Provided by SANS

About the course

One of today's most rapidly evolving and widely deployed technologies is server virtualization. SEC579: Virtualization and Software-Defined Security is intended to help security, IT operations, and audit and compliance professionals build, defend, and properly assess both virtual and converged infrastructures, as well as understand software-defined networking and infrastructure security risks.

Many organizations are already realizing cost savings from implementing virtualized servers, and systems administrators love the ease of deployment and management of virtualized systems. More and more organizations are deploying desktop, application, and network virtualization as well. There are even security benefits of virtualization: easier business continuity and disaster recovery, single points of control over multiple systems, role-based access, and additional auditing and logging capabilities for large infrastructure.

With these benefits comes a dark side, however. Virtualization technology is the focus of many new potential threats and exploits, and it presents new vulnerabilities that must be managed. There are also a vast number of configuration options that security and system administrators need to understand, with an added layer of complexity that has to be managed by operations teams. Virtualization technologies also connect to network infrastructure and storage networks, and require careful planning with regard to access controls, user permissions, and traditional security controls.

In addition, many organizations are evolving virtualized infrastructure into private clouds using converged infrastructure that employs software-defined tools and programmable stack layers to control large, complex data centers. Security architecture, policies, and processes will need to be adapted to work within a converged infrastructure, and there are many changes that security and operations teams will need to accommodate to ensure that assets are protected.

Course Syllabus

SEC579.1: Core Concepts of Virtualization Security

Overview

The first day of class will cover the foundations of virtualization infrastructure and different types of technology. We will define and clarify the differences between server, desktop, application, and storage virtualization, and we will lay out a simple architecture overview that sets the stage for the rest of the day. Then we will dissect the various virtualization elements that make up the architecture one by one, with a focus on the security configurations that will help you create or revise your virtualization design to be as secure as possible. We will start off with hypervisor platforms, covering the fundamental controls that can and should be set within VMware ESX and ESXi, Microsoft Hyper-V, and Citrix XenServer. We'll look at virtual machine settings, with an emphasis on VMware VMX files. We'll also cover some of the ways organizations can control access to and from these virtual machines.

Large-scale storage, one of the most overlooked security areas today, plays a critical role in virtualization and private cloud infrastructure. Some tips and tactics will be covered to help organizations better secure Fibre Channel, iSCSI, and NFS-based Network Attached Storage technology. Next we will tackle virtualization management. VMware vCenter, Microsoft System Center Virtual Machine Manager (SCVMM), and Citrix XenCenter will all be covered, with an emphasis on vCenter. Client connectivity and security will also be discussed, both from a configuration and design standpoint. The class then covers Virtual Desktop Infrastructure (VDI), with an emphasis on security principles and design. Specific security-focused use cases for VDI, such as remote access and network access control, will also be discussed.

CPE/CMU Credits: 6

Topics

• Virtualization components and architecture designs
• Different types of virtualization, ranging from desktops to servers and applications
• Hypervisor lockdown controls for VMware, Microsoft Hyper-V, and Citrix Xen
• Virtual machine security configuration options, with a focus on VMware VMX files
• Storage security and design considerations
• Locking down management servers and clients for vCenter, XenServer, and Microsoft SCVMM
• Security design considerations for VDI.

SEC579.2: Virtualization and Software-Defined Security Architecture and Design

Overview

Day 2 starts with several topics that round out our discussions on virtualization and infrastructure components, delving into container technology and converged infrastructure platforms and tools (along with security considerations for both). We'll then begin our discussion of virtualization and software-defined architecture and networking. We'll cover design concepts and models, with deep discussion of benefits and drawbacks throughout. We'll also cover network capabilities and models in virtual environments, with time devoted to virtual switches and other platforms, and look at how network security adapts to fit into a virtual infrastructure.

Do firewalls and network access controls work the same with virtual systems and cloud models? We will find out! Students will take an in-depth look at virtual firewalls and even set one up. Virtual switches will be revisited, as they pertain to segmentation and access controls. The topic of software-defined networking will be covered in-depth, with design examples, simple programming of SDN controllers, and discussion of security use cases that leverage OpenFlow and other technologies.

Students will also build a virtualized intrusion detection model, integrating promiscuous interfaces and traffic capture methods into virtual networks and then setting up and configuring a virtualized intrusion detection system (IDS) sensor. Some attention will also be paid to host-based IDS, taking into account multi-tenant platforms and the performance impact any agent-based product can have in a virtual environment.

CPE/CMU Credits: 6

Topics

• Container technology security considerations
• Converged Infrastructure security considerations
• Defining "software-defined" components and architectural models
• Designing security for software-defined environments
• Virtual network design cases with pros and cons of each
• Virtual switches and port groups, with security options available
• Commercial and open-source virtual switches available, with configuration options
• Segmentation techniques, including VLANs and PVLANs
• Software-defined networking and architecture
• Network isolation and access control
• Adapting firewalls, IPS, proxies, and more to virtual environments
• Products and capabilities available today

SEC579.3: Virtualization Threats, Vulnerabilities, and Attacks

Overview

This session will delve into the offensive side of security specific to virtualization and cloud technologies. While many key elements of vulnerability management and penetration testing are similar to traditional environments, there are also many differences, which will be covered here.

We will first examine a number of specific attack scenarios and models that represent the different risks organizations face in their virtual environments. Then we will go through the entire penetration testing and vulnerability assessment lifecycle, with an emphasis on virtualization tools and technologies. We'll progress through scanners and how to use them to assess virtual systems, then turn to virtualization exploits and attack toolkits that can be easily added into existing penetration test regimens. We will also cover some specific techniques that may help in cloud environments, providing examples of scenarios where certain tools and exploits are less effective or more risky to use than others.

