
Page 1: Security Challenges in the Virtualized World IBM Virtual Server Protection for VMware

10.03.2011

1

© 2009 IBM Corporation

Security Challenges in the Virtualized World
IBM Virtual Server Protection for VMware

Peter Rossi, IBM Senior Security Specialist

IBM Virtual Server Protection

Page 2

Agenda

■ IBM Security Framework

■ Security Challenges in the Virtualized World

– Vulnerability examples

■ IBM Virtual Server Protection for VMware

Page 3

IBM Security Framework

Page 4

IBM delivers a new approach to Security Management

IBM's approach is to strategically manage risk end-to-end across all risk areas within an organization.

Page 5

IBM Security Framework

Protect sensitive business data

Give the right users access to the right resources at the right time

Keep applications available and protected from malicious or fraudulent use.

Optimize service availability by mitigating risks

Provide actionable intelligence & improve physical infrastructure security

Page 6

IBM Tivoli Security Focus Areas

Trusting Identities – customers, partners, employees (known). Manage those you know. IBM is #1 in this space.

Managing Access

Securing Services

Protecting Data

Compliance – prove that you’re in control. IBM is #1 in this space.

Enforce policy. Protect against those you don’t – criminals, competitors, hackers (unknown). IBM is #1 in this space.

Figure labels (business processes shown): Payroll, Online banking, Loan applications, Retail sales, Inventory.

Page 7

Security Challenges in the Virtualized World

Page 8

Server and Network Convergence

Page 9

Security Challenges with Virtualization: What is the Impact to Overall Security Posture?

Page 10

Security Challenges with Virtualization: New Risks

– Resource sharing
– Single point of failure
– Loss of visibility

MORE COMPONENTS = MORE EXPOSURE

Traditional Threats – traditional threats can attack VMs just like real systems

– Virtual server sprawl
– Dynamic state
– Dynamic relocation
– Stealth rootkits in hardware

– Management vulnerabilities
– Secure storage of VMs and the management data
– Requires new skill sets
– Insider threat

New threats to VM environments

Page 11

The Importance of Virtualization System Security

■ Businesses are increasingly relying on virtualization technology

■ In Q4 2009, 18.2% of servers shipped were virtualized [1]

– 20% increase over 15.2% shipped in Q4 2008

■ Growing interest in cloud computing will fuel further demand

■ Vulnerability disclosures have grown as interest has grown

[1] Source: IDC

Page 12

The Risk Imposed by Virtualization System Vulnerabilities

■ Disclosed vulnerabilities pose a significant security risk

■ 40% of all reported vulnerabilities have high severity

– Tend to be easy to exploit and provide full control over the attacked system

■ Exploits have been publicly disclosed for 14% of vulnerabilities

Page 13

Vendor Disclosures Include Some Surprising Results

■ Low percentages for Oracle, IBM, and Microsoft

– VMware: 80.9%
– RedHat: 6.9%
– Citrix: 5.8%
– Oracle: 1.8%
– IBM: 1.1%
– Microsoft: 0.9%

Page 14

Virtualization System Vulnerability Classes

■ Vulnerabilities can be classified by what they affect

Figure: components of a Virtualization System – System Administrators, Management Console, Management Server, Virtualization Server (Hypervisor, Admin VM, Guest VMs), Hardware and Guest VM Users – with the six vulnerability classes (1 to 6, defined on the following pages) marked on the component each affects.

Page 15

Virtualization System Vulnerability Classes

■ 1. Management console vulnerabilities

– Affect the management console host
– Can provide platform or information allowing attack of management server
– Can occur in custom consoles or web applications

■ 2. Management server vulnerabilities

– Potential to compromise virtualization system configuration
– Can provide platform from which to attack administrative VM

■ 3. Administrative VM vulnerabilities

– Compromises system configuration
– In some systems (like Xen), equivalent to a hypervisor vulnerability in that all guest VMs may be compromised
– Can provide platform from which to attack hypervisor and guest VMs

Page 16

Virtualization System Vulnerability Classes

■ 4. Hypervisor vulnerabilities

– Compromise all guest VMs
– Cannot be exploited from guest VMs

■ 5. Guest VM vulnerabilities

– Affect a single VM
– Can provide platform from which to attack administrative VM, hypervisor, and other guest VMs

■ 6. Hypervisor escape vulnerabilities

– A type of hypervisor vulnerability
– Classified separately because of their importance
– Allow a guest VM user to “escape” from own VM to attack other VMs or hypervisor
– Violate assumption of isolation of guest VMs

Page 17

Virtualization System Vulnerability Examples

■ Management console – CVE-2009-2277: A cross-site scripting vulnerability in a VMware web console allows remote attackers to steal cookie-based authentication credentials

■ Management server – CVE-2008-4281: VMware VirtualCenter management server can allow a local attacker to use directory traversal sequences to gain elevated privileges

■ Administrative VM – CVE-2008-2097: A buffer overflow in a VMware management service running in the administrative VM could allow remote authenticated users to gain root privileges

Page 18

Virtualization System Vulnerability Examples

■ Guest VM – CVE-2009-2267: A bug in the handling of page fault exceptions in VMware ESX Server could allow a guest VM user to gain kernel mode execution privileges in the guest VM

■ Hypervisor – CVE-2010-2070: By modifying the processor status register, a local attacker can cause the Xen kernel to crash

■ Hypervisor escape – CVE-2009-1244: An error in the virtual machine display function on VMware ESX Server allows an attacker in a guest VM to execute arbitrary code in the hypervisor

Page 19

Production Virtualization System Vulnerabilities By Class

– Hypervisor escape (37.5%)
– Admin VM (17.5%)
– Mgmt console (16.3%)
– Guest VM (15.0%)
– Mgmt Server (6.3%)
– Indeterminate (6.3%)
– Hypervisor (1.3%)

Page 20

Gartner’s Perspective on Secure Virtualization

“IBM has the first commercial implementation of a rootkit detection/prevention offering that works from outside of the virtual machine it is protecting...”

– Neil MacDonald, Gartner

Page 21

IBM Virtual Server Protection for VMware

Page 22

Virtualization Security Solutions

Existing solutions certified for protection of virtual workloads:

■ Firewall
■ Intrusion Prevention
■ System auditing
■ File integrity monitoring
■ Anti-malware
■ Security configuration Mgmt

Threat protection delivered in a virtual form-factor:

§ Firewall
§ Intrusion Prevention
§ Virtual network segment protection/policy enforcement

Integrated virtual environment-aware threat protection:

§ Firewall
§ Intrusion Prevention
§ Virtual host protection and network policy enforcement
§ Network access control
§ Virtual infrastructure monitoring

Page 23

Integrated Security

■ Non-intrusive

o No reconfiguration of the virtual network
o No presence in the guest OS

■ Less management overhead

o One Security Virtual Machine (SVM) per physical server
o 1:many protection-to-VM ratio

■ Automated

o Privileged presence gives SVM holistic view of the virtual network
o Protection automatically applied as VM comes online

■ Lower overhead

o Eliminates redundant processing tasks

■ Protection for any guest OS

Figure: SiteProtector Management above the physical server; on the Hardware runs the Hypervisor (VMsafe) hosting the SVM (hardened OS kernel with Policy, Response and Engines) alongside the protected VMs (OS, Applications, Kernel) and the Management VM.

IBM Confidential

Page 24

IBM Virtual Server Protection for VMware – Integrated threat protection for VMware vSphere 4

Benefits

■ Vulnerability-centric, protocol-aware analysis and protection
■ Abstraction from underlying network configuration
■ Automated protection for new VMs
■ Network-level workload segmentation
■ Privileged-level protection of OS kernel structures

Helps customers to be more secure, compliant and cost-effective by delivering integrated and optimized security for virtual data centers.

Figure: SiteProtector Management

Page 25

Intrusion prevention just got smarter with extensible protection backed by the power of X-Force

Our Protocol Analysis Module is the engine behind our products.

Virtual Patch

What It Does: Shields vulnerabilities from exploitation independent of a software patch, and enables a responsible patch management process that can be adhered to without fear of a breach.

Why Important: At the end of 2009, 52% of all vulnerabilities disclosed during the year had no vendor-supplied patches available to remedy the vulnerability.

Threat Detection & Prevention

What It Does: Detects and prevents entire classes of threats as opposed to a specific exploit or vulnerability.

Why Important: Eliminates the need for constant signature updates. Protection includes the proprietary Shellcode Heuristics (SCH) technology, which has an unbeatable track record of protecting against zero-day vulnerabilities.

Data Security

What It Does: Monitors and identifies unencrypted personally identifiable information (PII) and other confidential information for data awareness. Also provides the capability to explore data flow through the network to help determine if any potential risks exist.

Why Important: Flexible and scalable customized data search criteria; serves as a complement to the data security strategy.

Web Application Protection

What It Does: Protects web applications against sophisticated application-level attacks such as SQL injection, XSS (cross-site scripting), PHP file includes and CSRF (cross-site request forgery).

Why Important: Expands security capabilities to meet both compliance requirements and threat evolution.

Application Control

What It Does: Manages control of unauthorized applications and risks within defined segments of the network, such as ActiveX fingerprinting, peer-to-peer, instant messaging and tunneling.

Why Important: Enforces network application and service access based on corporate policy and governance.

Client-Side Application Protection

What It Does: Protects end users against attacks targeting applications used every day such as Microsoft Office, Adobe PDF, multimedia files and web browsers.

Why Important: At the end of 2009, vulnerabilities which affect personal computers represented the second-largest category of vulnerability disclosures, about a fifth of all vulnerability disclosures.

Page 26

Automated Discovery/vNAC

Features

■ Virtual network access control (VNAC)
■ Automated discovery
■ Virtual Infrastructure auditing integration

Benefits

■ Rogue VM protection
■ Virtual Infrastructure monitoring
■ Virtual network awareness
■ Quarantine or limit network access until VM security posture has been validated

Flow shown in the figure:

1. SVM is notified as soon as a VM comes online.
2. SVM limits network communications (quarantine group) until the VM is placed in a non-quarantine group.
3. The SVM reports to SiteProtector that a new VM is online and initiates a discovery scan.

Figure: SiteProtector Management
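The quarantine-until-validated flow on this slide, modelled as an added Python example (not IBM's code): the VM, Policy and SVM classes, the posture checks run by the discovery scan and the constructed remediation port are all assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum

# Constructed: the only destination port a quarantined VM may reach (remediation server).
REMEDIATION_PORT = 8443


class Group(Enum):
    QUARANTINE = "quarantine"
    PRODUCTION = "production"


@dataclass
class VM:
    name: str
    open_ports: set[int] = field(default_factory=set)   # as reported by the discovery scan
    missing_patches: int = 0                             # as reported by the discovery scan
    group: Group = Group.QUARANTINE
    events: list[str] = field(default_factory=list)


@dataclass
class Policy:
    allowed_ports: set[int]
    max_missing_patches: int = 0


class SVM:
    """Security Virtual Machine: gates a new VM's network access on its posture."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.site_protector_log: list[str] = []   # events forwarded to SiteProtector

    def discovery_scan(self, vm: VM) -> list[str]:
        """Return the policy violations found on the VM (empty list = posture OK)."""
        findings = []
        extra = vm.open_ports - self.policy.allowed_ports
        if extra:
            findings.append(f"unexpected ports {sorted(extra)}")
        if vm.missing_patches > self.policy.max_missing_patches:
            findings.append(f"{vm.missing_patches} missing patches")
        return findings

    def on_vm_online(self, vm: VM) -> Group:
        # Step 1: the SVM is notified and the VM starts in the quarantine group.
        vm.group = Group.QUARANTINE
        vm.events.append("online: quarantined")
        # Step 2: report to SiteProtector and run the discovery scan.
        self.site_protector_log.append(f"{vm.name}: online, discovery scan started")
        findings = self.discovery_scan(vm)
        # Step 3: only a validated posture moves the VM out of quarantine.
        if findings:
            vm.events.append("posture failed: " + "; ".join(findings))
        else:
            vm.group = Group.PRODUCTION
            vm.events.append("posture validated: production")
        self.site_protector_log.append(f"{vm.name}: {vm.group.value}, {len(findings)} finding(s)")
        return vm.group

    def allows_flow(self, vm: VM, dst_port: int) -> bool:
        """Per-flow decision the SVM applies to the VM's traffic."""
        if vm.group is Group.QUARANTINE:
            return dst_port == REMEDIATION_PORT
        return True


if __name__ == "__main__":
    svm = SVM(Policy(allowed_ports={22, 443}))
    for vm in (VM("web01", open_ports={22, 443}),
               VM("legacy02", open_ports={22, 445, 3389}, missing_patches=3)):
        svm.on_vm_online(vm)
        print(vm.name, vm.group.value, vm.events)
```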

Page 27

Security Footprint Reduction

■ Security isolated in Security Virtual Machine

■ Less presence in guest OS equals:

o improved stability
o more CPU/memory available for workloads
o decreased attack surface

■ Customer-defined thresholds for security resource usage

■ Over time, guest OS presence will be reduced to the absolute minimum

CPU-intensive processing removed from the guest OS and consolidated in SVM

“Lighter” agent used where guest OS context is required

Page 28

Mobility (VMotion)

■ Maintain security posture irrespective of the physical server on which the VM resides

Abstraction from underlying physical servers provides dynamic security adapted for mobility

Figure: SiteProtector Management

Page 29

Introspection-Based Rootkit Detection

■ Threat – Malware that embeds itself in the operating system to avoid detection

■ Functionality – Rootkit detection engine that uses memory introspection to identify modifications to key guest OS kernel data structures (SSDT & IDT) by malware
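The SSDT/IDT check described here, as an added Python example that is not IBM's engine: the module map, table entries and addresses are constructed values standing in for what a real engine reads from guest memory through introspection. It generalizes the slide slightly by combining two signals for any dispatch table, drift from a boot-time baseline and failure to resolve into a trusted kernel module.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner(addr: int, modules: list[Module]) -> Optional[str]:
    """Name of the loaded kernel module that contains addr, or None if unmapped."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def check_table(name: str, baseline: dict[int, int], current: dict[int, int],
                modules: list[Module], trusted: set[str]) -> list[str]:
    """Compare a dispatch table (SSDT or IDT) read from guest memory with its baseline.

    Two independent signals, so a hook is still caught when an index has no
    baseline entry: the value differs from the boot-time baseline, or the
    target address does not fall inside any trusted kernel module.
    """
    findings = []
    for idx, target in sorted(current.items()):
        mod = owner(target, modules)
        if idx in baseline and baseline[idx] != target:
            findings.append(f"{name}[{idx:#x}] changed: {baseline[idx]:#x} -> {target:#x} ({mod or 'unmapped'})")
        elif mod not in trusted:
            findings.append(f"{name}[{idx:#x}] points outside trusted modules: {target:#x} ({mod or 'unmapped'})")
    return findings


def scan_guest(snapshot: dict, baseline: dict, modules: list[Module], trusted: set[str]) -> list[str]:
    out = []
    for table in ("SSDT", "IDT"):
        out += check_table(table, baseline[table], snapshot[table], modules, trusted)
    return out


# Constructed sample: kernel and HAL images with made-up load addresses; the
# rootkit's code lives in a pool allocation at 0x8a100000 that belongs to no module.
MODULES = [Module("ntoskrnl.exe", 0x80400000, 0x200000),
           Module("hal.dll", 0x80600000, 0x20000)]
TRUSTED = {"ntoskrnl.exe", "hal.dll"}
BASELINE = {"SSDT": {0x42: 0x80412340, 0x91: 0x80456780},
            "IDT": {0x0E: 0x80408800, 0x2E: 0x80409000}}
# Current snapshot: one system service and the int 0x2E system-service gate
# have been redirected into the unmapped region.
SNAPSHOT = {"SSDT": {0x42: 0x80412340, 0x91: 0x8a100200},
            "IDT": {0x0E: 0x80408800, 0x2E: 0x8a100400}}

if __name__ == "__main__":
    for finding in scan_guest(SNAPSHOT, BASELINE, MODULES, TRUSTED):
        print("ALERT:", finding)
```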

Page 30

Virtual Infrastructure Auditing

■ Threat – Virtual machine state change or migration that mixes trust zones

■ Functionality – Hooks into VMware management auditing to report events interesting from a security perspective

Page 31

VMsafe Network Packet Inspection API

VMX parameters for SVM:

ethernet2.networkName = "ibm-vmwarenetwork-appliance"

VMX parameters for VM:

ethernet0.filter0.name = "ibm-iss-vmkmod"
ethernet0.filter0.onFailure = "failOpen"

■ vNetwork Data Path Agent (FastPath Agent)

– Installs as a kernel module and directly intercepts packets in the virtual network packet stream

■ vNetwork Control Path Agent (SlowPath Agent)

– Resides in a security virtual appliance and can be used for further thorough processing

Figure: ESX Server on Physical Hardware; the VMkernel (with its hardware interface and vswitch01) carries VM network traffic from each VM's VMM through the FastPath Agent (DVFilter library) to the SlowPath Agent in the Security Virtual Machine via VMsafe introspection.

Page 32

VMsafe CPU & Memory API

VMX parameters for SVM:

ethernet1.networkName = "ibm-vmwareintrospect-appliance"

VMX parameters for VM:

vmsafe.enable = "true"
vmsafe.agentAddress = "169.254.55.2"
vmsafe.agentPort = "49999"
vmsafe.failOpen = "TRUE"

■ Can inspect memory locations and CPU registers

■ Hypervisor Extension implemented as VMX/VMM modules

■ VMsafe API Library on SVM

■ Capabilities

– Detect current application state in the protected VM's CPU
– Sense system configuration state from the control registers

Figure: ESX Server on Physical Hardware; VM memory/CPU calls pass from each VM's VMM through the VMsafe VMX/VMM extension and the VMkernel to the VMsafe Library in the Security Virtual Machine via VMsafe introspection.

Page 33

IBM Virtual Server Protection for VMware helps to meet compliance best practices

1. Configuration and change management processes should be extended to encompass the virtual infrastructure

– Automatic discovery and protection as a VM comes online
– Dashboard visibility into the virtual host OS and the virtual network to identify vulnerabilities
– IBM Virtual Patch® technology protects vulnerabilities on virtual servers regardless of patch strategy

2. Maintain separate administrative access control although server, network and security infrastructure is now consolidated

– Virtual network access control
• Quarantines or limits network access from a virtual server until VM security posture has been confirmed
– Virtual Infrastructure auditing

3. Provide virtual machine and virtual network security segmentation

– Network-level workload isolation

4. Maintain virtual audit logging

– Virtual Infrastructure monitoring and reporting

*Source: RSA Security Brief: Security Compliance in a Virtual World http://www.rsa.com/solutions/technology/secure/wp/10393_VIRT_BRF_0809.pdf

Page 34

IBM Virtual Server Security for VMware helps customers to be more secure, compliant and cost-effective

Protects and tracks access of critical data housed on virtual machines

How we help your business

Created for and integrated with the virtual platform

Increases virtual server uptime and availability with virtual rootkit detection

Helps meet regulatory compliance mandates by providing security and reporting functionality customized for the virtual infrastructure

Increases ROI with dynamic VM security and discovery

Integrated threat protection for the VMware vSphere 4 platform

Page 35

For more information on IBM Virtualization Security Solutions

White paper (click the graphic): ftp://ftp.software.ibm.com/common/ssi/sa/wh/n/sew03016usen/SEW03016USEN.PDF

Virtualization Security Solutions Web page (click the graphic): http://www-935.ibm.com/services/us/iss/html/virtualization-security-solutions.html

Links work in slide show mode.

Page 36

Questions?

Thank you!

Page 37

Trademarks and notes

■ IBM Corporation 2010

■ IBM, the IBM logo, ibm.com, AIX, IBM Internet Security Systems, Proventia, Real Secure, SiteProtector, X-Force and Virtual Patch are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with the appropriate symbol (® or ™), these symbols indicate US registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

■ VMware, the VMware "boxes" logo and design, Virtual SMP and VMotion are registered trademarks or trademarks (the "Marks") of VMware, Inc. in the United States and/or other jurisdictions.

■ References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.

■ The customer is responsible for ensuring compliance with legal requirements. It is the customer’s sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the reader may have to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law or regulation.
