Virtualization and Cloud Computing

Virtualization, Cloud and Security

Michael Grafnetter


Agenda

  • Virtualization Security Risks and Solutions

  • Cloud Computing Security

  • Identity Management


Virtualization Security Risks and Solutions


Blue Pill Attack

  • Presented in 2006 by Joanna Rutkowska at the Black Hat conference

  • Traps the running OS on the fly: a thin hypervisor is started underneath it and the live machine is moved into a virtual machine without a reboot (requires kernel-level privileges to execute the necessary privileged instructions, plus hardware virtualization support; the original targeted AMD-V/SVM)

  • Once in control, it can intercept nearly anything and return fake responses (hardware interrupts, requests for data, system time, etc.)


Red Pill

  • Blue Pill is detectable by a timing attack

    • Instructions the hypervisor has to trap and emulate (e.g. CPUID) take much longer than the same instructions executed natively

    • An external time source (e.g. NTP) has to be used for the measurement, because the local clock (system time, TSC) can be virtualized and spoofed by the hypervisor


VMM Vulnerability

  • By compromising the VMM (hypervisor), an attacker reaches every server running on that host at once


Datacenter Management SW

  • Virtualization infrastructure management software (VMware vCenter, Microsoft System Center VMM) is used to control multiple hosts at once


Web Access to DCs

  • Multiple datacenters can be managed from a single central console; the security of that console therefore has to be hardened accordingly


One Ring to rule them all…

  • Management commands are available through PowerShell (the VMware PowerCLI cmdlets below) or web APIs, e.g.:

    • Get-VM -Name * | Stop-VM

    • Get-VM -Name * | Remove-VM

    • Copy-VMGuestFile

    • Invoke-VMScript -ScriptType Bash


Demo

DoS attack on virtualization infrastructure
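The cmdlets above and the demo boil down to one question: which principals hold, on which part of the inventory, the privileges behind Stop-VM, Remove-VM, Copy-VMGuestFile and Invoke-VMScript? The following PowerCLI script is an added example (not part of the original deck) that answers it and then creates a least-privilege operator role. It assumes VMware PowerCLI is installed; the vCenter name, the folder 'Prod-Web' and the group 'CORP\vm-operators' are placeholders.

```powershell
# Added example, not from the original deck: audit who can run the "one ring" commands
# against vCenter, then create a restricted operator role. Placeholders: vCenter host name,
# folder 'Prod-Web', AD group 'CORP\vm-operators'.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server vcenter.example.internal -Credential (Get-Credential) | Out-Null

# vSphere privilege IDs behind the cmdlets shown on the slide.
$destructive = @{
    'VirtualMachine.Interact.PowerOff'       = 'Stop-VM'
    'VirtualMachine.Inventory.Delete'        = 'Remove-VM'
    'VirtualMachine.GuestOperations.Modify'  = 'Copy-VMGuestFile (into the guest)'
    'VirtualMachine.GuestOperations.Execute' = 'Invoke-VMScript'
}

# 1. Roles that carry any of these privileges (the built-in Administrator role always does).
$riskyRoles = Get-VIRole | Where-Object {
    $role = $_
    @($destructive.Keys | Where-Object { $role.PrivilegeList -contains $_ }).Count -gt 0
}

# 2. Who holds such a role, on which object, and whether it propagates down the inventory.
#    A propagating permission on the root folder or a datacenter is exactly the blast
#    radius of 'Get-VM -Name * | Stop-VM'.
$report = Get-VIPermission | Where-Object { $_.Role -in @($riskyRoles).Name } | ForEach-Object {
    $privs = (Get-VIRole -Name $_.Role).PrivilegeList | Where-Object { $destructive.ContainsKey($_) }
    [pscustomobject]@{
        Principal = $_.Principal
        Role      = $_.Role
        Scope     = $_.Entity.Name
        Propagate = $_.Propagate
        Commands  = ($privs | ForEach-Object { $destructive[$_] }) -join ', '
    }
}
$report | Sort-Object Principal | Format-Table -AutoSize

# 3. A restricted role: operators may power VMs on and use the console, but cannot power
#    them off, delete them, or reach into the guest OS. (vCenter adds the System.* privileges
#    to every role automatically.)
$privIds = @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.ConsoleInteract'
)
$role = New-VIRole -Name 'VM Operator (restricted)' -Privilege (Get-VIPrivilege -Id $privIds)

# Grant it only on the folder the team owns, never on the root folder.
New-VIPermission -Entity (Get-Folder -Name 'Prod-Web') -Principal 'CORP\vm-operators' `
                 -Role $role -Propagate:$true | Out-Null
```

Run the report part regularly: any principal other than a small, MFA-protected admin group appearing with a propagating permission at datacenter or root scope is a finding, because that account alone can reproduce the DoS demo with a single pipeline.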


Disabling Host-VM Communication


Physical vs. Virtual Firewall

  • With virtualization, servers from different trust zones usually share the same physical resources (memory, network card, etc.), so the separation a physical firewall used to enforce between them has to be re-created inside the host


Traffic isolation


Demo

Configuring traffic isolation on VMware ESXi
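As an added example (not the deck's own demo script), the following PowerCLI code does the isolation on an ESXi host: one VLAN-tagged port group per trust zone on a dedicated standard switch, with the three guest-side tricks that break isolation on a vSwitch (promiscuous mode, MAC address changes, forged transmits) rejected, followed by a check across all hosts. Host name, switch name, uplink NIC and VLAN IDs are placeholders.

```powershell
# Added example, not from the original deck. Placeholders: host 'esxi01.example.internal',
# uplink 'vmnic2', switch 'vSwitch-Guest', VLAN IDs 110/120/130.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server vcenter.example.internal -Credential (Get-Credential) | Out-Null

$vmHost = Get-VMHost -Name 'esxi01.example.internal'

# Dedicated standard switch with its own physical uplink, so guest traffic never shares
# a switch with the management (vmk0) or vMotion networks.
$vSwitch = New-VirtualSwitch -VMHost $vmHost -Name 'vSwitch-Guest' -Nic 'vmnic2'

# Harden the switch-level default; port groups inherit it unless overridden.
Get-SecurityPolicy -VirtualSwitch $vSwitch |
    Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null

# One port group per trust zone, each on its own 802.1Q VLAN. The physical switch port
# behind vmnic2 must be a trunk carrying exactly these VLANs.
$zones = @{ 'Zone-DMZ' = 110; 'Zone-App' = 120; 'Zone-DB' = 130 }
foreach ($zone in $zones.GetEnumerator()) {
    $pg = New-VirtualPortGroup -VirtualSwitch $vSwitch -Name $zone.Key -VLanId $zone.Value
    # Pin the policy on the port group as well, so a later change to the switch default
    # cannot silently loosen a zone.
    Get-SecurityPolicy -VirtualPortGroup $pg |
        Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false | Out-Null
}

# Check: every standard port group on every host whose effective policy still allows any
# of the three. The table should come back empty.
Get-VMHost | Get-VirtualPortGroup -Standard | ForEach-Object {
    $policy = Get-SecurityPolicy -VirtualPortGroup $_
    if ($policy.AllowPromiscuous -or $policy.MacChanges -or $policy.ForgedTransmits) {
        [pscustomobject]@{
            Host             = $_.VirtualSwitch.VMHost.Name
            PortGroup        = $_.Name
            VLAN             = $_.VLanId
            AllowPromiscuous = $policy.AllowPromiscuous
            MacChanges       = $policy.MacChanges
            ForgedTransmits  = $policy.ForgedTransmits
        }
    }
} | Format-Table -AutoSize
```

VLAN tagging separates the zones at layer 2 only; traffic that must cross zones still has to pass a firewall (physical, or a virtual one attached to the same port groups).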


Other risks of virtualization

  • Introduction of yet another OS

  • Reliance on traditional barriers

  • Accelerated provisioning

  • Security left to non-traditional security staff

  • Audit scope creep


Security Solutions

  • Virtual Firewall

    • Live migration

    • Stretched clusters

  • Agentless Antivirus

  • Extensible Switches

  • Mobile Virtualization Platform

  • Virtual Desktop Infrastructure (VDI)


Agentless AV


Extensible Switch


Mobile Virtualization Platform

  • Supported devices


Virtual Desktop Infrastructure


Cloud Computing Security Risks


Who has access to our data?


Physical Security


Hard Disk Crushers


Other Cloud Risks

  • Unclear data location

  • Regulatory compliance

  • Data segregation

  • Lack of investigative support

  • Disaster recovery

  • Long-term viability, vendor lock-in


Identity Management

  • Basic Concepts

    • External user DBs

    • Two-factor authentication

    • Role-Based Access Control (RBAC)

  • Identity Federation

    • OAuth

    • OpenID

    • SAML

    • RADIUS Proxy

    • Identity Bridges


External User DBs

  • Typically Active Directory or a generic LDAP directory is used as the central identity store for virtualization infrastructures


Azure Active Directory


Two-Factor Authentication


Role-Based Access Control


Identity Federation


OAuth

  • Used to delegate authorization: a user grants a 3rd-party application limited access to resources held by a service provider, without handing over credentials (in practice also the basis of "sign in with ..." buttons, via the provider's identity API)


Demo

Creating a web applicationwith Facebook/Twitter/Microsoft Account authentication
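The server side of such a login is an OAuth 2.0 authorization code flow. The script below is an added example (not the deck's demo code) showing the two security-relevant steps: binding a random state value to the browser session before redirecting, and refusing the callback unless that state comes back before the code is exchanged. It uses the Microsoft identity platform v2.0 endpoints for the Microsoft account case; the client ID, secret, redirect URI and the session hashtable are placeholders. PKCE (code_challenge/code_verifier) is included as current practice; it post-dates the deck.

```powershell
# Added example, not from the original deck. Placeholders: client ID, redirect URI,
# $env:OAUTH_CLIENT_SECRET, and $session standing in for the server-side session store.
$tenant      = 'consumers'   # Microsoft accounts; use 'organizations' or a tenant ID for Azure AD
$authorize   = "https://login.microsoftonline.com/$tenant/oauth2/v2.0/authorize"
$tokenUrl    = "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token"
$clientId    = '00000000-0000-0000-0000-000000000000'   # placeholder app registration
$redirectUri = 'https://app.example.com/signin-oidc'     # must match the registration exactly
$scopes      = 'openid profile email User.Read'

function New-RandomUrlSafeString([int]$Bytes = 32) {
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    # base64url without padding (RFC 4648 sec. 5), the alphabet RFC 7636 requires for the verifier
    [Convert]::ToBase64String($buf).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-PkceChallenge([string]$Verifier) {
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([Text.Encoding]::ASCII.GetBytes($Verifier))
    [Convert]::ToBase64String($hash).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Step 1: before redirecting the browser, mint state + verifier and bind them to THIS session.
$session = @{}
$session.state    = New-RandomUrlSafeString
$session.verifier = New-RandomUrlSafeString 64
$query = @{
    client_id             = $clientId
    response_type         = 'code'
    redirect_uri          = $redirectUri
    response_mode         = 'query'
    scope                 = $scopes
    state                 = $session.state
    code_challenge        = Get-PkceChallenge $session.verifier
    code_challenge_method = 'S256'
}
$loginUrl = $authorize + '?' + (($query.GetEnumerator() | ForEach-Object {
    "$($_.Key)=$([Uri]::EscapeDataString($_.Value))" }) -join '&')
"Redirect the user to: $loginUrl"

# Step 2: the callback. $Callback is the parsed query string the IdP sent the browser back with,
# e.g. Complete-Login $session @{ code = $q['code']; state = $q['state'] }
function Complete-Login([hashtable]$Session, [hashtable]$Callback) {
    if ($Callback.error) { throw "IdP returned error: $($Callback.error)" }
    # Reject a code this session never asked for (CSRF / login forcing).
    if (-not $Session.state -or $Callback.state -cne $Session.state) {
        throw 'state mismatch: callback does not belong to this session'
    }
    $Session.Remove('state')   # single use

    # Exchange the code server-to-server; the verifier proves we started this flow.
    $token = Invoke-RestMethod -Method Post -Uri $tokenUrl `
        -ContentType 'application/x-www-form-urlencoded' -Body @{
            client_id     = $clientId
            client_secret = $env:OAUTH_CLIENT_SECRET   # never embed the secret in the script
            grant_type    = 'authorization_code'
            code          = $Callback.code
            redirect_uri  = $redirectUri
            code_verifier = $Session.verifier
        }
    # $token.id_token (a JWT) identifies the user; validate its signature, issuer, audience
    # and expiry with an OIDC/JWT library before creating a local session from it.
    return $token
}
```

Facebook and Twitter differ in endpoints and (historically) protocol version, but the pattern is the same: the application never sees the user's password, and the only thing that ties the returned code to a user is the state value the application itself generated.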


OpenID

  • The user's identifier is a URL served by the OpenID provider, e.g. http://someopenid.provider.com/john.smith


SAML

  • Similar to OpenID, but targeted at the enterprise

  • Security Assertion Markup Language

  • XML-based

  • Supports single sign-on

  • Requires mutual trust between IdP and SP (metadata and signing certificates exchanged in advance)

  • Multiple bindings (HTTP Redirect, HTTP POST, HTTP Artifact, SOAP), not just browser HTTP

  • Supports identity-provider-initiated authentication as well as SP-initiated



SAML (Google Apps)


SAML Example

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
    ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0"
    IssueInstant="2004-12-05T09:22:05">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  <saml:Conditions
      NotBefore="2004-12-05T09:17:05" NotOnOrAfter="2004-12-05T09:27:05">
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute x500:Encoding="LDAP" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
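The assertion only means something to a service provider that checks it. The function below is an added example (not from the deck) of the checks an SP runs before trusting the attributes: issuer is the one trusted IdP, a signature is present, the Conditions window holds (with clock-skew tolerance), and the audience is this SP. The input is the deck's example assertion with namespace declarations and an AudienceRestriction added to exercise that check; because the page elides the signature ("..."), real XML-DSig verification is left to the noted library call. The IdP and SP entity IDs and the timestamps passed in are placeholders.

```powershell
# Added example, not from the original deck. The signature is elided in the page's sample,
# so this code only checks that it exists; see the comment for what real verification must do.
$assertionXml = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
    ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0" IssueInstant="2004-12-05T09:22:05Z">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  <saml:Conditions NotBefore="2004-12-05T09:17:05Z" NotOnOrAfter="2004-12-05T09:27:05Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/SAML2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute x500:Encoding="LDAP" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

function Test-SamlAssertion {
    param(
        [string]$Xml,
        [string]$TrustedIssuer,   # the one IdP this SP federates with (the "mutual trust")
        [string]$OurEntityId,     # the SP the IdP must have addressed the assertion to
        [datetime]$Now,           # injected so the example is reproducible
        [int]$ClockSkewSeconds = 120
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $doc = [xml]$Xml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',   'http://www.w3.org/2000/09/xmldsig#')
    $a = $doc.SelectSingleNode('/saml:Assertion', $ns)
    if (-not $a) { return [pscustomobject]@{ Ok = $false; Errors = @('not a SAML Assertion'); Attributes = @{} } }
    if ($a.GetAttribute('Version') -ne '2.0') { $problems.Add('unsupported SAML version') }

    # 1. Trust: only the configured IdP may issue assertions for us.
    $issuer = $a.SelectSingleNode('saml:Issuer', $ns).InnerText.Trim()
    if ($issuer -cne $TrustedIssuer) { $problems.Add("untrusted issuer '$issuer'") }

    # 2. Integrity: a signature must be present and, in real code, verify against the IdP's
    #    pinned certificate (System.Security.Cryptography.Xml.SignedXml). Its ds:Reference URI
    #    must be "#<this assertion's ID>"; reading attributes from an element the signature
    #    does not cover is the classic signature-wrapping mistake.
    if (-not $a.SelectSingleNode('ds:Signature', $ns)) { $problems.Add('assertion is not signed') }

    # 3. Freshness: the Conditions window, with a small tolerance for clock skew.
    $cond   = $a.SelectSingleNode('saml:Conditions', $ns)
    $inv    = [System.Globalization.CultureInfo]::InvariantCulture
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal -bor [System.Globalization.DateTimeStyles]::AdjustToUniversal
    $notBefore    = [datetime]::Parse($cond.GetAttribute('NotBefore'),    $inv, $styles)
    $notOnOrAfter = [datetime]::Parse($cond.GetAttribute('NotOnOrAfter'), $inv, $styles)
    $nowUtc = $Now.ToUniversalTime()
    if ($nowUtc -lt $notBefore.AddSeconds(-$ClockSkewSeconds))   { $problems.Add('assertion not yet valid') }
    if ($nowUtc -ge $notOnOrAfter.AddSeconds($ClockSkewSeconds)) { $problems.Add('assertion expired') }

    # 4. Audience: an assertion minted for another SP must not log anyone in here.
    $audiences = @($cond.SelectNodes('saml:AudienceRestriction/saml:Audience', $ns) | ForEach-Object { $_.InnerText.Trim() })
    if ($audiences.Count -eq 0 -or $audiences -cnotcontains $OurEntityId) { $problems.Add('audience does not include this SP') }

    # Only after every check passes are the attributes worth reading.
    $attrs = @{}
    if ($problems.Count -eq 0) {
        foreach ($attr in $a.SelectNodes('saml:AttributeStatement/saml:Attribute', $ns)) {
            $name = if ($attr.GetAttribute('FriendlyName')) { $attr.GetAttribute('FriendlyName') } else { $attr.GetAttribute('Name') }
            $attrs[$name] = @($attr.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
        }
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Errors = $problems.ToArray(); Attributes = $attrs }
}

$idp = 'https://idp.example.org/SAML2'
$sp  = 'https://sp.example.com/SAML2'
Test-SamlAssertion $assertionXml $idp $sp ([datetime]'2004-12-05T09:20:00Z')   # inside the validity window
Test-SamlAssertion $assertionXml $idp $sp ([datetime]'2004-12-05T09:30:00Z')   # replayed after NotOnOrAfter
Test-SamlAssertion $assertionXml $idp 'https://other-sp.example.net/SAML2' ([datetime]'2004-12-05T09:20:00Z')   # wrong audience
```

The order matters less than the rule that attributes are read only from an assertion that passed all four checks; an SP that maps eduPersonAffiliation to roles before validating signature and audience can be fed any role an attacker likes.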


Microsoft Active Directory Federation Services

  • SAML-based (also supports WS-Federation)

  • Typically used to give business partners access to intranet portals


Shibboleth

  • SAML-based federation software (identity provider and service provider components), widely used in academia

  • Open Source


Demo

Signing in to a federated web application


RADIUS Proxy (Eduroam)


Identity Bridges


Identity Bridges: Azure Access Control Service