
Virtualization Security


1 Virtualization Security
Erez Berkner, Virtualization Team Manager, Check Point R&D, May 2009

2 Agenda
- Virtualization overview
- Virtualization security hazards
- VPN-1 Virtual Edition (VE)
- Common use cases
- vSwitch integrated security (VMsafe)

3 Virtualization Overview

4 Virtualization decouples physical resources from the OS & applications
Virtualization layer: machines are encapsulated as files.
Virtualization breaks the rigid bond between hardware and software and allows multiple instances of an operating system, and multiple software applications, to run on the same hardware box. In essence, virtualization "bundles" or encapsulates the operating system and a software application into a virtual machine. This entire "package" of virtual hardware (CPU, memory and networking), OS and application is turned into a single software file. Virtual machines are hardware independent, and because they are files they can be manipulated with the ease of file copy and paste. Virtual machines bring an entirely new level of efficiency and flexibility to the IT environment. One way to understand the impact of virtualization on the IT industry is to compare it with electronic banking: once cash was turned into bytes, the velocity of commerce increased, and money can now be moved around the world with lightning speed because it is virtual, it is information. By turning physical capabilities into information, virtualization makes provisioning and managing the entire IT infrastructure a lot faster and more flexible.

5 Virtualization 101: Non-Virtualized World vs. Virtual Infrastructure
(Diagram: Exchange, File/Print, VPN and CRM workloads, each on its own operating system on dedicated hardware, compared with the same workloads running over a virtualization layer that draws from shared CPU, memory, storage and interconnect pools.)

6 Enables the Virtual Datacenter
(Diagram: virtual infrastructure built on interconnect, CPU, memory and storage pools.)

7 Dynamic resource allocation
(Diagram: Exchange, CRM and File/Print, each as an APP/OS virtual machine, drawing resources from the interconnect, CPU, memory and storage pools of the virtual infrastructure.)

8 Heals Itself Automatically
(Diagram: the same Exchange, CRM and File/Print virtual machines restarted elsewhere in the virtual infrastructure from the shared resource pools.)

9 VMotion: it's time to have some fun...
Dynamic migration of VMs across disparate hardware with no downtime or disruption to applications or users.
(Diagram: App/OS virtual machines moved between hosts of a VMware Infrastructure by VMotion; Storage VMotion shown alongside.)
The value of distributed virtualization is the ability to consistently manage and provide service levels not at the individual server level, but across a pool of servers. The same is true for storage and networking. VMotion, which was introduced more than 5 years ago by VMware, truly frees the OS + application workloads from the hardware. [Describe what VMotion does] VMotion for servers is only the beginning. Today, this concept has been extended to storage. [Describe what Storage VMotion does] Storage VMotion is far superior to today's approach of, for example, moving entire LUNs with datamovers/SAN tools, which almost always involves downtime. Now matching VMs with the right type of storage for performance becomes a trivial problem to solve.

10 Hazards!

11 No Free Lunches: Virtualization Benefits vs. Security and Compliance Issues

Virtualization benefit | Virtualization risk | Security and compliance issue
Easy machine creation | "VM sprawl" | Rapid change accelerates configuration drift
Consolidation of dozens of physical servers | "Guest escape" of control from VM into hypervisor | Malicious VM takes control of the entire virtualization server
Easy provisioning of networks | Misconfiguration errors | Breaking separation between different security zones
Mobility enables high availability, dynamic resource optimization | Mobility can break static security | Maintaining isolation and network controls
Hypervisor enables consolidation | New privileged layer to be secured | Access to sensitive data in VMs

So how do virtualization and server consolidation affect security? Unfortunately the benefits also come with some challenges, so there is no free lunch. For example, it is much easier and quicker to create a new virtual machine, whether copied from an existing machine or from a template, which is akin to a gold image. Whereas many customers had a provisioning workflow for requisitioning a new machine on the order of 3-4 months, they are now often able to reduce that to 1-2 days. The actual creation of a virtual machine in VMware itself takes only about 30 seconds. The downside of this ease is that it can lead to a proliferation of VMs much faster than with physical machines, what we call "VM sprawl". This makes it much more challenging for security teams to keep up and ensure new machines are properly configured and protected. Note that this is not a fundamental problem with virtualization technology itself, but an operational issue exacerbated by businesses becoming much more agile and fluid as a result of virtualization. The question is whether security operations that assumed a much slower machine lifecycle can keep up. Mobility is another operational challenge. VMs are now VMDK files that can be much more quickly edited, moved and copied, just like a Word document.
However, this can break static security policies that are often based on fixed network and machine topologies. Finally, the hypervisor is a new and very privileged piece of software that runs underneath all of your virtual machines. It is a critical layer of software that itself must be secured and protected.

12 Specific Challenges with Network Security
- Lack of inter-VM visibility for monitoring and enforcement
- Aligning static policies with fast VM sprawl and mobility
- Maintaining network session state with live migration (VMotion)
- Loss of separation of duties (SoD) between server admins and network/security teams

13 Introducing VPN-1 VE: Certified Virtual Appliance by VMware
- Protects against inter-VM and external threats
- No need for physical appliances and switches
- Same management console: security policy spans virtual and physical boundaries
- VE provides visibility inside the virtualization environment (logs / compliance)
- Protects virtualization resources (e.g. the service console)

14 VPN-1 VE key points
- Check Point is the only major network security vendor to protect the virtualization environment
- Persistent security in all scenarios (failure, VMotion, DRS, etc.)
- Full redundancy using ClusterXL: no single point of failure
- Provides the same level of security as in the physical world, inside the virtualization environment

15 Deploying virtualization security

16 Deploying virtualization security
Data Center Virtualization

17 Towards Application-Centric Security Policy
(Diagram, "Before": IIS #1, IIS #2, Tomcat app server and Oracle behind a load balancer, with a firewall placed statically in front of each tier; "After": the same application with policy following the machines.)
Today, the way security is set up, deployed and operated within the datacenter contains a lot of overhead and redundant processes. In addition, this security is "static": security products have to be manually and statically configured to deal with a particular set of applications and machines that are in the datacenter. With the advent of the "fluid" datacenter, with machines and machine boundaries constantly changing, "static" security will have to be replaced by a more dynamic set of security products that enable the "self-securing datacenter". Key to this datacenter is a set of security products that automatically get most of their configuration information from the existing architecture of the system (through Virtual Center) and from OVF-based information carried by virtual machines. These can be consumed by VMsafe-enabled security products that can handle VMotion and other mobility features within the system. With core security policies set up not by machine, port number or application, these policies can be set up once and applied to each machine within the datacenter, regardless of where it sits in the datacenter and what application it runs.

18 VMotion & ClusterXL
(Diagram: two hosts, ESX server 1 and ESX server 2, each with ext, web, app and sync vSwitches. VE Active runs on ESX server 1 and VE Standby on ESX server 2; the two members exchange state over the sync vSwitches. Packets from the Internet enter through the ext vSwitch, pass the active VE, and reach the web and app zones holding App1, App2, App3 and a Mgmt VM.)
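Slide 12 lists "maintaining network session state with live migration" as a challenge, slide 14 answers it with ClusterXL state sync, and this slide shows the sync vSwitch that carries it. The illustration below is added here and is not Check Point's ClusterXL implementation: a minimal stateful TCP filter whose active member replicates its connection table to a standby. It shows why a standby that never saw the SYN drops the rest of an established session after a failover or a VMotion, and why replicated state keeps the session alive. The addresses, ports, inside prefix and class names are constructed for the example.

```python
"""Stateful firewall failover with connection-table sync (added example).

Not Check Point's ClusterXL code: a minimal stateful TCP filter whose
active member replicates its connection table to a standby over a sync
channel. Addresses, ports and the inside prefix are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # any of "S" (SYN), "A" (ACK), "F" (FIN)


class Firewall:
    """Allow TCP sessions only when initiated from the inside prefix."""

    def __init__(self, name, inside_prefix, sync_peer=None):
        self.name = name
        self.inside = inside_prefix
        self.peer = sync_peer      # standby member that receives state updates
        self.conns = set()         # (src, sport, dst, dport) of allowed flows
        self.dropped = []

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.dst, p.dport, p.src, p.sport)

    def _replicate(self, key, add):
        """Push one state change to the peer (what the sync vSwitch carries)."""
        if self.peer is not None:
            (self.peer.conns.add if add else self.peer.conns.discard)(key)

    def process(self, p):
        """Return True if the packet is forwarded, False if it is dropped."""
        key, rkey = self._key(p), self._reverse(p)
        if key in self.conns or rkey in self.conns:
            if "F" in p.flags:             # session teardown, both directions
                self.conns.discard(key)
                self.conns.discard(rkey)
                self._replicate(key, False)
                self._replicate(rkey, False)
            return True
        # New flow: only a bare SYN from the inside opens state.
        if p.flags == "S" and p.src.startswith(self.inside):
            self.conns.add(key)
            self._replicate(key, True)
            return True
        self.dropped.append(p)
        return False


def failover_scenario(with_sync):
    """Run one session across a failover; return the per-packet decisions."""
    standby = Firewall("VE-standby", "10.1.")
    active = Firewall("VE-active", "10.1.",
                      sync_peer=standby if with_sync else None)
    client, server = ("10.1.0.5", 40000), ("203.0.113.10", 443)
    # The handshake is seen by the active member only.
    before = [
        active.process(Packet(*client, *server, "S")),
        active.process(Packet(*server, *client, "SA")),
        active.process(Packet(*client, *server, "A")),
    ]
    # Active fails (or the VM moves): the standby now sees mid-session traffic.
    after = [
        standby.process(Packet(*client, *server, "A")),   # client data
        standby.process(Packet(*server, *client, "A")),   # server data
        standby.process(Packet(*client, *server, "FA")),  # client closes
    ]
    return before + after


if __name__ == "__main__":
    print("with sync:   ", failover_scenario(True))
    print("without sync:", failover_scenario(False))
```

Without sync the three post-failover packets are dropped because the standby has no state for the flow and the packets are not a SYN from the inside; with sync they are forwarded and the FIN cleanly removes the state on both members. A real cluster also has to sync the teardown and timeouts, otherwise the standby accumulates stale entries.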

19 ESX farms
(Diagram: four hosts, ESX 1 to ESX 4, each with an ext vSwitch facing the Internet and app VMs behind it; one active and one standby VE member kept in sync, so packets from the Internet are inspected regardless of which host the app VMs run on.)

20 Service Providers: adding virtualized security to the cloud
- Protecting it with Check Point VPN-1 VE
- VPN-1 VE per customer
- VPN-1 VE per service
- Specific service(s) to specific customer(s): Antivirus, Anti-spam/Malware, Mail scanning, Web Filtering, VoIP

21 Deploying virtualization security: MSPs
(Diagram: one ESX server hosting a VE with ext and int interfaces in front of Customer A, Customer B and Customer C, each served by a dedicated UTM-1 instance: UTM-1 full set, UTM-1 Antivirus and UTM-1 Web Filtering.)

22 Deploying virtualization security: Office in a box (SMB & branch offices)
- Consolidate and virtualize all physical devices under one single server
- Simplifies provisioning of a remote office
- VPN-1 VE protects the consolidated virtual machines as well as the office's physical servers & clients
- VPN services
- Multiple SMB/branch sites can be managed by one management server

23 Office in a box
(Diagram: the VE's Ext interface faces the Internet and terminates a VPN tunnel; its Int interface connects over a trunk port to VLANs V1 to V7, which carry the Web, DB and FTP virtual machines, the Service Console and the office's physical hosts, so all traffic between VLANs and to the Internet passes the VE.)

24 Deploying virtualization security: Disaster Recovery
- Preserve security in DR scenarios
- No need for an additional physical firewall on the DR site
- "DR on a disk"
- Fast deployment, zero time

25 Is running VPN-1 VE on VMware safe?
A hypervisor is at less risk of an external attack because:
- the vSwitch/hypervisor itself has no IP address;
- it does not listen on input/output ports;
- the hypervisor's network attack surface (the vSwitch) is very thin (think of it as a NIC driver).
VE can protect the service console. Every incoming packet should go through VE security inspection before it reaches a VM, which requires that no VM is attached to the external network except through the VE. VMware's resource allocation abilities prevent a malicious VM from causing a DoS on host resources.
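"Every incoming packet should go through VE security inspection" only holds if the vSwitch topology enforces it; slide 11 lists misconfiguration breaking zone separation as the matching risk, and the slide 18 and slide 23 diagrams show the intended layout (VE alone on the ext and sync networks, service console on its own VLAN, guests in one zone each). The audit below is an added example, not Check Point or VMware code: it walks a constructed inventory in an assumed shape (port group to zone, VM to the port groups its vNICs use) and reports every guest that sits on a firewall-only network, on the service console network, on an unzoned port group, or in two zones at once (a bridge around the VE). The rules are assumptions drawn from the diagrams, not a vendor checklist.

```python
"""Audit a vSwitch/port-group inventory for paths around the VE (added example).

Not Check Point or VMware code. The inventory is a constructed sample in
an assumed shape; the rules are assumptions drawn from the deployment
diagrams: only VE members sit on the external and sync port groups,
guests stay off the Service Console port group, and a guest with vNICs
in two zones bridges around the VE.
"""

FIREWALL_ONLY_ZONES = {"external", "sync"}   # reachable only by VE members
NO_GUEST_ZONES = {"console"}                 # service console network

# Constructed sample inventory for one ESX host: port group -> zone.
PORTGROUP_ZONE = {
    "PG-ext": "external",
    "PG-web": "web",
    "PG-app": "app",
    "PG-sync": "sync",
    "PG-console": "console",
}

# Constructed sample: VM name -> (is a VE cluster member, port groups used).
VMS = {
    "VE-active": (True, ["PG-ext", "PG-web", "PG-app", "PG-sync"]),
    "VE-standby": (True, ["PG-ext", "PG-web", "PG-app", "PG-sync"]),
    "web01": (False, ["PG-web"]),
    "app01": (False, ["PG-app"]),
    "app02": (False, ["PG-app", "PG-web"]),     # bridges the web and app zones
    "backup01": (False, ["PG-ext", "PG-app"]),  # bypasses the VE entirely
    "jump01": (False, ["PG-console"]),          # guest on the console network
    "test01": (False, ["PG-lab"]),              # port group nobody assigned a zone
}


def audit(portgroup_zone, vms):
    """Return sorted (vm, finding, detail) tuples for every guest violation."""
    findings = []
    for vm, (is_ve, pgs) in sorted(vms.items()):
        if is_ve:
            continue  # VE members are expected on ext/sync; hardened separately
        zones = set()
        for pg in pgs:
            zone = portgroup_zone.get(pg)
            if zone is None:
                findings.append((vm, "unzoned-portgroup", pg))
                continue
            zones.add(zone)
            if zone in FIREWALL_ONLY_ZONES:
                findings.append((vm, "firewall-only-zone", pg))
            if zone in NO_GUEST_ZONES:
                findings.append((vm, "console-exposure", pg))
        if len(zones) > 1:
            findings.append((vm, "multi-zone-bridge", "+".join(sorted(zones))))
    return sorted(findings)


if __name__ == "__main__":
    for vm, kind, detail in audit(PORTGROUP_ZONE, VMS):
        print(f"{vm:10} {kind:20} {detail}")
```

Run against a real vCenter export the same check needs the port group to zone mapping maintained by the security team, not the server admin, which is exactly the separation of duties slide 12 says virtualization tends to erode.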

26 vSwitch integrated security (VMsafe)
(Diagram: VPN-1 VE providing firewall, IPS/IDS and anti-virus through a security API in the ESX server, inspecting packets before they reach the VMs.)
- Creates a new, stronger layer of defense, and fundamentally changes the protection available for VMs running on VMware Infrastructure compared with physical machines
- Protects the VM by inspection of virtual components (CPU, memory, network and storage)
- Complete integration and awareness of VMotion, Storage VMotion, HA, etc.
- Provides an unprecedented level of security: "Virtual is more secure than Real"

27 VPN-1 VE with VMsafe
- Ability to firewall and protect individual VMs, even between VMs on the same vSwitch
- VMotion awareness
- Inspection at the hypervisor level
- Great performance
