Real Security for Server Virtualization

Rajiv Motwani2nd October 2010

• Introduction to server virtualization

• Best practices

• Patch Management

• VM Server Sprawl

• Third party products

Agenda

• Concept of virtualization has existed in various forms in computing since the early 1960s

• In virtualization, physical resources are abstracted and shared by multiple operating systems

What is Server Virtualization?

What is a Hypervisor?

A hypervisor provides an abstraction layer that allows a physical server to run one or

more virtual servers, effectively decoupling the operating system and its

applications from the underlying hardware.

• IT flexibility/agility• Predictable scaling to dynamically respond to business needs• Key part of disaster recovery strategy• Improve application availability

• Server or data center consolidation• Higher utilization leads to greater consolidation• Promotes greater centralization and security

• "Green Computing"• Consume less power, cooling, and real estate

• Support DevTest environments• Works for both IT shops and development houses

Why Virtualize?

Benefits of Virtualization

Consolidation Continuity

Availability Automation

For Desktops&

Server Apps

Cut server requirements by 10X and reduce ITspending by 50-70%

Protect IT assets and service against disasters & outages

Improve service levels and eliminate planned downtime

Automate routine management tasks and deliver better IT services to users

7

Virtualization Components

Virtual Storage Solutions

Virtual Storage Manager

• Complexity hidden from OS

• Storage managed by a Storage Manager

• Resources can be added/removed at will

• Storage Architecture independent

Hardware

XenTM Hypervisor

Hardware

XenTM Hypervisor

Hardware

XenTM Hypervisor

Virtual Storage

8

Virtualization Components (2)

Virtual LANs

• Segments Network into logical units

• Allows isolation

• Increased security

• Reduced network broadcast traffic

9

Virtualization Components (3)

Application Virtualization (Execution on Server)

• Centralizes Application Management

• Application Executes on Server

• Application Displayed on the client

• Great for bandwidth constrained locations

• Secure VM’s as you would secure physical machines• Regularly updated Anti-virus, IPS, Firewall components are a must• Regular patching

• Reduce attack surface• Stop unnecessary services • Disable unused hardware

• Intra-VM communication only as required.• VLAN’s• Separate physical adapters

• Standardize• Use templates

Best Practices

Template

• Limit the resources of each VM• Prevent DoS attacks

• Restrict access to the console• Access to the service console & management interface• Communication between service console and management interface

• Root privileges• Who has access?• Good password policy

• VM Logging• Log detail level (for console and each VM)• DoS – limit size

Best Practices (2)

• Use updated versions of all virtualization software• Hypervisor vulnerability in Microsoft Hyper V (blue pill)• Several checks in place

• Separate address space for hypervisor• No shared memory between guest VM’s• Isolation of virtual network adapters• Restrict third party code in hypervisor• (Depends on vendor)

Best Practices (3)

• Host as well as Guest VM’s

• Have AV as well as IPS protection

• Management Interface

• Backup and Recovery process

• Encrypt all traffic between VM’s and Host

• VM Image files on disk

Remember to secure

• Difficult but necessary

• Patches for OS + all applications installed on the VM’s• Ideally server environments should have few applications

• Take advantage of virtual patching• Signatures deployed on VM’s• Traffic scanned at hypervisor or by a virtual appliance

• Patches• Phased manner• Thoroughly tested

Patch Management

• Snapshots• NAC

• Application virtualization helps

• Tools available from all vendors to patch OS + some third party applications • Online and Offline VM’s

• Third party tools also available for both modes

Patch Management (2)

• More at risk

• Ensure they have Anti-virus, IPS, Firewall

• Next-gen security products have ability to scan these VM’s offline for• Malware• Vulnerabilities and exploits

• Once they come online, ensure they are patched first before they can do any other operation (NAC)

Offline VM’s

“A large amount of virtual machines on your network without proper IT management or control” - Steven Warren - blogs.techrepublic.com

• Create servers at the click of a button

• Who can create in the production environment?• Should be an IT process

• Admins create copies of production environment to test and stage applications.• New tools are available to do this automatically.

Virtual Server Sprawl

• Some mitigations• Policy that if a VM is unused for X days, it can be removed• Annotate VM’s with an end date while creating them• Scan network for new VM Server traffic• Who can create VM’s?• Use third party products

Virtual Server Sprawl

• Catbird

• Embotics

• Shavlik

• HyTrust

• Vizioncore

• DynamicOps ....

Third Party Products

• Thank You.

Questions