SlideShare uma empresa Scribd logo

Virtualisation: Pitfalls in Corporate VMware Implementations

J
Jason Edelstein

Discusses virtualisation security threats and countermeasures with a specific focus on the VMware virtualisation platform. Additional information can be found at: http://www.senseofsecurity.com.au

TecnologiaNegócios
1 de 26
Baixar para ler offline
Virtualisation: Pitfalls in Corporate VMware Implementations 18 May ’09 1 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Agenda 1. Technology overview 2. Typical corporate implementations 3. Common pitfalls and solutions 4. Conclusion 5 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Technology Overview VMware ESX Software Architecture & Concepts 6 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Typical Corporate Implementations Why are they using virtualisation technology? – cost reductions, flexibility and efficiency, increase business resiliency What are organisations using VMware for? – test environment, production systems, virtual desktop, virtual appliances What are security practitioners using VMware for? – sandboxing, forensic analysis, and honeypotting What are organisations not virtualising? – CPU intensive apps – firewalls How are they using it? – simply, with little regard for security 7 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Theoretical Security Problems and Hype Compromise the hypervisor, compromise every virtual machine! What about the Red Pill and the Blue Pill? 8 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Vulnerabilities – Hosted Versions Most of the serious VMware issues (code execution on Host) identified to date are against the “Hosted” versions (Workstation, GSX, etc.). – e.g. CVE-2005-4459 • Vulnerability was identified in VMware Workstation (and others) in the NAT component, which could be exploited by a malicious guest to execute arbitrary commands on the Host OS. • Patch made available by VMware. – e.g. CVE-2007-4496 • Vulnerability was identified in VMware Workstation (and others) that could allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and thus potentially execute arbitrary code on the host. • Patch made available by VMware. 9 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Vulnerabilities – Bare-metal Versions What about serious security issues with the enterprise “bare-metal” solution? – e.g. CVE-2009-1244 - VMSA-2009-0006 - (10 April 2009) • “A critical vulnerability in the virtual machine display function “might” allow a guest operating system to run code on the host.” • Affects both VMware hosted and bare-metal solutions. • Patch made available by VMware. Further research found the following: – “By combining multiple indexing flaws in VMWare's usage of 3D context structures, [a user] is able to both leak from and write to physical host memory. It can do this in a reliable way from inside a virtual machine by combining SVGA framebuffer relative memory leaks with 3D context based write-to-memory flaws, effectively compromising any virtual 'air gap' between physical and virtual hardware.” credit: Kostya Kortchinsky of Immunity Inc. 10 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Exploit Demonstration - CVE-2009-1244 Source: Immunity Inc. 11 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 1. Network architecture Traditional (secure) network architecture 12 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 1. Network architecture cont.d Secure VM implementation 13 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions Does anyone have any comments on the proposed design? Other considerations: Blind Spots – traffic between VM’s; vulnerabilities, malware, worms, etc No Access Control between VM’s Live Migration - propagation of malware 14 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2. Configuration Management Established best practice in traditional enterprise environments Can be more challenging in virtual environments Secure at deployment and maintain this position going forward Implement appropriate tools to enforce defined configuration standards Virtualisation introduces some new components that must be secured 15 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2.1. Securing the Virtual Machines Secure virtual machines as you would secure physical machines Create a library of trusted virtualised server builds Use resource management to control server resources 16 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2.2. Securing the Service Console (COS) Limit access based on business requirements Secure the root account Implement directory based authentication wherever possible Do not run additional software or services inside it Limit executing arbitrary commands and executables Apply patches Implement proper audit trails Do not use the service console unless necessary 17 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2.3. Securing the Remote Command Line Interface Only necessary in ESXi Runs as a Debian Linux Guest appliance OR Runs as an application on Windows Limit access based on business requirements 18 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2.4. Securing VI Client including Web Access Connects to host via API Allows you to connect to the console of the VM interactively Copy and paste by default can move data between systems Use terminal services or SSH instead 19 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2.5. Securing VirtualCenter Enterprise solution for managing VM implementations which is extendable with SDK Runs on user installed and secured Windows Implement RBAC 20 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2.6. Securing vSwitches Do not use promiscuous mode on network interfaces (default setting) Protect against MAC address spoofing - MAC address changes (permitted by default) – should be denied - Forged transmissions (permitted by default) – should be denied 21 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2.7. Securing Storage ? Each VM only sees virtual disks that have been presented to virtual SCSI adapters OS within the VM cannot change its own storage access or interrogate the storage 22 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 3. Applying Patches Challenging in virtual environments. e.g. offline virtual machines and templates Numerous components to patch 23 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 4. Defining Roles and Responsibilities Must learn where virtualisation technologies are being used, what they are being used for and who are responsible for their management Who will administer the virtual network? 24 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 5. Limiting Privileged Access Excess privileges make it possible for people to make uncontrolled changes to critical systems Must integrate information security into the access management procedures Reduce access wherever possible and ensure some form of effective access control exists Audit user access routinely and adjust access 25 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 6. Integrate with Existing Change Management Processes All changes after deployment should be authorised, scheduled, and substantiated by change management Activating and deactivating VMs should also go through change management 26 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
VMware Security Direction vShield Zones – Runs as a security virtual appliance – Enables you to monitor, log and block inter-VM traffic within an ESX host or between hosts in a cluster VMsafe – API enables development of virtualisation-aware security solutions in the form of a security virtual machine that can access, correlate and modify information based on memory and CPU, networking, process execution, or storage Cisco Nexus 1000 – Alternative to VMware distributed switch with added functionality – Operates inside the VMware ESX Hypervisor – Brings policy based VM connectivity, mobile VM security and network policy 27 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Conclusion Historically trends and advances in IT outpace security requirements. e.g. 802.11 wireless Most current implementations of virtualisation are insecure Virtualisation can be secured with the right know how Its much easier to bake in security from conception The only way to know if your implementation is secure is to have it audited by independent experts 28 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Q&A Questions? Jason Edelstein Sense of Security Pty Ltd info@senseofsecurity.com.au Tel: +61 2 9290 4444 Final presentation is available at: http://www.senseofsecurity.com.au/presentations/ Virtualisation-Security-AusCERT2009.pdf 29 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009

