Securitatea virtualizarii

Post on 24-May-2015

1,074 views 4 download

Preview:

Click to see full reader
Report this document
SHARE

description

Prezentarea exploreaza atat modalitati prin care putem securiza mediile virtualizate, cat si moduri prin care putem folosi virtualizarea pentru a spori securitatea infrastructurii IT existente, de la crearea de ”honeypots” sau ”application sandboxing”, pana la izolarea rolurilor pe servere.

transcript

despre mine

Tudor DamianIT Solutions Specialist

tudy

despre webcast

virtualizarea ca instrument și țintăîn securitatea sistemelor informatice

o scurtă istorie

un SO, un user, o aplicație

un SO, un user, mai multe aplicații

un SO, mai mulți useri, mai multe aplicații

mai multe SO, mai mulți useri, mai multe aplicații

”granițe” artificiale în securitate

securitatea nu poate fi impusă întotdeauna doar prin elemente fizice

separarea privilegiilor utilizatorilor la nivel de aplicație

separarea privilegiilor la nivel de SO prin intermediul kernel-ului

separarea SO prin intermediul separării fizice a hardware-ului

separarea la nivel de rețea prin intermediul unui firewall

ce este virtualizarea?

proces prin care o entitate fizică e făcută să se comporte ca mai multe

entități logice independente

ce se poate virtualiza?

platforme

resurse

aplicații

desktop

mituri de securitate

”dacă îmi protejez mașina gazdă, și mașinile virtuale vor fi protejate”

”fișierele .VHD/.VMDK sunt implicit sigure”

”dacă expun o mașină virtuală, trebuie să-mi expun toate mașinile

virtuale, și mașina gazdă”

”toate mașinile virtuale se <<văd>> între ele”

tipuri de atacuri

jailbreak attacks (escapes)

migration attacks

virtual/physical network service attacks

encryption attacks

exemple de atacuri raportate

feb 2007, apr 2009

VMware / ESX

VMware Workstation escape attack

oct 2007, Secunia

open-source Xen hypervisor

obținere de privilegii neautorizate

2007

Microsoft Virtual PC & Microsoft Virtual Server

vulnerabilitate care permitea unui guest săruleze cod pe host sau pe alt guest

câteva link-uri...

http://searchsecurity.bitpipe.com/detail/RES/1213273947_134.html

http://www.foolmoon.net/cgi-bin/blog/index.cgi?mode=viewone&blog=1185593255

http://www.securityfocus.com/bid/29183/info

http://secunia.com/advisories/29129/

http://seclists.org/fulldisclosure/2007/Sep/0355.html

http://lists.vmware.com/pipermail/security-announce/2009/000055.html

http://www.immunityinc.com/documentation/cloudburst-vista.html

http://taviso.decsystem.org/virtsec.pdf

http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf

http://www.stanford.edu/~talg/papers/HOTOS05/virtual-harder-hotos05.pdf

http://searchsecurity.bitpipe.com/detail/RES/1213273947_134.html
http://searchsecurity.bitpipe.com/detail/RES/1213273947_134.html
http://searchsecurity.bitpipe.com/detail/RES/1213273947_134.html
http://www.foolmoon.net/cgi-bin/blog/index.cgi?mode=viewone&blog=1185593255
http://www.foolmoon.net/cgi-bin/blog/index.cgi?mode=viewone&blog=1185593255
http://www.foolmoon.net/cgi-bin/blog/index.cgi?mode=viewone&blog=1185593255
http://www.foolmoon.net/cgi-bin/blog/index.cgi?mode=viewone&blog=1185593255
http://www.foolmoon.net/cgi-bin/blog/index.cgi?mode=viewone&blog=1185593255
http://www.securityfocus.com/bid/29183/info
http://www.securityfocus.com/bid/29183/info
http://www.securityfocus.com/bid/29183/info
http://secunia.com/advisories/29129/
http://seclists.org/fulldisclosure/2007/Sep/0355.html
http://seclists.org/fulldisclosure/2007/Sep/0355.html
http://seclists.org/fulldisclosure/2007/Sep/0355.html
http://lists.vmware.com/pipermail/security-announce/2009/000055.html
http://lists.vmware.com/pipermail/security-announce/2009/000055.html
http://lists.vmware.com/pipermail/security-announce/2009/000055.html
http://lists.vmware.com/pipermail/security-announce/2009/000055.html
http://lists.vmware.com/pipermail/security-announce/2009/000055.html
http://www.immunityinc.com/documentation/cloudburst-vista.html
http://www.immunityinc.com/documentation/cloudburst-vista.html
http://www.immunityinc.com/documentation/cloudburst-vista.html
http://www.immunityinc.com/documentation/cloudburst-vista.html
http://www.immunityinc.com/documentation/cloudburst-vista.html
http://taviso.decsystem.org/virtsec.pdf
http://taviso.decsystem.org/virtsec.pdf
http://taviso.decsystem.org/virtsec.pdf
http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf
http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf
http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf
http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf
http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf
http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf
http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf
http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf
http://www.eecs.umich.edu/techreports/cse/2007/CSE-TR-539-07.pdf
http://www.stanford.edu/~talg/papers/HOTOS05/virtual-harder-hotos05.pdf
http://www.stanford.edu/~talg/papers/HOTOS05/virtual-harder-hotos05.pdf
http://www.stanford.edu/~talg/papers/HOTOS05/virtual-harder-hotos05.pdf
http://www.stanford.edu/~talg/papers/HOTOS05/virtual-harder-hotos05.pdf
http://www.stanford.edu/~talg/papers/HOTOS05/virtual-harder-hotos05.pdf
http://www.stanford.edu/~talg/papers/HOTOS05/virtual-harder-hotos05.pdf
http://www.stanford.edu/~talg/papers/HOTOS05/virtual-harder-hotos05.pdf

