SlideShare une entreprise Scribd logo
1  sur  20
Télécharger pour lire hors ligne
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




            1




                        2




Common issues of Virtualization
          Security
           Nguyễn Hinh | hinhnguyen00@gmail.com
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




            2                       About Me
          Hinh Nguyen



                        2
      hinhnguyen00@gmail.com




               UIT



     Focus on
   Virtualization
     & Cloud
    Computing
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                        3
                                  Content

    I. Overview
                                       2

    II. Benefits of Virtualization

    III. Risks for Virtualized Environments

    IV. Recommendations


Common issues of Virtualization Security                           2
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



               Virtualization Overview
                   4




                                       2



                                           With vMotion instances
                                           launching every second,
                                            there are more VMs in
                                             motion globally than
                                            actual aircraft.” -- Paul
                                            Maritz, CEO, VMware


Common issues of Virtualization Security                                3
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



    Virtualization Security Overview
            5

 • Gartner: 60% of VMs
   will be LESS
   SECURE than the 2
   Physical Servers they
   replace (through 2012)




     http://www.gartner.com/it/page.jsp?id=1322414
                                                     Better   Less Secure


Common issues of Virtualization Security                                    4
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                        6
                                  Why???
           Why - “Hypervisor creates new
                             attack surface”
                                  2


                             - Designer/Operator




Common issues of Virtualization Security                           5
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                        7




                                       2




       II. BENEFITS OF
       VIRTUALIZATION

Common issues of Virtualization Security                           6
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



                        II.1. Reduce cost
                        8

 • Reduce maintenance
   cost, save power
                       2
 • Reduce quantity of
   hardware & software
   to purchase
 • Reduce “server
   sprawl”




Common issues of Virtualization Security                           7
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



                              II.2. More Secure
                              9



                                Disaster Recovery &                   Forensic analysis
Sandboxing                             2
                                HA                                    capabilities

 unstable app & compromised
                                  HA, FT, ….                            snapshot
 server
                                  Mixed: 1 physical server (master)
 Risk: “VM Escape”
                                  – VMs (slave)




  Common issues of Virtualization Security                                                8
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                        10




                                       2




       III. RISKS FOR VIRTUALIZED
       ENVIRONMENTS

Common issues of Virtualization Security                           9
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



 III. Risks for Virtualized Environments
             11




                                       2




Common issues of Virtualization Security                           10
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



 III. Risks for Virtualized Environments
             12

 • Hypervisor
 • Host/platform
                        2
 • Communication
 • Isolation between guest
   and guest
 • Isolation between guest
   and host



Common issues of Virtualization Security                           11
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                        13




                                       2




       IV. RECOMMENDATIONS


Common issues of Virtualization Security                           12
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



                 IV.14Recommendations
 • Restrict physical access
 • Implement defense2 in depth
 • Enforce least privilege and separation of
   duties
 • Harden the hypervisor
 • Harden virtual machines and other
   components


Common issues of Virtualization Security                           13
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



                 IV.15Recommendations

                                       2




Common issues of Virtualization Security                           14
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



                 IV.16Recommendations

                                       2




Common issues of Virtualization Security                           15
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



                 IV.17Recommendations

                                       2




Common issues of Virtualization Security                           15
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!



                                       • Update OS,… like physical server
           18
                    VM                 • Limit sharing console: 2
                                       • Control access resource, disconnet
                                         unauthorized device

                                       • Use AD, verify “ESX Admin” group

                  ESXi 2               • passwork policy
                                       • Config FW (SSH), NTP, SNMP…
                                       • SSL for NFC

                                       • Assign role to specific users
                                       • Verify vSphere plug-in
                vCenter                • Client connect vCenter by SSL with
                                         trusted CA-signed cert
                                       • Disable datastore browser
                                       • Management, vMotion & storage traffic
                                         is isolated

                vNetwork               • Forged Transmits & MAC address
                                         change policy: reject
                                       • Port groups are not native VLAN
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




                        19
                                    Q&A

                                       2




Common issues of Virtualization Security
SECURITY BOOTCAMP 2012 | Make yourself to be an expert!




