VMware vSphere 4.1 and Security Briefing
Matt Graybiel, CISSP
Manager, Systems Engineering
ESXi Free or not…
ESXi is an architecture, not a license
An Enterprise License works the same with traditional ESX and ESXi
The free version of ESXi is being renamed to:
VMware Hypervisor
Product Updates
vSphere 4.1
• Last release to include ESX architecture
• ESXi functionality equal to ESX (APIs, Security, Boot from SAN, Auto Deploy)
• Active Directory Integration for ESX/ESXi
• Better Storage APIs
• HA/DRS support up to 320 VMs per host
• Host Affinity and virtual cores
• vMotion is faster
• Network I/O (DRS for Network traffic) – Requires Enterprise +
• Storage I/O (DRS for Storage traffic) – Requires Enterprise +
• Memory Compression
• vMotion available in Standard and Multipathing available in Enterprise
• Virtual Serial Port Concentrator
vSphere 4.1 Editions
STANDARD (6 physical cores / CPU, 256 GB physical memory)
• High Availability, 4-way vSMP, VC Agent, vMotion™
• Update Manager, Thin Provisioning, vStorage APIs (DP)
ADVANCED (12 physical cores / CPU, 256 GB physical memory)
• High Availability, 4-way vSMP, VC Agent, Fault Tolerance, Data Recovery, vShield Zones, vMotion™
• Update Manager, Thin Provisioning, vStorage APIs (DP), Hot Add devices, vSPC
ENTERPRISE (6 physical cores / CPU, 256 GB physical memory)
• vMotion™, High Availability, 4-way vSMP, VC Agent, Fault Tolerance, Data Recovery, vShield Zones, DRS / DPM, Storage vMotion, Multipathing*
• Update Manager, Thin Provisioning, vStorage APIs (DP), Hot Add devices, vSPC, vAAI
ENTERPRISE + (12 physical cores / CPU, no license memory limit)
• vMotion™, High Availability, 8-way vSMP, VC Agent, Fault Tolerance, Data Recovery, vShield Zones, Distributed Switch, DRS / DPM, Storage vMotion, Multipathing*
• Update Manager, Thin Provisioning, vStorage APIs (DP), Hot Add devices, vSPC, I/O Controls, vAAI, Host Profiles
Key (colour coding of the slide not preserved): new feature with 4.1 release; existing feature moving down edition; edition-specific feature or entitlement; carry-over feature
Enhanced vCenter Scalability – “Cloud Scale”
                         vSphere 4   vSphere 4.1   Ratio
VMs per host                   320           320      1x
Hosts per cluster               32            32      1x
VMs per cluster               1280          3000      3x
Hosts per VC                   300          1000      3x
Registered VMs per VC         4500         15000     3x+
Powered-On VMs per VC         3000         10000      3x
Concurrent VI Clients           30           120      4x
Hosts per DC                   100           500      5x
VMs per DC                    2500          5000      2x
SLES for VMware
Unlimited instances per host
Patches and updates are free
Support is sold separately from vSphere support
Level 1 and Level 2 Support provided by VMware
Level 3 support is from Novell
Pricing and more details to come around VMworld
Summary: VMware Approach to Security
Secure Implementation
VMware ESXi
• Compact footprint (less than 100 MB): fewer patches, smaller attack surface
• Absence of general-purpose management OS: no arbitrary code running on server, not susceptible to common threats
Secure Implementation
Platform Hardening
• Integrity in Memory Protection
  ASLR – randomizes where core kernel modules load into memory
  NX/XD – marks writable areas of memory as non-executable
• Kernel Integrity
  Digital signing – ensures the integrity of drivers and modules as they are loaded by the VMkernel
• Integrity on Disk
  TPM – helps assure that the image booting off the disk has not been tampered with since the last reboot (future)
VMware Secure Development Lifecycle Process
VMworld 2009 Session TA2543: VMware’s Secure Software Development Lifecycle
• Architecture Risk Analysis
• Best Practice and Compliance Requirements
• Code Analysis & Inspection
• Security Testing
• Security Response
• Training
• Product Security Policy
• Protect Customer Data & Infrastructure
• Enable Policy Compliance
3rd party experts continually involved at various points
Independently validated
• Common Criteria Certification: CC EAL 4+ (Evaluation Assurance Level) certification, the highest recognized level; achieved for VI 3.0 and 3.5, in process for vSphere 4
• DISA STIG for ESX: approval for use in DoD information systems
• NSA Central Security Service guidance for both datacenter and desktop scenarios
How Virtualization Affects Datacenter Security
Abstraction and Consolidation: collapse of switches and servers into one device
• ↑ Flexibility
• ↑ Cost-savings
• ↓ Lack of virtual network visibility
• ↓ No separation-by-default of administration
• ↑ Capital and Operational Cost Savings
• ↓ New infrastructure layer to be secured
• ↓ Greater impact of attack or misconfiguration
How Virtualization Affects Datacenter Security
Faster deployment of servers / VM Mobility / VM Encapsulation
• ↑ Ease of business continuity
• ↑ Consistency of deployment
• ↑ Hardware Independence
• ↓ Outdated offline systems
• ↓ Unauthorized Copy
• ↑ Improved Service Levels
• ↓ Identity divorced from physical location
• ↑ IT responsiveness
• ↓ Lack of adequate planning
• ↓ Incomplete knowledge of current state of infrastructure
• ↓ Poorly Defined Procedures
• ↓ Inconsistent Configurations
How do we secure and make our Virtual Infrastructure compliant?
Use the Principles of Information Security
• Hardening and Lockdown
• Defense in Depth
• Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privilege
• Administrative Controls
What Auditors Want to See:
• Network Controls
• Change Control and Configuration Management
• Access Controls & Management
• Vulnerability Management
For virtualization this means:
• Secure the Guests
• Harden the Virtualization layer
• Set up Access Controls
• Leverage Virtualization Specific Administrative Controls
Network Segmentation
• A trust zone is a network segment within which data flows relatively freely. Data flowing in and out is subject to stronger restrictions.
Trust Zones in a Cloud environment
Isolation in the Architecture
Segment out all non-production networks
• Use VLAN tagging, or
• Use separate vSwitch (see diagram)
Strictly control access to management network, e.g.
• RDP to jump box, or
• VPN through firewall
[Diagram: vSwitch1 carries the Production network for the VM vnics; vSwitch2 carries the VMkernel Mgmt and Storage ports, reaching vCenter, IP-based Storage and other ESX/ESXi hosts over the Mgmt Network; physical uplinks vmnic1–4]
VMware Infrastructure 3 Security Hardening Guide: http://www.vmware.com/resources/techresources/726
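As an added example that is not part of the briefing, the Python check below audits a constructed listing in the layout of `esxcfg-vswitch -l` for the two isolation options above: a management or storage port group must either sit on its own vSwitch or carry a VLAN tag distinct from every production VM port group on the same vSwitch. The sample output, the management-zone naming convention and the exact column layout are assumptions.

```python
import re
# Constructed sample in the layout of `esxcfg-vswitch -l` on ESX/ESXi 4.x (assumption:
# real output has the same switch row / indented port-group row structure).
SAMPLE = """\
Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch0         128         5           128               1500    vmnic0,vmnic1
  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Production            0        2           vmnic0,vmnic1
  Management Network    0        1           vmnic0,vmnic1
  Storage               20       1           vmnic0,vmnic1
Switch Name      Num Ports   Used Ports  Configured Ports  MTU     Uplinks
vSwitch1         128         3           128               1500    vmnic2,vmnic3
  PortGroup Name        VLAN ID  Used Ports  Uplinks
  Management Network    0        1           vmnic2,vmnic3
  vMotion               0        1           vmnic2,vmnic3
"""
# Assumed naming convention: these words mark VMkernel / management-zone port groups.
MGMT_WORDS = ("management", "mgmt", "vmkernel", "storage", "vmotion")

def parse_vswitches(text):
    """Return {vswitch: [(port_group, vlan_id), ...]} from esxcfg-vswitch -l style text."""
    switches, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Switch Name", "PortGroup Name")):
            continue                                    # blank or column-header line
        if not line.startswith(" "):                    # switch row: first column is the name
            current = stripped.split()[0]
            switches[current] = []
        else:                                           # indented port-group row
            m = re.match(r"\s+(.+?)\s{2,}(\d+)\s+\d+", line)
            if m and current:
                switches[current].append((m.group(1), int(m.group(2))))
    return switches

def is_mgmt(name):
    return any(word in name.lower() for word in MGMT_WORDS)

def find_violations(switches):
    """Flag production and management port groups that share a vSwitch without distinct VLAN tags."""
    findings = []
    for vs, groups in switches.items():
        mgmt = [g for g in groups if is_mgmt(g[0])]
        prod = [g for g in groups if not is_mgmt(g[0])]
        for pname, pvlan in prod:
            for mname, mvlan in mgmt:
                # Same vSwitch and same VLAN ID (VLAN 0 = both untagged) means one shared trust zone.
                if pvlan == mvlan:
                    findings.append(f"{vs}: '{pname}' and '{mname}' share VLAN {pvlan}")
    return findings
```

On the sample, vSwitch0 is flagged because the untagged Production and Management Network port groups share it, while Storage on VLAN 20 and the management-only vSwitch1 pass.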
Separation of Duties with vSphere
[Diagram: administrative roles ranging from broad scope to narrow scope]
Administrative Controls for Security and Compliance
Requirement: Configuration management, monitoring, auditing
  VMware Products/Features: Host Profiles, Templates, vCenter Event-based Alarms, vCenter Orchestrator, Scripting, VMware vCenter Configuration Manager
  Partner Products: Hytrust Appliance, NetIQ Secure Configuration Manager, Tripwire Enterprise for VMware
Requirement: Vulnerability Management
  VMware Products/Features: VMware Update Manager
  Partner Products: Shavlik NetChk Protect
Requirement: Access Controls and Management
  VMware Products/Features: vCenter Roles and Permissions, vCenter event logging, ESX/ESXi logging
  Partner Products: Hytrust Appliance, Catbird
Requirement: Network Controls
  VMware Products/Features: VMware vShield, vNetwork Distributed Switch
  Partner Products: Cisco, Checkpoint, Reflex, Third Brigade, Altor, ISS/IBM, and more
Secure VDC – Key Building Block of the Private Cloud
[Diagram: VMware vSphere with Security & Network vServices (Edge, App Protection, vmsafe EndPoint) applied per virtual datacenter for Finance, Sales, Intranet and a secure Customer Site]
1. Encapsulate secure, auto-wired VDC
2. Standup VDC per Org, on demand
3. Migrate, burst, federate VDC to vCloud
Security for the Private Cloud
Private Cloud Properties
• Multiple Use: same infrastructure used for various purposes (“multi-tenancy”)
• Dynamic: Ever-changing environment, responding to load, demands, SLAs, etc.
Solution Characteristics for Private Cloud Security
• Virtualization-aware
• Adaptable
• Take advantage of hypervisor for efficiency, enforceability, performance
vShield Zones 1.0 Solves Some Key Issues
Distributed firewall
• vShield Zones + Cisco N1k
• Mixed trust zones on shared physical resources
• Simple, container based rules
• vMotion-aware
• Enforcement point near VM
• Microflow-level Visibility
• Application Aware
Better consolidation
• VM placement not tied to physical zoning
[Diagram: Tenants A, B and C sharing UCS 5108s and 6100s with a Nexus N1k; vShield Zones on each vSphere host]
Leveraging Virtualization To Solve Security Problems
Security solutions are facing a growing problem
• Protection engines do not get complete visibility in and below the OS
• Protection engines are running in the same context as the malware they are protecting against
• Even those that are in a safe context, can’t see other contexts (e.g. network protection has no host visibility).
Virtualization can provide the needed visibility
• Better Context – Provide protection from outside the OS, from a trusted context
• New Capabilities – view all interactions and contexts (CPU, Memory, Network, Storage)
VMsafe™ APIs
• New security solutions can be developed and integrated into VMware virtual infrastructure
• Protect the VM by inspection of virtual components (CPU, Memory, Network and Storage)
• Complete integration and awareness of VMotion, Storage VMotion, HA, etc.
• Provides an unprecedented level of security for the application and the data inside the VM
[Diagram: a Security VM running HIPS, Firewall, IPS/IDS and Anti-Virus, attached to ESX through the VMsafe Security APIs]
VMsafe™ APIs
APIs for all virtual hardware components of the VM
• CPU/Memory
  Inspection of specific memory pages being used by the VM or its applications
  Knowledge of the CPU state
  Policy enforcement through resource allocation of CPU and memory pages
• Networking
  View all IO traffic on the host
  Ability to intercept, view, modify and replicate IO traffic from any one VM or all VMs on a single host
  Capability to provide inline or passive protection
• Storage
  Ability to mount and read virtual disks (VMDK)
VMsafe Partner Releases
Category | Partner / Solution | Description | Status
Firewall | VPN1-VE | UTM – Firewall, IPS, App FW | Early Access
Firewall | VF 3.0 | Firewall, network monitoring | GA
IDS/IPS | IBM ISS Proventia | Hybrid host/network IPS + Anti-rootkit + Virtual NAC | GA
IDS/IPS | Third Brigade Deep Security 7 | Hybrid host/network IPS | GA
IDS/IPS | VMC | vTrust network zoning, network IPS, virtualization mgmt | GA
Antivirus | Virusscan for Offline Virtual Images (OVI) 2.0 | Offline AV | GA
Antivirus | Core Protection for Virtual Machines 1.0 | Online / Offline AV | GA
Efficient Antivirus as a Service for Virtual Datacenters
• Hypervisor-based introspection for all major AV functions
  File-scanning engines and virus definitions offloaded to the security VM – scheduled and realtime
  Thin file-virtualization driver in-guest: >95% reduction in guest footprint (eventually fully agentless)
• Deployable as a service
  No agents to manage – in-guest driver bundled with VMTools
  Turnkey, security-as-service delivery
• Applicable to all virtualized deployment models
  Private clouds (virtual datacenters), public clouds (service providers), virtual desktops
[Diagram: VMware vSphere introspection with a hardened security VM (SVM) running the AV engine and scanning several guest VMs (APP / OS / Kernel / BIOS)]
Proof of Concept demoed at RSA 2010
Where to Learn More
Security
• Hardening Best Practices
• Implementation Guidelines
http://vmware.com/security
Compliance
• Partner Solutions
• Advice and Recommendation
http://vmware.com/go/compliance
Operations
• Peer-contributed Content
http://viops.vmware.com
Questions?