WEBVTT

00:00.330 --> 00:03.570
Virtualization is utterly fantastic.

00:03.570 --> 00:08.630
And in this episode I want to talk about some of the security aspects about virtualization.

00:08.730 --> 00:13.900
But before we do that I want to make sure you get an idea of what I've got laying around here.

00:14.010 --> 00:19.800
Mainly to lock in from other episodes where we talk about type 1 Type 2 hypervisor that type of thing.

00:19.860 --> 00:22.120
Let me show you what's going on right here now.

00:22.140 --> 00:24.790
First of all here's my computer right here.

00:25.320 --> 00:27.700
And this machines running Windows 10.

00:27.740 --> 00:33.300
Now what I want to do for starters is show you a type 2 hypervisor that I have running on this particular

00:33.300 --> 00:35.550
system called Oracle's virtual box.

00:35.550 --> 00:36.860
Very very popular.

00:37.050 --> 00:40.250
So I'm going to come down to Oracle's virtual box.

00:40.250 --> 00:42.730
Now if you look really close you can see I've got two windows here.

00:42.730 --> 00:46.310
So first all this is the actual virtual box manager.

00:46.560 --> 00:50.790
And I have one two three four virtual machines already pre-installed here.

00:50.910 --> 01:00.570
And one of them is running and if you want to see that when I K'NEX here and here is one virtual machine

01:00.570 --> 01:04.980
and I don't remember the password right now but doesn't matter that terribly much.

01:05.890 --> 01:13.420
So that is a type 2 hypervisor it's running locally on this system and Virtual Box is a very very common

01:13.540 --> 01:15.640
type of type hypervisor and it's also free.

01:15.640 --> 01:16.830
I love it.

01:16.840 --> 01:21.820
Now the other thing I have running is a type 1 hypervisor So let's take a look at this network diagram

01:21.820 --> 01:22.820
one more time.

01:22.840 --> 01:25.380
So here's my computer running it's Type 2 hypervisor.

01:25.510 --> 01:31.810
Over here I've got a server system and on the server it is running an operating system called VM whereas

01:31.900 --> 01:33.710
e s x y.

01:33.910 --> 01:39.970
Now ESX is kind of the poor man's version of type 1 hypervisor but it works great.

01:39.970 --> 01:40.600
We love it.

01:40.600 --> 01:42.660
VM where we think you're fantastic.

01:42.670 --> 01:47.530
Now if I were to actually walk over to that system and plug a monitor into it it's kind of boring.

01:47.530 --> 01:53.410
I mean you just get this ugly boring screen that means absolutely nothing so other than the actual initial

01:53.410 --> 02:00.550
installation all the heavy lifting that's done with VM Ware is done through a client.

02:00.640 --> 02:06.370
So I happen to have the VM where Klein installed on this particular system they call this the VM manager.

02:06.370 --> 02:12.130
Now this is a slightly older version of ESX I but I like it and for the simple stuff we do here in total

02:12.130 --> 02:12.770
seminars.

02:12.910 --> 02:17.440
It works absolutely great for us the big things we're doing is testing software to make sure that it

02:17.440 --> 02:19.950
works on different operating systems.

02:19.960 --> 02:26.980
We also do some policy checking like if I set a policy that could mess everybody up we try it on a virtual

02:26.980 --> 02:28.640
machine first.

02:28.750 --> 02:34.000
We do patches on a virtual machine make sure the patch doesn't blow everybody up so we can do a lot

02:34.000 --> 02:34.710
of fun stuff with it.

02:34.720 --> 02:39.160
So but what you're looking at here is all the virtual machines we have in fact I'm going to show them

02:39.220 --> 02:41.990
all to you because I don't want you guys to have that kind of access.

02:42.160 --> 02:47.000
But these are all R&amp;D type systems that we keep around for one reason or another.

02:47.020 --> 02:51.500
Invariably someone's going to ask me like I'm running Vista Business and something happened.

02:51.550 --> 02:55.460
So we have examples of all the stuff that we turn to time and time again.

02:55.960 --> 02:59.520
Now to turn one on I just click one and turn on the on button.

02:59.650 --> 03:03.180
But you can see I think I've already got one running here yeah.

03:03.270 --> 03:12.060
So what I've got here is a copy of Ubuntu and if I ever need a new buntu box I can access through my

03:12.060 --> 03:16.280
VM where client and I can turn this on and do anything that I want.

03:20.480 --> 03:25.890
Now there is one more type of virtualization I want to talk about and that is cloud based.

03:25.910 --> 03:31.370
Now using infrastructure as a service is a very very powerful tool today.

