© 2007 McAfee, Inc.
Secure Virtualization: Virtualization Converges with Security for a Bright New Future
George L. Heron, VP, Chief Scientist
CERIAS Security Seminar, Purdue University, October 24, 2007
Evolutionary Convergence in the Enterprise

[Figure: two parallel timelines, 2000 through 2006, one tracking virtualized systems (Path 1 and Path 2) and one tracking corporate security challenges and the solutions that answered them]

Virtualized Systems: OS/360, Bochs, Chorus, chroot(), Denali, Disco, Ensim, FreeBSD, MOL, …; VMware Workstation; ESX; vPro; GreenBorder; Softricity; VMware (new); Veridian; ESX Server; Virtual Server

Corporate Security Challenges: polymorphic viruses; zombies; mass mailer viruses; denial of service; blended threats; spam, phishing, spyware; corporate data theft

… and solutions: anti-virus; multiple point products; comprehensive layers; proactive and automated; integration; risk management
Two Models for Virtualizing Hardware

Host OS-Based: Hardware and BIOS at the bottom, the Host Operating System above it, and the Virtual Machine Monitor running on the host OS alongside native applications. Virtual Machine 1 and Virtual Machine 2 sit on the VMM, each containing a Guest OS, Applications and Virtual Drivers.

Hypervisor-Based (Layered Model):
Layer 1: Hypervisor and Platform Resources
Layer 2: Specific Hardware Enhancements
Layer 3: Horizontal Functions: Management
Layer 4: Vertical Functions: Security and Networking
Layer 5: Virtual Machine Monitor
Why Virtualization?
• Targeted and financially motivated attacks
• Virtualization hardware and software are free
• Virtual servers (and clients) need embedded protection
• Malware, and users, that disable security software
• Cloaked rootkits
• Faster provisioning of security functionality
• Policy compliance
• Moore's Law
• User activity monitoring
McAfee Secure Virtualization

The five pillars of the architecture:
• Scalable Security Management
• NAC for VM
• Virtualized Risk Management
• Offline VM Scanning
• Unfettered Monitoring

The Convergence … “Secure Virtualization”: an architecture to deliver comprehensive security and compliance for virtual environments.

Details in the white paper “Uncompromising Security in Virtual Machines”, available at www.mcafee.com/virtualization
NAC for VM

Virtualization assists here: a VM can host the NAC Agent and sit in-line, acting as an IPS, between the host and the security management server.

[Figure: NAC components and protocols: NAC Agent on the host, Network Access Device (NAD), ACS Server, Mgt Server, NAC Scanner and Remediation Portal, several of these roles running in VMs; RADIUS, PEAP, EAPoUDP and HCAP between them; a Quarantine Network for non-compliant hosts and the Corporate Network for compliant ones]

1) Define: define system compliance policies.
2) Detect: a host attempts to connect. The NAD blocks it and establishes a connection between the ACS and the NAC Scanner.
3) Assess: the ACS queries the host. The NAC Scanner scans the device and provides its posture to the NAC Server, which evaluates the posture and returns a token.
4) Enforce: the ACS determines the access policy from the posture token, and the NAD applies it: compliant hosts reach the Corporate Network, non-compliant hosts are held on the Quarantine Network.
5) Remediate: non-compliant systems are redirected to the Remediation Portal. Auto-remediation is provided by the NAC Scanner and the Mgt Agent.
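The five-step flow above, as an added worked example (not McAfee code and not tied to any McAfee product API). It simulates one host going through define, detect, assess, enforce and remediate; the policy fields, posture attributes, token names and the sample host data are all assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Token(Enum):
    """Posture token returned by the assessment step."""
    HEALTHY = "healthy"
    QUARANTINE = "quarantine"


class Segment(Enum):
    """Network segment the access device places the host on."""
    CORPORATE = "corporate-network"
    QUARANTINE = "quarantine-network"


@dataclass(frozen=True)
class Policy:
    """1) Define: the compliance policy pushed from the management server."""
    min_av_dat: int               # minimum anti-virus signature (DAT) version
    required_patches: frozenset   # patch IDs that must be installed
    firewall_required: bool = True


@dataclass(frozen=True)
class Posture:
    """What the scanner reports for one host (physical or VM)."""
    host: str
    av_dat: int
    patches: frozenset
    firewall_on: bool


def assess(policy: Policy, posture: Posture) -> tuple[Token, list[str]]:
    """3) Assess: compare the reported posture with policy, return a token
    plus the list of findings that drove it (empty when healthy)."""
    findings = []
    if posture.av_dat < policy.min_av_dat:
        findings.append(f"av_dat {posture.av_dat} < {policy.min_av_dat}")
    missing = sorted(policy.required_patches - posture.patches)
    if missing:
        findings.append("missing patches: " + ", ".join(missing))
    if policy.firewall_required and not posture.firewall_on:
        findings.append("host firewall disabled")
    token = Token.HEALTHY if not findings else Token.QUARANTINE
    return token, findings


def enforce(token: Token) -> Segment:
    """4) Enforce: the access device maps the token to a segment.
    Anything other than a healthy token lands in quarantine."""
    return Segment.CORPORATE if token is Token.HEALTHY else Segment.QUARANTINE


def remediate(policy: Policy, posture: Posture) -> Posture:
    """5) Remediate: bring the host up to policy (simulated: update DAT,
    install missing patches, turn the firewall on)."""
    return Posture(
        host=posture.host,
        av_dat=max(posture.av_dat, policy.min_av_dat),
        patches=posture.patches | policy.required_patches,
        firewall_on=posture.firewall_on or policy.firewall_required,
    )


def admit(policy: Policy, posture: Posture,
          max_rounds: int = 3) -> list[tuple[Segment, list[str]]]:
    """2) Detect: a host appears on the wire. It is assessed, placed, and
    remediated repeatedly until it assesses clean or max_rounds is spent.
    Returns one (segment, findings) entry per round."""
    history = []
    for _ in range(max_rounds):
        token, findings = assess(policy, posture)
        segment = enforce(token)
        history.append((segment, findings))
        if segment is Segment.CORPORATE:
            break
        posture = remediate(policy, posture)
    return history


# Constructed sample data, not from the presentation.
POLICY = Policy(min_av_dat=5100, required_patches=frozenset({"KB1", "KB2"}))
STALE_VM = Posture("vm-web-03", av_dat=5080,
                   patches=frozenset({"KB1"}), firewall_on=True)

if __name__ == "__main__":
    for round_no, (segment, findings) in enumerate(admit(POLICY, STALE_VM), 1):
        print(round_no, segment.value, findings)
```

The host is held in quarantine on the first pass (stale DAT, one patch missing), remediated, and admitted to the corporate segment on the second pass. The fail-closed default in `enforce` is the part worth keeping in a real deployment: an unknown or missing token should never map to the corporate network.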
Offline Scanning of VM Images

[Figure: ePO Server and VM Scanner/Manager alongside three groups of VMs]
• Multiple (duplicate) VMs of the main server image, for backup
• Multiple (duplicate) VMs of the main server image, for scalability
• Multiple VMs for running back-rev versions

Offline scanning of dormant VMs in the background keeps all images “fresh” and provisioned with the latest patches, policies and versions. Without it, a dormant image powered on later comes back with whatever patch level and policy it had when it was saved.
Unfettered Monitoring

Monitoring the guest from outside the VM, with unfettered access to its kernel, enables:
• Behavioral stack walking
• Monitoring of memory
• Intra-API monitoring and plumb lining
• Execution profiling
• PatchGuard bypassing
• Stealth monitoring
• Immutable systems monitoring
• Rootkit detection
• System service invocation monitoring
• API execution monitoring
• Access monitoring
Scalable Security Management

[Figure: without a virtualized server hierarchy, a single ePO Server in the enterprise provisions every endpoint over the Internet; with a virtualized server hierarchy, the ePO Server provisions “manager of manager” VMs, which in turn provision further VMs]

Reduced server hardware, more available servers and immediate disaster recovery and backups replace the costly, “tentacle-natured” provisioning typical of large corporate environments. Automatic provisioning flows from the ePO security management server down the hierarchy, and multiple “manager of manager” VMs provide virtually unlimited scalability.
“Virtualization-Enhanced” Risk Management
• Auditing and reporting from a VM sitting outside the monitored VMs
• VM Security Watchdog: a sentinel watching multiple VMs
• Manager: DLP, NAC, IPS; Virtual Jail Cell; Virtual Taste Testing
• AV, FW, Anti-Spam, Anti-Spyware, IPS; outside-VM monitoring; unfettered access to the kernel
• Patching and remediation in the VM world; re-engage initial VM snapshots
• Vulnerability scanning, policy auditing, asset information, ePO Rogue System Detection
“Core Virtualization” Features … also Benefit SRM
• Initial deployment
• Rollback
• Rapid deployment for targeted defenses
• Disaster recovery and business continuity (CISSP tenets)

Secure Virtualization …
• Protects consolidated workloads
• Provides watchdogs for security and compliance
• Uses software isolation to protect against tampering and to contain malware
• Monitors and protects inter-VM communications
• All of these on an as-needed, on-demand basis