Virtually Secure: Uncovering the risks of virtualization

Virtually Secure
Uncovering the risks of virtualization

Virtual Insecurity
Unknown Denial of Service on core servers

IT can not identify root cause
Copyright 2007 – Seccuris Inc.

Virtual Insecurity

Financial System
controls subverted
in unknown fashion

Audit systems and
forensic process
unable to assist


Virtual Insecurity

Employees
bypassing
technical
controls &
policies

Policies &
processes fail
to identify &
respond

Virtual Insecurity

60% of production virtual machines
will be less secure
than their physical counterparts…

…through 2009.


WELCOME TO THE REST OF YOUR LIFE

What do we need to understand regarding
design, management and control
to implement virtualization successfully
in our critical environments?


What is virtualization? (Overview)

Concept not new:
Done since the 1960’s

Physical Hardware = Host Machine
Operating System / Virtual
Appliance = Guest
VMs = Virtual Machine(s)
Hypervisor (VMM) = Virtual
Machine Monitor
Virtual Infrastructure = Composite
of VMM & Mgmt tools


Hybrid VMM
Type-2 VMM

Guest Guest
1 2

Guest Guest
VMM 1 2

Host OS Host OS VMM

Hardware Hardware

Examples:

Windows
Server
Virtualization

Xen

VMWare ESX
http://port25.technet.com/archive/2007/08/13/Interoperab-on-the-metal-and-on-the-wire.aspx

Virtualization Implementations

Full Virtualization
• Binary Translation – Privileged Instructions Rewritten
• Hypervisor in “Ring 0”, Guest in “Ring -1”



Full Virtualization
• Hardware Supported Virtualization
(Accelerated Virtualization, Hardware Virtual Machine, Native
Virtualization)
• Hardware Hypervisor in “Privileged Level”, Guest in Ring 0



Paravirtualization
• System Call Proxy & Exception Trapping
• Hypervisor in Ring 0, Guest in Ring 3


On-going development of Virtualization

Generational Development of Virtualization

1. Development & Test

2. Consolidation

3. Virtualized Data Center

Increased complexity, controls & management processes


Players in the Virtualization Market

The image cannot be display ed. Your computer may not hav e enough memory to open the image, or the image may hav e been corrupted. Restart y our computer, and then open the file again. If the red x still appears, y ou may hav e to delete the image and then insert it again.

The image cannot be display ed. Your computer may not hav e enough memory to open the image, or the image may hav e been corrupted. Restart y our computer, and then open the file again. If the red x still appears, y ou may hav e to delete the image and then insert it again.


Players in the Virtualization Market


VMWare – How does it work?

Binary Translation (System Call Proxy)

Like an emulator, VMware software provides a completely virtualized
set of hardware to the guest operating system.

VMware software virtualizes the hardware for a video adapter, a
network adapter, and hard disk adapters.

The host provides pass-through drivers for guest USB, serial, and
parallel devices.


VMWare – How does it work?

The host provides
pass-through drivers for
guest USB, serial, and
parallel devices.

Video, Cache and other
hardware includes
pass-through as well…


VMWare Products:
What is the difference?

Desktop Virtualization On Host OS
• VMWare Workstation Hybrid VMM
• VMWare Fusion
• VMWare Player

Server Virtualization On Bare Metal
• VMWare ESX Server Type-1 VMM
• VMWare Server - Freeware

Management & Automation Above it all
• VMWare Virtual Center Management Software


Technical Concepts –
VMWare Implementation
Datacenter Components

• Computing Servers (Bare metal)

• Management Server – Single
Control point (Win 2k3)

• Desktop clients



Datacenter Architecture
• Hosts, Clusters &
Resource Pools
• DRS and HA
• Dynamically Allocate System Resources

• High Availability

• VMotion
• Move guest between physical systems



Physical Security has become
MORE important



Datacenter Architecture

• Networking Architecture
• vSwitch and Port groups
• VLANS
• Traffic Shaping
• NIC Teaming



Network security includes new layers
of complexity


Technical Concepts

Storage Architecture

• Datastore
• Underlying technologies
• FiberChannel
• iSCSI
• SAN
• Direct Attached Storage, NAS

• Raw Device Mapping



Data inventory & Information Classification
becomes a prime time issue


Threats & Risks in Virtualization

• Technical Concerns

• Applied threats


Threats & Risks – Technical Concerns

Technical Concerns

•Denial of Service
• Load issues (Time / Period)
• Bottle Necks (Physical)
• Bottle Necks (Logical)

How well do you know your
application processing time
cycles?



Technical Concerns

•Communication Between VMs or
Between VMs
and Host
• Shared Directories
• Open Services (FTP, DHCP)
• Misconfigured network cards

How well built are your legacy
and custom applications?



Technical Concerns

• VM Escape
• VM Monitoring from the Host
• VM Monitoring from Another VM
• VM Monitoring from network
based host
(Network / Storage)

“VM Escapes have happened”



Technical Concerns

• External Modification of a
VM

• External Modification of
the Hypervisor
• Sun Bing’s Example

How much trust do you put
in your administrators?


