SlideShare una empresa de Scribd logo

Virtualisation: Pitfalls in Corporate VMware Implementations

J
Jason Edelstein

Discusses virtualisation security threats and countermeasures with a specific focus on the VMware virtualisation platform. Additional information can be found at: http://www.senseofsecurity.com.au

TecnologíaEmpresariales
1 de 26
Descargar para leer sin conexión
Virtualisation: Pitfalls in Corporate VMware Implementations 18 May ’09 1 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Agenda 1. Technology overview 2. Typical corporate implementations 3. Common pitfalls and solutions 4. Conclusion 5 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Technology Overview VMware ESX Software Architecture & Concepts 6 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Typical Corporate Implementations Why are they using virtualisation technology? – cost reductions, flexibility and efficiency, increase business resiliency What are organisations using VMware for? – test environment, production systems, virtual desktop, virtual appliances What are security practitioners using VMware for? – sandboxing, forensic analysis, and honeypotting What are organisations not virtualising? – CPU intensive apps – firewalls How are they using it? – simply, with little regard for security 7 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Theoretical Security Problems and Hype Compromise the hypervisor, compromise every virtual machine! What about the Red Pill and the Blue Pill? 8 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Vulnerabilities – Hosted Versions Most of the serious VMware issues (code execution on Host) identified to date are against the “Hosted” versions (Workstation, GSX, etc.). – e.g. CVE-2005-4459 • Vulnerability was identified in VMware Workstation (and others) in the NAT component, which could be exploited by a malicious guest to execute arbitrary commands on the Host OS. • Patch made available by VMware. – e.g. CVE-2007-4496 • Vulnerability was identified in VMware Workstation (and others) that could allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and thus potentially execute arbitrary code on the host. • Patch made available by VMware. 9 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Vulnerabilities – Bare-metal Versions What about serious security issues with the enterprise “bare-metal” solution? – e.g. CVE-2009-1244 - VMSA-2009-0006 - (10 April 2009) • “A critical vulnerability in the virtual machine display function “might” allow a guest operating system to run code on the host.” • Affects both VMware hosted and bare-metal solutions. • Patch made available by VMware. Further research found the following: – “By combining multiple indexing flaws in VMWare's usage of 3D context structures, [a user] is able to both leak from and write to physical host memory. It can do this in a reliable way from inside a virtual machine by combining SVGA framebuffer relative memory leaks with 3D context based write-to-memory flaws, effectively compromising any virtual 'air gap' between physical and virtual hardware.” credit: Kostya Kortchinsky of Immunity Inc. 10 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Exploit Demonstration - CVE-2009-1244 Source: Immunity Inc. 11 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 1. Network architecture Traditional (secure) network architecture 12 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 1. Network architecture cont.d Secure VM implementation 13 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions Does anyone have any comments on the proposed design? Other considerations: Blind Spots – traffic between VM’s; vulnerabilities, malware, worms, etc No Access Control between VM’s Live Migration - propagation of malware 14 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2. Configuration Management Established best practice in traditional enterprise environments Can be more challenging in virtual environments Secure at deployment and maintain this position going forward Implement appropriate tools to enforce defined configuration standards Virtualisation introduces some new components that must be secured 15 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2.1. Securing the Virtual Machines Secure virtual machines as you would secure physical machines Create a library of trusted virtualised server builds Use resource management to control server resources 16 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2.2. Securing the Service Console (COS) Limit access based on business requirements Secure the root account Implement directory based authentication wherever possible Do not run additional software or services inside it Limit executing arbitrary commands and executables Apply patches Implement proper audit trails Do not use the service console unless necessary 17 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2.3. Securing the Remote Command Line Interface Only necessary in ESXi Runs as a Debian Linux Guest appliance OR Runs as an application on Windows Limit access based on business requirements 18 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2.4. Securing VI Client including Web Access Connects to host via API Allows you to connect to the console of the VM interactively Copy and paste by default can move data between systems Use terminal services or SSH instead 19 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2.5. Securing VirtualCenter Enterprise solution for managing VM implementations which is extendable with SDK Runs on user installed and secured Windows Implement RBAC 20 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2.6. Securing vSwitches Do not use promiscuous mode on network interfaces (default setting) Protect against MAC address spoofing - MAC address changes (permitted by default) – should be denied - Forged transmissions (permitted by default) – should be denied 21 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 2.7. Securing Storage ? Each VM only sees virtual disks that have been presented to virtual SCSI adapters OS within the VM cannot change its own storage access or interrogate the storage 22 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 3. Applying Patches Challenging in virtual environments. e.g. offline virtual machines and templates Numerous components to patch 23 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 4. Defining Roles and Responsibilities Must learn where virtualisation technologies are being used, what they are being used for and who are responsible for their management Who will administer the virtual network? 24 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 5. Limiting Privileged Access Excess privileges make it possible for people to make uncontrolled changes to critical systems Must integrate information security into the access management procedures Reduce access wherever possible and ensure some form of effective access control exists Audit user access routinely and adjust access 25 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Common Pitfalls and Solutions 6. Integrate with Existing Change Management Processes All changes after deployment should be authorised, scheduled, and substantiated by change management Activating and deactivating VMs should also go through change management 26 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
VMware Security Direction vShield Zones – Runs as a security virtual appliance – Enables you to monitor, log and block inter-VM traffic within an ESX host or between hosts in a cluster VMsafe – API enables development of virtualisation-aware security solutions in the form of a security virtual machine that can access, correlate and modify information based on memory and CPU, networking, process execution, or storage Cisco Nexus 1000 – Alternative to VMware distributed switch with added functionality – Operates inside the VMware ESX Hypervisor – Brings policy based VM connectivity, mobile VM security and network policy 27 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Conclusion Historically trends and advances in IT outpace security requirements. e.g. 802.11 wireless Most current implementations of virtualisation are insecure Virtualisation can be secured with the right know how Its much easier to bake in security from conception The only way to know if your implementation is secure is to have it audited by independent experts 28 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
Q&A Questions? Jason Edelstein Sense of Security Pty Ltd info@senseofsecurity.com.au Tel: +61 2 9290 4444 Final presentation is available at: http://www.senseofsecurity.com.au/presentations/ Virtualisation-Security-AusCERT2009.pdf 29 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009