03:31.580 --> 03:37.730
Things like Amazon Web Services or my current personal favorite Microsoft asor are really great places

03:37.730 --> 03:42.440
to go if you just need to spin up a web server or a game server or whatever it might be.

03:42.440 --> 03:45.910
And I've actually got a free trial version running right here.

03:46.990 --> 03:52.360
So if you take a look what I have right now is the free trial version of Microsoft Asor and I've got

03:52.360 --> 03:54.720
a bunch of stuff set up and running.

03:54.790 --> 03:59.630
But what I'm mainly interested in showing you right now is this guy right here.

04:02.750 --> 04:08.400
So what you're looking at in this particular case is an up and running server.

04:08.510 --> 04:10.880
You can actually see it's IP address.

04:11.290 --> 04:17.090
I haven't given it a DNS name yet but what I've done is using the Microsoft as your services and this

04:17.090 --> 04:19.430
is all done with their free trial by the way.

04:19.430 --> 04:20.780
I can set up a server.

04:20.780 --> 04:22.490
It will come with an IP address.

04:22.520 --> 04:28.880
It will get a default domain name usually something really boring name like portal or something like

04:28.880 --> 04:29.420
that.

04:29.480 --> 04:34.970
But the important thing is up and running I can configure the DNS I can set IP I can do all kinds of

04:34.970 --> 04:37.070
powerful powerful stuff like that.

04:37.070 --> 04:44.390
So here we're looking at three different types of virtualization the type 2 hypervisor type 1 hypervisor

04:44.660 --> 04:49.730
and a very much a classic cloud infrastructure as a service set up.

04:49.760 --> 04:55.970
So virtual machines are absolutely fantastic I mean obviously they save space.

04:55.980 --> 04:59.760
I can put a lot of computers onto a single physical computer.

04:59.820 --> 05:06.000
They save power for the exact same reason instead of running five or six boxes I just can run one but

05:06.090 --> 05:08.490
they also do a lot of really really important things.

05:08.490 --> 05:17.040
In fact if you really think about it to me virtualization is by itself a security feature with virtualization

05:17.090 --> 05:18.070
I can take care of.

05:18.070 --> 05:23.240
As I mentioned earlier patch management if I want to test a patch I can do it on a virtual machine before

05:23.240 --> 05:29.690
I push it out to all my big boxes if I have hardware issues with virtualization pretty much ex-special

05:29.690 --> 05:31.370
if I'm on one particular platform.

05:31.430 --> 05:35.960
All the hardware can be configured identically so things like do I have the right driver for that video

05:35.960 --> 05:41.630
card or whatever it might be kind of goes out the window availability if something goes down it's trivial

05:41.630 --> 05:48.380
for me to spit up another version of a particular VM so availability is very very important.

05:48.620 --> 05:54.350
And when it comes to testing the test every day I mean security controls.

05:54.440 --> 05:58.640
I want to put in a new type of security control that only allow certain people to log in.

05:58.700 --> 06:03.440
I can put this out on a virtual machine test it and then I can determine whether it's going to work

06:03.440 --> 06:04.950
or not in the real world.

06:04.970 --> 06:09.340
I can also use it for sandboxing in particular when I talk about sandboxing.

06:09.410 --> 06:14.540
I'm talking about making a virtual machine making something that's separate from my real world network

06:14.780 --> 06:17.030
and then doing something with that.

06:17.140 --> 06:20.630
And that way if there's a problem I don't have to risk everybody else.

06:20.660 --> 06:24.100
Software is being dispersed and I want to make sure there's no malware on it.

06:24.140 --> 06:29.150
I can set up a VM make sure it's not connected my network install it and see what happens.

06:29.150 --> 06:31.550
So it's incredibly powerful.

06:31.550 --> 06:37.340
The other big thing that we can do with virtual machines is network separation.

06:37.340 --> 06:39.810
So let's take a look at this little diagram.

06:39.860 --> 06:41.190
So here's my server.

06:41.300 --> 06:46.670
Now on that server is a whole bunch of virtual machines so I'm just going to make for little boxes here

06:46.670 --> 06:52.580
above the server to show the four virtual machines I'm running if I want to separate them from my main

06:52.580 --> 06:53.280
network.

06:53.300 --> 06:54.290
It's trivial.

06:54.290 --> 06:59.900
Pretty much all hypervisor is allow me to create a virtual switch so that I can do is I can create like

06:59.900 --> 07:05.210
a little pretend switch here that's between my real server and my four virtual machines I can connect

07:05.210 --> 07:11.030
the four virtual machines to that but I don't have to connected through the physical server to my real

07:11.030 --> 07:11.720
network.

