Secure Virtualization

Transcription

1 ecure Virtualization Virtualization Congerges with ecurity for Bright New Future George L. Heron VP, Chief cientist 2007 McAfee, Inc McAfee, Inc. CERIA ecurity eminar Purdue University October 24, 2007

2 Evolutionary Convergence in the Enterprise Path 2: Virtualized ystems O/360, Bochs, Chorus, chroot(), Denali, Disco, Ensim, FreeBD, MOL, VMware Workstation EX server Virtual erver oftricity VMware (new) Veridian EX vpro GreenBorder Path 1: Corporate ecurity Callenges and solutions Polymorphic Viruses Zombies Mass Mailer Viruses Denial of ervice Blended Threats Anti-virus Multiple point products Comprehensive layers Proactive & automated Integration pam, Phishing, pyware Corporate Data Theft Risk management

3 Two Models for Virtualizing Hardware 3 App. Host O-Based Virtual Machine 1 Virtual Machine 2 Guest O Guest O Applications Applications Virtual Drivers Virtual Drivers Virtual Machine Monitor Host Operating ystem Hardware BIO- Hypervisor-Based (Layered Model) L5: Virtual Machine Monitor L4: Vertical Functions ecurity and Networking L3: Horizontal Functions Management L2: pecific Hardware Enhancements L1: Hypervisor and Platform Resources

4 Why Virtualization? 4 Virtualization hardware and software is free Moore's Law Virtual servers (and clients) need embedded protection Faster provisioning of security functionality Policy compliance Targeted and financially motivated attacks Malware and users that disable security software User activity monitoring Cloaked rootkits

5 The Convergence. ecure Virtualization 5 Architecture to Deliver Comprehensive ecurity & Compliance for Virtual Environments McAfee ecure Virtualization calable ecurity Mgt NAC for VM Virtualized Risk Mgt Offline VM canning Unfettered Monitoring Details in white paper Uncompromising ecurity in Virtual Machines available at

6 NAC for VM 6 Mgt erver VM HCAP AC ever 4) Enforce AC determines access policy based on posture token. NAD applies the policy Corporate Network 1) Define Define system compliance policies NAC Agent Radius PEAP Compliant Quarantine Network Network Access Device VM VMVM EAPoUDP Non-compliant 3) Assess AC queries host. NAC scanner scans device, provides posture to NAC erver, evaluates posture, returns a token 2) Detect Host attempts to connect. NAD blocks and establishes a connection between AC and NAC canner 5) Remediate Non-compliant systems redirected to Remediation Portal. Auto remediation provided by NAC canner and Mgt Agent Virtualization assists with VM(s) buffering NAC Agent and serving as IP in-line to security management server

7 Offline canning of VM Images 7 VM VMVM epo erver + VM VMVM VM canner/mgr VM VMVM Offline scanning of dormant VMs in background keeps all images fresh and provisioned with latest patches, policies, versions. Multiple VMs for running back-rev versions Multiple (duplicate) VMs of main server image, for scalability Multiple (duplicate) VMs of main server image, for backup

8 Unfettered Monitoring 8 Immutable systems monitoring tealth monitoring API execution Access monitoring Rootkit detection ystems service invocation monitoring Intra-API monitoring and plumb lining Behavioral stack walking Monitoring of memory Execution profiling PatchGuard bypassing

9 calable ecurity Management epo erver VM VMVM Multiple manager of manager VMs provide for virtually unlimited scalability INTERNET Without Virtualized erver Hierarchy Automatic provisioning path from epo security management server 9 With Virtualized erver Hierarchy Automatic provisioning path from epo security management server VM VM VM Enterprise/Corporate Enterprise/Corporate Benefits of reduced server hardware, more available servers, and immediacy of disaster/backups illustrate reduced costly and tentacle-natured provisioning in typical large corporate environments

10 Virtualized-Enhanced Risk Management 10 Vulnerability canning Policy Auditing Asset Information epo Rogue ystem Detection VM sitting outside Auditing Reporting VM ecurity Watchdog entinel watching multiple VMs Manager DLP, NAC, IP Virtual Jail Cell Virtual Taste Testing Patching & Remediation in VM world Re-engage initial VM snapshots AV, FW, A-pam, A-py, IP Outside VM monitoring Unfettered access to kernel

11 Core Virtualization Features also Benefit RM 11 Initial Deployment Rollback Rapid deployment for targeted defenses Disaster Recovery and Business Continuity (CIP tenets)

12 ecure Virtualization Protects consolidated workloads Monitors and protects inter-vm communications oftware isolation protects from tampering or to contain malware Watchdogs for ecurity and compliance All of these are on an as-needed, on-demand basis

13 Thank you George L. Heron VP, Chief cientist McAfee, Inc.