Recomendados

Security in a Virtualised Environment
Security in a Virtualised EnvironmentSecurity in a Virtualised Environment
Security in a Virtualised EnvironmentPeter Wood
 
Cw13 securing your journey to the cloud by rami naccache-trend micro
Cw13 securing your journey to the cloud by rami naccache-trend microCw13 securing your journey to the cloud by rami naccache-trend micro
Cw13 securing your journey to the cloud by rami naccache-trend microTheInevitableCloud
 
Virtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End PointVirtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End PointHyTrust
 
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response TeamWHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response TeamSymantec
 
Vmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroVmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroGraeme Wood
 
VMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & Replication
VMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & ReplicationVMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & Replication
VMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & ReplicationSuministros Obras y Sistemas
 
Campus jueves
Campus juevesCampus jueves
Campus juevescampus party
 
Virtualization securityv2
Virtualization securityv2Virtualization securityv2
Virtualization securityv2vivekbhat
 

Recomendados

Security in a Virtualised Environment
Security in a Virtualised EnvironmentSecurity in a Virtualised Environment
Security in a Virtualised EnvironmentPeter Wood
 
Cw13 securing your journey to the cloud by rami naccache-trend micro
Cw13 securing your journey to the cloud by rami naccache-trend microCw13 securing your journey to the cloud by rami naccache-trend micro
Cw13 securing your journey to the cloud by rami naccache-trend microTheInevitableCloud
 
Virtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End PointVirtualizing More While Improving Risk Posture – From Bare Metal to End Point
Virtualizing More While Improving Risk Posture – From Bare Metal to End PointHyTrust
 
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response TeamWHITE PAPER: Threats to Virtual Environments - Symantec Security Response Team
WHITE PAPER: Threats to Virtual Environments - Symantec Security Response TeamSymantec
 
Vmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroVmware Seminar Security & Compliance for the cloud with Trend Micro
Vmware Seminar Security & Compliance for the cloud with Trend MicroGraeme Wood
 
VMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & Replication
VMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & ReplicationVMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & Replication
VMware Recovery: 77x Faster! NEW ESG Lab Review, with Veeam Backup & ReplicationSuministros Obras y Sistemas
 
Campus jueves
Campus juevesCampus jueves
Campus juevescampus party
 
Virtualization securityv2
Virtualization securityv2Virtualization securityv2
Virtualization securityv2vivekbhat
 
vSphere Security
vSphere SecurityvSphere Security
vSphere Securitymikhail.mikheev
 
