1 / 19

Securing and Leveraging the Power of Virtual Servers and Desktops

Securing and Leveraging the Power of Virtual Servers and Desktops. Conrado Wang Cheng Niemeyer < chengw (at) sacredheart.edu> Information Security Officer, Sacred Heart University. Virtualization Advantages. Virtualization? “Cheap”, fast, easy to setup Application isolation

maxine
Download Presentation

Securing and Leveraging the Power of Virtual Servers and Desktops

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Securing and Leveraging the Power of Virtual Servers and Desktops Conrado Wang Cheng Niemeyer <chengw (at) sacredheart.edu> Information Security Officer, Sacred Heart University

  2. Virtualization Advantages • Virtualization? • “Cheap”, fast, easy to setup Application isolation • Template Deployment • Disaster Recovery • High Availability • Forensic Analysis w/P2V & in place with memory snapshots • Honeypotting

  3. Virtualization Disadvantages • Using a template image • One vulnerability is shared by all • Same admin/root passwords??!! • Possibly sequential IP range • Single file Servers & Workstations • Just copy one file and you’re done! • Poor multimedia support • Many eggs in fewer baskets • Virtual Machine Sprawl

  4. Virtualization Vulnerabilities • Guest to Guest Attacks • Guest to Host Attacks • Guest Client Vulnerabilities • Management Console/Host OS Vulnerabilities • Hypervisor Vulnerabilities • Not well developed and widespread, YET…

  5. VM Security Best Practices • Security Best Practices (Firewalls, IPS, Patching, Patching, Patching, Patching) • Secure your VMs as you would physical machines • Secure the Network • Use Separate Private backup and SAN network • Use Separate Private Management Console network • Favor Type 1 Hypervisors for Production and Testing Servers • VMWare ESX Server, Citrix XenServer, MS Hyper-V, etc. • Favor Type 2 use in Security applications • Disable Hardware Acceleration • Use QEmu (full emulation mode w/out kqemu) • Disable all sharing features • Favor Type 2 for Development environments • Run different security zones VMs on separate physical hosts • Use separate physical switches or VLANs in physical switches • Run different Management stations • Disable/remove unnecessary virtual hardware

  6. Monitoring in a vSwitch

  7. VMWare ESX Specific • VMWare Update (ESX 3.5 & VC 2.5) • Fix maximum size and rotation for Log Files • Use Resource Management • Secure the VI Console Access • Verify the ESX Console Firewall rules • Use SSL Certificates Encrypt Access to Virtual Center • Secure Console’s Linux environment

  8. Virtualization Applications • Setting up Development Environments • Setting up Testing Environments • Setting up Research Environments • Honeypotting • Consolidate Physical Servers • Virtual Secure Desktops… • Provide a desktop environment for users • Quickly deployed • Secured • Easily maintained • Provide access from those environments to all work tools, systems, and services

  9. Secure Desktop Advantages • Secured Access to Sensitive Systems  • Separation of Critical Business data from User data • Quick and Easy Deployment • Stand a new VM(s) in under 2mins • Ease of Policy Enforcement • Can Provide local admin elevation when necessary • Anywhere anytime access (or not) • Easy Integration into Identity Management • Currently • ERP (Datatel Colleague R17, R18) • Registrar’s • Human Resources • Business Office • Admissions (Recruitment Plus) • Financial Aid (PowerFAIDS, EDConnect) • Institutional Advancement (Raiser’s Edge) • Payroll (ADP) • Future Expansion • Document Imaging • Department Shares • MicroFAIDS (MS-DOS!!!!!)

  10. Secure Desktop Disadvantages • Poor Multimedia Support • ACL/Firewall Rule Maintenance • Vulnerable to Screen Scrapping • Increased Disaster Recovery Complexity • SSL Gateway • Connection Broker • Provisioning Server • ESX Servers • SAN & Blade Infrastructure • “Quality of Life” Issues • Cannot browse the web • Cannot persist software changes • Cannot connect certain USB devices • Coming Soon • Cannot access e-mail • Cannot copy & paste to host • Cannot connect any USB devices

  11. Secure Desktop Backend at SHU Hardware Software • HP c7000 Blade Enclosure • HP BL460c • 2 x Quad Core 2.3Ghz (Intel E5345) • 16 GB RAM • 4 x 1Gb Ethernet (on 2 separate boards) • Netapp 3020c Filers • 7TB (4TB Usable ??!!) for VMs • 12TB for User/Department Data • iSCSI all the way baby!!! • Cisco Catalyst 3750 Switches • 1Gb Ethernet (Copper) • 10Gb Uplink • VMWare VI3 (ESX 3.5 and Virtual Center 2.5) • Provision Networks Virtual Access Suite 5.9 • SSL Gateway • RDP Connection Broker • Citrix Provisioning Server Desktops v4.5 Sp1 • PXE Boot • HDD Streaming • Microsoft DHCP Server • Microsoft Windows XP Sp2

  12. Connection Broker Architecture

  13. SSL Gateway Architecture

  14. HDD Streaming Architecture

  15. Physical vs. Virtual Hardware Physical Virtual • Dell OptiPlex 755 • Intel Core2 2.4Ghz • 2GB RAM • 160GB HDD • Integrated Graphics • 1Gb Ethernet • ~$1,000 • VMWare ESX 3.5 • Virtual Dual to Quad Core 2.3Ghz • 256MB RAM • 1MB HDD • RDP Graphics • 1Gb Ethernet • ~$290 w/existing hardware

  16. Getting Buy-in • Initial deployment as test environments • Clarifying the difference between a purely work environment and a hybrid work/personal one • No other alternatives with new versions • Ease of use and virtually no training required • Unreliability of VPN and Citrix • Ability to access legacy environments with new simultaneously

  17. Demo • https://securedesk.sacredheart.edu/

  18. New Developments • Embedded Hypervisors • ESX 3i, XenServer OEM, etc. • VMSafe • VDI • SAN Snapshot Clones • Netapp FlexClone • Sophisticated Virtual Machine Detection

  19. Resources, Q & A • http://www.cisecurity.org/ • http://www.securityfocus.com/ • http://www.vmware.com/resources/techresources/cat/91 • http://www.citrix.com/ • http://www.provisionnetworks.com/

More Related