CHAPTER 5
Virtualization Technologies

EXAM OBJECTIVES IN THIS CHAPTER

The Purpose of Virtualization

Benefits of Virtualization

System Virtualization

Application Virtualization

INTRODUCTION

This chapter introduces the concepts of virtualization, a topic that is new to the Security+ certification. Virtualization is a very popular technology, and many businesses are exploring it to reduce costs and maximize their server resources. There are several different types of virtualization, all of which can be used to securely deliver applications and computing power to end users. This technology is increasing in popularity and is accepted in both small business and enterprise data centers. It is very likely that you will encounter some form of virtualization at some point in your career as an Information Technology (IT) professional. This chapter will help you prepare for the exam and also give you a basic understanding of virtualization technology in general.

THE PURPOSE OF VIRTUALIZATION

Virtualization gets a lot of attention for consolidating the number of physical servers in a data center on to a few more powerful physical servers. The ability to allow one physical computer to run multiple instances of an operating system or multiple operating systems on the same physical computer is a benefit of this technology, but we are going to look at how to apply these features with a security focus.

The basic concepts of virtualization are not new but come from the mainframe computing world. They were originally designed to maximize the resource utilization of expensive hardware and software, so businesses could get the best, most efficient utilization of their mainframe processing capacity. Today’s versions are not much different in their goals.

Today’s application of virtualization technologies allows computer owners to maximize the hardware and software resources available to them by running multiple virtual machines (VMs) on a single physical computer. This is not much different than the mainframe, but the cost of the computer is significantly less. This capability of the more modern servers also presents both security challenges and benefits. While the number of physical computers may drop, the number of VMs will grow at an even faster rate. This makes your job as a security administrator more critical to the organization.

With more VMs, there are more patches that need to be applied, more servers to be secured, more VMs to be created and, just as important, removed, and users accessing both internal and external resources.

In addition to server virtualization, there is application virtualization technology. Virtual applications run on servers located remotely from the users. These users do not need to have the application or data loaded on their desktop devices. Application virtualization allows applications that may be sensitive or not compatible with a user’s desktop to operate as if they were loaded locally. These virtual applications also do not leave a trace on the client machine, so they are safe to use from computers outside the trusted network.

BENEFITS OF VIRTUALIZATION

There are many benefits of virtualization for both the IT professional and the organization. With the cost of servers remaining basically flat, their power and capabilities are ever increasing. This has created a situation where very little of the power and performance of the physical computers is actually used in running the process or application that has been tasked on that server. It has been shown in white papers by VMware (www.vmware.com/pdf/Solution_Blueprint.pdf) and in Computerworld articles like “RightSizing Program to Boost Vendor’s Server Utilization Rates” (www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9020679) that most modern servers are only running at 2 to 20 percent of their capacity. This is an inefficient use of the resources. Businesses want to get a better value for the money they spend on servers.

The way server consolidation is achieved is through a thin software layer called a hypervisor. The hypervisor sits between the operating system that controls the physical hardware and the VMs. The hypervisor isolates the VMs from the physical hardware and even each other. This isolation enables different operating systems and multiple VMs to be run on the same physical server at the same time.

One of the key benefits of a virtual infrastructure is that all the VMs have standard virtual hardware regardless of the physical platform they are currently running on. This feature creates a utility computing environment. The VMs simply work on whatever physical server the organization chooses. As long as you maintain the same hypervisor, the VMs can be run on any server supporting the hypervisor. If you are changing hypervisors, you may need to use a converter utility available from several vendors. This is the only type of change that is necessary to bring up a VM on different physical hardware. By leveraging the advanced features of many hypervisors, you can move running VMs to another physical server without interruption to the users accessing the virtual server. The old physical server can be upgraded, repaired, or replaced all without changing the VM.

This utility computing feature allows for rapid recovery in case of disaster or security breach. The virtual server configuration files and virtual disks can be copied, or snapshots can be taken and transferred to a remote facility or separate storage, and then used to restart the VM in a different location without regard to drives or physical hardware differences. This feature allows for recovery of VMs in minutes instead of the hours or days needed with traditional servers. If a server becomes compromised, a previous snapshot can be applied and the VM is back to that point in time. The corruption does not have to be removed because it was not present when the snapshot was taken. The same methods can be used when testing new software or a new patch. If the patch or software causes a problem, then the system can be rapidly restored to the previous condition without rebuilding it. This saves a significant amount of time in the development and testing of software and patches.

There are other related side expenses to consider when determining the value of virtualization, such as the cost of network ports, power connections, heating and cooling, space requirements, maintenance and upgrades, replacement and disposal of equipment, and the amount of manpower it takes to manage and maintain a physical infrastructure. For the organization, the benefits can be as follows:

■ Reduced cost of hardware: One physical server can support several VMs at the same time. The VMs can share the physical resources such as processor, memory, disk storage, network interface card (NIC), and power connections.

