Virtualization security

Virtualization - By Mangesh Gunjal

null Pune May 2012 Meet

Transcript of Virtualization security

Page 1: Virtualization security

Virtualization

- By Mangesh Gunjal

Page 2: Virtualization security

Topics to be Covered:

Virtualization

Virtual Machine Monitor

Types of Virtualization

Why Virtualization..?

Virtualization Application Areas

Virtualization Risks

Virtualization Security

VM Sprawl

Miscellaneous

Page 3: Virtualization security

Virtualization

- Multiple Execution Environments

- Hardware and Software Partitioning

- Time-Sharing

- Partial or Complete Machine Simulation/Emulation

- Multiple Operating Systems on a Single Physical System

- Share the Underlying Hardware Resources

- Separation of a Resource or Request for a Service

Page 4: Virtualization security

Source: Virtualization Overview whitepaper, by VMware.

Page 5: Virtualization security

- Virtual Machine Monitor (VMM)

- Emulation or Simulation

- Virtual Machines

- Isolated Environment

Page 6: Virtualization security

Source: Virtualization Overview whitepaper, by VMware.

Page 7: Virtualization security

Para Virtualization

Source: Virtualization Overview whitepaper, by VMware.

Page 8: Virtualization security

Why Virtualization..?

Server Consolidation

Legacy Applications

Sandbox

Execution of Multiple Operating Systems

Simulation of Hardware and Networking Devices

Powerful Debugging and Performance Monitoring

Fault and Error Containment

Application and System Mobility

Shared Memory Multiprocessors

Business Continuity

Virtualization is FUN... and plenty of other reasons.

Page 9: Virtualization security

Source: Virtualization Overview whitepaper, by VMware.

Page 10: Virtualization security

Infrastructure is what connects resources to your business.

Virtual Infrastructure is a dynamic mapping of your resources to your business.

Result: decreased costs and increased efficiencies and responsiveness.

Source: Virtualization Overview whitepaper, by VMware.

Page 11: Virtualization security

Virtualization Application Areas

Desktop Virtualization

Application Virtualization

Page 12: Virtualization security

Virtualization Application Areas

Infrastructure Virtualization

Server Virtualization

Storage Virtualization

Network Virtualization

Page 13: Virtualization security

Virtualization Risks

- Inexperience Involved

- Increased Channels for Attack

- Change Management Control

- IT Asset Tracking and Management

- Securing Dormant Virtual Machines

- Sharing Data between Virtual Machines

Page 14: Virtualization security

Exploitation on Virtualization

- Malicious Code Activities through Detection of VM.

- Denial of Service on the Virtual Machine.

- Virtual Machine Escape

Page 15: Virtualization security

Historical Incident

- VMware Multiple Denial Of Service Vulnerabilities

Some VMware products support storing configuration information in VMDB files. Under some circumstances, a malicious user could instruct the virtual machine process (VMX) to store malformed data, causing an error. This error could enable a successful Denial-of-Service attack on guest operating systems.

Link: http://www.Securiteam.com/cves/2007/CVE-2007-1877.html

Page 16: Virtualization security

Virtualization Security

Hypervisor Security

Host / Platform Security

Securing Communications

Security between Guests

Security between Hosts and Guests

Virtualized Infrastructure Security

Virtual Machine Sprawl

Page 17: Virtualization security

Hardening Steps to Secure Virtualisation Environment - Server Service Console

- Restriction to Internal Trusted Network

- Block all the incoming and outgoing traffic except for necessary ports.

- Monitor the integrity and modification of the configuration files

- Limit ssh-based client communication to a discrete group of IP addresses

- Create separate partitions for /home, /tmp, and /var/log
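The "monitor the integrity and modification of the configuration files" step above is the one most often left as a slogan. The following is an added example, not code from the slides or from any vendor: a minimal baseline-and-compare integrity check that records the SHA-256 digest and permission bits of each watched file and later reports anything missing, modified or re-permissioned. The file names and contents are constructed for the demonstration; the manifest format is my own.

```python
"""Added example (not from the slides): baseline-and-compare integrity
check for service-console configuration files. Paths, contents and the
JSON manifest layout are constructed for this demonstration."""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_baseline(paths, manifest_path):
    """Record digest, size and permission bits of each watched file."""
    manifest = {}
    for p in paths:
        st = os.stat(p)
        manifest[p] = {"sha256": sha256_of(p),
                       "size": st.st_size,
                       "mode": st.st_mode & 0o777}
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def check_baseline(manifest_path):
    """Compare current file state against the manifest.

    Returns {path: reason} for every file that is missing, whose permission
    bits changed, or whose content hash differs. An empty dict means the
    baseline still holds."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    findings = {}
    for p, expected in manifest.items():
        if not os.path.isfile(p):
            findings[p] = "missing"
            continue
        mode = os.stat(p).st_mode & 0o777
        if mode != expected["mode"]:
            findings[p] = "permissions changed (%o -> %o)" % (expected["mode"], mode)
        elif sha256_of(p) != expected["sha256"]:
            findings[p] = "content modified"
    return findings


def demo():
    """Baseline two constructed config files, then alter one of them.

    Returns (findings before tampering, findings after tampering)."""
    workdir = tempfile.mkdtemp()
    sshd = os.path.join(workdir, "sshd_config")
    hosts = os.path.join(workdir, "hosts.allow")
    with open(sshd, "w") as fh:
        fh.write("Port 22\nPermitRootLogin no\n")
    with open(hosts, "w") as fh:
        fh.write("sshd: 10.10.0.0/255.255.0.0\n")
    manifest = os.path.join(workdir, "baseline.json")
    make_baseline([sshd, hosts], manifest)
    clean = check_baseline(manifest)
    # Simulate an out-of-band edit of the sshd configuration.
    with open(sshd, "a") as fh:
        fh.write("Port 2222\n")
    tampered = check_baseline(manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)   # {}
    print("after tampering:", after)     # {'.../sshd_config': 'content modified'}
```

In practice the manifest would be written to read-only or off-host storage and the check run from cron, so that an attacker who can edit the files cannot also rewrite the baseline; comparing permission bits before the hash catches a world-writable config even when its content has not changed yet.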

Page 18: Virtualization security

Hardening Steps to Secure Virtualisation Environment - Virtual Network Layer

- Network breach by user error or omission.

- MAC Address spoofing (MAC address changes)

- MAC Address spoofing (Forged transmissions)
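The two MAC-spoofing items above correspond to per-port-group security policy settings on the virtual switch (MAC address changes and forged transmits, alongside promiscuous mode), and a port group inherits the switch setting unless it overrides it. The following is an added example, not code from the slides or from VMware: an audit over a constructed inventory that computes each port group's effective policy and flags any setting that is not "reject", with an explicit exception list for port groups that legitimately need a permissive setting, such as a dedicated span port for a monitoring sensor. The inventory structure and field names are my own, not a vendor API.

```python
"""Added example (not from the slides): audit virtual-switch security policy
for promiscuous mode, MAC address changes and forged transmits. The
inventory, field names and exception list are constructed for this demo."""

SETTINGS = ("promiscuous", "mac_changes", "forged_transmits")


def effective_policy(switch_policy, portgroup_override):
    """A port group inherits the switch policy; overrides win per setting."""
    policy = dict(switch_policy)
    policy.update(portgroup_override or {})
    return policy


def audit(inventory, exceptions=frozenset()):
    """Return (switch, portgroup, setting, value) for every setting that is
    not 'reject' and not covered by an approved exception.

    A setting missing from both switch and port group is reported as
    'accept' rather than assumed safe. exceptions holds (portgroup, setting)
    pairs that have been reviewed and approved."""
    findings = []
    for sw in inventory:
        for pg in sw["portgroups"]:
            eff = effective_policy(sw["policy"], pg.get("override"))
            for setting in SETTINGS:
                value = eff.get(setting, "accept")
                if value == "reject" or (pg["name"], setting) in exceptions:
                    continue
                findings.append((sw["name"], pg["name"], setting, value))
    return findings


# Constructed inventory: one hardened switch with a drifted port group, one
# legacy switch still running with permissive defaults.
INVENTORY = [
    {"name": "vSwitch0",
     "policy": {"promiscuous": "reject", "mac_changes": "reject",
                "forged_transmits": "reject"},
     "portgroups": [
         {"name": "Management"},
         {"name": "VM Network", "override": {"mac_changes": "accept"}},
     ]},
    {"name": "vSwitch1",
     "policy": {"promiscuous": "reject", "mac_changes": "accept",
                "forged_transmits": "accept"},
     "portgroups": [
         {"name": "IDS-Span", "override": {"promiscuous": "accept"}},
         {"name": "Legacy"},
     ]},
]

# The IDS sensor's span port group is allowed promiscuous mode; nothing else is.
APPROVED = frozenset({("IDS-Span", "promiscuous")})


def run_audit():
    return audit(INVENTORY, APPROVED)


if __name__ == "__main__":
    for finding in run_audit():
        print("%s / %s: %s = %s" % finding)
```

Running it reports five findings: the MAC-changes override on "VM Network", and MAC changes plus forged transmits inherited from vSwitch1 by both "IDS-Span" and "Legacy"; the approved promiscuous setting on "IDS-Span" is not reported. Keeping the exception list in version control gives change-management a record of why a permissive setting exists.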

Page 19: Virtualization security

Hardening Steps to Secure Virtualisation Environment - Virtual Machine

- Apply standard infrastructure security measures into virtual infrastructure

- Set the resource reservation and limits for each virtual machine

Page 20: Virtualization security

Virtual Machine Sprawl

Unchecked creation of new Virtual Machines (VMs).

The VMs that are created for a short-term project are still using CPU, RAM and network resources, and they consume storage even if they are powered off.

VM sprawl could lead to a computing environment running out of resources at a much quicker-than-expected rate, and it could skew wider capacity-planning exercises.
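The sprawl problem described above is measurable from the inventory: powered-off machines that have not run for a long time, machines with no recorded owner, and the storage all of them still occupy. The following is an added example, not code from the slides: a sweep over a constructed VM inventory that flags stale powered-off VMs and ownerless VMs and totals the reclaimable storage, which is the figure a capacity-planning exercise needs. The record layout, the 90-day threshold and the sample data are my own assumptions.

```python
"""Added example (not from the slides): detect VM sprawl in an inventory
export. Records, field names and the staleness threshold are constructed."""
from datetime import datetime, timedelta

# Constructed inventory, dated as of the May 2012 meet.
INVENTORY = [
    {"name": "web-prod-01", "power_state": "poweredOn",
     "last_power_on": "2012-04-01", "owner": "ops", "disk_gb": 40},
    {"name": "proj-demo-2011", "power_state": "poweredOff",
     "last_power_on": "2011-11-15", "owner": "", "disk_gb": 80},
    {"name": "test-db", "power_state": "poweredOff",
     "last_power_on": "2012-04-20", "owner": "dev", "disk_gb": 60},
    {"name": "template-old", "power_state": "poweredOff",
     "last_power_on": "2011-12-01", "owner": "ops", "disk_gb": 20},
]


def find_sprawl(vms, now, stale_days=90):
    """Classify VMs that are likely sprawl.

    stale_powered_off: powered off and not powered on within stale_days.
    unowned:           no owner recorded, so nobody can approve removal.
    reclaimable_gb:    storage held by the stale powered-off machines.
    powered_off_gb:    storage held by every powered-off machine."""
    cutoff = now - timedelta(days=stale_days)
    stale, unowned = [], []
    reclaimable_gb = powered_off_gb = 0
    for vm in vms:
        if not vm["owner"].strip():
            unowned.append(vm["name"])
        if vm["power_state"] != "poweredOff":
            continue
        powered_off_gb += vm["disk_gb"]
        last_on = datetime.strptime(vm["last_power_on"], "%Y-%m-%d")
        if last_on < cutoff:
            stale.append(vm["name"])
            reclaimable_gb += vm["disk_gb"]
    return {"stale_powered_off": sorted(stale),
            "unowned": sorted(unowned),
            "reclaimable_gb": reclaimable_gb,
            "powered_off_gb": powered_off_gb}


def run_report(as_of="2012-05-15"):
    return find_sprawl(INVENTORY, datetime.strptime(as_of, "%Y-%m-%d"))


if __name__ == "__main__":
    report = run_report()
    for key, value in report.items():
        print("%-18s %s" % (key, value))
```

With the sample data the report lists proj-demo-2011 and template-old as stale, proj-demo-2011 as unowned, and 100 GB as reclaimable out of 160 GB held by powered-off machines. The same sweep doubles as a control for the "securing dormant virtual machines" risk, since a stale VM that is later powered on has missed every patch cycle in between.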

Page 21: Virtualization security

Miscellaneous

Kaspersky Lab has introduced Kaspersky Security for Virtualization, a virtual security appliance that integrates with VMware vShield Endpoint to provide agentless anti-malware security.

VMware Source Code Leak Reveals Virtualization Security Concerns.

Symantec has its own wide range of tools for Virtualization Security:

- Symantec Critical System Protection

- Symantec Data Loss Prevention

- Symantec Control Compliance Suite

- Symantec Security Information Manager

- Symantec Managed Security Services

- Symantec Endpoint Solutions

Page 22: Virtualization security

References

- VMware.com

- Microsoft.com

- SANS.org

- Gartner.com

- Trendmicro.com

- Symantec.com

Page 23: Virtualization security

Thank You