1 / 24

VMware Security Architecture and Best Practices

VMware Security Architecture and Best Practices. Rob Randell, CISSP Senior Security Specialist SE. Agenda. Virtualization Specific Security Issues Security Concepts in Virtualization Architecture Operational Security Issues with Virtualization VMware Security Architecture

Download Presentation

VMware Security Architecture and Best Practices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. VMware Security Architecture and Best Practices Rob Randell, CISSP Senior Security Specialist SE

  2. Agenda • Virtualization Specific Security Issues • Security Concepts in Virtualization Architecture • Operational Security Issues with Virtualization • VMware Security Architecture • Isolation and Containment • Secure Management • Security Best Practices • Primary Issues that Affect Virtualization Security • Secure Design • Secure Deployment • Secure Operations

  3. Security Concepts in Architecture • Extended computing stack • New privileged layers (Hypervisor) exist underneath the operating system • Guest isolation • One guest VM cannot access or even address the “hardware resources” of another guest VM or the host/hypervisor • Host visibility • Difficult to see from the guest whether someone is monitoring from host or host even exists • Virtualized interfaces • Physical connectivity between guests is recreated, e.g. IP network, file shares, may be more or less like true physical counterparts • Management interfaces • The protection of mgmt interfaces (Console OS, VirtualCenter, etc…) very important • Greater co-location of data and assets on one box • Potential single point of failure for not just availability, but also integrity/confidentiality • Host access gives you “keys to the kingdom”

  4. Operational Security Issues • Most security issues arise not from the virtualization infrastructure itself but from operational issues • Adapting existing security processes and solutions to work in the virtualized environment • Most security solutions don’t care whether a machine is physical or virtual • The datacenter and its workloads just became a much more dynamic and flexible place • The risk of misconfiguration requires use of best practices specific to virtualization

  5. VMware Security Architecture

  6. VMkernel designed for Hypervisor-based virtualization VMkernel dedicated to run VMs only No public interface to VMkernel Device drivers qualified in-house as an integral part of the system VM VM VM VM VMware ESX Server Architecture Third- Party Agents SDK / VirtualCenter Agent VMX VMX VMX VMX I/O Stack VMM VMM VMM VMM Service Console Device Drivers DistributedVirtual Machine File System Virtual NIC andSwitch ResourceManagement CPU Scheduling Memory Scheduling Storage Bandwidth Network Bandwidth Storage Stack Network Stack Device Drivers ESX Server VMkernel Hardware Interface Hardware

  7. VMM VMM VM Isolation • Design • Privileged instructions within a VM are “de-privileged” and run within an isolated virtual memory space • VMs have no direct access to hardware, only have visibility to virtual devices • VMs can only communicate with each other through Virtual Switches • Resource reservations and limits guarantees performance isolation • OS and applications within a VM run as is with no modification (hence no recertification required) • Production Use Proof Points • Passed security audit and put into production by the largest Financial Institutions • Passed Defense and Security Agencies scrutiny and audit (NetTop and HAP) • Large number of customers run mission critical and transaction processing applications • CC EAL 2 certification (for ESX 2.5) • CC EAL 4+ certification (for VI 3.0) expected in Q1 2008

  8. Memory Management • Memory Partitioning for VMs • Each VM sees its own zero-based physical address space. • ESX abstracts physical memory by adding a layer of memory address translation. • Memory isolation is imposed by segmentation and paging in x86 (hardware enforced). • Physical memory is zeroed out when allocated to a VM. • No inter-VM memory leaks • Transparent Page sharing – Copy on Write

  9. Virtual Network Design Principles • Virtual Switch Isolation • vSwitches do not learn from the network. • Independent forwarding tables for each vSwitch • vSwitches makes private copy frame data used to make forwarding or filtering decisions • No trust in user-accessible data • No Spanning Tree support • Port Groups • Port groups are user named objects which contain configuration information to provide consistent network access for virtual NICs: • vSwich Name • VLAN ID(s) and tagging/filtering policy • Layer 2 Security Options • NOT VLAN Groups • Virtual ports ignore any requests from the virtual NIC which would violate the L2 security policy • Virtualization protects against specific types of network attacks • Double-Encapsulation Attacks • Spanning Tree Attacks • Random Frame Attacks • MAC Flooding Attacks • 802.1g and ISL Tagging Attacks • Multicast Brute-Force Attacks

  10. Storage A.vmdk Virtual Storage Isolation • VMs have no knowledge or understanding of SANs • Each VM is able to see only the virtual disks that are presented to it on its virtual SCSI adapters. • The VMware VMFS file system coordinates hosts in the cluster • File Locks are stored on the disk as part of the volume metadata

