Konrad Wrona, Sabina Torrente, Rita Russo, NATO C3 Agency, Den Haag, Netherlands

1
Konrad Wrona, Sabina Torrente, Rita Russo
NATO C3 Agency, Den Haag, Netherlands
Secure Virtual Infrastructure: How to Implement Virtualization in NATO
2
Overview
  • Background of the project
  • Supported scenarios
  • Network storage
  • Security issues
  • Related tools
  • Future work

3
Project background
  • Goal: Develop a technical guidance document for
    NATO Computer Incident Response Capability -
    Technical Centre (NCIRC TC)
  • Requested by NATO INFOSEC Technical Centre (NITC)
  • Evaluation performed at NATO C3 Agency
  • Work started in mid-2007
  • Guidance approved and published in August 2008

4
Content of the guidance
  • NCIRC-TC Guidance for Securing VMware ESX servers
    3.x used on NATO Classified Systems (NR and
    higher) (NATO Unclassified)
  • Configuration scripts
  • NCIRC-TC Guidance for Securing VMware ESX servers
    3.x used on NATO Classified Systems (NR and
    higher): Descriptions and Values (NATO
    Restricted)

5
Phase 1: Choice of virtualization software
  • Evaluation started in the second quarter of 2007
  • Included several commercially available products
  • Based on three categories of requirements
    • Essential Security Requirements: must be
      supported by the virtualization products to be
      compliant with NATO Directives.
    • Functional Requirements: are of potential
      operational value to NATO.
    • Desirable Requirements: would improve the
      usability and integration of the virtualization
      products in the NATO environment.

6
Examples of essential security requirements
  • No VM can access the disk space of other VMs or
    the Host.
  • It must be possible to prevent a VM's network
    adapter from running in promiscuous mode.
  • Remote management must use (at least) 2-factor
    authentication.
  • Virtualization software must be able to set
    minimum and maximum values for CPU load of each
    VM.
  • A list of known bugs, problems, solutions, and
    patches must be maintained and published.

7
Examples of functional requirements
  • Virtualization software must integrate with
    Microsoft Active Directory for Host
    authentication.
  • Virtualization software must support network card
    teaming.
  • Virtualization software must be able to allocate
    multiple CPUs to a single VM.
  • VMs must support USB mass storage devices.
  • VMs must be able to run a 64-bit operating system.

8
Examples of desirable requirements
  • Virtualization software should support high
    availability features.
  • Virtualization software should support
    consolidated backup of itself and all its VMs.
  • Virtualization software should support a
    role-based model of user groups and privileges
    assigned to administrators of VMs.
  • Virtualization software should support an
    automated update service.
  • A mechanism for checking the integrity of Host's
    and VMs' data should be supported.

9
Results of evaluation
  • VMware Virtual Infrastructure 3 best matches the
    requirements
  • Recommended for operational use in NATO
    Restricted and higher systems
  • Other products can still be used for software
    development, testing and training

10
Operational security requirements
  • Only products that have been formally certified
    by national certification authorities are
    selected for operational use
    • e.g. VC 2.5 and ESX Server 3.5
  • Product must be deployed in accordance with the
    specific configuration parameters that are
    compliant with the security certification, and
    are adapted to the operating environment of the
    computer network (i.e. NATO CIS).

11
VMware Virtual Infrastructure
12
Phase 2: Reference testbed
13
Reference testbed components
  • VC Server 2.5
  • ESX Servers 3.5.1
  • VC Database (Microsoft SQL Server 2005)
  • Active Directory / DNS
  • Firewall (Checkpoint NGX)
  • Network Attached Storage (NFS) and/or Storage
    Area Networks (iSCSI and Fibre Channel)

14
Storage area network
  • Internet Small Computer System Interface (iSCSI)
  • Network File System (NFS)
  • Fibre Channel (FC)

15
Storage area network: high-level recommendations
  • Separation of storage from production and
    management traffic, e.g. by using VLAN
    technology.
  • Separation of storage network for the VI3 from
    storage used for other applications,
    e.g. by using VLAN or VSAN technology.
  • Firewalling functions in the hosts connected to
    the storage network to deny the use of
    non-storage protocols.
  • Redundancy measures to increase availability.
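
One way to check the host-firewall recommendation above, as an added example that is not part of the original presentation: a small audit of a Linux host's rules in iptables-save format that flags anything other than storage traffic allowed on the storage-facing interface. The interface name eth1, the storage port list (iSCSI 3260, NFS 2049 and portmapper 111) and the sample ruleset are assumptions constructed for illustration.

```python
import re

# Assumed storage protocols: iSCSI target (3260/tcp), NFS and portmapper
# (2049 and 111 over tcp/udp). Adjust to the storage actually deployed.
STORAGE_PORTS = {("tcp", 3260), ("tcp", 2049), ("udp", 2049),
                 ("tcp", 111), ("udp", 111)}

# Constructed sample in iptables-save format; eth1 is the assumed
# storage-facing interface.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -p tcp --dport 3260 -j ACCEPT
-A OUTPUT -o eth1 -p tcp --dport 2049 -j ACCEPT
-A OUTPUT -o eth1 -p tcp --dport 22 -j ACCEPT
-A OUTPUT -o eth1 -p icmp -j ACCEPT
COMMIT
"""

def audit_storage_rules(rules_text, iface):
    """Return findings where non-storage traffic could pass on iface."""
    findings = []
    for line in rules_text.splitlines():
        policy = re.match(r":(INPUT|OUTPUT) (\w+)", line)
        if policy and policy.group(2) != "DROP":
            findings.append(f"{policy.group(1)} default policy is "
                            f"{policy.group(2)}, not DROP")
            continue
        if not line.startswith("-A ") or "-j ACCEPT" not in line:
            continue
        if not re.search(rf"-[io] {re.escape(iface)}\b", line):
            continue  # rule is bound to a different interface
        if "--state RELATED,ESTABLISHED" in line:
            continue  # return traffic for connections already permitted
        proto = re.search(r"-p (\w+)", line)
        port = re.search(r"--dport (\d+)(?=\s|$)", line)  # single port only
        if not proto or not port:
            findings.append(f"ACCEPT not limited to one protocol and port: {line}")
        elif (proto.group(1), int(port.group(1))) not in STORAGE_PORTS:
            findings.append(f"non-storage service {proto.group(1)}/"
                            f"{port.group(1)} allowed: {line}")
    return findings

if __name__ == "__main__":
    for finding in audit_storage_rules(SAMPLE_RULES, "eth1"):
        print(finding)
```

On the constructed sample this reports the permissive OUTPUT policy, the SSH rule and the unrestricted ICMP rule; port ranges and multiport matches are also reported because they are not limited to a single storage port.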

16
Security related issues
  • Misuse of PKI in default configuration of Virtual
    Center up to version 2.0.1 Patch 1
  • Default certificates should be replaced by
    certificates generated for a particular setup
    • Manually generated
    • Commercial PKI
    • Specific organizational PKI
  • If shared storage is not configured properly,
    VMotion introduces a new point of attack

17
Security related issues
  • ESX is Linux-based
  • Proper security setup of service console is
    required
  • ESXi removes service console altogether
  • Integration into Active Directory is challenging
  • Scripting SDK is not well documented
  • VM users and processes can abuse system logs to
    perform DoS on service console
  • Virtual Center system logs do not provide enough
    information for troubleshooting

18
Related work
  • VMware Infrastructure 3 hardening recommendations
  • Xtravirt VMware VI3 Security Risk Assessment
    Template
  • Tripwire ConfigCheck utility
  • Tripwire Enterprise for VMware ESX server
  • Can also be used to assess the security
    configuration of other VI3 components: Active
    Directory, Virtual Center server, and NAS

19
Future work and open issues
  • Hypervisor-level IDS/IPS solution could offer a
    potentially interesting alternative to host and
    network-level IDS/IPS
  • Support for secure multi-domain and multi-level
    virtualization
  • Continuous evaluation of new products and more
    complex system architectures
  • Integration with NATO PKI

20
Thank you for your attention!
Konrad Wrona
Senior Scientist - Information Assurance
CAT 8 - NATO C3 Agency