Recomendados

Security in a Virtualised Environment
Security in a Virtualised EnvironmentSecurity in a Virtualised Environment
Security in a Virtualised EnvironmentPeter Wood
 
Cw13 securing your journey to the cloud by rami naccache-trend micro
Cw13 securing your journey to the cloud by rami naccache-trend microCw13 securing your journey to the cloud by rami naccache-trend micro
Cw13 securing your journey to the cloud by rami naccache-trend microTheInevitableCloud
 
Virtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End PointVirtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End PointHyTrust
 
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response TeamWHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response TeamSymantec
 
Vmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroVmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroGraeme Wood
 
VMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & Replication
VMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & ReplicationVMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & Replication
VMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & ReplicationSuministros Obras y Sistemas
 
Campus jueves
Campus juevesCampus jueves
Campus juevescampus party
 
Virtualization securityv2
Virtualization securityv2Virtualization securityv2
Virtualization securityv2vivekbhat
 

Recomendados

Security in a Virtualised Environment
Security in a Virtualised EnvironmentSecurity in a Virtualised Environment
Security in a Virtualised EnvironmentPeter Wood
 
Cw13 securing your journey to the cloud by rami naccache-trend micro
Cw13 securing your journey to the cloud by rami naccache-trend microCw13 securing your journey to the cloud by rami naccache-trend micro
Cw13 securing your journey to the cloud by rami naccache-trend microTheInevitableCloud
 
Virtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End PointVirtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End PointHyTrust
 
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response TeamWHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response TeamSymantec
 
Vmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroVmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroGraeme Wood
 
VMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & Replication
VMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & ReplicationVMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & Replication
VMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & ReplicationSuministros Obras y Sistemas
 
Campus jueves
Campus juevesCampus jueves
Campus juevescampus party
 
Virtualization securityv2
Virtualization securityv2Virtualization securityv2
Virtualization securityv2vivekbhat
 
vSphere Security
vSphere SecurityvSphere Security
vSphere Securitymikhail.mikheev
 
IT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization SecurityIT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization SecurityBooz Allen Hamilton
 
