2 - Vmware

VMware & Security: VMsafe. Bob van der Werf, Sr. Systems Engineer, VMware

Transcript of 2 - Vmware

8/4/2019 2 - Vmware

http://slidepdf.com/reader/full/2-vmware 1/15

VMware & Security: VMsafe

Bob van der Werf

Sr. Systems Engineer

VMware

VMware vSphere™ – Components

(Slide diagram; labels recovered from the extracted text and grouped by their adjacency there.)

vSphere 4.0

Application Services
  Availability: Clustering, Data Protection
  Security: Firewall, Anti-virus, Intrusion Prevention, Intrusion Detection
  Scalability: Dynamic Resource Sizing

Infrastructure Services
  vCompute: Hardware Assist, Enhanced Live Migration Compatibility
  vStorage: Storage Management & Replication, Storage Virtual Appliances
  vNetwork: Network Management

Leveraging Virtualization To Solve Security Problems

Security solutions are facing a growing problem

Protection engines do not get complete visibility into the OS

Protection engines are running in the same context as the malware they are protecting against

Even those that are in a safe context can’t see other contexts (e.g. network protection has no host visibility)

VMware VMsafe APIs

VMware VMsafe™

New approach to VM security

Protect by inspection of virtual components (CPU, memory, network and storage)

Functionality provided in a Security Virtual Appliance

Complete integration with VMware vSphere, e.g. VMotion, Storage VMotion, HA

Better context

Isolated from the malware; works in cooperation with the smaller, trustable codebase of the hypervisor

(Slide diagram: ESX shown alongside ESX with VMsafe.)

VMsafe CPU/Memory API

Can inspect memory locations and CPU registers

Hypervisor Extension implemented as VMX/VMM modules

VMsafe API Library

Capabilities:

Detect the current application state in the protected VM's CPU from general-purpose register values

Sense system configuration state from the control registers of the protected VM

VMware vSphere™: VMsafe CPU/Memory Interface

(Slide diagram. A Security Virtual Machine running the Security Agent and the VMsafe Library sits next to two Protected Virtual Machines; the VMsafe CPU/Memory Interface connects the agent to the VMsafe Extension in the VMX/VMM modules.)

VMsafe CPU/Memory API Use Cases

BIOS: Early Boot Security

Security Agents are up and running before the protected VM powers on

System Integrity Protection

The Security Agent can monitor the protected VM's physical memory accesses

Enforce multiple policies (verify-before-execute)

Defeats: shellcode injection attack (overflow attack)

Defeats: kernel code injection attack (bypass driver-signing processes)
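The verify-before-execute and control-register policies above, as an added example that is not VMware code and not the VMsafe API itself: a Python simulation of what a CPU/Memory security agent would enforce from outside the protected VM. Guest physical memory is a bytearray of 4 KiB pages; the calls observe_write() and check_execute() are stand-ins for the hypervisor extension's hooks; the page layout, the code bytes and the stack payload are constructed; the two CR0 values are typical values with the WP bit set and cleared. One caveat the slide does not state: hashing page contents catches injected or patched code, but not code-reuse attacks that only execute existing, unmodified code pages.

```python
"""
Added example, not VMware's VMsafe code: a simulation of the verify-before-execute
and control-register policies a VMsafe CPU/Memory security agent could enforce
from outside the protected VM.  Guest physical memory is a bytearray of 4 KiB
pages; the hypervisor side is simulated by calling observe_write() and
check_execute() directly.
"""
import hashlib

PAGE_SIZE = 4096
CR0_WP = 1 << 16          # CR0.WP: supervisor writes honour page-level read-only bits


class MemoryIntrospectionAgent:
    def __init__(self, guest_mem, code_pages):
        self.mem = guest_mem
        # Hash every trusted code page before the guest runs (the early-boot use case).
        self.allowed = {p: self._hash_page(p) for p in code_pages}
        self.dirty = set()                     # pages written since last verification
        self.events = []

    def _hash_page(self, page):
        start = page * PAGE_SIZE
        return hashlib.sha256(self.mem[start:start + PAGE_SIZE]).digest()

    def observe_write(self, gpa, data):
        """Hypervisor callback for a guest write to physical address gpa."""
        self.mem[gpa:gpa + len(data)] = data
        for page in range(gpa // PAGE_SIZE, (gpa + len(data) - 1) // PAGE_SIZE + 1):
            self.dirty.add(page)

    def check_execute(self, gpa):
        """Verify-before-execute: allow only unmodified pages from the trusted set."""
        page = gpa // PAGE_SIZE
        if page not in self.allowed:
            return self._verdict(False, page, "execute from non-code page")
        if page in self.dirty:
            if self._hash_page(page) != self.allowed[page]:
                return self._verdict(False, page, "code page modified")
            self.dirty.discard(page)           # rewritten with identical bytes: still trusted
        return self._verdict(True, page, "ok")

    def check_control_registers(self, cr0):
        """Configuration policy read from the vCPU: the kernel must keep CR0.WP set."""
        ok = bool(cr0 & CR0_WP)
        return self._verdict(ok, None, "ok" if ok else "CR0.WP cleared")

    def _verdict(self, ok, page, reason):
        self.events.append(("allow" if ok else "deny", page, reason))
        return ok


def demo():
    """Constructed guest: page 0 user code, page 1 kernel code, page 2 stack, page 3 heap."""
    mem = bytearray(4 * PAGE_SIZE)
    mem[0:PAGE_SIZE] = bytes(range(256)) * 16                  # constructed "user code"
    mem[PAGE_SIZE:2 * PAGE_SIZE] = bytes(reversed(range(256))) * 16  # constructed "kernel code"
    agent = MemoryIntrospectionAgent(mem, code_pages={0, 1})
    results = [agent.check_execute(0x10)]                      # trusted code: allow
    shellcode = b"\x90" * 8 + b"\x48\x31\xc0\x0f\x05"           # constructed stack payload
    agent.observe_write(2 * PAGE_SIZE + 0x800, shellcode)
    results.append(agent.check_execute(2 * PAGE_SIZE + 0x800))  # stack page: deny
    agent.observe_write(PAGE_SIZE + 0x100, b"\xe9\x00\x10\x00\x00")  # patch kernel text
    results.append(agent.check_execute(PAGE_SIZE + 0x100))     # modified code page: deny
    agent.observe_write(0x40, bytes(mem[0x40:0x44]))           # same bytes rewritten
    results.append(agent.check_execute(0x40))                  # re-verified: allow
    results.append(agent.check_control_registers(0x80050033))  # WP set: allow
    results.append(agent.check_control_registers(0x80040033))  # WP cleared: deny
    return results, agent.events


if __name__ == "__main__":
    for event in demo()[1]:
        print(*event)
```

Running demo() yields one allow for the trusted page, denials for the stack payload and the patched kernel page, an allow for the page rewritten with identical bytes, and a denial once CR0.WP is cleared. The dirty set is what keeps this affordable: a page is re-hashed only after it has been written, not on every execution.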

VMsafe Network Packet Inspection API

Provides distributed virtual filter (DVFilter) solutions to protect network packet streams

vNetwork Data Path Agent (Fast Agent)

Installs as a kernel module and directly intercepts packets in the virtual network packet stream

vNetwork Control Path Agent (Slow Agent)

Resides in a security virtual appliance and can be used for further, more thorough processing

VMware vSphere™: VMsafe Net Data/Control Path Agents

(Slide diagram. The Security Virtual Machine runs the Security Agent, the DVFilter Library and the Control Path Agent; each Protected Virtual Machine's vNIC has a Data Path Agent attached as a DVFilter between the vNIC and the vNetwork Distributed Switch / vSwitch, which connects to the pNICs.)

VMsafe Network Packet Inspection API Capabilities

Inspecting packets

Modifying packets

Passing a packet to the control path agent for further processing

Dropping packets from the packet stream

Injecting packets in the packet stream
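The data-path/control-path split and the five capabilities listed above, as an added example that is not VMware's DVFilter code: a Python simulation in which constructed Ethernet/IPv4/TCP frames pass through a fast-path filter that makes header-only decisions and punts frames carrying payload to a slow-path agent, which then passes, drops, modifies or injects packets. The policy (block telnet, drop a directory-traversal request and reset the client, mask a server banner), the MAC and IP addresses and the traffic are all constructed for the example. The modification keeps the payload length unchanged so TCP sequence numbers stay valid, and recomputes the TCP checksum, which a real filter must do as well.

```python
"""
Added example, not VMware's DVFilter code: a simulation of the VMsafe network
data-path (fast) / control-path (slow) split over constructed Ethernet/IPv4/TCP
frames.  Fast path: header-only verdicts; slow path: pass, drop, modify, inject.
"""
import struct

PASS, DROP, PUNT = "pass", "drop", "punt"
BLOCKED_PORTS = {23}                                # constructed policy: no telnet
MASK_BANNER = (b"Apache/2.2.3", b"Apache      ")    # same length: sequence numbers stay valid


def checksum(data):
    """RFC 1071 ones-complement sum used by both IPv4 and TCP."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src_ip, dst_ip, tcp):
    """TCP checksum over the IPv4 pseudo-header and the segment."""
    return checksum(src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame with valid IPv4 and TCP checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def parse(frame):
    """Minimal decoder; returns None unless the frame is IPv4 carrying TCP."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    if ip[6] != 6:
        return None
    l4 = 14 + (ip[0] & 0x0F) * 4
    sport, dport, seq, ack, doff, flags = struct.unpack("!HHIIBB", frame[l4:l4 + 14])
    return dict(src_mac=frame[6:12], dst_mac=frame[0:6], src_ip=ip[8], dst_ip=ip[9], l4=l4,
                sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
                payload_off=l4 + (doff >> 4) * 4)


def tcp_checksum_ok(frame):
    """A valid segment sums to zero when its own checksum field is included."""
    p = parse(frame)
    return tcp_checksum(p["src_ip"], p["dst_ip"], frame[p["l4"]:]) == 0


def data_path_filter(frame):
    """Fast agent (kernel module): cheap, header-only decisions in the packet stream."""
    pkt = parse(frame)
    if pkt is None:
        return PASS                       # not IPv4/TCP: outside this filter's policy
    if pkt["dport"] in BLOCKED_PORTS:
        return DROP                       # policy block, no deeper inspection needed
    if len(frame) > pkt["payload_off"]:
        return PUNT                       # carries data: hand to the control path agent
    return PASS


def control_path_agent(frame):
    """Slow agent (security VM): returns (verdict, frames to emit into the stream)."""
    pkt = parse(frame)
    payload = frame[pkt["payload_off"]:]
    if payload.startswith(b"GET ") and b"../" in payload:
        # Drop the request and inject a RST towards the client; RST seq = client's ACK number.
        rst = build_frame(pkt["dst_mac"], pkt["src_mac"], pkt["dst_ip"], pkt["src_ip"],
                          pkt["dport"], pkt["sport"], pkt["ack"], 0, 0x04)
        return DROP, [rst]
    if MASK_BANNER[0] in payload:
        # Modify the payload and recompute the TCP checksum; the IP header is unchanged.
        tcp = bytearray(frame[pkt["l4"]:pkt["payload_off"]] + payload.replace(*MASK_BANNER))
        tcp[16:18] = b"\0\0"
        tcp[16:18] = struct.pack("!H", tcp_checksum(pkt["src_ip"], pkt["dst_ip"], bytes(tcp)))
        return PASS, [frame[:pkt["l4"]] + bytes(tcp)]
    return PASS, [frame]


def run_dvfilter(frames):
    """Fast path first; only punted frames reach the slow path. Returns [(verdict, emitted)]."""
    out = []
    for frame in frames:
        verdict = data_path_filter(frame)
        if verdict == PUNT:
            out.append(control_path_agent(frame))
        else:
            out.append((verdict, [frame] if verdict == PASS else []))
    return out


CLIENT_MAC, SERVER_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
CLIENT_IP, SERVER_IP = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80])   # constructed addresses


def demo():
    """Constructed traffic: a SYN, a telnet SYN, a traversal request and a server banner."""
    frames = [
        build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 40000, 80, 1000, 0, 0x02),
        build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 40001, 23, 1000, 0, 0x02),
        build_frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 40000, 80, 1001, 5001, 0x18,
                    b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
        build_frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 40000, 5001, 1035, 0x18,
                    b"HTTP/1.0 200 OK\r\nServer: Apache/2.2.3\r\n\r\n"),
    ]
    return run_dvfilter(frames)
```

demo() returns pass, drop, drop and pass for the four frames: the SYN never leaves the fast path, the telnet SYN is dropped there, the traversal request is punted and answered with an injected RST (sequence number taken from the client's ACK so the client accepts it), and the banner is rewritten in place with a fresh TCP checksum.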

VMsafe Virtual Disk Development Kit

Provides interfaces that let applications directly manipulate Virtual Machine Disk Format (VMDK) images

VDDK: Virtual Disk Development Kit

Read/write data anywhere in a VMDK file

Create and manage redo logs (parent-child disk chaining)

Read and write disk metadata

VMsafe Virtual Disk Development Kit: Use Cases

Read the VMDK image files offline, checking each sector for a virus signature

Perform a forensic analysis on the VMDK image files

Monitor compliance of configuration files on virtual disks

Scan for unauthorized content on virtual disks, such as credit card or social security numbers
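The offline sector scan described above, as an added example that is not VMware VDDK code: Python that parses a VMDK descriptor, reads its FLAT extents sector by sector (the granularity at which VixDiskLib_Read works) and scans for a constructed signature set, carrying the tail of each sector forward so a match that straddles a sector or extent boundary is still found. The descriptor, the extent files, the signature list (the EICAR test-string prefix as a stand-in) and the card-number check are constructed for the demo; SPARSE (grain-table) extents are not decoded. Note that the disk of a running VM only reads consistently through a snapshot, since the VM keeps writing to the active disk; the redo-log chaining from the previous slide is what makes that possible.

```python
"""
Added example, not VMware VDDK code: an offline scan of a VMDK made of FLAT
extents, reading it sector by sector the way a VDDK-based scanner would call
VixDiskLib_Read, with a carried-over tail so signatures that straddle a sector
or extent boundary are still found.  SPARSE (grain-table) extents are not
decoded here.
"""
import os
import re
import shutil
import tempfile

SECTOR = 512
# Constructed signature set: one byte pattern (the EICAR test-string prefix as a stand-in)
# and a 16-digit card-number shape that must also pass the Luhn check.
BYTE_SIGNATURES = {"eicar-prefix": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"}
PAN_RE = re.compile(rb"(?<![0-9])[0-9]{16}(?![0-9])")
EXTENT_RE = re.compile(r'^(?:RW|RDONLY|NOACCESS)\s+(\d+)\s+FLAT\s+"([^"]+)"\s+(\d+)', re.M)


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_descriptor(path):
    """Return [(sector_count, extent_path, offset_in_sectors)] in disk order; FLAT extents only."""
    with open(path) as f:
        text = f.read()
    base = os.path.dirname(path)
    extents = [(int(n), os.path.join(base, name), int(off)) for n, name, off in EXTENT_RE.findall(text)]
    if not extents:
        raise ValueError("no FLAT extents in descriptor (SPARSE extents not supported here)")
    return extents


def iter_sectors(extents):
    """Yield (absolute LBA, 512-byte sector) across all extents in order."""
    lba = 0
    for count, ext_path, offset in extents:
        with open(ext_path, "rb") as f:
            f.seek(offset * SECTOR)
            for _ in range(count):
                yield lba, f.read(SECTOR)
                lba += 1


def scan_disk(descriptor):
    """Return [(signature name, absolute byte offset)] for every match on the disk."""
    carry = max(max(len(s) for s in BYTE_SIGNATURES.values()), 16) - 1
    hits, tail = [], b""
    for lba, sector in iter_sectors(parse_descriptor(descriptor)):
        window = tail + sector                 # previous tail lets cross-boundary matches complete
        base = lba * SECTOR - len(tail)
        for name, sig in BYTE_SIGNATURES.items():
            pos = window.find(sig)
            while pos != -1:
                if pos + len(sig) > len(tail):  # ends in this sector: not reported last time
                    hits.append((name, base + pos))
                pos = window.find(sig, pos + 1)
        for m in PAN_RE.finditer(window):
            if m.end() > len(tail) and luhn_ok(m.group().decode()):
                hits.append(("pan", base + m.start()))
        tail = sector[-carry:]
    return hits


def demo():
    """Constructed two-extent disk: a hit inside sector 3, one straddling the extent boundary,
    a Luhn-valid PAN in sector 12 and a Luhn-invalid decoy in sector 14."""
    sig = BYTE_SIGNATURES["eicar-prefix"]
    img = bytearray(16 * SECTOR)
    img[3 * SECTOR + 100:3 * SECTOR + 100 + len(sig)] = sig
    img[8 * SECTOR - 10:8 * SECTOR - 10 + len(sig)] = sig
    img[12 * SECTOR + 7:12 * SECTOR + 7 + 22] = b"card=4111111111111111;"
    img[14 * SECTOR:14 * SECTOR + 16] = b"1234567890123456"
    d = tempfile.mkdtemp()
    try:
        with open(os.path.join(d, "demo-f001.vmdk"), "wb") as f:
            f.write(img[:8 * SECTOR])
        with open(os.path.join(d, "demo-f002.vmdk"), "wb") as f:
            f.write(img[8 * SECTOR:])
        desc = os.path.join(d, "demo.vmdk")
        with open(desc, "w") as f:
            f.write('# Disk DescriptorFile\nversion=1\ncreateType="twoGbMaxExtentFlat"\n\n'
                    '# Extent description\nRW 8 FLAT "demo-f001.vmdk" 0\nRW 8 FLAT "demo-f002.vmdk" 0\n')
        return scan_disk(desc)
    finally:
        shutil.rmtree(d)
```

demo() reports three hits: the signature inside sector 3, the copy that starts ten bytes before the end of the first extent and finishes in the second, and the Luhn-valid card number; the decoy fails Luhn and is not reported. Without the carried-over tail, the straddling copy would be missed, which is the usual failure mode of a naive per-sector scanner.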

Current VMsafe Program Partnerships

Thank You

Bob van der Werf

[email protected]

http://www.vmware.com/go/security
http://www.vmware.com/go/compliance