Presentation is loading. Please wait.

Presentation is loading. Please wait.

SECURING AND LEVERAGING THE POWER OF VIRTUAL SERVERS AND DESKTOPS Conrado Wang Cheng Niemeyer Information Security Officer, Sacred Heart University.

Published byStephen Boyd Modified over 9 years ago

Similar presentations

Presentation on theme: "SECURING AND LEVERAGING THE POWER OF VIRTUAL SERVERS AND DESKTOPS Conrado Wang Cheng Niemeyer Information Security Officer, Sacred Heart University."— Presentation transcript:

1 SECURING AND LEVERAGING THE POWER OF VIRTUAL SERVERS AND DESKTOPS Conrado Wang Cheng Niemeyer Information Security Officer, Sacred Heart University

2 Virtualization Advantages  Virtualization?  “Cheap”, fast, easy to setup Application isolation  Template Deployment  Disaster Recovery  High Availability  Forensic Analysis w/P2V & in place with memory snapshots  Honeypotting

3 Virtualization Disadvantages  Using a template image  One vulnerability is shared by all  Same admin/root passwords??!!  Possibly sequential IP range  Single file Servers & Workstations  Just copy one file and you’re done!  Poor multimedia support  Many eggs in fewer baskets  Virtual Machine Sprawl

4 Virtualization Vulnerabilities  Guest to Guest Attacks  Guest to Host Attacks  Guest Client Vulnerabilities  Management Console/Host OS Vulnerabilities  Hypervisor Vulnerabilities  Not well developed and widespread, YET…

5 VM Security Best Practices  Security Best Practices (Firewalls, IPS, Patching, Patching, Patching, Patching)  Secure your VMs as you would physical machines  Secure the Network  Use Separate Private backup and SAN network  Use Separate Private Management Console network  Favor Type 1 Hypervisors for Production and Testing Servers  VMWare ESX Server, Citrix XenServer, MS Hyper-V, etc.  Favor Type 2 use in Security applications  Disable Hardware Acceleration  Use QEmu (full emulation mode w/out kqemu)  Disable all sharing features  Favor Type 2 for Development environments  Run different security zones VMs on separate physical hosts  Use separate physical switches or VLANs in physical switches  Run different Management stations  Disable/remove unnecessary virtual hardware

6 Monitoring in a vSwitch

7 VMWare ESX Specific  VMWare Update (ESX 3.5 & VC 2.5)  Fix maximum size and rotation for Log Files  Use Resource Management  Secure the VI Console Access  Verify the ESX Console Firewall rules  Use SSL Certificates Encrypt Access to Virtual Center  Secure Console’s Linux environment

8 Virtualization Applications  Setting up Development Environments  Setting up Testing Environments  Setting up Research Environments  Honeypotting  Consolidate Physical Servers  Virtual Secure Desktops…  Provide a desktop environment for users Quickly deployed Secured Easily maintained  Provide access from those environments to all work tools, systems, and services

9 Secure Desktop Advantages  Secured Access to Sensitive Systems   Separation of Critical Business data from User data  Quick and Easy Deployment  Stand a new VM(s) in under 2mins  Ease of Policy Enforcement  Can Provide local admin elevation when necessary  Anywhere anytime access (or not)  Easy Integration into Identity Management  Currently  ERP (Datatel Colleague R17, R18) Registrar’s Human Resources Business Office  Admissions (Recruitment Plus)  Financial Aid (PowerFAIDS, EDConnect)  Institutional Advancement (Raiser’s Edge)  Payroll (ADP)  Future Expansion  Document Imaging  Department Shares  MicroFAIDS (MS-DOS!!!!!)

10 Secure Desktop Disadvantages  Poor Multimedia Support  ACL/Firewall Rule Maintenance  Vulnerable to Screen Scrapping  Increased Disaster Recovery Complexity  SSL Gateway  Connection Broker  Provisioning Server  ESX Servers  SAN & Blade Infrastructure  “Quality of Life” Issues  Cannot browse the web  Cannot persist software changes  Cannot connect certain USB devices  Coming Soon Cannot access e-mail Cannot copy & paste to host Cannot connect any USB devices

11 Secure Desktop Backend at SHU  HP c7000 Blade Enclosure  HP BL460c 2 x Quad Core 2.3Ghz (Intel E5345) 16 GB RAM 4 x 1Gb Ethernet (on 2 separate boards)  Netapp 3020c Filers  7TB (4TB Usable ??!!) for VMs  12TB for User/Department Data  iSCSI all the way baby!!!  Cisco Catalyst 3750 Switches  1Gb Ethernet (Copper)  10Gb Uplink  VMWare VI3 (ESX 3.5 and Virtual Center 2.5)  Provision Networks Virtual Access Suite 5.9  SSL Gateway  RDP Connection Broker  Citrix Provisioning Server Desktops v4.5 Sp1  PXE Boot  HDD Streaming  Microsoft DHCP Server  Microsoft Windows XP Sp2 HardwareSoftware

12 Connection Broker Architecture

13 SSL Gateway Architecture

14 HDD Streaming Architecture

15 Physical vs. Virtual Hardware  Dell OptiPlex 755  Intel Core2 2.4Ghz  2GB RAM  160GB HDD  Integrated Graphics  1Gb Ethernet  ~$1,000  VMWare ESX 3.5  Virtual Dual to Quad Core 2.3Ghz  256MB RAM  1MB HDD  RDP Graphics  1Gb Ethernet  ~$290 w/existing hardware PhysicalVirtual

