Downloaded 47 times
Uploaded byKris Buytaert
VirtSec, and the Open Source impact
1) The document discusses the concepts of virtualization, virtualization security (VirtSec), open source virtualization, and cloud security (CloudSec). 2) It notes that virtualization changes the network stack and security approaches by putting the network inside machines and allowing live migration across VLANs. 3) It argues that security must focus on automation, configuration management, and avoiding proprietary lock-in to address challenges from virtualization like image sprawl and rapid redeployment.
More Related Content
Similar to VirtSec, and the Open Source impact
VirtSec, and the Open Source impact
- 1. INUITS The realvoyage of discovery consists in having new eyes . Marcel Proust
- 2. Kris Buytaert SeniorLinux and Open Source Consultant @inuits.be
- 3.
- 4. Surviving the 10th floor test
- 5.
- 6.
- 7. Guest Editor at Virtualization.com
- 8. Today What isVirtualization
- 9.
- 10.
- 11. VirtSec and OpenSource
- 12.
- 13. What is Virtualization? Running different operating systems together on one machine
- 14. Isolate Operating systemfrom the underlying hardware resources
- 15. Running multiple identicaloperating systems together on one machine
- 16. Why Virtualization MattersConsolidation
- 17. Saving Idle CPUCycles
- 18.
- 19.
- 20.
- 21.
- 22. All the coolkids are doing it
- 23. Why Virtualization isdangerous A vendor view of High availability
- 24. Live Migration isnot a HA Solution
- 25.
- 26.
- 27. Hardware dependencies &Live Migration
- 28.
- 29. Virtualization and OpenSource Leading the Pack
- 30.
- 31.
- 32. The core VirtualInfrastructure is open
- 33. Proprietary vendors tryto catch up
- 34. And Build theManagement FrameWorks
- 35. Virtualization to Me Xen KVM VirtualBox Linux Vserver OpenVZ Linux Containers LibVirt Convirt Qemu OpenQRM Enomaly UML
- 36. What is VirtSec? Securing Virtual Platforms , Hypervisors, Host OS
- 37. Securing the GuestOS in a Virtual Environment
- 38. Running Security toolsin a Virtual Environment
- 39. Isn't VirtSec justa way for the security people to jump on the Virtualization Hype ?
- 40.
- 41. What changes withVirtualization ? The Network stack System vs Network vs Virtualization
- 42. The network goesinside the machine Live Migration Across different VLAN's
- 43. Vlan Spaghetti Scale1 physical machine = MANY VM's
- 44. Legacy Apps Claim: Legacy Apps can't be secured properly That old badge logging app running on Win95
- 45. That old batchjob running on SCO Doesn't matter if they are virtual or not
- 46. The Virtual NetworkClaim: NIDS can't see Inter VM traffic
- 47. What about Inter App traffic on the same host , only now we've isolated app from eachother
- 48. Bridging / RoutingInterVM traffic rather than using proprietary sockets
- 49. Flux and ScaleClaim: Traditional HIDS can't follow the quick changing state of Hosts
- 50. My HA Clusters,are Active Passive, Active Active, or N+M too. Their state is in constant flux too
- 51. The role ConfigManagement and Platform Automation grows every second.
- 52. Static Security was DEAD before Virtualization High Availability Clusters
- 53. But the problemis still growing
- 54.
- 55.
- 56.
- 57. Multiple Instances ofa service
- 58. Thank you AppDeveloper Virtual Apliances are Awesome
- 59.
- 60. They save youtime
- 61. They give youa nice preview of technology
- 62. Virtual Appliance &Security Who build it ?
- 63. Is the appsecured
- 64. What about authenticationintegration ?
- 65. How to updateit ?
- 66. They KILL yourtime
- 67. Image Sprawl, yourupdate nightmare Image sprawl Copy VM, Deploy VM, Modify VM, Copy VM How do you patch 1 VM ?
- 68. Did you patchbefore or after that one was copied ?
- 69. How do youpatch 100 VM's ?
- 70. What about machinesthat are offline ?
