© 2010 VMware Inc. All rights reserved
Security and Compliance in a Virtualized Environment
Jan Tiri ([email protected])
CISSP – System Engineer
2
Agenda
Security of the platform
How virtualization affects security
How do we approach virtualization security and compliance
Why virtualization is a security enabler
vShield solutions overview
3
Security of the Platform
4
The Basics: Types of Server Virtualization
Hosted (Type 2): VMware Workstation, VMware Server, VMware Player and VMware Fusion run on a host OS (Windows, Linux, Mac); the host OS changes the security profile.
Bare-Metal (Type 1): VMware ESX/ESXi is the virtualization layer running directly on the hardware.
5
The Basics: Isolation in the Platform
Virtual Machines
• Are not able to interact with each other (except via network)
• Are not aware of underlying storage -- only their own virtual disk(s)
• Are subject to strict resource controls
Virtual Switches
• Are complete, VLAN-capable, layer-2 switches
• Have no mechanism for sharing network traffic
(Diagram labels: VLAN A, VLAN B)
6
Secure Implementation
VMware ESXi
• Compact footprint (less than 100MB)
• Fewer patches
• Smaller attack surface
• Absence of general-purpose management OS
• No arbitrary code running on server
• Not susceptible to common threats
7
Validated for use by Government and Defense
Common Criteria EAL 4+ Certification
• Highest internationally recognized level
• Achieved for ESX 3.0, ESX 3.5 and vSphere
DISA STIG for ESX
• Approval for use in DoD information systems
NSA Central Security Service
• Guidance for both datacenter and desktop scenarios
8
How Virtualization Affects Security
9
Faster Deployment of Servers
Benefit: IT responsiveness
Security concerns: Lack of adequate planning; Incomplete knowledge of current state of infrastructure
10
Collapse of Switches and Servers into One Device
(Diagram: hardware running ESX/ESXi)
Benefits: Flexibility; Cost savings
Security concerns: Lack of intra-server network visibility; No separation-by-default of administration; Elevated risk of misconfiguration
11
Virtual Machine Encapsulation
Benefits: Improved service levels; Ease of business continuity; Consistency of deployment; Hardware independence
Security concerns: Easier to steal data; Updating of offline systems; Identity divorced from physical location
12
Consolidation of Servers
Benefit: Capital and operational cost-savings
Security concern: Greater impact of misconfiguration or attack
13
How do we approach Virtualization Security and Compliance?
Use the Principles of Information Security
• Secure the Guests
• Harden the Virtualization layer
• Access Controls
• Administrative Controls
Neil MacDonald (Gartner) - “How To Securely Implement Virtualization”:
“Like their physical counterparts, most security vulnerabilities will be introduced through misconfiguration and mismanagement”
14
Secure the Guests
Host
• Anti-Virus
• Patch Management
Network
• Intrusion Detection/Prevention (IDS/IPS)
Edge
• Firewalls
Provide Same Protection as for Physical Servers
15
Harden the Virtualization Layer
VMware Security Hardening Guides
• Being provided for major platform products
• vSphere 4.0
• VMware Cloud Director
• View
• Important for architecture and deployment related controls
(Diagram: ESX/ESXi host networking, labels: vCenter, other ESX/ESXi hosts, FT, vMotion, IP-based storage (NFS, iSCSI over TCP/IP), vSwitch, 10 GigE pNICs)
16
Access Controls
Roles from broad scope to narrow scope (diagram): Super Admin; Networking Admin, Server Admin, Storage Admin; Operator; VM Owner
17
Why Is Virtualization a Security Enabler?
1. Unique introspection
2. Policy abstraction
Cost Effective
• Single virtual appliance with breadth of functionality
• Single framework for comprehensive protection
Simple
• No sprawl in rules, VLANs, agents
• Relevant visibility for VI Admins, network and security teams
• Simplified compliance
Adaptive
• Virtualization and change aware
• Program once, execute everywhere
• Rapid remediation
18
Security Enabler: Unique Introspection
Introspect detailed VM state and VM-to-VM communications (vSphere + vShield)
(Diagram: introspected VM state: processor, memory, network, disk, file system, process control blocks)
Benefits
• Comprehensive host and VM protection
• Reduced configuration errors
• Quick problem identification
• Reduced complexity – no security agents per VM required
19
Security Enabler: Policy Abstraction
BEFORE vShield (VMware vSphere): policy is tied to the physical host; lost during vMotion
AFTER vShield (VMware vSphere + vShield): policy seamlessly follows the virtual machine
Separate the policy definition from the policy implementation
Benefits
• Create and enforce security policies with live migration, automated VM load balancing and automated VM restart
• Rapid provisioning of security policies
• Easier compliance with continuous monitoring and comprehensive logging
20
VMware Transforms Security from Complex…
(Diagram: VMware vSphere with VLANs and an agent in every VM; Network admin, Security admin and VI admin with overlapping roles / responsibilities; many steps: configure network, firewall and vSphere; define, implement, monitor, refine)
Complex
• Policies, rules implementation - no clear separation of duties; organizational confusion
• Many steps – configure network, firewall and vSphere
• Spaghetti of VLANs, sprawl - firewall rules, agents
21
… To Disruptively Simple
(Diagram: VMware vSphere with vShield Manager + vCenter; Network admin, Security admin and VI admin with clear separation of roles / responsibilities; few steps: configure vShield; define, monitor, refine; implement)
Simple
• Clear separation of duties
• Few steps – configure vShield
• Eliminate VLAN sprawl – vNIC firewalls
• Eliminate firewall rules, agents sprawl
22
2010 – Introducing vShield Solutions
Securing the Private Cloud End to End: from the Edge to the Endpoint
(Diagram: VMware vSphere + vCenter hosting Virtual Datacenter 1 and Virtual Datacenter 2 with DMZ, PCI compliant, HIPAA compliant, Web and Test & Dev zones)
Edge: vShield Edge 1.0 – Secure the edge of the virtual datacenter
Security Zone: vShield App 1.0 and Zones – Application protection from network based threats
Endpoint = VM: vShield Endpoint 1.0 – Enables offloaded anti-virus
23
VMware vShield – Foundation for Cloud Security
vShield Manager – Centralized Management of Security across the vDC
• Simplify IT compliance with centralized logging and reporting
• Simplify provisioning with vCenter Integration and programmable management
• Third-party solution integration
vShield Endpoint – Offload anti-virus processing for endpoints
• Improve performance by offloading anti-virus (AV) functions
• Reduce costs by freeing up virtual machine resources
• Reduce risk by streamlining AV functions to a hardened security virtual machine (SVM)
• Satisfy audit requirements with detailed logging of AV tasks
vShield App and Zones – Application protection from network based threats
• Increase visibility for inter-VM communications and eliminate blind spots
• Eliminate dedicated hardware and VLANs for different security groups
• Optimize resource utilization while maintaining strict security
• Simplified compliance with comprehensive logging of inter-VM activities
vShield Edge – Secure the edge of the virtual datacenter
• Reduce cost and complexity by eliminating multiple special purpose appliances
• Ensure policy enforcement with network isolation
• Simplify management with vCenter integration
• Easier scalability with one edge per org/tenant
• Speed up provisioning of edge security services
• Simplify IT compliance with detailed logging
24
vShield Edge – Secure the Edge of the Virtual Data Center
(Diagram: VMware vSphere with one edge per tenant: Tenant A, Tenant C, Tenant X)
Features
• Multiple edge security services in one appliance
• Stateful inspection firewall
• Network Address Translation (NAT)
• Dynamic Host Configuration Protocol (DHCP)
• Site to site VPN (IPsec)
• Web Load Balancer
• Network isolation (edge port group isolation)
• Detailed network flow statistics for chargebacks, etc.
• Policy management through UI or REST APIs
• Logging and auditing based on industry standard syslog format
Benefits
• Lower cost and complexity by eliminating multiple special purpose appliances
• Ensure policy enforcement with network isolation
• Simplify management with vCenter integration and programmable interfaces
• Easier scalability with one edge per org/tenant
• Rapid provisioning of edge security services
• Simplify IT compliance with detailed logging
25
vShield App – Application Protection for Network Based Threats
(Diagram: VMware vSphere with DMZ, PCI and HIPAA security groups)
Features
• Hypervisor-level firewall
• Inbound, outbound connection control applied at vNIC level
• Elastic security groups - “stretch” as virtual machines migrate to new hosts
• Robust flow monitoring
• Policy Management
  • Simple and business-relevant policies
  • Managed through UI or REST APIs
• Logging and auditing based on industry standard syslog format
Benefits
• Increase visibility for inter-VM communications
• Eliminate dedicated hardware and VLANs for different security groups
• Optimize resource utilization while maintaining strict security
• Simplified compliance with comprehensive logging of inter-VM activity
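The policy-abstraction slide (policy lost during vMotion versus policy that follows the VM) and the vShield App point about elastic security groups, modelled as an added Python example; this is not vShield code, and the VM, Rule and zone names are constructed. It shows a zone-keyed rule set still matching a VM after migration, while a host-keyed rule set loses its entry and falls back to the host's default, which is either an outage (fail closed) or an exposure (fail open).

```python
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    host: str   # ESX/ESXi host the VM runs on; changes on vMotion
    zone: str   # business-relevant security group, e.g. "DMZ" or "PCI"

@dataclass(frozen=True)
class Rule:
    src_zone: str   # "*" matches any source zone
    dst_zone: str
    dst_port: int
    action: str     # "allow" or "deny"

def zone_decision(rules, src, dst, port):
    """vNIC-level lookup keyed on zone membership, which travels with the VM.
    First matching rule wins; unmatched traffic is denied (default deny)."""
    for r in rules:
        if r.src_zone in ("*", src.zone) and r.dst_zone == dst.zone and r.dst_port == port:
            return r.action
    return "deny"

def host_decision(host_rules, dst, port, default):
    """Lookup keyed on (physical host, VM), as with a per-host ACL or VLAN filter.
    After a migration the new host has no entry, so its default applies."""
    allowed = host_rules.get((dst.host, dst.name))
    if allowed is None:
        return default
    return "allow" if port in allowed else "deny"

def vmotion(vm, new_host):
    """Live migration: only the VM's placement changes, not its zone membership."""
    vm.host = new_host

def migration_outcome():
    """Constructed scenario: Internet client -> DMZ web VM on 443, before and after vMotion."""
    client = VM("ext01", "esx-c", "Internet")
    web = VM("web01", "esx-a", "DMZ")
    rules = [Rule("*", "DMZ", 443, "allow"), Rule("DMZ", "PCI", 5432, "allow")]
    host_rules = {("esx-a", "web01"): {443}, ("esx-a", "db01"): {5432}}
    before = (zone_decision(rules, client, web, 443),
              host_decision(host_rules, web, 443, "deny"))
    vmotion(web, "esx-b")
    return {
        "before": before,                                                 # ("allow", "allow")
        "zone_after": zone_decision(rules, client, web, 443),             # "allow"
        "host_after_fail_closed": host_decision(host_rules, web, 443, "deny"),  # outage
        "host_after_fail_open": host_decision(host_rules, web, 22, "allow"),    # exposure
    }
```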
26
vShield Endpoint – Offload Anti-virus Processing for Endpoints
(Diagram: VMware vSphere with a hardened security VM (SVM) running the AV engine and introspecting each VM (APP, OS kernel, BIOS) on the host)
Benefits
• Improve performance by offloading anti-virus functions in tandem with AV partners
• Improve VM performance by eliminating anti-virus storms
• Reduce risk by eliminating agents susceptible to attacks and enforced remediation
• Satisfy audit requirements with detailed logging of AV tasks
Features
• Eliminate anti-virus agents in each VM; anti-virus offloaded to a security VM delivered by AV partners
• Enforce remediation using driver in VM
• Policy and configuration management: through UI or REST APIs
• Logging and auditing
27
Where to Learn More
Security
• Hardening Best Practices
• Implementation Guidelines
http://vmware.com/go/security
Compliance
• Partner Solutions
• Advice and Recommendation
http://vmware.com/go/compliance
Operations
• Peer-contributed Content
http://viops.vmware.com
28
Questions?