1
Virtualization and Cloud Computing
Virtualization, Cloud and Security (Michael Grafnetter)
2
Agenda:
Virtualization Security Risks and Solutions
Cloud Computing Security
Identity Management
3
Virtualization and Cloud Computing
Virtualization Security Risks and Solutions
4
Blue Pill Attack (Joanna Rutkowska)
"nearly anything, including hardware interrupts, requests for data and even the system time could be intercepted (and a fake response sent) by the hypervisor"
Timing attack, Trap-and-Emulate
5
Blue Pill Attack: presented in 2006 by Joanna Rutkowska at the Black Hat conference. It traps the running OS by starting a hypervisor underneath it and virtualizing the underlying machine (this requires the right to execute privileged instructions). The hypervisor can then intercept nearly anything and send fake responses (hardware interrupts, requests for data, the system time, etc.).
6
Red Pill: Blue Pill is detectable by a timing attack.
Trap-and-Emulate takes much longer than native execution of the same instruction.
External time sources (NTP) need to be used, because the system time could be spoofed.
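The two Red Pill checks above, as an added example that is not part of the presentation: a trap-to-native latency ratio computed over per-instruction timings, and an external clock read over NTP so that a spoofed local clock can be caught. The timing samples are constructed (collecting real ones needs platform-specific code, such as RDTSC around a trapping instruction on x86, which is outside this block); the NTP client follows RFC 5905; the 10x threshold, the 0.5 s clock tolerance and the server name are assumptions.

```python
"""Red Pill style checks against a Blue Pill hypervisor (added example; not the
presentation's own code). Timing samples are constructed; thresholds are assumptions."""
import socket
import statistics
import struct

NTP_UNIX_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def build_ntp_request() -> bytes:
    """48-byte client request: first byte LI=0, VN=3, Mode=3 (0x1B), rest zero (RFC 5905)."""
    return b"\x1b" + b"\x00" * 47


def parse_ntp_transmit_time(packet: bytes) -> float:
    """Return the server's Transmit Timestamp (bytes 40..47) as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    seconds, fraction = struct.unpack("!II", packet[40:48])  # 32-bit seconds, 32-bit fraction
    return seconds - NTP_UNIX_EPOCH_DELTA + fraction / 2**32


def query_ntp(server: str = "pool.ntp.org", timeout: float = 2.0) -> float:
    """Read time from an external source; the local clock is deliberately not trusted here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_ntp_request(), (server, 123))
        data, _ = sock.recvfrom(48)
    return parse_ntp_transmit_time(data)


def trap_ratio(native_ns, trapped_ns) -> float:
    """Median cost of an instruction a VMM must trap-and-emulate, relative to a native one.
    Medians rather than means keep a few interrupted samples from dominating."""
    return statistics.median(trapped_ns) / statistics.median(native_ns)


def looks_virtualized(native_ns, trapped_ns, threshold: float = 10.0) -> bool:
    """Assumed threshold: a trapped instruction costing >= 10x a native one suggests a VMM."""
    return trap_ratio(native_ns, trapped_ns) >= threshold


def clock_consistent(local_elapsed: float, external_elapsed: float, tolerance: float = 0.5) -> bool:
    """Cross-check: seconds elapsed by the local clock vs. between two NTP readings.
    A hypervisor feeding fake system time shows up as a gap between the two."""
    return abs(local_elapsed - external_elapsed) <= tolerance


# Constructed sample data (not measured on any real machine)
NATIVE_SAMPLES_NS = [40, 42, 41, 39, 43]
TRAPPED_SAMPLES_NS = [1500, 1480, 1600, 1520, 1490]
_SECS = 1705310525 + NTP_UNIX_EPOCH_DELTA  # 2024-01-15T09:22:05Z in NTP seconds
# Server reply: LI=0, VN=3, Mode=4 (0x1C), stratum 1, poll 6, precision -20, ref id "GPS\0",
# then reference / origin / receive / transmit timestamps; transmit fraction 2**31 = .5 s
SAMPLE_NTP_RESPONSE = struct.pack("!BBBb11I", 0x1C, 1, 6, -20, 0, 0, 0x47505300,
                                  _SECS, 0, 0, 0, _SECS, 0, _SECS, 2**31)

if __name__ == "__main__":
    print("trap/native ratio:", round(trap_ratio(NATIVE_SAMPLES_NS, TRAPPED_SAMPLES_NS), 1))
    print("looks virtualized:", looks_virtualized(NATIVE_SAMPLES_NS, TRAPPED_SAMPLES_NS))
    print("sample NTP transmit time:", parse_ntp_transmit_time(SAMPLE_NTP_RESPONSE))
```

To run the clock check live, take `query_ntp()` and `time.time()` at two points a minute apart and pass the two deltas to `clock_consistent`; the ratio check needs a native timing harness feeding `looks_virtualized`.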
7
VMM Vulnerability By attacking a VMM, one could attack multiple servers at once
8
Datacenter Management SW
Virtualization infrastructure management software (VMware vCenter, Microsoft System Center Virtual Machine Manager) is used to control multiple hosts at once.
9
Web Access to DCs Multiple datacenters can be managed from a central console. Therefore, its security has to be hardened.
10
One Ring to rule them all…
Management commands are available through PowerShell or Web APIs, e.g.:
Get-VM -Name * | Stop-VM
Get-VM -Name * | Remove-VM
Copy-VMGuestFile
Invoke-VMScript -Type Bash
…
11
DoS attack on virtualization infrastructure
Demo: DoS attack on virtualization infrastructure
13
Disabling Host-VM Communication
14
Physical vs. Virtual Firewall
8th ISO/OSI Layer: Politics and religion.
With virtualization, servers from different Trust Zones usually share the same physical resources (memory, network card, etc.).
15
Traffic isolation
16
Configuring traffic isolation on VMware ESXi
Demo: Configuring traffic isolation on VMware ESXi
17
Other risks of virtualization
Introduction of yet another OS
Reliance on traditional barriers
Accelerated provisioning
Security left to non-traditional security staff
Audit scope creep
18
Security Solutions: Virtual Firewall, Agentless Antivirus
Live migration
Stretched clusters
Agentless Antivirus
Extensible Switches
Mobile Virtualization Platform
Virtual Desktop Infrastructure (VDI)
Virtual firewalls are aware of the virtualized environment.
19
Agentless AV
Update storms / scan storms (the problem that agentless scanning avoids)
Not always implementable: intrusion protection, packet analysis, browser protection, real-time heuristics, application control, device control, NAC
20
Extensible Switch
21
Mobile Virtualization Platform
22
Mobile Virtualization Platform
23
Mobile Virtualization Platform
Supported devices
24
Virtual Desktop Infrastructure
+ Data stays only within the company
- Requires a stable connection
25
Virtualization and Cloud Computing
Cloud Computing Security Risks
26
Who has access to our data?
27
Physical Security
28
Hard Disk Crushers
29
Other Cloud Risks
Unclear data location
Regulatory compliance
Data segregation
Lack of investigative support
Disaster recovery
Long-term viability, vendor lock-in
30
Virtualization and Cloud Computing
Identity Management
31
Identity Management: Basic Concepts, Identity Federation
External user DBs
Two-factor authentication
Role-Based Access Control (RBAC)
Identity Federation: OAuth, OpenID, SAML
RADIUS Proxy
Identity Bridges
32
External User DBs Typically Active Directory or generic LDAP is used as central identity store for virtualization infrastructures
33
Azure Active Directory
34
Two-Factor Authentication
35
Role-Based Access Control
36
Identity Federation
37
OAuth Used to delegate user authorization to a 3rd-party service provider
38
Demo: Creating a web application with Facebook/Twitter/Microsoft Account authentication
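The delegation the OAuth slides describe, on the web-application side, as an added example (not the presentation's demo code and not tied to any of the named providers): the app sends the browser to the provider's authorization endpoint with a per-login `state` value and a PKCE challenge, then, on the callback, refuses any response that is not bound to a pending login before it exchanges the code. The provider endpoint, client id and redirect URI are placeholders, and `session` is a plain dict standing in for the framework's server-side session store.

```python
"""Authorization-code flow with state and PKCE for a web app that delegates login
to an external provider (added example; not the presentation's own code).
Endpoints, client_id and redirect_uri are placeholders."""
import base64
import hashlib
import secrets
from typing import Dict
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 method from RFC 7636: BASE64URL(SHA256(code_verifier))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def extract_query(url: str) -> Dict[str, str]:
    """First value of each query parameter."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, scope, session):
    """Step 1: send the browser to the provider with a fresh state and PKCE pair,
    both kept server-side so the callback can be tied to this login attempt."""
    state = secrets.token_urlsafe(32)
    code_verifier = _b64url(secrets.token_bytes(32))
    session["oauth_state"] = state
    session["pkce_verifier"] = code_verifier
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def handle_callback(callback_url, redirect_uri, session) -> Dict[str, str]:
    """Step 2: the provider sent the browser back. Bind the response to the pending
    login (state), then build the back-channel token request."""
    query = extract_query(callback_url)
    expected_state = session.pop("oauth_state", "")  # one use only
    returned_state = query.get("state", "")
    # constant-time compare; a missing or stale state is treated as a forged callback
    if not expected_state or not secrets.compare_digest(expected_state.encode(), returned_state.encode()):
        raise PermissionError("state mismatch: callback not bound to a pending login")
    if "error" in query:
        raise PermissionError(f"provider error: {query['error']}")
    code = query.get("code", "")
    if not code:
        raise PermissionError("no authorization code in callback")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": session.pop("pkce_verifier"),  # proves this client started the flow
    }


def callback_accepted(callback_url, redirect_uri, session) -> bool:
    try:
        handle_callback(callback_url, redirect_uri, session)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    session = {}
    url = build_authorization_url("https://provider.example/oauth/authorize", "client-id-placeholder",
                                  "https://app.example/callback", "openid email", session)
    print(url)
    state = extract_query(url)["state"]
    print(handle_callback(f"https://app.example/callback?code=demo-code&state={state}",
                          "https://app.example/callback", session))
```

The dict returned by `handle_callback` is the body the app POSTs, with its client credentials, to the provider's token endpoint; the access token therefore only ever travels on that server-to-server leg, never through the browser.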
39
OpenID
40
OpenID
41
SAML: similar to OpenID, but targeted at the enterprise
Security Assertion Markup Language
XML-based
Supports single sign-on
Requires mutual trust between IdP and SP
Multiple bindings, not just HTTP
Supports identity-provider-initiated authentication
42
SAML
43
SAML (Google Apps)
1. The user attempts to reach a hosted Google application, such as Gmail, Start Pages, or another Google service.
2. Google generates a SAML authentication request. The SAML request is encoded and embedded into the URL for the partner's SSO service. The RelayState parameter containing the encoded URL of the Google application that the user is trying to reach is also embedded in the SSO URL. This RelayState parameter is meant to be an opaque identifier that is passed back without any modification or inspection.
3. Google sends a redirect to the user's browser. The redirect URL includes the encoded SAML authentication request that should be submitted to the partner's SSO service.
4. The partner decodes the SAML request and extracts the URL for both Google's ACS (Assertion Consumer Service) and the user's destination URL (RelayState parameter). The partner then authenticates the user. Partners could authenticate users by either asking for valid login credentials or by checking for valid session cookies.
5. The partner generates a SAML response that contains the authenticated user's username. In accordance with the SAML 2.0 specification, this response is digitally signed with the partner's public and private DSA/RSA keys.
6. The partner encodes the SAML response and the RelayState parameter and returns that information to the user's browser. The partner provides a mechanism so that the browser can forward that information to Google's ACS. For example, the partner could embed the SAML response and destination URL in a form and provide a button that the user can click to submit the form to Google. The partner could also include JavaScript on the page that automatically submits the form to Google.
7. Google's ACS verifies the SAML response using the partner's public key. If the response is successfully verified, ACS redirects the user to the destination URL.
8. The user has been redirected to the destination URL and is logged in to Google Apps.
44
SAML Example
<saml:Assertion ID="b07b804c-7c29-ea f3d6f7928ac" Version="2.0" IssueInstant=" T09:22:05">
  <saml:Issuer>
  <ds:Signature>...</ds:Signature>
  …
  <saml:Conditions NotBefore=" T09:17:05" NotOnOrAfter=" T09:27:05">
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute x500:Encoding="LDAP" Name="urn:oid: " FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
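What the ACS in step 7 of the Google flow has to check on an assertion like the one above, as an added example that is not part of the presentation: issuer, signature, the Conditions window (with a small clock-skew allowance), the audience, and only then the attributes; plus the redirect to the RelayState destination restricted to the service provider's own origin. The assertion below is constructed after the slide's example (issuer, audience, ID, timestamps and the eduPersonAffiliation OID are my assumptions), and the signature check is a demo stand-in: a real ACS verifies the XML-DSig with an xmlsec-based library against the IdP's pinned certificate.

```python
"""Service-provider (ACS) checks on a SAML 2.0 assertion plus RelayState handling.
Added example; not the presentation's own code. Sample values are constructed and
the signature check is a stand-in for real XML-DSig verification."""
import xml.etree.ElementTree as ET  # production: defusedxml, to resist entity-expansion attacks
from datetime import datetime, timedelta, timezone
from typing import Dict, List
from urllib.parse import urljoin, urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample modelled on the slide's assertion; all values are made up.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  ID="_constructed-assertion-id" Version="2.0" IssueInstant="2024-01-15T09:22:05Z">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <ds:Signature>DEMO-VALID-SIGNATURE</ds:Signature>
  <saml:Conditions NotBefore="2024-01-15T09:17:05Z" NotOnOrAfter="2024-01-15T09:27:05Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue xsi:type="xs:string">member</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class SamlValidationError(Exception):
    """The assertion must be rejected; the reason is in the message."""


def utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


def parse_xs_datetime(value) -> datetime:
    """xs:dateTime as SAML uses it: UTC with a trailing Z."""
    if not value or not value.endswith("Z"):
        raise SamlValidationError(f"bad timestamp: {value!r}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def demo_signature_check(assertion_xml: str, signature: ET.Element) -> bool:
    """Stand-in only (assumption): accepts the constructed marker. A real ACS verifies
    the XML-DSig (RSA/DSA per the spec) with an xmlsec-based library."""
    return (signature.text or "").strip() == "DEMO-VALID-SIGNATURE"


def validate_assertion(assertion_xml, expected_issuer, expected_audience, now,
                       verify_signature=demo_signature_check,
                       clock_skew=timedelta(minutes=3)) -> Dict[str, List[str]]:
    """Return the asserted attributes, or raise SamlValidationError."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"] or root.get("Version") != "2.0":
        raise SamlValidationError("not a SAML 2.0 Assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise SamlValidationError("unexpected Issuer")
    signature = root.find("ds:Signature", NS)
    if signature is None or not verify_signature(assertion_xml, signature):
        raise SamlValidationError("missing or invalid signature")  # nothing else is trusted before this
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise SamlValidationError("missing Conditions")
    if now + clock_skew < parse_xs_datetime(conditions.get("NotBefore")):
        raise SamlValidationError("assertion not yet valid")
    if now - clock_skew >= parse_xs_datetime(conditions.get("NotOnOrAfter")):
        raise SamlValidationError("assertion expired")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise SamlValidationError("assertion not addressed to this SP")
    attributes: Dict[str, List[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        attributes[key] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attributes


def assertion_accepted(*args, **kwargs) -> bool:
    try:
        validate_assertion(*args, **kwargs)
        return True
    except SamlValidationError:
        return False


def safe_relay_target(relay_state: str, sp_base_url: str) -> str:
    """RelayState is opaque to the IdP, but the ACS must not redirect off-site:
    a destination outside the SP's own origin falls back to the SP landing page."""
    target = urljoin(sp_base_url, relay_state or "")
    base, dest = urlparse(sp_base_url), urlparse(target)
    if (dest.scheme, dest.netloc) != (base.scheme, base.netloc):
        return sp_base_url
    return target


if __name__ == "__main__":
    now = utc(2024, 1, 15, 9, 22, 5)
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.org/", "https://sp.example.com/", now))
    print(safe_relay_target("/mail/inbox", "https://sp.example.com/"))
```

The order of checks matters: the signature is verified before any other field is read, so a tampered Conditions element or an assertion issued for a different SP is never acted on, and the clock-skew allowance is applied symmetrically to NotBefore and NotOnOrAfter.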
45
Microsoft Active Directory Federation Services
SAML-based. Typically used to give business partners access to intranet portals.
46
Shibboleth: open-source, SAML-based federation portal
47
Signing in to a federated web application
Demo: Signing in to a federated web application
48
RADIUS Proxy (Eduroam)
49
Identity Bridges
50
Identity Bridges: Azure Access Control Service