VMware Security Architecture and Best Practices Rob Randell, CISSP Senior Security Specialist SE

Agenda  Virtualization Specific Security Issues Security Concepts in Virtualization Architecture Operational Security Issues with Virtualization  VMware Security Architecture Isolation and Containment Secure Management  Security Best Practices Primary Issues that Affect Virtualization Security Secure Design Secure Deployment Secure Operations

Security Concepts in Architecture  Extended computing stack New privileged layers (Hypervisor) exist underneath the operating system  Guest isolation One guest VM cannot access or even address the “hardware resources” of another guest VM or the host/hypervisor  Host visibility Difficult to see from the guest whether someone is monitoring from host or host even exists  Virtualized interfaces Physical connectivity between guests is recreated, e.g. IP network, file shares, may be more or less like true physical counterparts  Management interfaces The protection of mgmt interfaces (Console OS, VirtualCenter, etc…) very important  Greater co-location of data and assets on one box Potential single point of failure for not just availability, but also integrity/confidentiality Host access gives you “keys to the kingdom”

Operational Security Issues  Most security issues arise not from the virtualization infrastructure itself but from operational issues Adapting existing security processes and solutions to work in the virtualized environment Most security solutions don’t care whether a machine is physical or virtual The datacenter and its workloads just became a much more dynamic and flexible place The risk of misconfiguration requires use of best practices specific to virtualization

VMware Security Architecture

Hardware VM VMM ESX Server Service Console VMX Device Drivers I/O Stack SDK / VirtualCenter Agent Device Drivers VMkernel Hardware Interface Third- Party Agents Storage StackNetwork Stack Distributed Virtual Machine File System Virtual NIC and Switch Resource Management CPU Scheduling Memory Scheduling Storage Bandwidth Network Bandwidth VM VMware ESX Server Architecture  VMkernel designed for Hypervisor-based virtualization  VMkernel dedicated to run VMs only  No public interface to VMkernel  Device drivers qualified in-house as an integral part of the system

VM Isolation Design Privileged instructions within a VM are “de- privileged” and run within an isolated virtual memory space VMs have no direct access to hardware, only have visibility to virtual devices VMs can only communicate with each other through Virtual Switches Resource reservations and limits guarantees performance isolation OS and applications within a VM run as is with no modification (hence no recertification required) VMM Production Use Proof Points Passed security audit and put into production by the largest Financial Institutions Passed Defense and Security Agencies scrutiny and audit (NetTop and HAP) Large number of customers run mission critical and transaction processing applications CC EAL 2 certification (for ESX 2.5) CC EAL 4+ certification (for VI 3.0) expected in Q1 2008

Memory Management Memory Partitioning for VMs Each VM sees its own zero-based physical address space. ESX abstracts physical memory by adding a layer of memory address translation. Memory isolation is imposed by segmentation and paging in x86 (hardware enforced). Physical memory is zeroed out when allocated to a VM. No inter-VM memory leaks Transparent Page sharing – Copy on Write

Virtual Network Design Principles Port Groups Port groups are user named objects which contain configuration information to provide consistent network access for virtual NICs: vSwich Name VLAN ID(s) and tagging/filtering policy Layer 2 Security Options NOT VLAN Groups Virtual ports ignore any requests from the virtual NIC which would violate the L2 security policy Virtualization protects against specific types of network attacks Double-Encapsulation Attacks Spanning Tree Attacks Random Frame Attacks MAC Flooding Attacks 802.1g and ISL Tagging Attacks Multicast Brute-Force Attacks Virtual Switch Isolation vSwitches do not learn from the network. Independent forwarding tables for each vSwitch vSwitches makes private copy frame data used to make forwarding or filtering decisions No trust in user-accessible data No Spanning Tree support

Virtual Storage Isolation  VMs have no knowledge or understanding of SANs  Each VM is able to see only the virtual disks that are presented to it on its virtual SCSI adapters.  The VMware VMFS file system coordinates hosts in the cluster  File Locks are stored on the disk as part of the volume metadata Storage A.vmdk