Databarracks zerto - webinar - sept2015-slideshare
Databarracks zerto - webinar - sept2015-slideshareDatabarracks zerto - webinar - sept2015-slideshare
Databarracks zerto - webinar - sept2015-slideshareDatabarracks
 
Visibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseVisibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseEMC
 
IBM Security Day, Cuenca - Ecuador
IBM Security Day, Cuenca - EcuadorIBM Security Day, Cuenca - Ecuador
IBM Security Day, Cuenca - EcuadorOlmedo Abril Arboleda
 
Securing Public Web Servers
Securing Public Web ServersSecuring Public Web Servers
Securing Public Web Serverswebhostingguy
 
Virtualization Security
Virtualization SecurityVirtualization Security
Virtualization Securitysyrinxtech
 
Zerto @ VMUG.IT 20150304
Zerto @ VMUG.IT 20150304Zerto @ VMUG.IT 20150304
Zerto @ VMUG.IT 20150304VMUG IT
 
VMware vSphere
VMware vSphereVMware vSphere
VMware vSphere零壹科技股份有限公司
 
Virtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualizationVirtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualizationSeccuris Inc.
 
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...Proact Netherlands B.V.
 
VMware and Trend Micro, partnering to revolutionise virtualised security
VMware and Trend Micro, partnering to revolutionise virtualised securityVMware and Trend Micro, partnering to revolutionise virtualised security
VMware and Trend Micro, partnering to revolutionise virtualised securityArrow ECS UK
 
HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust
 
E Vm Virtualization
E Vm VirtualizationE Vm Virtualization
E Vm VirtualizationArturo Saavedra
 
VMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld
 
Virtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesVirtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesJason Chan
 
September 2019 Patch Tuesday
September 2019 Patch TuesdaySeptember 2019 Patch Tuesday
September 2019 Patch TuesdayIvanti
 
Data Centre Evolution: Securing Your Journey to the Cloud
Data Centre Evolution: Securing Your Journey to the CloudData Centre Evolution: Securing Your Journey to the Cloud
Data Centre Evolution: Securing Your Journey to the CloudTrend Micro (EMEA) Limited
 
Presentation v mware view bootcamp series
Presentation v mware view bootcamp seriesPresentation v mware view bootcamp series
Presentation v mware view bootcamp seriessolarisyourep
 
Security challenges for adoption of virtualization for effective e governance
Security challenges for adoption of virtualization for effective e governanceSecurity challenges for adoption of virtualization for effective e governance
Security challenges for adoption of virtualization for effective e governanceAdam Bert Lacay
 
Virtualization security threats in cloud computing
Virtualization security threats in cloud computingVirtualization security threats in cloud computing
Virtualization security threats in cloud computingNitish Awasthi (anitish_225)
 
Cloud security
Cloud securityCloud security
Cloud securityPedro Alexander Romero Tortosa
 

Mais conteúdo relacionado

Mais procurados

IT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization SecurityIT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization SecurityBooz Allen Hamilton
 
Databarracks zerto - webinar - sept2015-slideshare
Databarracks zerto - webinar - sept2015-slideshareDatabarracks zerto - webinar - sept2015-slideshare
Databarracks zerto - webinar - sept2015-slideshareDatabarracks
 
Visibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseVisibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseEMC
 
Securing Public Web Servers
Securing Public Web ServersSecuring Public Web Servers
Securing Public Web Serverswebhostingguy
 
Virtualization Security
Virtualization SecurityVirtualization Security
Virtualization Securitysyrinxtech
 
Zerto @ VMUG.IT 20150304
Zerto @ VMUG.IT 20150304Zerto @ VMUG.IT 20150304
Zerto @ VMUG.IT 20150304VMUG IT
 
Virtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualizationVirtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualizationSeccuris Inc.
 
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...Proact Netherlands B.V.
 
