One of today's most rapidly evolving and widely deployed technologies is server virtualization. SEC579: Virtualization and Software-Defined Security is intended to help security, IT operations, and audit and compliance professionals build, defend, and properly assess both virtual and converged infrastructures, as well as understand software-defined networking and infrastructure security risks.
Many organizations are already realizing cost savings from implementing virtualized servers, and systems administrators love the ease of deployment and management of virtualized systems. More and more organizations are deploying desktop, application, and network virtualization as well. Virtualization even offers security benefits: easier business continuity and disaster recovery, single points of control over multiple systems, role-based access, and additional auditing and logging capabilities for large infrastructures.
With these benefits comes a dark side, however. Virtualization technology is the focus of many new potential threats and exploits, and it presents new vulnerabilities that must be managed. There are also a vast number of configuration options that security and system administrators need to understand, with an added layer of complexity that has to be managed by operations teams. Virtualization technologies also connect to network infrastructure and storage networks, and require careful planning with regard to access controls, user permissions, and traditional security controls.
In addition, many organizations are evolving virtualized infrastructure into private clouds using converged infrastructure that employs software-defined tools and programmable stack layers to control large, complex data centers. Security architecture, policies, and processes will need to be adapted to work within a converged infrastructure, and there are many changes that security and operations teams will need to accommodate to ensure that assets are protected.
SEC579.1: Core Concepts of Virtualization Security
The first day of class will cover the foundations of virtualization infrastructure and different types of technology. We will define and clarify the differences between server, desktop, application, and storage virtualization, and we will lay out a simple architecture overview that sets the stage for the rest of the day. Then we will dissect the various virtualization elements that make up the architecture one by one, with a focus on the security configurations that will help you create or revise your virtualization design to be as secure as possible. We will start off with hypervisor platforms, covering the fundamental controls that can and should be set within VMware ESX and ESXi, Microsoft Hyper-V, and Citrix XenServer. We'll look at virtual machine settings, with an emphasis on VMware VMX files. We'll also cover some of the ways organizations can control access to and from these virtual machines.
Large-scale storage, one of the most overlooked security areas today, plays a critical role in virtualization and private cloud infrastructure. Some tips and tactics will be covered to help organizations better secure Fibre Channel, iSCSI, and NFS-based Network Attached Storage technology. Next we will tackle virtualization management. VMware vCenter, Microsoft System Center Virtual Machine Manager (SCVMM), and Citrix XenCenter will all be covered, with an emphasis on vCenter. Client connectivity and security will also be discussed, both from a configuration and design standpoint. The class then covers Virtual Desktop Infrastructure (VDI), with an emphasis on security principles and design. Specific security-focused use cases for VDI, such as remote access and network access control, will also be discussed.
CPE/CMU Credits: 6
SEC579.2: Virtualization and Software-Defined Security Architecture and Design
Day 2 starts with several topics that round out our discussions on virtualization and infrastructure components, delving into container technology and converged infrastructure platforms and tools (along with security considerations for both). We'll then begin our discussion of virtualization and software-defined architecture and networking. We'll cover design concepts and models, with deep discussion of benefits and drawbacks throughout. We'll also cover network capabilities and models in virtual environments, with time devoted to virtual switches and other platforms, and look at how network security adapts to fit into a virtual infrastructure.
Do firewalls and network access controls work the same with virtual systems and cloud models? We will find out! Students will take an in-depth look at virtual firewalls and even set one up. Virtual switches will be revisited as they pertain to segmentation and access controls. The topic of software-defined networking will be covered in depth, with design examples, simple programming of SDN controllers, and discussion of security use cases that leverage OpenFlow and other technologies.
Students will also build a virtualized intrusion detection model, integrating promiscuous interfaces and traffic capture methods into virtual networks and then setting up and configuring a virtualized intrusion detection system (IDS) sensor. Some attention will also be paid to host-based IDS, taking into account multi-tenant platforms and the performance impact any agent-based product can have in a virtual environment.
CPE/CMU Credits: 6
SEC579.3: Virtualization Threats, Vulnerabilities, and Attacks
This session will delve into the offensive side of security specific to virtualization and cloud technologies. While many key elements of vulnerability management and penetration testing are similar to traditional environments, there are also many differences, which will be covered here.
We will first examine a number of specific attack scenarios and models that represent the different risks organizations face in their virtual environments. Then we will go through the entire penetration testing and vulnerability assessment lifecycle, with an emphasis on virtualization tools and technologies. We'll progress through scanners and how to use them to assess virtual systems, then turn to virtualization exploits and attack toolkits that can be easily added into existing penetration test regimens. We will also cover some specific techniques that may help in cloud environments, providing examples of scenarios where certain tools and exploits are less effective or more risky to use than others.
CPE/CMU Credits: 6
SEC579.4: Defending Virtualization and Software-Defined Technologies
This session is all about defense! We will start off with an analysis of anti-malware techniques, looking at traditional antivirus, whitelisting, and other tools and techniques to combat malware, with a specific eye toward virtualization and cloud environments. New commercial offerings in this area will also be discussed to provide context. Then we will turn to intrusion detection, starting with a simple architecture refresher on how IDS and monitoring technologies fit into a virtual infrastructure. Students will then learn about monitoring traffic and looking for malicious activity within the virtual network. Numerous network-based and host-based tools will be covered and used in class. This topic will also be extended to the software-defined environment, with some special caveats to which all organizations should pay attention.
Students will learn about logs and log management in virtual environments. What kinds of logs do virtualization platforms produce, and what should organizations focus on? How can these logs (for both hypervisors and virtual machines) fit into a Security Information and Event Management solution? What should we look for to discover attacks and security issues?
The second half of this session will focus on incident response and forensics in a virtualized or cloud-based infrastructure. We will walk students through the six-step incident response cycle espoused by the National Institute of Standards and Technology (NIST) and SANS, and highlight exactly how virtualization fits into the big picture. Students will discuss and analyze incidents at each stage, again with a focus on virtualization and cloud. We will finish the incident response section by looking at processes and procedures that organizations can put to use right away to improve their awareness of virtualization-based incidents.
The final section of the day will focus on forensics and how students can adapt forensics processes to work in virtual and cloud environments. We will capture and duplicate virtual machines and ensure that they are sound and maintained in a best-practices format for proper chain-of-custody retention. The current landscape of forensics tools will be covered, with a focus on which tools work best to analyze virtual images and data from virtual infrastructure. Special emphasis will be given to the analysis of hypervisor platforms.
CPE/CMU Credits: 6
SEC579.5: Virtualization Operations, Auditing, and Monitoring
Today's session will start off with a lively discussion on virtualization assessment and auditing. You may be asking, how can you possibly make a discussion on auditing lively? Trust us! We will cover the top virtualization configuration and hardening guides from DISA, CIS, Microsoft, and VMware, and talk about the most critical information to take away from these guides and implement. Next, we'll really put our money where our mouth is: students will learn to implement audit and assessment techniques by scripting with the VI CLI, as well as some general shell scripting! Although not intended to be an in-depth class on scripting, some key techniques and ready-made scripts will be discussed and used in class to get students prepared for implementing these principles in their environments as soon as they get back to work.
The second half of the day will look at automation and orchestration tools and techniques that can help to streamline and manage configuration and auditing, as well as monitoring techniques that provide a feedback loop. The ideas behind DevOps and DevSecOps environments will be described, and we'll look at how best to integrate these security practices into deployment pipelines, with tools and tactics along the way.
CPE/CMU Credits: 6
Who Should Attend
You Will Be Able To