IT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization SecurityIT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization SecurityBooz Allen Hamilton
 
Databarracks zerto - webinar - sept2015-slideshare
Databarracks zerto - webinar - sept2015-slideshareDatabarracks zerto - webinar - sept2015-slideshare
Databarracks zerto - webinar - sept2015-slideshareDatabarracks
 
Visibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseVisibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseEMC
 
IBM Security Day, Cuenca - Ecuador
IBM Security Day, Cuenca - EcuadorIBM Security Day, Cuenca - Ecuador
IBM Security Day, Cuenca - EcuadorOlmedo Abril Arboleda
 
Securing Public Web Servers
Securing Public Web ServersSecuring Public Web Servers
Securing Public Web Serverswebhostingguy
 
Virtualization Security
Virtualization SecurityVirtualization Security
Virtualization Securitysyrinxtech
 
Zerto @ VMUG.IT 20150304
Zerto @ VMUG.IT 20150304Zerto @ VMUG.IT 20150304
Zerto @ VMUG.IT 20150304VMUG IT
 
VMware vSphere
VMware vSphereVMware vSphere
VMware vSphere零壹科技股份有限公司
 
Virtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualizationVirtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualizationSeccuris Inc.
 
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...Proact Netherlands B.V.
 
VMware and Trend Micro, partnering to revolutionise virtualised security
VMware and Trend Micro, partnering to revolutionise virtualised securityVMware and Trend Micro, partnering to revolutionise virtualised security
VMware and Trend Micro, partnering to revolutionise virtualised securityArrow ECS UK
 
HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust
 
E Vm Virtualization
E Vm VirtualizationE Vm Virtualization
E Vm VirtualizationArturo Saavedra
 
VMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld
 
Virtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesVirtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesJason Chan
 
September 2019 Patch Tuesday
September 2019 Patch TuesdaySeptember 2019 Patch Tuesday
September 2019 Patch TuesdayIvanti
 
Data Centre Evolution: Securing Your Journey to the Cloud
Data Centre Evolution: Securing Your Journey to the CloudData Centre Evolution: Securing Your Journey to the Cloud
Data Centre Evolution: Securing Your Journey to the CloudTrend Micro (EMEA) Limited
 
Presentation v mware view bootcamp series
Presentation v mware view bootcamp seriesPresentation v mware view bootcamp series
Presentation v mware view bootcamp seriessolarisyourep
 
Security challenges for adoption of virtualization for effective e governance
Security challenges for adoption of virtualization for effective e governanceSecurity challenges for adoption of virtualization for effective e governance
Security challenges for adoption of virtualization for effective e governanceAdam Bert Lacay
 
Virtualization security threats in cloud computing
Virtualization security threats in cloud computingVirtualization security threats in cloud computing
Virtualization security threats in cloud computingNitish Awasthi (anitish_225)
 
Cloud security
Cloud securityCloud security
Cloud securityPedro Alexander Romero Tortosa
 

Más contenido relacionado

La actualidad más candente

IT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization SecurityIT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization SecurityBooz Allen Hamilton
 
Databarracks zerto - webinar - sept2015-slideshare
Databarracks zerto - webinar - sept2015-slideshareDatabarracks zerto - webinar - sept2015-slideshare
Databarracks zerto - webinar - sept2015-slideshareDatabarracks
 
Visibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseVisibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseEMC
 
Securing Public Web Servers
Securing Public Web ServersSecuring Public Web Servers
Securing Public Web Serverswebhostingguy
 
Virtualization Security
Virtualization SecurityVirtualization Security
Virtualization Securitysyrinxtech
 
Zerto @ VMUG.IT 20150304
Zerto @ VMUG.IT 20150304Zerto @ VMUG.IT 20150304
Zerto @ VMUG.IT 20150304VMUG IT
 
Virtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualizationVirtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualizationSeccuris Inc.
 
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...Proact Netherlands B.V.
 
