Hypervisor Hardening and Security

  1. Hypervisor Hardening and Security • VMUG Sydney/Brisbane Meetings • 21st July & 10th August, 2011

  2. John Reeman - Founder and CTO of VMinformer • Involved in IT Security for 18 years • Previously founder and owner of London based network security integrator. • Contributing author to CIS (Center for Internet Security) ESX 3.5 and 4.x Security benchmarks • Involved in conducting Security Risk Audits & Vulnerability Assessments for the last 10 Years • Designed and developed VMinformer a unique security assessment monitoring tool for virtual environments • Founder and CTO of VMinformer, HQ in Sydney, sales representation worldwide

  3. Our tool is about providing:- Visibility of the security posture of your virtual environment. It does this quickly, accurately and affordably.

  4. What our customers say "There is no way we could constantly check settings – it would be very expensive. This software cost us a few thousand dollars, it is a very cheap insurance, potentially saving us millions in outages or service interruptions." Grenda Corporation "The product worked exactly as advertised, was very (very) fast and found everything that I expected it to find based on current information security best practices. I look forward to seeing the product evolve and improve over time, but the current version is extremely capable and saves an enormous amount of time during a security review." IT Risk & Security Consultancy

  5. Recent Awards “The first Australian company to win this award in three years”

  6. “Virtualization is pervasive it is everywhere”

  7. “I’ve spent the last 10 years researching and conducting virtualization audits across the city of London and in Europe and time and time again the security failures boiled down to one thing...”

  8. Human!!

  9. Hidden Dangers • Human traits • Self regulation • Blind faith • Complacency • Overconfidence • Housekeeping • Visibility • Who, what, where, when and how

  10. Verizon Report 2008 & 2009
  What commonalities exist?
  • 69% were discovered by a third party (-6%)
  • 81% of victims were not PCI compliant
  • 83% of attacks were not highly difficult (<>)
  • 87% were considered avoidable through simple or intermediate controls
  • 99.9% of records were compromised from servers and applications
  How do breaches occur?
  • 67% were aided by significant errors (<>)
  • 64% resulted from hacking (+5%)
  • 38% utilized malware (+7%)
  • 22% involved privilege misuse (+7%)
  • 9% occurred via physical attacks (+7%)
  Who is behind data breaches?
  • 74% resulted from external sources (+1%)
  • 20% were caused by insiders (+2%)
  • 32% implicated business partners (-7%)
  • 39% involved multiple parties (+9%)

  11. The Journey • Where do you start? • A journey • Building blocks • Visibility • Arm yourself with knowledge - know your enemy and how to adapt. • It's not all about the tools or controls

  12. VMware Product Suite • VMware vSphere • vCloud • vMotion • Storage vMotion • vShield Zones • vCenter Server • Lab Manager • Life Cycle Manager • Site Recovery Manager • vOrchestrator Larger attack surface

  13. Attacking systems - The Process • Information gathering • port knocking (nmap + other tools) • Identify targets (quick wins) • Profile the target systems • Target specific ports / applications • Attack • SQL injection, XSS, etc. • Brute force attacks • Compromise • Own the target, build a new toolset on the target platform to start the cycle again

  14. Profiling a system for attack • Demo

  15. The potential threats • Guest to Guest • Host to Guest • Guest to Host • External to Host • External to Guest

  16. Architecture and Design - This is complex stuff • Need to watch resource use; it could impact other VMs • Isolation

  17. Don’t be a Sheep! • Face Value • A ‘Best Practice’ is just that • It may not be right for you • Relevance • TRUST

  18. Storage layer • Where is the data stored? • How important is the data? • Encryption? “Isolate data according to environment”

  19. Management • VI Client - ESX or vCenter • APIs - over 10+ currently available (VMCI Sockets) • Web interface - ESX or vCenter • Console (ESX) • Think about entitlement carefully

  20. Management - vCenter Security (LDAP auth)
  Potential Risks
  • Man in the middle attacks
  • Brute force attacks
  • sslsniff (Moxie Marlinspike)
  • SQL Injection
  Good Design
  • Isolate vCenter on a management network
  • Change the default SSL cert
  • Lock down MSSQL
  • Work on the principle of least privilege

  21. Management - Protocols and Ports
  [Slide diagram of management protocols and ports; only the labels are recoverable]
  • Ports shown: 902, 903, 2050-2250, 5988, 5989, 8042-8045, 427 (CIM), 636, 2049, 3260, 514, 8000
  • Protocols shown: SSH, CIM, HTTP, HTTPS, VNC, NTP, SNMP, NFS, SMTP
  • Most TCP based, some UDP
  • Can control using the ESX firewall: "All incoming and all outgoing blocked"

  22. Security Controls - Today • Vendor provided - e.g. VMsafe, vShield Zones • Inbuilt firewall on each ESX host, IPTABLES, new vSphere 5 ESXi firewall • 3rd party vendors, firewalls, IPS, anti-virus etc. • Configuration and lockdown • Entitlement - Roles and Permissions • AUDITING and Monitoring

  23. Use case • Demo data kindly supplied by Mark Iveli (Sydney VMUG), from a vSphere 5 implementation

  24. VMinformer Policies • CIS Benchmarks, VMware Hardening Guides, ISO 27005, DISA STIG • PCI-DSS v2.x • Own research (undocumented key pairs) • Policies can be customized, so you can query anything in the API; the only limit is one's imagination!

  25. Minimise risk • Audit and assess • Have to use automated tools • Independent of manufacturer • Easy to use and don't become a burden • Regular and constant review • Deltas / Reference builds • Visual Data Maps
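A small reference-build delta check, added here as an example and not code from the talk or from VMinformer: it takes the "all incoming and all outgoing blocked" firewall stance and the management ports from slide 21, compares each host's firewall state with a chosen reference allow-list, and reports every drift as a finding. The allow-list, the port/service labels and the host records are constructed assumptions for the example.

```python
"""Reference-build delta audit for ESX host firewall state (added example).
Each host's open ports and default policy are compared with a reference
build; every delta becomes a finding. Host records are constructed data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostFirewall:
    name: str
    default_deny: bool      # "all incoming and all outgoing blocked" set
    inbound: frozenset      # open inbound ports
    outbound: frozenset     # open outbound ports


# Reference build: the allow-list this example assumes for a management
# network. Port/service pairs are standard assignments, not from the slides.
REF_INBOUND = {22: "SSH", 443: "HTTPS", 902: "vSphere client", 5989: "CIM HTTPS"}
REF_OUTBOUND = {123: "NTP", 514: "syslog", 2049: "NFS"}


def audit(host: HostFirewall) -> list:
    """Return (severity, host, message) tuples, one per delta from the reference."""
    findings = []
    if not host.default_deny:
        findings.append(("HIGH", host.name, "default policy is not block-all"))
    for port in sorted(host.inbound - set(REF_INBOUND)):
        findings.append(("HIGH", host.name, f"unexpected inbound port {port} open"))
    for port in sorted(set(REF_INBOUND) - host.inbound):
        findings.append(("INFO", host.name, f"reference inbound port {port} ({REF_INBOUND[port]}) closed"))
    for port in sorted(host.outbound - set(REF_OUTBOUND)):
        findings.append(("MEDIUM", host.name, f"unexpected outbound port {port} open"))
    for port in sorted(set(REF_OUTBOUND) - host.outbound):
        findings.append(("MEDIUM", host.name, f"reference outbound port {port} ({REF_OUTBOUND[port]}) closed"))
    return findings


def delta_report(hosts) -> dict:
    """Map host name to findings; an empty list means the host matches the reference."""
    return {h.name: audit(h) for h in hosts}


# Constructed sample: esx01 matches the reference, esx02 has drifted.
SAMPLE_HOSTS = [
    HostFirewall("esx01", True, frozenset({22, 443, 902, 5989}), frozenset({123, 514, 2049})),
    HostFirewall("esx02", False, frozenset({22, 443, 902, 5989, 5900}), frozenset({123, 2049})),
]

if __name__ == "__main__":
    for name, findings in delta_report(SAMPLE_HOSTS).items():
        print(name, "matches reference" if not findings else "")
        for severity, _, message in findings:
            print(f"  [{severity}] {message}")
```

Run on a regular schedule, the report is the "delta against reference build" the slide asks for; a host with an empty finding list matches the build, and any other host has drifted.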

  26. Cloud Thoughts • Your cloud provider should offer assurance around security • More often than not they won't though (it's not their concern) • Tell them your systems must meet certain security requirements, your own, PCI etc. (if they want your business they should listen) • For extra protection find a solution that mandates a minimal security state for your virtual machines and, if it is not met, alerts or sandboxes

  27. Some closing thoughts • Human Traits will cause virtualization security breaches • Don’t become complacent • Security is getting better but it has a long way to go • Virtualization Security will end up costing you more • Design well, think about what you are trying to achieve • Virtualization is NOT inherently INSECURE • Monitoring and Auditing is ESSENTIAL

  28. “Do or Do Not. There is no Try”

  29. Contact - John Reeman • Mobile: 04 5096 8306 • Email: john@vminformer.com • Twitter: @vminformer • www.vminformer.com • www.vminformer.com/VCP
