© 2010 IBM Corporation
Virtualization Security Best Practices
IBM Institute for Advanced Security
November, 2010
IBM Internet Security Systems
Virtualization Security Best Practices
Moderator
Charles Palmer, Director of the Institute for Advanced Security, IBM
Expert Panelists
Edward L. Haletky, Analyst, The Virtualization Practice, LLC - virtualizationpractice.com
David Abercrombie, Senior Product Manager, Server Protection Solutions - IBM
Ajay Dholakia, Senior Technical Staff Member, System x - IBM
Agenda
Introduction and Overview of Virtualization – Charles Palmer
Virtualization: The Basics - Edward L. Haletky virtualizationpractice.com
Virtualization Approaches – David Abercrombie
Virtualization Requirements and Imperatives – Ajay Dholakia
Questions & Answers
The Virtualization Journey
Consolidate Resources
• Improved efficiency and utilization of IT resources with simple virtualization tools
Manage Workloads
• Improved IT staff productivity with integrated systems management dashboard for physical and virtual resources
Automate Processes
• Consistent and repeatable processes based on best practices, business priorities and service level agreements with simple virtualization tools
Optimize Delivery
• Self provisioned by users based on business imperatives, unconstrained by physical barriers or location.
[Diagram labels: Consolidate Resources, Manage Workloads, Automate Processes, Optimize Delivery; Increased Agility; Network, Storage, Server]
Virtualization Security Review
Edward L. Haletky
The Hypervisor
[Diagram, built up over successive slides; labels from top to bottom: Application Layer, Guest OS Layer, Virtual Machine Manager, Kernel Layer, Driver/Module Layer, Hardware Layer; plus the label Hypervisor]
Hypervisor Basics
How the Hypervisor Protects Itself
or
Internal Workings of a Hypervisor
Understand Hypervisor Security: Access to CPU
Hypervisor Controls CPU
Understand Hypervisor Security: Access to Memory
[Diagram, built up over successive slides; labels: vmkernel, VM, Memory, .vswp, Memory Page, Compare, Ptr]
Understanding Hypervisor Security: ESX Network Protections
[Diagram, built up over successive slides; labels: L2-Switch, CAM, PG-100, PG-200, Nexus 1000V; XX markers on some builds]
Virtual Environment Threats
Two Sets
Virtual Environment Threats
Existing Threat Vectors
• Worms
• Trojans
• Virus
• Spam
• DDoS
Existing Threat Vectors
• Network Attacks
New Threat Vectors
• Management
• USB over IP
• Backup Server
New Threat Vectors
• VM Escape
• Introspection APIs
Virtualization Security Best Practices
David Abercrombie
All information represents IBM's current intent, is subject to change or withdrawal without notice, and represents only IBM ISS’ goals and objectives. By providing this information, IBM is not committing to provide this capability.
Security Must Evolve
[Diagram labels: Static, Dynamic, SECURITY]
Physical
• Network IPS: Blocks threats and attacks at the perimeter
• Server Protection: Secures each physical server with protection and reporting for a single agent
• System Patching: Patches critical vulnerabilities on individual servers
• Security Policies: Policies are specific to critical applications in each network segment and server
Virtualized
• Network IPS: Should protect against threats at perimeter and between VMs
• Server Protection: Securing each VM as if it were a physical server adds time, cost and footprint
• System Patching: Needs to protect against vulnerabilities that result from VM state changes
• Security Policies: Policies must be able to move with the VMs
Integrated Protection vs. Host-based Protection
Host-Based Agent
• Isolation: Firewall functions only in the context of the VM
• Attack Prevention: Requires agent to be present
• VM State: Security is impacted by VM state change
• Security Policies: Policy is enforced only within the VM
Virtual Server Protection
• Isolation: Firewall enforces virtual network-wide policy
• Attack Prevention: Secures all virtual machines automatically
• VM State: Security is not impacted by VM state change
• Security Policies: Policy is enforced outside of the VM and irrespective of the VM's location
IBM Confidential
Integrated Security Benefits
[Diagram labels: ESX Server; VM, VM, VM, VM, SVM; vSwitch; VMSafe; vSwitch]
• Firewall
• Intrusion Prevention
• Virtual Infrastructure Auditing
• Rootkit detection
• Discovery
Regain Lost Visibility and Control
• Identify VMs that are invisible to traditional discovery tools
• Control unauthorized crossing of trust zones
• Ensure VMs that come online do not introduce vulnerabilities
• Quarantine unauthorized VMs
  – VMs that are not considered trusted are given limited network access
[Diagram label: Virtual Network]
Dynamic Environment Protection
[Diagram, built up over two slides; labels: ESX Server, VM, SVM, vSwitch, VMSafe, SiteProtector, Policy, Events, Updates]
