CYBER SECURITY MALAYSIA AWARDS, CONFERENCE & EXHIBITION (CSM-ACE) Securing Virtual Environments

Transcription

1 CYBER SECURITY MALAYSIA AWARDS, CONFERENCE & EXHIBITION (CSM-ACE) 2010 October 25 29, 2010 Kuala Lumpur Convention Centre Securing Virtual Environments Raimund Genes CTO Trend Micro

2 The Changing Datacenter PHYSICAL VIRTUAL CLOUD By 2012, more than 40% of x86 architecture server loads in enterprises will be running in virtual machines (October 7, 2009)

3 The Benefits of Virtualisation Reduce IT Capital Expense by 50% Reduce Administration overhead Reduce IT operational expense Scalability & Business Agility Reduce Carbon Footprint Increase Flexibility

4 Challenges of Virtualization Security What analysts now say: The combination of more workloads being virtualized and workloads becoming more mobile creates a complex and dynamic environment that will be more difficult to secure. Neil MacDonald Gartner Group Addressing the Most Common Security Risks in Data Center Virtualization Projects January 2010

5 Virtualisation Creates Security Challenges Old Model Infrastructure security protects applications & servers New Model Virtual servers and apps move, change IPS needs reconfiguration so does firewall where is file OS? VM1 VM2 VM3 App1 App2 App3 App4 App1 OS1 App2 OS2 App3 OS3 OS HW OS HW OS HW OS HW Hypervisor VM4 App4 OS4

6 Perimeter defenses are not enough 1 Encrypted Attacks Mobile Computers 3 Wireless Networks Unsuspecting 4 Users? 5 Insider Attacks

7 Exploits are happening before patches are developed # of days until vulnerability is first exploited, after patch is made available 28 days 18 days 10 days Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year. -- ZDNet, January 21, 2010 Zero-day Zero-day 2003 MS- Blast 2004 Sasser 2005 Zotob WMF IE zero-day

8 Where are you vulnerable? Takes days to months until patches are available and can be tested & deployed: Microsoft Tuesday Oracle Adobe Developers not available to fix vulnerabilities: No longer with company Working on other projects Patches are no longer being developed: Red Hat 3 -- Oct 2010 Windows Jul 2010 Solaris 8 -- Mar 2009 Oracle Jan 2009 Can t be patched because of cost, regulations, SLA reasons: POS Kiosks Medical Devices

9 Outside-in or perimeter-only approach and rapid virtualisation have created less secure application environments

10 Where is Our Company Data? I can replace my device, but not my data I I have data in multiple places use company applications, but I put my data anywhere Information store 1 Laptop! INFECTED Company Data Information store 2: Mobile phone/pda! STOLEN Information store 3: Internet-based app Gmail, Peoplesoft! DOWN, HACKED

11 Data protection is the most strategic concern but data is mobile, distributed, and unprotected

12 VMs Need Specialised Protection Same threats in virtualised servers as physical Software Vulnerability Exploits Patch Management Web ApplicationThreats Policy & Compliance System & Data Integrity New challenges: 1. Dormant VMs 2. Resource contention 3. VM Sprawl 4. Inter-VM traffic 5. vmotion App App App OS OS OS Hypervisor

13 Problem 1: Dormant VMs are unprotected Dormant VMs includes VM templates and backups Cannot run scan agents yet still can get infected Outdated malware signatures

14 Problem 2: Resource Contention:Full System Scans Existing AV solutions are not VM-aware Simultaneous full malware scans on same host can cause severe performance degradation

15 Problem 3: Managing VM Sprawl Security weaknesses replicate quickly Security provisioning creates bottlenecks Lack of visibility into, or integration with, virtualization console increases management complexity

16 Problem 4: Inter-VM Traffic NIDS / NIPS blind to intra-vm traffic First-generation security VMs require intrusive vswitch changes Tradeoff between bottleneck or security?

17 Problem 5: VM Mobility vmotion & vcloud: Reconfiguration required: cumbersome VMs of different sensitivities on same server VMs in public clouds (IaaS) are unprotected

18 Vision for the New Datacenter Security Model The virtual host must protect itself Self-secured Application App FW, IPS, AV VM & Network Security Integration VM1 VM3 App1 OS1 App3 OS3 Hypervisor

19 Coordinated Protection with Agent and Security Virtual Appliance Deep Packet Inspection Firewall Antimalware Log Inspection Integrity Monitoring Virtual Appliance Hypervisor Agent adds additional protection not possible over hypervisor today VM integration makes agents virtualization-aware Useful for offline desktops, cloud, defense in depth

20 Leveraging New Security Paradigms App OS App OS App OS Virtual Appliance Firewall IDS / IPS Web app Anti-Virus ESX Server VMsafe & vshield Endpoint APIs Secures VMs from the outside, no changes to VM VMsafe enables traffic inspection at hypervisor layer vshield Endpoint enables agentless AV scanning Enables strong tamper-proofing from malware

21 Intrusion Defense with VMsafe Pass Stateful Firewall DPI Drop Pass Slowpath Driver Incoming/ Outgoing Packet Tap/Inline Micro Firewall (Blacklist & Bypass) Drop Fastpath Driver

22 The Promise of Agentless Anti-malware Agent BEFORE Agent Agent AFTER Virtual Appliance vsphere vshield Endpoint Significantly improved manageability - no agents to configure, update and patch Faster performance Freedom from AV Storms Stronger security Instant ON protection + tamper-proofing Higher consolidation levels Inefficient operations removed

23 REST Anti-malware over vshield Endpoint Security Virtual Appliance Anti-malware Product Console Anti-malware Scanning Module VM VM Guest VM Security Admin vshield Endpoint Library On Access Scans On Demand Scans EPsec Interface APPs APPs APPs OS OS OS Status Monitor Remediation Caching & Filtering Kernel Kernel Vshield Guest Driver BIOS BIOS VI Admin ESX 4.1 vsphere Platform vshield Endpoint ESX Module

24 The Host needs to defend itself! W

25