VMware Security Discussion


Security of VMware vSphere
Bob van der Werf
Sr. Systems Engineer
VMware
VMware Security Strategy
Platform Security
• Secure hypervisor architecture
• Platform hardening features
• Secure Development Lifecycle
Secure Operations
• Prescriptive guidance for deployment and configuration
• Integration into existing policies, procedures, and tools in the enterprise
Virtualization of Security
• Self-describing, self-configuring security
• Unique advantage of virtualization
Architecture: Isolation by design
CPU & Memory
• VMs have limited access to CPU
• Memory isolation enforced by hardware TLB
• Memory pages zeroed out before being used by a VM
Virtual Network
• No code exists to link virtual switches
• Virtual switches immune to learning and bridging attacks
Virtual Storage
• Virtual machines only see virtual SCSI devices, not actual storage
• Exclusive virtual machine access to virtual disks enforced by VMFS using SCSI file locks
Secure Implementation: VMware ESXi
• Compact 59 MB footprint
• Fewer patches
• Smaller attack surface
• Absence of general-purpose management OS
• No arbitrary code running on server
• Not susceptible to common threats
Secure Implementation: Platform Hardening
Integrity in Memory Protection
• ASLR – randomizes where core kernel modules load into memory
• NX/XD – marks writable areas of memory as non-executable
Kernel Integrity
• Digital signing – ensures the integrity of drivers and applications as they are loaded by the VMkernel.
• Module signing – allows ESX to identify the providers of modules, drivers, or applications and whether they are VMware-certified.
Independently validated
Common Criteria Certification EAL (Evaluation Assurance Level)
• CC EAL 4+ certification: highest recognized level
• Achieved for ESX 3.0; in process for ESX 3.5 and vSphere 4
DISA STIG for ESX
• Approval for use in DoD information systems
NSA Central Security Service
• Guidance for both datacenter and desktop scenarios
VMware vSphere™ – Components (diagram labels)
Application Services: Availability, Security, Scalability
Infrastructure Services: vCompute, vStorage, vNetwork
Feature labels: Clustering, Data Protection, Firewall, Anti-virus, Intrusion Prevention, Intrusion Detection, Dynamic Resource Sizing, Hardware Assist, Enhanced Live Migration, Compatibility, Storage Management & Replication, Storage Virtual Appliances, Network Management, VMware VMsafe APIs
vSphere 4.0
VMware VMsafe™: New approach to VM Security
• Protect by inspection of virtual components (CPU, Memory, Network and Storage)
• Functionality provided in Security Virtual Appliance
• Complete integration with VMware vSphere, e.g. VMotion, Storage VMotion, HA
• Better context
• Isolated from the malware
• In cooperation with the smaller, trustable codebase of the hypervisor
(Diagram: ESX with VMsafe)
VMsafe CPU/Memory API
• Can inspect memory locations and CPU registers
• Hypervisor Extension implemented as VMX/VMM modules
• VMsafe API Library
Capabilities:
• Detect current application state in the protected VM's CPU from general-purpose register values
• Sense system configuration state from the control registers on the protected VM
VMsafe CPU/Memory Interface (diagram)
• Protected Virtual Machines: each backed by its own VMX, VMM and VMsafe Extension
• Security Virtual Machine: Security Agent and VMsafe Library, backed by its own VMX and VMM
• VMware vSphere™
VMsafe CPU/Memory API Use Cases
BIOS: Early Boot Security
• Security Agents are up and running before the protected VM powers on
System Integrity Protection
• The Security Agent can monitor the protected VM's physical memory accesses
• Enforce multiple policies (verify-before-execute)
• Defeats: Shellcode interjection attack (overflow attack)
• Defeats: Kernelcode injection attack (bypass driver-signing processes)
VMsafe Network Packet Inspection API
• Provides distributed virtual filter (DVFilter) solutions to protect network packet streams
vNetwork Data Path Agent (Fast Agent)
• Installs as a kernel module and directly intercepts packets in the virtual network packet stream
vNetwork Control Path Agent (Slow Agent)
• Resides in a security virtual appliance and can be used for further thorough processing
VMsafe Net Data/Control Path Agents (diagram)
• Protected Virtual Machines: vNIC on each, with a DVFilter Data Path Agent in front of it
• Security Virtual Machine: Security Agent, Control Path Agent, DVFilter Library
• vSwitch / vNetwork Distributed Switch, pNICs, VMware vSphere™
VMsafe Network Packet Inspection API Capabilities
Inspecting packets
Modifying packets
Passing a packet to the control path agent for further processing
Dropping packets from the packet stream
Injecting packets in the packet stream
VMsafe Virtual Disk Development Kit
• Provides interfaces that allow applications to directly manipulate Virtual Machine Disk Format (VMDK) images
VDDK: Virtual Disk Development Kit
• Read/write data anywhere in a VMDK file
• Create and manage redo logs (parent-child disk chaining)
• Read and write disk metadata
VMsafe Virtual Disk Development Kit: Use Cases
• Read the VMDK image files offline, checking each sector for a virus signature
• Perform a forensic analysis on the VMDK image files
• Monitor compliance of configuration files on virtual disks
• Scan for unauthorized content on virtual disks, such as credit card or social security numbers
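As an added example (not VMware's VDDK, which hides this behind its own read call), the Python below walks a sparse VMDK extent's grain directory and grain tables to read every logical sector and checks each against byte signatures, the offline scan described above. The header layout follows VMware's published Virtual Disk Format spec; the image and the marker signature are constructed inline for the demonstration.

```python
import struct

SECTOR = 512
# Sparse extent header from VMware's Virtual Disk Format spec: little-endian, packed, 79 used bytes.
HDR = struct.Struct("<IIIQQQQIQQQBccccH")
MAGIC = 0x564D444B  # b"KDMV" read as a little-endian uint32

def parse_header(img):
    """Return the header fields needed to walk the grain directory and grain tables."""
    f = HDR.unpack_from(img, 0)
    if f[0] != MAGIC:
        raise ValueError("not a sparse VMDK extent")
    return {"capacity": f[3], "grain_size": f[4], "gtes_per_gt": f[7],
            "gd_offset": f[9], "overhead": f[10]}

def read_sector(img, hdr, lsn):
    """Read logical sector lsn: GD entry -> GT entry -> grain. Unallocated grains read as zeros."""
    grain = lsn // hdr["grain_size"]
    gde_pos = hdr["gd_offset"] * SECTOR + 4 * (grain // hdr["gtes_per_gt"])
    gt_sector, = struct.unpack_from("<I", img, gde_pos)
    if gt_sector == 0:
        return bytes(SECTOR)
    grain_sector, = struct.unpack_from("<I", img, gt_sector * SECTOR + 4 * (grain % hdr["gtes_per_gt"]))
    if grain_sector == 0:
        return bytes(SECTOR)
    off = (grain_sector + lsn % hdr["grain_size"]) * SECTOR
    return img[off:off + SECTOR]

def scan_sectors(img, signatures):
    """Offline scan: test every logical sector against byte signatures; returns (sector, name) hits."""
    hdr = parse_header(img)
    hits = []
    for lsn in range(hdr["capacity"]):
        data = read_sector(img, hdr, lsn)
        hits.extend((lsn, name) for name, sig in signatures.items() if sig in data)
    return hits

def build_sample_image():
    """Constructed 16-sector extent: header, 1 GD sector, 4 GT sectors, one allocated 8-sector grain."""
    grain_size, gtes = 8, 512
    hdr = HDR.pack(MAGIC, 1, 1, 16, grain_size, 0, 0, gtes, 0, 1, 6, 0, b"\n", b" ", b"\r", b"\n", 0)
    gd = struct.pack("<I", 2).ljust(SECTOR, b"\0")       # GDE 0 -> grain table at sector 2
    gt = struct.pack("<I", 6).ljust(gtes * 4, b"\0")      # GTE 0 -> grain at sector 6; GTE 1 = unallocated
    grain0 = bytearray(grain_size * SECTOR)
    grain0[3 * SECTOR:3 * SECTOR + 18] = b"CONSTRUCTED-MARKER"  # planted test pattern at logical sector 3
    return hdr.ljust(SECTOR, b"\0") + gd + gt + bytes(grain0)

if __name__ == "__main__":
    print(scan_sectors(build_sample_image(), {"test-marker": b"CONSTRUCTED-MARKER"}))
```

Sectors in the unallocated second grain come back as zeros without touching any file data, which is why a scanner over a sparse image must resolve grains rather than reading the extent linearly.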
Current VMsafe Program Partnerships
Where to Learn More
Security
Hardening Best Practices
Implementation Guidelines
http://vmware.com/go/security
Compliance
Partner Solutions
Advice and Recommendation
http://vmware.com/go/compliance
Operations
Peer-contributed Content
http://viops.vmware.com
Thank You
Bob van der Werf
[email protected]
http://www.vmware.com/go/security
http://www.vmware.com/go/compliance