■ Reduced space requirements: VMs don’t require any additional rack or floor space in the data center other than what their host server requires. With the demand for servers increasing, the available rack or floor space in a data center becomes a valuable commodity. If your servers are in a hosted facility, you pay for space by the rack unit or U. Virtualization reduces the number of rack units required to host your computing needs.

■ Rapid deployment of new servers: VMs are nothing more than large files, so they can be rapidly copied or cloned from a previously configured VM. You do still need to perform the customizations on the copied or cloned VM.

■ High availability: Because VMs are just files, they can be moved to a different host and restarted if the physical host server experiences a problem, needs an upgrade, or needs to be replaced. This makes updating your server hardware a much easier process than with a physical server.

■ Hosting multiple environments: You may have configured a server before with a dual boot capability. While this will allow you to run multiple operating systems on a single computer, you can only run one of them at a time. With virtualization, you can run multiple operating systems on the same physical computer at the same time.

■ Separation of VMs: Each VM is independent from the others running on the same physical server. If one VM fails, it does not affect the others. VMs can be stopped and started without impacting the other VMs.

■ Ability to maintain a test/development environment: Virtualization enables the organization to have an environment that will closely match the production environment without the additional expense of duplicate physical servers. Developers can program on systems that will match the production servers, recover quickly from any program crashes, and be isolated from the production network.

■ For the security administrator: You can create a template for the VMs to use as they are created. This will maintain the proper security settings and patches. The ability to set up virtual “honey pots” allows you to monitor any intrusion attempts and quickly isolate them and replace the server with a fresh one.

■ Software testing and training: Most training and testing can be done using a VM without the need to purchase additional hardware. This gives the organization the ability to test potential software or allow the security administrators to train on a production-like computer without the need to purchase multiple servers.

Head of the Class

This autonomy of VMs allows you to create secure virtual “data center in a box” environments. With additional NICs and using virtual local area networks (VLAN), you can create an Internet facing network connection to a firewall running on a Linux server with an internal connection to virtual servers running in a DMZ or connected to the production network.

Figure 5.1 shows this concept using three physical NICs and an internal switch with the physical server and seven VMs. The Firewall server is connected to the Internet using NIC 1 and is connected to the production network using NIC 2. The production servers (domain controller, file server, and application server) all share NIC 2 to access the production network. The Web server, mail server, and File Transfer Protocol (FTP) server are connected to the Firewall DMZ network using an internal switch. This effectively isolates that environment from the production network and the Internet. An additional management network is connected to NIC 3 to separate the physical server from the production network.

FIGURE 5.1
Data Center in a Box

Types of Virtualization

Like most everything else, there are different types of virtualization. While each type provides an isolated environment for the VMs, they go about it in different ways. The actual methods of virtualization are outside the scope of this book and the Security+ exam. We will go over the basics so you will be aware of the major differences. All four use a layer of software or firmware called a hypervisor. It is the hypervisor that isolates the VMs from the physical hardware or operating systems of the host and manages the system calls to the physical resources of the host computer.

There are basically four types of virtualization: hosted, binary translation, paravirtualization, and hardware assist.

■ Hosted: This type of virtualization uses a base operating system to run the physical computer, and the hypervisor manages access to the physical resources through the operating system. The base operating system is normally Windows or Linux, but there are hosted virtualization versions for the Mac. Figure 5.2 shows the logical connections between the VMs and the physical resources. While this type of hypervisor is workable on a smaller scale, it still inherits the vulnerabilities and overheads of the host operating system. Hypervisors of this type are commonly used for running multiple VMs on desktops or laptops. VMware Workstation and Parallels Desktop along with Microsoft Virtual PC are examples of the desktop virtualization products. VMware Virtual Server and Microsoft Virtual Server 2005 are examples of a server-based hypervisor using a hosted design. The benefits of this type of hypervisor are that you can utilize most any additional hardware resources the host operating system can support.

FIGURE 5.2
Hosted Hypervisor

■ Binary Translation: This type of virtualization has a very thin operating system below the hypervisor. The hypervisor captures all system calls for hardware resources and translates the virtual to physical calls. Figure 5.3 shows how this type of hypervisor works. By translating all system calls, each VM is completely isolated from the underlying hardware. All VMs have the same type of virtual hardware regardless of the underlying physical hardware. This allows VMs running on different physical hardware to be migrated to all hosts. The drawback to this type of hypervisor is that there is a performance cost as the hypervisor must translate all system calls for hardware resources. This requirement of complete translation severely limits the type of physical resources that can be presented to the VMs. VMware ESX server is an example of this type of hypervisor.