07:11.840 --> 07:16.700
So if you've got a bunch of virtual machines and you need them segregated it's trivial to do because

07:16.700 --> 07:22.910
of virtual switches on top of that virtual machines handle the lands or anything else just like a real

07:22.910 --> 07:24.570
world computer would do as well.

07:25.510 --> 07:29.530
The last one the big one for me are snapshots and backups.

07:29.530 --> 07:35.890
If I shut down a virtual machine it manifests as a file just one file and backing up becomes trivial.

07:35.890 --> 07:42.760
I can simply make a backup copy of that very large file and I'm talking in many many gigabyte size and

07:42.760 --> 07:44.620
send it off to the side of something blows up.

07:44.620 --> 07:50.600
I can simply bring that file back bring that virtual machine up and it's as though nothing ever happened.

07:50.620 --> 07:55.370
What we tend to do more often though with virtual machines is what we call a snapshot.

07:55.570 --> 07:58.380
So I've actually got that capability right here.

07:59.280 --> 08:04.140
So I'm going to do is I'm going to show you this is the virtual machine I'm running on my oracle virtual

08:04.140 --> 08:04.810
box.

08:04.920 --> 08:11.790
And one of the things I can do if I need to is I can just take a quick snapshot and

08:15.290 --> 08:18.210
I can type in anything I want that helps me describe what's going on.

08:18.280 --> 08:19.270
OK.

08:19.370 --> 08:26.000
And what's happened is a perfect example of the state of this system as it is up and running right now

08:26.330 --> 08:28.700
is stored snapshots are amazing.

08:28.700 --> 08:32.600
If I'm going to be testing a piece of software for example usually where I'm going to do is I'm going

08:32.600 --> 08:38.660
to have this virtual machine I'm going to go ahead take a snapshot install the software and then see

08:38.780 --> 08:42.010
what the differences if something happens that blows up the application.

08:42.110 --> 08:44.540
I can restore instead of having to copy a whole file.

08:44.570 --> 08:46.850
I can just go back to a previous snapshot.

08:46.850 --> 08:49.400
So that is an incredibly powerful tool.

08:49.460 --> 08:51.610
And when you're going to be seen on the exams.

08:51.950 --> 08:56.890
So virtualization is in of itself a security feature.

08:56.900 --> 09:02.750
However there are things that take place within the virtual world that can be a problem.

09:02.840 --> 09:05.090
And I want to just call that virtual threats

09:09.930 --> 09:12.150
when we're talking about threats to virtual machines.

09:12.150 --> 09:17.010
The number one thing you need to remember is that anything that can happen to a virtual machine is the

09:17.010 --> 09:19.050
same stuff that can happen to a physical machine.

09:19.050 --> 09:26.130
So when we're talking about stuff like now where or not patching the machine properly or having a host

09:26.130 --> 09:33.180
firewall although usually a virtual machine will take advantage of whatever network firewalls provided.

09:33.180 --> 09:39.300
But the host is up to you setting up policies so specially if you've got a type 1 or Type 2 hypervisor

09:39.300 --> 09:41.070
that you're directly in control of.

09:41.070 --> 09:43.110
You have to take care of all this stuff.

09:43.110 --> 09:44.840
This is all your job now.

09:44.850 --> 09:51.600
Luckily when you get into the cloud most I S type of setups provide a lot of this stuff.

09:51.600 --> 09:53.260
So take a look right here.

09:53.430 --> 10:00.380
So here in my asor even got a whole big security center and you can see I'm getting lots of red bars

10:00.380 --> 10:02.960
mainly because I haven't said anything up yet.

10:02.960 --> 10:06.140
So if I take a look at this I believe I click on recommendations.

10:06.140 --> 10:08.220
It's got all kinds of stuff.

10:08.270 --> 10:09.920
It's recommending that I do.

10:09.980 --> 10:13.880
So for example add a next generation firewall so if I click on that

10:18.970 --> 10:20.510
I'm going to create a solution.

10:22.540 --> 10:28.060
And lookee here they've got three different companies that are more than glad for a small consideration

10:28.300 --> 10:33.850
to provide all of these tools so when we see stuff like this particularly when it's done on the cloud

10:34.090 --> 10:39.730
we tend to call this security as a service so this is a very very powerful thing.

10:39.730 --> 10:47.670
Now there are two other security aspects that are very unique to virtualization.

10:47.800 --> 10:51.770
So let me talk about both of these and we'll do it through a diagram.

10:52.330 --> 10:57.730
So let's imagine the circle right here is my entire infrastructure all of my computers and everything.

