VMware Security Briefing Rob Randell, CISSP Senior Security Specialist SE
Agenda Security Advantages of Virtualization Security Concepts in Virtualization Architecture Operational Security Issues with Virtualization Future of Virtualization Security 2
Security Advantages of Virtualization Better Forensics Capabilities Faster Recovery After an Attack Patching is Safer and More Effective Better Control Over Desktop Resources More Cost Effective Security Devices 3
Security Concepts in Architecture Extended Computing Stack (Hypervisor) Guest Isolation Host Visibility from the Guest Greater co-location of data and assets on one box Management Interfaces Service Console VirtualCenter Hosted vs. Bare Metal 4
Security Concepts: Extended Computing Stack and Guest Isolation Standard x86 VMware ESX Hypervisor VMware Confidential/Proprietary Copyright 2006 VMware, Inc. All rights reserved. 5
Are there any Hypervisor Attack Vectors? There are currently no known hypervisor attack vectors to date that have lead to VM Escape Architectural Vulnerability Designed specifically with Isolation in Mind Software Vulnerability Possible like with any code written by humans Small Code Footprint of Hypervisor (~32MB) Makes it Easier to Audit Depends on VMware Security Response and Patching If a software vulnerability is found, exploit difficulty will be very high Commonly cited: Blue Pill, SubVirt These are NOT hypervisor vulnerabilities, Use the concept of a hypervisor to create advanced malware These can only affect non-virtualized operating systems 6
VMware Architecture: Isolation and Containment VMM Security Design Highlights Privileged instructions within a VM are de-privileged and run within an isolated virtual memory space VMs have no direct access to hardware, only have visibility to virtual devices VMs can only communicate with each other through Virtual Switches Resource reservations and limits guarantees performance isolation OS and applications within a VM run as is with no modification (hence no recertification required) VMM Production Use Proof Points CC EAL 4+ certification ESX 3.0.2 and VC 2.0.2 Passed security audit and put into production by the largest Financial Institutions Passed Defense and Security Agencies scrutiny and audit (NetTop and HAP) Large number of customers run mission critical and transaction processing applications 7
Security Concepts in Architecture Extended Computing Stack (Hypervisor) Guest Isolation Host Visibility from the Guest Greater co-location of data and assets on one box Management Interfaces Service Console VirtualCenter Hosted vs. Bare Metal 8
Greater Collocation of Data on One Box Web Server Database Server PCI Server Domain Controller VMware Confidential/Proprietary Copyright 2006 VMware, Inc. All rights reserved. 9
Concern: Virtualizing the DMZ / Mixing Trust Zones Three Primary Configurations: Physical Separation of Trust Zones Virtual Separation of Trust Zone with Physical Security Devices Fully collapsing all servers and security devices into a VI3 infrastructure Also Applies to PCI Requirements 2.2.1, 1.1.x, 6.3.2, and 6.3.3 10
Physical Separation of Trust Zones VMware Confidential/Proprietary Copyright 2006 VMware, Inc. All rights reserved. 11
Virtual Separation of Trust Zone with Physical Security Devices VMware Confidential/Proprietary Copyright 2006 VMware, Inc. All rights reserved. 12
Full Collapse DMZ in a Box VMware Confidential/Proprietary Copyright 2006 VMware, Inc. All rights reserved. 13
Security Concepts in Architecture Extended Computing Stack (Hypervisor) Guest Isolation Host Visibility from the Guest Greater co-location of data and assets on one box Management Interfaces Service Console VirtualCenter Hosted vs. Bare Metal 14
Management Interfaces: Service Console Interface for advanced ESX Server Management VMware Confidential/Proprietary Copyright 2006 VMware, Inc. All rights reserved. 15
VMware ESXi: The next step in Virtualization Security Unmatched security and reliability: Compact 32MB footprint OS independence means minimal interfaces and a small attack profile Embedded in hardware --- reduces risk of tampering Unstructured Service Console management replaced by controlled API-based management Open ports highly limited. 16
