Virtualization Part 2

Time
7 hours 50 minutes
Difficulty
Beginner
CEU/CPE
8
Video Transcription
00:00
>> When we talk about virtualization,
00:00
we really have to talk about the heart and
00:00
soul of a virtualized environment,
00:00
and that's the hypervisor.
00:00
The hypervisor is what allows
00:00
OS isolation into Virtual Machines.
00:00
It's going to provide communication
00:00
from what's happening in Virtual Machine,
00:00
either through the operating system
00:00
or directly to the hardware.
00:00
That depends on whether or not we have
00:00
a type I or type II Hypervisor.
00:00
A type I Hypervisor,
00:00
sometimes referred to as the "bare metal" Hypervisor,
00:00
meaning that it sits directly on top of
00:00
the hardware so you don't
00:00
install an operating system first.
00:00
You install the hypervisor,
00:00
and it has direct access to the hardware
00:00
through the commands within the virtual software.
00:00
With this, you have a more secure system.
00:00
It's hardware-based.
00:00
It's just a Virtual Machine,
00:00
and because of that, you get better performance.
00:00
You cut out the middleman that comes
00:00
with a type II Hypervisor.
00:00
With a type II Hypervisor,
00:00
you first install a host-based operating system
00:00
like Windows or Linux,
00:00
then on top of that,
00:00
you install a Virtual Machine through
00:00
an application like Oracle VBox.
00:00
That's the one I've been using a lot lately.
00:00
>> I like that.
00:00
>> There's a Virtual Machine on your VM workstation.
00:00
Those are the ones that most users
00:00
may have more experience with.
00:00
This is considered to be software-based because it's
00:00
software that you install on
00:00
top of an operating system,
00:00
but here's the deal with that.
00:00
All of your commands from the VM are
00:00
running through the guest operating system,
00:00
so you've got that middleman.
00:00
Keep in mind, if you're running this on
00:00
Windows and Linux operating systems,
00:00
you have the vulnerabilities of
00:00
those operating systems introduced to the mix.
00:00
When we use these,
00:00
you might be using them in a lab environment.
00:00
We might be using them on
00:00
an individual system to do things with
00:00
application virtualization or for testing devices.
00:00
But when we're talking about
00:00
really virtualizing servers,
00:00
that's when we're going to do
00:00
this bare metal type I Hypervisor.
00:00
Any Cloud-based service provider's going to
00:00
be running type I.
00:00
If hypervisors are compromised,
00:00
everything in the virtual environment is compromised,
00:00
and there are rootkits for hypervisors.
00:00
There are types of malware
00:00
that specifically target hypervisors.
00:00
We need to make sure that our hypervisor,
00:00
like any other piece of software, is hardened.
00:00
It's up to date, patched, just
00:00
like any other operating system or
00:00
application that does reduce
00:00
the likelihood of having malicious code introduced.
00:00
As a general rule,
00:00
if we're accessing our resources through
00:00
the Cloud and we have a virtualized environment,
00:00
the hypervisor is usually
00:00
the Cloud services provider's responsibility.
00:00
We need to make sure that we know
00:00
how that's protected and be
00:00
aware of any mitigating strategies to keep that safe.
00:00
If we're running the type II Hypervisor,
00:00
then, of course,
00:00
we're responsible for making sure
00:00
this software is patched and running correctly.
00:00
Lots of concerns here.
00:00
Again, virtualization doesn't fix
00:00
every problem and it certainly
00:00
doesn't make your typical problems go away.
00:00
One of the first issues that we have to think
00:00
about is an issue called VM escape,
00:00
which is exactly what it sounds like.
00:00
Virtualization is supposed to be
00:00
true isolation for these applications and systems.
00:00
In a multi-tenant environment,
00:00
our virtual system should be truly
00:00
isolated from other virtual systems.
00:00
However, VM escape is when some entity,
00:00
whether it's a process or an individual,
00:00
hops from one Virtual Machine to another.
00:00
Shouldn't happen, but again,
00:00
there are attacks specifically
00:00
geared towards virtualized environments.
00:00
Another concern.
00:00
You may have maybe 15 different services
00:00
running on a single physical machine.
00:00
That means that one network card
00:00
on that system provides
00:00
a pathway into the system for all those 15 services.
00:00
From a physical perspective as well,
00:00
if you have failure of that physical machine then
00:00
services are gone for the time
00:00
being until we can get it restored.
00:00
Other ideas like anti-malware.
00:00
A lot of times we slap anti-malware on
00:00
a machine and we say we're good.
00:00
That's all taken care of.
00:00
But what you have is you have
00:00
numerous Virtual Machines running on a system.
00:00
You have to have anti-malware on the host.
00:00
But for each additional guest operating system
00:00
that has to be scanned for malware as well.
00:00
It really is like a separate physical machine.
00:00
The same thing with monitoring.
00:00
You're not going to get monitoring of
00:00
those virtual machines from
00:00
one tool and just scanning the host.
00:00
We have to make
00:00
these considerations and make sure we have
00:00
the right tools on each of
00:00
the guest operating systems.
00:00
Last but not least, unintentional bridging.
00:00
Like we said, you've got
00:00
one network card connecting
00:00
you out to the public network.
00:00
You've got an internal network
00:00
and your virtual network cards.
00:00
You can build a virtual network,
00:00
connect everybody through
00:00
virtual switches, and all that's great.
00:00
But if we misconfigured our network cards,
00:00
they may be bridged out to the network,
00:00
which is exactly how things like VM escapes happen.
00:00
I've accidentally got a pathway to
00:00
the network through my host machine.
00:00
We need to make sure that those are limited to
00:00
the virtual LAN as opposed
00:00
to being bridged to the outside world.
00:00
We wrap up the discussion, virtualization.
00:00
There's no doubt that it has numerous benefits.
00:00
Virtualization saves us space,
00:00
saves our hardware,
00:00
saves on heating and cooling and allows us to
00:00
run multiple services on a single physical machine,
00:00
making it more cost-effective.
00:00
All that's great. We get
00:00
Virtual Desktop Interfaces where
00:00
we take that golden image,
00:00
that's a configuration of
00:00
exactly what we want on those host computers,
00:00
and then even if our clients or end-users make changes,
00:00
it's still going to refer back to
00:00
the golden image at the end of the day.
00:00
We have to think about our hypervisors.
00:00
Our hypervisors are either type I or type II.
00:00
Type I is a bare metal hypervisor,
00:00
that's directly on top of the hardware.
00:00
That's where you're going to get the best performance
00:00
and the best security because there is no middleman.
00:00
Now, with the hypervisor,
00:00
there's type II,
00:00
install the hypervisor on top of the operating system,
00:00
for the hypervisor to interact with
00:00
the hardware has to go through the OS.
00:00
That OS has its own set of vulnerabilities.
00:00
Then last, we discussed some security concerns.
00:00
We said no environment is perfect.
00:00
You have to watch for things like
00:00
VM escape or process might move from
00:00
one VM to another and
00:00
perhaps malware or worm might spread.
00:00
We have to think about things like hyperjacking,
00:00
which is where a rootkit gets
00:00
installed in the hypervisor.
00:00
We have to be concerned with multi-tenancy.
00:00
There are a lot of areas for
00:00
security concerns of hypervisors and virtualization.
00:00
But with our due diligence and a little bit of effort,
00:00
we can secure these environments and reap the benefits.