Security Considerations for Server Virtualization
Consecom AG Bellariastr. 12 CH-8002 Zürich http://www.consecom.com
Dr. Lukas Ruf [email protected] Office +41-44-586-28-20 Mobile +41-79-557-20-20
Copyright © by Consecom AG
Security Considerations for Server Virtualization
Opportunities, Threats and Risks
VMware@Night @Kybernetika AG
8 March 2011
Date: 08.03.2011 Slide 2
Consecom AG ICT Security and Strategy Consulting Design – Build – Review
VMware@Night Security Considerations for Server Virtualization Copyright © by Consecom AG
The Speaker
Dr. Lukas Ruf
Senior Security and Strategy Consultant, CEO, Consecom AG
ISSS board member, Chair of Public Relations
Member IEEE, ACM, SwissICT
ETH Zurich Graduate
Specialized in strategies, processes, concepts, architectures, reviews and audits
Long-standing track record in research and engineering of OS, system, network and application
– Lead architect of two operating systems: Topsy and PromethOS
Active in research and engineering
– Current research projects on end-user platform security and infrastructure audits
– Collaboration with ETH, BBT/KTI, BFH, ZHAW
Frequent member on conference program committees
– On virtualization, cloud computing, operating systems, network architecture, network and system security
Consecom AG – ICT Security and Strategy Consulting
Services
Design – Strategies, Processes, Concepts, Architectures, Specifications, Solutions
Build – Implementation / Hardening, Integration, Programming, Project Management
Review – Audits, Security Reviews, Penetration Testing, Assessments, Analysis
Consecom AG
Swiss-based consultancy with focus on Strategic ICT Security
Founded by a team of skilled and experienced ETH Zurich graduates
Delivering services to SMEs and large global enterprises
Interfaces organization with technology
Content
Motivation
Virtualization Primer
Opportunities, Threats and Challenges
Summary and conclusion
Motivation
If we are concerned with trust assurance levels and costs…
Today: Network Zones (Tenants) with Specific Trust Assurance Level
Traditional Network Zones
– Onion-style protection by routing / cabling
– Often an N-tier approach
Inherent advantages
– Separation by security devices (firewalls)
– Manageable interdependencies
– Support segregation of duties and separation of concerns
Deliver trust assurance at significant costs
Administrator roles: sysadmin, network/firewall admin, storage admin
[Figure: network zones A, Y and Z, each holding a guest (binaries, services, data) on physical interfaces and hardware, with its own zone-local switch and storage; firewalls between the zones, a core switch towards the users, and a storage area network.]
Can Server Virtualization Meet Common Security Requirements?
Operational Security Principles
Need-to-know
Segregation of Duties
Separation of Concerns
Comprehensive Administration
Manageable Interdependencies
Compliance requirements
Virtualization Primer
Pave the way...
Virtualization – Timeline
Has been around for quite a while…
Computing
– IBM’s System 360-67 announced in 1965
• S/370 released in 1976
• S/390 introduced LPAR in 1988
– SUN’s SoftPC in 1988
Networking – VLANs, MPLS, VPNs
Storage – Partitioning, logical volume management
… but rather new in commodity PC computing
Open Source
– Bochs, starting 1996
– Xen, 2003
Commercial
– Connectix’ VirtualPC in 1997
– Many more…
VMware Inc.
– Filed patent in 1998
– Virtual platform for ia32 in 1999
– Server virtualization in 2001
Sources: IBM’s Redbook on LPAR, Wikipedia and the author’s own mailing-list archive records
Examples of Virtual Machine Types
Host-OS based
– Commodity OS used for boot-up and hardware abstractions
– VM provided by a hypervisor (virtual machine monitor)
– VMM management
[Figure: two stacks. Left: SPARC sun4v hardware with firmware (LDOM); a root/primary/control service domain, an I/O domain, a service domain and a management domain; guest domains each running applications on an OS (Solaris, Linux). Right: x86/x64 hardware, host OS (Linux), virtual machine monitor (VMware ESX, Xen), VMM management (vCenter / vConsole); virtual machines each running applications on an OS (Windows, Linux).]
Firmware based (*)
– Hypervisor implemented in firmware
– “No need of additional OS”
– Examples: SUN LDOMs or IBM’s LPARs, “VMware embedded”
(*) movable boundaries
Opportunities, Threats and Challenges
Opportunities with Server Virtualization
Alleviated administration
– Software-based assembly
– Software-based deployment
– Resource allocation
– VM relocation
Software-based isolation
– Eased integration of different operational models
Server consolidation
– Reduction of hardware costs
– Energy and space saving
[Figure: the network zone diagram again; network zone Z is now a set of VMs on a virtual machine monitor on cluster hardware, with a virtual firewall, vNetwork, vSwitch and vStorage and isolation between the VMs, next to the physical zones A and Y; storage virtualization on the storage area network.]
Where are the limits?
Can we really consolidate multiple tenants?
Threats in General…
Remain identical as with physical servers
But some are amplified
– Attack surfaces increase, new interfaces, “unknown” code
– Administrative complexity increases
– Tighter coupling of servers
– Software-based isolation
– New vulnerabilities
– Human errors
Challenges|1: Logical Resource Boundaries
Shared resources
– How to establish “Separation of Concerns”?
– What to control?
• Interrupt rates?
• Bus limits?
Interdependencies
– How to avoid cyclic interdependencies?
– Who is responsible?
[Figure: the same diagram of physical zones A and Y and virtualized zone Z on a virtual machine monitor (virtual firewall, vNetwork, vSwitch, vStorage, isolation), core switch, firewalls and storage area network with storage virtualization.]
Challenges|2: Administration and Management
Trustworthy identification of virtual resources
– VMs are copied, cloned, moved…
– New resources are easily created!
Management, administration and maintenance of all resources
– How to avoid unmaintained VMs?
– What is the “right” decomposition of services?
– How to integrate into existing infrastructures and processes?
New super admin
– How can we provide the segregation of duties?
• Whom do we trust?
• Who is able to manage the complexity?
• How to confine errors?
Administrator roles: sysadmin, network/firewall admin, storage admin
[Figure: the same diagram of physical zones A and Y and virtualized zone Z on a virtual machine monitor, annotated with “Trust?” and “Super-admin?”.]
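As an added illustration of the identification and maintenance questions on this slide (example code, not from the talk): a small inventory check over a constructed VM list that flags copied or cloned VMs by duplicated UUID or MAC, clones that crossed a zone boundary, VMs that are unpatched, and VMs nobody owns. The inventory field names, the sample entries and the 90-day threshold are assumptions of the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory (not real hosts); the field names are an assumption.
INVENTORY = [
    {"name": "web-01", "uuid": "a1", "mac": "00:50:56:00:00:01", "zone": "A", "owner": "team-web", "last_patched": "2011-02-20"},
    {"name": "web-01-clone", "uuid": "a1", "mac": "00:50:56:00:00:01", "zone": "Z", "owner": "", "last_patched": "2011-02-20"},
    {"name": "db-01", "uuid": "b2", "mac": "00:50:56:00:00:02", "zone": "Y", "owner": "team-db", "last_patched": "2010-09-01"},
    {"name": "test-99", "uuid": "c3", "mac": "00:50:56:00:00:03", "zone": "Z", "owner": "", "last_patched": ""},
]

def duplicate_identifiers(inventory, key):
    """{identifier: [vm names]} for identifiers shared by more than one VM.
    A duplicated UUID or MAC is the trace a copy or clone leaves behind."""
    seen = defaultdict(list)
    for vm in inventory:
        seen[vm[key]].append(vm["name"])
    return {k: names for k, names in seen.items() if len(names) > 1}

def cross_zone_twins(inventory, key="uuid"):
    """Identifiers that appear in more than one network zone: a clone that
    crossed a zone boundary undermines the zone's trust assurance level."""
    zones = defaultdict(set)
    for vm in inventory:
        zones[vm[key]].add(vm["zone"])
    return sorted(k for k, z in zones.items() if len(z) > 1)

def unmaintained(inventory, today, max_age_days):
    """Names of VMs never patched or patched more than max_age_days ago."""
    result = []
    for vm in inventory:
        if not vm["last_patched"]:
            result.append(vm["name"])
        elif (today - date.fromisoformat(vm["last_patched"])).days > max_age_days:
            result.append(vm["name"])
    return result

def unowned(inventory):
    """VMs without a responsible owner: nobody can answer 'who is responsible?'."""
    return [vm["name"] for vm in inventory if not vm["owner"]]

if __name__ == "__main__":
    today = date(2011, 3, 8)  # the talk's date, used as 'now' for the demo
    print("duplicate UUIDs:", duplicate_identifiers(INVENTORY, "uuid"))
    print("cross-zone twins:", cross_zone_twins(INVENTORY))
    print("unmaintained (>90d):", unmaintained(INVENTORY, today, 90))
    print("unowned:", unowned(INVENTORY))
```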
Challenges|3: Protection and Isolation
Can we trust and rely on the virtualizer?
– Is a CC EAL4+ Security Target applicable for home-use or enterprise-grade computing?
Local interface protection
– At what level?
– At what costs?
– Manageability?
Side channels?
– Protection of VM images against manipulation, loss and “disclosure”?
– How to deal with privileged VMs?
– Limit effect of compromised machines?
Administrator roles: sysadmin, network/firewall admin, storage admin
[Figure: the same diagram of physical zones A and Y and virtualized zone Z on a virtual machine monitor, annotated with “Trust?” and “Super-admin?”.]
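An added example for the image-protection point on this slide (not part of the talk): a keyed manifest over VM image files that reports manipulation, loss and unregistered images before an image is started. The file layout, the dummy images and the place where the key is kept are assumptions of the example.

```python
import hashlib, hmac, os, tempfile

def _digest(key, path):
    """HMAC-SHA256 over the file in chunks. A plain hash would let anyone who can
    rewrite the image also rewrite the manifest; the key is assumed to be held
    outside the virtualization admin's reach (e.g. by the security team)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            mac.update(chunk)
    return mac.hexdigest()

def build_manifest(key, image_dir):
    """Record a keyed digest for every image file in the directory."""
    return {name: _digest(key, os.path.join(image_dir, name))
            for name in sorted(os.listdir(image_dir))}

def verify_images(key, image_dir, manifest):
    """Findings before images are started: 'modified' (manipulation),
    'missing' (loss) and 'unexpected' (an image nobody registered)."""
    present = set(os.listdir(image_dir))
    findings = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in present:
            findings["missing"].append(name)
        elif not hmac.compare_digest(_digest(key, os.path.join(image_dir, name)), expected):
            findings["modified"].append(name)
    findings["unexpected"] = sorted(present - set(manifest))
    return findings

def demo():
    """Constructed scenario: two dummy images are registered; then one is
    patched in place, one is deleted and an unregistered one appears."""
    key = b"constructed-demo-key"  # constructed; a real deployment takes it from a KMS/HSM
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("web.vmdk", b"A" * 4096), ("db.vmdk", b"B" * 4096)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(key, d)
        clean = verify_images(key, d, manifest)
        with open(os.path.join(d, "web.vmdk"), "r+b") as f:
            f.seek(100)
            f.write(b"X")
        os.remove(os.path.join(d, "db.vmdk"))
        open(os.path.join(d, "rogue.vmdk"), "wb").close()
        return clean, verify_images(key, d, manifest)

if __name__ == "__main__":
    print(demo())
```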
Summary…
New opportunities
– Enabler for flexible server consolidation and flexible resource sharing
– Reduction of hardware, energy savings
– Alleviation of administration
– Accelerated server “creation” and deployment
– Alleviation of BCP
– Support of cost-efficient, software-based service isolation
Improvements in methods and mechanisms on the horizon
– Identification
– Administration and orchestration
– VM binding and verification
Summary II
Server consolidation does not come for free
– Increase in interdependencies
– Increase in complexity
– Increase in maintenance effort
Fundamental challenges with virtualization remain
– Identification and addressing
– Trust in virtualizers and privileged VMs
– Resource allocation and control
– Fine granular resource protection
– Methods and mechanisms to segregate duties
– Administrative competencies
– Limit effects of compromised machines
– Confine human errors of super admin
… and Conclusion
The enterprise must be ready
– Data classification
– Concepts, policies and guidelines
– Sound and up-to-date base infrastructure
– Proper dimensioning
– Roles, competencies and responsibilities defined and in place
– Processes, mechanisms and tools established
Last but not least:
Trust the hypervisor…
Consecom AG – Global Vision – Swiss Values
Thank you for your attention.
Consecom AG Bellariastr. 12 CH-8002 Zürich http://www.consecom.com
[email protected] Office +41-44-586-28-20 Mobile +41-79-557-20-20