VMware and Trend Micro, partnering to revolutionise virtualised security
VMware and Trend Micro, partnering to revolutionise virtualised securityVMware and Trend Micro, partnering to revolutionise virtualised security
VMware and Trend Micro, partnering to revolutionise virtualised securityArrow ECS UK
 
HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust
 
VMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld
 
Virtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesVirtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesJason Chan
 
September 2019 Patch Tuesday
September 2019 Patch TuesdaySeptember 2019 Patch Tuesday
September 2019 Patch TuesdayIvanti
 
Data Centre Evolution: Securing Your Journey to the Cloud
Data Centre Evolution: Securing Your Journey to the CloudData Centre Evolution: Securing Your Journey to the Cloud
Data Centre Evolution: Securing Your Journey to the CloudTrend Micro (EMEA) Limited
 
Presentation v mware view bootcamp series
Presentation v mware view bootcamp seriesPresentation v mware view bootcamp series
Presentation v mware view bootcamp seriessolarisyourep
 
Security challenges for adoption of virtualization for effective e governance
Security challenges for adoption of virtualization for effective e governanceSecurity challenges for adoption of virtualization for effective e governance
Security challenges for adoption of virtualization for effective e governanceAdam Bert Lacay
 

La actualidad más candente (20)

vSphere Security
vSphere SecurityvSphere Security
vSphere Security
 
IT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization SecurityIT Security Risk Mitigation Report: Virtualization Security
IT Security Risk Mitigation Report: Virtualization Security
 
Databarracks zerto - webinar - sept2015-slideshare
Databarracks zerto - webinar - sept2015-slideshareDatabarracks zerto - webinar - sept2015-slideshare
Databarracks zerto - webinar - sept2015-slideshare
 
Visibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized EnterpriseVisibility & Security for the Virtualized Enterprise
Visibility & Security for the Virtualized Enterprise
 
IBM Security Day, Cuenca - Ecuador
IBM Security Day, Cuenca - EcuadorIBM Security Day, Cuenca - Ecuador
IBM Security Day, Cuenca - Ecuador
 
Securing Public Web Servers
Securing Public Web ServersSecuring Public Web Servers
Securing Public Web Servers
 
Virtualization Security
Virtualization SecurityVirtualization Security
Virtualization Security
 
Zerto @ VMUG.IT 20150304
Zerto @ VMUG.IT 20150304Zerto @ VMUG.IT 20150304
Zerto @ VMUG.IT 20150304
 
VMware vSphere
VMware vSphereVMware vSphere
VMware vSphere
 
Virtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualizationVirtually Secure: Uncovering the risks of virtualization
Virtually Secure: Uncovering the risks of virtualization
 
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...
PROACT SYNC 2013 - Breakout - VSPEX en vBlock Converged Infrastructure bouwbl...
 
VMware and Trend Micro, partnering to revolutionise virtualised security
VMware and Trend Micro, partnering to revolutionise virtualised securityVMware and Trend Micro, partnering to revolutionise virtualised security
VMware and Trend Micro, partnering to revolutionise virtualised security
 
HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure HyTrust and VMware-Providing a Secure Virtual Infrastructure
HyTrust and VMware-Providing a Secure Virtual Infrastructure
 
E Vm Virtualization
E Vm VirtualizationE Vm Virtualization
E Vm Virtualization
 
VMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor SecurityVMworld 2014: ESXi Hypervisor Security
VMworld 2014: ESXi Hypervisor Security
 
Virtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit PerspectivesVirtualization: Security and IT Audit Perspectives
Virtualization: Security and IT Audit Perspectives
 
September 2019 Patch Tuesday
September 2019 Patch TuesdaySeptember 2019 Patch Tuesday
September 2019 Patch Tuesday
 
Data Centre Evolution: Securing Your Journey to the Cloud
Data Centre Evolution: Securing Your Journey to the CloudData Centre Evolution: Securing Your Journey to the Cloud
Data Centre Evolution: Securing Your Journey to the Cloud
 
Presentation v mware view bootcamp series
Presentation v mware view bootcamp seriesPresentation v mware view bootcamp series
Presentation v mware view bootcamp series
 
Security challenges for adoption of virtualization for effective e governance
Security challenges for adoption of virtualization for effective e governanceSecurity challenges for adoption of virtualization for effective e governance
Security challenges for adoption of virtualization for effective e governance
 

Similar a Virtualisation: Pitfalls in Corporate VMware Implementations

Virtualization security threats in cloud computing
Virtualization security threats in cloud computingVirtualization security threats in cloud computing
Virtualization security threats in cloud computingNitish Awasthi (anitish_225)
 
