Security in a virtual world
This presentation is the property of its rightful owner.
Sponsored Links
1 / 39

Security in a Virtual World PowerPoint PPT Presentation


  • 35 Views
  • Uploaded on
  • Presentation posted in: General

Security in a Virtual World. Kai Axford, CISSP, MCSE Sr. Security Strategist, Trustworthy Computing Group Microsoft Corporation [email protected] http://blogs.technet.com/kaiaxford. Why should I care?.

Download Presentation

Security in a Virtual World

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Security in a virtual world

Security in a Virtual World

Kai Axford, CISSP, MCSE

Sr. Security Strategist, Trustworthy Computing Group

Microsoft Corporation

[email protected]

http://blogs.technet.com/kaiaxford


Why should i care

Why should I care?

The number of virtual servers will rise to more than 1.7 million physical servers by 2010, resulting in 7.9 million logical servers. Virtualized servers will represent 14.6% of all physical servers in 2010 compared to just 4.5% in 2005.

60% of production virtual machines will be less secure than their physical counterparts through to 2009.

Source: IDC

Source: Gartner


Virtualization is a good thing

Virtualization…is a good thing.


Security in a virtual world

Microsoft’s Virtualization Technologies

Server Virtualization

Presentation Virtualization

Management

Desktop Virtualization

Application Virtualization


Some common vm security myths

Some Common VM Security Myths…

  • “I only have to patch my host OS / Kernel”

  • “If I protect my Host machine, it will protect my VMs.”

  • “Virtual Hard Disk files are secure by default.”

  • “If you expose the virtual machine, you have to expose all virtual machines and the host.”

  • “All virtual machines can see each other.”


Windows server virtualization

VirtualHard Disks

(VHD)

Windows Server Virtualization

Windows Server Virtualization

  • Greater Scalability and improved performance

    • x64 bit host and guest support

    • SMP support

  • Increased reliability and security

    • Minimal Trusted Code base

    • Windows running a foundation role

  • Better flexibility and manageability

    • New UI/Integration with SCVMM

VM 2“Child”

VM 3“Child”

VM 2

VM 3

VM 1“Parent”

Virtual Server 2005 R2

Windows Server 2003

Hardware

Windows Hypervisor

AMD-V / Intel VT


The old virtualization architecture

The Old Virtualization Architecture

Host OS

Guest OS

Host

Virtual Server

WebApp

IIS

Virtual Server

Service

Guest

Applications

Virtualisation

layer

Guest App

Ring 3

Hardware

Ring 1

Ring 3

VS Additions

Windows (NT4, 2000, 2003)

Ring 0

Windows Server 2003 or XP

Ring 0

Kernel

VMM.sys

VMM.sys

Designed for Windows Server Hardware


Virtualization architecture hypervisor

Virtualization Architecture Hypervisor

Primary Partition

Child Partitions

Virtualization Stack

Applications

VM

Service

WMI Provider

VM Worker

Processes

Ring 3

MinWin

Virtualization

Service

Providers

(VSPs)

Virtualization

Service

Clients

(VSCs)

Windows

Kernel

Guest OS

Kernel

IHV

Drivers

VMBus

VMBus

Enlightenments

Ring 0

Windowshypervisor

Ring “-1”

Server Hardware


Hyper v security assumptions

Hyper-V Security Assumptions

  • Guests are untrusted

  • Trust relationships

    • Parent must be trusted by hypervisor

    • Parent must be trusted by children

  • Code in guests can run in all available processor modes, rings, and segments

  • Hypercall interface will be well documented and widely available to attackers

  • All hypercalls can be attempted by guests

  • Can detect you are running on a hypervisor

    • (We’ll even give you the version)

  • The internal design of the hypervisor will be well understood


Hyper v security goals

Hyper –V Security Goals

  • Strong isolation between partitions

  • Protect confidentiality and integrity of guest data

  • Separation

    • Unique hypervisor resource pools per guest

    • Separate worker processes per guest

    • Guest-to-parent communications over unique channels

  • Non-interference

    • Guests cannot affect the contents of other guests, parent, hypervisor

    • Guest computations protected from other guests

    • Guest-to-guest communications not allowed through VM interfaces


  • Hyper v isolation

    Hyper-V Isolation

    • We’re serious….