Threats & Risks – Applied Threats

VMBR – Virtual Machine Based
Root Kits
APP 1 APP 2
SubVirt: Implementing malware
with virtual machines

BluePill: VM “Rootkit”

Before Attack



VMBR – Virtual Machine Based
Root Kits
APP 1 APP 2

SubVirt: Implementing malware
Evil
Host OS
with virtual machines App

Evil OS Evil VMM
BluePill: VM “Rootkit”

Hardware
Fundamental changes
to forensic system
investigation must After Attack
occur!



VMWare DHCP Server Remote Code
Execution Vulnerabilities

CVE-2007-0061, CVE-2007-0062,
CVE-2007-0063
(http://www.iss.net/threats/275.html)

IMPACTS VMM and VMs!



Hardware Visibility
(http://seclists.org/isn/2008/Mar/0055.html)

• Hardware segmentation
DOES NOT EXIST

• Race conditions, covert
channels, unknown
overflow issues are
possible!


Security Controls for Virtualization

• Controls for Today

• Software & Appliances

• Controls in the future



Controls for Today (CIS Best Practices)
Configuration:

• Limit Physical Access to Host
• Harden Base Operating System

• Configuration Maximums
• Firewalling Virtual Machine Layer Service Ports

• Use Encryption For Communication
• Virtualization Server Authentication



Controls for Today
Configuration:

• Disabling Features (Including Screensavers and Suspend)
• File Sharing Between Host and Guests

• Time Synchronization
• Disconnect Unused Devices



Controls for Today
Architecture Requirements

• Remote Management
• Patching and Vulnerabilities
• Logging & Auditing



Controls for Today
Architecture & Configuration

Host and Network Defences
• File Integrity Checking
• Strong Passwords
• Disk Partitioning
• Backups



Software & Appliances

• Host Based IDS/IPS
• Host Based Anti-Virus
• Host Change Control
• Host Logging



Security Controls in the Future

• VMSafe – Hypervisor
Visibility & Control

• VMWare (aware) security
software

• Virtualizaiton (aware)
security hardware



Is virtualization PCI
compliant?

“We are currently trying to
become PCI compliant,
but our auditor company
is saying that “in no shape
or form is virtualization PCI
compliant”. I disagree, but
I am not an auditor.”
Greg Ryan


Obstacles to Success

The top obstacles to virtualization success include:

• Weak assignment of activities between
virtual machine administrators and security staff.

• Inadequate control over patching and tamper protection of
offline virtual machines other images.


Obstacles to Success

The top obstacles to virtualization success include:

• Limited visibility to the host operating system and virtual
network to control vulnerabilities.

• Inhibited visibility to inter-virtual machine traffic for
intrusion prevention systems (IPSs).

• Deficient solution for mobile virtual machines that need
security policy and settings to migrate with them.


Business Environment improvements

Policy & Procedure - What to look for?

• Can the organization ensure that:

• each virtual machine is appropriately configured and tested?

• can support virtual machines within its computing environment?


Business Environment improvements

Policy & Procedure - What to look for?

• Does the organization have a plan for
assessing, monitoring and reporting on the
state of its physical and virtual systems?

• How will deployment and compliance of new virtual
machines be tracked?


Technical Environment improvements

• Technology Selection

• Technical Architecture & Zoning

• Configuration & Tuning

• Change Control & Audit


Technical Environment improvements

Resources

• Center for Internet Security
• http://www.cisecurity.org/

• VMware Security Center
• http://www.vmware.com/security/


General Thoughts around Virtualization

The fallacy* of cost reduction


General Thoughts around Virtualization

The fallacy of cost reduction
• Increased complexity

• Increase in exposure to:
• Technical misconfiguration
• Central points of access /
collusion for staff


Moving forward with Virtualization

Understand how virtualization will change your
security program, architecture and controls

Make plans today for securing the virtualization
roadmap in your environment

Prepare for the inevitable impacts with design
review, control improvements & incident
handling


How Seccuris assists your solution

Security Architecture & Design for
Virtual Environments

Virtualization Environment
Risk Assessment

Managed Security Services for
Virtual Environments


Thanks
Michael Legary, SCP, CISSP, CISM, CISA, CCSA, GCIH, CPP
Founder & Chief Innovation Officer
Seccuris Inc.

This presentation contains reference
material and direct content from
Email: Michael.Legary@seccuris.com
multiple copyright holders.
Direct: 204-255-4490
Main: 204-255-4136 References available on request /
Fax: 204-942-6705 within presentation slide notes.

Resources

Center for Internet Security
http://www.cisecurity.org/

VMware Security Center
http://www.vmware.com/sec
urity/


Virtually Secure: Uncovering the risks of virtualization

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (19)

Semelhante a Virtually Secure: Uncovering the risks of virtualization

Semelhante a Virtually Secure: Uncovering the risks of virtualization (20)

Mais de Seccuris Inc.

Mais de Seccuris Inc. (11)

Último

Último (20)

Virtually Secure: Uncovering the risks of virtualization