real security for server virtualization rajiv motwani 2 nd october 2010
TRANSCRIPT
Real Security for Server Virtualization
Rajiv Motwani2nd October 2010
• Introduction to server virtualization
• Best practices
• Patch Management
• VM Server Sprawl
• Third party products
Agenda
• Concept of virtualization has existed in various forms in computing since the early 1960s
• In virtualization, physical resources are abstracted and shared by multiple operating systems
What is Server Virtualization?
What is a Hypervisor?
A hypervisor provides an abstraction layer that allows a physical server to run one or
more virtual servers, effectively decoupling the operating system and its
applications from the underlying hardware.
• IT flexibility/agility• Predictable scaling to dynamically respond to business needs• Key part of disaster recovery strategy• Improve application availability
• Server or data center consolidation• Higher utilization leads to greater consolidation• Promotes greater centralization and security
• "Green Computing"• Consume less power, cooling, and real estate
• Support DevTest environments• Works for both IT shops and development houses
Why Virtualize?
Benefits of Virtualization
Consolidation Continuity
Availability Automation
For Desktops&
Server Apps
Cut server requirements by 10X and reduce ITspending by 50-70%
Protect IT assets and service against disasters & outages
Improve service levels and eliminate planned downtime
Automate routine management tasks and deliver better IT services to users
7
Virtualization Components
Virtual Storage Solutions
Virtual Storage Manager
• Complexity hidden from OS
• Storage managed by a Storage Manager
• Resources can be added/removed at will
• Storage Architecture independent
Hardware
XenTM Hypervisor
Hardware
XenTM Hypervisor
Hardware
XenTM Hypervisor
Virtual Storage
8
Virtualization Components (2)
Virtual LANs
• Segments Network into logical units
• Allows isolation
• Increased security
• Reduced network broadcast traffic
9
Virtualization Components (3)
Application Virtualization (Execution on Server)
• Centralizes Application Management
• Application Executes on Server
• Application Displayed on the client
• Great for bandwidth constrained locations
• Secure VM’s as you would secure physical machines• Regularly updated Anti-virus, IPS, Firewall components are a must• Regular patching
• Reduce attack surface• Stop unnecessary services • Disable unused hardware
• Intra-VM communication only as required.• VLAN’s• Separate physical adapters
• Standardize• Use templates
Best Practices
Template
• Limit the resources of each VM• Prevent DoS attacks
• Restrict access to the console• Access to the service console & management interface• Communication between service console and management interface
• Root privileges• Who has access?• Good password policy
• VM Logging• Log detail level (for console and each VM)• DoS – limit size
Best Practices (2)
• Use updated versions of all virtualization software• Hypervisor vulnerability in Microsoft Hyper V (blue pill)• Several checks in place
• Separate address space for hypervisor• No shared memory between guest VM’s• Isolation of virtual network adapters• Restrict third party code in hypervisor• (Depends on vendor)
Best Practices (3)
• Host as well as Guest VM’s
• Have AV as well as IPS protection
• Management Interface
• Backup and Recovery process
• Encrypt all traffic between VM’s and Host
• VM Image files on disk
Remember to secure
• Difficult but necessary
• Patches for OS + all applications installed on the VM’s• Ideally server environments should have few applications
• Take advantage of virtual patching• Signatures deployed on VM’s• Traffic scanned at hypervisor or by a virtual appliance
• Patches• Phased manner• Thoroughly tested
Patch Management
• Snapshots• NAC
• Application virtualization helps
• Tools available from all vendors to patch OS + some third party applications • Online and Offline VM’s
• Third party tools also available for both modes
Patch Management (2)
• More at risk
• Ensure they have Anti-virus, IPS, Firewall
• Next-gen security products have ability to scan these VM’s offline for• Malware• Vulnerabilities and exploits
• Once they come online, ensure they are patched first before they can do any other operation (NAC)
Offline VM’s
“A large amount of virtual machines on your network without proper IT management or control” - Steven Warren - blogs.techrepublic.com
• Create servers at the click of a button
• Who can create in the production environment?• Should be an IT process
• Admins create copies of production environment to test and stage applications.• New tools are available to do this automatically.
Virtual Server Sprawl
• Some mitigations• Policy that if a VM is unused for X days, it can be removed• Annotate VM’s with an end date while creating them• Scan network for new VM Server traffic• Who can create VM’s?• Use third party products
Virtual Server Sprawl
• Catbird
• Embotics
• Shavlik
• HyTrust
• Vizioncore
• DynamicOps ....
Third Party Products
• Thank You.
Questions