Using Virtualization to Improve Security

Jay JudkowitzProduct Manager, ESX Server

VMware, Inc.

This presentation may contain VMware confidential information.

Copyright © 2005 VMware, Inc. All rights reserved.All other marks and names mentioned herein may be trademarks

of their respective companies.

AgendaIntroductionVirtualization IntroductionGame Changing TechniquesApplication ExamplesQ & A

VMware and SecurityKey personnel with rich security backgrounds in secure operating systems and applicationsPapers and books attributed in security to VMware employeesFundamental research projects with leading universities to further enhance the possibilities of securityInternal processes including third-party source code audits, internal vulnerability assessment of code and recognized certifications (including Common Criteria by Q4 2005)Affiliations with various standards bodies to ensure we guide and adhere to industry set security standards

AgendaIntroductionVirtualization IntroductionSecurity Properties of VirtualizationApplication ExamplesQ & A

Security ChallengesMust deal with larger and larger numbers of systemsKeep up with regulatory and departmental policiesEnforcing system uniformity across all servers and desktops

Before Virtualization:Single OS image per machineSoftware and hardware tightly coupled Running multiple applications on same machine often creates conflictUnderutilized resourcesInflexible and costly infrastructure

After Virtualization:Break dependencies between OS and hardwareVirtual machines are hardware-independent: they can be provisioned anywhereManage OS and application as single unit by encapsulating them into virtual machines

Virtualization Basics

AgendaIntroductionVirtualization IntroductionGame Changing TechniquesApplication ExamplesQ & A

deflect.Don’t defend,

IsolationAttack MitigationPolicy EnforcementDefense-in-depth(cheaper)Encapsulation

Game Changing

IsolationDon’t make your problems mine

Virtual machine can be started/stopped/crashed without affecting other virtual machines and host systemPatches, configurations, and differing versions of software can be maintained throughout the networkImmediate virus containment

Abstraction from physical hardwareControl access to hardware, including writeable devices (such as floppies, USB, etc…)

IsolationKeep data, network, or memory separate and secure.Maintain isolated security testing groundHoneypotsIsolation of:

MemoryNetwork – virtual switches

AppApp

Exch angeExch ange DNSDNSExch angeExch ange

AppApp

Attack MitigationQuicker quarantine of system or entire network

Turn off virtual switches/routersExecute state change across multiple virtual machines at the same time (potentially entire network)

Failure of single virtual machine does not affect physical host or other virtual machines

Robust DoS, DDoS protection possible

Virtual Switch

Recover quicker from attacksBuild new production system from saved clone (with merged changes)Use ongoing snapshots (rollbacks) to automate recovery

Create forensics copy for later reviewMove production system back into service as quickly as possibleCreate forensics copy for technical or legal review

Attack Mitigation, cont.

Policy EnforcementDevelop template virtual machine

Replicate policies and configurationsEnforce security configurations (including DRM)Application specific templates (virtual machines for databases, for business applications, for security components, etc…)

OS + Apps Policies

&

Defense-in-depthEach virtual machine can contain security protection (application firewall/endpoint security)Firewall virtual machines (virtual firewalls) can be placed between virtual machines and/or subnetsDifferent security components/vendors can be quickly deployed

Production

ApacheApache

RH 7.3RH 7.3

AppApp

NT4NT4

DBDB

NT4NT4

ApacheApache

RH 7.3RH 7.3 Exch angeExch ange

NT4NT4

DNSDNS

RH 7.3RH 7.3

Exch angeExch ange

NT4NT4

Internet

Intranet

Firewall

Defense-in-Depth (Cheaper)

AgendaIntroductionVirtualization IntroductionGame Changing TechniquesApplication ExamplesQ & A

Monitor “health” of systems:Virus detectedvirtual machine isolated and crashesVirtual switch isolates virtual machine to prevent further damage

AppApp DBDB

Physical Server 1

Exch angeExch ange DNSDNSExch angeExch ange

LAN

AppApp DBDB

Exch angeExch ange DNSDNSExch angeExch ange

OK

OK OK OK

OK

BAD

Physical Server 2

OK OK

OK OK

Attack Example

AgendaIntroductionVirtualization IntroductionGame Changing TechniquesApplication ExamplesQ & A

Questions?

Jay Judkowitzjay@vmware.com