Security Considerations for Server Virtualization (Sicherheitsüberlegungen zur Servervirtualisierung)

Opportunities, Threats and Risks

VMware@Night @Kybernetika AG, 8 March 2011

Dr. Lukas Ruf, Consecom AG, Bellariastr. 12, CH-8002 Zürich, http://www.consecom.com

[email protected] Office +41-44-586-28-20 Mobile +41-79-557-20-20

Copyright © by Consecom AG


Page 2: Security Considerations for Server Virtualization

Date: 08.03.2011 Slide 2

Consecom AG ICT Security and Strategy Consulting Design – Build – Review

VMware@Night Security Considerations for Server Virtualization Copyright © by Consecom AG

The Speaker

Dr. Lukas Ruf

Senior Security and Strategy Consultant, CEO, Consecom AG

ISSS board member, Chair of Public Relations

Member IEEE, ACM, SwissICT

ETH Zurich Graduate

Specialized in strategies, processes, concepts, architectures, reviews and audits

Long-standing track record in research and engineering of OS, system, network and application

– Lead architect of two operating systems: Topsy and PromethOS

Active in research and engineering

– Current research projects on End-User Platform Security and Infrastructure Audits

– Collaboration with ETH, BBT/KTI, BFH, ZHAW

Frequent member of conference program committees

– On virtualization, cloud computing, operating systems, network architecture, network and system security

Page 3: Security Considerations for Server Virtualization


Consecom AG – ICT Security and Strategy Consulting

Services

Design – Strategies, Processes, Concepts, Architectures, Specifications, Solutions

Build – Implementation / Hardening, Integration, Programming, Project Management

Review – Audits, Security Reviews, Penetration Testing, Assessments, Analysis

Consecom AG

Swiss-based consultancy with focus on Strategic ICT Security

Founded by a team of skilled and experienced ETH Zurich graduates

Delivering services to SMEs and large global enterprises

Interfaces organization with technology

Page 4: Security Considerations for Server Virtualization


Content

Motivation

Virtualization Primer

Opportunities, Threats and Challenges

Summary and conclusion

Page 5: Security Considerations for Server Virtualization


Motivation

If we are concerned with trust assurance levels and costs…

Page 6: Security Considerations for Server Virtualization


Today: Network Zones (Tenants) with Specific Trust Assurance Level

Traditional Network Zones

– Onion-style protection by routing / cabling

– Often an N-tier approach

Inherent Advantages

– Separation by security devices (firewalls)

– Manageable interdependencies

– Support segregation of duties and separation of concerns

Deliver trust assurance at significant costs

[Figure: traditional network zones A, Y and Z. Labels: Firewall; Guest (Binaries, Services, Data); Physical Interfaces; Hardware; Network; Network Interfaces; Storage; Zone-local Switch; Core Switch; User; Storage Area Network. Admin roles: Sysadmin, Network/Firewall admin, Storage admin.]

Page 7: Security Considerations for Server Virtualization


Can Server Virtualization Meet Common Security Requirements?

Operational Security Principles

Need-to-know

Segregation of Duties

Separation of Concerns

Comprehensive Administration

Manageable Interdependencies

Compliance Requirements

Page 8: Security Considerations for Server Virtualization


Virtualization Primer

Pave the way...

Page 9: Security Considerations for Server Virtualization


Virtualization – Timeline

Has been around for quite a while…

Computing

– IBM’s System 360-67 announced in 1965

• S/370 released in 1976

• S/390 introduced LPAR in 1988

– SUN’s SoftPC in 1988

Networking

– VLANs, MPLS, VPNs

Storage

– Partitioning, Logical volume management

… but rather new in commodity PC-computing

Open Source

– Bochs, starting 1996

– Xen, 2003

Commercial

– Connectix’ VirtualPC in 1997

– Many more…

VMware Inc.

– Filed patent in 1998

– Virtual Platform for ia32 in 1999

– Server Virtualization in 2001

Based on IBM’s redbook on LPAR, Wikipedia and own mailing-list archive records

Page 10: Security Considerations for Server Virtualization


Examples of Virtual Machine Types

Host-OS based

– Commodity OS used for bootup and hardware abstractions

– VM provided by a hypervisor (virtual machine monitor)

– VMM Management

Firmware based (*)

– Hypervisor implemented in firmware

– “No need of additional OS”

– Examples:

• SUN LDOMs or IBM’s LPARs, “VMware embedded”

(*) movable boundaries

[Figure, host-OS based. Labels: Hardware (x86, x64); Host OS (Linux); Virtual Machine Monitor (VMware ESX, Xen); VMM Mgmt (vCenter / vConsole); Virtual Machines, each with OS (Windows, Linux) and Application(s).]

[Figure, firmware based. Labels: Hardware (SPARC sun4v); Firmware (LDOM); Domain Mgmt; IO Domain; Service Domain (Root / Primary / Control); Guest Domains, each with OS (Solaris, Linux) and Application(s).]

