Assessing Security in a Virtual Environment


Chris Buechler
Metro Louisville InfoSec 2007 Conference
October 18, 2007

Overview
• Intro to Virtualization
– Common uses, reasons for adoption, types

• Virtualization security risks
• Content is virtualization-specific, not vendor or product specific

Intro to Virtualization
• Ability to run multiple operating systems simultaneously on a single physical machine
• Hypervisor (a.k.a. Virtual Machine Monitor)
– Software that makes this possible

Common Uses of Virtualization
• Test environments
• Development environments
• Production physical infrastructure replacement

Top 5 Reasons to Adopt Virtualization
• Server Consolidation and Infrastructure Optimization
• Physical Infrastructure Cost Reduction
• Improved Operational Flexibility & Responsiveness
• Increased Application Availability & Improved Business Continuity
• Improved Desktop Manageability & Security

From http://vmware.com/overview/why.html

Types of Virtualization
• Bare metal (type 1) hypervisor
• Hosted (type 2) hypervisor

Hosted Virtualization
• Runs on a stock operating system
– Windows, Linux, Mac OS X, others

• Higher performance overhead
• Potentially more security risks
• Common in test and development environments, small organizations

Hosted Virtualization
• Most Popular Offerings
– VMware
• Workstation
• Server
• Fusion

– Microsoft
• Virtual PC
• Virtual Server

– Parallels
• Workstation
• Desktop

Hosted Virtualization
Functional Diagram

From VMware Server datasheet: http://www.vmware.com/pdf/server_datasheet.pdf

Bare Metal Virtualization
• Virtualization software runs directly on hardware
– VMware ESX Server
– Xen

• Offers substantially better performance
• Only option for enterprise-class production deployments

Bare Metal Virtualization
Functional Diagram

From VMware ESX datasheet: http://www.vmware.com/pdf/esx_datasheet.pdf

Security-relevant Virtualization Challenges
• Inadequate technical skills
– Proper training important
– Use external resources for critical or complex deployments

• Complexity
• Inadequate management tools
– Lack of integration into existing systems

Security-relevant Virtualization Challenges
• Server sprawl
– Add, remove and change processes

• Backups
– Data backup
– Full VM backup

• Removing hardware barrier
– Exercise caution when mixing machines of differing trust levels on the same host

Security-relevant Virtualization Challenges
• Accounting and auditing
– Integrate with existing systems and processes

• Hypervisor access provisioning
– Principle of least privilege

• Patch management

Securing the Host
• For hosted products, follow usual security guidelines for host OS.
• For bare metal products, follow vendor recommendations.
• Compromise of host equivalent to physical access at a minimum, potentially worse.

Securing Management Interfaces
• Use dedicated physical NIC for management interface
• Do not use management interface for any VM network access
• Locate management interface on restricted IP subnet
• Utilize host based firewall

Mixing Networks of Differing Trust Levels
• Possible to connect nearly limitless networks to a single machine

Mixing Networks of Differing Trust Levels
• Risks
– Misconfiguration
– Future hypervisor networking vulnerabilities

Network Traffic Visibility
• Problems with lacking visibility
– Network IDS, IPS
– Network troubleshooting

• Problems with excessive visibility
– Segments acting as a hub

Excessive Network Traffic Visibility

Lacking Network Traffic Visibility
Direct network communication from VM1 to VM2 never seen on the physical network, hence may be invisible to your existing network monitoring solutions.

Testing Network Traffic Visibility
• Capture traffic from various points of reference using a protocol analyser
– Wireshark
– tcpdump
– Microsoft Network Monitor

• Easiest to see what’s happening on a quiet network
• Use capture filters to reduce noise
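
A way to evaluate captures taken for the visibility test on the slides above, added here as an example and not part of the original presentation. It reads the text output of `tcpdump -e -n` from two vantage points and reports both problems: unicast frames between other hosts seen from inside a VM (segment acting as a hub), and VM-to-VM traffic absent from the physical network. The MAC addresses, capture lines and function names are constructed for illustration.

```python
import re
from collections import Counter

# Link-level header as printed by `tcpdump -e -n`: "<src mac> > <dst mac>,"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FRAME = re.compile(rf"({MAC}) > ({MAC}),", re.I)

# Constructed addresses and capture lines, for illustration only.
VM1, VM2, VM3, GW = (f"02:00:00:00:00:0{n}" for n in (1, 2, 3, 9))
BCAST = "ff:ff:ff:ff:ff:ff"
IP = "ethertype IPv4 (0x0800), length 74:"
VM3_CAPTURE = [  # taken inside VM3, which shares a virtual segment with VM1 and VM2
    f"12:00:01.000100 {VM1} > {VM2}, {IP} 10.0.0.1.40000 > 10.0.0.2.80: Flags [S]",
    f"12:00:01.000200 {VM2} > {VM1}, {IP} 10.0.0.2.80 > 10.0.0.1.40000: Flags [S.]",
    f"12:00:01.000300 {VM1} > {BCAST}, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.9",
    f"12:00:01.000400 {VM3} > {GW}, {IP} 10.0.0.3.40001 > 10.0.0.9.53: UDP, length 32",
]
PHYSICAL_CAPTURE = [  # taken on the physical network behind the host's uplink
    f"12:00:01.000400 {VM3} > {GW}, {IP} 10.0.0.3.40001 > 10.0.0.9.53: UDP, length 32",
]

def frames(lines):
    """Yield (src_mac, dst_mac) for every capture line that has a link-level header."""
    for line in lines:
        m = FRAME.search(line)
        if m:
            yield m.group(1).lower(), m.group(2).lower()

def is_unicast(mac):
    # The low bit of the first octet is set for broadcast and multicast addresses.
    return int(mac[:2], 16) & 1 == 0

def foreign_unicast(lines, local_mac):
    """Excessive visibility: count unicast frames that are neither from nor to local_mac."""
    local = local_mac.lower()
    return Counter((s, d) for s, d in frames(lines)
                   if local not in (s, d) and is_unicast(d))

def pair_seen(lines, mac_a, mac_b):
    """Lacking visibility: was any frame between the two MACs captured at this vantage point?"""
    want = {mac_a.lower(), mac_b.lower()}
    return any({s, d} == want for s, d in frames(lines))

if __name__ == "__main__":
    for pair, n in foreign_unicast(VM3_CAPTURE, VM3).items():
        print("VM3 can see unicast traffic", pair, "x", n)
    print("VM1<->VM2 visible on physical network:", pair_seen(PHYSICAL_CAPTURE, VM1, VM2))
```

Broadcast and multicast frames are excluded because every host on a segment is expected to receive them; a brief burst of foreign unicast can also come from a switch flooding frames for a destination it has not yet learned, so judge on sustained conversations.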

Attacking the Hypervisor
• Guest to Guest attacks
– Future vulnerabilities possible

• Guest to Host attacks
– Few have been discovered, none widely exploited
– Major problems in this area likely to appear in the future

• Host to Guest attacks

Change and Configuration Management
• Integrate with existing processes
– Adjustments to existing systems and/or processes may be necessary

• Changes to production virtual infrastructure components warrant increased scrutiny
– Hypervisor changes
– SAN changes
– Hardware, network, and other related changes

Virtual Appliances
• Pre-configured virtual machines
• Hundreds available
• Generally tailored to a specific use
– Mail server
– Anti-spam
– Application server
– Web server
– Database server
– etc…

Risks of Virtual Appliances
• Ease of running unmanageable systems
• Malicious code

Only use virtual appliances provided by a trusted vendor in production environments

Fault Tolerance
• Consider maintaining redundant physical servers for your most critical functions
– DHCP
– DNS
– Authentication and directory services (Active Directory, etc.)

Virtual Security Solutions
• Hypervisor IPS
– Immature and unproven products exist
– “Right now there is zero evidence to suggest that hypervisor IPS is anything but snake oil, and zero hypervisor research findings to back the concept”
Thomas Ptacek, from http://www.matasano.com/log/708/dark-reading-on-virtualization-security/

• Virtual network IDS/IPS
– Immature products exist, not widely used

• An area to watch
– As more research is conducted and products mature, products in this space will likely become more common.
– Exercise caution with products in this space

Audit Guidance
• Specific check lists hard to come by
• Look for security guidance and best practices documents from virtualization vendor
• Partner with technical expert on your virtualization platform
– External resources may be required

Virtual Malware Analysis
• Hosted virtualization commonly used to analyze suspected malware
• Should not trust virtualization to protect host OS
– Hypervisor vulnerabilities
– Networking
– VM and host integration utilities

• Today’s malware commonly detects virtualization software and behaves differently

Additional References
• Security Implications of the Virtualized Data Center
– http://www.sans.org/reading_room/whitepapers/sysadmin/1796.php
• Virtualization and Security – ISS
– http://blogs.iss.net/archive/virtblog.html
• Virtualization security risks being overlooked, Gartner warns.
– http://www.networkworld.com/news/2007/040607-virtualizationsecurity.html
• Virtualization Security – Matasano Security
– http://www.matasano.com/log/708/dark-reading-on-virtualization-security/
• DISA Virtual Machine Security Technical Implementation Guide
– http://iase.disa.mil/stigs/stig/vm_stig_v2r2.pdf

Thanks for attending!
• Presentation available from:
– http://chrisbuechler.com/ISSA2007.pdf