Chapter 05: introduction to virtualization features
Chapter 05: introduction to virtualization featuresChapter 05: introduction to virtualization features
Chapter 05: introduction to virtualization featuresSsendiSamuel
 
Virtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the CloudVirtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the CloudTjylen Veselyj
 
Trend micro v2
Trend micro v2Trend micro v2
Trend micro v2JD Sherry
 
Identifying and analyzing security threats to virtualized cloud computing inf...
Identifying and analyzing security threats to virtualized cloud computing inf...Identifying and analyzing security threats to virtualized cloud computing inf...
Identifying and analyzing security threats to virtualized cloud computing inf...IBM222
 
20090911 virtualizationandcloud
20090911 virtualizationandcloud20090911 virtualizationandcloud
20090911 virtualizationandcloudSupratik Ghatak
 
20090911 virtualizationandcloud
20090911 virtualizationandcloud20090911 virtualizationandcloud
20090911 virtualizationandcloudMeenal Joshi
 
VMWARE Professionals - App Management
VMWARE Professionals - App ManagementVMWARE Professionals - App Management
VMWARE Professionals - App ManagementPaulo Freitas
 
IBM Think 2019 session 2116 - Best practices for operating and managing a pro...
IBM Think 2019 session 2116 - Best practices for operating and managing a pro...IBM Think 2019 session 2116 - Best practices for operating and managing a pro...
IBM Think 2019 session 2116 - Best practices for operating and managing a pro...Hendrik van Run
 
Virutalization and the Future of Datacenter Security
Virutalization and the Future of Datacenter SecurityVirutalization and the Future of Datacenter Security
Virutalization and the Future of Datacenter Securityguestb09e16
 
Cloud Computing and VCE
Cloud Computing and VCECloud Computing and VCE
Cloud Computing and VCECenk Ersoy
 
Chapter 02: Introduction to compute virtualization
Chapter 02: Introduction to compute virtualizationChapter 02: Introduction to compute virtualization
Chapter 02: Introduction to compute virtualizationSsendiSamuel
 
Virtualization meisen 042811
Virtualization meisen 042811Virtualization meisen 042811
Virtualization meisen 042811Morty Eisen
 
VMware TechTues - Veeam Availability Suite
VMware TechTues - Veeam Availability SuiteVMware TechTues - Veeam Availability Suite
VMware TechTues - Veeam Availability SuiteTeck Sze Tay
 
A Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public CloudA Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public CloudRochester Security Summit
 
Fadi El Moussa Secure Cloud 2012 V2
Fadi El Moussa Secure Cloud 2012 V2Fadi El Moussa Secure Cloud 2012 V2
Fadi El Moussa Secure Cloud 2012 V2fadielmoussa
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld
 
Vmug birmingham mar2013 trendmicro
Vmug birmingham mar2013 trendmicroVmug birmingham mar2013 trendmicro
Vmug birmingham mar2013 trendmicrodvmug1
 
Virtualization presentation
Virtualization presentationVirtualization presentation
Virtualization presentationMangesh Gunjal
 

Similar a Virtualisation: Pitfalls in Corporate VMware Implementations (20)

Virtualization security threats in cloud computing
Virtualization security threats in cloud computingVirtualization security threats in cloud computing
Virtualization security threats in cloud computing
 
Cloud security
Cloud securityCloud security
Cloud security
 
Chapter 05: introduction to virtualization features
Chapter 05: introduction to virtualization featuresChapter 05: introduction to virtualization features
Chapter 05: introduction to virtualization features
 
Virtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the CloudVirtual Machine Introspection - Future of the Cloud
Virtual Machine Introspection - Future of the Cloud
 
Trend micro v2
Trend micro v2Trend micro v2
Trend micro v2
 
Identifying and analyzing security threats to virtualized cloud computing inf...
Identifying and analyzing security threats to virtualized cloud computing inf...Identifying and analyzing security threats to virtualized cloud computing inf...
Identifying and analyzing security threats to virtualized cloud computing inf...
 