- 71. Image Sprawl, yourupdate nightmare The biggest challenges we have in virtualization are operational and organizational rather than technical. Christofer Hoff
- 72. Image Sprawl, yourupdate nightmare Automate Deployment
- 73.
- 74. Map Security managementto Config Mgmt Prepare to Survive the 10 th floor test !
- 75.
- 76. Deus Ex Machina Remember the E10K fiasco ? No you won't be able to get from one VM to another VM ?
- 77. You bet theywill ! Buffer overflow in Management soft ?
- 78. Ballooning Critical featurefrom a proprietary vendor
- 79. Not available inoff the shelf Xen/OracleVM Go away or I will replace you with a small shellscript
- 80. Blue Pill vs Red Pill Blue Pill by Invisible Labs
- 81. Placing a Hypervisorunder an OS
- 82. Hoping no onerealizes it Existing Source for POC
- 83. Ignorance vsTruth
- 84. Blue Pill, areal threat ? POC vs Real Life Become root first
- 85. Then exploit theVM vulnerability ?
- 86. Managing Virtual Machines Early Management Frameworks
- 87. Any client canconnect ... An example ..
- 88. What is openQRMopen-source project at sourceforge.net (GPL)
- 89.
- 90. Not just yourvirtual platforms
- 91.
- 92.
- 93. Support for physical , Xen, VMWare, Vserver, KVM
- 94. OpenQRM 4 isa full rewrite
- 95.
- 96. OpenQRM & SecurityAuthentication based on IP
- 97.
- 98.
- 99. Anyone who canspoof the openQRM server IP can reboot / redeploy your infrastructure
- 100.
- 101. Open Source Not Marketing Driven
- 102. Written because thereis a need
- 103. To scratch anitch
- 104.
- 105. Typically more securethan Proprietary
- 106. Leading Innovation inVirtualization
- 107. Open Source &VirtSec No known projects
- 108. No Need forspecialized projects / tools
- 109. The VirtSec Vendorsclaim First proprietary -> Then Open Source
- 110. Open Source doesn'tinnovate The Open Source Experts claim Better Architectures
- 111. No need forbloated hyped tools
- 112. Is VirtSec amarket? It's an instantiation of technology, practice and operational adjustment brought forth as a derivative of a disruptive technology and prevailing market conditions. Does that mean it's a feature as opposed to a market? No. In my opinion, it's an evolution of an existing market, rife with existing solutions and punctuated by emerging ones. The next stop is how "security" will evolve from VirtSec to CloudSec... Christofer Hoff
- 113. Isn't CloudSec justa way for the security people to jump on the Cloud Hype ?
- 114. The Cloud ?Cloud computing refers to the use of Internet ("cloud") based computer technology for a variety of services. It is a style of computing in which dynamically scalable and often virtualised resources are provided as a service over the Internet. The concept incorporates software as a service (SaaS), Web 2.0 and other recent, well-known technology trends, in which the common theme is reliance on the Internet for satisfying the computing needs of the users.
- 115.
- 116.
- 117. Full control over His application
- 118. His application stackSupposed to manage his platform in Secure Fashion
- 119. But do youTRUST him ?
- 120. CloudSec Deploying inan untrusted domain This is not your average DMZ
- 121. You don't evenown the Vhost Cloud Datacenters Attrackt Attackers Identical Hypervisors => Only 1 exploit needed
- 122. Cloud Hijacking Preand Post Deployment What was there and what stays behind ?
- 123. CloudSec Increase securityas never before
- 124. Encrypt all interVhost traffic
- 125. FireWall as Neverbefore
- 126. Don't store criticaldata in the cloud Use it for analytics
- 127.
- 128. Volatile data Buildyour own Private Cloud
- 129.
- 130.
- 131.
- 132. Complexity is theEnemy of Reliability
- 133. Watch out forFUD Specially in the closed world
- 134. Security still isn'ta product you can buy It's not even a process It's a lifestyle
- 135. ` Kris Buytaert < [email_address] > Further Reading http://www.krisbuytaert.be/blog/ http://www.inuits.be/ http://www.virtualization.com/ http://www.oreillygmt.com/ ? !