           20




                       2

Contenu connexe

En vedette

SBC 2012 - Lỗ hổng trong cài đặt giao thức OAuth và nguy cơ với người dùng (N...
SBC 2012 - Lỗ hổng trong cài đặt giao thức OAuth và nguy cơ với người dùng (N...SBC 2012 - Lỗ hổng trong cài đặt giao thức OAuth và nguy cơ với người dùng (N...
SBC 2012 - Lỗ hổng trong cài đặt giao thức OAuth và nguy cơ với người dùng (N...Security Bootcamp
 
SBC 2012 - Linux Hardening (Mẫn Thắng)
SBC 2012 - Linux Hardening (Mẫn Thắng)SBC 2012 - Linux Hardening (Mẫn Thắng)
SBC 2012 - Linux Hardening (Mẫn Thắng)Security Bootcamp
 
SBC 2012 - Phát hiện tấn công DDoS sử dụng mạng Neural (Trần Nguyên Ngọc)
SBC 2012 - Phát hiện tấn công DDoS sử dụng mạng Neural (Trần Nguyên Ngọc)SBC 2012 - Phát hiện tấn công DDoS sử dụng mạng Neural (Trần Nguyên Ngọc)
SBC 2012 - Phát hiện tấn công DDoS sử dụng mạng Neural (Trần Nguyên Ngọc)Security Bootcamp
 
Security Bootcamp 2012 - Bảo vệ Web App với Mod Security (Sử Hoàng Sơn)
Security Bootcamp 2012 - Bảo vệ Web App với Mod Security (Sử Hoàng Sơn)Security Bootcamp 2012 - Bảo vệ Web App với Mod Security (Sử Hoàng Sơn)
Security Bootcamp 2012 - Bảo vệ Web App với Mod Security (Sử Hoàng Sơn)Security Bootcamp
 
SBC 2012 - Database Security (Nguyễn Thanh Tùng)
SBC 2012 - Database Security (Nguyễn Thanh Tùng)SBC 2012 - Database Security (Nguyễn Thanh Tùng)
SBC 2012 - Database Security (Nguyễn Thanh Tùng)Security Bootcamp
 
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)Security Bootcamp
 

En vedette (6)

SBC 2012 - Lỗ hổng trong cài đặt giao thức OAuth và nguy cơ với người dùng (N...
SBC 2012 - Lỗ hổng trong cài đặt giao thức OAuth và nguy cơ với người dùng (N...SBC 2012 - Lỗ hổng trong cài đặt giao thức OAuth và nguy cơ với người dùng (N...
SBC 2012 - Lỗ hổng trong cài đặt giao thức OAuth và nguy cơ với người dùng (N...
 
SBC 2012 - Linux Hardening (Mẫn Thắng)
SBC 2012 - Linux Hardening (Mẫn Thắng)SBC 2012 - Linux Hardening (Mẫn Thắng)
SBC 2012 - Linux Hardening (Mẫn Thắng)
 
SBC 2012 - Phát hiện tấn công DDoS sử dụng mạng Neural (Trần Nguyên Ngọc)
SBC 2012 - Phát hiện tấn công DDoS sử dụng mạng Neural (Trần Nguyên Ngọc)SBC 2012 - Phát hiện tấn công DDoS sử dụng mạng Neural (Trần Nguyên Ngọc)
SBC 2012 - Phát hiện tấn công DDoS sử dụng mạng Neural (Trần Nguyên Ngọc)
 
