Virtualization and Security: Complexity is a Virtual Certainty
Virtualization can help organizations progress to flexible and lower-cost enterprise computing. But with these benefits come some serious complications for enterprise systems management, security and compliance efforts. Learn about the security issues introduced by virtualization deployment and the technical approaches to securing these environments.
Transcript
1
C4: Virtualization and Security
Complexity is a Virtual Certainty
Dennis Moreau
Virtualization and Security
Executive Summary
[Figure: a non-VM stack (Hardware / Operating System / App, App, App) beside a server virtualization stack (Hardware / Virtual Machine Monitor / Emulated Hardware, Emulated Hardware / Operating System / App, App, App), annotated with the configuration management effort each stack implies]
2
Virtualisation Can Improve Aspects of Security Management
• Reduces Diversity
• Some Degree of Guest Sandboxing
• Rapid Deployment of Next Desired State … Once It Is Determined
• Re-Imaging … When That is Appropriate
• Increased Control Over Network Activity
• Insulation from Specific Vulnerability Types
• …
I. Description
VMware virtualization software provides Network Address Translation (NAT) for guest systems to access networks. The VMware NAT Service ( ) does not adequately validate parameters to the PORT and EPRT commands. …
To exploit this vulnerability, an attacker would need to convince a user to run code provided by the attacker on a VMware guest/virtual system. The attacker could then cross the boundary of the guest system and run arbitrary code within the context of the NAT process on the VMware host system. …
CVE-2005-4459
3
5
Virtualization Specific Vulnerabilities
• Empirical Exploitation of Live Virtual Machine Migration: http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf
• Demonstration of changing VM code in flight.
• Resulting Guidance:
– Encrypt VMotion channels
– Restrict access
– Tightly control vNIC configuration
– Isolate LANs (management, transactional, VMotion)
Security Guidance: VMware
… for VMotion and iSCSI *
Do Not Use Promiscuous Mode on Net Interfaces
Protect Against MAC Spoofing
Secure ESX Server Console
Mask and Zone SAN Resources *
Limit Administrative Access
Limit Network Connectivity to VC *
Ensure VC Database is Secured
Enable Full and Secure Use of Certificate-based Encryption
Use VC Custom Roles
Protect Against Root File System Exhaustion *
Document and Monitor Changes to Configuration *
9
Guidance: Gartner
Lock down and configure each VM as appropriate to the organization's standard guidelines for the OS being hosted… *
Baseline the correct virtual server configuration. Internal virtual network configuration likely will not be visible … *
All partitions must be patched. Keep the host OS and all guest OS partitions patched. … *
Patch offline images. … *
Require virtualization vendors to document their vulnerability response process…. Regularly scan all partitions for vulnerabilities. *
Vendors such as Configuresoft are looking at extending their configuration management capabilities to the host OS in 2007. Regularly scan for correct VMM and VM configuration: network bindings, internal virtual network connections and other configurations. *
Don't overlook VM and application appliances. Deactivate hyper-threading for guest OSs. *
The security issues related to vulnerability and configuration management get worse, not better, when virtualized … 17 pages – 6483 words
Guidance: DISA Virtual Computing
http://iase.disa.mil/stigs/draft-stigs/index.html
(VCESX0570: CAT II) The IAO/SA will ensure public virtual switches only allow virtual machines that require access to the physical network adapters. *
(VCESX0572: CAT II) The IAO/SA will ensure the permissions on the /usr/sbin/esxcfg-* utilities are 500, except for esxcfg-auth which should be 544.
(VCESX0574: CAT II) The IAO/SA will ensure all private and public virtual switches not in use are disabled. *
(VCESX0576: CAT II) The IAO/SA will ensure all virtual switches are labeled within the ESX Server environment.
(VCESX0578: CAT II) The IAO/SA will ensure all virtual switch labels do not begin with a number.
(VCESX0580: CAT II) The IAO/SA will ensure VMotion virtual switches contain at least one physical network adapter and are configured to use a dedicated VLAN. *
Excerpt from 82 pages - 117+ Controls - 27,000 words…
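Three of the controls quoted above (VCESX0572 on the esxcfg-* utility modes, VCESX0576 on labeled switches, VCESX0578 on labels not starting with a digit) are concrete enough to evaluate mechanically. The script below is an added example, not from this deck or from DISA, that checks them over collected evidence rather than by calling any ESX tooling. The input formats are assumptions: a `path mode` listing such as `stat -c '%n %a' /usr/sbin/esxcfg-*` would produce, and one virtual switch label per line (an empty line standing for an unlabeled switch); the sample evidence embedded in it is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the deck or the DISA STIG): evaluates VCESX0572,
# VCESX0576 and VCESX0578 offline against collected evidence.

# VCESX0572: every /usr/sbin/esxcfg-* utility must be mode 500, except
# esxcfg-auth, which must be 544. Reads "path mode" lines on stdin, prints
# one FAIL line per deviation and returns 1 if any deviation was found.
check_esxcfg_perms() {
    rc=0
    while read -r path mode; do
        [ -n "$path" ] || continue
        case "$path" in
            *esxcfg-auth) want=544 ;;
            *esxcfg-*)    want=500 ;;
            *)            continue ;;   # not an esxcfg utility: ignore
        esac
        if [ "$mode" != "$want" ]; then
            echo "FAIL VCESX0572 $path mode $mode expected $want"
            rc=1
        fi
    done
    return $rc
}

# VCESX0576 / VCESX0578: every virtual switch must carry a label, and no
# label may begin with a digit. Reads one label per line on stdin (an empty
# line stands for an unlabeled switch) and returns 1 if any check fails.
check_vswitch_labels() {
    rc=0
    n=0
    while IFS= read -r label; do
        n=$((n + 1))
        if [ -z "$label" ]; then
            echo "FAIL VCESX0576 switch #$n has no label"
            rc=1
            continue
        fi
        case "$label" in
            [0-9]*) echo "FAIL VCESX0578 label '$label' begins with a number"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample evidence (not taken from any real host): one utility
# with the wrong mode, one unlabeled switch and one label starting with a digit.
sample_perms() {
    printf '%s\n' \
        '/usr/sbin/esxcfg-auth 544' \
        '/usr/sbin/esxcfg-vswitch 500' \
        '/usr/sbin/esxcfg-firewall 555'
}
sample_labels() {
    printf '%s\n' 'vSwitch-Mgmt' '' '3rdParty-Net' 'vSwitch-VMotion'
}

# Run both checks over the sample and finish with a single PASS/FAIL line.
audit_sample() {
    status=0
    sample_perms  | check_esxcfg_perms   || status=1
    sample_labels | check_vswitch_labels || status=1
    if [ "$status" -eq 0 ]; then echo "PASS"; else echo "FAIL"; fi
    return $status
}

audit_sample || :
```

Gathering the evidence on a host is left to the operator; consuming listings instead of invoking ESX commands keeps the expected modes in one place and lets the same script be run against archived snapshots when reviewing configuration drift.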
10
Guidance: Center For Internet Security
www.cisecurity.org
Backup Configuration Files
Administering ESX Server *
Keep system patched *
Firewall
Passwords
Maintain Proper Logging
Review Logs
Establish/Maint. File Sys Integrity
SNMP
Protect against MAC Spoofing
Password Aging
Password complexity
setuid
setgid
SSH
Disabling Copy and Paste
Remove Unnecessary HW
Set GRUB Password
Limiting Access to su
Use "sudo"
VLANs
Separate Management VLAN *
Don't Create Default Port Group
iSCSI *
Use CHAP for iSCSI dev *
iSCSI Naming Requirements *
Guest Flooding *
Logs
CIS ESX Server Benchmark - 70 pages - 199+ Compound Controls - 13,713 words
CIS General VM Benchmark - 30 pages - 62+ Compound Controls - 9,261 words
Guidance: EMA
Secure virtual images just as well as you secure physical systems, and then some * (malware protection, intrusion detection, firewalls, configuration management, etc.)
Visibility is key: security professionals must be able to map and locate similar security environments together *
VM relocation will require transportable security policies and procedures (authentication, authorization, access, administration, penetration detection, configuration control, malware protection, enforcement, encryption, signatures and keys, etc.)
Technology and disciplines for discovery, configuration, change management, and more become critical to detecting virtual malware *
Andi Mann, EMA 2007
11
Guidance: DISA Storage Virtualization
SAN03.001.00 CAT I Zoning is not used to protect the SAN.
SAN03.002.00 CAT II Hard zoning is not used to protect the SAN.
SAN04.005.00 CAT II Servers and hosts OS STIG Requirements
SAN04.010.00 CAT III Sensitive Data in Transit Encryption
SAN04.014.00 CAT III Management Console to SAN Fabric DOD PKI protected
SAN04.019.00 CAT I SAN Fabric Zoning List Deny-By-Default
SAN04.023.00 CAT II Only Internal Network SNMP Access to SAN
SAN05.001.00 CAT II Backup of critical SAN Software and Configurations
Virtual Security Guidance: Compared
[Table: the rows are the controls common to the sources above (Secure Guests as Usual, Patch VM Hosts, Isolate T/M/S nets, Control VM Resource Use, Control SAN Configuration, Monitor Configuration Drift, Monitor Configuration Dep., Co-Host Similar SP); the per-source page counts in the header row read 19, 17, 82, -, 30, 70, 19]
12
Enterprise Compliance Complexity
[Figure: configuration tiers laid out from Non-Virtualized to Highly Virtualized (Application Configuration, Application Virtualization, SO Application Policy, SO Application Configuration, Operating Configuration, Guest OS Configuration, VMM Configuration, Virtual HW Configuration, Virtual Storage Configuration) against axes for Coupling, Control and Mapping. Example issues marked on the tiers: WS-*, REG, File, Client, Str, WCF, …; Blue Pill, Vitriol, SubVirt; VMM Patching; Mitigation, Patching…; WWN Spoofing; Guidance, Best Practices]
Additional technology tiers => more controls & more coupling
Need for "situation awareness" across the technology stack
The same complexity affects mitigation and remediation planning
Equivalence Classes: Common Trust Levels, Security Postures
Resource Coupling Examples
• SAN – Configure
• Protocol Visibility – Side Channel Attacks…
Challenge: Visibility is Risk … Invisibility is More Risk
VMsafe: Virtual Security Appliance Framework
[Figure: Guest 1, Guest 2, Guest 3 … Guest N and a Security App. running above the Hypervisor, each attached to it through the VMsafe API]
Single point of instrumentation for each ESX server
Greatly improved visibility into HV and Guests
Standardized integration for security appliance vendors
14
The Risks of Risk-Driven Compliance
[Figure: a stack of Services, Applications, Virtualized Guests, Virtualization Hosts, Network Virtualization, SAN / Storage Virtualization and Storage Network, graded between "Low Risk: Less Controlled" and "High Risk: Tightly Controlled"]
Will shift as virtual I/O facilities mature.
Risk Modeling: Virtualized
[Figure: Business Objectives, Operational Tasks, Information Assets and Network Nodes linked by RISK, asking "How do risks here . . . translate into risks here?"]
15
Compliance in Virtualized Environments
[Figure: Hosts and Guests with their V-Relationships: Hosts, Guests, Net, Storage]
16
Guest Security Posture… in Context
Security Process Optimization
17
Adaptive Optimization facilitates Agility
Observations
• Guests must still be secured
• + New vulnerabilities must be addressed
• Visibility of vulnerability and exploit footprint is affected
– Harder to ask and answer:
• Where am I vulnerable?
• Where have I already been compromised?
• What relationships constrain my response?
• More controls to map at each virtualization layer
• More opportunities for interference across virtualization layers
• Mitigation and remediation more intertwined with operational plausibility due to resource coupling
18
• Virtualization guidance is emerging at each layer for all products: leverage it
• Vulnerabilities and technical responses are emerging: maintain a flexible controls framework across virtualization layers
• Visibility across the technology stack is essential: cultivate discovery and decision support
to capitalize on its economic, operational and agility benefits
Guidance and Research
CIS Virtual Machine Security Benchmark - The Center for Internet Security, ESX Server Benchmark. http://www.cisecurity.org/
CIS Virtual Machine Security Benchmark - The Center for Internet Security, General Virtualization Benchmark. http://www.cisecurity.org/
DISA STIG Virtual Computing V1, http://iase.disa.mil/stigs/draft-stigs/index.html (DRAFT available now).
DISA STIG, Storage Area Network (SAN) Checklist For Sharing Peripherals Across the Network, Security Technical Implementation Guide, Version 1 Release 1.3.
Security Design of the VMware Infrastructure 3 Architecture, VMware White Paper, www.vmware.com
VMware Infrastructure 3, Security Hardening, VMware Best Practices, www.vmware.com
Virtualization – The State of the Intangible Enterprise, Andi Mann, Enterprise Management Associates.
Security Considerations and Best Practices for Securing Virtual Machines, Neil MacDonald, Gartner, 2007.
Overview: Information Security, January 2007 ("Virtual Threats").
Best Practices: Advanced Server Virtualization, Auerbach, 2006, pgs. 97-99, 144-145, 444-451.
Security Benefits: "Virtualization - the next step in enterprise security" (Symantec and Intel Corp.), http://scmagazine.com/us/news/article/624062/virtualization-next-step-enterprise-security/
Storage Virtualization Security: Securing Storage: A Practical Guide to SAN and NAS Security, 11/2005 (Dwivedi,