VMworld 2014/Separating Fact from Fiction - ESXi Hypervisor Security

INF2336 - Separating Fact from Fiction - ESXi Hypervisor Security

"VMware ESXi has been developed from the ground up to run virtual machines in a secure manner. ESXi addresses the security concerns of the most demanding datacenter environments for enterprises and government organizations. Get a better understanding of exactly how!"
 * Yuecel Karabulut - Product Line Manager, vSphere Platform Security, VMware
 * Mike Foley - Sr. Technical Marketing Manager, VMware

Agenda:
 * Virtualization Security: Fact vs Fiction
 * Foundational Platform Security Solutions
 * Operational Security - Where the REAL threat is

"What are you most concerned about?"
 * concerned about internal threats (e.g. a malicious privileged VI admin)
 * VM escape scenarios (guest to host attack)

Which is more likely: a VM escape or an operational security threat? Operational is.
 * Cost vs Probability aka "sexy" vs "boring"

VM Escape is really hard to do - why?
 * proven VM isolation and an evolving architecture
 * secure software development life cycle
 * minimum attack surface
 * world class systems security engineers

Isolation is the name of the game

7 Layers of Isolation and Protection:
 * Instruction
 * Memory
 * Device
 * Network
 * Noisy neighbor
 * Storage
 * Memory

To control hardware and memory, you need ring 0. VMs do not have access to ring 0, just a virtualized ring 0. Only the ESX kernel has ring 0 access. Requests are received, trapped, and securely executed.

Networking - vSwitches are not routers. To route packets between vSwitches you need something else.

VLAN and switch vulnerabilities? vSwitches are not susceptible to any of these:
 * MAC flooding
 * 802.1q and ISL tagging
 * double-encapsulation attacks
 * multicast brute-force attacks
 * spanning tree attacks
 * random frame attacks
 * VLAN Hopping - native VLAN not used

Google "Folly Mitnick" - "he hacked me back in 19??, and I got to have lunch with him and talk to him about that"

Doable: walk by and capture people's RFID badge codes

Operational Security - where the REAL threat is

Least Privilege needs to be widely adopted

Patching ESXi is a priority

Compromising ESX isolation is dang hard. Compromising your admin is much easier.

Compromise the Admin, and get access to the infrastructure

Least Privilege - Role Based Access Control (RBAC) as security policy enforcement

Should move to a Workflow-based Security Policy Enforcement
 * VMware Orchestrator and vCAC for workflow functionality

I can't help you if you don't patch - if you have an uptime of 4 years as a badge of honor, leave now!
 * evacuate VMs
 * patch ESXi
 * move back
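The evacuate / patch / move back loop above, as an added PowerCLI example (not from the session or from VMware). It assumes the vCenter name, cluster name and offline-bundle path are placeholders you replace, and that DRS is fully automated so that entering maintenance mode migrates the running VMs for you.

```powershell
# Added example: roll a patch through every host in a cluster, one host at a time.
# Placeholders (assumptions, not values from the session): vCenter, cluster, depot path.
param(
    [string]$VCenter = 'vcenter.example.local',
    [string]$Cluster = 'Prod-Cluster',
    [string]$Depot   = '/vmfs/volumes/datastore1/patches/ESXi-offline-bundle.zip'
)

Connect-VIServer -Server $VCenter | Out-Null

foreach ($vmhost in Get-Cluster -Name $Cluster | Get-VMHost | Sort-Object Name) {
    Write-Host "Draining $($vmhost.Name)"
    # "evacuate VMs": maintenance mode with DRS fully automated vMotions the
    # running VMs to the remaining hosts; -Evacuate also moves powered-off VMs.
    Set-VMHost -VMHost $vmhost -State Maintenance -Evacuate -Confirm:$false | Out-Null

    # "patch ESXi": drive esxcli through PowerCLI. 'vib update' installs only
    # VIBs newer than what is on the host, which is what a routine cycle wants.
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $updateArgs = $esxcli.software.vib.update.CreateArgs()
    $updateArgs.depot = $Depot
    $result = $esxcli.software.vib.update.Invoke($updateArgs)
    Write-Host "  $($result.Message)"

    if ($result.RebootRequired -eq 'true') {
        Restart-VMHost -VMHost $vmhost -Confirm:$false | Out-Null
        # Wait until the host is back (still in maintenance mode) before continuing.
        do {
            Start-Sleep -Seconds 30
            $vmhost = Get-VMHost -Name $vmhost.Name
        } until ($vmhost.ConnectionState -eq 'Maintenance')
    }

    # "move back": leave maintenance mode so DRS can rebalance VMs onto the host.
    Set-VMHost -VMHost $vmhost -State Connected -Confirm:$false | Out-Null
    Write-Host "  $($vmhost.Name) back in service"
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Because hosts are drained one at a time, the cluster keeps serving VMs throughout, which removes the "uptime as a badge of honor" excuse for not patching.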

"Security guys: you put the 'no' in innovation"

Isolate your vCenter Servers and your ESX servers
 * Limit access to vCenter and ESXi with a dedicated management network

"Defense in depth" - no one barrier should be the only barrier