VMware and Trend Micro, partnering to revolutionise virtualised security
VMware and Trend Micro, partnering to revolutionise virtualised securityVMware and Trend Micro, partnering to revolutionise virtualised security
VMware and Trend Micro, partnering to revolutionise virtualised securityArrow ECS UK
 
HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust
 
VMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld
 
Virtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesVirtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesJason Chan
 
September 2019 Patch Tuesday
September 2019 Patch TuesdaySeptember 2019 Patch Tuesday
September 2019 Patch TuesdayIvanti
 
Data Centre Evolution: Securing Your Journey to the Cloud
Data Centre Evolution: Securing Your Journey to the CloudData Centre Evolution: Securing Your Journey to the Cloud
Data Centre Evolution: Securing Your Journey to the CloudTrend Micro (EMEA) Limited
 
Presentation v mware view bootcamp series
Presentation v mware view bootcamp seriesPresentation v mware view bootcamp series
Presentation v mware view bootcamp seriessolarisyourep
 
Security challenges for adoption of virtualization for effective e governance
Security challenges for adoption of virtualization for effective e governanceSecurity challenges for adoption of virtualization for effective e governance
Security challenges for adoption of virtualization for effective e governanceAdam Bert Lacay
 

Mais procurados (20)

vSphere Security
vSphere SecurityvSphere Security
vSphere Security
 
IT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization SecurityIT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization Security
 
Databarracks zerto - webinar - sept2015-slideshare
Databarracks zerto - webinar - sept2015-slideshareDatabarracks zerto - webinar - sept2015-slideshare
Databarracks zerto - webinar - sept2015-slideshare
 
Visibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseVisibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized Enterprise
 
IBM Security Day, Cuenca - Ecuador
IBM Security Day, Cuenca - EcuadorIBM Security Day, Cuenca - Ecuador
IBM Security Day, Cuenca - Ecuador
 
Securing Public Web Servers
Securing Public Web ServersSecuring Public Web Servers
Securing Public Web Servers
 
Virtualization Security
Virtualization SecurityVirtualization Security
Virtualization Security
 
Zerto @ VMUG.IT 20150304
Zerto @ VMUG.IT 20150304Zerto @ VMUG.IT 20150304
Zerto @ VMUG.IT 20150304
 
VMware vSphere
VMware vSphereVMware vSphere
VMware vSphere
 
Virtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualizationVirtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualization
 
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...
 
VMware and Trend Micro, partnering to revolutionise virtualised security
VMware and Trend Micro, partnering to revolutionise virtualised securityVMware and Trend Micro, partnering to revolutionise virtualised security
VMware and Trend Micro, partnering to revolutionise virtualised security
 
HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure
 
E Vm Virtualization
E Vm VirtualizationE Vm Virtualization
E Vm Virtualization
 
VMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor Security
 
Virtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesVirtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit Perspectives
 
September 2019 Patch Tuesday
September 2019 Patch TuesdaySeptember 2019 Patch Tuesday
September 2019 Patch Tuesday
 
Data Centre Evolution: Securing Your Journey to the Cloud
Data Centre Evolution: Securing Your Journey to the CloudData Centre Evolution: Securing Your Journey to the Cloud
Data Centre Evolution: Securing Your Journey to the Cloud
 
Presentation v mware view bootcamp series
Presentation v mware view bootcamp seriesPresentation v mware view bootcamp series
Presentation v mware view bootcamp series
 
Security challenges for adoption of virtualization for effective e governance
Security challenges for adoption of virtualization for effective e governanceSecurity challenges for adoption of virtualization for effective e governance
Security challenges for adoption of virtualization for effective e governance
 

Semelhante a Virtualisation: Pitfalls in Corporate VMware Implementations

Virtualization security threats in cloud computing
Virtualization security threats in cloud computingVirtualization security threats in cloud computing
Virtualization security threats in cloud computingNitish Awasthi (anitish_225)
 
Chapter 05: introduction to virtualization features
Chapter 05: introduction to virtualization featuresChapter 05: introduction to virtualization features
Chapter 05: introduction to virtualization featuresSsendiSamuel
 
virtukdjkdjajdajkjdacdjdjdjcjdcjkdjc.pptx
virtukdjkdjajdajkjdacdjdjdjcjdcjkdjc.pptxvirtukdjkdjajdajkjdacdjdjdjcjdcjkdjc.pptx
virtukdjkdjajdajkjdacdjdjdjcjdcjkdjc.pptxaravym456
 
Virtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the CloudVirtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the CloudTjylen Veselyj
 
