Benefits of Virtualization for IT Security

Post on 10-Jun-2015


Transcript of Benefits of Virtualization for IT Security

04/13/23 1

Benefits of Virtualization for IT Security

Clay Calvert
Director of IT Security
University of Mary Washington

Vocabulary

VM / Guest – Virtual Machine
Host – Physical machine
VMDK – Virtual Disk
VMX – Virtual Machine Config File

Recent Vendor Progress in Virtualization

Microsoft released Hyper-V

Steve Ballmer said "It's virtualization time for Microsoft. We're gonna make sure we democratize virtualization."

Apple (finally) allows virtualization of OS-X Leopard, but only the server version and only on Mac Hardware (of course).

Sun buys VirtualBox for i386 and will be virtualizing SPARC hardware using a customized Xen.

What is Virtualization?

Per Wikipedia: In computing, virtualization is a broad term that refers to the abstraction of computer resources.

Virtualization is more than emulation. Virtual machines have near ‘real-time’ access to many of the resources on the physical computer.

What is Virtualization? (Continued)

Virtualization from an application perspective is fairly easy. The hard part, for many, is the concepts behind a virtual machine.

In most cases, a VM can be treated the same as a physical computer.
How do you back up a virtual machine?
How do you monitor a VM?

How can a VM act like a real computer? Is it “Voodoo”?

VMware Bridge Protocol is a “layer 2” device. VMs can have completely different network protocols installed than the host. In fact, no layer three networking even needs to be on the host.

What is a Virtual Machine?

A virtual machine is primarily a folder containing small configuration files and large virtual disk files. These folders, just like regular directories, can be copied.

RAM is a value in a config file.

Optical drives are passed through from the physical host. ISO files can also be used.

Virtual Machine Files Example

Sample Virtual Machine Config File

config.version = "8"
virtualHW.version = "4"
memsize = "384"
ide1:0.present = "TRUE"
ide1:0.fileName = "auto detect"
ide1:0.deviceType = "cdrom-raw"
ide0:0.present = "TRUE"
ide0:0.fileName = "MAIN.vmdk"
ide0:1.present = "TRUE"
ide0:1.fileName = "IMAGES.vmdk"
ethernet0.present = "TRUE"

sanbarrow.com is a great site for .VMX file info
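Added example (not part of the original slides): because the whole machine is described by a text file, a copied VM can be audited before it is powered on. This Python sketch parses a .vmx like the sample above and reports memory, attached virtual disks and enabled NICs; the sample text is constructed from the slide's listing, the names parse_vmx and summarize are hypothetical, and lower-casing the keys is a choice of this example.

```python
import re

# Constructed sample, using the key names from the slide's .vmx listing.
SAMPLE_VMX = '''\
config.version = "8"
virtualHW.version = "4"
memsize = "384"
ide1:0.present = "TRUE"
ide1:0.fileName = "auto detect"
ide1:0.deviceType = "cdrom-raw"
ide0:0.present = "TRUE"
ide0:0.fileName = "MAIN.vmdk"
ide0:1.present = "TRUE"
ide0:1.fileName = "IMAGES.vmdk"
ethernet0.present = "TRUE"
'''

# One setting per line: key = "value". Comment and blank lines do not match.
LINE_RE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return {key: value}; keys are lower-cased (assumption of this example)."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def summarize(settings):
    """List memory, virtual disks and enabled NICs described by the config."""
    def enabled(dev):
        return settings.get(dev + ".present", "FALSE").upper() == "TRUE"

    # Device names are the part of each key before the last dot, e.g. "ide0:0".
    devices = sorted({k.rsplit(".", 1)[0] for k in settings if "." in k})
    disks = [settings[d + ".filename"] for d in devices
             if enabled(d)
             and settings.get(d + ".filename", "").lower().endswith(".vmdk")]
    nics = [d for d in devices if d.startswith("ethernet") and enabled(d)]
    return {"memory_mb": int(settings.get("memsize", "0")),
            "disks": disks, "nics": nics, "network_isolated": not nics}


if __name__ == "__main__":
    print(summarize(parse_vmx(SAMPLE_VMX)))
```

A result with network_isolated set to False means at least one virtual NIC is still enabled, so the copy is not yet sandboxed in the sense used on the malware-analysis slide.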

So, VMs can be copied, you say?

What about different physical hardware?
For the most part, the same virtual hardware is used.
VMs can be run from Windows, Linux and even Mac physical machines. Can you say “portable”?

Disaster Recovery / COOP
Have copies of VMs at alternate data center
Keep previous versions at the ready
Better yet, automatic data synchronization. $$$

What else can I do with a copied VM?

Part of IT security is separating production from development and testing.
CISSP Domain: Applications and System Development Security

Copies of production can be used for nearly bit-to-bit identical servers for testing.
Be careful not to have name conflicts on the network.
Rename VM server names or sandbox.

Cloning Physical Servers into VMs

VMware has a converter tool
Can clone Windows machines while they are running
Drivers, etc., can be automatically installed.

Can use Ghost and other imaging tools
VMware can mount Ghost and Acronis image files
Newer versions only

Production may run physically, but Dev and Test can be virtualized through cloning.

Benefits to Testing and Development

Cost of physical servers
Do we all have exact copies of production in our development and testing labs?
What about for each developer/team that needs a separate environment?

Testing migrations, e.g., Novell to AD

Build new servers in Dev., then copy to Prod.

Testing and Development Benefits, Cont.

Snapshots (One of the coolest features, ever!)
Original VMDKs become read-only
Disk changes are stored in a separate file
Reverting to previous state erases all changes

“Will this service pack break my application?”
How do you uninstall MDAC updates?

Non-Linear Snapshots


“Boss, I need 10 PCs so I can test out the web page with different browsers.”

This feature is not on all virtualization applications.

High Availability (More Voodoo)


Certain virtualization products can move running VMs from one physical server to another.
Usually require connecting to the same SAN
Newer software can copy between SANs

VMs shut down on one host can be powered up on another physical machine.

High Availability, cont.

Training / Playground

Anyone been to a SANS class?
One can do quite a bit of damage to a VM, and be able to revert it to the original state.

Multiple Operating Systems
Linux, Windows, Solaris, DOS, even Novell & more.
Can even run 64-bit VMs on 32-bit host OSes
Need 64-bit, VT-enabled CPU
Turn on hardware virtualization in BIOS

Forensics benefits with virtualization

Malware Analysis
“Sandbox” the VM, i.e., disable network
Take snapshots
Can use debuggers ‘externally’
Visual Studio and Eclipse, for example

Mount captured disk images as VMs
Conversely, how do you image a VM?
What about RAM imaging?

Keep multiple tools handy. Helix, Backtrack, etc.

Network Forensics

Fairly easy to capture traffic without needing software or an in-line sniffer. Capture from Host.

VMs can be set to revert to previous state on reboot.

VMs can be easily deployed. Small. Cheap.

Honeypots

Honeynets


How do you do honeynets?

Multiple virtual switches can be created

There is no built-in router or firewall, but small VMs, such as M0n0wall, work great

VMs can be assigned multiple NICs

Different NICs can be assigned to the virtual switches

VMware Virtual Network Editor


Custom Virtual Network Diagram


VMware’s and NSA’s NetTop


VMware’s NetTop, cont.

Laptop running trusted Linux
No TCP/IP installed at this level

One Linux VM is a packet filtering router
Other Linux VMs are IPSEC firewalls
Different security postures are allowed on the same physical computer.
Top Secret and Confidential living together… Oh, my!

If the NSA can trust virtualization…

Some Uses of Virtualization

Virtual machines allow for great flexibility in a wide range of topics

Call Centers / Help Desks
16-bit on 64-bit
Old software
No drivers
USB, etc., pass through
Screen shots/casts

Security
Testing
Documenting
Disaster Recovery
COOP
Development
Labs
Training
Multiple OSes

“Impossible” Screen Shot. TrueCrypt pre-boot password prompt.

Disadvantages of Virtualization

Did I mention that the whole computer is a set of files? Hmm, can you say physical security?

Shared resources can slow down other VMs.

One physical server outage can down several production ‘servers’.

Vulnerabilities in Host can compromise VMs

Management
Virtual Machine Sprawl
Where is it? What Host houses this VM?

Giving .EDUs a break

VMware Academic Program
Most software can be used free of charge for IT, computer science and engineering programs.
Discount for other software purchased.

VirtualBox
Commercial version can be used in academic institutions.
FYI, only decent freeware solution for Mac

Questions?

Comments?

ccalvert@umw.edu 540-286-8122