VMworld 2014/Separating Fact from Fiction - ESXi Hypervisor Security

From Omnia
Jump to navigation Jump to search

INF2336 - Separating Fact from Fiction - ESXi Hypervisor Security

"VMware ESXi has been developed from the ground up to run virtual machines in a secure manner. ESXi addresses the security concerns of the most demanding datacenter environments for enterprises and government organizations. Get a better understanding of exactly how!"

  • Yuecel Karabulut - Product Line Manager, vSphere Platform Security, VMware
  • Mike Foley - Sr. Technical Marketing Manager, VMware

Virtualization Security: Fact vs Fiction Foundational Platform Security Solutions Operation Security - Where the REAL threat is

"What are you most concerned about?"

  • concerned about internal threats (eg. malicious privileged VI admin)
  • VM escape scenarios (guest to host attack)

More likely: VM escape or operational security threats? Operational is.

  • Cost vs Probability aka "sexy" vs "boring"

VM Escape is really hard to do - why?

  • proven vm isolation and evolving architecture
  • secure software development life cycle
  • minimum attack surface
  • world class systems security engineers

Isolation is the name of the game

7 Layers of Isolation and Protection:

  • Instruction
  • Memory
  • Device
  • Network
  • Noisy neighbor
  • Storage
  • Memory

To control hardware and memory, you need ring 0. VMs do not have access to ring 0, just a virtualized ring 0. Only the ESX kernel has ring 0 access. Requests are received trapped and securely executed.

Networking - vSwitches are not routers. To route packets between vSwitches you need something else.

VLAN and Switch vulnerabilities? None of these:

  • MAC flooding
  • 802.1q and ISL tagging
  • double-encapsulation attacks
  • multicast brute-force attacks
  • spanning tree attacks
  • random frame attacks
  • VLAN Hopping - native VLAN not used

google Folly Mitnick - "he hacked me back in 19??, and I got to have lunch with him and talk to him about that"

Doable: Walk by and capture people's RFID codes

Operational Security - where the REAL threat is

Least Privilege needs to be widely adopted

Patching ESXi is a priority

Compromising the ESX isolation is dang hard. Compromising your admin is much easier.

Compromise the Admin, and get access to the infrastructure

Least Privilege - Role Based Access Control (RBAC) Security Policy Enforcement

Should move to a Workflow-based Security Policy Enforcement

  • VMware Orchestrator and vCAC for workflow functionality

I can't help you if you don't patch - if you have an uptime of 4 years as a badge of honor, leave now!

  • evacuate VMs
  • patch ESXi
  • move back

"Security guys: you put the 'no' in innovation"

Isolate your vCenter Servers and your ESX servers

  • Limit access to vcenter and ESXi with a dedicated Management Network

"Defense in depth" - no one barrier should be the only barrier

Retrieved from "https://aznot.com/index.php?title=VMworld_2014/Separating_Fact_from_Fiction_-_ESXi_Hypervisor_Security&oldid=839"