Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Uploaded by greenpepperwhinnySecurity, Nov 3, 2013

Rob Randell, CISSP, CCSK
Principal Systems Engineer
Security Specialist

Agenda

- Security Perspective on Customer Journey to the Cloud
- Whiteboard Overview of How Virtualization and Cloud Affect Datacenter Security
- How to Secure our Cloud and Make it Compliant
- Network Security and Secure Multi-tenancy in the Cloud

Security Perspective On Customer Deployment Architectures

- Physical deployments are still considered to be most secure and remain in all enterprises
- Air gapped pods are preferred by security teams for virtualized high risk assets (SOX, PCI, DMZ)
- Mixed trust clusters typically have the M&M security model, blocking important asset migration to them
- Private cloud is an extension of the mixed trust deployment, with more automation and self service
- Dedicated Private Cloud SLAs make it virtually the same risk level as the on-premise deployments
- Multi-tenant Public Cloud is just emerging, with concerns around visibility, audit, control and compliance

[Figure: deployment spectrum on two 0-to-5 scales: Physical; Air Gapped Pods; Mixed Trust Clusters; On-Premise Private Cloud; Dedicated Private "Cloud" (eBay, CSC); Public Multi-Tenant Cloud (Terremark, EC2)]

The Datacenter needs to be secured at different levels

Perimeter Security: keep the bad guys out
- Perimeter security device(s) at the edge
- Firewall, VPN, Intrusion Prevention
- Load balancers

Internal Security: segmentation of applications, servers
- VLAN or subnet based policies
- Interior or Web application Firewalls
- DLP, application identity aware policies

End Point Security
- Desktop AV agents
- Host based intrusion
- DLP agents for privacy

Cost & Complexity at the vDC Edge
- Sprawl: hardware, FW rules, VLANs
- Rigid FW rules
- Performance bottlenecks

[Figure: datacenter diagram showing the Perimeter, Internal and End Point Security layers and the VLANs between them]

Simple Definition of a Virtual Datacenter

[Figure: Tenant 1, Tenant 2, Tenant ..., each with its own DMZ, App1 and App2]

- The isolated and secured share of a virtualized multitenant environment.
- Like a physical datacenter shares the Internet for interconnectivity, the tenants of a cloud (public or private) share the local network within the private datacenter or in the service provider's network, and also like a physical datacenter, each tenant also has their own private, isolated, and secured virtual networking infrastructure.

Securing virtual Data Centers (vDC) with legacy security solutions

Legacy security solutions do not allow the realization of true virtualization and cloud benefits

- Air Gapped Pods with dedicated physical hardware
- Mixed trust clusters without internal security segmentation
- Configuration Complexity
  o VLAN sprawl
  o Firewall rules sprawl
  o Rigid network IP rules without resource context
- Private clouds (?)

[Figure: virtualized DMZ with firewalls, split into Web, Application and Database zones on separate vSphere hosts, with the Perimeter, Internal and Endpoint Security layers between the Internet and the zones]

Platform Sec.

Secure the Underlying Platform FIRST

Use the Principles of Information Security
- Hardening and Lockdown
- Defense in Depth
- Authorization, Authentication, and Accounting to enforce Separation of Duties and Least Privileges
- Administrative Controls

For virtualization this means:
- Harden the Virtualization layer
- Set up Access Controls
- Secure the Guests
- Leverage Virtualization Specific Administrative Controls

What Auditors Want to See:

- Network Controls
- Change Control and Configuration Management
- Access Controls & Management
- Vulnerability Management
Protection of Management Interfaces is Key

Segment out all non-production networks
- Use VLAN tagging, or
- Use separate vSwitch (see diagram)

Strictly control access to management network, e.g.
- RDP to jump box, or
- VPN through firewall

[Figure: ESX/ESXi host with uplinks vmnic1-4; vSwitch1 carries the Production port group and the VM vNICs to the Prod Network, while a separate vSwitch2 carries the VMkernel Mgmt and Storage port groups to the Mgmt Network (vCenter, IP-based Storage, other ESX/ESXi hosts)]

VMware vSphere 4 Hardening Guidelines: http://www.vmware.com/resources/techresources/10109
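The "separate vSwitch or VLAN tag" rule above is easy to state and easy to violate quietly on a busy host. The following check is an added example, not the deck's or VMware's code: it walks a constructed inventory (host, vSwitch, port group with kind, service and VLAN tag) and reports every non-production VMkernel port group that still shares a broadcast domain with a VM port group. The inventory layout, host names and VLAN numbers are assumptions for the example; a real run would fill the structure from an export of the hosts, and the cross-vSwitch rule assumes the uplinks of both vSwitches reach the same physical switches.

```python
# Added example (not from the deck): checks that management and storage VMkernel
# port groups do not share a broadcast domain with production VM port groups.
# The inventory layout below is constructed for the example; it is not vSphere's
# own data model and would be filled from an export of the real hosts.

MGMT_SERVICES = {"Mgmt", "Storage"}   # VMkernel services that are not production

def _non_production_vmk(portgroups):
    return [pg for pg in portgroups
            if pg["kind"] == "vmkernel" and pg.get("service") in MGMT_SERVICES]

def _vm_portgroups(portgroups):
    return [pg for pg in portgroups if pg["kind"] == "vm"]

def mgmt_isolation_findings(hosts):
    """Return (host, vmkernel_pg, vm_pg) for every pair that is separated by
    neither a distinct vSwitch nor a distinct VLAN tag.

    Two port groups share a broadcast domain when they sit on the same vSwitch
    with the same VLAN tag, or on different vSwitches with the same non-zero
    tag (assumes both vSwitches uplink to the same physical switches). VLAN 0
    means untagged, so untagged port groups on separate vSwitches are treated
    as separate networks, as in the slide's diagram."""
    findings = []
    for host, vswitches in hosts.items():
        for vmk_switch, vmk_pgs in vswitches.items():
            for vmk in _non_production_vmk(vmk_pgs):
                for vm_switch, vm_pgs in vswitches.items():
                    for vm in _vm_portgroups(vm_pgs):
                        same_switch = vmk_switch == vm_switch
                        same_vlan = vmk["vlan"] == vm["vlan"]
                        if same_vlan and (same_switch or vmk["vlan"] != 0):
                            findings.append((host, vmk["name"], vm["name"]))
    return findings

# Constructed sample inventory: host -> vSwitch -> port groups.
SAMPLE_HOSTS = {
    # Layout from the slide's diagram: VMkernel traffic on its own vSwitch2.
    "esx-separate": {
        "vSwitch1": [{"name": "Production", "kind": "vm", "vlan": 0}],
        "vSwitch2": [{"name": "Mgmt", "kind": "vmkernel", "service": "Mgmt", "vlan": 0},
                     {"name": "Storage", "kind": "vmkernel", "service": "Storage", "vlan": 0}],
    },
    # Single vSwitch, but management and production carry different VLAN tags.
    "esx-tagged": {
        "vSwitch1": [{"name": "Production", "kind": "vm", "vlan": 200},
                     {"name": "Mgmt", "kind": "vmkernel", "service": "Mgmt", "vlan": 10}],
    },
    # Everything untagged on one vSwitch: VMs sit on the management network.
    "esx-flat": {
        "vSwitch1": [{"name": "Production", "kind": "vm", "vlan": 0},
                     {"name": "Mgmt", "kind": "vmkernel", "service": "Mgmt", "vlan": 0}],
    },
    # Separate vSwitches but the same tag: the VLAN, not the vSwitch, is the boundary.
    "esx-cross": {
        "vSwitch1": [{"name": "Production", "kind": "vm", "vlan": 10}],
        "vSwitch2": [{"name": "Mgmt", "kind": "vmkernel", "service": "Mgmt", "vlan": 10}],
    },
}

if __name__ == "__main__":
    for finding in mgmt_isolation_findings(SAMPLE_HOSTS):
        print("management network exposed to VM traffic:", finding)
```

Run as a script it reports the two mis-configured hosts; the point of the cross-vSwitch rule is that an admin who "fixed" isolation by adding a second vSwitch but reused the management tag has not isolated anything.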

Separation of Duties Must Be Enforced

[Figure: role hierarchy from more power to less power: Super Cloud Admin at the top; Cloud Networking Admin, Cloud Server Admin and Cloud Storage Admin below; Tenant A, Tenant B and Tenant C Admins below those; VM Admins under each tenant]

Air Gapped Design: Costly and Inefficient

[Figure: Company X, Company Y and Company Z each with their own dedicated Firewall, Load Balancer, L2-L3 Switch, access Switch, vSphere hosts and VPN Gateway for Remote Access, connected through the Aggregation and Access layers to the Internet]

Multi-tenancy: Physical Firewall and VLAN

[Figure: Company X, Y and Z behind the Internet, an L2-L3 Switch and one physical firewall each, with one VLAN each (VLAN 1000, 1001, 1002); on VMware vSphere + vShield each company gets its own port group on the vDS/vSS, PG-X (vlan 1000), PG-Y (vlan 1001) and PG-Z (vlan 1002), linked to its VMs. Legend: port group to VM links, virtual to external switch links, firewalls]

Multi-tenancy Virtualization Aware

[Figure: Company X, Y and Z behind the Internet and an L2-L3 Switch on VMware vSphere + vShield; port groups PG-X, PG-Y and PG-Z all sit on the Infrastructure VLAN (VLAN 1000) on the vDS, each company's network fronted by a vShield Edge VM; an External uplink Port group PG-C (vlan 100) on the Provider VLAN (VLAN 100) carries the external up link. Legend: internal company links, external up link, vDS to external switch links, traffic flow not allowed]

Enforce Microsegmentation Inside the vDC

- Protect applications against Network Based Threats
- Application-Aware Full Stateful Packet Inspection FW
- Control on per-VM/per vNIC level
- See VM-VM traffic within the same host
- Security groups enforced with VM movement

[Figure: VMware vSphere + vCenter with ESX Hardening on the hosts of Cluster A and Cluster B, hosting Virtual Datacenter 1 (DISA & PCI) and Virtual Datacenter 2 (CIS & PCI), each with Web, App and Database tiers]
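The last two bullets, together with the earlier "rigid network IP rules without resource context", are easiest to see side by side. This is an added example, not code from the deck or from VMware: it models one three-tier policy twice, once as an IP-based ACL on a physical firewall between hosts and once as a security-group policy evaluated at each vNIC, then live-migrates a web VM onto the same host as the database. VM names, addresses, host names and group names are constructed for the example.

```python
from dataclasses import dataclass

# Added example (not from the deck): contrasts an IP-based ACL on a physical
# firewall between hosts with a security-group policy enforced at each vNIC.
# VM names, IPs, hosts and group names below are constructed for the example.

@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    host: str            # hypervisor the VM currently runs on
    groups: frozenset    # security groups the VM belongs to (identity, not IP)

@dataclass(frozen=True)
class GroupRule:
    src_group: str
    dst_group: str
    port: int
    action: str          # "allow" or "deny"

# vNIC-level policy keyed on security groups: the classic three-tier pattern.
GROUP_POLICY = (
    GroupRule("web", "app", 8080, "allow"),
    GroupRule("app", "db", 3306, "allow"),
    GroupRule("web", "db", 3306, "deny"),
)

# Physical firewall ACL keyed on IP addresses: (src_ip, dst_ip, port, action).
IP_ACL = (
    ("10.0.1.10", "10.0.2.10", 8080, "allow"),
    ("10.0.2.10", "10.0.3.10", 3306, "allow"),
    ("10.0.1.10", "10.0.3.10", 3306, "deny"),
)

def vnic_decision(src, dst, port, policy=GROUP_POLICY, default="deny"):
    """Per-vNIC filter: evaluated for every packet regardless of host placement."""
    for rule in policy:
        if rule.src_group in src.groups and rule.dst_group in dst.groups and rule.port == port:
            return rule.action
    return default

def physical_firewall_decision(src, dst, port, acl=IP_ACL):
    """A firewall on the physical network only sees traffic that leaves the host."""
    if src.host == dst.host:
        return "not inspected"   # VM-to-VM traffic inside one host never hits the wire
    for src_ip, dst_ip, acl_port, action in acl:
        if (src_ip, dst_ip, acl_port) == (src.ip, dst.ip, port):
            return action
    return "deny"

def vmotion(vm, new_host):
    """Live migration: placement changes, identity (groups) and IP do not."""
    return VM(vm.name, vm.ip, new_host, vm.groups)

def compare(src, dst, port):
    """Return both enforcement points' decisions for one flow."""
    return {"vnic": vnic_decision(src, dst, port),
            "physical_fw": physical_firewall_decision(src, dst, port)}

# Constructed sample VMs, one per tier, each on its own host to begin with.
WEB1 = VM("web1", "10.0.1.10", "esx-a", frozenset({"web"}))
APP1 = VM("app1", "10.0.2.10", "esx-b", frozenset({"app"}))
DB1 = VM("db1", "10.0.3.10", "esx-c", frozenset({"db"}))

if __name__ == "__main__":
    print("before migration:", compare(WEB1, DB1, 3306))
    moved = vmotion(WEB1, DB1.host)
    print("after web1 moves next to db1:", compare(moved, DB1, 3306))
```

Before the migration both enforcement points deny web-to-database MySQL traffic. After the web VM lands on the database's host, the physical firewall never sees the flow at all, while the vNIC policy still denies it because it is keyed on the VM's security group, which travelled with the VM.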

Offload Endpoint Based Security Functions with VM Introspection Techniques

Improves performance and effectiveness of existing endpoint security solutions

Offload Functions
- AV
- File Integrity Monitoring
- Application Whitelisting

Virtualized Security and Edge Services

Cloud Aware Security: Elastic, Logical, Efficient, Automated, Programmable. Security as a Service.

Internal Security and Compliance
- Micro-segmentation
- Discover and report regulated data in the Datacenter and Cloud

Edge/Perimeter Protection
- Secure the edge of the virtual datacenter
- Security and Edge networking services gateway

Endpoint Security
- Efficient offload of endpoint based security into the cloud infrastructure, i.e. anti-virus and file integrity monitoring

Continuous and Automated Compliance

Ongoing Change and Compliance Management
- Understand Pervasive Change
- Capture in-band and out-of-band changes
- Are you still Compliant?
- Remediate
- Exceptions
- Fit within current enterprise change mgmt workflow process

Protect against vulnerabilities
- Hypervisor-based anti-virus provides superior protection
- Patch Management guards against known attacks
- Software provisioning tied to compliance
- Day to day vulnerability checks

[Figure: compliance state flow with the nodes Deployed from Gold Standard, Compliant State, Noncompliant State, Mark as Exception and Remediate (RFC Optional), and transitions labelled Planned Change and Unplanned Change]
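The state flow on this slide can be written down as a small tracker, which makes the difference between a planned (in-band, RFC-backed) change and an unplanned (out-of-band) one concrete. This is an added example, not the deck's or any vendor's code, and it reads the flow as follows (an assumption, since the slide gives only the node names): a system deployed from the gold standard starts compliant; a planned change updates baseline and system together and keeps it compliant; an unplanned change makes it noncompliant until the drift is either marked as an exception or remediated, with an RFC optional on the remediation path. The setting names and values in the gold standard are constructed stand-ins for real hardening checks.

```python
# Added example (not from the deck): a small model of the slide's change and
# compliance flow. The gold-standard keys and values are constructed for the
# example and stand in for hardening settings checked by a real tool.

GOLD_STANDARD = {
    "lockdown_mode": True,
    "ssh_enabled": False,
    "syslog_target": "syslog.example.internal",   # constructed host name
    "ntp_servers": ("ntp1.example.internal",),    # constructed host name
}

class ComplianceTracker:
    """Tracks one system against a baseline and reports its state on demand."""

    def __init__(self, baseline):
        self.baseline = dict(baseline)   # gold standard for this system
        self.current = dict(baseline)    # deployed from gold standard
        self.exceptions = set()          # keys whose drift has been formally accepted
        self.rfcs = []                   # change records behind planned changes

    def planned_change(self, rfc_id, key, value):
        """In-band change with an approved RFC: baseline and system move together."""
        self.rfcs.append((rfc_id, key, value))
        self.baseline[key] = value
        self.current[key] = value

    def observe_change(self, key, value):
        """Out-of-band change picked up by monitoring: only the system changes."""
        self.current[key] = value

    def drift(self):
        """Keys whose current value differs from baseline and are not excepted."""
        return {k: (self.baseline[k], self.current.get(k))
                for k in self.baseline
                if self.current.get(k) != self.baseline[k] and k not in self.exceptions}

    def state(self):
        return "Compliant" if not self.drift() else "Noncompliant"

    def mark_exception(self, key):
        """Accept the drift on one key; it no longer counts against compliance."""
        if key in self.drift():
            self.exceptions.add(key)

    def remediate(self, rfc_id=None):
        """Reset drifted keys to the baseline; an RFC is optional on this path."""
        fixed = list(self.drift())
        for key in fixed:
            self.current[key] = self.baseline[key]
        if rfc_id is not None:
            self.rfcs.append((rfc_id, "remediate", tuple(fixed)))
        return fixed

if __name__ == "__main__":
    tracker = ComplianceTracker(GOLD_STANDARD)
    print(tracker.state())                      # Compliant, fresh from gold standard
    tracker.observe_change("ssh_enabled", True)  # someone enabled SSH out of band
    print(tracker.state(), tracker.drift())      # Noncompliant, one drifted key
    print(tracker.remediate(), tracker.state())  # back to Compliant
```

The same tracker shape fits any setting a hardening guideline names: the detection value comes from comparing every observed change against a baseline that only RFC-backed changes may move.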

Conclusion

- The Cloud Has Great Benefits and, like any Technology, its Associated Risks
- These Risks Can Be Mitigated With Proper Controls
- The Classic Principles of Information Security Should be Applied
- Key Architecture Decisions must be made for Security
- Tools Designed for the Cloud Must Be Utilized

Questions?

Rob Randell, CISSP, CCSK
Principal Security and Compliance Specialist