Page 11: Security Considerations for Server Virtualization


Opportunities, Threats and Challenges

Page 12: Security Considerations for Server Virtualization


Opportunities with Server Virtualization

Alleviated administration

– Software-based assembly

– Software-based deployment

– Resource allocation

– VM relocation

Software-based Isolation

– Eased integration of different operational models

Server Consolidation

– Reduction of hardware costs

– Energy and space saving

[Figure: network zones A, Y and Z, with zone Z virtualized. Labels: Firewall; Guest (Binaries, Services, Data); Physical Interfaces; Hardware; Cluster Hardware; Network; Network Interfaces; Storage; Zone-local Switch; Core Switch; User; Virtual Machine Monitor; VM; vFirewall; vNetwork; vSwitch; vStorage; Isolation; Storage Area Network; Storage Virtualization.]

Where are the limits?

Can we really consolidate multiple tenants?

Page 13: Security Considerations for Server Virtualization


Threats in General…

Remain identical as with physical servers

But some are amplified

– Attack surfaces increase, new interfaces, “unknown” code

– Administrative complexity increases

– Tighter coupling of servers

– Software-based isolation

– New vulnerabilities

– Human errors

Page 14: Security Considerations for Server Virtualization


Challenges|1: Logical Resource Boundaries

Shared Resources

– How to establish “Separation of Concerns”?

– What to control?

• Interrupt rates?

• Bus limits?

Interdependencies

– How to avoid cyclic interdependencies?

– Who is responsible?

[Figure: network zones A, Y and Z, with zone Z virtualized. Labels: Firewall; Guest (Binaries, Services, Data); Physical Interfaces; Hardware; Cluster Hardware; Network; Storage; Zone-local Switch; Core Switch; User; Virtual Machine Monitor; VM; vFirewall; vNetwork; vSwitch; vStorage; Isolation; Storage Area Network; Storage Virtualization.]

Page 15: Security Considerations for Server Virtualization


Challenges|2: Administration and Management

Trustworthy identification of virtual resources

– VMs are copied, cloned, moved…

– New resources are easily created!

Management, administration and maintenance of all resources

– How to avoid unmaintained VMs?

– What is the “right” decomposition of services?

– How to integrate into existing infrastructures and processes?

New super admin

– How can we provide the segregation of duties?

• Whom do we trust?

• Who is able to manage the complexity?

• How to confine errors?

[Figure: network zones A, Y and Z, with zone Z virtualized, annotated “Trust?” and “Super-admin?”. Labels: Firewall; Guest (Binaries, Services, Data); Physical Interfaces; Hardware; Cluster Hardware; Network; Storage; Zone-local Switch; Core Switch; User; Virtual Machine Monitor; VM; vFirewall; vNetwork; vSwitch; vStorage; Isolation; Storage Area Network; Storage Virtualization. Admin roles: Sysadmin, Network/Firewall admin, Storage admin.]

Page 16: Security Considerations for Server Virtualization


Challenges|3: Protection and Isolation

Can we trust and rely on the virtualizer?

– Is CC EAL4+ Security Target applicable for home-use or enterprise grade computing?

Local interface protection

– At what level?

– At what costs?

– Manageability?

Side channels?

– Protection of VM-images against manipulation, loss and “disclosure”?

– How to deal with privileged VMs?

– Limit effect of compromised machines?

[Figure: network zones A, Y and Z, with zone Z virtualized, annotated “Trust?” and “Super-admin?”. Labels: Firewall; Guest (Binaries, Services, Data); Physical Interfaces; Hardware; Cluster Hardware; Network; Network Interfaces; Storage; Zone-local Switch; Core Switch; User; Virtual Machine Monitor; VM; vFirewall; vNetwork; vSwitch; vStorage; Isolation; Storage Area Network; Storage Virtualization. Admin roles: Sysadmin, Network/Firewall admin, Storage admin.]

Page 17: Security Considerations for Server Virtualization


Summary…

New opportunities

– Enabler for flexible server consolidation and flexible resource sharing

– Reduction of hardware, energy savings

– Alleviation of administration

– Accelerated server “creation” and deployment

– Alleviation of BCP

– Support of cost-efficient, software-based service isolation

Improvements in methods and mechanisms on the horizon

– Identification

– Administration and Orchestration

– VM binding and verification on the horizon

Page 18: Security Considerations for Server Virtualization


Summary II

Server consolidation does not come for free

– Increase in interdependencies

– Increase in complexity

– Increase in maintenance effort

Fundamental challenges with virtualization remain

– Identification and addressing

– Trust in virtualizers and privileged VMs

– Resource allocation and control

– Fine granular resource protection

– Methods and mechanisms to segregate duties

– Administrative competencies

– Limit effects of compromised machines

– Confine human errors of super admin

Page 19: Security Considerations for Server Virtualization


… and Conclusion

The enterprise must be ready

– Data classification

– Concepts, policies and guidelines

– Sound and up-to-date base infrastructure

– Proper dimensioning

– Roles, competencies and responsibilities defined and in place

– Processes, mechanisms and tools established

Last but not least:

Trust the hypervisor…

Page 20: Security Considerations for Server Virtualization


Consecom AG – Global Vision – Swiss Values

Thank you for your attention.