  11. Secure Management • VirtualCenter: primary management tool • Encrypted communication • Integration with global security framework, e.g. • Authentication via Active Directory • Detailed auditing • Extensive roles system for fine-grained separation-of-duties • Operational Best Practices for maximum security, e.g. • Dedicated management network • Lock-down of Administrator access

  12. ESX Server 3i: The next step in Virtualization Security • Unmatched security and reliability: • Compact 32MB footprint • OS independence means minimal interfaces and a small attack profile • Embedded in hardware --- reduces risk of tampering • Unstructured Service Console management replaced by controlled API-based management

  13. Security Best Practices

  14. Primary issues that affect Virtualization Security • Control of administrative access • Risk of improper configuration • Lack of Virtual Network Visibility • Management of ever-growing environment

  15. Primary issues that affect Virtualization Security • Control of administrative access • Issue: Administrative interfaces become avenues of attack • Mitigation: Follow Best Practices for • Secure Design • Secure Deployment • Secure Operations • Issue: Great amount of power in single administration console • Mitigation • Follow Best Practices for Secure Operations

  16. Primary issues that affect Virtualization Security • Risk of improper configuration • Issue: VMs placed on incorrect virtual network can break security • Mitigation: Follow Best Practices for • Secure Design • Secure Deployment • Secure Operations

  17. Primary issues that affect Virtualization Security • Lack of Virtual Network Visibility • Issue: Inter-VM traffic within one host not visible to Network-based IDS/IPS • Mitigation: • Forward all traffic to outside system for inspection using a special Promiscuous-mode forwarding VM • Utilize 3rd party NIPS/NIDS tools which run in VMs and sit directly on Virtual Switch

  18. Primary issues that affect Virtualization Security • Management of ever-growing environment • Issue: Security of offline VMs can go out of date • Mitigation: • Follow Best Practices for Secure Deployment • Utilize 3rd party tools for network-based IDS/IPS • (Future) utilize tools for patching of offline VMs • Issue: Difficult to keep track of virtual machine provenance and configuration • Mitigation: • Follow Best Practices for Secure Deployment • Utilize 3rd party tools for VM lifecycle management

  19. Best Practices: Secure Design • Separate and Isolate Management Networks • Service Console • Vmkernel: Vmotion and NFS & iSCSI datastores • Plan for VM mobility: 3 options • Partition trust zones • Combine trust zones using virtual network segmentation and virtual network management best practices • Combine trust zones using portable VM protection with 3rd-party tools (Blue Lane, etc)

  20. Best Practices: Secure Deployment • Harden VMware Infrastructure 3 according to guidelines • VMware-provided • 3rd-party: STIG (draft), CIS (draft), Xtravirt Security Risk Assessment template, etc. • Always secure virtual machines like you would physical servers • Anti-virus • Patching • Host-based intrusion detection/prevention • Use Templates and Cloning to enforce conformity of virtual machines

  21. Best Practices: Secure Operations • Strictly control administrative access • Favor controlled management interfaces (VI Client, Web Access) over unstructured interfaces (Service Console) • Avoid VI Console access except when absolutely necessary; favor OS-based access to VM (RDP, ssh, etc). • Use roles-based access control to limit administrative capabilities and enforce separation of duties, and never use anonymous accounts (e.g. “Administrator”) • Allow powerful access only to small, privileged group; implement break-glass policy for top level administrative account

  22. Best Practices: Secure Networking • Restrict access to privileged networks • Closely restrict administrative access on any host with privileged network • For less privileged users, only allow template-based provisioning on those hosts • Guard against misconfiguration • Clearly label sensitive virtual networks • Generate audit reports that flag suspicious configurations • Routinely inspect event and task logs

  23. Best Practices References • Detailed Prescriptive Guidance • Security Design of the VMware Infrastructure 3 Architecture(http://www.vmware.com/resources/techresources/727) • VMware Infrastructure 3 Security Hardening(http://www.vmware.com/vmtn/resources/726) • Managing VMware VirtualCenter Roles and Permissions(http://www.vmware.com/resources/techresources/826) • STIG (Secure Technology Implementation Guide) draft(http://iase.disa.mil/stigs/draft-stigs/index.html) • CIS (Center for Internet Security) Benchmark(http://www.cisecurity.org/bench_vm.html) • Xtravirt Virtualization Security Risk Assessment (http://www.xtravirt.com/index.php?option=com_remository&Itemid=75&func=fileinfo&id=15)

  24. Questions? Rob Randell, CISSP Senior Systems Engineer - Security Specialist

More Related