FIGURE 5.3
Binary Translation Hypervisor

■ Paravirtualization: This design of hypervisor allows some specific system calls to be passed directly to the physical resources. The remaining system calls are still translated before passing to the physical resources. In a true paravirtualization hypervisor, small pieces of the guest operating system are changed to modify kernel operations. These changes are picked up by the hypervisor and translated to the physical resources. Some less disruptive hardware calls are allowed to pass directly to the physical resources. Figure 5.4 shows the paravirtualization hypervisor.

■ Hardware Assist: This type of hypervisor leverages the benefits of the paravirtualization design and takes it a step further by adding specific CPU calls from the guest VMs. This allows for an even thinner hypervisor and increased performance of the VMs. Both Intel VT and AMD-V are examples of hardware assist in a paravirtualized hypervisor. Commercial versions of this type of hypervisor can be found in Citrix XenServer, Microsoft Hyper-V, and VMware ESX 3.5. Figure 5.5 shows how this additional feature can be used by the guest VMs. You must have specific hardware and a hypervisor that will support these features. Most modern servers will have hardware assist virtualization settings in the BIOS. You must enable these features to use them with your hypervisor. In many instances, your hypervisor will not successfully install unless these features are present and active.

FIGURE 5.4
Paravirtualization Hypervisor

The management application program interface is the interface into the physical computer and the underlying operating system that controls the physical resources and interfaces with the hypervisor. The guest VMs do not interact with this component. Microsoft, Citrix, and VMware each make a separate piece of software that connects directly to this layer for creation and management of the physical machine and the VMs.

EXAM WARNING One of the benefits of virtualization is the rapid deployment and restoration of a compromised virtual server. Remember that you can use the snapshot features of the hypervisor to get a clean copy of the VM. If it becomes corrupted or compromised, the snapshot can be used to rapidly recover the virtual server to its original state.

FIGURE 5.5
Hardware Assist Hypervisor

Designing a Virtual Environment

The differences in hypervisors have now been explained and some of the benefits of a virtual environment explored. These new tools, while very flexible and powerful, can also present challenges to the security team if the environment is not well designed and manageable.

VMs are, for the most part, isolated both from the physical host computer and from each other. It is important to remember that most of the physical resources are shared even though there is a separation between the VMs. You should take advantage of the physical capabilities of the hypervisor: add additional NICs, separate your storage, and use the snapshot and backup features of the hypervisor. If you properly allocate your physical resources, you can create a robust and secure environment for your virtual infrastructure.

The virtual infrastructure is very similar to a physical infrastructure in what can be done. It is possible to connect VMs to internal switches, physical NIC bonds or teams, VLANs, and internal and external storage. These features allow you to design and connect the different VMs to the necessary resources and still maintain your security design.

Processors

Most modern processors are now multicore and have the hardware assist features for virtualization. Nearly all are 64-bit (x64) processors and will support both 64-bit and 32-bit guests. If you do run across an older processor, you may need to use a hosted hypervisor for your VMs. You would then be limited by the restrictions of the host operating system. There are hosted hypervisors for both Windows and Linux.

Multicore processors are like adding additional physical processors to your server. They appear as either a two or four processor system. Some hypervisors do require at least two physical processors. Once loaded, they will utilize each core as a separate processor.

There are some limitations you should be aware of when considering the processor selection for your virtual environment.

■ Total number of processor cores: Most hypervisors will only support up to 32 processor cores. Current versions will allow up to 256 or more, but you should check the limitations of the hypervisor you select. It sounds like a lot of capacity until you do the math. A standard dual core/dual processor server is four processor cores. If the same server has quad core processors, we have eight cores. If we have a four processor server with quad core processors, we have 16 cores. The eight core processors are coming out soon so it is not as difficult to hit the limits as it once was.

■ Pick a processor family: Both Intel and AMD make multicore processors with hardware assist virtualization built in. Everyone has his own particular favorite, and each vendor will change position based on its latest release, so we won’t get into the debate on which is better. Just pick the one you prefer and stick with that processor family. Some hypervisors allow motion of running VMs between physical servers, but they must have processors from the same family. That means if you select one vendor as your processor of choice, you should stick with that family of processors. It is possible to move VMs between processor families, but it normally requires you to shut down the VM.

Networking

It is normally possible to support between 6 and 32 physical NIC cards on a host server depending on the version and vendor of your hypervisor. You should consult the Administrator Guide or README notes of your selected version for specific limits. Each VM can have four or more virtual NIC cards. These NICs can be connected to internal switches or external port groups. As can be clearly seen, there is plenty of flexibility for the virtual infrastructure. Figure 5.6 shows a minimum network configuration recommendation. By adding or redistributing the physical NIC connection to a team, a wide variety of designs can be created. With the resources shown in Figure 5.6, you could create several groupings, from four individual networks to two teams of two NICs or a team of three NICs and a second LAN of one NIC. Just remember that a physical NIC can only be part of a single team. A team can consist of one or more physical NIC cards. You can also configure internal only virtual switches that require no physical NIC cards. This flexibility allows you to meet most any security or network need.