Secure Management VirtualCenter: primary management tool Encrypted communication Integration with global security framework, e.g. Authentication via Active Directory Detailed auditing Extensive roles system for fine-grained separation-of-duties Operational Best Practices for maximum security, e.g. Dedicated management network Lock-down of Administrator access

Unmatched security and reliability: Compact 32MB footprint OS independence means minimal interfaces and a small attack profile Embedded in hardware --- reduces risk of tampering Unstructured Service Console management replaced by controlled API-based management ESX Server 3i: The next step in Virtualization Security

Security Best Practices

Primary issues that affect Virtualization Security 1.Control of administrative access 2.Risk of improper configuration 3.Lack of Virtual Network Visibility 4.Management of ever-growing environment

Primary issues that affect Virtualization Security  Control of administrative access Issue: Administrative interfaces become avenues of attack Mitigation: Follow Best Practices for Secure Design Secure Deployment Secure Operations Issue: Great amount of power in single administration console Mitigation Follow Best Practices for Secure Operations

Primary issues that affect Virtualization Security  Risk of improper configuration Issue: VMs placed on incorrect virtual network can break security Mitigation: Follow Best Practices for Secure Design Secure Deployment Secure Operations

Primary issues that affect Virtualization Security  Lack of Virtual Network Visibility Issue: Inter-VM traffic within one host not visible to Network- based IDS/IPS Mitigation: Forward all traffic to outside system for inspection using a special Promiscuous-mode forwarding VM Utilize 3 rd party NIPS/NIDS tools which run in VMs and sit directly on Virtual Switch

Primary issues that affect Virtualization Security  Management of ever-growing environment Issue: Security of offline VMs can go out of date Mitigation: Follow Best Practices for Secure Deployment Utilize 3 rd party tools for network-based IDS/IPS (Future) utilize tools for patching of offline VMs Issue: Difficult to keep track of virtual machine provenance and configuration Mitigation: Follow Best Practices for Secure Deployment Utilize 3 rd party tools for VM lifecycle management

Best Practices: Secure Design  Separate and Isolate Management Networks 1. Service Console 2. Vmkernel: Vmotion and NFS & iSCSI datastores  Plan for VM mobility: 3 options 1. Partition trust zones 2. Combine trust zones using virtual network segmentation and virtual network management best practices 3. Combine trust zones using portable VM protection with 3 rd -party tools (Blue Lane, etc)

Best Practices: Secure Deployment  Harden VMware Infrastructure 3 according to guidelines 1. VMware-provided 2. 3 rd -party: STIG (draft), CIS (draft), Xtravirt Security Risk Assessment template, etc.  Always secure virtual machines like you would physical servers 1. Anti-virus 2. Patching 3. Host-based intrusion detection/prevention  Use Templates and Cloning to enforce conformity of virtual machines

Best Practices: Secure Operations  Strictly control administrative access 1. Favor controlled management interfaces (VI Client, Web Access) over unstructured interfaces (Service Console) 2. Avoid VI Console access except when absolutely necessary; favor OS-based access to VM (RDP, ssh, etc). 3. Use roles-based access control to limit administrative capabilities and enforce separation of duties, and never use anonymous accounts (e.g. “Administrator”) 4. Allow powerful access only to small, privileged group; implement break-glass policy for top level administrative account

Best Practices: Secure Networking  Restrict access to privileged networks 1. Closely restrict administrative access on any host with privileged network 2. For less privileged users, only allow template-based provisioning on those hosts  Guard against misconfiguration 1. Clearly label sensitive virtual networks 2. Generate audit reports that flag suspicious configurations 3. Routinely inspect event and task logs

Best Practices References Detailed Prescriptive Guidance Security Design of the VMware Infrastructure 3 Architecture ( VMware Infrastructure 3 Security Hardening ( Managing VMware VirtualCenter Roles and Permissions ( STIG (Secure Technology Implementation Guide) draft ( CIS (Center for Internet Security) Benchmark ( Xtravirt Virtualization Security Risk Assessment ( func=fileinfo&id=15) func=fileinfo&id=15

Questions? Rob Randell, CISSP Senior Systems Engineer - Security Specialist