2. Topics to be Covered:
Virtualization
Virtual Machine Monitor
Types of Virtualization
Why Virtualization..?
Virtualization Application Areas
Virtualization Risks
Virtualization Security
VM Sprawl
Miscellaneous
3. Virtualization
- Multiple Operating Systems on a Single Physical System
- Multiple Execution Environments Sharing the Underlying Hardware Resources.
- Hardware and Software Partitioning,
- Time-Sharing,
- Partial or Complete Machine Simulation/Emulation
- Separation of a Resource or Request for a Service.
4. Source: Virtualization Overview whitepaper, By
5. - Virtual Machine Monitor (VMM)
- Emulation or Simulation
- Virtual Machines
- Isolated Environment
7. Para Virtualization
8. Why Virtualization..?
Server Consolidation.
Legacy Applications.
Sandbox.
Execution of Multiple Operating Systems.
Simulation of Hardware and Networking Devices.
Powerful Debugging and Performance Monitoring.
Fault and Error Containment.
Application and System Mobility.
Shared Memory Multiprocessors.
Business Continuity.
10. Infrastructure is what connects resources to your business.
Virtual Infrastructure is a dynamic mapping of your resources to your business.
Result: decreased costs and
12. Virtualization Application Areas
Server Virtualization
Storage Virtualization
Infrastructure Virtualization
Network Virtualization
13. Virtualization Risks
- Inexperience Involved.
- Increased Channels for Attack.
- Change Management Control.
- IT Asset Tracking and Management.
- Securing Dormant Virtual Machines.
- Sharing Data between Virtual Machines.
14. Exploitation on Virtualization
- Malicious Code Activities through Detection of VM.
- Denial of Service on the Virtual Machine.
- Virtual Machine Escape
15. Historical Incident
- VMware Multiple Denial Of Service Vulnerabilities
Some VMware products support storing configuration information in VMDB files. Under some circumstances, a malicious user could instruct the virtual machine process (VMX) to store malformed data, causing an error. This error could enable a successful Denial-of-Service attack on guest operating systems.
Link:
16. Virtualization Security
Hypervisor Security
Host/Platform Security
Securing Communications
Security between Guests
Security between Hosts and Guests
Virtualized Infrastructure Security
Virtual Machine Sprawl
17. Hardening Steps to Secure Virtualisation Environment - Server Service Console
- Restriction to Internal Trusted Network
- Block all the incoming and outgoing traffic except for necessary ports.
- Monitor the integrity and modification of the configuration files
- Limit SSH-based client communication to a discrete group of IP addresses
- Create separate partitions for /home, /tmp, and /var/log
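One way to implement the "monitor the integrity and modification of the configuration files" step above, as an added example that is not part of the original slides: record a baseline of SHA-256 digests for the service console's configuration files on a known-good system, then periodically recompute them and report anything that changed or disappeared. The script assumes GNU coreutils (sha256sum, find -print0, sort -z, mktemp); the directory layout and file contents in demo() are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original slides: baseline-and-compare
# integrity check for service console configuration files.
# Assumes GNU coreutils; demo() builds a constructed stand-in for /etc.
set -u

# make_baseline DIR OUT: record a SHA-256 digest for every regular file
# under DIR into OUT. Run once on a known-good host and keep OUT off-host,
# otherwise whoever alters a file can also rewrite the baseline.
make_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum > "$2"
}

# check_integrity BASELINE: recompute each digest and print one line per
# file that changed or no longer exists. The return status is the number
# of such files, so 0 means the baseline still matches.
check_integrity() {
    changed=0
    while read -r digest path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            changed=$((changed + 1))
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$digest" ]; then
            echo "MODIFIED $path"
            changed=$((changed + 1))
        fi
    done < "$1"
    return "$changed"
}

# demo: constructed /etc stand-in with two files; sshd_config is then
# altered to simulate an unauthorised change. Returns the finding count (1).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/ssh"
    printf 'PermitRootLogin no\n' > "$tmp/etc/ssh/sshd_config"
    printf 'nameserver 192.0.2.53\n' > "$tmp/etc/resolv.conf"
    make_baseline "$tmp/etc" "$tmp/baseline.sha256"
    printf 'PermitRootLogin yes\n' > "$tmp/etc/ssh/sshd_config"   # simulated tampering
    check_integrity "$tmp/baseline.sha256"
    n=$?
    rm -rf "$tmp"
    return "$n"
}
```

Running check_integrity from cron and forwarding a non-zero status (or the MODIFIED/MISSING lines) to the monitoring system turns the slide's bullet into an alert rather than a one-off inspection; the same approach is what dedicated file-integrity tools automate.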
18. Hardening Steps to Secure Virtualisation Environment - Virtual Network Layer
- Network breach by user error or omission.
- MAC Address spoofing (MAC address changes)
- MAC Address spoofing (Forged transmissions)
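The two MAC spoofing risks on this slide correspond to two comparisons a virtual switch port can enforce: whether the guest has changed its effective MAC away from the address assigned in the VM configuration, and whether a transmitted frame carries a source MAC other than that effective address. The following added example (not from the slides) runs both comparisons over a constructed set of port records; the record layout, the address values and the finding labels are assumptions for this demonstration, not any product's export format.

```shell
#!/bin/sh
# Added example, not from the slides: the checks behind the "MAC address
# changes" and "forged transmissions" risks, applied to constructed records.
# Record layout (constructed):  port  initial_mac  effective_mac  frame_src_mac
#   initial_mac   - address assigned to the vNIC in the VM configuration
#   effective_mac - address the guest OS is currently using
#   frame_src_mac - source address in a frame the guest transmitted
RECORDS='vnic1 00:50:56:aa:bb:01 00:50:56:aa:bb:01 00:50:56:aa:bb:01
vnic2 00:50:56:aa:bb:02 00:50:56:aa:bb:02 00:50:56:de:ad:01
vnic3 00:50:56:aa:bb:03 00:50:56:ca:fe:03 00:50:56:ca:fe:03'

# audit_records: reads records from stdin, prints one finding per violation
# and writes the total number of findings as the last line.
audit_records() {
    awk '
    NF == 4 {
        port = $1; init = tolower($2); eff = tolower($3); src = tolower($4)
        # guest changed its MAC: what a "MAC address changes: Reject" policy blocks
        if (eff != init) { printf "MAC_CHANGE %s initial=%s effective=%s\n", port, init, eff; n++ }
        # frame source differs from the effective MAC: a forged transmission
        if (src != eff)  { printf "FORGED_TX  %s effective=%s frame_src=%s\n", port, eff, src; n++ }
    }
    END { print n + 0 }'
}

# count_findings: number of violations in RECORDS (2 for the data above:
# vnic2 forges a frame, vnic3 changed its MAC).
count_findings() {
    printf '%s\n' "$RECORDS" | audit_records | tail -n 1
}
```

In a real deployment these comparisons are made by the virtual switch port policy rather than by a script; the value of running them over exported records is to spot ports where the policy has been left permissive and guests are already relying on it.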
19. Hardening Steps to Secure Virtualisation Environment - Virtual Machine
- Apply standard infrastructure security measures into virtual infrastructure
- Set the resource reservation and limits for each virtual machine
20. Virtual Machine Sprawl
Unchecked creation of new Virtual Machines (VMs).
The VMs that are created for a short-term project are still using CPU, RAM and network resources, and they consume storage even if they are powered off.
VM sprawl could lead to a computing environment running out of resources at a much quicker-than-expected rate, and it could skew wider capacity-planning exercises.
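A minimal sprawl audit, added here as an example and not part of the original slides: given an inventory export, list the VMs that have been powered off for longer than a threshold and total the storage they still occupy, which is the hidden cost the slide describes. The inventory lines, field layout, VM names and the 30-day threshold are all constructed assumptions for this demonstration; a real inventory would be exported from the management layer.

```shell
#!/bin/sh
# Added example, not from the slides: flag powered-off VMs older than a
# threshold and sum the storage they still hold. All data is constructed.
# Record layout:  name  power_state  days_since_last_power_on  disk_gb
INVENTORY='web-01      poweredOn   0   40
build-tmp   poweredOff  95  120
demo-q1     poweredOff  61  80
db-02       poweredOn   0   200
test-old    poweredOff  12  30'
STALE_DAYS=30   # assumed threshold: off longer than this = sprawl candidate

# report_stale: reads inventory from stdin, prints one line per stale VM,
# then a final line "<count> <total_gb>".
report_stale() {
    awk -v limit="$STALE_DAYS" '
    NF == 4 && $2 == "poweredOff" && $3 + 0 > limit + 0 {
        printf "STALE %-12s off for %3d days, %4d GB still allocated\n", $1, $3, $4
        count++; gb += $4
    }
    END { printf "%d %d\n", count + 0, gb + 0 }'
}

# stale_count / stale_gb: the two totals for use in other scripts
# (2 VMs and 200 GB for the constructed inventory above).
stale_count() { printf '%s\n' "$INVENTORY" | report_stale | tail -n 1 | cut -d' ' -f1; }
stale_gb()    { printf '%s\n' "$INVENTORY" | report_stale | tail -n 1 | cut -d' ' -f2; }
```

Pairing a report like this with an owner and expiry date recorded at VM creation time is what lets the "short-term project" VMs the slide mentions be reclaimed on schedule instead of discovered during capacity planning.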
21. Miscellaneous
Kaspersky Lab has introduced Kaspersky Security for Virtualization, a virtual security appliance that integrates with VMware vShield Endpoint to provide agentless anti-malware security.
VMware Source Code Leak Reveals Virtualization Security Concerns.
Symantec has its own wide range of tools for Virtualization Security:
− Symantec Critical System Protection
− Symantec Data Loss Prevention
− Symantec Control Compliance Suite
− Symantec Security Information Manager