Security of VMware vSphere

Bob van der Werf

Sr. Systems Engineer

VMware


VMware Security Strategy

.OVF

  • Platform Security

    • Secure hypervisor architecture

    • Platform hardening features

    • Secure Development Lifecycle

  • Secure Operations

    • Prescriptive guidance for deployment and configuration

    • Integration into existing policies, procedures, and tools in the enterprise

  • Virtualization of Security

    • Self-describing, self-configuring security

    • Unique advantage of virtualization


Architecture: Isolation by design


Secure Implementation

VMware ESXi

  • Compact 59 MB footprint

  • Fewer patches

  • Smaller attack surface

  • Absence of general-purpose management OS

  • No arbitrary code running on server

  • Not susceptible to common threats


Secure Implementation

  • Platform Hardening

    • Integrity in Memory Protection

      • ASLR – Randomizes where core kernel modules load into memory

      • NX/XD – Marks writable areas of memory as non-executable

    • Kernel Integrity

      • Digital signing – ensures the integrity of drivers and applications as they are loaded by the VMkernel.

      • Module signing – allows ESX to identify the providers of modules, drivers, or applications and whether they are VMware-certified.


Independently validated

  • Common Criteria Certification EAL (Evaluation Assurance Level)

    • CC EAL 4+ certification

      • Highest recognized level

      • Achieved for ESX 3.0; in process for ESX 3.5 and vSphere 4

  • DISA STIG for ESX

    • Approval for use in DoD information systems

  • NSA Central Security Service

    • Guidance for both datacenter and desktop scenarios


VMware vSphere™ – Components

vSphere 4.0

  • Application Services

    • Availability

      • Clustering

      • Data Protection

    • Security

      • Firewall

      • Anti-virus

      • Intrusion Prevention

      • Intrusion Detection

    • Scalability

      • Dynamic Resource Sizing

  • Infrastructure Services

    • vCompute

      • Hardware Assist

      • Enhanced Live Migration Compatibility

    • vStorage

      • Storage Management & Replication

      • Storage Virtual Appliances

    • vNetwork

      • Network Management


VMware VMsafe APIs


VMware VMsafe™

[Figure panels: ESX; ESX with VMsafe]

  • New approach to VM Security

    • Protect by inspection of virtual components (CPU, Memory, Network and Storage)

    • Functionality provided in Security Virtual Appliance

  • Complete integration with VMware vSphere, e.g.

    • VMotion

    • Storage VMotion

    • HA

  • Better Context

    • Isolated from the malware

    • In cooperation with the smaller, trustable codebase of the hypervisor


VMsafe CPU/Memory API

  • Can inspect memory locations and CPU registers

  • Hypervisor Extension implemented as VMX/VMM modules

  • VMsafe API Library

  • Capabilities:

    • Detect current application state in the protected VM's CPU from general-purpose register values

    • Sense system configuration state from the control registers on the protected VM


VMsafe CPU/Memory Interface

[Diagram labels: Security Virtual Machine (Security Agent, VMsafe Library); Protected Virtual Machines; VMware vSphere™; VMX; VMM; VMsafe Extension]


VMsafe CPU/Memory API Use Cases

  • BIOS: Early Boot Security

    • Security Agents are up and running before the protected VM powers on

  • System Integrity Protection

    • The Security Agent can monitor the protected VM's physical memory accesses

  • Enforce Multiple Policies (verify-before-execute)

    • Defeats: Shellcode interjection attack (overflow attack)

    • Defeats: Kernelcode injection attack (bypass driver-signing processes)


VMsafe Network Packet Inspection API

  • Provides distributed virtual filter (DVFilter) solutions to protect network packet streams

  • vNetwork Data Path Agent (Fast Agent)

    • Installs as a kernel module and directly intercepts packets in the virtual network packet stream

  • vNetwork Control Path Agent (Slow Agent)

    • Resides in a security virtual appliance and can be used for further thorough processing


VMsafe Net Data/Control Path Agents

[Diagram labels: Security Virtual Machine (Security Agent, Control Path Agent, DVFilter Library); Protected Virtual Machines; vNICs; DVFilters (Data Path Agents); vSwitch; vNetwork Distributed Switch; VMware vSphere™; pNICs]


VMsafe Network Packet Inspection API Capabilities

  • Inspecting packets

  • Modifying packets

  • Passing a packet to the control path agent for further processing

  • Dropping packets from the packet stream

  • Injecting packets in the packet stream


VMsafe Virtual Disk Development Kit

  • Provides interfaces that let applications directly manipulate Virtual Machine Disk Format (VMDK) images

    VDDK: Virtual Disk Development Kit

    • Read/write data anywhere in a VMDK file

    • Create and manage redo logs (parent-child disk chaining)

    • Read and write disk metadata


VMsafe Virtual Disk Development Kit: Use Cases

  • Read the VMDK image files offline, checking each sector for a virus signature

  • Perform a forensic analysis on the VMDK image files

  • Monitor compliance of configuration files on virtual disks

  • Scan for unauthorized content on virtual disks, such as credit card or social security numbers
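
The offline content scan from the use cases above, as an added example (not from the presentation, and not VMware or VDDK code). It assumes the sectors have already been read into memory, so reading the VMDK itself is out of scope; `pan_scanner`, `scan_sector` and `demo_hits` are hypothetical names and the sample image is constructed.

```c
#include <string.h>

#define SECTOR_SIZE 512
#define MIN_PAN 13
#define MAX_PAN 19

/* State kept across sector reads so a number split over two sectors is one run. */
typedef struct { char run[MAX_PAN]; size_t len, hits; } pan_scanner;

/* Luhn checksum over n ASCII digits; returns 1 when valid. */
static int luhn_ok(const char *d, size_t n) {
    int sum = 0, dbl = 0;
    for (size_t i = n; i-- > 0; dbl = !dbl) {
        int v = d[i] - '0';
        if (dbl) v = (v * 2 > 9) ? v * 2 - 9 : v * 2;
        sum += v;
    }
    return sum % 10 == 0;
}

/* Close the current digit run; count it if length and Luhn both pass. */
static void end_run(pan_scanner *s) {
    if (s->len >= MIN_PAN && s->len <= MAX_PAN && luhn_ok(s->run, s->len))
        s->hits++;
    s->len = 0;
}

/* Feed one sector; call once per sector, in disk order. */
void scan_sector(pan_scanner *s, const unsigned char *sec, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (sec[i] < '0' || sec[i] > '9') { end_run(s); continue; }
        if (s->len < MAX_PAN) s->run[s->len] = (char)sec[i];
        s->len++;  /* over-long runs are rejected in end_run */
    }
}

/* Constructed sample: two filler sectors, one test number across the boundary. */
size_t demo_hits(void) {
    unsigned char img[2 * SECTOR_SIZE];
    pan_scanner s = {0};
    memset(img, 'A', sizeof img);
    memcpy(img + 100, "4111111111111112", 16);  /* fails Luhn */
    memcpy(img + 505, "4111111111111111", 16);  /* Luhn-valid, straddles byte 512 */
    for (size_t off = 0; off < sizeof img; off += SECTOR_SIZE)
        scan_sector(&s, img + off, SECTOR_SIZE);
    end_run(&s);  /* flush a run that ends at the end of the image */
    return s.hits;
}

int main(void) { return demo_hits() == 1 ? 0 : 1; }
```

A scanner that resets its state at every sector would miss the number at offset 505; the Luhn check keeps arbitrary digit runs from being reported.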


Current VMsafe Program Partnerships


Where to Learn More

  • Security

    • Hardening Best Practices

    • Implementation Guidelines

    • http://vmware.com/go/security

  • Compliance

    • Partner Solutions

    • Advice and Recommendation

    • http://vmware.com/go/compliance

  • Operations

    • Peer-contributed Content

    • http://viops.vmware.com


Thank You

Bob van der Werf

[email protected]

http://www.vmware.com/go/security

http://www.vmware.com/go/compliance

