Security Solutions: Microsoft Virtualization Solutions Marketing, 2009
Posted 21-Dec-2015, category: Documents

Transcript of Security Solutions Microsoft Virtualization Solutions Marketing 2009.
Microsoft Virtualization Solution Scenarios
Business Solution Scenarios: Business Critical Applications; Branch Infrastructure; Small and Mid-Sized Business (SMB); Business Continuity; IT Consolidation; Lab Automation and Stage Management
Horizontal Solution Scenarios: Security; Storage; System Management; Hosting/Cloud Computing; Networking; Centralized Desktop
Core Platform Capability Scenarios: VHD Container

Security Solution Overview
What is Security Virtualization?
Security virtualization refers to the following virtualized security mechanisms:
Security Solutions Specific to Virtual Systems
• Secure Platform: Hypervisor, Server Core
• Offline VM
• Inter VM Communication
• Introspection
Security Solutions for Physical and Virtual Systems
• Systems Management: Patching/Configuration, Policy/Compliance
• Online Anti-Virus
• Authentication & Authorization
• Centralized Desktop Security
1. Platform components of the virtualization stack (hypervisor, the root and child partitions) are configured optimally and have all mechanisms in place to proactively detect and mitigate security threats
2. Authentication and authorization management is in place along with role-based access control
3. Security solutions, such as anti-virus and patch updates, are in place in online and offline VMs to mitigate threats
4. Additional security mechanisms, like introspection, are available for forensic analysis and auditing
Security Challenges in Virtualization
Scenarios in Virtualization (drivers: capital and operational cost savings; flexibility and cost savings; IT responsiveness):
• Consolidation of Server Hardware
• Collapse of Switches and Servers into One Device
• Faster Deployment
Associated Security Challenges:
• Challenge 1: Higher impact of attack and increased surface area for attack
• Challenge 2: No separation-by-default of administration and elevated risk of misconfiguration
• Challenge 3: Lack of adequate planning and incomplete knowledge of current state of infrastructure
(Diagram: several Apps/OS stacks consolidated onto one host)
Security Challenges in Virtualization (continued)
Scenarios in Virtualization (drivers: ease of business continuity and ability to impose restrictions on systems; improved service levels):
• Encapsulation
• Mobility
Associated Security Challenges:
• Challenge 4: Additional efforts to manage offline systems
• Challenge 5: Identity divorced from physical location, and security policies need to move with the virtual machine
(Diagram: encapsulated Apps/OS stacks moving between hosts)
Risk Mitigation Strategy in Virtualization
Security Challenge → Solution
• Challenge 1: Higher impact of attack; increased surface area for attack → Isolate, with non-interference between VMs; secure the Microsoft® Hyper-V™ and the root partition
• Challenge 2: No separation-by-default of administration and elevated risk of misconfiguration → Use tools that provide separation-of-duties; strong change controls and meticulous log and event monitoring
• Challenge 3: Lack of adequate planning; incomplete knowledge of current state of infrastructure → Centralized security management: patch and configuration management, policy and compliance management, anti-virus scan, etc.
• Challenge 4: Additional efforts to manage offline systems → Use anti-virus and patching tools that can update an offline machine
• Challenge 5: Identity divorced from physical location; security policies need to move with the virtual machine → Migrate security policies along with the virtual machine; security solutions must be virtualization aware and must work after migration
Microsoft Virtualization Security Management
Microsoft Virtualization Solutions: not just a product, but an end-to-end offering
• Microsoft Products and Technologies
• Microsoft Partner Hardware, Software, and Services
• Joint Reference Architecture and Deployment Resources
Microsoft offers a fully integrated approach for virtualization security:
• Protects both virtual and physical environments with optimal ROI
• Provides an ecosystem of security solutions partners for comprehensive coverage
Microsoft + Partner Virtualization Security Strategy and Ecosystem
Security Solutions Specific to Virtual Systems (partners: McAfee, Symantec, Altor Networks):
• Secure Platform: Hypervisor, Server Core
• Offline VM: Offline Virtual Machine Security Tool
• Inter VM Communication
• Introspection
Security Solutions for Physical & Virtual Systems (partners: McAfee, Symantec):
• Systems Management: Patching/Configuration, Policy/Compliance
• Online Anti-Virus
• Authentication & Authorization
• Centralized Desktop Security
Secure Platform: Microsoft + Partner Solutions
Microsoft + Partner Solutions for Mitigating Security Challenges
(Tabs: Secure Platform | Security Solutions for Physical/Virtual System | Virtualization Specific Security)
Secure Platform: Hypervisor, Server Core
Secure computing platform across both physical and virtual environments. Next-generation architecture: Microsoft® Windows Server® 2008 Hyper-V™ designed for security.
Challenge 1: Higher impact of attack; increased surface area for attack
• Micro-kernel: Isolation and non-interference between VMs with a secure micro-kernel architecture
• Defense with Hyper-V: Eliminated risk of attack with secure architecture
Hypervisor: Micro-kernel vs. Monolithic
Virtualization = Hypervisor + Drivers + Virtualized Software Stack + Management Interface
Windows Server® 2008 Hyper-V™ uses the micro-kernel design as it delivers additional security benefits:
Micro-kernel Hypervisor (hardware → hypervisor → VM 1 "Root" holding the virtualization stack, VM 2 "Guest", VM 3 "Guest"; drivers run inside each VM):
• Only partitioning memory and CPU
• Increases reliability and minimizes the trusted computing base
• No third-party code
• Drivers run within guests
Monolithic Hypervisor (hardware → hypervisor containing the drivers → VM 1 "Admin", VM 2, VM 3):
• Includes all virtualization components, including drivers
• Runs all code in the most privileged part of the processor
• Patching more likely given the included code
Comprehensive Defense from Risk of Attack
Main Targets of Attack → Secure Microsoft® Hyper-V™ Solutions
1. Virtual machines running on the same box → Strong isolation between partitions
2. Hypervisor → Separation of components by privilege
3. VSPs, through the VSC-VSP communication path → Validation and protection from untrusted requests
4. VM worker process → Separation between VM worker processes
Hyper-V™ provides a secure architecture:
• Separation of components by privilege and process
• Micro-kernel hypervisor with a very small surface area
• Server Core: lock down the root partition and minimize its size
• Guest-to-guest isolation mitigates the risk of malware
Security Solutions for Physical and Virtual Systems: Microsoft + Partner Solutions
Microsoft + Partner Solutions for Mitigating Security Challenges
Security Solutions for Physical & Virtual Systems: Authentication, Authorization, Systems Management (Patching/Configuration, Policy/Compliance), Online Anti-Virus
Challenge 2: No separation-by-default of administration and elevated risk of misconfiguration
Challenge 3: Lack of adequate planning; incomplete knowledge of current state of infrastructure
Risk mitigation from unauthorized access and misconfiguration: defense-in-depth combining Windows Server® 2008 security features with protection tools (partners: McAfee, Symantec)
• Authentication: Single identity store to authenticate users
• Authorization: Separation of duties through role-based authorization
• Accounting/Auditing: Log all administrative activity
• VM Protection: Anti-virus protection
• Patch & Configuration, Policy & Compliance
Integrated User Authentication
All Microsoft solutions for virtualization provide a single identity store to authenticate users with Microsoft® Active Directory® across physical and virtual systems.
(Diagram: Active Directory underpinning Virtualization (Hardware: Hyper-V™; Presentation: Terminal Services; Application: Microsoft App. Virt.), Network Access Protection, Server and Domain Isolation, Forefront™ Security Solutions, System Center Virtual Machine Manager, and Identity Lifecycle Manager 2007)
Active Directory
o Single identity store to authenticate users
o Support across physical and virtual systems
Microsoft® Identity Lifecycle Manager 2007
o Easy user provisioning reduces the high costs and risks associated with manual provisioning
o Identity synchronization
o Simplified management of new security initiatives
Authorization: Separation of Duties with Microsoft Authorization Manager
Microsoft Authorization Manager (AzMan) is part of Windows Server and provides role-based access control, giving separation-of-duties for the virtualized environment.
• Enhance security by granting role-based access for physical and virtual systems
• Improve administration through Active Directory® and Hyper-V™
• Remove the risk of misconfiguration
• Save time by delegating authority over virtual machines without granting the delegate authority over the entire system
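The PowerShell script below is an added example, not part of the deck and not a Microsoft tool: it opens an AzMan authorization store through the AzRoles COM API, lists every role with its operations, tasks and members at application and per-scope level, and flags roles assigned to broad well-known groups, which is the first thing a separation-of-duties review looks for before delegating VM administration. The store path, the application name, and the set of groups treated as "too broad" are placeholders and assumptions; the script only reads the store.

```powershell
# Added example (not from the deck): read-only audit of the roles in an AzMan
# authorization store, for a separation-of-duties review before delegating
# VM administration. Store path and application name are placeholders.
param(
    [string]$StorePath = "msxml://C:\PLACEHOLDER\AzManStore.xml",
    [string]$ApplicationName = "PLACEHOLDER-APPLICATION"
)

# Assumption: membership of these well-known groups makes a delegated role too
# broad. Domain Users is matched by its RID (-513) because its domain SID varies.
$BroadSids = @{
    "S-1-1-0"      = "Everyone"
    "S-1-5-11"     = "Authenticated Users"
    "S-1-5-32-545" = "BUILTIN\Users"
}

function Get-RoleAssignment {
    param([object]$Container, [string]$ScopeName)
    # IAzApplication and IAzScope both expose Roles; each IAzRole returns its
    # operations, tasks and members as arrays of names / SID strings.
    foreach ($role in $Container.Roles) {
        $sids  = @($role.Members)
        $broad = @($sids | Where-Object { $BroadSids.ContainsKey($_) -or $_ -like "*-513" })
        [pscustomobject]@{
            Scope      = $ScopeName
            Role       = $role.Name
            Operations = (@($role.Operations) -join ", ")
            Tasks      = (@($role.Tasks) -join ", ")
            Members    = ($sids -join ", ")
            TooBroad   = ($broad.Count -gt 0)
        }
    }
}

$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, $StorePath, $null)          # flags 0 = open an existing store
$app = $store.OpenApplication($ApplicationName, $null)

$report = @(Get-RoleAssignment -Container $app -ScopeName "(application)")
foreach ($scope in $app.Scopes) {                 # scopes hold the delegated, per-object roles
    $report += Get-RoleAssignment -Container $scope -ScopeName $scope.Name
}
$store.CloseApplication($ApplicationName, 0)

$report | Format-Table -AutoSize
$report | Where-Object { $_.TooBroad } | ForEach-Object {
    Write-Warning "Role '$($_.Role)' in scope '$($_.Scope)' includes a broad group: $($_.Members)"
}
```

Run it from an account that can read the store; the warning lines are the review findings, and the table is the evidence to keep with the change record the deck asks for under Challenge 2.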
Solutions for Online Virtual Machine Protection: Microsoft + Partner Solutions
Anti-Virus Online
• Anti-virus protection for online VMs
• Blocks and removes viruses
Anti-Spyware Protection
• Protection from unwanted programs
• Programs are identified and stopped before they install
Host Intrusion Prevention
• Host intrusion prevention for server monitors
Partner Products: Total Protection Service; Endpoint Protection
Solutions for Online Virtual Machine Protection (continued)
Integrated defense-in-depth security for online VM anti-virus:
• Integration with Microsoft applications and infrastructure to protect physical/virtual assets
• Line-of-business security products for protecting clients and server applications
Client & Server OS / Server Applications:
• Real-time protection from viruses and spyware
• Simplify administration through integration with Active Directory® and other Microsoft infrastructure
• Real-time reporting into both threats and vulnerabilities impacting the environment
• Integration of multiple antivirus scan engines from industry-leading security firms
• Comprehensive application-specific protection: messaging and collaboration
Systems Management for Online Virtual Machines
Reduce the complexities of monitoring configuration changes and reduce the problems associated with configuration drift.
Patching / Configuration
• Site role changes; Microsoft® Windows® deployment; software distribution; software update management; desired configuration management; asset intelligence; device management
• Microsoft® Windows® Update Manager
Policy / Compliance
• Baseline of IT controls for Microsoft platform offerings
• Support IT compliance frameworks:
  o COBIT
  o ISO 17799
• Planned Desired Configuration Management (DCM) Compliance Packs: GLBA, HIPAA, SOX, EUDPD, FISMA, others
Security Solutions Specific to Virtual Systems: Microsoft + Partner Solutions
Microsoft + Partner Solutions for Mitigating Security Challenges
Security Solutions Specific to Virtual Systems: Offline VM, Inter VM Communication, Introspection, Centralized Desktop Security
Challenge 4: Additional efforts to manage offline systems
Challenge 5: Identity divorced from physical location; security policies need to move with the virtual machine
• Solutions for offline protection of virtual machines with patches and security scans
• Enterprise-wide view of virtual assets for planning and compliance
• Offline VM Patch Management: automate patching on offline VMs
• Protection Solution for Offline VM
• Virtual Machine Policy Migration (TBD)
• Inter VM Communication/Introspection
Partners: McAfee, Symantec, Altor Networks
Offline VM Patch Management
Microsoft Offline Virtual Machine Servicing Tool is a freely available solution:
• Automates updating patches on virtual machines offline
• Integrated with Microsoft® System Center Virtual Machine Manager (VMM) 2008 and Microsoft® Configuration Manager 2007
(Diagram: Offline VM Servicing Tool, VMM 2008, VMM Library, Maintenance Hosts on a Maintenance Network, Configuration Manager 2007 or WSUS)
Automate servicing of dormant VMs:
o Apply service patches to OS
o Apply service patches to applications (future)
o True-up configuration (future)
Integrate with System Center products:
o Virtual Machine Manager 2008
o Configuration Manager 2007
o Windows Server Update Services
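As an added example (not the Offline Virtual Machine Servicing Tool and not from the deck), the PowerShell function below addresses the same Challenge 4 problem, a dormant VM that never receives updates, by patching its VHD in place with the DISM cmdlets rather than booting it on a maintenance host as the tool does. The DISM module ships with Windows 8 / Windows Server 2012 and later, so it is newer than the 2008-era tool; the paths, the update folder and the assumption that the VHD holds one image at index 1 are placeholders.

```powershell
# Added example, not from the deck or the Offline Virtual Machine Servicing Tool:
# apply .msu/.cab updates to a powered-off VHD with the DISM PowerShell module.
# Paths are placeholders; requires Windows 8 / Windows Server 2012 or later.
function Update-OfflineVhd {
    param(
        [Parameter(Mandatory)][string]$VhdPath,        # e.g. C:\PLACEHOLDER\vm01.vhd
        [Parameter(Mandatory)][string]$UpdateFolder,   # folder holding .msu / .cab packages
        [string]$MountDir = "C:\PLACEHOLDER\mount"     # empty directory used as the mount point
    )
    if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }

    # Assumption: the VHD contains a single Windows image, so index 1 is the OS volume.
    Mount-WindowsImage -ImagePath $VhdPath -Index 1 -Path $MountDir | Out-Null
    $saved = $false
    try {
        # Package count before/after gives a simple record of what the run changed.
        $before = @(Get-WindowsPackage -Path $MountDir).Count
        foreach ($pkg in Get-ChildItem -Path $UpdateFolder -Include *.msu, *.cab -Recurse) {
            Add-WindowsPackage -Path $MountDir -PackagePath $pkg.FullName | Out-Null
        }
        $after = @(Get-WindowsPackage -Path $MountDir).Count
        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
        $saved = $true
        [pscustomobject]@{ Vhd = $VhdPath; PackagesBefore = $before; PackagesAfter = $after }
    }
    finally {
        # Any failure leaves the VHD untouched: discard the mount instead of saving it.
        if (-not $saved) { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
    }
}

# Usage (placeholder paths):
# Update-OfflineVhd -VhdPath "C:\PLACEHOLDER\vm01.vhd" -UpdateFolder "C:\PLACEHOLDER\updates"
```

The discard-on-failure branch is the point of the try/finally: a half-applied servicing pass on an image that is later booted is worse than no pass, so the VHD is either fully updated or unchanged. Servicing a VHD this way bypasses the VMM library and maintenance-host checkpoints the tool provides, so it suits templates and library images rather than VMs that VMM already tracks.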
Protection Solutions for Offline VMs: Microsoft + Partner Solutions
Anti-Virus for Offline VMs
• Anti-virus protection for offline VMs
• Offline images do not need to be brought online for protection
Anti-Spyware Protection for Offline VMs
• Protection from unwanted programs
• Programs are identified and stopped before they install
Host Intrusion Prevention for Offline VMs
• Host intrusion prevention for server monitors
Partner Products: Total Protection Service; Endpoint Protection
Inter VM Communication/Introspection
Inter VM Communication
Microsoft does not support inter VM communication:
o There is potential risk of attack if the hypervisor is extended
o Vulnerable from third parties who share the extended interface
Introspection
Microsoft offers introspection by providing ISVs with a file format for the Hyper-V™ scanning snapshot file:
o Based on scanning snapshots in the file format
o Virtualization deployments can be protected and enhanced as introspection capabilities emerge in virtualization platforms
Additional virtualization security options
Comparison: Virtualization Security (Microsoft vs. VMware)
Secure Platform
• Hypervisor architecture
  Microsoft: Micro-kernel, minimal attack surface; root lockdown (WS08 Server Core); architecture SDL tested
  VMware: Monolithic, increases attack surface; runs all code (custom OS, drivers, extensible code) in the most privileged part of the processor
• Ease of updating & management
  Microsoft: Micro-kernel hypervisor easy to replace; use all existing management tools and device drivers
  VMware: Monolithic likely requires patching; need to learn new tools; only use drivers that ship with the hypervisor
• Comprehensive virtual solution
  Microsoft: Yes, hardware, presentation, and application virtualization
  VMware: No, only hardware virtualization
Security Solutions for Physical and Virtual Systems
• Common identity platform
  Microsoft: Yes, Active Directory® for physical and virtual IT
  VMware: No, requires a separate identity store
• Infrastructure solutions
  Microsoft: Forefront™, System Center, Identity Lifecycle Manager
  VMware: Management only
• Readily enables security ecosystem?
  Microsoft: Yes, add VHD context to current AV products; broad Windows security ecosystem
  VMware: Yes, to a degree; first set of APIs (VMsafe) requires more AV software adjustments
Security Solutions Specific to Virtual Systems
• Complementary technologies
  Microsoft: NAP, Server & Domain Isolation (WS08), Offline VM Servicing Kit
  VMware: Acquired Determina for HIPS
Virtualization Security Solution Evidence
Customer: Rijksmuseum Amsterdam
Company Size:
Industry: Education – Museums
Country: The Netherlands
Profile: The Rijksmuseum Amsterdam is a museum in The Netherlands. Established in 1800, the museum’s collection includes paintings by Rembrandt, Vermeer, and other Dutch masters.
Benefits:
• Strengthens security
• Improves management and flexibility
• Enables growth
“Implementing Windows Server® 2008 with Network Access Protection will improve my peace of mind. I will be more confident that only managed clients can get access to corporate network resources.”
Paul van Kooten, Network Manager, Rijksmuseum Amsterdam
Next Steps to Enhance Business with Microsoft Virtualization
Product Resources
• Microsoft® Windows Server® 2008 Hyper-V™: http://www.microsoft.com/windowsserver2008/en/us/hyperv.aspx
• Microsoft® System Center: http://www.microsoft.com/systemcenter/en/us/default.aspx
Virtualization Assessment and Planning
• ROI Calculator: https://roianalyst.alinean.com/msft/AutoLogin.do?d=307025591178580657
• Microsoft Assessment and Planning (MAP) Tool: http://technet.microsoft.com/en-us/library/bb977556.aspx
Microsoft Virtualization Solutions
• Microsoft Virtualization Solutions: http://www.microsoft.com/virtualization/solutions
• Microsoft Virtualization Solution Partners: http://www.microsoft.com/virtualization/partners
Appendix

Best Practice to Secure Windows Server® Hyper-V™ and Root Partition
When best practices are followed, Microsoft® Hyper-V™ will provide increased security.
• Enable NX and virtualization in BIOS
• Networking
  o Virtual switches
  o VLANs
  o Dedicated NIC for root partition
• Storage
  o BitLocker
  o Storage CDB filtering
• Device lockdown
• Deployment considerations
  o Patching the hypervisor: Windows Update
  o Minimize risk to the root partition: utilize Server Core; do not run arbitrary applications, no web surfing; run your applications and services in guests
  o Use Authorization Manager (AzMan) to reduce administrative privilege
  o Connect to a back-end management network: only expose guests to internet traffic
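The PowerShell function below is an added example, not from the deck: it reports on four of the root-partition practices listed above (hardware NX/DEP, Server Core, BitLocker on the system volume, and a physical NIC kept off every virtual switch) so a host can be checked against the list instead of trusting its build sheet. It assumes Windows Server 2012 or later for the Hyper-V, NetAdapter and BitLocker modules, an elevated session on the Hyper-V host, and the pass thresholds noted in the comments; on Windows Server 2008 the same facts come from bcdedit, manage-bde and the registry.

```powershell
# Added example, not from the deck: read-only checks for several root-partition
# best practices. Assumes Windows Server 2012+ modules and an elevated session.
function Test-HyperVRootHardening {
    $results = @()

    # 1. NX/DEP. Win32_OperatingSystem reports whether hardware DEP is available and the
    #    policy in force: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut (server default).
    #    Assumption: anything but AlwaysOff counts as "NX enabled".
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $depPolicy = $os.DataExecutionPrevention_SupportPolicy
    $results += [pscustomobject]@{
        Check  = "Hardware NX/DEP enabled"
        Pass   = ($os.DataExecutionPrevention_Available -and $depPolicy -ne 0)
        Detail = "Available=$($os.DataExecutionPrevention_Available) Policy=$depPolicy"
    }

    # 2. Server Core. InstallationType reads "Server Core" on a Core install, "Server" on full.
    $installType = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").InstallationType
    $results += [pscustomobject]@{
        Check  = "Root partition runs Server Core"
        Pass   = ($installType -eq "Server Core")
        Detail = "InstallationType=$installType"
    }

    # 3. BitLocker on the OS volume of the root partition.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $results += [pscustomobject]@{
        Check  = "BitLocker protecting system volume"
        Pass   = ("$($osVol.ProtectionStatus)" -eq "On")
        Detail = "VolumeStatus=$($osVol.VolumeStatus) ProtectionStatus=$($osVol.ProtectionStatus)"
    }

    # 4. Dedicated NIC. Assumption: at least one physical adapter that is up and bound to no
    #    external virtual switch, and no external switch shared with the management OS.
    $external   = @(Get-VMSwitch -SwitchType External)
    $switched   = @($external | ForEach-Object { $_.NetAdapterInterfaceDescription })
    $dedicated  = @(Get-NetAdapter -Physical | Where-Object {
                      $_.Status -eq "Up" -and $switched -notcontains $_.InterfaceDescription })
    $sharedMgmt = @($external | Where-Object { $_.AllowManagementOS })
    $results += [pscustomobject]@{
        Check  = "Dedicated NIC for root partition"
        Pass   = ($dedicated.Count -ge 1 -and $sharedMgmt.Count -eq 0)
        Detail = "Unswitched physical NICs=$($dedicated.Count); switches shared with management OS=$($sharedMgmt.Count)"
    }

    return $results
}

Test-HyperVRootHardening | Format-Table -AutoSize
```

Each row carries the raw value it judged, so a failed check can be re-read against the environment rather than against the assumed threshold; NIC teaming or a converged-networking design will need the fourth check adjusted to its own idea of "dedicated".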
Authentication: Easy User Provisioning
Identity Lifecycle Manager 2007 provides a single view of a user's identity across heterogeneous enterprises and enables the automation of common tasks.
• Easy user provisioning reduces the high costs and risks associated with manual provisioning
• Simplify management of new security initiatives
• Reduce help desk costs for simple tasks like password resets
Microsoft® Identity Lifecycle Manager “2” can run on Hyper-V™ and enables you to manage identities across both virtual and physical environments.
(Diagram: Identity Synchronization between Active Directory, mainframe systems, the HR system and the email system, plus full certificate and smart card lifecycle management)