Virtualization and Cloud Computing

Presentation on theme: "Virtualization and Cloud Computing"— Presentation transcript:

1 Virtualization and Cloud Computing
Virtualization, Cloud and Security Michael Grafnetter

2 Agenda
Virtualization Security Risks and Solutions
Cloud Computing Security
Identity Management

3 Virtualization and Cloud Computing
Virtualization Security Risks and Solutions

4 Blue Pill Attack (Joanna Rutkowska)
Nearly anything, including hardware interrupts, requests for data and even the system time, could be intercepted (and a fake response sent) by the hypervisor.
Timing attack, Trap-and-Emulate

5 Blue Pill Attack
Presented in 2006 by Joanna Rutkowska at the Black Hat conference.
Traps the running OS by starting a hypervisor and virtualizing the underlying machine (needs the right to run privileged instructions to achieve this).
Could intercept nearly anything and send fake responses (hardware interrupts, requests for data, system time, etc.).

6 Red Pill
Blue Pill is detectable by a timing attack.
Trap-and-Emulate takes much longer than native instructions.
External time sources (NTP) need to be used, because system time could be spoofed.

7 VMM Vulnerability
By attacking a VMM, one could attack multiple servers at once.

8 Datacenter Management SW
Virtualization infrastructure management software (VMware vCenter, Microsoft SC VMM) is used to control multiple hosts at once.

9 Web Access to DCs
Multiple datacenters can be managed from a central console. Therefore, its security has to be hardened.

10 One Ring to rule them all…
Management commands available using PowerShell or Web APIs:
Get-VM -Name * | Stop-VM
Get-VM -Name * | Remove-VM
Copy-VMGuestFile
Invoke-VMScript -Type Bash

11 DoS attack on virtualization infrastructure
Demo DoS attack on virtualization infrastructure


13 Disabling Host-VM Communication

14 Physical vs. Virtual Firewall
8th ISO/OSI Layer: Politics and religion.
With virtualization, servers from different Trust Zones usually share the same physical resources (memory, network card, etc.).

15 Traffic isolation

16 Configuring traffic isolation on VMware ESXi
Demo: Configuring traffic isolation on VMware ESXi

17 Other risks of virtualization
Introduction of yet another OS
Reliance on traditional barriers
Accelerated provisioning
Security left to non-traditional security staff
Audit scope creep

18 Security Solutions
Virtual Firewall; Agentless Antivirus; Live migration; Stretched clusters; Agentless Antivirus; Extensible Switches; Mobile Virtualization Platform; Virtual Desktop Infrastructure (VDI)
Virtual firewalls are aware of the virtualized environments.

19 Agentless AV Update Storms/Scan Storms
Not always implementable: intrusion protection, packet analysis, browser protection, real time heuristics, application control, device control, NAC

20 Extensible Switch

21 Mobile Virtualization Platform

22 Mobile Virtualization Platform

23 Mobile Virtualization Platform
Supported devices

24 Virtual Desktop Infrastructure
+ Data stays only within the company
- Stable connection required

25 Virtualization and Cloud Computing
Cloud Computing Security Risks

26 Who has access to our data?

27 Physical Security

28 Hard Disk Crushers

29 Other Cloud Risks
Unclear data location
Regulatory compliance
Data segregation
Lack of investigative support
Disaster recovery
Long-term viability, vendor lock-in

30 Virtualization and Cloud Computing
Identity Management

31 Identity Management
Basic Concepts: External user DBs; Two-factor authentication; Role-Based Access Control (RBAC)
Identity Federation: OAuth; OpenID; SAML; RADIUS Proxy; Identity Bridges

32 External User DBs
Typically Active Directory or generic LDAP is used as the central identity store for virtualization infrastructures.

33 Azure Active Directory

34 Two-Factor Authentication

35 Role-Based Access Control

36 Identity Federation

37 OAuth
Used to delegate user authorization to a 3rd-party service provider.

38 Demo: Creating a web application with Facebook/Twitter/Microsoft Account authentication

39 OpenID

40 OpenID

41 SAML
Similar to OpenID, but targeted to the enterprise
Security Assertion Markup Language
XML-based
Supports Single sign-on
Requires mutual trust between IdP and SP
Multiple bindings, not just HTTP
Supports Identity provider initiated authentication


43 SAML (Google Apps)
1. The user attempts to reach a hosted Google application, such as Gmail, Start Pages, or another Google service.
2. Google generates a SAML authentication request. The SAML request is encoded and embedded into the URL for the partner's SSO service. The RelayState parameter containing the encoded URL of the Google application that the user is trying to reach is also embedded in the SSO URL. This RelayState parameter is meant to be an opaque identifier that is passed back without any modification or inspection.
3. Google sends a redirect to the user's browser. The redirect URL includes the encoded SAML authentication request that should be submitted to the partner's SSO service.
4. The partner decodes the SAML request and extracts the URL for both Google's ACS (Assertion Consumer Service) and the user's destination URL (RelayState parameter). The partner then authenticates the user. Partners could authenticate users by either asking for valid login credentials or by checking for valid session cookies.
5. The partner generates a SAML response that contains the authenticated user's username. In accordance with the SAML 2.0 specification, this response is digitally signed with the partner's public and private DSA/RSA keys.
6. The partner encodes the SAML response and the RelayState parameter and returns that information to the user's browser. The partner provides a mechanism so that the browser can forward that information to Google's ACS. For example, the partner could embed the SAML response and destination URL in a form and provide a button that the user can click to submit the form to Google. The partner could also include JavaScript on the page that automatically submits the form to Google.
7. Google's ACS verifies the SAML response using the partner's public key. If the response is successfully verified, ACS redirects the user to the destination URL.
8. The user has been redirected to the destination URL and is logged in to Google Apps.
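
The request leg of this flow (the service provider encoding the authentication request into the redirect URL, the partner decoding it) can be sketched with the SAML HTTP-Redirect binding. This is an added example, not code from the presentation or from Google; the URLs, the request ID and the ACS allow-list are constructed assumptions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit, parse_qs

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Constructed values (assumptions, not taken from the slides).
SSO_URL = "https://idp.example.test/sso"
ACS_URL = "https://sp.example.test/acs"
ALLOWED_ACS = {ACS_URL}  # ACS URLs the partner has registered for this SP


def build_redirect_url(request_id, acs_url, relay_state):
    """SP side: raw-DEFLATE, base64 and URL-encode the AuthnRequest."""
    root = ET.Element(
        f"{{{SAMLP_NS}}}AuthnRequest",
        {"ID": request_id, "Version": "2.0", "AssertionConsumerServiceURL": acs_url},
    )
    deflater = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    deflated = deflater.compress(ET.tostring(root)) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{SSO_URL}?{query}"


def parse_redirect_url(url, max_size=65536):
    """Partner side: decode the request; return (request_id, acs_url, relay_state)."""
    params = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0], validate=True)
    inflater = zlib.decompressobj(wbits=-15)
    xml = inflater.decompress(raw, max_size)  # cap the inflated size
    if inflater.unconsumed_tail:
        raise ValueError("AuthnRequest exceeds size limit")
    # Production code should parse with a hardened XML parser such as defusedxml.
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    acs_url = root.get("AssertionConsumerServiceURL")
    if acs_url not in ALLOWED_ACS:
        # Never send a response to an ACS that was not registered in advance.
        raise ValueError("unregistered ACS URL")
    # RelayState is opaque: handed back unchanged, never parsed or followed here.
    return root.get("ID"), acs_url, params.get("RelayState", [""])[0]
```

The allow-list check matters because the ACS URL arrives in a request the browser carries; a partner that posts the signed response to whatever URL the request names would deliver it to an arbitrary site.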

44 SAML Example
<saml:Assertion ID="b07b804c-7c29-ea f3d6f7928ac" Version="2.0" IssueInstant=" T09:22:05">
  <saml:Issuer></saml:Issuer>
  <ds:Signature>...</ds:Signature>
  …
  <saml:Conditions NotBefore=" T09:17:05" NotOnOrAfter=" T09:27:05">
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute x500:Encoding="LDAP" Name="urn:oid: " FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
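
The Conditions element in this assertion is what limits how long a captured response can be replayed. The following added example (not from the presentation) shows the checks a service provider applies to those fields; the assertion is a constructed sample with made-up values, and the 60-second clock skew and the rule that a validity window is mandatory are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed assertion mirroring the slide's structure; every value is made up.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T09:22:05Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature/>
  <saml:Conditions NotBefore="2024-01-01T09:17:05Z" NotOnOrAfter="2024-01-01T09:27:05Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T09:17:05Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, expected_issuer, skew=timedelta(seconds=60)):
    """Return reasons to reject the assertion; an empty list means these checks passed.

    Cryptographic verification of ds:Signature is out of scope here and must
    succeed (with an XML-DSig library) before any of these fields are trusted.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is not saml:Assertion"]
    problems = []
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned")
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != expected_issuer:
        problems.append("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        return problems + ["no validity window"]
    not_before = cond.get("NotBefore")
    if not_before and now + skew < parse_instant(not_before):
        problems.append("not yet valid")
    if now - skew >= parse_instant(cond.get("NotOnOrAfter")):
        problems.append("expired")
    return problems
```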

45 Microsoft Active Directory Federation Services
SAML-based
Typically used to give access to intranet portals to business partners

46 Shibboleth
SAML-based federation portal
Open Source

47 Signing in to a federated web application
Demo Signing in to a federated web application

48 RADIUS Proxy (Eduroam)

49 Identity Bridges

50 Identity Bridges: Azure Access Control Service