20090911 virtualizationandcloud
20090911 virtualizationandcloud20090911 virtualizationandcloud
20090911 virtualizationandcloud
 
20090911 virtualizationandcloud
20090911 virtualizationandcloud20090911 virtualizationandcloud
20090911 virtualizationandcloud
 
VMWARE Professionals - App Management
VMWARE Professionals - App ManagementVMWARE Professionals - App Management
VMWARE Professionals - App Management
 
IBM Think 2019 session 2116 - Best practices for operating and managing a pro...
IBM Think 2019 session 2116 - Best practices for operating and managing a pro...IBM Think 2019 session 2116 - Best practices for operating and managing a pro...
IBM Think 2019 session 2116 - Best practices for operating and managing a pro...
 
Virutalization and the Future of Datacenter Security
Virutalization and the Future of Datacenter SecurityVirutalization and the Future of Datacenter Security
Virutalization and the Future of Datacenter Security
 
Cloud Computing and VCE
Cloud Computing and VCECloud Computing and VCE
Cloud Computing and VCE
 
Chapter 02: Introduction to compute virtualization
Chapter 02: Introduction to compute virtualizationChapter 02: Introduction to compute virtualization
Chapter 02: Introduction to compute virtualization
 
Virtualization meisen 042811
Virtualization meisen 042811Virtualization meisen 042811
Virtualization meisen 042811
 
VMware TechTues - Veeam Availability Suite
VMware TechTues - Veeam Availability SuiteVMware TechTues - Veeam Availability Suite
VMware TechTues - Veeam Availability Suite
 
A Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public CloudA Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public Cloud
 
Fadi El Moussa Secure Cloud 2012 V2
Fadi El Moussa Secure Cloud 2012 V2Fadi El Moussa Secure Cloud 2012 V2
Fadi El Moussa Secure Cloud 2012 V2
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
 
Vmug birmingham mar2013 trendmicro
Vmug birmingham mar2013 trendmicroVmug birmingham mar2013 trendmicro
Vmug birmingham mar2013 trendmicro
 
Virtualization presentation
Virtualization presentationVirtualization presentation
Virtualization presentation
 

Más de Jason Edelstein

Sense of Security Best practice strategies to improve your enterprise security
Sense of Security Best practice strategies to improve your enterprise securitySense of Security Best practice strategies to improve your enterprise security
Sense of Security Best practice strategies to improve your enterprise securityJason Edelstein
 
Sense of security - Virtualisation Security for Regulated Environments
Sense of security - Virtualisation Security for Regulated EnvironmentsSense of security - Virtualisation Security for Regulated Environments
Sense of security - Virtualisation Security for Regulated EnvironmentsJason Edelstein
 
Sense of Security - Securing Virtualised Environments; Focus on the Fundamentals
Sense of Security - Securing Virtualised Environments; Focus on the FundamentalsSense of Security - Securing Virtualised Environments; Focus on the Fundamentals
Sense of Security - Securing Virtualised Environments; Focus on the FundamentalsJason Edelstein
 
PCI What When AISA Sydney 2009
PCI What When AISA Sydney 2009PCI What When AISA Sydney 2009
PCI What When AISA Sydney 2009Jason Edelstein
 
PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009Jason Edelstein
 
PCI Compliance What Does This Mean For the Australian Market Place 2007
PCI Compliance What Does This Mean For the Australian Market Place 2007PCI Compliance What Does This Mean For the Australian Market Place 2007
PCI Compliance What Does This Mean For the Australian Market Place 2007Jason Edelstein
 
Addressing Security Challenges of Mobility and Web 2.0 2009
Addressing Security Challenges of Mobility and Web 2.0 2009Addressing Security Challenges of Mobility and Web 2.0 2009
Addressing Security Challenges of Mobility and Web 2.0 2009Jason Edelstein
 
Achieving PCI Compliance Long And Short Term Strategies 2009
Achieving PCI Compliance Long And Short Term Strategies 2009Achieving PCI Compliance Long And Short Term Strategies 2009
Achieving PCI Compliance Long And Short Term Strategies 2009Jason Edelstein
 
VoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate WorldVoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate WorldJason Edelstein
 
Managing and Securing Web 2.0
Managing and Securing Web 2.0Managing and Securing Web 2.0
Managing and Securing Web 2.0Jason Edelstein
 

Más de Jason Edelstein (10)

Sense of Security Best practice strategies to improve your enterprise security
Sense of Security Best practice strategies to improve your enterprise securitySense of Security Best practice strategies to improve your enterprise security
Sense of Security Best practice strategies to improve your enterprise security
 
