UK CISO Council, 17 SEP 2008
Microsoft's Approach To Virtualization Security
Kai Axford, CISSP, MCSE
Senior Security Strategist, Microsoft Corporation
kaiax@microsoft.com
Scottish CISO Council, 19 SEP 2008, Edinburgh, Scotland
Microsoft's Approach To Virtualisation Security
Kai Axford, CISSP, MCSE
Senior Security Strategist, Microsoft Corporation
kaiax@microsoft.com
Agenda
• Forrester’s perspective: Security as an enabler of virtualization
• Microsoft’s integrated approach to virtualization security
• Achieving benefits through Core Infrastructure Optimization
• Q&A
Security will ultimately enable virtualization
Myth: Red Pill and Blue Pill programs make virtualization insecure
Reality: Security is the primary driver for desktop virtualization
Reality: Security will drive more secure server environments
Desktop virtualization, server virtualization: all require the same tools as before . . .
• Virtual machines think they are real – you must treat them as such
  • Patch management
  • Configuration management
  • Antivirus security updates
  • Access control
• Each tool will keep machines up-to-date with the latest security updates and secure configurations
. . . However, there are a few additional processes you must add
• Offline VMs bring new challenges to the environment
  • Supplement agent-based tools with tools that can update an offline machine
  • Or, make sure to scan VMs so old vulnerabilities don’t make their way into a production environment
• Firewall-enable each VM – you can’t guarantee a physical appliance is inspecting traffic
Recommendations
Shift your mindset
• Security is an enabler
• Data centralization
• Better endpoint security
• Standardization of server environment
Cross-train VM management
• Virtualization can strain organizational silos
• Train desktop, server, network, and storage admins on VM management
Use standard templates
• Create ‘Gold’ images for rapid VM deployment
• Eliminates error associated with configuring systems for hardware variants
Look for virtualization-aware tools
• Offline patching and preflight checks for production VMs
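The preflight check the last recommendation calls for, as an added example in Python that is not part of the deck: it compares each VM's last agent-reported update set and scan date against a 'Gold' baseline and routes offline VMs with gaps to offline servicing. The inventory, VM names and update IDs are constructed placeholders.

```python
# Preflight check for VMs before they enter production (added example, not
# from the deck). Assumed inputs: a VM inventory with power state, last agent
# scan date and reported updates, plus the update set the 'Gold' image carries.
# VM names and update IDs are constructed placeholders.
from datetime import date

# Constructed baseline: updates the current 'Gold' image carries.
GOLD_BASELINE = {"KB-0001", "KB-0002", "KB-0003", "KB-0004"}

# Constructed inventory; 'updates' is what the agent reported at last_scan.
INVENTORY = [
    {"name": "web01", "state": "running", "last_scan": date(2008, 9, 15),
     "updates": {"KB-0001", "KB-0002", "KB-0003", "KB-0004"}},
    {"name": "lab-old", "state": "offline", "last_scan": date(2008, 5, 2),
     "updates": {"KB-0001"}},
    {"name": "app02", "state": "offline", "last_scan": date(2008, 9, 1),
     "updates": {"KB-0001", "KB-0002", "KB-0003"}},
]
AUDIT_DATE = date(2008, 9, 17)  # constructed "today" for the sample run


def missing_updates(vm, baseline=GOLD_BASELINE):
    """Baseline updates this VM has not reported as installed."""
    return sorted(baseline - vm["updates"])


def preflight(vm, today, baseline=GOLD_BASELINE, max_scan_age_days=30):
    """Return (ok, reasons) for letting this VM into production.

    An offline VM cannot be fixed by agent-based tools, so any gap on an
    offline VM is routed to offline servicing before the VM is powered on.
    """
    reasons = []
    gaps = missing_updates(vm, baseline)
    if gaps:
        reasons.append(f"missing {len(gaps)} baseline update(s): {', '.join(gaps)}")
    age = (today - vm["last_scan"]).days
    if age > max_scan_age_days:
        reasons.append(f"last scan is {age} days old (limit {max_scan_age_days})")
    if reasons and vm["state"] == "offline":
        reasons.append("route to offline servicing before power-on")
    return (not reasons, reasons)


def preflight_report(inventory, today, baseline=GOLD_BASELINE):
    """Map each failing VM name to its reasons; passing VMs are omitted."""
    report = {}
    for vm in inventory:
        ok, reasons = preflight(vm, today, baseline)
        if not ok:
            report[vm["name"]] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in preflight_report(INVENTORY, AUDIT_DATE).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```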
Value Of Infrastructure Integration
Microsoft’s Integrated, Simplified Solutions
• From the desktop to the data center…
• Across physical and virtual environments…
• And covering all virtual elements: application, presentation, and hardware
• Common Platform & Infrastructure
Customer Benefits: Save time; Lower cost of ownership; Gain greater visibility; Protect IT
(Diagram: Security, Identity, Management and Access layered over a common platform spanning Physical and Virtual, Client OS, Server OS and 3rd Party)
Microsoft’s Approach To Virtualization Security
• Integrated Protection
  • Defense-in-depth combining Windows Server 2008 security features with Forefront security solutions
• Secure Computing Solution
  • Hyper-V in Windows Server 2008 designed for security through its architecture and features
• Simplified Management
  • Simplify administrative tasks and get clear visibility with Windows Server 2008, System Center, and Identity Lifecycle Manager
Microsoft Confidential – Provided under NDA
Monolithic Vs. Microkernelized
Virtualization: Hypervisor + Drivers + Virt software stack + Mgmt interface
Monolithic Hypervisor
• Includes all virtualization components, including drivers
• Runs all code in most privileged part of the processor
• Patching may be more likely given code included
Microkernelized Hypervisor
• Only partitioning memory & CPU
• Increase reliability and minimize trusted computing base
• No third-party code
• Drivers run within guests
(Diagram: monolithic hypervisor with VM 1 (Admin), VM 2 and VM 3 above a hypervisor that contains the virtualization stack and the drivers, on hardware; microkernelized hypervisor with VM 1 (“Root”), VM 2 (“Guest”) and VM 3 (“Guest”) each holding their own drivers, the virtualization stack in the root VM, and a thin hypervisor on hardware)
Microsoft’s Hypervisor
• Minimized Attack Surface
  • No drivers, extensible code, or 3rd party code included in Hyper-V
  • Minimal size (only ~600 kilobytes)
  • Drivers run in the root partition
• Simplifies Management & Maintenance
  • Because of the microkernel architecture, the Microsoft hypervisor can be fully updated where needed via Windows Update
  • An update replaces the existing installation with a new one, without the need for patching
  • The hypervisor update can also be rolled back through the control panel
• Very Thin Layer of Software
  • Microkernel
  • Highly reliable
  • Optimized for hardware virtualization features from Intel & AMD
  • Only runs in most privileged part of processor, where execution context is enforced by the processor
(Diagram: Windows Hypervisor on Server Hardware)
Root Partition
• What is a Root Partition?
  • Portion of hypervisor that has been pushed up and out
  • Virtualization stack runs within the root partition
  • Manages guest partitions
• Lock it down and minimize its size by using WS 2008 server core
• Separation of components by privilege and process
• Code signing helps ensure that the hypervisor has not been modified
  • Before Windows Server 2008 engages Hyper-V through the root partition, it checks to ensure Hyper-V has the proper signature
(Diagram: root partition running the Virtualization Stack in user mode (“Ring 3”): WMI Provider, VM Worker Processes, VM Management Service; in kernel mode (“Ring 0”): Windows Kernel, Device Drivers and Virtualization Service Providers (VSPs) on Server Core; guest partitions VM 1, VM 2 . . .; Windows Hypervisor on Server Hardware; components provided by Hyper-V, Windows and 3rd Party ISVs)
The Complete Architecture
• Guest-to-guest isolation mitigates risks
  • VMs can be configured to only communicate through networks where policies can be enforced
  • If compromised, limits damage because of architecture and hardware
• Enables use of all management tools for Windows environment
  • No need to learn additional tools to manage or secure
  • Use all device drivers for Windows environment
• Created using Microsoft’s Security Development Lifecycle
• Readily enables security ecosystem via published VHD standard
(Diagram: root partition with the Virtualization Stack (WMI Provider, VM Worker Processes, VM Management Service) in user mode (“Ring 3”) and Windows Kernel, Device Drivers and Virtualization Service Providers (VSPs) on Server Core in kernel mode (“Ring 0”); guest partitions with Guest Applications in user mode and OS Kernel, Virtualization Service Clients (VSCs) and Enlightenments in kernel mode, connected to the VSPs over the VMBus; Windows Hypervisor on Server Hardware; components provided by Hyper-V, Windows and 3rd Party ISVs)
Virtualization Attacks
(Diagram: the same architecture labelled with hackers’ attack vectors; components shown: Guest Applications, OS Kernel, Enlightenments and Virtualization Service Clients (VSCs) in the guest partitions; the Virtualization Stack (WMI Provider, VM Worker Processes, VM Management Service), Windows Kernel, Device Drivers, Virtualization Service Providers (VSPs) and Server Core in the root partition; the VMBus; the Windows Hypervisor; Server Hardware; components provided by Hyper-V, Windows and 3rd Party ISVs)
Attack Mitigation
• Non-interference
  • Guest computations protected from other guests
  • Guest-to-guest communications not allowed through VM interfaces
• Separation
  • Separate worker processes per guest
  • Guest-to-parent communications over unique channels
• SDL
  • Threat modeling, penetration testing, and secure code review of all components
Demo: Windows Server 2008 Hyper-V
Best Practices For Securing Hyper-V: Deployment Considerations
• Patching the hypervisor
  • Windows Update
• Managing lots of virtual machines
  • System Center Virtual Machine Manager
• Minimize risk to the Root Partition
  • Utilize Server Core
  • Don’t run arbitrary apps, no web surfing
  • Run your apps and services in guests
  • Use AzMan to reduce admin privilege
  • Connect to back-end management network
  • Only expose guests to internet traffic
Best Practices For Securing Hyper-V: Device Lockdown
• Enable NX and virtualization in BIOS
• Networking
  • Virtual Switches
  • VLANs
  • Dedicated NIC for root partition
• Storage
  • BitLocker
  • Storage CDB filtering
    • Protects pass-through devices
Integrated Protection: Windows Server 2008 and Windows Vista
Hyper-V Security Features
• Server & Domain Isolation
  • Enables trusted relationships between devices
  • Dynamically segment the network based on policy
  • When used with Hyper-V, each virtual machine can be set to only communicate with trusted virtual machines on a network
  • Enforced by IPSec and Active Directory
• Network Access Protection with IPSec
  • Control access and enforce compliance for physical and virtual clients based on consistent policy
  • Individual health certificates are associated with each virtual client
  • Compliance can be enforced on a per-virtual-session basis
• Hyper-V also enables creation of virtual LANs for network segmentation within the virtual environment
Complementary Security Solutions
Comprehensive line of business security products that helps you gain greater protection and secure access through deep integration and simplified management
• Client & Server OS
• Server Applications
• Network Edge
An Integrated Security System
(Diagram: Network Edge, Client and Server OS, and Server Applications under common Management & Visibility and Dynamic Response; vNext)
Simplified Management . . .
• WS08 and Hyper-V
  • Authorization Manager (AzMan) for Role-Based Access Control
• Microsoft Identity Lifecycle Manager
  • Provides a single view of a user’s identity and its privileges across the heterogeneous enterprise
  • Enables end-users to request access to physical and virtual assets through a defined workflow
• Enables management of Hyper-V virtual machines while supporting heterogeneous environments
• Integrates with Active Directory and other System Center solutions for coordinated management across physical and virtual environments
(Diagram: spans the Virtual Environment and the Physical Environment)
…With Complementary Tools: Offline VM Servicing Toolkit
• V1 Solution Accelerator Just Released
  • Automates VM OS patching of XP, Vista, WS2k3 clients on Virtual Server
  • Integration with System Center and WSUS
    • System Center Virtual Machine Manager (VMM 2007)
    • System Center Configuration Manager 2007 (ConfigMgr 2007)
    • Windows Server Update Services (WSUS 3.0)
• V2 Fall 2008 Features
  • Hyper-V, WS2008 clients, CfgMgr 2007 SP1, WSUS 3.0 SP1
... And Enabled By Active Directory
• Active Directory enables a single identity store for virtualization
• Virtual machines based on Hyper-V are treated as a file on the file system
  • Across physical / virtual environments, file access can then be granted through user groups
  • Across different forms of virtualization
(Diagram: Active Directory underpinning System Center Virtual Machine Manager, Microsoft Identity Lifecycle Manager, Forefront security solutions, Network Access Protection and Server & Domain Isolation across the virtualization layers: Hardware (Hyper-V), Presentation (Terminal Services) and Application (Microsoft App Virt))
Core Infrastructure Optimization
• Basic: Uncoordinated, manual infrastructure
• Standardized: Managed IT infrastructure with limited automation
• Rationalized: Managed, consolidated, and automated IT infrastructure
• Dynamic: Fully automated management, dynamic resource usage
Enabling technologies: Windows Server 2008 (Hyper-V, Active Directory, Terminal Services, Server & Domain Isolation), Microsoft Application Virtualization, Forefront Security products, System Center solutions, Microsoft Identity Lifecycle Manager
Microsoft’s virtualization and other infrastructure solutions are key enablers toward achieving Dynamic IT
Threat Landscape: Virtualized Attackers?
• Is this one of the next big attack vectors on the horizon?
• The VM industry is focused on securing the VMs from attack. Very little thought of VMs being used as the attacker.
• Cases are starting to appear where people use VMs to attack, then shut down the VM to remove any trace of evidence.
Threat Landscape: Virtualized Attackers?
• But we do write all events to the SysLog
• Things that go into drive slack are recoverable using forensics tools
• We still have network traces…
  • …and audit logs
  • …and firewall and router logs
  • …not to mention video cameras in the server room.
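The correlation this slide implies, as an added example in Python that is not part of the deck: host VM lifecycle events are joined with firewall logs to surface VMs that ran only briefly (and were then deleted) yet produced firewall hits while they existed. The log formats, host names, VM names and addresses are constructed samples, not any product's real format.

```python
# Correlating VM lifecycle events with firewall logs (added example, not from
# the deck). A VM that is started, used and shut down still leaves traces on
# the host and the network; this flags short-lived VMs that produced firewall
# hits. Log formats, names and addresses are constructed samples.
import re
from datetime import datetime

HOST_EVENTS = """\
2008-09-17 09:58:02 host1 vmms VM=scratch-7 action=start ip=10.1.5.44
2008-09-17 09:59:10 host1 vmms VM=web01 action=start ip=10.1.5.10
2008-09-17 10:07:41 host1 vmms VM=scratch-7 action=stop ip=10.1.5.44
2008-09-17 10:07:55 host1 vmms VM=scratch-7 action=delete ip=10.1.5.44
"""
FIREWALL_LOG = """\
2008-09-17 10:01:12 fw1 DENY src=10.1.5.44 dst=192.0.2.9 dport=445
2008-09-17 10:03:05 fw1 ALLOW src=10.1.5.10 dst=192.0.2.20 dport=443
2008-09-17 10:04:49 fw1 DENY src=10.1.5.44 dst=192.0.2.11 dport=3389
2008-09-17 11:30:00 fw1 DENY src=10.1.5.44 dst=192.0.2.9 dport=445
"""

EVENT_RE = re.compile(r"^(\S+ \S+) \S+ vmms VM=(\S+) action=(\S+) ip=(\S+)$")
FW_RE = re.compile(r"^(\S+ \S+) \S+ (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def vm_lifetimes(host_log):
    """Map VM name -> {ip, start, stop, deleted} from start/stop/delete events."""
    vms = {}
    for line in host_log.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, name, action, ip = m.groups()
        when = datetime.strptime(ts, TS_FORMAT)
        vm = vms.setdefault(name, {"ip": ip, "start": None, "stop": None, "deleted": False})
        if action == "start":
            vm["start"] = when
        elif action == "stop":
            vm["stop"] = when
        elif action == "delete":
            vm["deleted"] = True
    return vms


def firewall_hits(fw_log, ip, start, stop):
    """Firewall records from `ip` that fall inside the [start, stop] window."""
    hits = []
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, verdict, src, dst, dport = m.groups()
        when = datetime.strptime(ts, TS_FORMAT)
        if src == ip and start <= when <= stop:
            hits.append((when, verdict, dst, int(dport)))
    return hits


def short_lived_vms_with_traffic(host_log, fw_log, max_seconds=900):
    """(name, lifetime seconds, deleted, hits) for VMs that ran at most max_seconds."""
    findings = []
    for name, vm in vm_lifetimes(host_log).items():
        if vm["start"] is None or vm["stop"] is None:
            continue  # still running, or the log does not cover its start
        seconds = int((vm["stop"] - vm["start"]).total_seconds())
        if seconds > max_seconds:
            continue
        hits = firewall_hits(fw_log, vm["ip"], vm["start"], vm["stop"])
        if hits:
            findings.append((name, seconds, vm["deleted"], hits))
    return findings
```

The 11:30 record from the same address falls outside the VM's window and is not attributed to it, which is the point of joining on lifetime rather than on address alone.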
Summary
• Security is an enabler of virtualization
• Many things are similar in securing the virtual environment, but there are key considerations
• Microsoft is delivering an integrated, simplified approach to IT security across physical and virtual environments
  • Secure computing platform: Hyper-V’s architecture
  • Integrated protection: WS08 + complementary Microsoft solutions
  • Simplified management: Hyper-V + System Center + Identity Lifecycle Manager + tools / guidance
• Customers at every stage of IT maturity can use this approach through Core IO guidance
Hyper-V – Transforming Microsoft IT's Datacenter Environment
The Microsoft Environment
First and Best Customer
• ~120K Windows Vista clients
• ~1500 Windows Server 2008 instances
• 500+ production Hyper-V VMs
• > 25% virtualized on VS 2005 and Hyper-V
• VMM 2008 beta heavily utilized
• WS 2008 R2 (Win7) deployment imminent
• Planning for next-next wave products to begin shortly
Enterprise Infrastructure
• 6 data centers
• 98 countries
• 441 buildings
• 2300+ applications
• 11K production server instances
• > 205K managed computers
• > 685K devices
• > 180K end users
High Scale Processes
• 1 trillion rows of perf data/day
• 67,000,000+ internal IMs per month
• 143K+ user mailboxes
• 225,800,000+ remote connections per month
• 1B+ LiveID authentications/day
MSIT Virtualisation - Past
• Acknowledged we had a serious utilization and agility issue several years ago
  • < 10% average CPU utilization and falling
  • Three weeks or more to get a new server
  • Impending data center space and infrastructure crisis at current instance growth rates
• Began deploying Virtual Server 2005 as a proof-of-concept utility service (the “Virtual Server Utility” or “VSU”) back in 2004
• Early VM benchmarks and performance analysis indicated more than 30% of the datacenter could be virtualized
Business requirements for data center system deployment
• Single submission process focused on selection of the platform
  • Client submits business / application / service requirements
  • Engineering partners with Client to match solutions to those requirements
  • Decision tree leverages best technology
General Compute Utility Strategy
• RightSizing
  • Shifts from WANTS to NEEDS
  • Focuses on near term capacity needs
  • Institutes checks and balances
  • Deemphasizes perceptions
  • Onramp for utility solutions
• Utility Solutions
  • Drive utilization up
  • Leverage commodity solutions
  • Excess capacity drives next opportunity
  • Build on foundational Utility solutions
  • “Buy in” and “pay for use” billing
  • Demonstrated agility and efficiency versus resource island (single ownership) approach
• Utility Enablers
  • Drive abstraction and competitive bidding
  • Deliver capacity planning as a service
  • Feed reporting of system performance SLAs
  • Adjust other IT services to meet agility needs
  • Hardware platform refresh owned/funded by the capacity management and utility services
  • Software platform refresh simplified by HW consistency
Application and service owners are abstracted from hardware to concentrate on developing, deploying and supporting great apps
(Diagram: decision tree from the submission to Shared Utility Platforms (Virtual Server Utility, SQL Utility, FileSvr Utility) or Standalone Utility Platforms (Dedicated Commodity Servers, Dedicated Scale Up/Out Servers), all resting on Compute Utility / Storage Utility / Backup Utility, Centralized procurement via Buy Desk, Performance and Capacity Management Services, Dynamic Manageability Utility and Managed Platform Lifecycle)
RightSizing Basics
• Normalize platform capability differences
  • Leverages SPEC INT benchmark (Compute Units)
  • Contrast and compare platforms using consistent measurements
• Platform purchase check/challenge
  • Gather performance metrics on existing systems
  • Step down purchase requests to an appropriate platform, based upon historical utilization data and Compute Unit comparisons
    • 4 socket -> 2 socket -> Virtual Machine
  • Push dedicated solutions to shared or utility platforms
    • Consolidated services, virtual machines, SAN, etc.
• Regular business reporting
  • Total capability versus utilization
  • Platform type and OEM purchasing trends
  • RightSizing engagements (Savings versus “Missed Opportunities”)
• Push Microsoft product groups, partners, and vendors to address needs with complete packaged solutions
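The step-down decision in Compute Units, as an added example in Python that is not MSIT's tooling: it converts a requester's observed utilization on their current platform into Compute Units and walks the 4 socket -> 2 socket -> Virtual Machine ladder from the small end, plus a totals function for engagement reporting. The Compute Unit ratings, the percentile and headroom factors, and the utilization samples are constructed assumptions.

```python
# RightSizing a platform request with Compute Units (added example, not from
# the deck). Assumed inputs: a Compute Unit rating per platform class (derived
# from a SPEC INT style benchmark) and the requester's historical CPU
# utilization on their current platform. Ratings and samples are constructed.

# Constructed Compute Unit ratings, ordered smallest to largest.
PLATFORMS = [("virtual machine", 10.0), ("2 socket", 40.0), ("4 socket", 80.0)]
RATING = dict(PLATFORMS)

# Constructed 20 daily utilization samples (fraction of CPU) on a 4 socket box.
UTIL_HISTORY = [0.04, 0.05, 0.05, 0.06, 0.06, 0.06, 0.07, 0.07, 0.07, 0.08,
                0.08, 0.05, 0.06, 0.07, 0.09, 0.08, 0.07, 0.06, 0.15, 0.08]


def compute_units_needed(current_platform, samples, percentile=0.95, headroom=1.25):
    """Translate observed utilization into the Compute Units the workload needs.

    A high percentile is used instead of the average so that sustained peaks
    are kept (a single outlier day is not), then a headroom factor is added
    for growth. Both factors are assumptions for this example.
    """
    ordered = sorted(samples)
    idx = int(round(percentile * (len(ordered) - 1)))
    return RATING[current_platform] * ordered[idx] * headroom


def rightsize(requested, current, samples, platforms=PLATFORMS):
    """Step a request down to the smallest platform whose rating covers the need.

    Returns (chosen platform, compute units needed, compute units avoided
    relative to the request). The walk starts at the small end, so a request
    for a 4 socket box is tested against a VM first, then a 2 socket box.
    """
    need = compute_units_needed(current, samples)
    for name, rating in platforms:
        if need <= rating <= RATING[requested]:
            return name, need, RATING[requested] - rating
    # Nothing smaller fits (or the need exceeds even the request): keep it.
    return requested, need, 0.0


def engagement_summary(requests):
    """Totals for business reporting: (compute units avoided, requests not stepped down).

    `requests` holds (requested, current, samples) tuples. A request that could
    not be stepped down counts as a missed opportunity in this example.
    """
    avoided, missed = 0.0, 0
    for requested, current, samples in requests:
        _chosen, _need, saved = rightsize(requested, current, samples)
        avoided += saved
        if saved == 0.0:
            missed += 1
    return avoided, missed
```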
MSIT Virtualisation - Present
• Began deploying Windows Server 2008 Hyper-V in late CY 2007
  • Cross-section of infrastructure and business unit applications deployed
  • RC confidence was high enough to offer Hyper-V VMs in the commodity VSU service
• 500 live Hyper-V VMs currently, with several hundred VMs waiting for capacity
• VMs are now the default platform
• Approaching 30% virtualized overall, with very aggressive targets for the future
MSIT Virtual Server Utility - 2008 Positioning
(Diagram: pre-Hyper-V platform selection)
MSIT Host and Cluster Designs
• Servers – Traditionally rack mounted systems, now shifting to blades
  • 4P single-core -> 2P dual-core -> 2P quad-core
  • Limited use of 4P quad-core systems in labs
• Storage – DAS for local host storage, SAN for VM storage
  • Dual-path FC SAN at RAID 0+1 for production
  • FC and some iSCSI SAN at RAID 5 for labs
• Networking – Single environment, moving to multi-network hosts
  • Limited use of physically multi-homed hosts in the past
  • Now using 802.1q support in current HW and with Hyper-V
• High-Availability – Host and guest clustering
  • 99.95% availability on VS 2005, with few apps requiring more
  • Guest NLB and Failover Clustering used, with caveats
  • Now offering Hyper-V HA VMs at a 25% premium for critical workloads
MSIT Infrastructure Virtualisation Plans
• Smaller physical form-factors, but with greater capability
  • Higher densities, with more instances per physical unit
  • Nearly all elements in the infrastructure design will be a FRU (Field Replaceable Unit)
  • Near-stateless hosts, with no local storage - SAN boot
• All virtualisation hosts will be clustered and all VMs HA
  • Operational efficiency gains with Live Migration for host maintenance and capacity management
  • Larger clusters, up to 16 nodes, require less sunk capacity to tolerate unplanned single-node failures
• Comprehensive server/storage/network design allows for dynamic host reconfiguration – MSIT “Scale Unit”
  • MAC address and N-Port ID virtualisation at the blade
  • Dynamic VLANs on the network and LUN masking on the storage
  • 33% of the space, 55% of the power/cooling, 90% fewer cables
“Dynamic Datacenter” Enablers
Applications / Services
• Modeling of dependencies/constraints/relationships to infrastructure and other apps/services
• Use of standardized descriptions and manifests to describe elements and relationships
• Lifecycle managed to anticipate and take advantage of new platform/infrastructure capabilities
Compute – Logical Environment
• Virtual Machines
• Blade Servers
• Boot from SAN, VHD, Network
• HA and Mobility Solutions
• Homogeneous Consolidation
• Multi-tenancy
Network
• VLAN tagging (802.1q) and QoS (802.1p)
• 10+ Gb Ethernet
• Aggregation and sub-segmentation
• Unified Fabric
Storage
• N-Port Virtualisation (NPIV)
• Thin Provisioning
• HA Solutions
• FCoE
Datacenter Services – Physical Environment
• Design for needs in 3+ years
• Plan for higher densities - More power, new cabling requirements, etc.
• Modular deployments - Compute, storage, and network bundles
• Field Replaceable Units (FRU) for most HW
Management
• Task-Oriented Toolsets
• Capacity Management
• Knowledge-Based Mgmt
• Self-Service
Security
• Encryption – In-flight and At-Rest
• Endpoint Security
• Hardware Security Modules (HSM)
• Trusted Platform Modules (TPM)
MSIT Virtualisation - Summary
• Virtualisation is “cool”, but used properly it allows a large enterprise environment like Microsoft to address real business needs
• Even though Microsoft virtualisation and management technology is very capable, business and operational process changes were necessary
  • Utility Services, “RightSizing”, and centralized procurement/capacity mgmt
• In the past three years, MSIT has been able to virtualize 25% of their corporate server infrastructure on Virtual Server 2005!
• Current MSIT targets are to virtualize 50% of our environment on Hyper-V and upwards of 80% on Hyper-V v2 (in Windows Server 2008 R2) over the next 2-3 calendar years
• MSIT is working on a next-generation infrastructure architecture to more fully take advantage of machine virtualisation benefits
• Machine virtualisation is a piece of a bigger strategy for MSIT, which we map to very promising Microsoft and industry efforts
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.