Hmm, can you say physical security? Shared resources can

Provided by: cpeVtEduv
Learn more at: https://www.cpe.vt.edu

Transcript and Presenter's Notes

1
Benefits of Virtualization for IT Security
  • Clay Calvert
  • Director of IT Security
  • University of Mary Washington

2
Vocabulary
  • VM / Guest: Virtual Machine
  • Host: Physical machine
  • VMDK: Virtual Disk
  • VMX: Virtual Machine Config File

3
Recent Vendor Progress in Virtualization
  • Microsoft released Hyper-V
  • Steve Ballmer said "It's virtualization time for
    Microsoft. We're gonna make sure we democratize
    virtualization."
  • Apple (finally) allows virtualization of OS-X
    Leopard, but only the server version and only on
    Mac Hardware (of course).
  • Sun buys VirtualBox for i386 and will be
    virtualizing SPARC hardware using a customized
    Xen.

4
What is Virtualization?
  • Per Wikipedia: "In computing, virtualization is a
    broad term that refers to the abstraction of
    computer resources."
  • Virtualization is more than emulation. Virtual
    machines have near real-time access to many of
    the resources on the physical computer.

5
What is Virtualization? (Continued)
  • Virtualization from an application perspective is
    fairly easy. The hard part, for many, is the
    concepts behind a virtual machine.
  • In most cases, a VM can be treated the same as a
    physical computer.
  • How do you back up a Virtual Machine?
  • How do you monitor a VM?

6
How can a VM act like a real computer? Is it
Voodoo?
VMware Bridge Protocol is a layer 2 device.
VMs can have completely different network
protocols installed than the host. In fact, no
layer three networking even needs to be on the
host.
7
What is a Virtual Machine?
  • A virtual machine is primarily a folder
    containing small configuration files and large
    virtual disk files. These folders, just like
    regular directories, can be copied.
  • RAM is a value in a config file.
  • Optical drives are passed through from the
    physical host. ISO files can also be used.

8
Virtual Machine Files Example
9
Sample Virtual Machine Config File
(sanbarrow.com is a great site for .VMX file info)
  • config.version = "8"
  • virtualHW.version = "4"
  • memsize = "384"
  • ide1:0.present = "TRUE"
  • ide1:0.fileName = "auto detect"
  • ide1:0.deviceType = "cdrom-raw"
  • ide0:0.present = "TRUE"
  • ide0:0.fileName = "MAIN.vmdk"
  • ide0:1.present = "TRUE"
  • ide0:1.fileName = "IMAGES.vmdk"
  • ethernet0.present = "TRUE"

10
So, VMs can be copied, you say?
  • What about different physical hardware?
  • For the most part, the same virtual hardware is
    used
  • VMs can be run from Windows, Linux and even Mac
    physical machines. Can you say portable?
  • Disaster Recovery / COOP
  • Have copies of VMs at alternate data center
  • Keep previous versions at the ready
  • Better yet, automatic data synchronization.

11
What else can I do with a copied VM?
  • Part of IT security is separating production from
    development and testing.
  • CISSP Domain: Applications and System
    Development Security
  • Copies of production can be used for nearly
    bit-to-bit identical servers for testing.
  • Be careful not to have name conflicts on network
  • Rename VM server names or sandbox.

12
Cloning Physical Servers into VMs
  • VMware has a converter tool
  • Can clone Windows machines while they are running
  • Drivers, etc., can be automatically installed.
  • Can use Ghost and other imaging tools
  • VMware can mount Ghost and Acronis image files
  • Newer versions only
  • Production may run physically, but Dev and Test
    can be virtualized through cloning.

13
Benefits to Testing and Development
  • Cost of physical servers
  • Do we all have exact copies of production in our
    development and testing labs?
  • What about for each developer/team that needs a
    separate environment?
  • Testing migrations, e.g., Novell to AD
  • Build new servers in Dev., then copy to Prod.

14
Testing and Development Benefits, Cont.
  • Snapshots (One of the coolest features, ever!)
  • Original VMDKs become read-only
  • Disk changes are stored in separate file
  • Reverting to previous state erases all changes
  • Will this service pack break my application?
  • How do you uninstall MDAC updates?

15
Non-Linear Snapshots
Boss, I need 10 PCs so I can test out the web
page with different browsers. This feature is
not on all virtualization applications.
16
High Availability (More Voodoo)
  • Certain virtualization products can move running
    VMs from one physical server to another while
    running.
  • Usually require connecting to same SAN
  • Newer software can copy between SANs
  • VMs shut down on one host can be powered up on
    another physical machine.

17
High Availability, cont.
18
Training / Playground
  • Anyone been to a SANS class?
  • One can do quite a bit of damage to a VM, and be
    able to revert it to the original state.
  • Multiple Operating Systems
  • Linux, Windows, Solaris, DOS, even Novell and more.
  • Can even run 64-bit VMs on 32-bit host OSes
  • Need 64-bit, VT enabled CPU
  • Turn on hardware virtualization in BIOS

19
Forensics benefits with virtualization
  • Malware Analysis
  • Sandbox the VM, i.e., disable network
  • Take snapshots
  • Can use debuggers externally
  • Visual Studio and Eclipse, for example
  • Mount captured disk images as VMs
  • Conversely, how do you image a VM?
  • What about RAM imaging?
  • Keep multiple tools handy. Helix, Backtrack, etc.
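
Added example (not part of the original slides): because a VM's hardware is just text in its .VMX file, the "Sandbox the VM, i.e., disable network" step can be checked before a malware-analysis VM is powered on. The sketch assumes the usual VMX `key = "value"` syntax shown on the sample config slide; the sample file, the function names and the `displayName` and `connectionType` values are constructed for illustration.

```python
import re

# Constructed sample, modelled on the slide's config file.
SAMPLE_VMX = '''\
config.version = "8"
virtualHW.version = "4"
displayName = "malware-lab"
memsize = "384"
ide0:0.present = "TRUE"
ide0:0.fileName = "MAIN.vmdk"
ethernet0.present = "TRUE"
ethernet0.connectionType = "bridged"
ethernet1.present = "FALSE"
# ethernet2.present = "TRUE"   (commented out, must be ignored)
'''

LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {key: value}; keys are lower-cased for lookup, last assignment wins."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def active_nics(settings):
    """Map each adapter marked present to its connection type."""
    nics = {}
    for key, value in settings.items():
        m = re.fullmatch(r"(ethernet\d+)\.present", key)
        if m and value.upper() == "TRUE":
            nic = m.group(1)
            nics[nic] = settings.get(nic + ".connectiontype", "unspecified")
    return nics

def sandbox_findings(settings):
    """Reasons the VM is not network-isolated; an empty list means no adapter."""
    return [f"{nic} is present ({ctype})"
            for nic, ctype in sorted(active_nics(settings).items())]

if __name__ == "__main__":
    for finding in sandbox_findings(parse_vmx(SAMPLE_VMX)):
        print("NOT ISOLATED:", finding)
```

Any adapter marked present is reported, whatever its connection type, since a defined adapter can be attached to a network after power-on.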

20
Network Forensics
  • Fairly easy to capture traffic without needing
    software or in-line sniffer. Capture from Host.
  • VMs can be set to revert to previous state on
    reboot.
  • VMs can be easily deployed. Small. Cheap.
  • Honeypots
  • Honeynets

21
How do you do honeynets?
  • Multiple virtual switches can be created
  • There is no built-in router or firewall but small
    VMs, such as M0n0wall, work great
  • VMs can be assigned multiple NICs
  • Different NICs can be assigned to the virtual
    switches

22
VMware Virtual Network Editor
23
Custom Virtual Network Diagram
24
VMware's and NSA's NetTop
25
VMware's NetTop, cont.
  • Laptop running trusted Linux
  • No TCP/IP installed at this level
  • One Linux VM is a packet filtering router
  • Other Linux VMs are IPSEC firewalls
  • Different security postures are allowed on same
    physical computer. Top Secret and Confidential
    living together. Oh, my!
  • If the NSA can trust virtualization

26
Some Uses of Virtualization
  • Virtual machines allow for great flexibility in a
    wide range of topics
  • Call Centers / Help Desks
  • 16-bit on 64-bit
  • Old software
  • No drivers
  • USB, etc., pass through
  • Screen shots/casts

[Diagram labels: Training, Multiple OSes, Labs, Disaster Recovery, Security, COOP, Documenting, Development, Testing]
27
Impossible Screen Shot. TrueCrypt pre-boot
password prompt.
28
Disadvantages of Virtualization
  • Did I mention that the whole computer is a set of
    files? Hmm, can you say physical security?
  • Shared resources can slow down other VMs.
  • One physical server outage can down several
    production servers.
  • Vulnerabilities in Host can compromise VMs
  • Management
  • Virtual Machine Sprawl
  • Where is it? What Host houses this VM?

29
Giving .EDUs a break
  • VMware Academic Program
  • Most software can be used free of charge for IT,
    computer science and engineering programs.
  • Discount for other software purchased.
  • VirtualBox
  • Commercial version can be used in academic
    institutions.
  • FYI, only decent freeware solution for Mac

30
Questions? Comments?
ccalvert_at_umw.edu 540-286-8122