SECURING AND LEVERAGING THE POWER OF VIRTUAL SERVERS AND DESKTOPS
Conrado Wang Cheng Niemeyer <chengw (at) sacredheart.edu>
Information Security Officer, Sacred Heart University
Virtualization Advantages
Virtualization?
“Cheap”, fast, easy to set up
Application isolation
Template Deployment
Disaster Recovery
High Availability
Forensic Analysis w/P2V & in place with memory snapshots
Honeypotting

Virtualization Disadvantages
Using a template image
  - One vulnerability is shared by all
  - Same admin/root passwords??!!
Possibly sequential IP range
Single file Servers & Workstations
  - Just copy one file and you’re done!
Poor multimedia support
Many eggs in fewer baskets
Virtual Machine Sprawl

Virtualization Vulnerabilities
Guest to Guest Attacks
Guest to Host Attacks
Guest Client Vulnerabilities
Management Console/Host OS Vulnerabilities
Hypervisor Vulnerabilities
Not well developed and widespread, YET…

VM Security Best Practices
Security Best Practices (Firewalls, IPS, Patching, Patching, Patching, Patching)
Secure the Network
Disable Hardware Acceleration
Use QEMU (full emulation mode w/out kqemu)
Disable all sharing features
Favor Type 2 for Development environments
Run different security zones VMs on separate physical hosts
VMware ESX Server, Citrix XenServer, MS Hyper-V, etc.
Favor Type 2 use in Security applications
Use Separate Private backup and SAN network
Use Separate Private Management Console network
Favor Type 1 Hypervisors for Production and Testing Servers
Secure your VMs as you would physical machines
Use separate physical switches or VLANs in physical switches
Run different Management stations
Disable/remove unnecessary virtual hardware
Monitoring in a vSwitch

VMware ESX Specific
VMware Update (ESX 3.5 & VC 2.5)
Fix maximum size and rotation for Log Files
Use Resource Management
Secure the VI Console Access
Verify the ESX Console Firewall rules
Use SSL Certificates to Encrypt Access to Virtual Center
Secure Console’s Linux environment

Virtualization Applications
Setting up Development Environments
Setting up Testing Environments
Setting up Research Environments
Honeypotting
Consolidate Physical Servers

Virtual Secure Desktops…
Provide a desktop environment for users
Quickly deployed
Secured
Easily maintained
Provide access from those environments to all work tools, systems, and services

Secure Desktop Advantages
Secured Access to Sensitive Systems
Separation of Critical Business data from User data
Quick and Easy Deployment
ERP (Datatel Colleague R17, R18)
Stand a new VM(s) in under 2mins
Ease of Policy Enforcement
Can Provide local admin elevation when necessary
Anywhere anytime access (or not)
Easy Integration into Identity Management
Currently
Registrar’s
Human Resources
Business Office
Admissions (Recruitment Plus)
Financial Aid (PowerFAIDS, EDConnect)
Institutional Advancement (Raiser’s Edge)
Payroll (ADP)
Future Expansion
Document Imaging
Department Shares
MicroFAIDS (MS-DOS!!!!!)

Secure Desktop Disadvantages
Poor Multimedia Support
ACL/Firewall Rule Maintenance
Vulnerable to Screen Scraping
Increased Disaster Recovery Complexity
SSL Gateway
Connection Broker
Provisioning Server
ESX Servers
SAN & Blade Infrastructure
“Quality of Life” Issues
Cannot browse the web
Cannot persist software changes
Cannot connect certain USB devices
Coming Soon
Cannot access e-mail
Cannot copy & paste to host
Cannot connect any USB devices

Secure Desktop Backend at SHU
Hardware
HP c7000 Blade Enclosure
2 x Quad Core 2.3GHz (Intel E5345)
16 GB RAM
4 x 1Gb Ethernet (on 2 separate boards)
7TB (4TB Usable ??!!) for VMs
12TB for User/Department Data
iSCSI all the way baby!!!
1Gb Ethernet (Copper)
10Gb Uplink
SSL Gateway
RDP Connection Broker
Citrix Provisioning Server
Desktops v4.5 Sp1
Cisco Catalyst 3750 Switches
VMware VI3 (ESX 3.5 and Virtual Center 2.5)
Provision Networks Virtual Access Suite 5.9
NetApp 3020c Filers
HP BL460c
Software
PXE Boot
HDD Streaming
Microsoft DHCP Server
Microsoft Windows XP Sp2

Connection Broker Architecture
SSL Gateway Architecture
HDD Streaming Architecture
Physical vs. Virtual Hardware
Physical
Dell OptiPlex 755
  - Intel Core2 2.4GHz
  - 2GB RAM
  - 160GB HDD
  - Integrated Graphics
  - 1Gb Ethernet
  - ~$1,000
Virtual
VMware ESX 3.5
  - Virtual Dual to Quad Core 2.3GHz
  - 256MB RAM
  - 1MB HDD
  - RDP Graphics
  - 1Gb Ethernet
  - ~$290 w/existing hardware

Getting Buy-in
Initial deployment as test environments
Clarifying the difference between a purely work environment and a hybrid work/personal one
No other alternatives with new versions
Ease of use and virtually no training required
Unreliability of VPN and Citrix
Ability to access legacy environments with new simultaneously

Demo

https://securedesk.sacredheart.edu/
New Developments
Embedded Hypervisors
  - ESX 3i, XenServer OEM, etc.
VMSafe
VDI
SAN Snapshot Clones
  - NetApp FlexClone
Sophisticated Virtual Machine Detection

Resources, Q & A
http://www.cisecurity.org/
http://www.securityfocus.com/
http://www.vmware.com/resources/techresources/cat/91
http://www.citrix.com/
http://www.provisionnetworks.com/