Mitigating Information Security Risks of Virtualization Technologies Toon-Chwee, Wee VMWare (Hong Kong) 2009 VMware Inc. All rights reserved
Agenda Virtualization Overview Key Components of Secure Virtualization Technologies Achieving and Demonstrating Compliance Use Case: Securely Mixing Trust Zones
Virtualization Basics
Pools of Shared Resources Traditional View Virtual Infrastructure Exchange Operating VMware Infrastructure System PCI Operating VMware Infrastructure System VMware Infrastructure DNS Operating VMware Infrastructure System CRM Operating VMware Infrastructure System CPU Pool Memory Pool Storage Pool Interconnect Pool
How Virtualization Affects Security and Compliance Abstraction and Consolidation Capital and Operational Cost Savings New infrastructure layer to be secured Greater impact of attack or misconfiguration Collapse of switches and servers into one device Flexibility Cost-savings Lack of virtual network visibility No separation-by-default of administration 5
How Virtualization Affects Security and Compliance Faster deployment of servers IT responsiveness Lack of adequate planning Incomplete knowledge of current state of infrastructure Poorly Defined Procedures Inconsistent Configurations VM Mobility Improved Service Levels Identity divorced from physical location VM Encapsulation Ease of business continuity Consistency of deployment Hardware Independence Outdated offline systems Unauthorized copy 6
What not to worry about Hypervisor Rootkits Examples: Blue Pill, SubVirt, etc. These are ALL theoretical, highly complex attacks Widely recognized by security community as being only of academic interest Irrelevant Architectures Example: numerous reports claiming guest escape Apply only to hosted architecture (e.g. Workstation), not bare-metal (i.e. ESX) Hosted architecture deliberately include numerous channels for exchanging information between guest and host. Contrived Scenarios Example: VMotion intercept Involved exploits where Best practices around hardening, lockdown, design, for virtualization etc, not followed, or Poor general IT infrastructure security is assumed
Security Advantages of Virtualization Allows Automation of Many Manual Error Prone Processes Cleaner and Easier Disaster Recovery/Business Continuity Better Forensics Capabilities Faster Recovery After an Attack Patching is Safer and More Effective Better Control Over Desktop Resources More Cost Effective Security Devices App Virtualization Allows de-privileging of end users Better Lifecycle Controls Security Through VM Introspection
Primary Compliance Issue: Collocation of VMs on Same Physical Hardware Virtual Machines are dedicated and isolated entities abstracted from the physical hardware Isolation characteristics of VMs and virtual networks meet compliance requirements Configuration choices are key in meeting compliance requirements Misconfiguration is greatest risk to virtual infrastructure Virtual Infrastructure VMware Infrastructure CPU Pool Memory Pool Storage Pool Interconnect Pool
KEYS TO A SECURE VIRTUALIZED DEPLOYMENT
How do we secure our Virtual Infrastructure? Use the Principles of Information Security Hardening and Lockdown Defense in Depth Authorization, Authentication, and Accounting Separation of Duties and Least Privileges Administrative Controls For virtualization this means: Secure the Guests Harden the Virtualization layer Setup Access Controls Leverage Virtualization Specific Administrative Controls
Securing Virtual Machines Provide Same Protection as for Physical Servers Host Anti-Virus Patch Management Network Intrusion Detection/Prevention (IDS/IPS) Firewalls 12
vnic vnic vnic Isolation in the Architecture Production vswitch1 vmnic1 2 3 4 Prod Network Mgmt VMkernel Storage Mgmt Network vswitch2 Segment out all non-production networks Use VLAN tagging, or Use separate vswitch (see diagram) Strictly control access to management network, e.g. RDP to jump box, or VPN through firewall vcenter Other ESX/ESXi hosts IP-based Storage 13
Secure/Compliant Virtualization Platform Requirements Enterprise Features for Management Controls Strong Access Controls Centralized Authentication Granular Authorization Controls Configuration Management Audit and Logging A Flexible and Well Defined API
Enforce Strong Access Controls Joe Harry Security Principle Least Privileges Separation of Duties Implementation in Virtual Infrastructure Roles with only required privileges Roles applied only to required objects Administrator Operator Anne User
Maintain Tight Administrative Controls Requirement Configuration management, monitoring, auditing Track and Manage VM Updating of offline VMs Virtual network security
Achieving Regulatory Compliance Think Security First Design for Compliance Understand the Scope of the Requirements Ensure that Controls are Comprehensive Don t Rely on Technology Alone Assign the Right Project Manager Collaborate with the Auditor
Use Case: Securely Mixing Trust Zones Three Primary Configurations Physical Separation of Trust Zones Virtual Separation of Trust Zone with Physical Security Devices Fully collapsing all servers and security devices into a Virtual Infrastructure
Physical Separation of Trust Zones
Physical Separation of Trust Zones Advantages Simpler, less complex configuration Less change to physical environment Little change to separation of duties Less change in staff knowledge requirements Smaller chance of misconfiguration leading to a security issue Disadvantages Lower consolidation and utilization of resources Higher cost
Virtual Separation of Trust Zones with Physical Security Devices
Virtual Separation of Trust Zones with Physical Security Devices Advantages Better utilization of resources Take Full Advantage of Virtualization Benefits Lower cost Disadvantages (can be mitigated) More complexity Greater chance of misconfiguration
Fully Collapsed Trust Zones including Security Devices
Fully Collapsed Trust Zones including Security Devices Advantages Full utilization of resources, replacing physical security devices with virtual Lowest-cost option Management of entire DMZ and network from a single management workstation Disadvantages (can be mitigated) Greatest complexity, which in turn creates highest chance of misconfiguration Requirement for explicit configuration to define separation of duties to help mitigate risk of misconfiguration; also requires regular audits of configurations Potential loss of certain functionality, such as VMotion (Being mitigated by vendors and VMsafe)
Conclusion Understand Virtualization Technology Isolation Characteristics of VMs make Collocation of VMs Compliant Key Components of Secure Virtualization Technologies a Must Understand the Steps Necessary for Compliance
Questions? 2009 VMware Inc. All rights reserved