Title: Secure Virtual Infrastructure: How to Implement Virtualization in NATO
Konrad Wrona, Sabina Torrente, Rita Russo
NATO C3 Agency, Den Haag, Netherlands
2. Overview
- Background of the project
- Supported scenarios
- Network storage
- Security issues
- Related tools
- Future work
3. Project background
- Goal: develop a technical guidance document for NATO Computer Incident Response Capability - Technical Centre (NCIRC TC)
- Requested by NATO INFOSEC Technical Centre (NITC)
- Evaluation performed at NATO C3 Agency
- Work started in mid-2007
- Guidance approved and published in August 2008
4. Content of the guidance
- NCIRC-TC Guidance for Securing VMware ESX Servers 3.x used on NATO Classified Systems (NR and higher): Configuration scripts (classification: NATO Unclassified)
- NCIRC-TC Guidance for Securing VMware ESX Servers 3.x used on NATO Classified Systems (NR and higher): Descriptions and Values (classification: NATO Restricted)
5. Phase 1: Choice of virtualization software
- Evaluation started in the second quarter of 2007
- Included several commercially available products
- Based on three categories of requirements:
  - Essential Security Requirements: must be supported by the virtualization products to be compliant with NATO Directives
  - Functional Requirements: are of potential operational value to NATO
  - Desirable Requirements: would improve the usability and integration of the virtualization products in the NATO environment
6. Examples of essential security requirements
- No VM can access the disk space of other VMs or of the Host.
- It must be possible to prevent a VM's network adapter from running in promiscuous mode.
- Remote management must use (at least) 2-factor authentication.
- Virtualization software must be able to set minimum and maximum values for the CPU load of each VM.
- A list of known bugs, problems, solutions, and patches must be maintained and published.
7. Examples of functional requirements
- Virtualization software must integrate with Microsoft Active Directory for Host authentication.
- Virtualization software must support network card teaming.
- Virtualization software must be able to allocate multiple CPUs to a single VM.
- VMs must support USB mass storage devices.
- VMs must be able to run a 64-bit operating system.
8. Examples of desirable requirements
- Virtualization software should support high availability features.
- Virtualization software should support consolidated backup of itself and all its VMs.
- Virtualization software should support a role-based model of user groups and privileges assigned to administrators of VMs.
- Virtualization software should support an automated update service.
- A mechanism for checking the integrity of Host and VM data should be supported.
9. Results of evaluation
- VMware Virtual Infrastructure 3 best matches the requirements
- Recommended for operational use in NATO Restricted and higher systems
- Other products can still be used for software development, testing and training
10. Operational security requirements
- Only products that have been formally certified by national certification authorities are selected for operational use, e.g. VC 2.5 and ESX Server 3.5
- The product must be deployed in accordance with the specific configuration parameters that are compliant with the security certification and are adapted to the operating environment of the computer network (i.e. NATO CIS).
11. VMware Virtual Infrastructure
12. Phase 2: Reference testbed
13. Reference testbed components
- VC Server 2.5
- ESX Servers 3.5.1
- VC Database (Microsoft SQL Server 2005)
- Active Directory / DNS
- Firewall (Checkpoint NGX)
- Network Attached Storage (NFS) and/or Storage Area Networks (iSCSI and Fibre Channel)
14. Storage area network
- Internet Small Computer System Interface (iSCSI)
- Network File System (NFS)
- Fibre Channel (FC)
15. Storage area network: high-level recommendations
- Separation of storage from production and management traffic, e.g. by using VLAN technology.
- Separation of the storage network for the VI3 from storage used for other applications, e.g. by using VLAN or VSAN technology.
- Firewalling functions in the hosts connected to the storage network to deny the use of non-storage protocols.
- Redundancy measures to increase availability.
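An added example, not part of the deck and not code from the NCIRC-TC guidance: a small audit that checks a network plan against the four storage recommendations above (VLAN separation of storage from production and management traffic, separation of VI3 storage from other applications' storage, storage-host firewall rules that admit only storage protocols, and path redundancy). The plan, host names and rule set are constructed; the port list assumes NFSv3 needs portmapper (111) beside nfsd (2049), and that Fibre Channel, not being IP-based, has no port to check.

```python
"""Audit a VI3 network plan against the storage-network recommendations.

Added example with constructed data; not the guidance document's own
configuration scripts.
"""
from typing import Dict, List, Set, Tuple

# IP ports used by the IP-based storage protocols named in the deck.
# Assumption: NFSv3 needs portmapper (111) next to nfsd (2049); iSCSI is 3260.
# Fibre Channel is not IP-based, so it has no entry here.
STORAGE_PORTS: Set[int] = {3260, 111, 2049}

TrafficPlan = Dict[int, Set[str]]   # VLAN id -> traffic classes it carries
Rule = Tuple[str, str, int, str]    # (host, proto, port, action) on the storage interface


def check_vlan_separation(vlans: TrafficPlan) -> List[str]:
    """Storage must not share a VLAN with production or management traffic,
    and VI3 storage must not share a VLAN with other applications' storage."""
    findings = []
    for vid, classes in sorted(vlans.items()):
        mixed = classes & {"production", "management"}
        if "storage-vi3" in classes and mixed:
            findings.append(f"VLAN {vid}: VI3 storage shares VLAN with {sorted(mixed)}")
        if "storage-vi3" in classes and "storage-other" in classes:
            findings.append(f"VLAN {vid}: VI3 storage shares VLAN with other-application storage")
    return findings


def check_storage_host_rules(rules: List[Rule]) -> List[str]:
    """Hosts on the storage network should deny every non-storage protocol:
    flag any 'allow' rule whose port is outside STORAGE_PORTS."""
    return [
        f"{host}: allows non-storage {proto}/{port} on storage interface"
        for host, proto, port, action in rules
        if action == "allow" and port not in STORAGE_PORTS
    ]


def check_redundancy(paths: Dict[str, int]) -> List[str]:
    """Each host should have at least two independent paths to its storage."""
    return [f"{host}: only {n} path(s) to storage"
            for host, n in sorted(paths.items()) if n < 2]


def audit(vlans: TrafficPlan, rules: List[Rule], paths: Dict[str, int]) -> List[str]:
    """Run all three checks and return the combined findings."""
    return (check_vlan_separation(vlans)
            + check_storage_host_rules(rules)
            + check_redundancy(paths))


# Constructed sample plan (hypothetical hosts esx01/esx02): VLAN 20 wrongly
# carries both VI3 storage and management traffic, esx02 permits SSH on its
# storage interface, and esx02 has a single path to storage.
SAMPLE_VLANS: TrafficPlan = {
    10: {"production"},
    20: {"storage-vi3", "management"},
    30: {"storage-other"},
}
SAMPLE_RULES: List[Rule] = [
    ("esx01", "tcp", 3260, "allow"),
    ("esx01", "tcp", 22, "deny"),
    ("esx02", "tcp", 2049, "allow"),
    ("esx02", "tcp", 22, "allow"),
]
SAMPLE_PATHS: Dict[str, int] = {"esx01": 2, "esx02": 1}

if __name__ == "__main__":
    for finding in audit(SAMPLE_VLANS, SAMPLE_RULES, SAMPLE_PATHS):
        print(finding)
```

Each check is kept independent so that a VLAN plan, a host firewall rule set, or a multipath inventory can be fed in on its own as it becomes available during a deployment review.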
16. Security related issues
- Misuse of PKI in the default configuration of Virtual Center up to version 2.0.1 Patch 1
- Default certificates should be replaced by certificates generated for the particular setup:
  - Manually generated
  - Commercial PKI
  - Specific organizational PKI
- If shared storage is not configured properly, VMotion introduces a new point of attack
17. Security related issues
- ESX is Linux-based
  - Proper security setup of the service console is required
  - ESXi removes the service console altogether
- Integration into Active Directory is challenging
- The scripting SDK is not well documented
- VM users and processes can abuse system logs to perform DoS on the service console
- Virtual Center system logs do not provide enough information for troubleshooting
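An added example, not part of the deck and not code from the NCIRC-TC guidance: detection logic for the log-abuse issue on the slide above, where processes tied to a VM swamp the service console's system logs. It parses classic syslog lines, keeps a sliding window per (host, tag) source and reports any source whose line count or byte volume within the window exceeds a threshold. The log lines, host name esx01 and the tag vmx-app01 are constructed; the thresholds are illustrative, not values from the guidance.

```python
"""Flag sources that flood the service console syslog.

Added example over constructed log lines; not the guidance's own tooling.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Classic syslog line: "Mon DD HH:MM:SS host tag[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<tag>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
LOG_YEAR = 2008  # syslog lines carry no year; constructed data is from 2008


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Return (timestamp, host, tag, byte_size) or None for an unparsable line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["tag"].strip(), len(line.encode())


def find_log_floods(lines: List[str], window_s: int = 60,
                    max_lines: int = 100, max_bytes: int = 50_000
                    ) -> List[Tuple[str, str, int, int]]:
    """Return (host, tag, line_count, byte_count) for every source that
    exceeds max_lines or max_bytes inside any window_s-second window.
    A source is reported once, at the first window that trips a threshold."""
    events: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, host, tag, size = parsed
            events[(host, tag)].append((ts, size))

    findings = []
    for (host, tag), evs in sorted(events.items()):
        evs.sort()
        start, byte_sum = 0, 0
        for end, (ts, size) in enumerate(evs):
            byte_sum += size
            # Slide the window start forward until it is within window_s of ts.
            while (ts - evs[start][0]).total_seconds() > window_s:
                byte_sum -= evs[start][1]
                start += 1
            count = end - start + 1
            if count > max_lines or byte_sum > max_bytes:
                findings.append((host, tag, count, byte_sum))
                break
    return findings


# Constructed sample: three ordinary sshd lines spread over ten minutes, and
# a hypothetical VM process tag "vmx-app01" writing two lines every second
# for a minute (120 lines inside a 60-second window).
SAMPLE_LINES: List[str] = [
    "Aug 15 10:00:05 esx01 sshd[1201]: Accepted publickey for admin from 10.0.0.5",
    "Aug 15 10:05:10 esx01 sshd[1201]: session opened for user admin",
    "Aug 15 10:09:30 esx01 sshd[1201]: session closed for user admin",
]
for sec in range(60):
    for _ in range(2):
        SAMPLE_LINES.append(f"Aug 15 10:00:{sec:02d} esx01 vmx-app01[4242]: guest event")

if __name__ == "__main__":
    for host, tag, count, nbytes in find_log_floods(SAMPLE_LINES):
        print(f"{host}/{tag}: {count} lines, {nbytes} bytes within 60s")
```

Counting per source rather than per host is what makes the result actionable: the finding names the log tag to throttle or rate-limit on the service console, while well-behaved sources on the same host (sshd here) stay unreported.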
18. Related work
- VMware Infrastructure 3 hardening recommendations
- Xtravirt VMware VI3 Security Risk Assessment Template
- Tripwire ConfigCheck utility
- Tripwire Enterprise for VMware ESX server
  - Can also be used to assess the security configuration of other VI3 components: Active Directory, Virtual Center server, and NAS
19. Future work and open issues
- A hypervisor-level IDS/IPS solution could offer a potentially interesting alternative to host- and network-level IDS/IPS
- Support for secure multi-domain and multi-level virtualization
- Continuous evaluation of new products and more complex system architectures
- Integration with NATO PKI
20. Thank you for your attention!
Konrad Wrona, Senior Scientist - Information Assurance, CAT 8 - NATO C3 Agency