IT Virtualization Security 2009
Integrating Time-proven IT Security Principles with the Advantages of a Virtualized Linux Environment on IBM System z
Dave Rivard, SSH Communications Security

Upload: cameroon45

Post on 18-Nov-2014


Page 1: IT Virtualization Security

IT Virtualization Security 2009

Integrating Time-proven IT Security Principles with the Advantages of a Virtualized Linux Environment on IBM System z

Dave Rivard, SSH Communications Security

Page 2: IT Virtualization Security

Slides: 2 out of 240

Page 3: IT Virtualization Security

Agenda
• System Virtualization and what is it?
• History and The Mainframe
• How have we gotten to this point?
• Why does the platform still exist?
• z Virtualization Architecture
• Advantages to Mainframe Virtualization
• Disadvantages
• How the heck do we Secure it?

Page 4: IT Virtualization Security

System Virtualization - Overview and Benefits
• Ability to run multiple Operating Systems on a single physical machine
• Can share resources with multiple hosts on the same hardware
• Benefits:
  • Server consolidation and optimization
  • Cost reduction
  • Improved application availability
  • Enhanced manageability

Page 5: IT Virtualization Security

If it's old, does it work?

Page 6: IT Virtualization Security

History
Quote: “Forget about that Mainframe thing, Concentrate on CCMail and Netware 3.1, that dinosaur is dead”
Unnamed IT Manager, Somewhere in Springfield, MA, 1991

Page 7: IT Virtualization Security

How have we gotten to this point?
• IBM Needed to open the MVS Operating system to survive
• Decentralization
• Cost
• Flexibility

Page 8: IT Virtualization Security

Why does the platform still exist?

• Reliability
• Standardization
• Vast depth of 3rd party software
• Nobody ever got fired for buying IBM
• Fast transaction processor
• Fast database repository
• Security

Page 9: IT Virtualization Security

z Virtualization Architecture
• Z/OS (MVS and DOS too)
• USS – UNIX System Services
• Z/VM – 1st to the scene
• LDAP – Out of the box
• Z/LINUX – How many IFLs can you host on one box?

Page 10: IT Virtualization Security

So what was……

Page 11: IT Virtualization Security

….now is…….

Page 12: IT Virtualization Security

…and has become

Page 13: IT Virtualization Security

Advantages to Mainframe Virtualization
• Scalability
• Flexibility
• Efficiency
• Reduction of Cost
• Z Security
• Improved Quality of Service

Page 14: IT Virtualization Security

Disadvantages
• You just opened your most secure box
• One Vendor
• How do we keep track of who is who?
• How are we going to find all those old Smelly guys?

Page 15: IT Virtualization Security

Security in a z World

Page 16: IT Virtualization Security

Virtualization Security Challenges
• Virtualization introduces a new layer of complexity in the system: new threat surface
• Sharing the same resource pool creates single points of failure
  • Compromised hosts also threaten the guests
• Virtualization breaks the traditional three-tier architectural separation
• Complexity of conversion to a virtualized environment
  • Rapid changes in the infrastructure
  • Not enough knowledge of the changed security situation

Page 17: IT Virtualization Security

Virtualized Security Policies
• Avoid sharing of IP addresses
• Do not use hosts in situations where there is a risk of infection
  • Example: browsing the internet
• Incorporate virtual machines in the corporate security policy
• Link the physical security outside the pool and virtual security systems under one management to enable defense-in-depth

Page 18: IT Virtualization Security

Authentication

• PAM
• User Store?
• LDAP, RACF, ACF2, Top Secret?
• Provisioning?
• Rooms of Administrators?
• Federation
• System and User ID Parameters
• Proper steps and planning to verify users and processes

Page 19: IT Virtualization Security

Audit
• Individual logs?
• Volume of data
• Quality of events
• ID Switching/Generic IDs
• Forensics

Page 20: IT Virtualization Security

Encryption
• Native Hardware Cryptographic Processors
• Telnet
• FTP

Page 21: IT Virtualization Security

Conclusions
• Z Virtualized environments are being deployed fast and their importance in production environments is growing
• A virtualized environment improves security in some areas but also introduces new challenges
• Virtualization requires new security thinking and a careful migration and implementation plan
• Link the virtual and physical security to create a defense-in-depth approach

Page 22: IT Virtualization Security

Resources
• IBM Redbooks: http://www.redbooks.ibm.com
  • z/VM and Linux on IBM System z: The Virtualization Cookbook for SLES 10 SP2
  • z/VM and Linux on IBM System z: Virtualization Cookbook for Red Hat Enterprise Linux 4
• Liberty Alliance: http://www.projectliberty.org/
• NSA: http://www.nsa.gov/ia/_files/factsheets/SOA_security_vulnerabilities_web.pdf

Page 23: IT Virtualization Security

Questions?

Dave [email protected]