
Virtualization and Cloud Computing



Presentation Transcript


  1. Virtualization and Cloud Computing Virtualization, Cloud and Security Michael Grafnetter

  2. Agenda • Virtualization Security Risks and Solutions • Cloud Computing Security • Identity Management

  3. Virtualization and Cloud Computing Virtualization Security Risks and Solutions

  4. Blue Pill Attack

  5. Blue Pill Attack • Presented by Joanna Rutkowska at Black Hat USA 2006 • Subverts the running OS on the fly by starting a thin hypervisor underneath it and virtualizing the machine it is running on (the original proof of concept used AMD-V/SVM); this requires kernel privileges, because the virtualization instructions are privileged • Once in control, the hypervisor can intercept nearly anything and return fake responses (hardware interrupts, requests for data, system time, etc.)

  6. Red Pill • Blue Pill is detectable by a timing attack • Instructions the hypervisor must trap and emulate (for example CPUID) take much longer than the same instructions executed natively • The measurements need an external time source (NTP), because the hypervisor can also fake the local system time

  7. VMM Vulnerability • By exploiting a vulnerability in the VMM (hypervisor), an attacker who controls one guest can escape to the host and attack every VM on it at once

  8. Datacenter Management SW • Virtualization infrastructure management software (VMware vCenter, Microsoft SC VMM) is used to control multiple hosts at once

  9. Web Access to DCs • Multiple datacenters can be managed from a central console. The console itself (its web access, accounts and network exposure) therefore has to be hardened.

  10. One Ring to rule them all… • Management commands available using PowerShell (e.g. VMware PowerCLI) or Web APIs • Get-VM -Name * | Stop-VM • Get-VM -Name * | Remove-VM • Copy-VMGuestFile • Invoke-VMScript -ScriptType Bash • … • A single account holding these rights can stop, delete or run code inside every VM at once

  11. Demo DoS attack on virtualization infrastructure

  12. Disabling Host-VM Communication

  13. Physical vs. Virtual Firewall • With virtualization, servers from different Trust Zones usually share the same physical resources (memory, network card, etc.)

  14. Traffic isolation

  15. Demo Configuring traffic isolation on VMware ESXi

  16. Other risks of virtualization • Introduction of yet another OS • Reliance on traditional barriers • Accelerated provisioning • Security left to non-traditional security staff • Audit scope creep

  17. Security Solutions • Virtual Firewall • Live migration • Stretched clusters • Agentless Antivirus • Extensible Switches • Mobile Virtualization Platform • Virtual Desktop Infrastructure (VDI)

  18. Agentless AV

  19. Extensible Switch

  20. Mobile Virtualization Platform

  21. Mobile Virtualization Platform

  22. Mobile Virtualization Platform • Supported devices

  23. Virtual Desktop Infrastructure

  24. Virtualization and Cloud Computing Cloud Computing Security Risks

  25. Who has access to our data?

  26. Physical Security

  27. Hard Disk Crushers

  28. Other Cloud Risks • Unclear data location • Regulatory compliance • Data segregation • Lack of investigative support • Disaster recovery • Long-term viability, vendor lock-in

  29. Virtualization and Cloud Computing Identity Management

  30. Identity Management • Basic Concepts • External user DBs • Two-factor authentication • Role-Based Access Control (RBAC) • Identity Federation • OAuth • OpenID • SAML • RADIUS Proxy • Identity Bridges

  31. External User DBs • Typically Active Directory or generic LDAP is used as central identity store for virtualization infrastructures

  32. Azure Active Directory

  33. Two-Factor Authentication

  34. Role-Based Access Control

  35. Identity Federation

  36. OAuth • Lets a user delegate limited access to their resources at a service provider to a 3rd-party application, without handing over their password • It is an authorization protocol; "sign in with" buttons build a login on top of it

  37. Demo Creating a web application with Facebook/Twitter/Microsoft Account authentication

  38. OpenID

  39. OpenID http://someopenid.provider.com/john.smith

  40. SAML • Similar to OpenID, but targeted at the enterprise • Security Assertion Markup Language • XML-based • Supports Single Sign-On • Requires mutual trust between IdP and SP (exchanged metadata and signing certificates) • Multiple bindings, not just HTTP (HTTP-Redirect, HTTP-POST, SOAP, …) • Supports identity-provider-initiated SSO

  41. SAML

  42. SAML (Google Apps)

  43. SAML Example
      <saml:Assertion ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0" IssueInstant="2004-12-05T09:22:05">
        <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
        <ds:Signature>...</ds:Signature>
        …
        <saml:Conditions NotBefore="2004-12-05T09:17:05" NotOnOrAfter="2004-12-05T09:27:05">
        </saml:Conditions>
        <saml:AttributeStatement>
          <saml:Attribute x500:Encoding="LDAP" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
            <saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue>
            <saml:AttributeValue xsi:type="xs:string">staff</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
      </saml:Assertion>
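As an added example (mine, not from the slides or from any SAML product), the following Python code shows what a Service Provider has to check on an assertion like the one on slide 43 before it trusts the attributes, covering the trust relationship and validity window from slide 40: issuer, SAML version, presence of a signature, the Conditions time window with a clock-skew allowance, and only then the attribute values. The sample assertion is a constructed copy of the slide's example with the standard SAML 2.0, XML-DSig, XML Schema and x500 namespace declarations added, the elided Subject left out and timestamps given in UTC (SAML 2.0 requires the trailing "Z"; the slide's timestamps lack it and the parser below rejects them, which is deliberate). The XML-DSig itself is only checked for presence; real verification needs an XML signature library and must happen before the attributes are read, and must confirm that the signed element is the very assertion being consumed (otherwise signature-wrapping attacks apply). The issuer URL and the 60 s skew are assumptions.

```python
"""Service-Provider side validation of a SAML 2.0 assertion (Python stdlib)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET   # for untrusted input prefer defusedxml

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "xs": "http://www.w3.org/2001/XMLSchema",
    "x500": "urn:oasis:names:tc:SAML:2.0:profiles:attribute:x500",
}

# Constructed sample: the slide's assertion with namespaces declared, the
# Subject omitted (as on the slide) and UTC timestamps.  The signature body
# is a placeholder; a real SP verifies it before trusting anything below.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:x500"
    ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0"
    IssueInstant="2004-12-05T09:22:05Z">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <ds:Signature><!-- XML-DSig omitted --></ds:Signature>
  <saml:Conditions NotBefore="2004-12-05T09:17:05Z"
                   NotOnOrAfter="2004-12-05T09:27:05Z"/>
  <saml:AttributeStatement>
    <saml:Attribute x500:Encoding="LDAP"
        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
        FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class SamlError(Exception):
    """Raised for any reason the assertion must not be accepted."""


def parse_saml_time(value):
    """SAML 2.0 timestamps are UTC with a 'Z' suffix; reject anything else."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    try:
        return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    except ValueError as exc:
        raise SamlError(f"bad timestamp {value!r}") from exc


def validate_assertion(xml_text, expected_issuer, now, skew=timedelta(seconds=60)):
    """Return the attribute statement as a dict, or raise SamlError."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        raise SamlError("not a SAML 2.0 assertion")
    # Trust is per-IdP: the issuer must be the one whose metadata we hold.
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise SamlError("unexpected issuer")
    if root.find("ds:Signature", NS) is None:
        raise SamlError("assertion is not signed")
    # ... verify the XML-DSig against the IdP certificate here ...
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise SamlError("missing Conditions")
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_saml_time(not_before):
        raise SamlError("assertion not yet valid")
    if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
        raise SamlError("assertion expired")   # NotOnOrAfter is exclusive
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        attrs[key] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def accepts(xml_text, expected_issuer, now):
    """Boolean convenience wrapper around validate_assertion."""
    try:
        validate_assertion(xml_text, expected_issuer, now)
    except SamlError:
        return False
    return True


if __name__ == "__main__":
    at_issue = datetime(2004, 12, 5, 9, 22, 5, tzinfo=timezone.utc)
    print(validate_assertion(ASSERTION, "https://idp.example.org/SAML2", at_issue))
```

The time checks use the SP's own clock, so an SP whose clock drifts by more than the skew allowance will reject every assertion; that is the correct failure direction, and the fix is NTP on the SP, not a larger skew.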

  44. Microsoft Active Directory Federation Services • SAML-based • Typically used to give access to intranet portals to business partners

  45. Shibboleth • Open-source SAML-based federation software (identity provider and service provider implementations)

  46. Demo Signing in to a federated web application

  47. RADIUS Proxy (Eduroam)

  48. Identity Bridges

  49. Identity Bridges:Azure Access Control Service