Trend micro v2
Trend micro v2Trend micro v2
Trend micro v2JD Sherry
 
Identifying and analyzing security threats to virtualized cloud computing inf...
Identifying and analyzing security threats to virtualized cloud computing inf...Identifying and analyzing security threats to virtualized cloud computing inf...
Identifying and analyzing security threats to virtualized cloud computing inf...IBM222
 
20090911 virtualizationandcloud
20090911 virtualizationandcloud20090911 virtualizationandcloud
20090911 virtualizationandcloudSupratik Ghatak
 
20090911 virtualizationandcloud
20090911 virtualizationandcloud20090911 virtualizationandcloud
20090911 virtualizationandcloudMeenal Joshi
 
VMWARE Professionals - App Management
VMWARE Professionals - App ManagementVMWARE Professionals - App Management
VMWARE Professionals - App ManagementPaulo Freitas
 
IBM Think 2019 session 2116 - Best practices for operating and managing a pro...
IBM Think 2019 session 2116 - Best practices for operating and managing a pro...IBM Think 2019 session 2116 - Best practices for operating and managing a pro...
IBM Think 2019 session 2116 - Best practices for operating and managing a pro...Hendrik van Run
 
Virutalization and the Future of Datacenter Security
Virutalization and the Future of Datacenter SecurityVirutalization and the Future of Datacenter Security
Virutalization and the Future of Datacenter Securityguestb09e16
 
Cloud Computing and VCE
Cloud Computing and VCECloud Computing and VCE
Cloud Computing and VCECenk Ersoy
 
Chapter 02: Introduction to compute virtualization
Chapter 02: Introduction to compute virtualizationChapter 02: Introduction to compute virtualization
Chapter 02: Introduction to compute virtualizationSsendiSamuel
 
Virtualization meisen 042811
Virtualization meisen 042811Virtualization meisen 042811
Virtualization meisen 042811Morty Eisen
 
VMware TechTues - Veeam Availability Suite
VMware TechTues - Veeam Availability SuiteVMware TechTues - Veeam Availability Suite
VMware TechTues - Veeam Availability SuiteTeck Sze Tay
 
A Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public CloudA Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public CloudRochester Security Summit
 
Fadi El Moussa Secure Cloud 2012 V2
Fadi El Moussa Secure Cloud 2012 V2Fadi El Moussa Secure Cloud 2012 V2
Fadi El Moussa Secure Cloud 2012 V2fadielmoussa
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld
 
Vmug birmingham mar2013 trendmicro
Vmug birmingham mar2013 trendmicroVmug birmingham mar2013 trendmicro
Vmug birmingham mar2013 trendmicrodvmug1
 

Semelhante a Virtualisation: Pitfalls in Corporate VMware Implementations (20)

Virtualization security threats in cloud computing
Virtualization security threats in cloud computingVirtualization security threats in cloud computing
Virtualization security threats in cloud computing
 
Cloud security
Cloud securityCloud security
Cloud security
 
Chapter 05: introduction to virtualization features
Chapter 05: introduction to virtualization featuresChapter 05: introduction to virtualization features
Chapter 05: introduction to virtualization features
 
virtukdjkdjajdajkjdacdjdjdjcjdcjkdjc.pptx
virtukdjkdjajdajkjdacdjdjdjcjdcjkdjc.pptxvirtukdjkdjajdajkjdacdjdjdjcjdcjkdjc.pptx
virtukdjkdjajdajkjdacdjdjdjcjdcjkdjc.pptx
 
Virtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the CloudVirtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the Cloud
 
Trend micro v2
Trend micro v2Trend micro v2
Trend micro v2
 
Identifying and analyzing security threats to virtualized cloud computing inf...
Identifying and analyzing security threats to virtualized cloud computing inf...Identifying and analyzing security threats to virtualized cloud computing inf...
Identifying and analyzing security threats to virtualized cloud computing inf...
 
