Virtualization and Cloud Computing Virtualization, Cloud and Security Michael Grafnetter
Agenda
- Virtualization Security Risks and Solutions
- Cloud Computing Security
- Identity Management
Virtualization and Cloud Computing Virtualization Security Risks and Solutions
Blue Pill Attack (Joanna Rutkowska)
http://en.wikipedia.org/wiki/Blue_Pill_%28software%29
http://virtualization.info/en/news/2006/08/debunking-blue-pill-myth.html
Notes: nearly anything, including hardware interrupts, requests for data and even the system time, could be intercepted (and a fake response sent) by the hypervisor. Keywords: timing attack, trap-and-emulate.
Blue Pill Attack
- Presented in 2006 by Joanna Rutkowska at the Black Hat conference
- Traps the running OS by starting a thin hypervisor underneath it and virtualizing the underlying machine on the fly (requires the right to run privileged instructions, i.e. kernel-level access, to achieve this)
- Once in place, the hypervisor can intercept nearly anything and send fake responses (hardware interrupts, requests for data, system time, etc.)
Red Pill
- Blue Pill is detectable by a timing attack: an instruction that the hypervisor has to trap and emulate takes much longer than the same instruction executed natively
- The measurement must use an external time source (e.g. NTP), because the hypervisor can spoof the local system time and timer reads
VMM Vulnerability
A vulnerability in the VMM (hypervisor) is a single point of failure: by attacking the VMM, one could attack every server hosted on it at once.
Datacenter Management SW
Virtualization infrastructure management software (VMware vCenter, Microsoft System Center Virtual Machine Manager) is used to control multiple hosts at once.
Web Access to DCs
Multiple datacenters can be managed from a central console. Therefore, the security of that console has to be hardened accordingly.
One Ring to rule them all…
Management commands are available through PowerShell (PowerCLI) or Web APIs, and they act on every host the management server controls:
Get-VM -Name * | Stop-VM
Get-VM -Name * | Remove-VM
Copy-VMGuestFile
Invoke-VMScript -ScriptType Bash
…
Whoever holds management-server credentials can therefore stop, delete or run code inside every VM, so those credentials and roles need the same protection as domain administrator accounts.
Demo: DoS attack on virtualization infrastructure
Disabling Host-VM Communication
Physical vs. Virtual Firewall
8th ISO/OSI layer: politics and religion
With virtualization, servers from different trust zones usually share the same physical resources (memory, network card, etc.), so the separation that physical firewalls and cabling used to provide must be re-created inside the host.
Traffic isolation
Demo: Configuring traffic isolation on VMware ESXi
Other risks of virtualization
- Introduction of yet another OS (the hypervisor) that must be patched and hardened
- Reliance on traditional barriers
- Accelerated provisioning
- Security left to non-traditional security staff
- Audit scope creep
Security Solutions
- Virtual Firewall (virtual firewalls are aware of the virtualized environment)
- Agentless Antivirus
- Live migration
- Stretched clusters
- Extensible Switches
- Mobile Virtualization Platform
- Virtual Desktop Infrastructure (VDI)
Agentless AV
- Avoids update storms and scan storms, which occur when every VM on a host runs its own agent and updates or scans at the same time
- Not always implementable: features that need an in-guest agent (intrusion protection, packet analysis, browser protection, real-time heuristics, application control, device control, NAC) cannot be delivered agentlessly
Extensible Switch
Mobile Virtualization Platform
Mobile Virtualization Platform Supported devices
Virtual Desktop Infrastructure
+ Data stays inside the company
- Requires a stable connection
Virtualization and Cloud Computing Cloud Computing Security Risks
Who has access to our data?
Physical Security
Hard Disk Crushers
Other Cloud Risks
- Unclear data location
- Regulatory compliance
- Data segregation
- Lack of investigative support
- Disaster recovery
- Long-term viability, vendor lock-in
Virtualization and Cloud Computing Identity Management
Identity Management
Basic Concepts
- External user DBs
- Two-factor authentication
- Role-Based Access Control (RBAC)
Identity Federation
- OAuth
- OpenID
- SAML
- RADIUS Proxy
- Identity Bridges
External User DBs
Typically Active Directory or a generic LDAP directory is used as the central identity store for virtualization infrastructures.
Azure Active Directory
Two-Factor Authentication
Role-Based Access Control
Identity Federation
OAuth
Used to delegate authorization: a user grants a third-party application limited access to resources held by a service provider, without handing over their credentials.
Demo: Creating a web application with Facebook/Twitter/Microsoft Account authentication
OpenID
OpenID http://someopenid.provider.com/john.smith
SAML
- Similar to OpenID, but targeted at the enterprise
- Security Assertion Markup Language
- XML-based
- Supports single sign-on
- Requires mutual trust between IdP and SP
- Multiple bindings, not just HTTP
- Supports identity-provider-initiated authentication
SAML
SAML (Google Apps)
1. The user attempts to reach a hosted Google application, such as Gmail, Start Pages, or another Google service.
2. Google generates a SAML authentication request. The SAML request is encoded and embedded into the URL for the partner's SSO service. The RelayState parameter, containing the encoded URL of the Google application that the user is trying to reach, is also embedded in the SSO URL. RelayState is meant to be an opaque identifier that is passed back without any modification or inspection.
3. Google sends a redirect to the user's browser. The redirect URL includes the encoded SAML authentication request that should be submitted to the partner's SSO service.
4. The partner decodes the SAML request and extracts the URL for both Google's ACS (Assertion Consumer Service) and the user's destination URL (RelayState parameter). The partner then authenticates the user, either by asking for valid login credentials or by checking for a valid session cookie.
5. The partner generates a SAML response that contains the authenticated user's username. In accordance with the SAML 2.0 specification, this response is digitally signed with the partner's private DSA/RSA key; Google verifies the signature with the partner's corresponding public key.
6. The partner encodes the SAML response and the RelayState parameter and returns them to the user's browser, together with a mechanism that forwards them to Google's ACS. For example, the partner could embed the SAML response and destination URL in a form and provide a button that the user can click to submit the form to Google, or include JavaScript on the page that submits the form automatically.
7. Google's ACS verifies the SAML response using the partner's public key. If the response is successfully verified, the ACS redirects the user to the destination URL.
8. The user is redirected to the destination URL and is logged in to Google Apps.
Caveat: because the ACS redirects to whatever RelayState names, it must validate RelayState against its own allowed destinations, otherwise the SSO endpoint becomes an open redirect. The ACS should also match the response's InResponseTo attribute against the ID of the request it issued, so that an unsolicited or replayed response is not accepted.
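As an added illustration of steps 2 to 4 above (example code written for this page, not Google's or any partner's implementation), the following Python shows the SP side building an AuthnRequest and packing it into the SSO URL with the HTTP-Redirect binding (raw DEFLATE, then Base64, then URL-encoding) alongside an opaque RelayState, and the IdP side unpacking it. The entity IDs, URLs and the registry of allowed ACS URLs are constructed for the example; the IdP-side check that the ACS URL is one registered for that issuer is the part a practitioner most often finds missing.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed registry for the example: which ACS URLs each known SP (by Issuer) may use.
REGISTERED_SPS = {
    "https://sp.example.com/saml/metadata": {"https://sp.example.com/saml/acs"},
}


def build_authn_request(sp_entity_id, acs_url, destination, request_id=None, issue_instant=None):
    """SP side (step 2): a minimal SAML 2.0 AuthnRequest. The SP must remember request_id
    so it can later match the response's InResponseTo attribute against it."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{acs_url}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )


def deflate_b64(xml_text):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header, wbits=-15) then Base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def inflate_b64(value):
    """Inverse of deflate_b64."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def redirect_url(sso_url, authn_request_xml, relay_state):
    """SP side (step 3): the URL the browser is redirected to. urlencode escapes the '+' and '='
    characters of the Base64 payload; RelayState is sent as-is and must come back unchanged."""
    query = urlencode({"SAMLRequest": deflate_b64(authn_request_xml), "RelayState": relay_state})
    separator = "&" if "?" in sso_url else "?"
    return f"{sso_url}{separator}{query}"


def parse_redirect(url):
    """IdP side (step 4): recover the AuthnRequest fields and the opaque RelayState."""
    query = parse_qs(urlsplit(url).query)
    root = ET.fromstring(inflate_b64(query["SAMLRequest"][0]))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "relay_state": query.get("RelayState", [None])[0],
    }


def check_request(parsed, my_sso_url, registry=REGISTERED_SPS):
    """IdP side checks before authenticating the user: the request must be addressed to this
    IdP, and the ACS URL must be one registered for the issuing SP, never just trusted from
    the request (otherwise an attacker-supplied ACS URL would receive the signed assertion)."""
    if parsed["destination"] != my_sso_url:
        return False
    return parsed["acs_url"] in registry.get(parsed["issuer"], set())


if __name__ == "__main__":
    req = build_authn_request("https://sp.example.com/saml/metadata",
                              "https://sp.example.com/saml/acs",
                              "https://idp.example.org/sso")
    url = redirect_url("https://idp.example.org/sso", req, "https://app.example.com/mail")
    parsed = parse_redirect(url)
    print(url)
    print(parsed, "accepted" if check_request(parsed, "https://idp.example.org/sso") else "rejected")
```

A request whose AssertionConsumerServiceURL has been rewritten to an attacker's host decodes perfectly well but fails check_request, which is why the registry lookup belongs in the IdP and not in documentation.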
SAML Example
<saml:Assertion ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0" IssueInstant="2004-12-05T09:22:05">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  …
  <saml:Conditions NotBefore="2004-12-05T09:17:05" NotOnOrAfter="2004-12-05T09:27:05">
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute x500:Encoding="LDAP" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
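As an added example (written for this page, not taken from the slides or from any SAML library), the Python below shows the checks an Assertion Consumer Service should apply to an assertion like the one above before trusting its attributes: issuer, signature presence, the Conditions validity window with a small clock-skew allowance, and a replay cache keyed on the assertion ID. The sample assertion is a constructed copy of the slide's example with the elided parts filled by placeholders and the namespace declarations added so it parses; XML-DSig verification itself needs a library such as signxml or xmlsec, so it is supplied by the caller as a callback rather than implemented here.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample modelled on the slide's assertion (Signature content is a placeholder).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:x500="urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"
    ID="b07b804c-7c29-ea16-7300-4f3d6f7928ac" Version="2.0" IssueInstant="2004-12-05T09:22:05">
  <saml:Issuer>https://idp.example.org/SAML2</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Conditions NotBefore="2004-12-05T09:17:05" NotOnOrAfter="2004-12-05T09:27:05"/>
  <saml:AttributeStatement>
    <saml:Attribute x500:Encoding="LDAP" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                    FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class SamlValidationError(Exception):
    pass


def parse_saml_time(value):
    """SAML dateTime values are UTC; accept an optional trailing 'Z' and fractional seconds."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, now, verify_signature, seen_ids,
                       skew=timedelta(minutes=2)):
    """Return the assertion's attributes as {Name: [values]} or raise SamlValidationError.
    verify_signature(root) is the caller's XML-DSig check (e.g. signxml with the IdP's cert).
    seen_ids is a mutable set shared across requests: the replay cache."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML}}}Assertion" or root.get("Version") != "2.0":
        raise SamlValidationError("not a SAML 2.0 assertion")
    if root.findtext(f"{{{SAML}}}Issuer") != expected_issuer:
        raise SamlValidationError("unexpected issuer")
    # Check the signature before anything else is believed; an unsigned assertion is worthless.
    if root.find(f"{{{DS}}}Signature") is None or not verify_signature(root):
        raise SamlValidationError("missing or invalid signature")
    # Design choice: an assertion without a validity window is rejected rather than treated as eternal.
    conditions = root.find(f"{{{SAML}}}Conditions")
    if conditions is None:
        raise SamlValidationError("missing Conditions")
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before) - skew:
        raise SamlValidationError("assertion not yet valid")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after) + skew:
        raise SamlValidationError("assertion expired")
    assertion_id = root.get("ID")
    if not assertion_id or assertion_id in seen_ids:
        raise SamlValidationError("assertion replayed")
    seen_ids.add(assertion_id)
    attributes = {}
    for attribute in root.iter(f"{{{SAML}}}Attribute"):
        values = [v.text for v in attribute.findall(f"{{{SAML}}}AttributeValue")]
        attributes[attribute.get("Name")] = values
    return attributes


def reason_for_rejection(*args, **kwargs):
    """None if the assertion is accepted, otherwise the rejection reason (useful for logging)."""
    try:
        validate_assertion(*args, **kwargs)
        return None
    except SamlValidationError as exc:
        return str(exc)


if __name__ == "__main__":
    cache = set()
    when = datetime(2004, 12, 5, 9, 22, 5, tzinfo=timezone.utc)
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.org/SAML2", when,
                             lambda root: True, cache))
    print(reason_for_rejection(SAMPLE_ASSERTION, "https://idp.example.org/SAML2", when,
                               lambda root: True, cache))
```

The replay cache only needs to hold IDs until their NotOnOrAfter plus skew has passed, which is why rejecting assertions without Conditions keeps the cache bounded. For assertions arriving from the network, parse with defusedxml instead of xml.etree to limit entity-expansion attacks.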
Microsoft Active Directory Federation Services
- SAML-based
- Typically used to give business partners access to intranet portals
Shibboleth
- SAML-based federation software (identity provider and service provider components)
- Open source
Demo: Signing in to a federated web application
RADIUS Proxy (Eduroam)
Identity Bridges
Identity Bridges: Azure Access Control Service