SBC 2012 - Some security issues in Virtualization (Nguyễn Hinh)
1. SECURITY BOOTCAMP 2012 | Make yourself to be an expert!
Common issues of Virtualization Security
Nguyễn Hinh | hinhnguyen00@gmail.com
About Me
Hinh Nguyen
hinhnguyen00@gmail.com
UIT
Focus on Virtualization & Cloud Computing
Content
I. Overview
II. Benefits of Virtualization
III. Risks for Virtualized Environments
IV. Recommendations
Virtualization Overview
"With vMotion instances launching every second, there are more VMs in motion globally than actual aircraft." -- Paul Maritz, CEO, VMware
Virtualization Security Overview
• Gartner: 60% of VMs will be LESS SECURE than the physical servers they replace (through 2012)
http://www.gartner.com/it/page.jsp?id=1322414
[Chart: Better vs. Less Secure]
Why?
• "Hypervisor creates new attack surface"
• Designer/Operator
II. BENEFITS OF VIRTUALIZATION
II.1. Reduce cost
• Reduce maintenance cost, save power
• Reduce quantity of hardware & software to purchase
• Reduce "server sprawl"
II.2. More Secure
• Disaster Recovery & Forensic analysis: HA, FT, ... snapshot
• Sandboxing: unstable app & compromised server
• HA capabilities
• Mixed: 1 physical server (master) – VMs (slave). Risk: "VM Escape"
III. RISKS FOR VIRTUALIZED ENVIRONMENTS
III. Risks for Virtualized Environments
• Hypervisor
• Host/platform
• Communication
• Isolation between guest and guest
• Isolation between guest and host
IV. RECOMMENDATIONS
IV. Recommendations
• Restrict physical access
• Implement defense in depth
• Enforce least privilege and separation of duties
• Harden the hypervisor
• Harden virtual machines and other components
VM:
• Update OS, ... like a physical server
• Limit sharing of the console
• Control access to resources, disconnect unauthorized devices
ESXi:
• Use AD, verify the "ESX Admin" group
• Password policy
• Config FW (SSH), NTP, SNMP...
• SSL for NFC
vCenter:
• Assign roles to specific users
• Verify vSphere plug-ins
• Clients connect to vCenter by SSL with a trusted CA-signed cert
• Disable datastore browser
vNetwork:
• Management, vMotion & storage traffic is isolated
• Forged Transmits & MAC address change policy: reject
• Port groups are not on the native VLAN
Q&A