Virtual 127.0.0.1 Security.. in a Virtualized World - PowerPoint PPT Presentation

Slides: 24
Provided by: mklo

1
Virtual 127.0.0.1 Security.. in a Virtualized World
  • Bruce Cowper
  • Senior Program Manager Security Initiative
  • Microsoft Canada

2
Why should I worry?
  • The number of virtual servers will rise to more
    than 1.7 million physical servers by 2010,
    resulting in 7.9 million logical servers.
    Virtualized servers will represent 14.6 percent
    of all physical servers in 2010 compared to just
    4.5 percent in 2005.
  • 60 percent of production virtual machines will be
    less secure than their physical counterparts
    through to 2009.

Source: IDC
Source: Gartner
3
Common Myths
  • I only have to patch my host OS / Kernel
  • If I protect my Host machine, it will protect my
    virtual machines
  • Virtual Hard Disk files are secure by default
  • If you expose the virtual machine, you have to
    expose all virtual machines and the host
  • All virtual machines can see each other

4
Virtualization Architecture
[Diagram labels: Host OS; Guest OS; Host; Virtual Server WebApp; Virtual Server Service; IIS; Guest Applications; Guest App; Virtualisation layer; VS Additions; Windows (NT4, 2000, 2003); Windows Server 2003 or XP; Kernel; VMM.sys; Ring 3, Ring 1, Ring 0; Hardware; Designed for Windows Server Hardware]
5
Virtualization Architecture: Hypervisor
[Diagram labels: Primary Partition; Child Partitions; Applications; Virtualization Stack; VM Service; WMI Provider; VM Worker Processes; Virtualization Service Providers (VSPs); Virtualization Service Clients (VSCs); MinWin; Windows Kernel; Guest OS Kernel; IHV Drivers; VMBus; Enlightenments; Ring 3; Ring 0; Windows hypervisor (Ring -1); Server Hardware]
6
Attack Vectors
7
Common Host Attacks
  • Host Compromise for
      • Deployment, Duplication and Deletion
      • Control of Virtual Machines
  • Direct Code / File injection to Virtualization File Structure
      • Virtual Hard Disks
      • Virtual Configuration Files
  • Time Sync
  • Hardware
  • Rootkits / Malware
  • Drivers (Attack Surface / Stability)

8
Beneath the Host OS
  • SubVirt (Samuel T. King, Peter M. Chen, Michigan U)
      • Kernel based Rootkit based on a commercial VMM,
        which creates and emulates virtual hardware.
  • BluePill (AMD SVM), Joanna Rutkowska
      • Moves the Host OS to a Virtual Machine at the
        hardware layer (PoC on AMD, Theory on Intel)
  • Detecting a Virtual Environment..
      • RedPill / NoPill / scoopy_doo
      • Determines if a current OS is running inside a
        Virtual Machine

9
Common Host Attacks: Potential Solutions
  • Hardening the Host Servers
  • Where a Hypervisor or Specialist Kernel is used,
    the Host attack surface is smaller, however
    updating and patching is still required.
  • Use single role servers and remove unwanted and
    un-necessary services / attack vectors
  • Use a local firewall and only allow limited host
    control / management ports over encrypted and
    authenticated channels.
  • Use limited scope admin accounts with strong
    passwords

10
Remote Control / Management
  • All Virtualization Solutions include some form of
    remote control.
  • Access to these tools should be limited.
  • Limit scope of access / control
  • Protecting the remote control mechanisms
  • Use limited use accounts for control
  • Make sure the connections are encrypted /
    authenticated
  • Use logging

11
Using Remote Management Software
12
Common Host Attacks: Potential Solutions
  • Protecting the Virtual Machine files
      • Access Control Lists (limited to the security
        context for the users who manage them and the
        services that control them)
      • Encryption
          • Disk / Volume / Folder / File
      • Auditing
          • File access, creation, deletion
      • Don't forget the backup files / archives

13
File Types and Locations
  • .vhd disk file
      • In folder you specify in settings
  • .vhdd disk file
      • In folder you specify in settings
  • .vud disk file
      • In vmc-file folder
  • .vsv disk file
      • In vmc-file folder

14
Using Access Control Lists
  • No rights / deny all
      • If you configure a .VMC such that the user in
        question has no access rights to the .VMC file,
        they will not see the virtual machine at all, or
        have any indication that it is there.
  • Read only
      • If a user has read permission on a .VMC (but not
        write) then they will see the virtual machine on
        the Master Status page. If the virtual machine
        is running they will also be able to interact
        with it. However, the user will not be able to
        power on / turn off the virtual machine, as these
        operations require having write access to the
        .VMC file.
  • Read / write
      • If a user has read and write permissions for the
        .VMC file they will be able to interact with and
        control the virtual machine.
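
The three access levels above can be checked mechanically against `icacls` output collected from the host. The following is an added example, not part of the original presentation: the sample output, paths and account names are constructed, each entry is judged on its own (no group membership resolution), and a DENY entry is treated as "hidden".

```python
import re

# Constructed sample of `icacls` output for two .vmc files; paths and accounts are made up.
SAMPLE = r"""
D:\VMs\web01\web01.vmc BUILTIN\Administrators:(F)
                       CORP\vm-operators:(R)
                       CORP\svc-vserver:(M)
D:\VMs\test\test.vmc BUILTIN\Users:(I)(RX)
                     Everyone:(I)(M)
                     CORP\contractor:(DENY)(F)
"""

BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}  # inheritance markers, not rights
# First line of an entry carries the file path; continuation lines are indented.
ACE = re.compile(r"^(?:(\S.*?\.vmc)\s+|\s+)(.+?):((?:\([A-Z,]+\))+)\s*$", re.I)

def tier(flags):
    """Map one entry's icacls flags to the slide's three access levels."""
    rights = {r.upper() for f in flags for r in f.split(",")} - INHERIT_FLAGS
    if "DENY" in rights or not rights & {"F", "M", "R", "RX"}:
        return "hidden"      # no read access: the VM is not shown at all
    if rights & {"F", "M", "W"}:
        return "control"     # read + write: interact and power on / turn off
    return "view-only"       # read only: visible, no power operations

def audit(text):
    """Return (path, principal, level, broad) for every ACL entry in the output."""
    findings, path = [], None
    for line in text.splitlines():
        m = ACE.match(line)
        if not m:
            continue
        path = m.group(1) or path
        who = m.group(2)
        level = tier(re.findall(r"\(([A-Z,]+)\)", m.group(3), re.I))
        # Broad groups with any effective access to a .vmc deserve review.
        broad = who.lower() in BROAD and level != "hidden"
        findings.append((path, who, level, broad))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Entries with `broad` set to true are the ones to review first: a wide group that can read a .vmc can see the machine, and one that can write it can control it.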

15
Common Guest Attacks
  • Unpatched Virtual Machines
  • Older Operating Systems
  • Test or Development machines (these often are not
    managed in the same way as production machines)
  • Un-managed or user deployed virtual machines
  • Backups and archives

16
Common Guest Attacks: Potential Solutions
  • Hardening the Guest Operating Systems
  • Treat the guest OS as if it was a physical
    machine
  • Machine Isolation with Virtual Networks / VLANs
  • Local Only Access
  • NAT
  • Segmented networks
  • IPSec Isolation
  • Physical Isolation (Separate NICs)

17
Common Virtualization Scenario
The Segmented Network (with DMZ)
[Diagram labels: Application Server (VM); Web Server (VM); Virtual NICs; Bridged virtual networks; Hardware server; Virtual Switch; Physical NICs; Internal network 1; Internal network 2]
18
Common Virtualization Scenario
The three leg network (DMZ and VPN)
[Diagram labels: Application Server (VM); Virtual NICs; Bridged virtual network; Hardware server; Virtual Switch; Physical NICs; Private internal network]
19
Patching a Virtual Machine
20
Guest Attacks
  • The Virtualization File Structure
      • Virtual Hard Disks
          • File / Code Injection
          • Can be Directly Mounted / accessed
      • Virtual Configuration Files
          • Base Configuration changes
          • Redirection / addition of Virtual drives /
            Resources
          • BIOS

    <hardware>
      <memory>
        <ram_size type="integer">256</ram_size>
      </memory>
      ...
      <pci_bus>
        <ethernet_adapter>
          <controller_count type="integer">2</controller_count>
        </ethernet_adapter>
      </pci_bus>
    </hardware>
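
Because a configuration file like the excerpt above is plain XML, changes to it can be detected by comparing it with a known-good copy. The following is an added example, not part of the original presentation: the baseline reuses only the elements shown on the slide, and the `extra_drive` element and its value are hypothetical names used for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed baseline built from the excerpt on the slide (a real file has more elements).
BASELINE = """<hardware>
  <memory><ram_size type="integer">256</ram_size></memory>
  <pci_bus><ethernet_adapter>
    <controller_count type="integer">2</controller_count>
  </ethernet_adapter></pci_bus>
</hardware>"""

# Constructed tampered copy: one more network controller and an added drive.
# `extra_drive` is a hypothetical element name, not taken from the .vmc format.
CURRENT = """<hardware>
  <memory><ram_size type="integer">256</ram_size></memory>
  <pci_bus><ethernet_adapter>
    <controller_count type="integer">3</controller_count>
  </ethernet_adapter></pci_bus>
  <extra_drive>other.vhd</extra_drive>
</hardware>"""

def flatten(xml_text):
    """Return {element path: text} for every leaf element, indexing repeated siblings."""
    out = {}
    def walk(node, path):
        children = list(node)
        if not children:
            out[path] = (node.text or "").strip()
            return
        seen = {}
        for child in children:
            n = seen[child.tag] = seen.get(child.tag, 0) + 1
            walk(child, f"{path}/{child.tag}[{n}]")
    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return out

def drift(baseline, current):
    """List (kind, path, old, new) for every setting that differs from the baseline."""
    old, new = flatten(baseline), flatten(current)
    changes = []
    for key in sorted(old.keys() | new.keys()):
        if key not in new:
            changes.append(("removed", key, old[key], None))
        elif key not in old:
            changes.append(("added", key, None, new[key]))
        elif old[key] != new[key]:
            changes.append(("changed", key, old[key], new[key]))
    return changes

if __name__ == "__main__":
    for change in drift(BASELINE, CURRENT):
        print(change)
```

Keep the baseline copy somewhere the accounts that can write the live configuration files cannot reach, so that a changed file and its baseline cannot be altered together.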
21
Backup and DR
[Diagram labels: Host to Host; Guest to Guest; SAN or iSCSI connection; iSCSI connection]
22
Conclusions
  • Reduce the attack surface on the Host
  • Use least privilege access
  • Audit the deployment, maintenance, control and
    access to virtual machines
  • Leverage backups, snapshots and redundancy to
    reduce impact of Host / Guest maintenance
  • Secure your Virtual Machine Hard Disk and
    configuration files, including backups and
    archives
  • Use Virtual Networks / VLANs / IPSec to Isolate
    machines, especially before they are exposed to
    the network.

23
Questions and Answers
Bruce Cowper Senior Program Manager Security
Initiative Microsoft Canada