CYBER SECURITY MALAYSIA AWARDS, CONFERENCE & EXHIBITION (CSM-ACE) 2010, October 25-29, 2010, Kuala Lumpur Convention Centre
Securing Virtual Environments
Raimund Genes, CTO, Trend Micro
The Changing Datacenter
Physical -> Virtual -> Cloud
"By 2012, more than 40% of x86 architecture server loads in enterprises will be running in virtual machines." (October 7, 2009)
The Benefits of Virtualisation
- Reduce IT capital expense by 50%
- Reduce administration overhead
- Reduce IT operational expense
- Scalability & business agility
- Reduce carbon footprint
- Increase flexibility
Challenges of Virtualization Security
What analysts now say: "The combination of more workloads being virtualized and workloads becoming more mobile creates a complex and dynamic environment that will be more difficult to secure."
Neil MacDonald, Gartner Group, "Addressing the Most Common Security Risks in Data Center Virtualization Projects", January 2010
Virtualisation Creates Security Challenges
Old model: infrastructure security protects applications & servers. [Diagram: one App/OS per physical host (OS + HW), each behind its own network security]
New model: virtual servers and apps move and change; the IPS needs reconfiguration, and so does the firewall; where is the file / OS now? [Diagram: VM1..VM4 (App1/OS1 .. App4/OS4) sharing one hypervisor]
Perimeter defenses are not enough
1. Encrypted attacks
2. Mobile computers
3. Wireless networks
4. Unsuspecting users?
5. Insider attacks
Exploits are happening before patches are developed
[Chart: number of days until a vulnerability is first exploited after the patch is made available]
- 2003, MS-Blast: 28 days
- 2004, Sasser: 18 days
- 2005, Zotob: 10 days
- 2006, WMF: zero-day
- 2010, IE: zero-day
"Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year." -- ZDNet, January 21, 2010
Where are you vulnerable?
- It takes days to months until patches are available and can be tested & deployed: Microsoft (Patch Tuesday), Oracle, Adobe
- Developers are not available to fix vulnerabilities: no longer with the company, working on other projects
- Patches are no longer being developed: Red Hat 3 (Oct 2010), Windows 2000 (Jul 2010), Solaris 8 (Mar 2009), Oracle 10.1 (Jan 2009)
- Can't be patched because of cost, regulations or SLA reasons: POS kiosks, medical devices
An outside-in or perimeter-only approach and rapid virtualisation have created less secure application environments.
Where is Our Company Data?
- "I can replace my device, but not my data"
- "I have data in multiple places"
- "I use company applications, but I put my data anywhere"
Information store 1: laptop! INFECTED
Information store 2: mobile phone/PDA! STOLEN
Information store 3: Internet-based app (Gmail, PeopleSoft)! DOWN, HACKED
[Diagram: company data spread across all three stores]
Data protection is the most strategic concern, but data is mobile, distributed, and unprotected.
VMs Need Specialised Protection
Same threats in virtualised servers as in physical ones:
- Software vulnerability exploits
- Patch management
- Web application threats
- Policy & compliance
- System & data integrity
New challenges:
1. Dormant VMs
2. Resource contention
3. VM sprawl
4. Inter-VM traffic
5. vMotion
[Diagram: three App/OS VMs on one hypervisor]
Problem 1: Dormant VMs are unprotected
- Dormant VMs include VM templates and backups
- They cannot run scan agents, yet can still get infected
- Their malware signatures go out of date while they are switched off
Problem 2: Resource Contention: Full System Scans
- Existing AV solutions are not VM-aware
- Simultaneous full malware scans on the same host can cause severe performance degradation
Problem 3: Managing VM Sprawl
- Security weaknesses replicate quickly
- Security provisioning creates bottlenecks
- Lack of visibility into, or integration with, the virtualization console increases management complexity
Problem 4: Inter-VM Traffic
- NIDS / NIPS are blind to intra-VM traffic: packets between VMs on the same host never leave the hypervisor's virtual switch
- First-generation security VMs require intrusive vSwitch changes
- Trade-off: bottleneck or security?
Problem 5: VM Mobility
- vMotion & vCloud: reconfiguration required, cumbersome
- VMs of different sensitivities on the same server
- VMs in public clouds (IaaS) are unprotected
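Problems 1 and 2 above are both scheduling problems for whoever runs the scans: dormant images cannot be scanned by an in-guest agent, and running every VM's full scan at once on one host produces the performance collapse the slides call an AV storm. The following is an added illustration, not Trend Micro code or any product's scheduler; the inventory, the seven-day signature-age threshold, and the thirty-minute scan slots are constructed for the example. It flags non-running images whose signatures have aged past the threshold for an offline, appliance-side scan, and staggers full scans so that no hypervisor host ever has more than a fixed number in flight.

```python
"""VM-aware scan planning: flag dormant images with stale signatures for
offline scanning and stagger full scans per host to avoid AV storms.
Added illustration; not Trend Micro code."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class VMImage:
    name: str
    host: str        # hypervisor host holding the image (constructed names)
    state: str       # "running", "dormant", "template" or "backup"
    sig_date: date   # date of the malware signatures last applied inside


MAX_SIGNATURE_AGE = timedelta(days=7)   # constructed policy threshold


def dormant_with_stale_signatures(images, today, max_age=MAX_SIGNATURE_AGE):
    """Problem 1: templates, backups and powered-off VMs cannot run an agent,
    so their on-disk signatures age silently.  Return the ones whose
    signatures are older than max_age, oldest first, for an offline scan."""
    stale = [img for img in images
             if img.state != "running" and today - img.sig_date > max_age]
    return sorted(stale, key=lambda img: img.sig_date)


def stagger_full_scans(images, max_concurrent_per_host, slot_minutes=30):
    """Problem 2: a full scan is expensive, and many at once on one host is an
    AV storm.  Give each running VM a start offset so that at most
    max_concurrent_per_host scans start in the same slot on any host.
    Returns {vm_name: start_offset_in_minutes}."""
    schedule = {}
    per_host_count = {}
    for img in sorted(images, key=lambda i: (i.host, i.name)):
        if img.state != "running":
            continue                      # dormant images are handled offline
        n = per_host_count.get(img.host, 0)
        slot = n // max_concurrent_per_host
        schedule[img.name] = slot * slot_minutes
        per_host_count[img.host] = n + 1
    return schedule


def peak_concurrency(schedule, images):
    """Largest number of scans starting in the same slot on a single host;
    used to check that the stagger honours the per-host cap."""
    host_of = {img.name: img.host for img in images}
    counts = {}
    for vm, offset in schedule.items():
        key = (host_of[vm], offset)
        counts[key] = counts.get(key, 0) + 1
    return max(counts.values()) if counts else 0


# Constructed inventory: two hosts, four running VMs, three dormant images.
TODAY = date(2010, 10, 25)
INVENTORY = [
    VMImage("web01", "esx-a", "running", date(2010, 10, 24)),
    VMImage("web02", "esx-a", "running", date(2010, 10, 24)),
    VMImage("web03", "esx-a", "running", date(2010, 10, 24)),
    VMImage("db01", "esx-b", "running", date(2010, 10, 23)),
    VMImage("gold-template", "esx-a", "template", date(2010, 8, 1)),
    VMImage("db01-backup", "esx-b", "backup", date(2010, 10, 20)),
    VMImage("test-old", "esx-b", "dormant", date(2010, 6, 15)),
]

if __name__ == "__main__":
    for img in dormant_with_stale_signatures(INVENTORY, TODAY):
        print(f"offline scan needed: {img.name} (signatures from {img.sig_date})")
    for vm, offset in stagger_full_scans(INVENTORY, max_concurrent_per_host=2).items():
        print(f"{vm}: start full scan at +{offset} min")
```

With a cap of two per host, web03 is pushed to the second slot on esx-a while db01 on esx-b still starts immediately; the five-day-old backup is below the threshold and is left alone, whereas the template and the dormant test VM are queued for an offline scan.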
Vision for the New Datacenter Security Model
- The virtual host must protect itself
- Self-secured application: App FW, IPS, AV
- VM & network security integration
[Diagram: VM1 (App1/OS1) and VM3 (App3/OS3), each self-secured, on one hypervisor]
Coordinated Protection with Agent and Security Virtual Appliance
Virtual appliance functions: deep packet inspection, firewall, anti-malware, log inspection, integrity monitoring
- Agent adds additional protection not possible over the hypervisor today
- VM integration makes agents virtualization-aware
- Useful for offline desktops, cloud, defense in depth
[Diagram: security virtual appliance and in-guest agents on one hypervisor]
Leveraging New Security Paradigms
[Diagram: App/OS VMs beside a virtual appliance (firewall, IDS/IPS, web app, anti-virus) on an ESX server, connected through the VMsafe & vShield Endpoint APIs]
- Secures VMs from the outside, no changes to the VM
- VMsafe enables traffic inspection at the hypervisor layer
- vShield Endpoint enables agentless AV scanning
- Enables strong tamper-proofing against malware
Intrusion Defense with VMsafe
[Diagram: packet flow through the two drivers]
- Incoming/outgoing packet -> Fastpath driver: micro firewall (blacklist & bypass) -> Drop or Pass
- Packets the micro firewall does not decide -> Slowpath driver: stateful firewall and DPI (tap or inline) -> Drop or Pass
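The point of the two-driver split on the slide is that the cheap fastpath decisions (a blacklisted source, a bypassed trusted flow) never pay for connection tracking or payload parsing, and only the remainder reaches the stateful firewall and DPI. The following is an added model of that pipeline, not VMware's or Trend Micro's code; the blacklist, the bypass entry, the allowed ports, the signature pattern and the packets are all constructed for the example, and inline versus tap mode is modelled as "drop on a DPI hit" versus "alert only".

```python
"""Two-stage packet inspection modelled on the VMsafe fastpath/slowpath
slide.  Added illustration; not VMware's or Trend Micro's code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool = False       # True for a TCP connection request
    payload: bytes = b""


DROP, PASS = "drop", "pass"


class Fastpath:
    """Micro firewall: set lookups only, no state and no payload parsing."""
    def __init__(self, blacklist, bypass):
        self.blacklist = set(blacklist)   # source IPs dropped outright
        self.bypass = set(bypass)         # (dst, dport) pairs that skip deep inspection

    def decide(self, pkt) -> Optional[str]:
        if pkt.src in self.blacklist:
            return DROP
        if (pkt.dst, pkt.dport) in self.bypass:
            return PASS
        return None                       # undecided: hand to the slowpath


class Slowpath:
    """Stateful firewall plus DPI.  New flows are admitted only on allowed
    ports; payloads of admitted flows are matched against signatures.
    inline=True drops on a hit, inline=False (tap mode) only records an alert."""
    def __init__(self, allowed_ports, signatures, inline=True):
        self.allowed_ports = set(allowed_ports)
        self.signatures = list(signatures)    # (name, byte pattern) pairs
        self.inline = inline
        self.connections = set()              # (src, dst, dport) flows already admitted
        self.alerts = []

    def decide(self, pkt) -> str:
        key = (pkt.src, pkt.dst, pkt.dport)
        if key not in self.connections:
            if pkt.syn and pkt.dport in self.allowed_ports:
                self.connections.add(key)     # admit the new flow
            else:
                return DROP                   # mid-stream packet of an unknown flow
        for name, pattern in self.signatures:
            if pattern in pkt.payload:
                self.alerts.append((name, key))
                return DROP if self.inline else PASS
        return PASS


class Pipeline:
    def __init__(self, fast, slow):
        self.fast, self.slow = fast, slow
        self.stats = {"fastpath": 0, "slowpath": 0}

    def process(self, pkt) -> str:
        verdict = self.fast.decide(pkt)
        if verdict is not None:
            self.stats["fastpath"] += 1
            return verdict
        self.stats["slowpath"] += 1
        return self.slow.decide(pkt)


def build_demo_pipeline(inline=True):
    # Constructed policy: one blacklisted source, one trusted app-to-db flow,
    # HTTP/HTTPS allowed inbound, one constructed test signature.
    fast = Fastpath(blacklist={"203.0.113.9"}, bypass={("10.0.0.20", 5432)})
    slow = Slowpath(allowed_ports={80, 443},
                    signatures=[("demo-test-signature", b"MALWARE-TEST-PATTERN")],
                    inline=inline)
    return Pipeline(fast, slow)


def run_demo(inline=True):
    """Push constructed inter-VM traffic through the pipeline; returns the
    per-packet verdicts, the driver hit counts and the DPI alerts."""
    p = build_demo_pipeline(inline)
    packets = [
        Packet("203.0.113.9", "10.0.0.10", 80, syn=True),      # blacklisted: fast drop
        Packet("10.0.0.10", "10.0.0.20", 5432, syn=True),      # bypassed app->db: fast pass
        Packet("198.51.100.5", "10.0.0.10", 80, syn=True),     # new HTTP flow: slowpath admits
        Packet("198.51.100.5", "10.0.0.10", 80,
               payload=b"GET / MALWARE-TEST-PATTERN"),          # DPI hit on admitted flow
        Packet("198.51.100.5", "10.0.0.10", 22, payload=b"x"), # unknown flow, no SYN: drop
    ]
    verdicts = [p.process(pkt) for pkt in packets]
    return verdicts, p.stats, p.slow.alerts


if __name__ == "__main__":
    for mode in (True, False):
        verdicts, stats, alerts = run_demo(inline=mode)
        print("inline" if mode else "tap", verdicts, stats, alerts)
```

Two of the five packets never touch the slowpath, which is the performance argument for the split; the same DPI hit is dropped in inline mode and merely alerted on in tap mode, which is the "tradeoff between bottleneck or security" from Problem 4 made concrete.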
The Promise of Agentless Anti-malware
BEFORE: an agent inside every VM. AFTER: one virtual appliance on vSphere using vShield Endpoint.
- Significantly improved manageability: no agents to configure, update and patch
- Faster performance: freedom from AV storms
- Stronger security: instant-on protection + tamper-proofing
- Higher consolidation levels: inefficient operations removed
Anti-malware over vShield Endpoint
[Architecture diagram]
- Security virtual appliance: anti-malware scanning module, status monitor, remediation, caching & filtering, vShield Endpoint library (EPsec interface); managed from the anti-malware product console by the security admin
- Guest VMs: apps, OS, kernel with the vShield guest driver, BIOS; on-access scans and on-demand scans
- ESX 4.1 vSphere platform: vShield Endpoint ESX module; managed by the VI admin
The host needs to defend itself!