      • No sharing of virtualized devices

      • Separate VMBus per VM to the parent

      • No sharing of memory

        • Each has its own address space

      • VMs cannot communicate with each other, except through traditional networking

      • Guests can’t perform DMA attacks because they’re never mapped to physical devices

      • Guests cannot write to the hypervisor

      • Parent partition cannot write to the hypervisor


    Hyper v security hardening

    Hyper-V Security Hardening

    • Hypervisor has separate address space

      • Guest addresses != Hypervisor addresses

    • No 3rd party code in the Hypervisor

    • Limited number of channels from guests to hypervisor

      • No “IOCTL”-like things

    • Guest to guest communication through hypervisor is prohibited

    • No shared memory mapped between guests

    • Guests never touch real hardware I/O


    Hyper v security model

    Hyper-V Security Model

    • Uses Authorization Manager (AzMan)

      • Fine grained authorization and access control

      • Department and role based

      • Segregate who can manage groups of VMs

    • Define specific functions for individuals or roles

      • Start, stop, create, add hardware, change drive image

    • VM administrators don’t have to be Server 2008 administrators

    • Guest resources are controlled by per VM configuration files

    • Shared resources are protected

      • Read-only (CD ISO file)

      • Copy on write (differencing disks)


    Security in a virtual world

    demo

    • Windows Server 2008 Hyper-V


    Virtualization attack vectors

    Virtualization Attack Vectors


    Common attacks host

    Common Attacks: Host

    • Host Compromise for

      • Deployment, Duplication and Deletion

      • Control of Virtual Machines

      • Direct Code / File injection to Virtualization File Structure

        • Virtual Hard Disks

        • Virtual Configuration Files

      • Time Sync

    • Hardware

      • Rootkits / Malware

      • Drivers (Attack Surface / Stability)


    Some attacks making the news

    Some attacks making the news..

    • SubVirt(Samuel T. King, Peter M. Chen: Michigan U)

      • Kernel based Rootkit based on a commercial VMM, which creates and emulates virtual hardware.

    • BluePill(AMD SVM) – Joanna Rutkowska

      • Moves the Host OS to a Virtual Machine at the hardware later (PoC on AMD, Theory on Intel)

    • Vitriol(Intel VT-x Mac OSX) – Dino Dai Zovi

      • VM Rootkit similar to BluePill but this time targeting Mac OSX

    • Detecting a Virtual Environment..

      • RedPill / NoPill / scoopy_doo

      • Determines if a current OS is running inside a Virtual Machine


    Use remote management

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    VM

    Use Remote Management

    • All Virtualization Solutions include some form of remote control.

      • Access to these tools should be limited.

      • Limit scope of access / control

    • Protect the remote control mechanisms!

      • Use limited use accounts for control

      • Make sure the connections are encrypted / authenticated (SSL, RDP over SSL)

      • Use logging


    Announcing systems center virtual machine manager 2008 beta

    ANNOUNCING: Systems Center Virtual Machine Manager 2008 (Beta)


    Top 10 reasons for scvmm 2008

    Top 10 Reasons for SCVMM 2008

    • Designed for virtual machines running on Windows Server 2008 and Microsoft Hyper-V Server

    • Support for Microsoft Virtual Server and VMware ESX

    • Performance and Resource Optimization (PRO)

    • Maximize datacenter resources through consolidation

    • Machine conversions are a snap!

    • Quick provisioning of new machines

    • Intelligent Placement minimizes virtual machine guesswork in deployment

    • Delegated virtual machine management for Development and Test

    • The library helps keep virtual machine components organized

    • Windows PowerShell™ provides rich management and scripting environment


    Security in a virtual world

    demo

    • SCVMM 2008 (Beta)


    Host attacks potential solutions

    Host Attacks: Potential Solutions

    • Harden the Host Servers

      • Where a Hypervisor or Specialist Kernel is used, the Host attack surface is smaller, however updating and patching is still required.

      • Use single role servers and remove unwanted and un-necessary services / attack vectors

      • Use a local firewall and only allow limited host control / management ports over encrypted and authenticated channels.

      • Use limited scope admin accounts with strong passwords

    • Protect the Virtual Machine files

      • Access Control Lists (limited to the security context for the users who manage them and the services that control them.

      • Encryption

        • Disk / Volume / Folder / File

      • Auditing

        • file access, creation, deletion …

      • Don’t forget the backup files / archives


    Coming soon windows server 2008 virtualization hardening guide

    COMING SOON: Windows Server 2008 Virtualization Hardening Guide


    Use access control lists

    Use Access Control Lists


    Common attacks guest

    Common Attacks: Guest

    • Unpatched Virtual Machines

    • Older Operating Systems

    • Test or Development machines (these often are not managed in the same way as production machines)

    • Un-managed or user deployed virtual machines

    • Backups and archives


    Guest attacks potential solutions

    Guest Attacks: Potential Solutions

    • Harden the Guest Operating Systems

      • Treat the guest OS as if it was a physical machine

    • Isolate the machine with Virtual Networks / VLANs

      • Local Only Access

      • NAT

      • Segmented networks

        • IPSec Isolation

        • Physical Isolation (Separate NICs)


