Solution Brief: Creating a Secure Base in a Virtual World

Abstract

The adoption rate of Virtual Machines has exploded at most organizations, driven by the improved cost effectiveness of increased server utilization. The savings in rack space, hardware costs, power consumption, and many other factors are driving this steadily increasing trend. However, this boom in logical servers has resulted in a substantial increase in the number of devices connected to the network, and each needs to be individually configured, patched, and secured. Fortunately, solutions from Shavlik Technologies provide the same secure operating base and patch management for virtual machines as they do for their physical counterparts.

The Reality of Virtualization

In the past few years, medium- to large-sized organizations have implemented at least some level of virtualization. This trend, which leverages a single physical resource such as a server to function as multiple logical servers, is growing at an explosive rate. Research firm IDC estimates that between 2006 and 2009, virtualization will grow at a compound annual growth rate of almost 50 percent. Virtualization is quickly becoming a reality at most organizations.

This rapid growth in virtualization is driven by a number of factors. These include better utilization of idle or available processing power within servers, reduced rack space and power consumption, less hardware acquisition and maintenance costs, easier backup, improved high availability and disaster recovery, and centralized software management.

Virtual Machines - Real Exposure

While there are many benefits to virtualization, organizations must take care to apply appropriate security safeguards. Virtualization can actually increase the need for security, and system and security administrators need to plan for and implement defenses accordingly. Because each virtual machine has its own network address and can be scanned, hacked, infected, and compromised just like a dedicated physical device, applying security to each individual virtual machine is as critical as securing dedicated physical devices.

This document is provided strictly as a guide. provided or expected.

Although virtualization may cause the number of physical devices in an organization to be reduced, the number of logical machines usually increases. It is not uncommon to experience an enormous increase in the number of logical servers. Because virtualization allows new servers to be added without the costs of deploying new hardware, there is a strong tendency to increase the number of logical servers. Rapid adoption of virtualization technology results in a significant increase in the total number of servers that must be securely configured and patched.

With the increased number of servers to safeguard, security and IT administrators need to aggressively and continuously monitor for new devices, servers, and services. Prior to virtualization, when adding a new device meant deploying new hardware, the addition of new servers and applications was naturally throttled due to budget, hardware acquisition, rack space, and other time-consuming activities. These physical constraints created a natural process for IT operations and security teams to be notified when new servers were being added. Virtualization eliminates much of this process and structure, and as a result new servers and applications can appear significantly faster and easier, oftentimes without the coordination of the security team. New virtual servers can appear without authorization at all. Security administrators must be equipped with tools to proactively discover new virtual devices as soon as they appear.

With the additional number of virtual devices, security administrators must have robust and comprehensive ways of tracking and managing the security configuration and patch status of each and every virtual system. Each one needs individual attention. For example, an unpatched virtual machine can still be exploited, even if the host system is patched and not vulnerable. A common mistake is for IT or security administrators to assume that a well-protected host insulates the virtual systems running behind it. That is not the case. A UNIX-based host, or any host for that matter, that is up to date with all security patches, perfectly configured and hardened will not protect a virtual Microsoft IIS server running underneath. Likewise, virtual machines and appliances potentially carry embedded vulnerabilities and require special consideration for patching and updates. To establish an effective security baseline, each and every virtual machine needs individual attention and management.

Shavlik Security For Your Virtual Machines

One of the myths surrounding virtual machines is that the low-level infrastructure and interfaces that connect them to the network and management systems are subtly different, and prevent many systems and applications from working with them. For example, it is commonly (but wrongly) thought that patch management systems will not effectively work with virtual machines. Fortunately this is not the case. While it is true that the system hosting the virtual machine acts as a proxy, it is not true that this causes problems for patch management. Today's virtual machine host implementations are so well done that the proxies are capable of handling even low-level, system-oriented tasks such as system shut-downs, re-starts, reconfigures, and system updates.

Patch management, as implemented by Shavlik Technologies, works equally well with virtual machines and their physical counterparts. Virtual machines have the same visibility to Shavlik's patch and vulnerability management products as do dedicated machines. Existing and new virtual devices are discovered in the same way as dedicated devices. They have the same risks and vulnerabilities, and they are detected in the same manner. Likewise, security baselines are determined and established in the same manner.

When it comes time to apply security updates to virtual machines, administrators treat them just like dedicated physical devices. Virtual machines require the same patches as dedicated devices, and the patches are tested, received, applied, rolled back if necessary, and managed in the same way.

Additional Dividends from Shavlik

Not only are Shavlik products compatible with virtual machines, organizations using them will find additional benefits that are not available in other patch and vulnerability management solutions.

Agentless Approach: Easiest Way to Patch Virtual Machines

Shavlik patch management does not require agents. This has particular advantages for organizations rolling out virtualization because of the sheer number of new virtual devices. Not only can these new devices be protected by Shavlik, patch and vulnerability management can be done easily, from a single console, in a matter of minutes. This is a tremendous advantage over solutions that require agents to be installed on each new virtual machine. Deploying and maintaining hundreds or thousands of agents on virtual machines within large organizations is a time-consuming, tedious, and expensive effort. An agentless approach is less expensive to acquire, easier to deploy and maintain, and provides immediate protection.

With Shavlik's agentless approach, organizations can rapidly accelerate their level of security because they can begin assessment, remediation and generating useful reports within minutes of a new virtual machine going active. There is little to no impact on the data center or staff. This is critical given the nature of continuous operations in large data centers. All of these benefits of an agentless approach are magnified in a virtual machine environment, not only because of the rapid growth of virtual machines, but because they are more dynamic in nature, coming and going at a much quicker pace than physical, dedicated servers.

Shavlik: Only Vendor Patching Offline Virtual Machines

The unique advantage of using Shavlik solutions to secure virtual machines is the ability to patch ALL virtual machines, both online and offline. As mid- to large-sized organizations have discovered, patching offline machines can be a real headache. For various reasons, most enterprises have a significant number of virtual images offline at any given time. Patch management systems can't patch what they can't see, so anything that is being serviced, or offline for any reason, does not get patched. While there are various techniques to deal with this and ease the pain, it is still painful. Everyone wants to see a report that says, for a particular critical vulnerability, 100% of the organization's applicable machines have been patched. Closure for each patch is greatly desired, and no security officer wants to report to upper management that 77% of the vulnerable machines have been patched. Until that report says 100%, a certain amount of anxiety or even nausea remains as an awful pit in the stomach of those responsible.

Shavlik Technologies has developed a way to patch all virtual machines, even those that are offline. This ensures that offline virtual images can be in a constant state of readiness to be deployed. Shavlik is the only vendor capable of doing this, and it is a huge benefit to their customers.

For example, many enterprises intentionally have a significant number of virtual machines offline at given periods. One such usage is to increase overall uptime and high availability. Virtual machines have made it much easier for organizations to have redundant machines for peak processing periods, or to be used during maintenance, or for hot standby machines in case of a server failure. However, it is time-consuming and difficult operationally to bring these offline machines online just for patch management. Shavlik customers have the benefit of being able to perform full vulnerability management, including patching, for all of their virtual machines, even those that are offline. IT and security staff can quickly verify and report that 100% of the organization's vulnerable machines (physical, virtual, and offline) have received a specific critical patch and are protected.

Since offline machines can remain offline while they are being patched, another plus for Shavlik customers is improved security. Offline machines don't have to be on the network and thus at risk to the very vulnerability they are being patched for.

Furthermore, this feature allows the window of vulnerability to be significantly reduced. For example, some critical patches should be applied immediately, but require a system reboot. For operational reasons it may be difficult for an organization to shut down a server to apply the patch, so it remains operating with the vulnerability until it can be addressed. However, with the ability to utilize virtual redundant servers protected by Shavlik, the organization can immediately patch an offline standby server, and bring it online as the production server. This gives the organization near-immediate protection from the vulnerability without having to suspend service. The primary server can now also be safely patched while offline and not vulnerable to attack.
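The closure-report problem above (a scanner-only view can report a high percentage while powered-off images are silently left out) can be checked by reconciling the hypervisor's inventory against patch-scan results. The following Python is an added example, not Shavlik's code or the brief's own; the VM names, the patch identifier and both inventories are constructed sample data.

```python
"""Reconcile a hypervisor inventory against network patch-scan results.

Added example (not vendor code). Shows why patch closure must be computed
over every VM the hypervisor knows about, including powered-off images,
and lists the offline images an online-only process would leave stale.
All names and records below are constructed sample data.
"""
from dataclasses import dataclass

PATCH_ID = "PATCH-EXAMPLE-0001"  # constructed placeholder identifier


@dataclass(frozen=True)
class VmRecord:
    name: str
    power_state: str  # "on" or "off", as the hypervisor reports it


# Constructed hypervisor inventory: everything that exists, on or off.
HYPERVISOR_INVENTORY = [
    VmRecord("web-01", "on"),
    VmRecord("web-02", "on"),
    VmRecord("iis-standby", "off"),
    VmRecord("db-hot-spare", "off"),
    VmRecord("dev-unregistered", "on"),  # created without telling security
]

# Constructed scan results: only network-reachable machines show up here.
SCAN_RESULTS = {
    "web-01": {PATCH_ID: True},
    "web-02": {PATCH_ID: True},
    "dev-unregistered": {PATCH_ID: False},
}


def discovery_gaps(inventory, scan):
    """VMs the hypervisor knows about but the scanner has never seen."""
    return sorted(vm.name for vm in inventory if vm.name not in scan)


def closure(inventory, scan, patch_id, include_unseen=True):
    """Fraction of VMs with the patch applied.

    include_unseen=False reproduces the misleading scanner-only figure:
    machines the scanner cannot reach are dropped from the denominator.
    """
    names = [vm.name for vm in inventory]
    if not include_unseen:
        names = [n for n in names if n in scan]
    patched = sum(1 for n in names if scan.get(n, {}).get(patch_id, False))
    return patched / len(names) if names else 0.0


def offline_missing_patch(inventory, scan, patch_id):
    """Powered-off images that still lack the patch."""
    return sorted(vm.name for vm in inventory
                  if vm.power_state == "off"
                  and not scan.get(vm.name, {}).get(patch_id, False))


if __name__ == "__main__":
    print("unseen by scanner:", discovery_gaps(HYPERVISOR_INVENTORY, SCAN_RESULTS))
    print("closure, scanner view: %.0f%%" % (100 * closure(
        HYPERVISOR_INVENTORY, SCAN_RESULTS, PATCH_ID, include_unseen=False)))
    print("closure, full inventory: %.0f%%" % (100 * closure(
        HYPERVISOR_INVENTORY, SCAN_RESULTS, PATCH_ID)))
    print("offline and unpatched:",
          offline_missing_patch(HYPERVISOR_INVENTORY, SCAN_RESULTS, PATCH_ID))
```

With the sample data the scanner-only view reports 67% closure while the full inventory gives 40%, and the two offline images are the ones that never enter the scanner's report.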

Summary Conclusions

It is clear that virtualization, although a relatively new trend, is seeing explosive adoption rates. The benefits of virtualization that are driving this strong trend are not limited to just operational savings, but with the right security infrastructure, include a number of security dividends as well. While it is true that implementing virtualization without proper security actually increases an organization's vulnerabilities, it is also true that when properly safeguarded with Shavlik's agentless solutions and their unique ability to secure offline virtual servers, an organization can experience an improved level of security.

Shavlik's agentless approach, and unique capability of patching offline virtual servers and machines, gives organizations several benefits, including:

- Proactively engaging in a continuous and ongoing process to provide vulnerability and patch management for virtual machines.
- Quick and automatic discovery of new virtual machines, even before they come online.
- Scanning of existing and new virtual machines for vulnerabilities.
- Reporting shortcomings and, if desired, automatically remediating them.
- Patching virtual machines while they are offline, and not subject to attack.
- Allowing organizations to respond immediately to critical vulnerabilities that require rebooting.

Shavlik's powerful technologies and features for securing virtual machines make it possible for organizations to experience all of the above, and many more benefits. Being able to achieve this without deploying agents makes it possible, from both a cost and IT resource perspective, to effectively and efficiently respond to the significant increase in the total number of logical servers and devices caused by the implementation and growth of virtual machines. The myth that virtual machines can't be adequately patched is just that, a myth. With Shavlik, not only can they be efficiently patched and managed, virtual machines can experience greater security and advantages than their physical counterparts.