Auditing Virtual Infrastructure: You can t protect what you can t detect

Transcription

1 Auditing Virtual Infrastructure: You can t protect what you can t detect Michael Berman, CISSP, NSA-IAM CTO, Catbird August 8, 2008

2 Platforms 2

3 Virtualization will be everywhere Reduce hardware and operating costs by as much as 50% Reduce energy costs by 80% Reduce the time it takes to provision new servers by up to 70% (actually much faster) Save more than $3,000 per year for every server workload virtualized HA and BCP applications Eliminate planned downtime 3

4 NOTE: In this talk non-virtualized equals physical 4

5 #1 Deja Fu -- Temporal attacks against crypto The Digital Signature Standard (DSS), will leak the secret signing key if two signatures are generated using the same randomness M. Bellare, S. Goldwasser, and D. Micciancio. Pseudo-random number generation within cryptographic algorithms: The DDS case. In CRYPTO, pages , Virtual Machines can be rolled back but an attacker s packet capture can not. SSL, S/Key, Stream ciphers among others can be broken by a temporal attack 5

6 Things to take away, more to think about Virtual Machines (VM) are less secure than the physical machines they replace Current security practices do not protect you Virtualization changes everything Review of current research Prescription Prognosis Q&A 6

7 Gartner Cautions Against Virtualization Without Security Many organizations mistakenly assume that their approach for securing virtual machines (VMs) will be the same as securing any OS and thus plan to apply their existing configuration guidelines, standards and tools. While this is a start, simply applying the technologies and best practices for securing physical servers won t provide sufficient protections for VMs. Neil MacDonald, vice president and Gartner Fellow 7

8 It s 3:00 AM; Where are your virtual machines? Virtual computing platforms cannot be deployed securely simply by dropping them into existing systems the fast and unpredictable growth that can occur with VMs can exacerbate management tasks and significantly multiply the impact of catastrophic events When Virtual is Harder than Real: Security Challenges in Virtual Based Computing Environments Mendel Rosenblum, CTO, VMware Tal Garfinkel, Stanford University Do you know what they are doing? 8

9 #2 Reduce threat surface, use defense in depth HIPAA Administrative safeguards 45 CFR (a)(4) Security management process: Implement policies and procedures to prevent, detect, contain, and correct security violations. Implement Virtual Security to ensure: flaw and defect management monitor the virtual network enforce network access control policies 9

10 Question: What are people doing? Answer: Running naked. People think of virtualization as this very different architecture, said a large platform vendor. It isn t actually. Virtual machines are more secure My physical security protects my virtual infrastructure VM are just like physical Use HIDS/anti-malware Do nothing 10

11 #3 Enforce least privilege and roles Gramm-Leach-Bliley Act (GLBA) Gramm-Leach-Bliley Bill Section 501(b) Financial Institutions Safeguards: protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer. Virtual security practice: VI administrators should administrate in-scope VMs Detect, manage and audit transition, vmotion and virtual network configuration changes Audit trail of network events must follow the virtual machine throughout the virtual infrastructure 11

12 Virtual Machines are just as secure Virtual Machines are less secure Virtual machines have a larger threat surface than the physical machines they replace M equals the attack surface of the machine Assume M v equals M p However, M v equals (M p + M h + M g ) where (M h 1 < M h 2 ) M h equals zero if and only if Hypervisor is flawless M g equals zero if and only if VM isolation is flawless Therefore M p < (M p + M h + M g ) M p < M v 12

13 Current security practices protect you Current security practices do not protect you Policies are broken Data protection, access control Practices are broken Change management Dual Controls Physical security technologies are broken Say goodbye to security, integrity and compliance Security architecture broken Isolation and segmentation will not protect you 13

14 #4 The TCB includes all hosts a VM runs on PCI Data Security Standard (PCI DSS) Requirement 4: Encrypt transmission of cardholder data across open, public networks During VMotion, virtual machines are transferred in the clear VMotion network must be strictly isolated Requirement 10: Track and monitor all access to network resources and cardholder data Each host becomes part of the trust zone for the virtual machine Monitoring and protection must follow the virtual machine Audit trail should include VI and network events 14

15 Virtual Machines are just like physical machines Virtual Machines are not like physical machines Scaling Fast and unpredictable growth so fast you ll think you re hallucinating Transience Up/down, creation/deletion, motion Software Lifecycle Branches, roll-backs, temporal replay Diversity Proliferation of OS types and versions Visibility Virtual infrastructure creates unobserved areas Sources: 1. When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments Real Security for the Virtual World

16 Virtual Machines are very different Mobility Trusted Computing Base now includes all hosts that a VM has run on Identity Complicated ownership history, asset management Data Lifetime Data leakage and erasure issues Separation of Duties One hyper-user rules them all Dual Controls Server ops no longer needs network ops, security ops or purchasing 16

17 Virtualization changes nothing Virtualization changes everything New servers in 5 minutes or less Thin provisioning and JEOS Machines are files Networks are bytes in a memory backplane Live machines migrate geographies Imagine 300 hosts with 32 cores running 15,000 virtual machines, 600 virtual networks across 5 data centers growing at 5% per month! 17

