Session D8 Real Security for Server Virtualization Wednesday, April 21, 2010 9:45 am Eric Schultze Independent Consultant eric@pureplaysecurity.com Key Points How to configure your virtual infrastructure servers for maximum security Performing patch management for your virtual server guests How to monitor virtual server sprawl Third-party tools to help secure your virtual environment Page 1
Definitions for today Host The physical machine that is running the hypervisor and contains one or most Guests. Guest The virtualized operating system. One or more Guests can be running on a single Host. Securing the Host Best Practices for VMware http://tinyurl.com/ykp2rd9 VMs Host vnetwork vcenter Best Practices for Securing Hyper-V http://tinyurl.com/yey8u6y Hardening Hyper-V Delegating VM Management Protecting VMs Page 2
Securing the Host Best Practices for Securing VMware Hosts http://tinyurl.com/ykp2rd9 Prevent others users from spying on Administrator remote consoles Ensure VMotion Traffic is isolated Disable remote operations within the guest Restrict access to VMsafe CPU/Memory/Network APIs Disable Managed Object Browser Disable Web Access Ensure ESX is Configured to Encrypt All Sessions Ensure only authorized users have access to the DCUI Disable Tech Support Mode Sample of VMware Guidance Page 3
Securing the Host Best Practices for Securing Hyper-V http://tinyurl.com/yey8u6y Reduce attack surface consider WS08 Core Patch OS and HyperV application Use two NICs one for Mgmt functions only Apply Specialized Security Limited Functionality (SSLF) baseline Read Windows Server 2008 Security Guide http://technet.microsoft.com/en-us/library/cc514539.aspx Items to Consider when Securing Virtual Environments Securing the Host Securing the Guest OS and applications Encryption of Guest Image files on Host Intrusion Detection/Prevention for Host Intrusion Detection/Prevention for Guests Including Guest to Guest communication Malware\AV prevention for Host and Guests Encryption of traffic to\from Guests and Host Management network for Host Virtual Switch configuration Backup and Recovery Patch Management for Guests and Host Inventory \ Managing Guest Sprawl Access to Disk Page 4
Securing VM image files For Both Microsoft and VMware images you must Secure access to the.vm* image files Secure access to the Host console Secure access to the Storage devices Limit administrative access to HyperV servers and to VirtualCenter servers Demo What happens if you don t Patch Management Keep patches up to date on Guests As you would do with physical systems Watch for patch rollback when VMs are reverted to snapshots Snapshots may not have included latest patches Even more important to scan VM images for patch state when they are offline Booting up an unpatched image can be dangerous Page 5
Scanning and Patching Patch Management VMware Update Manager Updates ESX Host applications Patches Windows and certain Linux Guest images Includes third party Windows apps like Adobe, Apple, Mozilla, Sun Java, etc. Can patch online or offline images Snapshots are created prior to patching VMs can be removed from network prior to booting up to install patch Patch Management Scanning and Patching Microsoft Offline Virtual Machine Servicing Tool Remove image from library Move image to maintenance network Wake virtual images Trigger WSUS or SCCM actions Patches are deployed Shutdown image Move image back to Library Requires: WSUS or SCCM Powershell PSExec.NET Framework 3.0 Page 6
Patch Management Scanning and Patching Shavlik NetChk (third party tool) Remotely scans and patches Windows Guests and third party Windows applications Operates against Online and Offline VMware images (ESX, ESXi, and VMware Workstation) DEMO VM Sprawl Sprawl Defined: a large amount of virtual machines on your network without the proper IT management or control Steven Warren - blogs.techrepublic.com Risk Rogue machines Unknown configurations Unpatched systems Wasted processor and disk space Evil Services (DHCP, AD, DNS, Sniffers, etc) Page 7
Controlling VM Sprawl Many vendors claim to manage VM sprawl, ranging from: Passive inventory of images registered on ESX servers, to Actively preventing unauthorized images from mounting or joining network (NAC-like) Make sure to ask your virtualization vendor exactly what they mean by managing VM sprawl Ideas for Controlling VM Sprawl Limit the number of people who can create VMs Implement request and approval process Tough to control VM Workstation image creation Annotate VMs with end dates Review each week and end-of-life VMs that aren t needed anymore Scan network weekly to look for new ESX servers Look for special TCP ports 22, 80, 443, 902 Review ESX Servers on VSphere\VCenter servers Inventory images registered on each ESX Server Implement third party products Page 8
Products for Securing Virtual Environments Catbird Configuresoft (VMware) DynamicOps Embotics Fortisphere HyTrust ManageIQ QLayer Replicate Technologies Shavlik Third Brigade (Trend Micro) Veeam Vizioncore VMware Email eric@pureplaysecurity.com for copy Page 9
Email eric@pureplaysecurity.com for copy Page 10
Page 11
Page 12
Page 13
Page 14
Summary Lock down the Host Secure the Guests Patch online and offline VMs Secure access to and/or encrypt virtual images Leverage third-party products to manage sprawl, configuration, and management Page 15