20090911 virtualizationandcloud
20090911 virtualizationandcloud20090911 virtualizationandcloud
20090911 virtualizationandcloud
 
20090911 virtualizationandcloud
20090911 virtualizationandcloud20090911 virtualizationandcloud
20090911 virtualizationandcloud
 
VMWARE Professionals - App Management
VMWARE Professionals - App ManagementVMWARE Professionals - App Management
VMWARE Professionals - App Management
 
IBM Think 2019 session 2116 - Best practices for operating and managing a pro...
IBM Think 2019 session 2116 - Best practices for operating and managing a pro...IBM Think 2019 session 2116 - Best practices for operating and managing a pro...
IBM Think 2019 session 2116 - Best practices for operating and managing a pro...
 
Virutalization and the Future of Datacenter Security
Virutalization and the Future of Datacenter SecurityVirutalization and the Future of Datacenter Security
Virutalization and the Future of Datacenter Security
 
Cloud Computing and VCE
Cloud Computing and VCECloud Computing and VCE
Cloud Computing and VCE
 
Chapter 02: Introduction to compute virtualization
Chapter 02: Introduction to compute virtualizationChapter 02: Introduction to compute virtualization
Chapter 02: Introduction to compute virtualization
 
Virtualization meisen 042811
Virtualization meisen 042811Virtualization meisen 042811
Virtualization meisen 042811
 
VMware TechTues - Veeam Availability Suite
VMware TechTues - Veeam Availability SuiteVMware TechTues - Veeam Availability Suite
VMware TechTues - Veeam Availability Suite
 
A Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public CloudA Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public Cloud
 
Fadi El Moussa Secure Cloud 2012 V2
Fadi El Moussa Secure Cloud 2012 V2Fadi El Moussa Secure Cloud 2012 V2
Fadi El Moussa Secure Cloud 2012 V2
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
 
Vmug birmingham mar2013 trendmicro
Vmug birmingham mar2013 trendmicroVmug birmingham mar2013 trendmicro
Vmug birmingham mar2013 trendmicro
 

Mais de Jason Edelstein

Sense of Security Best practice strategies to improve your enterprise security
Sense of Security Best practice strategies to improve your enterprise securitySense of Security Best practice strategies to improve your enterprise security
Sense of Security Best practice strategies to improve your enterprise securityJason Edelstein
 
Sense of security - Virtualisation Security for Regulated Environments
Sense of security - Virtualisation Security for Regulated EnvironmentsSense of security - Virtualisation Security for Regulated Environments
Sense of security - Virtualisation Security for Regulated EnvironmentsJason Edelstein
 
Sense of Security - Securing Virtualised Environments; Focus on the Fundamentals
Sense of Security - Securing Virtualised Environments; Focus on the FundamentalsSense of Security - Securing Virtualised Environments; Focus on the Fundamentals
Sense of Security - Securing Virtualised Environments; Focus on the FundamentalsJason Edelstein
 
PCI What When AISA Sydney 2009
PCI What When AISA Sydney 2009PCI What When AISA Sydney 2009
PCI What When AISA Sydney 2009Jason Edelstein
 
PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009Jason Edelstein
 
PCI Compliance What Does This Mean For the Australian Market Place 2007
PCI Compliance What Does This Mean For the Australian Market Place 2007PCI Compliance What Does This Mean For the Australian Market Place 2007
PCI Compliance What Does This Mean For the Australian Market Place 2007Jason Edelstein
 
Addressing Security Challenges of Mobility and Web 2.0 2009
Addressing Security Challenges of Mobility and Web 2.0 2009Addressing Security Challenges of Mobility and Web 2.0 2009
Addressing Security Challenges of Mobility and Web 2.0 2009Jason Edelstein
 
Achieving PCI Compliance Long And Short Term Strategies 2009
Achieving PCI Compliance Long And Short Term Strategies 2009Achieving PCI Compliance Long And Short Term Strategies 2009
Achieving PCI Compliance Long And Short Term Strategies 2009Jason Edelstein
 
VoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate WorldVoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate WorldJason Edelstein
 
Managing and Securing Web 2.0
Managing and Securing Web 2.0Managing and Securing Web 2.0
Managing and Securing Web 2.0Jason Edelstein
 

Mais de Jason Edelstein (10)

Sense of Security Best practice strategies to improve your enterprise security
Sense of Security Best practice strategies to improve your enterprise securitySense of Security Best practice strategies to improve your enterprise security
Sense of Security Best practice strategies to improve your enterprise security
 