• Maintain security posture irrespective of the physical server on which the VM resides
• Abstraction from underlying physical servers provides dynamic security optimized for mobility
Defense In Depth
Host-Based Agent
• Access Management
• Security/Configuration Management
• Malware Detection/Prevention
• File Integrity Monitoring
• Encrypted Traffic Inspection
Security Virtual Machine
• Firewall
• Intrusion Prevention
• Malware Detection/Prevention
• Access Monitoring
• Access Control
Network-Based Appliance
• Firewall
• Intrusion Prevention
• Network Policy Enforcement
• Data Loss Prevention
Host-Based Agent
• Firewall
• Intrusion Prevention
• Access Management
• Security/Configuration Management
• Malware Detection/Prevention
• File Integrity Monitoring
• Encrypted Traffic Inspection
Evolution of Secure Virtualization solutions
Today…
• Security Virtual Machines take over some key functions from host-based agents
  – Host-level firewall, IPS/IDS, guest security configuration, some anti-malware functions
  – Fewer resources (CPU, memory) consumed
  – Less intrusive (kernel drivers)
  – Guest OS-independent
More to come…
  – Hardware-level root-of-trust (TPMs)
  – Maturity of virtual machine introspection
  – Security component collaboration & automated remediation
Summary
• Virtualization does impact security posture
• “Legacy” tools are still relevant
• New products adapted for virtual environments are available
• No single product provides adequate protection
Virtualization Security Best Practices
Ajay Dholakia
Security complexities raised by virtualization
Complexities
• Dynamic relocation of VMs
• Increased infrastructure layers to manage and protect
• Multiple operating systems and applications per server
• Elimination of physical boundaries between systems
• Manually tracking software and configurations of VMs
• Maintenance of virtual images
• Image sprawl (proliferation)
• Virtual appliances (Trojan Horse)
• Public Cloud risks
  – “Black box” sharing in clouds reduces visibility and control
  – Privacy and accountability regulations
Before Virtualization
• 1:1 ratio of OSs and applications per server
After Virtualization
• 1:Many ratio of OSs and applications per server
• Additional layer to manage and secure
Virtualization security – Driving requirements
Requirements
• Secure platforms & engineering process
• Threat and vulnerability management
  – Internal / external threat mitigation
• Privileged access
  – Role segregation & access control
• Data confidentiality and integrity
  – Data @ rest (storage), data in transit (network)
• Regulatory compliance
• Multi-tenancy / isolation
  – Isolation management of Virtual Servers
• Image / virtual appliance security
• Consolidated systems security
  – Consolidated server, storage, net. security mgmt.
• Systems Integrity Management
  – Trusted software / firmware / hardware
Virtualization security – Imperatives … The Low Hanging Fruit
Easy steps you can follow
7. Do not use Paravirtualized drivers within DMZ based VMs, or any that hold sensitive data unless there is an absolute performance requirement to do so, and then only use the specific driver instead of installing them all.
6. Use a centralized directory service to provide authentication
5. Use a centralized tool to provide authorization.
4. Use a centralized syslog/log server for collecting audit and standard log data for analysis
3. Analyze/Review your log data daily for issues.
2. Ensure only the hypervisor can access any LUN assigned to a hypervisor.
1. Firewall your virtualization management tools from the rest of your network
Virtualization Security wrap up
Summary
• Important to understand the inner workings of a hypervisor and how it protects itself
• Type of threats that virtual environments are vulnerable to
• Security posture impacted by virtualization and no single product provides adequate protection but…
• Firewall tools are a good start to protect your virtual environment
Questions & Answers
Thank you!
For more information on Virtualization Security, visit:
IBM Institute for Advanced Security: www.instituteforadvancedsecurity.com
The Virtualization Practice: http://www.virtualizationpractice.com/blog/?page_id=2
Seed Questions
Ed
– How do we handle antivirus, patching and malware?
– Should we be using VLANs? Are they secure?
– Do I have to worry about ‘escaping VM’ attacks?
– Can you virtualize a DMZ?
Dave
– Performance-wise, how do security virtual machines impact the virtual environment?
– Can security virtual machines be integrated with platforms other than VMware?
Ajay
– Does virtualization improve security or make it more challenging?
– Does security of physical end-points interact with security for virtual end-points? Or does it remain separate?