Security Bootcamp 2012 - Bảo vệ Web App với Mod Security (Sử Hoàng Sơn)
Security Bootcamp 2012 - Bảo vệ Web App với Mod Security (Sử Hoàng Sơn)Security Bootcamp 2012 - Bảo vệ Web App với Mod Security (Sử Hoàng Sơn)
Security Bootcamp 2012 - Bảo vệ Web App với Mod Security (Sử Hoàng Sơn)
 
SBC 2012 - Database Security (Nguyễn Thanh Tùng)
SBC 2012 - Database Security (Nguyễn Thanh Tùng)SBC 2012 - Database Security (Nguyễn Thanh Tùng)
SBC 2012 - Database Security (Nguyễn Thanh Tùng)
 
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
SBC 2012 - Malware Memory Forensics (Nguyễn Chấn Việt)
 

Plus de Security Bootcamp

Ransomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdfRansomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdfSecurity Bootcamp
 
Hieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecurityHieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecuritySecurity Bootcamp
 
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s viewNguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s viewSecurity Bootcamp
 
Sbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe moSbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe moSecurity Bootcamp
 
Giam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdrGiam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdrSecurity Bootcamp
 
Insider threat-what-us-do d-want
Insider threat-what-us-do d-wantInsider threat-what-us-do d-want
Insider threat-what-us-do d-wantSecurity Bootcamp
 
Macro malware common techniques - public
Macro malware   common techniques - publicMacro malware   common techniques - public
Macro malware common techniques - publicSecurity Bootcamp
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learningSecurity Bootcamp
 
Tim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cuTim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cuSecurity Bootcamp
 
Threat detection with 0 cost
Threat detection with 0 costThreat detection with 0 cost
Threat detection with 0 costSecurity Bootcamp
 
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active DirectoryGOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active DirectorySecurity Bootcamp
 
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018Security Bootcamp
 
Lannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksLannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksSecurity Bootcamp
 
Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018Security Bootcamp
 

Plus de Security Bootcamp (20)

Ransomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdfRansomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdf
 
Hieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecurityHieupc-The role of psychology in enhancing cybersecurity
Hieupc-The role of psychology in enhancing cybersecurity
 
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s viewNguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
 
Sbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe moSbc 2020 bao gio vn co anm dua vao cong nghe mo
Sbc 2020 bao gio vn co anm dua vao cong nghe mo
 
Deception change-the-game
Deception change-the-gameDeception change-the-game
Deception change-the-game
 
Giam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdrGiam sat thu dong thong tin an toan hang hai su dung sdr
Giam sat thu dong thong tin an toan hang hai su dung sdr
 
Sbc2019 luong-cyber startup
Sbc2019 luong-cyber startupSbc2019 luong-cyber startup
Sbc2019 luong-cyber startup
 
Insider threat-what-us-do d-want
Insider threat-what-us-do d-wantInsider threat-what-us-do d-want
Insider threat-what-us-do d-want
 
Macro malware common techniques - public
Macro malware   common techniques - publicMacro malware   common techniques - public
Macro malware common techniques - public
 
Malware detection-using-machine-learning
Malware detection-using-machine-learningMalware detection-using-machine-learning
Malware detection-using-machine-learning
 
Tim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cuTim dieu moi trong nhung dieu cu
Tim dieu moi trong nhung dieu cu
 
Threat detection with 0 cost
Threat detection with 0 costThreat detection with 0 cost
Threat detection with 0 cost
 
Build SOC
Build SOC Build SOC
Build SOC
 
AD red vs blue
AD red vs blueAD red vs blue
AD red vs blue
 
Securitybox
SecurityboxSecuritybox
Securitybox
 
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active DirectoryGOLDEN TICKET -  Hiểm hoa tiềm ẩn trong hệ thống Active Directory
GOLDEN TICKET - Hiểm hoa tiềm ẩn trong hệ thống Active Directory
 
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
PHÂN TÍCH MỘT SỐ CUỘC TẤN CÔNG APT ĐIỂN HÌNH NHẮM VÀO VIỆT NAM 2017-2018
 