Sense of security - Virtualisation Security for Regulated Environments
Sense of security - Virtualisation Security for Regulated EnvironmentsSense of security - Virtualisation Security for Regulated Environments
Sense of security - Virtualisation Security for Regulated Environments
 
Sense of Security - Securing Virtualised Environments; Focus on the Fundamentals
Sense of Security - Securing Virtualised Environments; Focus on the FundamentalsSense of Security - Securing Virtualised Environments; Focus on the Fundamentals
Sense of Security - Securing Virtualised Environments; Focus on the Fundamentals
 
PCI What When AISA Sydney 2009
PCI What When AISA Sydney 2009PCI What When AISA Sydney 2009
PCI What When AISA Sydney 2009
 
PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009
 
PCI Compliance What Does This Mean For the Australian Market Place 2007
PCI Compliance What Does This Mean For the Australian Market Place 2007PCI Compliance What Does This Mean For the Australian Market Place 2007
PCI Compliance What Does This Mean For the Australian Market Place 2007
 
Addressing Security Challenges of Mobility and Web 2.0 2009
Addressing Security Challenges of Mobility and Web 2.0 2009Addressing Security Challenges of Mobility and Web 2.0 2009
Addressing Security Challenges of Mobility and Web 2.0 2009
 
Achieving PCI Compliance Long And Short Term Strategies 2009
Achieving PCI Compliance Long And Short Term Strategies 2009Achieving PCI Compliance Long And Short Term Strategies 2009
Achieving PCI Compliance Long And Short Term Strategies 2009
 
VoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate WorldVoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate World
 
Managing and Securing Web 2.0
Managing and Securing Web 2.0Managing and Securing Web 2.0
Managing and Securing Web 2.0
 

