www.isaca.org Slide 1 of 41
Server Virtualization Assessment – Tools and Techniques
Chicago ISACA Chapter 8/11/2011
Michael Hoesing CISA, CISSP, CCP, ACDA, CIA, CFSA, CMA, CPA
[email protected]
Anything discussed herein should be tested thoroughly in a lab environment before use in production. Opinions are those of the author and not conference sponsors, employers, clients, past, present or future. Don’t sue me; I have no money.
Slide 2 of 41
Server Virtualization Assessment - Objectives
• Virtualization Definitions, Background, Scope
• Risks and Controls
• Assessment Approaches and Tools:
• Assessment Examples
– VM (Guest) Sprawl
– ESX Console Operating System
• ISACA – Whitepaper – issued Oct 2010, risks, audit approaches: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Virtualization-Benefits-and-Challenges.aspx
  Audit program issued Jan 2011, GRC level: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/VMware-Server-Virtualization-Audit-Assurance-Program.aspx
• SANS talk through http://www.sans.org/reading_room/analysts_program/VMware_ITAudit_Sep09.pdf
• Mine (come to the hands-on class), mix of process/procedure and detailed metrics
Slide 13 of 41
GATHERING METRICS – SOME THOUGHTS
• In 50 mins all I can do is name-drop, you do the research in your environment/strategy/risk appetite
• Not a Bake-off, not a Best-of; I can only relate what worked in my lab (see bullet one above), and any product not mentioned just means I have not installed it yet
• Good News: lots of products to choose from, and the list grows almost daily (bad news: that expands due diligence time)
• Some tools Work in a Virtual Appliance, some tools have both a physical and virtual appliance
• Key – does ingress and egress to/from the Guest allow the product to do its Job (patching, AV, config assessment)
Slide 14 of 41
GATHERING METRICS – SOME THOUGHTS (cont)
• Free Tools – great price, don’t scale well
• Some tools inventory the Virtual Center database, some tools enumerate raw data
• No one tool does everything, run multiple tools for corroboration and completeness
• Tools that use a RHEL baseline, take care in reviewing, but maybe 80-90% correct
• In a lab, build an ESX server (and vCenter) with the vendor defaults, and build a second ESX server with your organization’s standard build, for education purposes and to calibrate tools
Slide 15 of 41
METRIC GATHERING TOOLS
• Interviewing and Document Review for policies, standards, procedures, training
• From VMware - VI API, VIX API (allows file transfer from the guest), Perl API, CIM API (risks of rolling your own = script storage security, stored passwords, change management, version management)
• More Free Tools:
• Bastille – remember to run in the --assess mode, not the harden mode (3.0.9-1.0)
• DISA – SRR (security readiness review evaluation script): watch these, they may harden if not run correctly
• LSAT – works on 3.5 and before, but the MD5 process will try to analyze the very large vmdk disk files; this is time consuming and could crash running guests (note: does not work in vSphere, C compiler is removed)
• Free Tools: CIS-CAT (if a member) will list VM’s with non-compliant vmx config files (not a complete inventory but a good start on what needs correction)
Slide 22 of 41
SPRAWL – PowerCLI 4.0
VI Tools for Windows & PowerShell, now named vSphere PowerCLI 4.1 (partial script)
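The deck's own script is not reproduced here; the following is an added PowerCLI example (not the author's) that gathers the guest-sprawl metrics an assessor would reconcile against the owner list: powered-off guests, guests with no owner recorded in Notes, and guests carrying stale snapshots. It assumes vSphere PowerCLI 4.1 or later on PowerShell 3.0 or later, and the placeholder host name `vcenter.example.test`.

```powershell
# Added example, not the deck's partial script: PowerCLI inventory of VM-sprawl indicators.
# Assumes PowerCLI 4.1+ on PowerShell 3.0+ and a reachable vCenter or ESX(i) host.
Add-PSSnapin VMware.VimAutomation.Core -ErrorAction SilentlyContinue
$Server    = "vcenter.example.test"   # placeholder: your vCenter or ESX(i) host
$StaleDays = 30                       # snapshot age (days) beyond which the guest is flagged

Connect-VIServer -Server $Server | Out-Null   # prompts for credentials; keep them out of the script

function Get-VmSprawlReport {
    foreach ($vm in Get-VM) {
        $snaps      = @(Get-Snapshot -VM $vm)
        $oldest     = $snaps | Sort-Object Created | Select-Object -First 1
        $oldestDate = $null
        if ($oldest) { $oldestDate = $oldest.Created }
        $stale = ($oldestDate -ne $null) -and ($oldestDate -lt (Get-Date).AddDays(-$StaleDays))
        [pscustomobject]@{
            Name           = $vm.Name
            Host           = $vm.VMHost.Name
            PowerState     = $vm.PowerState
            ToolsStatus    = $vm.ExtensionData.Guest.ToolsStatus
            GuestOS        = $vm.Guest.OSFullName
            SnapshotCount  = $snaps.Count
            SnapshotSizeMB = ($snaps | Measure-Object -Property SizeMB -Sum).Sum
            OldestSnapshot = $oldestDate
            Notes          = $vm.Notes
            # Sprawl indicators to reconcile against the CMDB / owner list
            PoweredOff     = ($vm.PowerState -eq "PoweredOff")
            NoOwnerNote    = [string]::IsNullOrEmpty($vm.Notes)
            StaleSnapshot  = $stale
        }
    }
}

$report = Get-VmSprawlReport
$report | Export-Csv -Path "vm-sprawl-inventory.csv" -NoTypeInformation   # full inventory for the workpapers
$report | Where-Object { $_.PoweredOff -or $_.NoOwnerNote -or $_.StaleSnapshot } |
    Format-Table Name, Host, PowerState, SnapshotCount, OldestSnapshot -AutoSize
Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it against the vendor-default lab host and your standard-build host first, as the deck suggests, so you know what the baseline report looks like before pointing it at production.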
• Released July 2011
• Memory based pricing is new, and not popular
• ESX COS is gone, ESXi the only choice
• ESXi has hypervisor and console all on the same partition, faster (vendor says)
• ESXi 5 has a firewall (iptables), ESXi 1-4 did not
• No (if configured as suggested) console access, all access is remote
• Use vMA, remote CLI, and PowerCLI for audit metric gathering, or vCenter
Slide 38 of 41
vSphere 5 (cont)
• TPM (Trusted Processing Module) recognition available (Intel’s TXT or AMD’s SEM, soon)
• Hope they Fixed These in 5 (ESXi 4.1 issues):
– Logs removed upon reboot
– root password not set during installation
– Tech Support Mode (from console) and Remote Tech Support Mode (SSH) access Single User Mode (root without any password if not set at default; even with a password, root SSH is enabled)
– Reset System Configuration – resets the root password to empty (watch iLO and iDRAC)
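As an added example (not from the deck), the PowerCLI check below reports on two of the ESXi 4.1 issues listed above for every connected host: whether local Tech Support Mode and Remote Tech Support Mode (SSH) are running or set to start at boot, and whether a remote syslog target is configured so logs survive a reboot. It assumes PowerCLI is loaded and `Connect-VIServer` has already been run; the service keys `TSM` and `TSM-SSH` are those used by ESXi 4.1/5.

```powershell
# Added example, not from the deck: PowerCLI check of the ESXi 4.1 issues listed above
# (Tech Support Mode / SSH left running, logs lost on reboot because no remote syslog target).
# Assumes PowerCLI is loaded and you are already connected with Connect-VIServer.
# An empty root password cannot be read through the API; verify that at the console in your lab.
function Test-EsxiHostHardening {
    param([string]$HostName)          # empty = every host in the connected inventory
    $hosts = if ($HostName) { Get-VMHost -Name $HostName } else { Get-VMHost }
    foreach ($h in $hosts) {
        $services = Get-VMHostService -VMHost $h
        # Service keys on ESXi 4.1/5: "TSM" = local Tech Support Mode, "TSM-SSH" = remote (SSH)
        $tsm    = $services | Where-Object { $_.Key -eq "TSM" }
        $ssh    = $services | Where-Object { $_.Key -eq "TSM-SSH" }
        $syslog = @(Get-VMHostSysLogServer -VMHost $h)   # remote log targets; empty = logs stay on the host
        [pscustomobject]@{
            Host         = $h.Name
            Version      = $h.Version
            TSMRunning   = [bool]$tsm.Running
            TSMPolicy    = $tsm.Policy            # expect "off": not started at boot
            SSHRunning   = [bool]$ssh.Running
            SSHPolicy    = $ssh.Policy
            RemoteSyslog = ($syslog | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ","
            # Findings an assessor would cite against the organization's standard
            Finding      = @(
                if ($tsm.Running -or $tsm.Policy -ne "off") { "TechSupportMode" }
                if ($ssh.Running -or $ssh.Policy -ne "off") { "RemoteSSH" }
                if ($syslog.Count -eq 0)                    { "NoRemoteSyslog" }
            ) -join ";"
        }
    }
}

Test-EsxiHostHardening | Format-Table -AutoSize
```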
Slide 39 of 41
Conclusion
Slide 40 of 41
SUMMARY
• Virtualized Infrastructure is Important to the Organization and worthy of secure configuration and periodic assessment of that state
• Standards are available for a starting point to create/edit your organization's policy
• Tools are available, in all price ranges, to gather metrics from an ESX environment
• Get the tools, gather the metrics, compare to the policy/standard, cite the differences, improve your security posture