200 likes | 347 Views
Real Security for Server Virtualization. Rajiv Motwani 2 nd October 2010. Agenda. Introduction to server virtualization Best practices Patch Management VM Server Sprawl Third party products. What is Server Virtualization?.
E N D
Real Security for Server Virtualization Rajiv Motwani 2nd October 2010
Agenda • Introduction to server virtualization • Best practices • Patch Management • VM Server Sprawl • Third party products
What is Server Virtualization? • Concept of virtualization has existed in various forms in computing since the early 1960s • In virtualization, physical resources are abstracted and shared by multiple operating systems
What is a Hypervisor? A hypervisor provides an abstraction layer that allows a physical server to run one or more virtual servers, effectively decoupling the operating system and its applications from the underlying hardware.
Why Virtualize? • IT flexibility/agility • Predictable scaling to dynamically respond to business needs • Key part of disaster recovery strategy • Improve application availability • Server or data center consolidation • Higher utilization leads to greater consolidation • Promotes greater centralization and security • "Green Computing" • Consume less power, cooling, and real estate • Support DevTest environments • Works for both IT shops and development houses
Benefits of Virtualization Consolidation Continuity Cut server requirements by 10X and reduce IT spending by 50-70% Protect IT assets and service against disasters & outages For Desktops & Server Apps Automation Availability Automate routine management tasks and deliver better IT services to users Improve service levels and eliminate planned downtime
Complexity hidden from OS Storage managed by a Storage Manager Resources can be added/removed at will Storage Architecture independent Hardware Hardware Hardware XenTM Hypervisor XenTM Hypervisor XenTM Hypervisor Virtual Storage Virtualization Components Virtual Storage Solutions Virtual Storage Manager
Virtualization Components (2) Virtual LANs • Segments Network • into logical units • Allows isolation • Increased security • Reduced network • broadcast traffic
• Centralizes Application Management • Application Executes on Server • Application Displayed on the client • Great for bandwidth constrained locations Virtualization Components (3) Application Virtualization (Execution on Server)
Best Practices • Secure VM’s as you would secure physical machines • Regularly updated Anti-virus, IPS, Firewall components are a must • Regular patching • Reduce attack surface • Stop unnecessary services • Disable unused hardware • Intra-VM communication only as required. • VLAN’s • Separate physical adapters • Standardize • Use templates Template
Best Practices (2) • Limit the resources of each VM • Prevent DoS attacks • Restrict access to the console • Access to the service console & management interface • Communication between service console and management interface • Root privileges • Who has access? • Good password policy • VM Logging • Log detail level (for console and each VM) • DoS – limit size
Best Practices (3) • Use updated versions of all virtualization software • Hypervisor vulnerability in Microsoft Hyper V (blue pill) • Several checks in place • Separate address space for hypervisor • No shared memory between guest VM’s • Isolation of virtual network adapters • Restrict third party code in hypervisor • (Depends on vendor)
Remember to secure • Host as well as Guest VM’s • Have AV as well as IPS protection • Management Interface • Backup and Recovery process • Encrypt all traffic between VM’s and Host • VM Image files on disk
Patch Management • Difficult but necessary • Patches for OS + all applications installed on the VM’s • Ideally server environments should have few applications • Take advantage of virtual patching • Signatures deployed on VM’s • Traffic scanned at hypervisor or by a virtual appliance • Patches • Phased manner • Thoroughly tested
Patch Management (2) • Snapshots • NAC • Application virtualization helps • Tools available from all vendors to patch OS + some third party applications • Online and Offline VM’s • Third party tools also available for both modes
Offline VM’s • More at risk • Ensure they have Anti-virus, IPS, Firewall • Next-gen security products have ability to scan these VM’s offline for • Malware • Vulnerabilities and exploits • Once they come online, ensure they are patched first before they can do any other operation (NAC)
Virtual Server Sprawl “A large amount of virtual machines on your network without proper IT management or control” - Steven Warren - blogs.techrepublic.com • Create servers at the click of a button • Who can create in the production environment? • Should be an IT process • Admins create copies of production environment to test and stage applications. • New tools are available to do this automatically.
Virtual Server Sprawl • Some mitigations • Policy that if a VM is unused for X days, it can be removed • Annotate VM’s with an end date while creating them • Scan network for new VM Server traffic • Who can create VM’s? • Use third party products
Third Party Products • Catbird • Embotics • Shavlik • HyTrust • Vizioncore • DynamicOps ....
Questions • Thank You.