Best Practices for Mitigating Risks in Virtualized Environments Kelvin Ng Tao Yao Sing Heng Yiak Por Acknowledgeme nts Co-Chairs Kapil Raina, Zscaler Kelvin Ng, Nanyang

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

2010 State of Virtualization Security Survey

2010 State of Virtualization Security Survey 2010 State of Virtualization Security Survey Current opinions, experiences and trends on the strategies and solutions for securing virtual environments 8815 Centre Park Drive Published: April, 2010 Columbia

More information

1 Introduction... 2 2 Product Description... 3 3 Strengths and Challenges... 5 4 Copyright... 5

1 Introduction... 2 2 Product Description... 3 3 Strengths and Challenges... 5 4 Copyright... 5 KuppingerCole Report EXECUTIVE VIEW by Alexei Balaganski May 2015 is a business-critical application security solution for SAP environments. It provides a context-aware, secure and cloud-ready platform

More information

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery Overview Password Manager Pro offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account

More information

PCI DSS 3.0 Compliance

PCI DSS 3.0 Compliance A Trend Micro White Paper April 2014 PCI DSS 3.0 Compliance How Trend Micro Cloud and Data Center Security Solutions Can Help INTRODUCTION Merchants and service providers that process credit card payments

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform) McAfee Security: Intrusion Prevention System REV: 0.1.1 (July 2011) 1 Contents 1. McAfee Network Security Platform...3 2. McAfee Host Intrusion Prevention for Server...4 2.1 Network IPS...4 2.2 Workload

More information

Virtual Machines and Security Paola Stone Martinez East Carolina University November, 2013.

Virtual Machines and Security Paola Stone Martinez East Carolina University November, 2013. Virtual Machines and Security Paola Stone Martinez East Carolina University November, 2013. Keywords: virtualization, virtual machine, security. 1. Virtualization The rapid growth of technologies, nowadays,

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Lecture 02b Cloud Computing II

Lecture 02b Cloud Computing II Mobile Cloud Computing Lecture 02b Cloud Computing II 吳 秀 陽 Shiow-yang Wu T. Sridhar. Cloud Computing A Primer, Part 2: Infrastructure and Implementation Topics. The Internet Protocol Journal, Volume 12,

More information

How To Secure Your System From Cyber Attacks

How To Secure Your System From Cyber Attacks TM DeltaV Cyber Security Solutions A Guide to Securing Your Process A long history of cyber security In pioneering the use of commercial off-the-shelf technology in process control, the DeltaV digital

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

THE BLUENOSE SECURITY FRAMEWORK

THE BLUENOSE SECURITY FRAMEWORK THE BLUENOSE SECURITY FRAMEWORK Bluenose Analytics, Inc. All rights reserved TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary VISIBILITY DATA GOVERNANCE SYSTEM OS PARTITION UNIFIED MANAGEMENT CENTRAL AUDIT POINT ACCESS MONITORING ENCRYPTION STORAGE VOLUME POLICY ENFORCEMENT ProtectV SECURITY SNAPSHOT (backup) DATA PROTECTION

More information

Secure networks are crucial for IT systems and their

Secure networks are crucial for IT systems and their ISSA The Global Voice of Information Security Network Security Architecture By Mariusz Stawowski ISSA member, Poland Chapter Secure networks are crucial for IT systems and their proper operation. Essential

More information

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief

ForeScout CounterACT. Device Host and Detection Methods. Technology Brief ForeScout CounterACT Device Host and Detection Methods Technology Brief Contents Introduction... 3 The ForeScout Approach... 3 Discovery Methodologies... 4 Passive Monitoring... 4 Passive Authentication...

More information

Meeting the Challenges of Virtualization Security

Meeting the Challenges of Virtualization Security Meeting the Challenges of Virtualization Security Coordinate Security. Server Defense for Virtual Machines A Trend Micro White Paper August 2009 I. INTRODUCTION Virtualization enables your organization

More information

Drawbacks to Traditional Approaches When Securing Cloud Environments

Drawbacks to Traditional Approaches When Securing Cloud Environments WHITE PAPER Drawbacks to Traditional Approaches When Securing Cloud Environments Drawbacks to Traditional Approaches When Securing Cloud Environments Exec Summary Exec Summary Securing the VMware vsphere

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

The Challenges of Securing Hosting Hyper-V Multi-Tenant Environments

The Challenges of Securing Hosting Hyper-V Multi-Tenant Environments #1 Management and Security for Windows Server and Hyper-V The Challenges of Securing Hosting Hyper-V Multi-Tenant Environments by Brien M. Posey In the not too distant past, VMware was the hypervisor of

More information

Cyber Security for NERC CIP Version 5 Compliance

Cyber Security for NERC CIP Version 5 Compliance GE Measurement & Control Cyber Security for NERC CIP Version 5 Compliance imagination at work Contents Cyber Security for NERC CIP Compliance... 5 Sabotage Reporting... 6 Security Management Controls...