Sense of security - Virtualisation Security for Regulated Environments
Sense of security - Virtualisation Security for Regulated EnvironmentsSense of security - Virtualisation Security for Regulated Environments
Sense of security - Virtualisation Security for Regulated Environments
 
Sense of Security - Securing Virtualised Environments; Focus on the Fundamentals
Sense of Security - Securing Virtualised Environments; Focus on the FundamentalsSense of Security - Securing Virtualised Environments; Focus on the Fundamentals
Sense of Security - Securing Virtualised Environments; Focus on the Fundamentals
 
PCI What When AISA Sydney 2009
PCI What When AISA Sydney 2009PCI What When AISA Sydney 2009
PCI What When AISA Sydney 2009
 
PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009PCI Compliance a Business Issue Isaca 2009
PCI Compliance a Business Issue Isaca 2009
 
PCI Compliance What Does This Mean For the Australian Market Place 2007
PCI Compliance What Does This Mean For the Australian Market Place 2007PCI Compliance What Does This Mean For the Australian Market Place 2007
PCI Compliance What Does This Mean For the Australian Market Place 2007
 
Addressing Security Challenges of Mobility and Web 2.0 2009
Addressing Security Challenges of Mobility and Web 2.0 2009Addressing Security Challenges of Mobility and Web 2.0 2009
Addressing Security Challenges of Mobility and Web 2.0 2009
 
Achieving PCI Compliance Long And Short Term Strategies 2009
Achieving PCI Compliance Long And Short Term Strategies 2009Achieving PCI Compliance Long And Short Term Strategies 2009
Achieving PCI Compliance Long And Short Term Strategies 2009
 
VoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate WorldVoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate World
 
Managing and Securing Web 2.0
Managing and Securing Web 2.0Managing and Securing Web 2.0
Managing and Securing Web 2.0
 

Último

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 

Último (20)