10:57.730 --> 11:03.670
Now over time here the accounting department sets up a virtual machine with Amazon Web Services and

11:03.670 --> 11:09.960
then over here the sales department sets up something on Zaur and somebody else sets up a private cloud

11:09.970 --> 11:16.020
and even with in my own infrastructure people start setting up type 1 hypervisor and stuff like this.

11:16.030 --> 11:19.830
This is known generically as VM sprawl.

11:19.840 --> 11:23.740
Now the sprawl is a bad thing and it's something that we want to avoid.

11:23.740 --> 11:25.590
Unfortunately it can be tricky.

11:25.600 --> 11:29.590
The other one I want to talk about is called V.M. escape.

11:29.590 --> 11:35.770
Now here's a type 1 hypervisor and we're going to say he's got four virtual machines running on like

11:35.770 --> 11:37.000
we talked about earlier.

11:37.150 --> 11:42.430
There are situations this happened 10 12 times over the last 10 years where people have come up with

11:42.430 --> 11:48.460
tricky ways to be able to punch out on the virtual machine and get to the hypervisor itself and the

11:48.460 --> 11:52.880
host system and caused naughty naughty things in general.

11:52.900 --> 11:55.220
These are the types of things we need to avoid.

11:55.240 --> 12:02.530
So let's talk about hardening virtualization.

12:02.540 --> 12:06.410
There's a number of issues to consider when it comes to hardening virtualization.

12:06.440 --> 12:09.680
Probably one of the biggest ones is cleaning data Redmond's.

12:09.680 --> 12:14.750
When you have a virtual ised hypervisor Well when you have hybridize with it's running virtualization

12:15.110 --> 12:18.660
he's going to have a lot of data that's sitting on its drives.

12:18.770 --> 12:23.360
If you ever want to recycle these drives or anything you've got to make sure to clean them out.

12:23.660 --> 12:28.370
Even if you're in a situation where you're taking out one virtual machine it's usually a good idea to

12:28.370 --> 12:34.130
take the time to wipe out all the data that is associated with that one virtual machine.

12:34.730 --> 12:39.900
The biggest thing you can do when it comes to virtualization is make good policies.

12:39.920 --> 12:44.530
You've got to let people know what they can and can't do when it comes to virtualization.

12:44.540 --> 12:49.790
If the accounting department is going over to Amazon Web Services and setting up their own servers that's

12:49.790 --> 12:52.570
because you haven't set up good policies.

12:52.700 --> 12:54.750
So make sure people are aware of that.

12:54.800 --> 13:00.170
Also understand that all hypervisor is come with some type of user privileges built into all of these

13:00.170 --> 13:05.210
and you can decide what users can create virtual machines when you copy virtual machines who can make

13:05.220 --> 13:11.150
snapshots who can just view them and take advantage of these controls so that you have good tight control

13:11.240 --> 13:15.390
on your Vienna's next patch everything.

13:15.520 --> 13:20.330
And I'm not just talking about the virtual machines themselves I'm not talking about just the application

13:20.330 --> 13:21.260
running with virtual machines.

13:21.260 --> 13:25.370
I'm not talking about just the operating system even hypervisor need patching.

13:25.370 --> 13:32.030
So you've got to stay on top of all of these last and this is something that runs into when things get

13:32.030 --> 13:33.370
a little bit more complicated.

13:33.440 --> 13:36.910
The something called Cloud Access security brokers.

13:36.920 --> 13:38.440
Let me show you what that means.

13:38.480 --> 13:44.390
So here's my infrastructure and let's say I've got one particular infrastructure as a service that I'm

13:44.390 --> 13:51.170
using out there for my own websites or whatever it might be a Cloud Access security broker acts as an

13:51.170 --> 13:56.940
intermediary between your infrastructure your in-house stuff and the cloud.

13:57.010 --> 14:03.650
It will either manifest as some type of device that's running locally although that's fairly rare and

14:03.650 --> 14:08.810
it usually shows up as a service that's running up on the cloud itself.

14:08.870 --> 14:13.660
Its job is to make sure that policies are controlled at watches for malware.

14:13.730 --> 14:20.270
It does everything you need to in order to take advantage of the best in security as a service.

14:20.270 --> 14:25.640
The big thing you're going to be running into on the exam when it comes to virtualization is when you

14:25.640 --> 14:29.900
use this type of virtualization do you need a virtual switch or not.

14:29.960 --> 14:33.430
Do you need Cloud Access security brokers.

14:33.470 --> 14:36.110
You're not going to be really running into long questions.

14:36.110 --> 14:43.160
More a matter of you know the network guy needs to do this is virtualization an option and what type

14:43.160 --> 14:54.890
of virtualization do you need to use.