More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

Five Ways to Use Security Intelligence to Pass Your HIPAA Audit

Five Ways to Use Security Intelligence to Pass Your HIPAA Audit e-book Five Ways to Use Security Intelligence to Pass Your HIPAA Audit HIPAA audits on the way 2012 is shaping up to be a busy year for auditors. Reports indicate that the Department of Health and Human

More information

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro Staying Secure After Microsoft Windows Server 2003 Reaches End of Life Trevor Richmond, Sales Engineer Trend Micro Windows Server 2003 End of Life- Why Care? The next big vulnerability (Heartbleed/Shellshock)

More information

Requirements When Considering a Next- Generation Firewall

Requirements When Considering a Next- Generation Firewall White Paper Requirements When Considering a Next- Generation Firewall What You Will Learn The checklist provided in this document details six must-have capabilities to look for when evaluating a nextgeneration

More information

Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid clouds.

Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid clouds. ENTERPRISE MONITORING & LIFECYCLE MANAGEMENT Unify IT Operations Enterprise IT is complex. Today, IT infrastructure spans the physical, the virtual and applications, and crosses public, private and hybrid

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

IBM Security QRadar Vulnerability Manager

IBM Security QRadar Vulnerability Manager IBM Security QRadar Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution Highlights Help prevent security breaches by discovering and highlighting high-risk

More information

Closing Wireless Loopholes for PCI Compliance and Security

Closing Wireless Loopholes for PCI Compliance and Security Closing Wireless Loopholes for PCI Compliance and Security Personal information is under attack by hackers, and credit card information is among the most valuable. While enterprises have had years to develop

More information

Database Security, Virtualization and Cloud Computing

Database Security, Virtualization and Cloud Computing Whitepaper Database Security, Virtualization and Cloud Computing The three key technology challenges in protecting sensitive data in modern IT architectures Including: Limitations of existing database

More information

Top virtualization security risks and how to prevent them

Top virtualization security risks and how to prevent them E-Guide Top virtualization security risks and how to prevent them There are multiple attack avenues in virtual environments, but this tip highlights the most common threats that are likely to be experienced

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols

THE TOP 4 CONTROLS. www.tripwire.com/20criticalcontrols THE TOP 4 CONTROLS www.tripwire.com/20criticalcontrols THE TOP 20 CRITICAL SECURITY CONTROLS ARE RATED IN SEVERITY BY THE NSA FROM VERY HIGH DOWN TO LOW. IN THIS MINI-GUIDE, WE RE GOING TO LOOK AT THE

More information

How Does Virtualization Change Your Approach to Enterprise Security and Compliance?

How Does Virtualization Change Your Approach to Enterprise Security and Compliance? HowDoesVirtualizationChangeYour ApproachtoEnterpriseSecurityand Compliance? SevenStepstoaVirtual awaresecuritystrategy. MichaelBaum Co founder ChiefCorporate&Business DevelopmentOfficer ScottShepard CISSP,CISM

More information

PCI Wireless Compliance with AirTight WIPS

PCI Wireless Compliance with AirTight WIPS A White Paper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com 2013 AirTight Networks, Inc. All rights reserved. Introduction Although [use

More information

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013 CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control

More information

Chapter 1 The Principles of Auditing 1

Chapter 1 The Principles of Auditing 1 Chapter 1 The Principles of Auditing 1 Security Fundamentals: The Five Pillars Assessment Prevention Detection Reaction Recovery Building a Security Program Policy Procedures Standards Security Controls

More information

Reining in the Effects of Uncontrolled Change

Reining in the Effects of Uncontrolled Change WHITE PAPER Reining in the Effects of Uncontrolled Change The value of IT service management in addressing security, compliance, and operational effectiveness In IT management, as in business as a whole,

More information

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements SolarWinds Security Information Management in the Payment Card

More information

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

FISMA / NIST 800-53 REVISION 3 COMPLIANCE Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

More information

The Trivial Cisco IP Phones Compromise

The Trivial Cisco IP Phones Compromise Security analysis of the implications of deploying Cisco Systems SIP-based IP Phones model 7960 Ofir Arkin Founder The Sys-Security Group ofir@sys-security.com http://www.sys-security.com September 2002

More information

Not for distribution or reproduction.

Not for distribution or reproduction. www.pipelinepub.com Volume 12, Issue 5 Cybersecurity Goes Mainstream By Rob Marson Back to the Future I recently read an article online entitled: Virtualization is Going Mainstream. The dateline was January

More information

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808 cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808

More information

IBM Software Choosing the right virtualization security solution

IBM Software Choosing the right virtualization security solution IBM Software Choosing the right virtualization security solution Meet the unique security challenges of virtualized environments 2 Choosing the right virtualization security solution Having the right tool

More information

Securing Cloud Infrastructures with Elastic Security

Securing Cloud Infrastructures with Elastic Security Securing Cloud Infrastructures with Elastic Security White Paper September 2012 SecludIT 1047 route des dolines, 06560 Sophia Antipolis, France T +33 489 866 919 info@secludit.com http://secludit.com Core

More information

Defending Against Data Beaches: Internal Controls for Cybersecurity

Defending Against Data Beaches: Internal Controls for Cybersecurity Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Privilege Gone Wild: The State of Privileged Account Management in 2015

Privilege Gone Wild: The State of Privileged Account Management in 2015 Privilege Gone Wild: The State of Privileged Account Management in 2015 March 2015 1 Table of Contents... 4 Survey Results... 5 1. Risk is Recognized, and Control is Viewed as a Cross-Functional Need...

More information

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks IPsonar provides visibility into every IP asset, host, node, and connection on the network, performing an active probe and mapping everything that's on the network, resulting in a comprehensive view of

More information