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

Virtualisation: Pitfalls in Corporate VMware Implementations

  • 1. Virtualisation: Pitfalls in Corporate VMware Implementations 18 May ’09 1 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 2. Agenda 1. Technology overview 2. Typical corporate implementations 3. Common pitfalls and solutions 4. Conclusion 5 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 3. Technology Overview VMware ESX Software Architecture & Concepts 6 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 4. Typical Corporate Implementations Why are they using virtualisation technology? – cost reductions, flexibility and efficiency, increase business resiliency What are organisations using VMware for? – test environment, production systems, virtual desktop, virtual appliances What are security practitioners using VMware for? – sandboxing, forensic analysis, and honeypotting What are organisations not virtualising? – CPU intensive apps – firewalls How are they using it? – simply, with little regard for security 7 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 5. Theoretical Security Problems and Hype Compromise the hypervisor, compromise every virtual machine! What about the Red Pill and the Blue Pill? 8 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 6. Vulnerabilities – Hosted Versions Most of the serious VMware issues (code execution on Host) identified to date are against the “Hosted” versions (Workstation, GSX, etc.). – e.g. CVE-2005-4459 • Vulnerability was identified in VMware Workstation (and others) in the NAT component, which could be exploited by a malicious guest to execute arbitrary commands on the Host OS. • Patch made available by VMware. – e.g. CVE-2007-4496 • Vulnerability was identified in VMware Workstation (and others) that could allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and thus potentially execute arbitrary code on the host. • Patch made available by VMware. 9 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 7. Vulnerabilities – Bare-metal Versions What about serious security issues with the enterprise “bare-metal” solution? – e.g. CVE-2009-1244 - VMSA-2009-0006 - (10 April 2009) • “A critical vulnerability in the virtual machine display function “might” allow a guest operating system to run code on the host.” • Affects both VMware hosted and bare-metal solutions. • Patch made available by VMware. Further research found the following: – “By combining multiple indexing flaws in VMWare's usage of 3D context structures, [a user] is able to both leak from and write to physical host memory. It can do this in a reliable way from inside a virtual machine by combining SVGA framebuffer relative memory leaks with 3D context based write-to-memory flaws, effectively compromising any virtual 'air gap' between physical and virtual hardware.” credit: Kostya Kortchinsky of Immunity Inc. 10 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 8. Exploit Demonstration - CVE-2009-1244 Source: Immunity Inc. 11 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 9. Common Pitfalls and Solutions 1. Network architecture Traditional (secure) network architecture 12 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 10. Common Pitfalls and Solutions 1. Network architecture cont.d Secure VM implementation 13 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 11. Common Pitfalls and Solutions Does anyone have any comments on the proposed design? Other considerations: Blind Spots – traffic between VM’s; vulnerabilities, malware, worms, etc No Access Control between VM’s Live Migration - propagation of malware 14 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 12. Common Pitfalls and Solutions 2. Configuration Management Established best practice in traditional enterprise environments Can be more challenging in virtual environments Secure at deployment and maintain this position going forward Implement appropriate tools to enforce defined configuration standards Virtualisation introduces some new components that must be secured 15 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 13. Common Pitfalls and Solutions 2.1. Securing the Virtual Machines Secure virtual machines as you would secure physical machines Create a library of trusted virtualised server builds Use resource management to control server resources 16 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 14. Common Pitfalls and Solutions 2.2. Securing the Service Console (COS) Limit access based on business requirements Secure the root account Implement directory based authentication wherever possible Do not run additional software or services inside it Limit executing arbitrary commands and executables Apply patches Implement proper audit trails Do not use the service console unless necessary 17 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 15. Common Pitfalls and Solutions 2.3. Securing the Remote Command Line Interface Only necessary in ESXi Runs as a Debian Linux Guest appliance OR Runs as an application on Windows Limit access based on business requirements 18 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 16. Common Pitfalls and Solutions 2.4. Securing VI Client including Web Access Connects to host via API Allows you to connect to the console of the VM interactively Copy and paste by default can move data between systems Use terminal services or SSH instead 19 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 17. Common Pitfalls and Solutions 2.5. Securing VirtualCenter Enterprise solution for managing VM implementations which is extendable with SDK Runs on user installed and secured Windows Implement RBAC 20 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 18. Common Pitfalls and Solutions 2.6. Securing vSwitches Do not use promiscuous mode on network interfaces (default setting) Protect against MAC address spoofing - MAC address changes (permitted by default) – should be denied - Forged transmissions (permitted by default) – should be denied 21 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 19. Common Pitfalls and Solutions 2.7. Securing Storage ? Each VM only sees virtual disks that have been presented to virtual SCSI adapters OS within the VM cannot change its own storage access or interrogate the storage 22 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 20. Common Pitfalls and Solutions 3. Applying Patches Challenging in virtual environments. e.g. offline virtual machines and templates Numerous components to patch 23 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 21. Common Pitfalls and Solutions 4. Defining Roles and Responsibilities Must learn where virtualisation technologies are being used, what they are being used for and who are responsible for their management Who will administer the virtual network? 24 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 22. Common Pitfalls and Solutions 5. Limiting Privileged Access Excess privileges make it possible for people to make uncontrolled changes to critical systems Must integrate information security into the access management procedures Reduce access wherever possible and ensure some form of effective access control exists Audit user access routinely and adjust access 25 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 23. Common Pitfalls and Solutions 6. Integrate with Existing Change Management Processes All changes after deployment should be authorised, scheduled, and substantiated by change management Activating and deactivating VMs should also go through change management 26 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 24. VMware Security Direction vShield Zones – Runs as a security virtual appliance – Enables you to monitor, log and block inter-VM traffic within an ESX host or between hosts in a cluster VMsafe – API enables development of virtualisation-aware security solutions in the form of a security virtual machine that can access, correlate and modify information based on memory and CPU, networking, process execution, or storage Cisco Nexus 1000 – Alternative to VMware distributed switch with added functionality – Operates inside the VMware ESX Hypervisor – Brings policy based VM connectivity, mobile VM security and network policy 27 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 25. Conclusion Historically trends and advances in IT outpace security requirements. e.g. 802.11 wireless Most current implementations of virtualisation are insecure Virtualisation can be secured with the right know how Its much easier to bake in security from conception The only way to know if your implementation is secure is to have it audited by independent experts 28 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009
  • 26. Q&A Questions? Jason Edelstein Sense of Security Pty Ltd info@senseofsecurity.com.au Tel: +61 2 9290 4444 Final presentation is available at: http://www.senseofsecurity.com.au/presentations/ Virtualisation-Security-AusCERT2009.pdf 29 www.senseofsecurity.com.au © Sense of Security 2009 Monday, May 25, 2009