Real Security for Server Virtualization
Rajiv Motwani, 2nd October 2010
Agenda: Introduction to server virtualization; Best practices; Patch management; VM server sprawl; Third-party products.

TRANSCRIPT

Agenda
What is Server Virtualization?
The concept of virtualization has existed in various forms in computing since the early 1960s.
In virtualization, physical resources are abstracted and shared by multiple operating systems.
What is a Hypervisor?
A hypervisor provides an abstraction layer that allows a physical server to run one or more virtual servers, effectively decoupling the operating system and its applications from the underlying hardware.
A hypervisor is sometimes also called a Virtual Machine Monitor (VMM).
Citrix XenServer uses the open-source Xen hypervisor.
Why Virtualize?
Key part of disaster recovery strategy
Improve application availability
Higher utilization leads to greater consolidation
Promotes greater centralization and security
"Green computing"
Support dev/test environments
Creating new servers is fast and easy
No driver hassles moving to new hardware
Zero-downtime hardware maintenance with XenMotion
Disaster recovery plans simplified
spending by 50-70%
Protect IT assets
and service against
Improve service levels and eliminate planned downtime
Automate routine management tasks and deliver better IT services to users
Virtualization is the single hottest topic in IT today. But what is it? There are four basic ways to look at how virtualization can be used to deliver business benefits in your organisation:
Server Virtualization: Creates a separate OS environment that is logically isolated from the host server. This allows greater density of resource use (hardware, utilities, space) while providing operational isolation and security.
Desktop Virtualization: Creates a separate OS environment on the desktop, allowing a non-compatible legacy or line-of-business (LOB) application to operate within a more current desktop operating system.
Application Virtualization: Separates the application configuration layer from the OS in a desktop environment, reducing application conflicts, bringing patch and upgrade management to a central location and accelerating the deployment of new applications and updates.
Presentation Virtualization: Isolates processing from the graphics and I/O, making it possible to run an application in one location but have it be controlled in another. This is helpful in a variety of situations, including ones where data confidentiality and protection are critical.
Storage architecture independent
Centralizes application management
Best Practices (2)
Regular patching
VLANs
Prevent DoS attacks
Access to the service console and management interface
Communication between service console and management interface
Root privileges
DoS: limit size
Best Practices (3)
Hypervisor vulnerability in Microsoft Hyper-V (Blue Pill)
Several checks in place
No shared memory between guest VMs
Isolation of virtual network adapters
Restrict third-party code in the hypervisor (depends on vendor)
Management interface
VM image files on disk
Remember to secure
Difficult but necessary
Patches
Patches for the OS and all applications installed on the VMs
Ideally, server environments should have few applications
Take advantage of virtual patching
Signatures deployed on VMs
Traffic scanned at the hypervisor or by a virtual appliance
Patch Management (2)
Application virtualization helps
Tools available from all vendors to patch the OS and some third-party applications
Online and offline VMs
Third-party tools also available for both modes
Offline VMs
More at risk
Ensure they have anti-virus, IPS and firewall
Next-gen security products can scan these VMs offline for:
Malware
Vulnerabilities and exploits
Once they come online, ensure they are patched before they can do any other operation (NAC)
Virtual Server Sprawl
“A large amount of virtual machines on your network without proper IT management or control” - Steven Warren, blogs.techrepublic.com
Create servers at the click of a button
Who can create in the production environment?
Should be an IT process
Admins create copies of the production environment to test and stage applications.
New tools are available to do this automatically.
Some mitigations
Policy that if a VM is unused for X days, it can be removed
Annotate VMs with an end date when creating them
Scan the network for new VM server traffic
Who can create VMs?
Use third-party products
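The three inventory-driven mitigations above (remove VMs idle for X days, honour the end date annotated at creation, and watch the network for VMs nobody registered) can be turned into a small audit. The following is an added example, not code from the slides or from Citrix; the inventory records, MAC addresses and 30-day idle threshold are constructed assumptions, and the observed MACs stand in for whatever a network scan or switch table would return.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class VmRecord:
    name: str
    owner: str
    expires: Optional[date]  # end date annotated when the VM was created
    last_seen: date          # last activity recorded by monitoring
    mac: str


IDLE_DAYS = 30  # the slide's "X days"; 30 is an assumed policy value
AUDIT_DATE = date(2010, 10, 2)  # assumed date of the audit run


def audit_inventory(records, today, idle_days=IDLE_DAYS):
    """Return (vm name, reason) pairs for VMs that the policy says to review.
    An expired end date takes precedence over the idle check."""
    findings = []
    for r in records:
        if r.expires is not None and r.expires < today:
            findings.append((r.name, "expired"))
        elif (today - r.last_seen).days > idle_days:
            findings.append((r.name, "idle"))
    return findings


def find_unregistered(observed_macs, records):
    """MACs seen on the network that match no inventory record, i.e. VMs
    created outside the IT process. Comparison is case-insensitive."""
    known = {r.mac.lower() for r in records}
    return sorted({m.lower() for m in observed_macs} - known)


# Constructed sample inventory and scan result (not real systems).
INVENTORY = [
    VmRecord("web01", "ops", None, date(2010, 9, 30), "00:16:3e:00:00:01"),
    VmRecord("test-staging", "qa", date(2010, 9, 15), date(2010, 9, 20), "00:16:3e:00:00:02"),
    VmRecord("old-build", "dev", None, date(2010, 7, 1), "00:16:3e:00:00:03"),
]
OBSERVED_MACS = ["00:16:3E:00:00:01", "00:16:3e:00:00:03", "00:16:3e:00:00:99"]

if __name__ == "__main__":
    for name, reason in audit_inventory(INVENTORY, AUDIT_DATE):
        print(f"{name}: {reason}")
    for mac in find_unregistered(OBSERVED_MACS, INVENTORY):
        print(f"unregistered VM traffic from {mac}")
```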