CPE/CMU Credits: 6

Topics

• Threats and attack research related to virtualization infrastructure
• Attack models that pertain to virtualization and cloud environments
• Threat modeling for virtualization and software-defined technology
• Specific virtualization platform attacks and exploits
• Pen testing cycles with a focus on virtualization attack types
• Password attacks against virtualization and software-defined platforms
• How to modify vulnerability management processes and scanning configuration to get the best results in virtualized environments
• How to use attack frameworks like VASTO to exploit virtualization systems

SEC579.4: Defending Virtualization and Software-Defined Technologies

Overview

This session is all about defense! We will start off with an analysis of anti-malware techniques, looking at traditional antivirus, whitelisting, and other tools and techniques to combat malware, with a specific eye toward virtualization and cloud environments. New commercial offerings in this area will also be discussed to provide context. Then we will turn to intrusion detection, starting with a simple architecture refresher on how IDS and monitoring technologies fit into a virtual infrastructure. Students will then learn about monitoring traffic and looking for malicious activity within the virtual network. Numerous network-based and host-based tools will be covered and used in class. This topic will also be extended to the software-defined environment, with some special caveats to which all organizations should pay attention.

Students will learn about logs and log management in virtual environments. What kinds of logs do virtualization platforms produce, and what should organizations focus on? How can these logs (for both hypervisors and virtual machines) fit into a Security Information and Event Management solution? What should we look for to discover attacks and security issues?

The second half of this session will focus on incident response and forensics in a virtualized or cloud-based infrastructure. We will walk students through the six-step incident response cycle espoused by the National Institute of Standards and Technology (NIST) and SANS, and highlight exactly how virtualization fits into the big picture. Students will discuss and analyze incidents at each stage, again with a focus on virtualization and cloud. We will finish the incident response section by looking at processes and procedures that organizations can put to use right away to improve their awareness of virtualization-based incidents.

The final section of the day will focus on forensics and how students can adapt forensics processes to work in virtual and cloud environments. We will capture and duplicate virtual machines and ensure that they are sound and maintained in a best-practices format for proper chain-of-custody retention. The current landscape of forensics tools will be covered, with a focus on which tools work best to analyze virtual images and data from virtual infrastructure. Special emphasis will be given to the analysis of hypervisor platforms.

CPE/CMU Credits: 6

Topics

• Data protection in virtual and converged environments
• Identity and Access Management in virtual and software-defined environments
• How to implement intrusion detection tools and processes in a virtual environment
• What kinds of logs and logging are most critical for identifying attacks and live incidents in virtual environments?
• How anti-malware tools function in virtual environments
• How the six-step incident response process can be modified and adapted to work with virtual infrastructure
• What kinds of incidents to look for within virtual environments, and what the warning signs are
• Processes and procedures to build and grow incident response capabilities for virtual environments
• How forensics processes and tools should be used and adapted for virtual systems
• What tools are best to get the most accurate results from virtual machine system analysis?
• How to most effectively capture virtual machines for forensic evidence analysis
• What can be done to analyze hypervisor platforms, and what does the future hold for VM forensics?

SEC579.5: Virtualization Operations, Auditing, and Monitoring

Overview

Today's session will start off with a lively discussion on virtualization assessment and auditing. You may be asking, how can you possibly make a discussion on auditing lively? Trust us! We will cover the top virtualization configuration and hardening guides from DISA, CIS, Microsoft, and VMware, and talk about the most critical information to take away from these guides and implement. Next, we'll really put our money where our mouth is: students will learn to implement audit and assessment techniques by scripting with the VI CLI, as well as some general shell scripting! Although not intended to be an in-depth class on scripting, some key techniques and ready-made scripts will be discussed and used in class to get students prepared for implementing these principles in their environments as soon as they get back to work.

The second half of the day will look at automation and orchestration tools and techniques that can help to streamline and manage configuration and auditing, as well as monitoring techniques that provide a feedback loop. The ideas in DevOps and DevSecOps environments will be described, and we'll look at how to best integrate into deployment pipelines, with tools and tactics along the way.

CPE/CMU Credits: 6

Topics

• Key configuration controls from the leading DISA, CIS, VMware, and Microsoft hardening guides
• Sound configuration management and patching in virtual infrastructure
• Scripting techniques in VI CLI and PowerShell for automating audit and assessment processes
• Sample scripts that help implement key audit functions
• Automation and orchestration with Puppet, Chef, ManageEngine, etc.
• Full hardening-guide-scripted audit

Who Should Attend

• Security personnel who are tasked with securing virtualization and private cloud infrastructure
• Network and systems administrators who need to understand how to architect, secure and maintain virtualization and cloud technologies
• Technical auditors and consultants who need to gain a deeper understanding of VMware virtualization from a security and compliance perspective

You Will Be Able To

• Lock down and maintain a secure configuration for all components of a virtualization environment
• Design a secure virtual network architecture
• Evaluate virtual firewalls, intrusion detection and prevention systems, and other security infrastructure
• Evaluate security for converged and software-defined environments
• Perform vulnerability assessments and penetration tests in virtual and private cloud environments, and acquire forensic evidence
• Perform audits and risk assessments within a virtual or private cloud environment

Hands-on Training

• ESXi Lockdown
• vMotion Attack on Data Confidentiality
• Netflow in a Virtual Infrastructure