Último

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 

Virtualisation: Pitfalls in Corporate VMware Implementations

  • 1. Virtualisation: Pitfalls in Corporate VMware Implementations 18 May ’09 1 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 2. Agenda 1. Technology overview 2. Typical corporate implementations 3. Common pitfalls and solutions 4. Conclusion 5 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 3. Technology Overview VMware ESX Software Architecture & Concepts 6 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 4. Typical Corporate Implementations Why are they using virtualisation technology? – cost reductions, flexibility and efficiency, increase business resiliency What are organisations using VMware for? – test environment, production systems, virtual desktop, virtual appliances What are security practitioners using VMware for? – sandboxing, forensic analysis, and honeypotting What are organisations not virtualising? – CPU intensive apps – firewalls How are they using it? – simply, with little regard for security 7 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 5. Theoretical Security Problems and Hype Compromise the hypervisor, compromise every virtual machine! What about the Red Pill and the Blue Pill? 8 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 6. Vulnerabilities – Hosted Versions Most of the serious VMware issues (code execution on Host) identified to date are against the “Hosted” versions (Workstation, GSX, etc.). – e.g. CVE-2005-4459 • Vulnerability was identified in VMware Workstation (and others) in the NAT component, which could be exploited by a malicious guest to execute arbitrary commands on the Host OS. • Patch made available by VMware. – e.g. CVE-2007-4496 • Vulnerability was identified in VMware Workstation (and others) that could allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and thus potentially execute arbitrary code on the host. • Patch made available by VMware. 9 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 7. Vulnerabilities – Bare-metal Versions What about serious security issues with the enterprise “bare-metal” solution? – e.g. CVE-2009-1244 - VMSA-2009-0006 - (10 April 2009) • “A critical vulnerability in the virtual machine display function “might” allow a guest operating system to run code on the host.” • Affects both VMware hosted and bare-metal solutions. • Patch made available by VMware. Further research found the following: – “By combining multiple indexing flaws in VMWare's usage of 3D context structures, [a user] is able to both leak from and write to physical host memory. It can do this in a reliable way from inside a virtual machine by combining SVGA framebuffer relative memory leaks with 3D context based write-to-memory flaws, effectively compromising any virtual 'air gap' between physical and virtual hardware.” credit: Kostya Kortchinsky of Immunity Inc. 10 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 8. Exploit Demonstration - CVE-2009-1244 Source: Immunity Inc. 11 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 9. Common Pitfalls and Solutions 1. Network architecture Traditional (secure) network architecture 12 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 10. Common Pitfalls and Solutions 1. Network architecture cont.d Secure VM implementation 13 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 11. Common Pitfalls and Solutions Does anyone have any comments on the proposed design? Other considerations: Blind Spots – traffic between VM’s; vulnerabilities, malware, worms, etc No Access Control between VM’s Live Migration - propagation of malware 14 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 12. Common Pitfalls and Solutions 2. Configuration Management Established best practice in traditional enterprise environments Can be more challenging in virtual environments Secure at deployment and maintain this position going forward Implement appropriate tools to enforce defined configuration standards Virtualisation introduces some new components that must be secured 15 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 13. Common Pitfalls and Solutions 2.1. Securing the Virtual Machines Secure virtual machines as you would secure physical machines Create a library of trusted virtualised server builds Use resource management to control server resources 16 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 14. Common Pitfalls and Solutions 2.2. Securing the Service Console (COS) Limit access based on business requirements Secure the root account Implement directory based authentication wherever possible Do not run additional software or services inside it Limit executing arbitrary commands and executables Apply patches Implement proper audit trails Do not use the service console unless necessary 17 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 15. Common Pitfalls and Solutions 2.3. Securing the Remote Command Line Interface Only necessary in ESXi Runs as a Debian Linux Guest appliance OR Runs as an application on Windows Limit access based on business requirements 18 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 16. Common Pitfalls and Solutions 2.4. Securing VI Client including Web Access Connects to host via API Allows you to connect to the console of the VM interactively Copy and paste by default can move data between systems Use terminal services or SSH instead 19 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 17. Common Pitfalls and Solutions 2.5. Securing VirtualCenter Enterprise solution for managing VM implementations which is extendable with SDK Runs on user installed and secured Windows Implement RBAC 20 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 18. Common Pitfalls and Solutions 2.6. Securing vSwitches Do not use promiscuous mode on network interfaces (default setting) Protect against MAC address spoofing - MAC address changes (permitted by default) – should be denied - Forged transmissions (permitted by default) – should be denied 21 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 19. Common Pitfalls and Solutions 2.7. Securing Storage ? Each VM only sees virtual disks that have been presented to virtual SCSI adapters OS within the VM cannot change its own storage access or interrogate the storage 22 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 20. Common Pitfalls and Solutions 3. Applying Patches Challenging in virtual environments. e.g. offline virtual machines and templates Numerous components to patch 23 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 21. Common Pitfalls and Solutions 4. Defining Roles and Responsibilities Must learn where virtualisation technologies are being used, what they are being used for and who are responsible for their management Who will administer the virtual network? 24 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 22. Common Pitfalls and Solutions 5. Limiting Privileged Access Excess privileges make it possible for people to make uncontrolled changes to critical systems Must integrate information security into the access management procedures Reduce access wherever possible and ensure some form of effective access control exists Audit user access routinely and adjust access 25 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 23. Common Pitfalls and Solutions 6. Integrate with Existing Change Management Processes All changes after deployment should be authorised, scheduled, and substantiated by change management Activating and deactivating VMs should also go through change management 26 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 24. VMware Security Direction vShield Zones – Runs as a security virtual appliance – Enables you to monitor, log and block inter-VM traffic within an ESX host or between hosts in a cluster VMsafe – API enables development of virtualisation-aware security solutions in the form of a security virtual machine that can access, correlate and modify information based on memory and CPU, networking, process execution, or storage Cisco Nexus 1000 – Alternative to VMware distributed switch with added functionality – Operates inside the VMware ESX Hypervisor – Brings policy based VM connectivity, mobile VM security and network policy 27 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 25. Conclusion Historically trends and advances in IT outpace security requirements. e.g. 802.11 wireless Most current implementations of virtualisation are insecure Virtualisation can be secured with the right know how Its much easier to bake in security from conception The only way to know if your implementation is secure is to have it audited by independent experts 28 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 26. Q&A Questions? Jason Edelstein Sense of Security Pty Ltd info@senseofsecurity.com.au Tel: +61 2 9290 4444 Final presentation is available at: http://www.senseofsecurity.com.au/presentations/ Virtualisation-Security-AusCERT2009.pdf 29 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009