16 Getting Buy-in  Initial deployment as test environments  Clarifying the difference between a purely work environment and a hybrid work/personal one  No other alternatives with new versions  Ease of use and virtually no training required  Unreliability of VPN and Citrix  Ability to access legacy environments with new simultaneously

17 Demo  https://securedesk.sacredheart.edu/ https://securedesk.sacredheart.edu/

18 New Developments  Embedded Hypervisors  ESX 3i, XenServer OEM, etc.  VMSafe  VDI  SAN Snapshot Clones  Netapp FlexClone  Sophisticated Virtual Machine Detection

19 Resources, Q & A  http://www.cisecurity.org/ http://www.cisecurity.org/  http://www.securityfocus.com/ http://www.securityfocus.com/  http://www.vmware.com/resources/techresources/c at/91 http://www.vmware.com/resources/techresources/c at/91  http://www.citrix.com/ http://www.citrix.com/  http://www.provisionnetworks.com/ http://www.provisionnetworks.com/

Download ppt "SECURING AND LEVERAGING THE POWER OF VIRTUAL SERVERS AND DESKTOPS Conrado Wang Cheng Niemeyer Information Security Officer, Sacred Heart University."

Similar presentations

2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.

2  Industry trends and challenges  Windows Server 2012: Modern workstyle, enabled  Access from virtually anywhere, any device  Full Windows experience.
Ed Duguid with subject: MACE Cloud

Ed Duguid with subject: MACE Cloud
Wyse.com 2010 Cameron Smith Sales Engineer for IN, KS, and MO Desktop Virtualization.

Wyse.com 2010 Cameron Smith Sales Engineer for IN, KS, and MO Desktop Virtualization.
Adam Duffy Edina Public Schools.  The heart of virtualization is the “virtual machine” (VM), a tightly isolated software container with an operating.

Adam Duffy Edina Public Schools.  The heart of virtualization is the “virtual machine” (VM), a tightly isolated software container with an operating.
Antony Jo The University of Montana. Virtualization  The process of abstraction; making something more abstract  Many types: Server Desktop Application.

Antony Jo The University of Montana. Virtualization  The process of abstraction; making something more abstract  Many types: Server Desktop Application.
Understand Virtualized Clients 10753 Windows Operating System Fundamentals LESSON 2.4.

Understand Virtualized Clients Windows Operating System Fundamentals LESSON 2.4.
-How To leverage Virtual Desktop for Manageability & Security -Desktop Computing “as a service” Andreas Tsangaris CTO, PERFORMANCE

-How To leverage Virtual Desktop for Manageability & Security -Desktop Computing “as a service” Andreas Tsangaris CTO, PERFORMANCE
Deliver your Technology-Based Labs with VMware Lab Manager 5/6/2010 Michael Fudge.

Deliver your Technology-Based Labs with VMware Lab Manager 5/6/2010 Michael Fudge.
Virtual techdays INDIA │ 9-11 February 2011 Cross Hypervisor Management Using SCVMM 2008 R2 Vikas Madan │ Partner Consultant II, Microsoft Corporation.

Virtual techdays INDIA │ 9-11 February 2011 Cross Hypervisor Management Using SCVMM 2008 R2 Vikas Madan │ Partner Consultant II, Microsoft Corporation.
VMware Update 2009 Daniel Griggs Solutions Architect, Virtualization Servers & Storage Solutions Practice Dayton OH.

VMware Update 2009 Daniel Griggs Solutions Architect, Virtualization Servers & Storage Solutions Practice Dayton OH.
Server Virtualization Gina Myers. Definition Creating virtual machines (VMs) “VMs are software entities that emulate a real machine’s functionality” ◦

Server Virtualization Gina Myers. Definition Creating virtual machines (VMs) “VMs are software entities that emulate a real machine’s functionality” ◦
TechNet and Community Tour - Dynamic IT Dynamic Desktop Deployment Level 300 - Advanced.

TechNet and Community Tour - Dynamic IT Dynamic Desktop Deployment Level Advanced.
Introduction to XTMv WatchGuard Training.

Introduction to XTMv WatchGuard Training.
Do MUCH More with Less Presented by: Jon Farley 2W Technologies.

Do MUCH More with Less Presented by: Jon Farley 2W Technologies.
European Organization for Nuclear Research Virtualization Review and Discussion Omer Khalid 17 th June 2010.

European Organization for Nuclear Research Virtualization Review and Discussion Omer Khalid 17 th June 2010.
Virtualization 101.

Virtualization 101.
Copyright © 2005 VMware, Inc. All rights reserved. VMware Virtualization Phil Anthony Virtual Systems Engineer

Copyright © 2005 VMware, Inc. All rights reserved. VMware Virtualization Phil Anthony Virtual Systems Engineer
5205 – IT Service Delivery and Support

5205 – IT Service Delivery and Support
NetApp Rapid Cloning Utility (RCU) Internal Training August, 2009

NetApp Rapid Cloning Utility (RCU) Internal Training August, 2009
Virtualization 101.

Virtualization 101.

Similar presentations

Ads by Google