Benefits of Virtualization for IT Security

06/23/22 1 Benefits of Virtualization for IT Security Clay Calvert Director of IT Security University of Mary Washington

Transcript of Benefits of Virtualization for IT Security


04/13/23 1

Benefits of Virtualization for IT Security

Clay Calvert

Director of IT Security, University of Mary Washington


Vocabulary

VM / Guest – Virtual Machine

Host – Physical machine

VMDK – Virtual Disk

VMX – Virtual Machine Config File


Recent Vendor Progress in Virtualization

Microsoft released Hyper-V

Steve Ballmer said "It's virtualization time for Microsoft. We're gonna make sure we democratize virtualization."

Apple (finally) allows virtualization of OS-X Leopard, but only the server version and only on Mac Hardware (of course).

Sun buys VirtualBox for i386 and will be virtualizing SPARC hardware using a customized Xen.


What is Virtualization?

Per Wikipedia: In computing, virtualization is a broad term that refers to the abstraction of computer resources.

Virtualization is more than emulation. Virtual machines have near ‘real-time’ access to many of the resources on the physical computer.


What is Virtualization? (Continued)

Virtualization from an application perspective is fairly easy. The hard part, for many, is the concepts behind a virtual machine.

In most cases, a VM can be treated the same as a physical computer
  How do you back up a Virtual Machine?
  How do you monitor a VM?


How can a VM act like a real computer? Is it “Voodoo”?


VMware Bridge Protocol is a “layer 2” device. VMs can have completely different network protocols installed than the host. In fact, no layer three networking even needs to be on the host.


What is a Virtual Machine?

A virtual machine is primarily a folder containing small configuration files and large virtual disk files. These folders, just like regular directories, can be copied.

RAM is a value in a config file.

Optical drives are passed through from the physical host. ISO files can also be used.


Virtual Machine Files Example


Sample Virtual Machine Config File

sanbarrow.com is a great site for .VMX file info

config.version = "8"
virtualHW.version = "4"
memsize = "384"
ide1:0.present = "TRUE"
ide1:0.fileName = "auto detect"
ide1:0.deviceType = "cdrom-raw"
ide0:0.present = "TRUE"
ide0:0.fileName = "MAIN.vmdk"
ide0:1.present = "TRUE"
ide0:1.fileName = "IMAGES.vmdk"
ethernet0.present = "TRUE"


So, VMs can be copied, you say?

What about different physical hardware?
  For the most part, the same virtual hardware is used
  VMs can be run from Windows, Linux and even Mac physical machines. Can you say “portable”?

Disaster Recovery / COOP
  Have copies of VMs at alternate data center
  Keep previous versions at the ready
  Better yet, automatic data synchronization. $$$


What else can I do with a copied VM?

Part of IT security is separating production from development and testing.
  CISSP Domain: Applications and System Development Security

Copies of production can be used for nearly bit-to-bit identical servers for testing.
  Be careful not to have name conflicts on network
  Rename VM server names or sandbox.


Cloning Physical Servers into VMs

VMware has a converter tool
  Can clone Windows machines while they are running
  Drivers, etc., can be automatically installed.

Can use Ghost and other imaging tools
  VMware can mount Ghost and Acronis image files
    Newer versions only

Production may run physically, but Dev and Test can be virtualized through cloning.


Benefits to Testing and Development

Cost of physical servers

Do we all have exact copies of production in our development and testing labs?

What about for each developer/team that needs a separate environment?

Testing migrations, e.g., Novell to AD

Build new servers in Dev., then copy to Prod.


Testing and Development Benefits, Cont.

Snapshots (One of the coolest features, ever!)
  Original VMDKs become read-only
  Disk changes are stored in separate file
  Reverting to previous state erases all changes

“Will this service pack break my application?”
How do you uninstall MDAC updates?


Non-Linear Snapshots


“Boss, I need 10 PCs so I can test out the web page with different browsers.”

This feature is not on all virtualization applications.


High Availability (More Voodoo)


Certain virtualization products can move running VMs from one physical server to another while running.
  Usually require connecting to same SAN
  Newer software can copy between SANs

VMs shut down on one host can be powered up on another physical machine.


High Availability, cont.


Training / Playground

Anyone been to a SANS class?

One can do quite a bit of damage to a VM, and be able to revert it to the original state.

Multiple Operating Systems
  Linux, Windows, Solaris, DOS, even Novell & more.
  Can even run 64-bit VMs on 32-bit Host OSes
    Need 64-bit, VT enabled CPU
    Turn on hardware virtualization in BIOS


Forensics benefits with virtualization

Malware Analysis
  “Sandbox” the VM, i.e., disable network
  Take snapshots
  Can use debuggers ‘externally’
    Visual Studio and Eclipse, for example

Mount captured disk images as VMs
  Conversely, how do you image a VM?
  What about RAM imaging?

Keep multiple tools handy. Helix, Backtrack, etc.
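The "disable network" step can be verified from the VM's .vmx file before the guest is powered on. This is an added example, not part of the original slides: it parses the key = "value" format of the sample config file shown earlier and reports every virtual NIC still marked present. The sample text is constructed, and ethernetN.connectionType is a VMware key that does not appear on the slide.

```python
import re

# Constructed sample modelled on the slide's listing; the connectionType line is added.
SAMPLE_VMX = '''\
config.version = "8"
memsize = "384"
ide0:0.present = "TRUE"
ide0:0.fileName = "MAIN.vmdk"
ide1:0.present = "TRUE"
ide1:0.fileName = "auto detect"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet1.present = "FALSE"
'''

LINE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {key: value} for each key = "value" line, keys lowercased."""
    cfg = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg

def attached_nics(cfg):
    """Map every virtual NIC marked present to its connection type."""
    nics = {}
    for key, value in cfg.items():
        m = re.fullmatch(r'(ethernet\d+)\.present', key)
        if m and value.upper() == "TRUE":
            nics[m.group(1)] = cfg.get(m.group(1) + ".connectiontype", "unspecified")
    return nics

def virtual_disks(cfg):
    """List the .vmdk files the VM opens (the files to copy or hash)."""
    return sorted(v for k, v in cfg.items()
                  if k.endswith(".filename") and v.lower().endswith(".vmdk"))

def sandbox_findings(cfg):
    """One finding per NIC that still gives the guest a network path."""
    return [f"{nic} is present ({mode}); disable it before analysis"
            for nic, mode in sorted(attached_nics(cfg).items())]

if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    print(virtual_disks(cfg), sandbox_findings(cfg))
```

An empty findings list means no virtual NIC is marked present in the config; the disk list names the files that make up the evidence set for that VM.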


Network Forensics

Fairly easy to capture traffic without needing software or in-line sniffer. Capture from Host.

VMs can be set to revert to previous state on reboot.

VMs can be easily deployed. Small. Cheap.

Honeypots

Honeynets


How do you do honeynets?

Multiple virtual switches can be created

There is no built-in router or firewall but small VMs, such as M0n0wall, work great

VMs can be assigned multiple NICs

Different NICs can be assigned to the virtual switches


VMware Virtual Network Editor


Custom Virtual Network Diagram


VMware’s and NSA’s NetTop


VMware’s NetTop, cont.

Laptop running trusted Linux
  No TCP/IP installed at this level

One Linux VM is a packet filtering router
Other Linux VMs are IPSEC firewalls

Different security postures are allowed on same physical computer.
  Top Secret and Confidential living together… Oh, my!

If the NSA can trust virtualization…


Some Uses of Virtualization

Virtual machines allow for great flexibility in a wide range of topics

Call Centers / Help Desks
16-bit on 64-bit
Old software
No drivers USB, etc., pass through
Screen shots/casts
Security
Testing
Documenting
Disaster Recovery
COOP
Development
Labs
Training
Multiple OSes


“Impossible” Screen Shot. TrueCrypt pre-boot password prompt.


Disadvantages of Virtualization

Did I mention that the whole computer is a set of files? Hmm, can you say physical security?

Shared resources can slow down other VMs.

One physical server outage can down several production ‘servers’.

Vulnerabilities in Host can compromise VMs

Management
  Virtual Machine Sprawl
  Where is it? What Host houses this VM?


Giving .EDUs a break

VMware Academic Program
  Most software can be used free of charge for IT, computer science and engineering programs.
  Discount for other software purchased.

VirtualBox
  Commercial version can be used in academic institutions.
  FYI, only decent freeware solution for Mac


Questions?

Comments?

[email protected] 540-286-8122