Management Interfaces: VirtualCenter VirtualCenter: primary management tool Encrypted communication Integration with global security framework, e.g. Authentication via Active Directory Detailed auditing Extensive roles system for finegrained separation-of-duties Operational Best Practices for maximum security, e.g. Dedicated management network Lock-down of Administrator access 17
Security Concepts in Architecture Extended Computing Stack (Hypervisor) Guest Isolation Host Visibility from the Guest Greater co-location of data and assets on one box Management Interfaces Service Console VirtualCenter Hosted vs. Bare Metal 18
Hosted Virtualization vs. Bare Metal Virtualization Hosted Virtualization Bare-Metal Virtualization VMware Workstation VMware Server VMware Player Host OS Changes Security Profile Greatly VMware ESX Server VMware Confidential/Proprietary Copyright 2006 VMware, Inc. All rights reserved. 19
Common Misconception about VMware Security Hosted Platforms Guest Escape Vulnerabilities Does NOT affect ESX only hosted platforms (Workstation and Server) Not exactly escape nor a hypervisor vulnerability Uses documented communication interface for hosted features such as drag-n-drop, cut n-paste, and shared folders. This communication interface can be disabled (on by default) 20
Adapt existing security processes Adapt existing security solutions Operational Security Issues The datacenter becomes much more dynamic and flexible Misconfiguration is #1 Risk 21
How do we secure our Virtual Infrastructure? Use the Principles of Information Security Hardening and Lockdown Defense in Depth Authorization, Authentication, and Accounting Separation of Duties and Least Privileges Administrative Controls 22
Best Practices References Security Design of the VMware Infrastructure 3 Architecture (http://www.vmware.com/resources/techresources/727) VMware Infrastructure 3 Security Hardening (http://www.vmware.com/vmtn/resources/726) Managing VMware VirtualCenter Roles and Permissions (http://www.vmware.com/resources/techresources/826) DISA STIG and Checklist for VMware ESX (http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf) (http://iase.disa.mil/stigs/checklist/esx_server_checklist_v1r1_30_ap r_2008.pdf) CIS (Center for Internet Security) Benchmark (http://www.cisecurity.org/bench_vm.html) Xtravirt Virtualization Security Risk Assessment (http://www.xtravirt.com/index.php?option=com_remository&itemid= 75&func=fileinfo&id=15) 23
The Future of Virtualization Security
Leveraging Virtualization To Solve Security Problems Security solutions are facing a growing problem Protection engines do not get complete visibility in and below the OS Protection engines are running in the same context as the malware they are protecting against Even those that are in a safe context, can t see other contexts (e.g. network protection has no host visibility). Virtualization can provide the needed visibility Better Context Provide protection from outside the OS, from a trusted context New Capabilities view all interactions and contexts CPU Memory Network Storage VMware Confidential/Proprietary Copyright 2006 VMware, Inc. All rights reserved. 25
Introducing VMsafe Security VM HIPS Firewall IPS/IDS Anti-Virus Security API ESX New security solutions can be developed and integrated into VMware virtual infrastructure Protect the VM by inspection of virtual components (CPU, Memory, Network and Storage) Complete integration and awareness of VMotion, Storage VMotion, HA, etc. Provides an unprecedented level of security for the application and the data inside the VM VMware Confidential/Proprietary Copyright 2006 VMware, Inc. All rights reserved. 26
VMsafe APIs API s for all virtual hardware components of the VM CPU/Memory Inspection Inspection of specific memory pages being used by the VM or it applications Knowledge of the CPU state Policy enforcement through resource allocation of CPU and memory pages Networking View all IO traffic on the host Ability to intercept, view, modify and replicate IO traffic from any one VM or all VM s on a single host. Capability to provide inline or passive protection Storage Ability to mount and read virtual disks (VMDK) Inspect IO read/writes to the storage devices Transparent to the device and inline of the ESX Storage stack VMware Confidential/Proprietary Copyright 2006 VMware, Inc. All rights reserved. 27
Questions? Rob Randell, CISSP Senior Security Specialist SE