190 likes | 207 Views
Learn about virtualization advantages, vulnerabilities, best practices, securing desktops, hardware/software recommendations, & backend setup for a robust virtual environment.
E N D
Securing and Leveraging the Power of Virtual Servers and Desktops Conrado Wang Cheng Niemeyer <chengw (at) sacredheart.edu> Information Security Officer, Sacred Heart University
Virtualization Advantages • Virtualization? • “Cheap”, fast, easy to setup Application isolation • Template Deployment • Disaster Recovery • High Availability • Forensic Analysis w/P2V & in place with memory snapshots • Honeypotting
Virtualization Disadvantages • Using a template image • One vulnerability is shared by all • Same admin/root passwords??!! • Possibly sequential IP range • Single file Servers & Workstations • Just copy one file and you’re done! • Poor multimedia support • Many eggs in fewer baskets • Virtual Machine Sprawl
Virtualization Vulnerabilities • Guest to Guest Attacks • Guest to Host Attacks • Guest Client Vulnerabilities • Management Console/Host OS Vulnerabilities • Hypervisor Vulnerabilities • Not well developed and widespread, YET…
VM Security Best Practices • Security Best Practices (Firewalls, IPS, Patching, Patching, Patching, Patching) • Secure your VMs as you would physical machines • Secure the Network • Use Separate Private backup and SAN network • Use Separate Private Management Console network • Favor Type 1 Hypervisors for Production and Testing Servers • VMWare ESX Server, Citrix XenServer, MS Hyper-V, etc. • Favor Type 2 use in Security applications • Disable Hardware Acceleration • Use QEmu (full emulation mode w/out kqemu) • Disable all sharing features • Favor Type 2 for Development environments • Run different security zones VMs on separate physical hosts • Use separate physical switches or VLANs in physical switches • Run different Management stations • Disable/remove unnecessary virtual hardware
VMWare ESX Specific • VMWare Update (ESX 3.5 & VC 2.5) • Fix maximum size and rotation for Log Files • Use Resource Management • Secure the VI Console Access • Verify the ESX Console Firewall rules • Use SSL Certificates Encrypt Access to Virtual Center • Secure Console’s Linux environment
Virtualization Applications • Setting up Development Environments • Setting up Testing Environments • Setting up Research Environments • Honeypotting • Consolidate Physical Servers • Virtual Secure Desktops… • Provide a desktop environment for users • Quickly deployed • Secured • Easily maintained • Provide access from those environments to all work tools, systems, and services
Secure Desktop Advantages • Secured Access to Sensitive Systems • Separation of Critical Business data from User data • Quick and Easy Deployment • Stand a new VM(s) in under 2mins • Ease of Policy Enforcement • Can Provide local admin elevation when necessary • Anywhere anytime access (or not) • Easy Integration into Identity Management • Currently • ERP (Datatel Colleague R17, R18) • Registrar’s • Human Resources • Business Office • Admissions (Recruitment Plus) • Financial Aid (PowerFAIDS, EDConnect) • Institutional Advancement (Raiser’s Edge) • Payroll (ADP) • Future Expansion • Document Imaging • Department Shares • MicroFAIDS (MS-DOS!!!!!)
Secure Desktop Disadvantages • Poor Multimedia Support • ACL/Firewall Rule Maintenance • Vulnerable to Screen Scrapping • Increased Disaster Recovery Complexity • SSL Gateway • Connection Broker • Provisioning Server • ESX Servers • SAN & Blade Infrastructure • “Quality of Life” Issues • Cannot browse the web • Cannot persist software changes • Cannot connect certain USB devices • Coming Soon • Cannot access e-mail • Cannot copy & paste to host • Cannot connect any USB devices
Secure Desktop Backend at SHU Hardware Software • HP c7000 Blade Enclosure • HP BL460c • 2 x Quad Core 2.3Ghz (Intel E5345) • 16 GB RAM • 4 x 1Gb Ethernet (on 2 separate boards) • Netapp 3020c Filers • 7TB (4TB Usable ??!!) for VMs • 12TB for User/Department Data • iSCSI all the way baby!!! • Cisco Catalyst 3750 Switches • 1Gb Ethernet (Copper) • 10Gb Uplink • VMWare VI3 (ESX 3.5 and Virtual Center 2.5) • Provision Networks Virtual Access Suite 5.9 • SSL Gateway • RDP Connection Broker • Citrix Provisioning Server Desktops v4.5 Sp1 • PXE Boot • HDD Streaming • Microsoft DHCP Server • Microsoft Windows XP Sp2
Physical vs. Virtual Hardware Physical Virtual • Dell OptiPlex 755 • Intel Core2 2.4Ghz • 2GB RAM • 160GB HDD • Integrated Graphics • 1Gb Ethernet • ~$1,000 • VMWare ESX 3.5 • Virtual Dual to Quad Core 2.3Ghz • 256MB RAM • 1MB HDD • RDP Graphics • 1Gb Ethernet • ~$290 w/existing hardware
Getting Buy-in • Initial deployment as test environments • Clarifying the difference between a purely work environment and a hybrid work/personal one • No other alternatives with new versions • Ease of use and virtually no training required • Unreliability of VPN and Citrix • Ability to access legacy environments with new simultaneously
Demo • https://securedesk.sacredheart.edu/
New Developments • Embedded Hypervisors • ESX 3i, XenServer OEM, etc. • VMSafe • VDI • SAN Snapshot Clones • Netapp FlexClone • Sophisticated Virtual Machine Detection
Resources, Q & A • http://www.cisecurity.org/ • http://www.securityfocus.com/ • http://www.vmware.com/resources/techresources/cat/91 • http://www.citrix.com/ • http://www.provisionnetworks.com/