Api security-present
Api security-presentApi security-present
Api security-present
 
Lannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber AttacksLannguyen-Detecting Cyber Attacks
Lannguyen-Detecting Cyber Attacks
 
Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018Letrungnghia-gopyluananm2018
Letrungnghia-gopyluananm2018
 

Dernier

Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 

Dernier (20)

Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 

SBC 2012 - Một số vấn đề bảo mật trong Virtualization (Nguyễn Hinh)

  • 1. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 1 2 Common issues of Virtualization Security Nguyễn Hinh | hinhnguyen00@gmail.com
  • 2. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 2 About Me Hinh Nguyen 2 hinhnguyen00@gmail.com UIT Focus on Virtualization & Cloud Computing
  • 3. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 3 Content I. Overview 2 II. Benefits of Virtualization III. Risks for Virtualized Environments IV. Recommendations Common issues of Virtualization Security 2
  • 4. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Virtualization Overview 4 2 With vMotion instances launching every second, there are more VMs in motion globally than actual aircraft.” -- Paul Maritz, CEO, VMware Common issues of Virtualization Security 3
  • 5. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! Virtualization Security Overview 5 • Gartner: 60% of VMs will be LESS SECURE than the 2 Physical Servers they replace (through 2012) http://www.gartner.com/it/page.jsp?id=1322414 Better Less Secure Common issues of Virtualization Security 4
  • 6. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 6 Why??? Why - “Hypervisor creates new attack surface” 2 - Designer/Operator Common issues of Virtualization Security 5
  • 7. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 7 2 II. BENEFITS OF VIRTUALIZATION Common issues of Virtualization Security 6
  • 8. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! II.1. Reduce cost 8 • Reduce maintenance cost, save power 2 • Reduce quantity of hardware & software to purchase • Reduce “server sprawl” Common issues of Virtualization Security 7
  • 9. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! II.2. More Secure 9 Disaster Recovery & Forensic analysis Sandboxing 2 HA capabilities unstable app & compromised HA, FT, …. snapshot server Mixed: 1 physical server (master) Risk: “VM Escape” – VMs (slave) Common issues of Virtualization Security 8
  • 10. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 10 2 III. RISKS FOR VIRTUALIZED ENVIRONMENTS Common issues of Virtualization Security 9
  • 11. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! III. Risks for Virtualized Environments 11 2 Common issues of Virtualization Security 10
  • 12. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! III. Risks for Virtualized Environments 12 • Hypervisor • Host/platform 2 • Communication • Isolation between guest and guest • Isolation between guest and host Common issues of Virtualization Security 11
  • 13. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 13 2 IV. RECOMMENDATIONS Common issues of Virtualization Security 12
  • 14. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! IV.14Recommendations • Restrict physical access • Implement defense2 in depth • Enforce least privilege and separation of duties • Harden the hypervisor • Harden virtual machines and other components Common issues of Virtualization Security 13
  • 15. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! IV.15Recommendations 2 Common issues of Virtualization Security 14
  • 16. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! IV.16Recommendations 2 Common issues of Virtualization Security 15
  • 17. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! IV.17Recommendations 2 Common issues of Virtualization Security 15
  • 18. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! • Update OS,… like physical server 18 VM • Limit sharing console: 2 • Control access resource, disconnet unauthorized device • Use AD, verify “ESX Admin” group ESXi 2 • passwork policy • Config FW (SSH), NTP, SNMP… • SSL for NFC • Assign role to specific users • Verify vSphere plug-in vCenter • Client connect vCenter by SSL with trusted CA-signed cert • Disable datastore browser • Management, vMotion & storage traffic is isolated vNetwork • Forged Transmits & MAC address change policy: reject • Port groups are not native VLAN
  • 19. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 19 Q&A 2 Common issues of Virtualization Security
  • 20. SECURITY BOOTCAMP 2012 | Make yourself to be an expert! 20 2