security of vmware vsphere n.
Skip this Video
Loading SlideShow in 5 Seconds..
Security of VMware vSphere PowerPoint Presentation
Download Presentation
Security of VMware vSphere

Security of VMware vSphere

161 Views Download Presentation
Download Presentation

Security of VMware vSphere

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Security of VMware vSphere Bob van der Werf Sr. Systems Engineer VMware

  2. VMware Security Strategy .OVF Virtualization of Security Platform Security Secure Operations • Secure hypervisor architecture • Platform hardening features • Secure Development Lifecycle • Prescriptive guidance for deployment and configuration • Integration into existing policies, procedures, and tools in the enterprise • Self-describing, Self-configuring security • Unique Advantage of virtualization 2

  3. Architecture: Isolation by design

  4. VMware ESXi Compact 59 MB footprint Fewer patches Smaller attack surface Absence of general-purpose management OS No arbitrary code running on server Not susceptible to common threats Secure Implementation ESXi

  5. Secure Implementation • Platform Hardening • Integrity in Memory Protection • ASLR – Randomizes where core kernel modules load into memory • NX/XD – Marks writable areas of memory as non-executable • Kernel Integrity • Digital signing – ensures the integrity of drivers and applications as they are loaded by the VMkernel. • Module signing – allows ESX to identify the providers of modules, drivers, or applications and whether they are VMware-certified.

  6. Independently validated • Common Criteria Certification EAL (Evaluation Assurance Level) • CC EAL 4+ certification • Highest recognized level • Achieved for ESX 3.0; in process for ESX 3.5 and vSphere 4 • DISA STIG for ESX • Approval for use in DoD information systems • NSA Central Security Service • guidance for both datacenter and desktop scenarios 6

  7. Application Services Infrastructure Services VMware vSphere™ – Components • Dynamic Resource Sizing • Firewall • Anti-virus • Intrusion Prevention • Intrusion Detection • Clustering • Data Protection Security Scalability Availability vSphere 4.0 vCompute vStorage vNetwork • Network Management • Hardware Assist • Enhanced Live Migration Compatibility • StorageManagement & Replication • Storage Virtual Appliances

  8. VMware VMsafe API’s VMware

  9. ESX ESX with VMsafe VMware VMsafe™ • New approach to VM Security • Protect by inspection of virtual components (CPU, Memory, Network and Storage) • Functionality provided in Security Virtual Appliance • Complete integration with VMware vSphere, e.g. • Vmotion • Storage Vmotion • HA • Better Context • Isolated from the malware • In cooperation with the smaller, trustable codebase of the hypervisor VMsafe

  10. VMsafe CPU/Memory API • Can inspect memory locations and CPU registers • Hypervisor Extension implemented as VMX/VMM modules • VMsafe API Library • Capabilities: • Detect current application state in the protected VMs CPU from general purpose register values • Sense system configuration state from the control registers on the protected VM

  11. VMsafe CPU/Memory Interface Security Virtual Machine Protected Virtual Machine Protected Virtual Machine Security Agent VMsafe Library VMware vSphere™ VMX VMX VMX VMsafe Extension VMsafe Extension VMM VMM VMM

  12. VMsafe CPU/Memory API Use Cases • BIOS: Early Boot Security • Security Agents are up and running before the protected VM powers on • System Integrity Protection • The Security Agent can monitor the protected VMs physical memory accesses • Enforce Multiple Policies (verify-before-execute) • Defeats: Shellcode interjection attack (overflow attack) • Defeats: Kernelcode injection attack (bypass driver-signing processes)

  13. Vmsafe Network Packet Inspection API • Provides distributed virtual filter (DVFilter) solutions to protect network packet streams • vNetwork Data Path Agent (Fast Agent) • Installs as a kernel module and directly intercepts packets in the virtual network packet stream • vNetwork Control Path Agent (Slow Agent) • Resides in a security virtual appliance and can be used for further thorough processing

  14. VMsafe Net Data/Control Path Agents Security Virtual Machine Protected Virtual Machine Protected Virtual Machine Security Agent Control Path Agent DVFilter Library vNIC vNIC DVFilters Data Path Agent Data Path Agent vNetwork Distributed Switch vSwitch VMware vSphere™ pNICs

  15. VMsafe Network Packet Inspection API Capabilities • Inspecting packets • Modifying packets • Passing a packet to the control path agent for further processing • Dropping packets from the packet stream • Injecting packets in the packet stream

  16. VMsafe Virtual Disk Development Kit • Provides interfaces that allow for applications with possibilities for direct manipulation of Virtual Machine Disk Format (VMDK) images VDDK: Virtual Disk Development Kit • Read/write data anywhere in a VMDK file • Create and manage redo logs (parent-child disk chaining) • Read and write disk metadata

  17. VMsafe Virtual Disk Development Kit: Use Cases • Read the VMDK image files offline, checking each sector for a virus signature • Perform a forensic analysis on the VMDK image files • Monitor compliance of configuration files on virtual disks • Scan for unauthorized content on virtual disks, such as credit card or social security numbers

  18. Current VMsafe Program Partnerships

  19. Security Hardening Best Practices Implementation Guidelines Compliance Partner Solutions Advice and Recommendation Operations Peer-contributed Content Where to Learn More

  20. Thank You Bob van der Werf