18 #5 Velocity of change complicates compliance Federal Financial Institutions Examination Council (FFIEC) Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended Strict change management processes must be followed for the configuration of controls and operation of security measures within the virtual infrastructure Separation of Duties and Dual Controls should be required to ensure proper authorization 18

19 Review Hypervisor Security: Ian Pratt, Citrix Systems 19

20 Review Virtualization Security: Brandon Baker, Microsoft 20

21 Review: Hypervisor Exploits: Joanna Rutkowska, Invisible Things Lab 21

22 Review Secure Implementation: Center for Internet Security Chris Farrow, Fortisphere Dave Shackleford, Center for Internet Security Dennis Moreau, Configuresoft 22

23 Review Best Practices: VMware, DISA and Catbird 23

24 #6 Screen shots are a poor man s compliance report DISA ESX Server Security Technical Implementation Guide (DISA STIG r1v1) (ESX0820: CAT II) The IAO/SA will review all VirtualCenter logs on a daily basis for any suspicious or unusual activity. Deploy virtual security tools that correlate VirtualCenter activities with vulnerability, discovery, network access control, and virtual network traffic monitoring and controls (ESX0860: CAT II) The IAO/SA will have up-to-date documentation of the virtualization infrastructure. This will include all ESX Servers, virtual machines, IP addresses, MAC addresses, virtual switches, operating systems, and virtual applications. Use virtual security tools to automate the data collection and reporting. These tools should detect changes to the virtual network topology 24

25 Don t run naked Virtualization changes everything How do I manage my risk? Two options: 1. Assume risk (Run naked) 2. Mitigate risk (Protect your data and services) 25

26 Prescription 26

27 Security Vendors Source: VMware 27

28 #7 Physical security for virtual machines HIPAA Physical safeguards 45 CFR (a)(1) Facility access controls: Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Virtualization implication: Machine console available through VI management Access to VM file equals physical access to machine Very difficult to provide secure deletion of data 28

29 Virtualized infrastructure will be more secure Assess risk Adapt security policy Implement new management processes Deploy virtualized security technology and automation Plan-Do-Check-Act 29

30 What is Virtualization Security? Take the red pill. Threats: Human error, misconfiguration or bad design Software flaws Malicious insider Malicious outsider exploiting any of the above Virtualization security addresses these security risks in virtualized environments Yes, it s different Remember virtualization changes everything 30

31 Visibility Nine of 10 breaches involved some type of unknown unknown, the most common of which was data that was not known to be on the compromised system. Most breaches go undetected for quite a while and are discovered by a third party rather than the victim organization. Attacks tend to be of low to moderate difficulty and largely opportunistic in nature rather than targeted. Due, in part, to these reasons, investigators concluded that nearly all breaches would likely have been prevented if basic security controls had been in place at the time of attack. Verizon 2008 Data Breach Report 31

32 V-Security architecture Management switch: Enforce access control Monitor traffic Block unauthorized or malicious activity Workload switch: Enforce access and traffic controls between virtual machines Monitor traffic Validate secure build and configuration policies for virtual machines Enforce policies for proxy use and authorized traffic Sources: 1. ESX 3 Server Configuration Guide, VMware 2. Secure Configuration Guide for ESX and ESXi, Catbird Storage access switch: Enforce access control Monitor traffic Block unauthorized or malicious activity Do not configure a default gateway for the service console 32

33 #8 Features you need Visibility and validation for configuration of Hosts and VMs Device access and traffic control Monitor, secure and audit service console and VirtualCenter Enforce virtual network isolation Restrict traffic to/from individual virtual machines Restrict traffic in/out trust zones Dual control/separation of duties for critical tasks Distributed multi-site security with central management 33

34 Management Shared dashboard Shared reports Shared event management Silos Network Operations Server Operations Security Operations 34

35 Prognosis Security is ALWAYS the last thing to get addressed when a new technology hits. Mike Rothman Budget Cycles Priorities Politics Who owns virtual security? 35

36 #9 Don t let security steal too many cycles Anti-virus accounts for 10% of all my CPU cycles, that s 30 hosts in my 300 host cluster, said the Security Architect for a large enterprise. Traditional in-line deployment of security appliances will not work Your security solution must be comprehensive, flexible, mobile, and compatible with the virtual architecture Security overhead must either be narrow or thin c HOST 36

37 Back to the future Virtualized desktops, thin provisioning and mobility will support central management and reduce costs while allowing greater diversity and improved services Virtualization gives enterprises a second chance to get the IT security playbook right. Five Server Virtualization Security Dos and Don ts, Thomas Ptacek, SearchSecurity.com June

38 #10 Find it, secure it, build it secure Organizationally Unique Identifiers (OUI) VMware 00-0C-29 (dynamic) (manually configured) C-14 Virtual Iron F-4B F6 Parallels Desktop 00-1C-42 XEN E (default) Microsoft Hyper-V FF A A D FA 00-1D-D F2 38

39 QA 39

40 Thank you For more information about Catbird, please contact: New virtual machine requested Catbird continuously monitors and and reports changes to to VirtualCenter configuration Change review Machine moved to production vswitch Catbird access control restricts access to authorized devices Catbird validates secure configuration New machine provisioned on isolated vswitch Machine added to authorized device list Machine configured and tested 40