soluții de securitate bazate pe virtualizare

sandboxing

http://en.wikipedia.org/wiki/Sandbox_(computer_security)

http://en.wikipedia.org/wiki/Sandbox_(computer_security)
http://en.wikipedia.org/wiki/Sandbox_(computer_security)
http://en.wikipedia.org/wiki/Sandbox_(computer_security)

high availability

disaster recovery

forensic analysis

honeypots / honeynets

http://en.wikipedia.org/wiki/Honeypot_(computing)

http://en.wikipedia.org/wiki/Honeypot_(computing)
http://en.wikipedia.org/wiki/Honeypot_(computing)

soluțiile de virtualizare sunt într-o continuă evoluție

exemplu concret:Hyper-V R2 și SCVMM R2

Hyper-V Server 2008 R2 vs. Windows Server 2008 R2

CapabilitiesMicrosoft

Hyper-V Server 2008 Microsoft

Hyper-V Server 2008 R2

Windows Server 2008 R2 EE, DC

(Hyper-V)

Number of Logicalprocessors supported

24 64 64

Number of Sockets (Licensing)

Up to 4 Up to 8 Up to 8 = EE | Up to 64 = DC

Memory Up to 32 GB Up to 1 TB Up to 1TB

VM Migration None Quick and Live migration Quick and Live Migration

Number of VM’s per node in a cluster

Not applicable 32 (server workloads)64 (VDI workloads)

32 (server workloads)64 (VDI workloads)

Virtualization Rights for Windows Server 2008

guests0 0

EE = 4 VMDC = unlimited VM’s

Number of running VMGuests

Up to 192, or as many as physical resources allow

Up to 384 or as many as physical resources allow

Up to 384, or as many as physical resources allow

Windows Server 2008 CALs Required for Guest Server

OSNo No Yes

Guest OS supportWindows Server 2008 R2, Windows Server 2008 & SP2, Windows Server 2003 SP2, Windows 2000 Server, SLES

10, SLES 11, Red Hat Enterprise 5.2/5.3, Windows 7, Windows Vista SP1, SP2 & Windows XP SP3/SP2

odată cu R2, Hyper-V™ devine cu adevărat competitiv

Hyper-V R2 - scalabilitate în producție• Microsoft.com: ~50% Hyper-V (în creștere)

– ~1.2 miliarde de hit-uri pe lună

• MSDN/TechNet: 100% Hyper-V– ~1 milion de hit-uri pe zi, fiecare

• Connect, Codeplex, Social: 100% Hyper-V

• Microsoft IT (4 clustere, incluzând unul cu 16 noduri)

• Microsoft Global Foundation Services

– peste 1300 VM-uri pentru Windows Live games

tehnic, soluțiile de virtualizare existente sunt oarecum echivalente

diferența o fac instrumentele de administrare / management

System Center Virtual Machine Manager

http://www.microsoft.com/systemcenter/virtualmachinemanager/en/us/features.aspx

http://www.microsoft.com/systemcenter/virtualmachinemanager/en/us/features.aspx
http://www.microsoft.com/systemcenter/virtualmachinemanager/en/us/features.aspx

în final, un feedback din industrie (hosting / VPS)

”From a hosting perspective, virtualization is all about control. Servers multiply fast and you

need to keep track of who has them and what they are doing with them. Customer data,

resource data and usage data are essential.”

Ross Brouse, CEO

”I knew that would be the biggest hurdle when I started this thing, that's why I chose Parallels. Not

because the software was insecure and unstable, but because I needed to automate. Automation is what

Xen, Hyper-V, VMWare and all the other solutions out there lack. All of their solutions are built for the

enterprise, which in this day and age is a mistake. Not that its a bad market, but these companies have such

poor focus on the service provider.”

Ross Brouse, CEO

întrebări

mulțumesc.

Tudor DamianIT Solutions Specialist

tudy

Top related

Securitatea la incendiu
Documents
norme securitatea muncii
Documents
Securitatea Informatiei
Technology
Securitatea Retelei
Documents
Securitatea muncii
Documents
Securitatea Activitatii Vitale
Documents
Tendinţe actuale în securitatea Linux - unixinside.org in securitatea Linux.pdf · Utilizarea SSL/TLS pentru securitatea informatiilor vehiculate de aplicatii Criptarea informatiilor,
Documents
Securitatea Informatiilor
Documents
securitatea alimentatiei
Food
Securitatea Vol 1
Documents
Securitatea Datelor
Documents
Securitatea bazelor
Documents
Teza Securitatea muncii.doc
Documents
Securitatea Obiectivelor Industriale
Documents
Securitatea Informationala
Documents
Intelligence si securitatea
Documents
Cultura recunoasterii si securitatea umana · 2019-06-28 · Title: Cultura recunoasterii si securitatea umana - Author: Anton Carpinschi Keywords: Cultura recunoasterii si securitatea
Documents
Securitatea comunicatiilor
Documents
Securitatea la frontiere
Documents
SECURITATEA ALIMENTARĂ DURABILĂ (+)
Documents

Copyright © 2018 DOCUMENTE