    Common virtualization scenario

    Database Server

    VM

    DMZ

    Common VirtualizationScenario

    The Segmented Network (with DMZ)

    Application Server

    Web Server

    VM

    VM

    Virtual NICS Virtual NICs

    Bridged virtual network

    Bridged virtual network

    Hardware server

    Virtual Switch

    Physical NICs

    Internal network 1

    Internal network 2


    Common virtualization scenario1

    Gateway Server

    Web Server

    VM

    VM

    DMZ

    Bridged virtual network

    Public external network

    Common VirtualizationScenario

    The three leg network (DMZ and VPN)

    Application Server

    VM

    Virtual NICS Virtual NICs

    Bridged virtual network

    Hardware server

    Virtual Switch

    Physical NICs

    Private internal network


    Patching a virtual machine

    Patching a Virtual Machine


    Backup and dr

    Cluster storage

    Cluster storage

    Backup and DR

    Guest to Guest

    Host to Host

    SAN or iSCSI connection

    iSCSI connection


    Threat landscape virtualized attackers

    Threat Landscape:Virtualized Attackers?

    • Is this is one of the next big attack vectors on the horizon?

    • The VM industry is focused on securing the VMs from attack. Very little thought of VMs being used as the attacker.

    • Cases are starting to appear where people use VMs to attack, then shutdown the VM to remove any trace of evidence.


    Threat landscape virtualized attackers1

    Threat Landscape:Virtualized Attackers?

    • But we do write all events to the SysLog

    • Things that go into drive slack are recoverable using forensics tools

    • We still have network traces…

    • …and audit logs

    • …and firewall and router logs

    • …not to mention video cameras in the server room.


    Virtualization best practices tips and tricks

    Virtualization Best Practices + Tips and Tricks


    Deployment considerations

    Deployment Considerations

    • Minimize risk to the Parent Partition

      • Use Server Core

      • Don’t run arbitrary apps, no web surfing

        • Run your apps and services in guests

    • Moving VMs from Virtual Server to Hyper-V

      • FIRST: Uninstall the VM Additions

    • Two physical network adapters at minimum

      • One for management (use a VLAN too)

      • One (or more) for vm networking

      • Dedicated iSCSI

      • Connect to back-end management network

        • Only expose guests to internet traffic


    Anti virus bitlocker

    Anti-Virus & BitLocker…

    • Parent partition

      • Run AV software and exclude .vhd

    • Child partitions

      • Run AV software within each VM

    • BitLocker

      • Great for branch office

      • Can be used within a VM

        • http://blogs.technet.com/virtualworld/archive/2008/02/16/using-bitlocker-under-virtual-pc-virtual-server.aspx

      • Still testing with Hyper-V; More to come…


    Extra tips

    Extra Tips…

    • Mitigate Bottlenecks

      • Processors

      • Memory

      • Storage

        • Don't run everything off a single spindle…

      • Networking

    • VHD Compaction/Expansion

      • Run it on a non-production system

    • Use .ISOs

      • Great performance

      • Can be mounted and unmounted remotely

      • Having them in SCVMM Library fast & convenient


    Conclusions

    Conclusions

    • Reduce the attack surface on the Host

    • Use least privilege access

    • Audit the deployment, maintenance, control and access to virtual machines

    • Leverage backups, snapshots and redundancy to reduce impact of Host / Guest maintenance

    • Secure your Virtual Machine Hard Disk and configuration files, including backups and archives

    • Use Virtual Networks / VLANs / IPSec to Isolate machines, especially before they are exposed to the network.


    Resources

    Resources

    • Get the slides! (Available June 2008)

      • http://www.microsoft.ca/bootcamp

    • Step-by-Step Guide to Getting Started with Hyper-V

      • http://technet2.microsoft.com/windowsserver2008/en/library/c513e254-adf1-400e-8fcb-c1aec8a029311033.mspx?mfr=true

    • Virtualization Team Blog

      • http://blogs.technet.com/virtualization

    • Microsoft Virtualization Website

      • http://www.microsoft.com/virtualization

    • Using BitLocker under Virtual PC / Virtual Server

      • http://blogs.technet.com/virtualworld/archive/2008/02/16/using-bitlocker-under-virtual-pc-virtual-server.aspx


    Questions

    Questions?

    • Kai Axford, CISSP, MCSE

    • Sr. Security Strategist, Trustworthy Computing Group

    • Microsoft Corporation

    • [email protected]

    • http://blogs.technet.com/kaiaxford


  • Login