SANS What Works in Virtualization Security Summit 2008 - Iben...

Introduction – Slide 1

SANS What Works in Virtualization Security Summit 2008
Hilton Washington & Towers, Washington, DC
User Panel: Notes from the field – Public and Private Sector Success Stories
Friday, August 8, 11:00 am – 12:00 pm

Last Updated – 8 August 2008

Presentation Overview – Slide 2

http://usmilitary.about.com/od/glossarytermso/g/o4535.htm

What is Operational readiness? (DOD, NATO) The capability of a unit/formation, ship, weapon system or equipment to perform the missions or functions for which it is organized or designed. May be used in a general sense or to express a level or degree of readiness. See also combat readiness.

http://4basetech.com/casestudies/case_04.htm

Security - http://www.vmware.com/files/pdf/services/or_self_assessment.pdf

1. Does your normal Security staff understand virtual infrastructure and have they signed off on the platform (ESX Servers, SAN, VLANs)?
2. Does your staff know how to implement the Security policy, and how to react to virtual infrastructure security incidents?
3. Is VMware ESX Server integrated into your normal Security governance and procedures?
4. Does your security team treat VMware ESX Server as a Linux server?

https://www.sans.org/webcasts/show.php?webcastid=90653 SANS Special Webcast: "Hacking the Sun Tzu Way: Applying the great master's ideas to penetration testing and defending your systems"

http://www.elsevier.com/wps/find/bookdescription.cws_home/712202/description#description

THE ART OF WAR FOR SECURITY MANAGERS: 10 Steps to Enhancing Organizational Effectiveness
By Scott Watson, Principal Consultant and CEO of S.A. Watson & Associates LLC, Dover, NH, USA

Security managers and other leaders who wish to remain relevant and vital to the organizations they serve will keep asking and answering the fundamental questions.

1. What is really important to the organization?
2. How does my department support those priorities?
3. How do other departments support those priorities?
4. How do I personally support those priorities?
5. What are my personal priorities and do they match the overall goals of the organization I serve?

Description: The classic book The Art of War (or as it is sometimes translated, The Art of Strategy) by Sun Tzu is often used to illustrate principles that can apply to the management of business environments. The Art of War for Security Managers is the first book to apply the time-honored principles of Sun Tzu's theories of conflict to contemporary organizational security. Corporate leaders have a responsibility to make rational choices that maximize return on investment. The author posits that while conflict is inevitable, it need not be costly. The result is an efficient framework for understanding and dealing with conflict while minimizing costly protracted battles, focusing specifically on the crucial tasks a security manager must carry out in a 21st century organization.

Audience: Public and private Security Directors, Security Managers and Security Supervisors; Risk Managers, Risk Analysts and Facility Managers (with security responsibilities); Business Continuity Professionals and Emergency Management Professionals.

Contents:
Chapter 1: Introduction to The Art of War
Chapter 2: Be a Leader!
Chapter 3: Accepting the Inevitability of Conflict
Chapter 4: Know Yourself and Know Your Enemy
Chapter 5: Strategic Assessments
Chapter 6: Remember What is Really Important
Chapter 7: Engage the Enemy
Chapter 8: Maneuver Your Army
Chapter 9: Adapt to the Battlefield
Chapter 10: Avoid Predictability
Chapter 11: Collect Intelligence
Chapter 12: The Art of War & Homeland Security
Appendix: The Armory

Unisys Enterprise Virtualization Services – Unisys Virtualization Operational Readiness Assessment (VORA).
http://www.unisys.com/products/solutions__infrastructure/enterprise__virtualization__services.htm

CIA-DAD – Slide 3

Confidentiality

Confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems. For example, a credit card transaction on the Internet requires the credit card number to be transmitted from the buyer to the merchant and from the merchant to a transaction processing network. The system attempts to enforce confidentiality by encrypting the card number during transmission, by limiting the places where it might appear (in databases, log files, backups, printed receipts, and so on), and by restricting access to the places where it is stored. If an unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.

Breaches of confidentiality take many forms. Permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it could be a breach of confidentiality. If a laptop computer containing sensitive information about a company's employees is stolen or sold, it could result in a breach of confidentiality. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.

Integrity

In information security, integrity means that data cannot be modified without authorization. (This is not the same thing as referential integrity in databases.) Integrity is violated when an employee (accidentally or with malicious intent) deletes important data files, when a computer virus infects a computer, when an employee is able to modify his own salary in a payroll database, when an unauthorized user vandalizes a web site, when someone is able to cast a very large number of votes in an online poll, and so on.

Availability

For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly. High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades. Ensuring availability also involves preventing denial-of-service attacks.

The six principles of the Parkerian Hexad are:

* Confidentiality
* Integrity
* Availability
* Possession
* Authenticity
* Utility

The principles composing the Parkerian Hexad are non-overlapping; meaning that each principle is absolutely necessary to ensure that security is maintained. In addition, each principle may be violated independently of each other principle. However, the principles can be relationally linked to each of the three components of the traditional C-I-A model.

* Confidentiality: Limited observation and disclosure of knowledge. An example of an incident where confidentiality is compromised would be the early unauthorized release (leak) of information related to our latest marketing strategies – thereby allowing our competitors to prepare counter strategies.

* Integrity: Completeness, wholeness, and readability of information and quality of being unchanged from a previous state. A simple example of a loss of integrity would be an employee modifying the body text of an email so as to create a false record of events (i.e. to show that Jane Doe said something that she did not really say).

* Availability: Usability of information for a purpose. The explicit aim of a Denial-of-Service (DOS) attack is to compromise the availability of systems/data.

* Possession: Holding, controlling, and having the ability to use information. Possession is the ability to truly own and control information and how it is used. We normally think of this as unauthorized or unintentional copying of information. If, for example, an employee emails company information to a non-corporate email account, we no longer have sole possession. In extreme cases, a loss of possession could result in total loss of the information (e.g. loss/theft of backup tapes for which there is no other copy of the data). Notable examples of a loss of possession usually include the loss of laptop computers or PDA’s containing customer or employee data (e.g. SSNs, credit card numbers, personal health information, etc.).

* Authenticity: Validity, conformance, and genuineness of information. The quality of authenticity is readily understood. As the above definition suggests, it is the quality of being “the real deal.” When something does not possess authenticity, it is said to be fraudulent. Examples of a lack of authenticity include the reproduction of employee ID badges, calling into a help-desk and posing as another individual, and modifying records.

* Utility: Usefulness of information for a purpose. Utility simply means that we can use the data, system, or device in the manner for which it exists. For example, if a database, table, or other information is somehow altered in such a way as to remain accurate but unusable for its intended purpose, it has lost utility. Examples involve the use of encryption to “kidnap” data for ransom. This is accomplished via encrypting the data without the owner’s consent. In this, and similar cases, the victim maintains ownership of the data; and the data, technically, has integrity.

There is one exception to the general statement that these principles do not overlap; a breach of confidentiality will always result in a loss of sole possession. Once confidentiality is compromised, the organization is no longer fully in possession of the data because it is known by another party.

Understanding and communicating this new model for Information Security will likely result in greater depth and clarity within security related conversations.

______________________________

1. The “Parkerian Hexad” model was introduced by Donn B. Parker in his book Fighting Computer Crime (http://www.amazon.com/gp/product/0471163783/104-3218063-3795135).

Overview of Security Best Practices - Slide 4

Just a few to mention:
• CISSP - Certified Information Systems Security Practitioner
• CIA - Confidentiality, Integrity, Availability Triad
• ITIL - Information Technology Infrastructure Library
• COBIT - COSO: Enterprise Risk Management Framework
• International Organisation for Standardisation: ISO/IEC 27000
• Information Security Forum - The Standard of Good Practice
• IT Control Objectives for Sarbanes-Oxley
• Payment Card Industry Data Security Standard (PCI-DSS)
• ISF - Standard of Good Practice for Information Security

Slide 5

Is the CISSP out of date? Does it deal with old technology? By design it provides a 20,000-foot view.

http://en.wikipedia.org/wiki/AWACS

Used at a high altitude, the radars allow the operators to distinguish between friendly and hostile aircraft hundreds of miles away. Used for defensive and offensive air operations. The system is used offensively to direct fighters to their target locations, and defensively to counter attacks.

https://www.isc2.org/cgi-bin/content.cgi?category=97

http://en.wikipedia.org/wiki/CISSP#Certification_subject_matter

* Access Control
  o Categories and Controls
  o Control Threats and Measures
* Application Security
  o Software Based Controls
  o Software Development Lifecycle and Principles
* Business Continuity and Disaster Recovery Planning
  o Response and Recovery Plans
  o Restoration Activities
* Cryptography
  o Basic Concepts and Algorithms
  o Signatures and Certification
  o Cryptanalysis
* Information Security and Risk Management
  o Policies, Standards, Guidelines and Procedures
  o Risk Management Tools and Practices
  o Planning and Organization
* Legal, Regulations, Compliance and Investigations
  o Major Legal Systems
  o Common and Civil Law
  o Regulations, Laws and Information Security
* Operations Security
  o Media, Backups and Change Control Management
  o Controls Categories
* Physical (Environmental) Security
  o Layered Physical Defense and Entry Points
  o Site Location Principles
* Security Architecture and Design
  o Principles and Benefits
  o Trusted Systems and Computing Base
  o System and Enterprise Architecture
* Telecommunications and Network Security
  o Network Security Concepts and Risks
  o Business Goals and Network Security

Slide 6 - COBIT

http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/COBIT6/Obtain_COBIT/Obtain_COBIT.htm

ISACA Overview and History

ISACA got its start in 1967, when a small group of individuals with similar jobs—auditing controls in the computer systems that were becoming increasingly critical to the operations of their organizations—sat down to discuss the need for a centralized source of information and guidance in the field. In 1969, the group formalized, incorporating as the EDP Auditors Association. In 1976 the association formed an education foundation to undertake large-scale research efforts to expand the knowledge and value of the IT governance and control field.

Today, ISACA’s membership—more than 75,000 strong worldwide—is characterized by its diversity. Members live and work in more than 160 countries and cover a variety of professional IT-related positions—to name just a few, IS auditor, consultant, educator, IS security professional, regulator, chief information officer and internal auditor. Some are new to the field, others are at middle management levels and still others are in the most senior ranks. They work in nearly all industry categories, including financial and banking, public accounting, government and the public sector, utilities and manufacturing. This diversity enables members to learn from each other, and exchange widely divergent viewpoints on a variety of professional topics. It has long been considered one of ISACA’s strengths. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.

ISACA recognized a shift in emphasis in 1998, and formed the IT Governance Institute (ITGI) to focus on original research, publications, resources and symposia on IT governance and related topics.

For COBIT update 4.1, six of the major global IT-related standards, frameworks and practices were focused on as the major supporting references to ensure appropriate coverage, consistency and alignment. These are:

• COSO: Internal Control—Integrated Framework, 1994; Enterprise Risk Management—Integrated Framework, 2004

• Office of Government Commerce (OGC®): IT Infrastructure Library® (ITIL®), 1999-2004

• International Organisation for Standardisation: ISO/IEC 27000

• Software Engineering Institute (SEI®): SEI Capability Maturity Model (CMM®), 1993; SEI Capability Maturity Model Integration (CMMI®), 2000

• Project Management Institute (PMI®): A Guide to the Project Management Body of Knowledge (PMBOK®), 2004

• Information Security Forum (ISF): The Standard of Good Practice for Information Security, 2003

Additional references used in the development of COBIT 4.1 include:
• IT Control Objectives for Sarbanes-Oxley: The Role of IT in the Design and Implementation of Internal Control Over Financial Reporting, 2nd Edition, IT Governance Institute, USA, 2006
• CISA Review Manual, ISACA, 2006

Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT’s good practices represent the consensus of experts. They are strongly focused more on control, less on execution. These practices will help optimise IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong. IT good practices have become significant due to a number of factors:

• Business managers and boards demanding a better return from IT investments, i.e., that IT delivers what the business needs to enhance stakeholder value
• Concern over the generally increasing level of IT expenditure
• The need to meet regulatory requirements for IT controls in areas such as privacy and financial reporting (e.g., the US Sarbanes-Oxley Act, Basel II) and in specific sectors such as finance, pharmaceutical and healthcare
• The selection of service providers and the management of service outsourcing and acquisition
• Increasingly complex IT-related risks, such as network security
• IT governance initiatives that include adoption of control frameworks and good practices to help monitor and improve critical IT activities to increase business value and reduce business risk
• The need to optimise costs by following, where possible, standardised, rather than specially developed, approaches
• The growing maturity and consequent acceptance of well-regarded frameworks, such as COBIT, IT Infrastructure Library (ITIL), ISO 27000 series on information security-related standards, ISO 9001:2000 Quality Management Systems—Requirements, Capability Maturity Model® Integration (CMMI), Projects in Controlled Environments 2 (PRINCE2) and A Guide to the Project Management Body of Knowledge (PMBOK)
• The need for enterprises to assess how they are performing against generally accepted standards and their peers (benchmarking)

• Plan and Organise (PO)—Provides direction to solution delivery (AI) and service delivery (DS)
• Acquire and Implement (AI)—Provides the solutions and passes them to be turned into services
• Deliver and Support (DS)—Receives the solutions and makes them usable for end users
• Monitor and Evaluate (ME)—Monitors all processes to ensure that the direction provided is followed

PLAN AND ORGANISE (PO)
This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. A proper organisation as well as technological infrastructure should be put in place. This domain typically addresses the following management questions:
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organisation understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?

ACQUIRE AND IMPLEMENT (AI)
To realise the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives. This domain typically addresses the following management questions:
• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to be delivered on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?

DELIVER AND SUPPORT (DS)
This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It typically addresses the following management questions:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimised?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate confidentiality, integrity and availability in place for information security?

MONITOR AND EVALUATE (ME)
All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance. It typically addresses the following management questions:
• Is IT’s performance measured to detect problems before it is too late?
• Does management ensure that internal controls are effective and efficient?
• Can IT performance be linked back to business goals?
• Are adequate confidentiality, integrity and availability controls in place for information security?

Slide 7 CobiT Version 4.1 is 197 pages long!


Slide 8

Payment Card Industry Data Security Standard version 1.1
PCI Security Standards Council

The PCI DSS version 1.1 is a set of comprehensive requirements for enhancing payment account data security.
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Slide 9 – 3 Examples – Secure Virtualization Solutions

Solution 1 - Backups: Production Applications run on Virtual Machines hosted on Production ESX Servers, backed up to disk, replicated over WAN in real time to remote site, restored to test ESX Servers.

Solution 2 - Software Updates: Automated, reliable, safe, operating system patching and application updates, bug fixes, security patches.

Solution 3 - VDI: Contain sensitive data within centralized Virtual Desktops for local and remote workers. Provide secure and seamless access.

Quote: Benjamin Franklin – “He that is secure is not safe”

Never let down your guard and feel you are “secure”.

Slide 10 – Solution 1

Virtual Machine Guests on ESX to local Disk to remote Disk and recovered on ESX

• VMware Consolidated Backups (VCB) of ESX machines to deduplicated disk, replicate off site, restore from backup, test.
• Faster, cheaper, more reliable than tape.
• Real world testing of recovery actually possible.
• Procedures developed on site and validated remotely.
• Third party service provider is used to ensure procedures result in the desired functionality at the off-site location.
• All activity under RBAC via a distributed yet centrally managed MSAD authentication system.
• All activity (copy, read, write, etc.) logged centrally.
• Exceptions are reviewed and alerted on so procedures or systems can be modified.

RBAC – Role Based Access Control
Deduplicated Disk – www.datadomain.com model 565 Appliance
3rd Party – www.simplycontinuous.com
MSAD – Microsoft Active Directory – LDAP
Loghost – Syslog-NG – www.groundworkopensource.com
VCB – VMware Consolidated Backup
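A review pass over the centrally logged backup, replication and restore activity that Solution 1 describes, as an added example that is not part of the presentation: it parses constructed syslog-style lines, checks each action against an assumed RBAC policy, flags failed actions and restores landing anywhere but the test ESX servers, and reports backup jobs that were never replicated off site or never restore-tested. The log line layout, role names, user names and host names are all assumptions.

```python
"""Review of centrally logged backup, replication and restore activity.
Hypothetical: the log layout, roles, users and host names below are assumed."""
import re
from collections import defaultdict

# Assumed line layout (constructed, loosely what a syslog-ng loghost would collect):
# <timestamp> <host> backupsvc: user=<u> role=<r> action=<a> job=<id> result=<ok|fail> target=<host>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) backupsvc: user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) job=(?P<job>\S+) result=(?P<result>ok|fail) target=(?P<target>\S+)$"
)

# Assumed RBAC policy: the actions each role may perform.
ROLE_ACTIONS = {
    "backup-operator": {"backup", "replicate"},
    "dr-tester": {"restore", "verify"},
    "auditor": {"read"},
}

# Restores are only acceptable onto the test ESX servers (assumed host names).
RESTORE_TARGETS = {"esx-test-01", "esx-test-02"}


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not fit the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review(lines):
    """Return (exceptions, jobs): exceptions is a list of (reason, detail) pairs for a
    human to review; jobs maps job id -> set of actions that completed successfully."""
    exceptions = []
    jobs = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None:  # anything the parser does not understand is reviewed, not dropped
            exceptions.append(("unparseable", line))
            continue
        if ev["action"] not in ROLE_ACTIONS.get(ev["role"], set()):
            exceptions.append(("rbac-violation", line))
        if ev["result"] == "fail":
            exceptions.append(("failed-action", line))
        if ev["action"] == "restore" and ev["target"] not in RESTORE_TARGETS:
            exceptions.append(("restore-outside-test", line))
        if ev["result"] == "ok":
            jobs[ev["job"]].add(ev["action"])
    # A backup that never reached the remote site, or was never restore-tested, is an exception too.
    for job, actions in sorted(jobs.items()):
        if "backup" in actions and "replicate" not in actions:
            exceptions.append(("not-replicated", job))
        if "backup" in actions and "restore" not in actions:
            exceptions.append(("not-restore-tested", job))
    return exceptions, dict(jobs)


# Constructed sample: one healthy job, one failed replication, one out-of-role restore
# onto a production host, and one line the collector could not format.
SAMPLE_LOG = [
    "2008-08-07T01:00:03 vcb01 backupsvc: user=bkp-svc role=backup-operator action=backup job=J100 result=ok target=dd565-local",
    "2008-08-07T01:20:11 dd565-local backupsvc: user=bkp-svc role=backup-operator action=replicate job=J100 result=ok target=dd565-remote",
    "2008-08-07T02:00:45 esx-test-01 backupsvc: user=jdoe role=dr-tester action=restore job=J100 result=ok target=esx-test-01",
    "2008-08-07T01:00:05 vcb01 backupsvc: user=bkp-svc role=backup-operator action=backup job=J101 result=ok target=dd565-local",
    "2008-08-07T01:25:19 dd565-local backupsvc: user=bkp-svc role=backup-operator action=replicate job=J101 result=fail target=dd565-remote",
    "2008-08-07T03:10:00 esx-prod-02 backupsvc: user=asmith role=auditor action=restore job=J100 result=ok target=esx-prod-02",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found, seen = review(SAMPLE_LOG)
    for reason, detail in found:
        print(f"{reason:22} {detail}")
    print("jobs:", seen)
```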

Slide 11 – Many Stolen and Lost Tapes

You get an idea of the risk of data loss from tape backups by going to http://www.datalossdb.com and seeing how many incidents there are of stolen and “lost” tapes from sensitive backups. As a reference there are links to newspapers and company web sites.

Slide 12 – E2D2D2E

DD565 Hardware: 3U 19-inch, four-post, rack-mount enclosure, hot-plug disks, redundant fans, N+1 power supplies, 2 copper 10/100/1000 Ethernet ports (optional dual add-on GB Ethernet, copper or fiber), serial port, optional PCIe NICs

• NFS v3 over TCP, CIFS, NDMP v2 and FC VTL supported connectivity protocols
• 2 x 2.0GHz Dual Core w/16GB Memory
• Physical Capacity Raw – 15 x 500GB (3Gbs) hot plug disk drives, 7.8TB
• Addressable Capacity (Useable) – 5.4TB
• Virtual Capacity – up to 100TB per shelf
• Throughput Maximum – up to 630GB/Hr, up to 170Mb/s
• Storage expansion (ability to grow to 47 drives or 2 additional shelves)
• Increased capabilities; identical price points
• DD565 – System DD565, base unit NFS, CIFS (ROHS)
• S-INSTALL-500 – DD565 installation and configuration
• S-GOLD-565 – Gold support 1 yr
• Improved storage resiliency: hot spare + RAID 6, hot plug drives, snapshots


Slide 13 – Solution 2 – Software Updates

Use Update Manager to audit and remediate patches:
- Update Manager automates enforcement of patch standards.
- Infrastructure-based scan of all virtual machine guests (Windows and Linux) and ESX Server (and ESXi) hosts.
- Patches both operating systems and applications.
- An optional pre-change snapshot is taken automatically and kept for a few days in case a roll-back is needed.
- Offline machines are powered on with the NIC disabled for patching.
- Easy creation of a test environment facilitates testing of major updates: clone the production environment with no downtime.
- Eliminates manual tracking of patch levels of ESX Server hosts and virtual machines. Alerts are triggered for unpatched hosts.
- To reduce risk, use both the snapshot and the offline patching options.

What is VMware Update Manager?

It is an automated patch management solution for VMware ESX hosts as well as Microsoft and Linux virtual machines. Two main benefits compared to traditional patching solutions:
1. Patching of offline or suspended machines is done securely. Non-compliant machines are patched in a quarantined state so that the rest of the network is not exposed to them.
2. It can patch and update ESX Server and ESXi hosts as well as VM guests.

MORE DETAIL FOR INTERESTED CUSTOMERS:

VMware Update Manager is used to enforce compliance to patch standards in four steps:
1. Getting information on the latest patches: VMware Update Manager automatically gathers the latest patch data from VMware as well as application vendors such as Microsoft, Adobe and Mozilla via the Internet.
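The scan, alert and remediate cycle described on this slide, as an added example that is not VMware code and not the presenter's: a compliance scan of a small constructed inventory against an assumed baseline, the resulting alert list, and a per-machine remediation plan that applies the two risk reducers named above (a pre-change snapshot kept for a few days, and patching an offline VM with its NIC disconnected). Patch identifiers, host names and step names are constructed; the host steps are an assumption, not Update Manager's documented sequence.

```python
"""Patch-compliance scan and remediation plan modelled on the Update Manager
workflow described on this slide.

Added example, not VMware code and not the presenter's. The inventory, the
patch identifiers and the step names are constructed for illustration; a real
scan would take them from Update Manager's patch repository and from
VirtualCenter's inventory.
"""
from dataclasses import dataclass, field


@dataclass
class Machine:
    name: str
    kind: str                  # "vm" or "host"
    os: str                    # key into BASELINE
    powered_on: bool
    installed: set = field(default_factory=set)


# Assumed baseline: patches every machine of a given OS must carry.
BASELINE = {
    "windows": {"WIN-2008-06-A", "WIN-2008-07-B"},
    "linux": {"LNX-2008-07-A"},
    "esx": {"ESX350-200807-A", "ESX350-200807-B"},
}

# Constructed inventory: one of each situation the slide describes.
INVENTORY = [
    Machine("esx-prod-01", "host", "esx", True, {"ESX350-200807-A", "ESX350-200807-B"}),
    Machine("esx-prod-02", "host", "esx", True, {"ESX350-200807-A"}),
    Machine("erp-app-01", "vm", "windows", True, {"WIN-2008-06-A"}),
    Machine("erp-db-01", "vm", "windows", False, set()),          # offline VM
    Machine("build-01", "vm", "linux", True, {"LNX-2008-07-A"}),
]


def scan(inventory, baseline=BASELINE):
    """Map each machine name to the sorted list of baseline patches it lacks."""
    return {m.name: sorted(baseline[m.os] - m.installed) for m in inventory}


def alerts(scan_result):
    """Names of machines that are out of compliance (the slide's alert list)."""
    return sorted(name for name, missing in scan_result.items() if missing)


def plan_remediation(machine, missing, snapshot_days=3):
    """Ordered steps to bring one machine into compliance.

    Both risk reducers from the slide are applied to VMs: a snapshot kept for
    a few days, and, for an offline VM, patching with the NIC disconnected so
    a non-compliant guest never touches the network before it is patched.
    """
    if not missing:
        return []
    patch = f"apply {', '.join(missing)}"
    if machine.kind == "host":
        # Host steps are assumed for the example; no snapshot exists for a host.
        return [patch, "reboot host", "rescan"]
    steps = [f"snapshot (retain {snapshot_days} days)"]
    if not machine.powered_on:
        steps += ["disconnect NIC", "power on quarantined", patch,
                  "power off", "reconnect NIC"]
    else:
        steps += [patch, "reboot if required"]
    return steps + ["rescan"]


if __name__ == "__main__":
    result = scan(INVENTORY)
    print("non-compliant:", alerts(result))
    for m in INVENTORY:
        for step in plan_remediation(m, result[m.name]):
            print(f"{m.name}: {step}")
```

The NIC is reconnected only after the patched VM is powered off again, so the guest's first boot on the network is a compliant one; the snapshot comes before any change so the roll-back the slide mentions is available for every path.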


Slide 14 – Solution 3 – VDI

http://www.virtualization-symposia2008.com/files/File/vmware_virtualization_symposia_estonia_vdi_thuber.ppt

The difference between persistent and non-persistent pools: a persistent pool directs the authorized user to the same VM every session, whereas a non-persistent pool hands out the next available machine in the pool. Persistent pools cannot be configured to delete virtual machines on log-off.

 http://www.scriptlogic.com/whitepapers/Virtualizing-the-Desktop-with-ScriptLogic-Desktop-Authority.pdf

Enforcing Security

The last aspect of establishing the virtual desktop takes the last two covered and applies them to security. Providing a mechanism to lock down policies, patches, protection from malware, etc. all cannot simply be done across the board; each environment (physical, virtual and terminal) has its own needs and requirements. For example, you would not initiate patching while connected to a Citrix session. Nor would you give internal users running a physical desktop the same restrictions as contractors using a VMware-based guest OS running on the contractor's laptop when outside the building. So to bring this around full circle, you need to be able to a) comprehensively deploy security-related settings, but b) be able to easily differentiate between users logged on in a physical, virtual or terminal environment.

http://www.scriptlogic.com/news/pressrelease.aspx?id=670

Validation Logic enhancements in Desktop Authority 7.6 now provide for improved control of desktops running in a VMware-based virtual environment by detecting whether a desktop is running on a physical or a VMware virtual machine and applying the appropriate configuration. Many enterprises are investigating the cost efficiencies and security enhancements created by virtual desktops, either by running Windows inside a virtual machine on each desktop, or by hosting multiple virtual machines within a single server and remotely displaying each desktop on a thin client – a platform referred to by VMware as Virtual Desktop Infrastructure (VDI). This practice places each Windows desktop session in a secure "virtual sandbox," and also allows for easy disaster recovery. At the same time, it presents new management challenges.

 With enhancements to Desktop Authority 7.6, IT administrators can apply different settings to Windows sessions according to whether they are running in a physical or virtual environment. With one centralized, consistent policy across all desktops and physical/virtual systems, management costs are lower, migrations are faster, and users can freely move between workstations without consideration for the underlying operating environment.


Slide 15 – VDI (continued)

http://www.ahis.ca/presentations/2007/Virtual_Desktop.ppt

Single Click Subscription: A user can subscribe to a LivePC by clicking on (i) a URL in our LivePC library, (ii) a URL that he receives in an email, or (iii) a LivePC URL on any other web page. Subscription adds the LivePC to the list of LivePCs in the user's MokaFive Player and schedules the LivePC for download.

Streaming Fetch: A few minutes after a user subscribes to a LivePC, he can start using it even though not all of it has been downloaded; the bits required to run the LivePC are fetched by the MokaFive Player on demand.

Predictive Fetch: In the background, the MokaFive Player also predictively fetches bits that are likely to be used in the near future, to improve future performance for the user.

Caching: After fetching the LivePC bits once, they are cached on the local disk so that future runs of the LivePC do not need to download the LivePC again. The MokaFive Player does automatic cache management and evicts LivePC bits that are not in use anymore. A user can specify a LivePC to be cached for offline use so that its bits are never evicted.

User Data Separation and Storage: The state of a LivePC is divided into system state and user state. System state typically consists of the operating system and all the software installed in the LivePC. The user state consists of the data that is generated by the user (e.g., Office documents). User data in a LivePC can be stored in one of the following ways:

User Disks


Slide 16 – Conclusion

Here are two interesting blog posts regarding the CIS security hardening paper:
- http://cio.com/article/422513/CISecurity_Guide_to_VMware_Security_Falls_Far_Short explains its shortcomings
- http://rationalsecurity.typepad.com/blog/2008/07/on-the-utility.html is a counterpoint illustrating that security is a journey, not a destination

- Role Based Access Control: create roles by job function.
- Resource pools mapped to separation of duties and least privilege.
- All access and changes logged to a central server.
- Space: 200 1U servers in 5 racks consolidated onto 10 blades; 5 racks, 5 PDUs and 10 switches down to 1 rack, 1 PDU and 2 switches.
- Data centralized in a tightly controlled SAN, not scattered loose across servers. A SAN is more reliable and secure than local disk; typically a SAN has call-home and alerting for drive removals.
- Simple to integrate with an ITIL-based service desk.
- Virtual firewall and IDS/IPS appliances are more cost effective to deploy than their physical counterparts, making it more likely that you will start to monitor that deeply into the network.

Defined Privileges – Roles

Source: VI3_35_25_admin_guide.pdf (Basic System Administration), VMware, Inc., Appendix A, pages 327 to 349: 22 pages long, 22 sections, hundreds of elements.

"The following tables list the default privileges that, when selected for a role, can be paired with a user and assigned to an object. The following tables use VC to indicate VirtualCenter Server and HC to indicate host client, a standalone ESX Server."
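The role model the admin guide describes (a role is a set of privileges; a permission pairs a role with a user or group and is assigned to an object; it propagates down the inventory unless a permission closer to the object overrides it), as an added example that is not VMware code and not the presenter's. It builds roles by job function, maps resource pools to separation of duties as the conclusion recommends, and adds a least-privilege check that reports what a principal can do on an object beyond what the job needs. The inventory, users, groups and role definitions are constructed, and the privilege names are illustrative rather than copied from the guide's tables.

```python
"""Effective privileges from roles assigned on the VirtualCenter inventory.

Added example, not VMware code: a small model of the permission system the
admin guide's Appendix A documents (a role is a set of privileges; a
permission pairs a role with a user or group and assigns it to an object;
it propagates down the tree unless a closer permission overrides it). The
inventory, users, groups and role definitions are constructed; the privilege
names are illustrative, not copied from the guide's tables.
"""

# Constructed inventory: child object -> parent object (None at the root).
PARENT = {
    "dc-east": None,
    "rp-finance": "dc-east",
    "rp-dev": "dc-east",
    "vm-erp-db-01": "rp-finance",
    "vm-build-01": "rp-dev",
}

# Roles built by job function: each is just a set of privileges.
ROLES = {
    "Read-Only": {"System.View"},
    "VM Operator": {"System.View", "VirtualMachine.Interact.PowerOn",
                    "VirtualMachine.Interact.PowerOff",
                    "VirtualMachine.Interact.ConsoleInteract"},
    "Backup Operator": {"System.View", "VirtualMachine.State.CreateSnapshot",
                        "VirtualMachine.State.RemoveSnapshot",
                        "VirtualMachine.Provisioning.DiskRandomAccess"},
}
ALL_PRIVILEGES = set().union(*ROLES.values()) | {"Global.Settings", "Permission.Modify"}
ROLES["Administrator"] = ALL_PRIVILEGES

# Assumed AD group membership (a real deployment reads this from MSAD).
GROUPS = {"CORP\\iben": {"CORP\\esxadmins"}}

# Permissions: (principal, role, object, propagate). Separation of duties:
# backup staff get snapshot rights on the finance pool only; the contractor
# can operate dev VMs but is read-only on the one build box.
PERMISSIONS = [
    ("CORP\\esxadmins", "Administrator", "dc-east", True),
    ("CORP\\rjones", "Backup Operator", "rp-finance", True),
    ("CORP\\contractor1", "VM Operator", "rp-dev", True),
    ("CORP\\contractor1", "Read-Only", "vm-build-01", True),
]


def principals(user):
    """The user plus every group the user belongs to."""
    return {user} | GROUPS.get(user, set())


def effective_privileges(user, obj):
    """Walk from obj to the root. The nearest object holding a permission for
    the user or one of the user's groups decides; permissions further up
    count only if they propagate."""
    node, direct = obj, True
    subjects = principals(user)
    while node is not None:
        roles = {role for p, role, o, prop in PERMISSIONS
                 if o == node and p in subjects and (direct or prop)}
        if roles:
            return set().union(*(ROLES[r] for r in roles))
        node, direct = PARENT[node], False
    return set()


def can(user, privilege, obj):
    return privilege in effective_privileges(user, obj)


def excess_privileges(user, obj, needed):
    """Least-privilege check: what the user can do on obj beyond `needed`."""
    return effective_privileges(user, obj) - set(needed)


if __name__ == "__main__":
    print(sorted(effective_privileges("CORP\\rjones", "vm-erp-db-01")))
    print(sorted(excess_privileges("CORP\\contractor1", "rp-dev",
                                   {"VirtualMachine.Interact.PowerOn"})))
```

The backup operator can snapshot the finance database VM but cannot power it on or off, and has nothing at all in the dev pool; the contractor's read-only permission on the build VM overrides the operator role inherited from the pool above it. The excess check is the one to run per role before sign-off: anything it returns is privilege the job function did not ask for.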