FIGURE 5.6
Recommended Network Configuration

TEST DAY TIP You can use VLANs for dividing your VMs and setting up different network connections. You can also use an internal switch to connect VMs without connecting them to an external network. Take the time and draw the connection maps to make sure you are meeting all the requirements of the questions.

For security, you could break up the NIC team into two groups of two NICs or four groups of one NIC and assign each to different VMs. You could assign a different set of VLANs or port group to each physical NIC and assign each VM to a separate port group to isolate them. You could even set an internal switch and connect the VMs to act as an internal firewall between different VLANs. As you can see, the configuration can get quite complicated, so it is recommended that you create and maintain good documentation for which physical NICs are connected to the port groups and assigned to specific VMs. Internal switches need to be documented as well.

Because the network cards are shared among VMs, it is recommended that you try to use gigabit NIC cards where possible. Your external switches should also be nonblocking or wire speed if possible for best performance.

Storage

Storage is where the VMs are kept along with their data. You can use the server’s local disk drives or Direct Attached Storage Devices (DASD), a Storage Area Network (SAN), or a Network Attached Storage (NAS), or a combination of each for this purpose. Remember that your VMs are really big files that must be managed by the physical server. While this is not normally a problem for the hypervisor, the type of storage you choose can make a big difference in the performance and availability of your VMs.

How you use your storage can also increase the security of your virtual infrastructure. Authentication protocols and encryption can be applied to the storage used to increase the security and control access to the shared storage.

The different storage types each have benefits, and the basic advantages will be shown here. There are more options than the ones listed, but these will give you a solid knowledge of what is available and how it can be used.

■ DASD: This type is the most common and familiar. These are the local hard drives in the physical server. These may be connected to a Redundant Array of Inexpensive Disks (RAID) controller or just connected to the internal disk controller. Either way, this type of storage is normally exclusive to the physical server it is connected to and cannot be shared with other servers. This storage can have a very fast transfer rate and good read/write speeds but can require the physical server to manage and send instructions to the disk controller for reads and writes. If you are using a hardware RAID controller, much of this management overhead is removed from the processor and handled by the RAID controller. Figure 5.7 shows a RAID controller design using DASD storage. There are several types of RAID configurations and each requires a minimum set of disk drives and provides a different level of data protection from none to multiple disk failures. In Figure 5.7, you can see we have two arrays configured. One is for the system containing the operating system and hypervisor. The second is configured for the VMs. The VM array may be much larger because VMs are actually large files themselves. It is not uncommon for the VM to be 20 to 100GB in size. Remember the VM files represent a complete server including the local storage for that server.

■ SAN: The SAN is a standalone device that can share the storage among multiple physical servers. These connections are typically made using either Fiber Channel (FC) or Internet small computer system interface (iSCSI) connections. There are other connection protocols but these are the two we will discuss in this chapter. Figure 5.8 shows a typical SAN design. Notice the SAN switch in between the servers and the storage. This is the component that allows for multiple physical servers to connect to the storage. This switch must match the protocol of the SAN.

FIGURE 5.7
Direct Attached Storage Devices

EXAM WARNING You should know the different types of storage and any security associated with them. FC has the least security because of its design and protocol. The FC Security Protocol (FC-SP) is being adopted, but because this is a fiber network that only moves disk Input/Output (I/O) traffic and is typically local to the data center, there is less opportunity for compromise of the data. iSCSI and NAS storage use Ethernet and Transmission Control Protocol (TCP)/Internet Protocol (IP) for communications and therefore are more vulnerable to compromise. iSCSI uses Challenge Handshake Authentication Protocol (CHAP) authentication, and NAS devices use either Network File System (NFS) or New Technology File System (NTFS) and rely on a user name and password for access.

■ FC SAN connections can transfer data between 1 and 8 Gbps. They use a special interface card called a host bus adapter (HBA) and are typically connected using a fiber optic cable. FC-SP is designed to secure the transfer of data across the network between the storage and the server. It does not address the data stored on the SAN. Because of the protocol used, the data are not routed or sent across routers or outside the data center. The VMs would normally be loaded on the SAN and accessed by the physical server when they needed to be run. The fast data transfer rate and relatively large number of disks make this a very robust solution.

FIGURE 5.8
Storage Area Network

■ iSCSI SAN connections transfer data at 1 Gbps using normal Ethernet protocols. This disk traffic should be isolated on a separate VLAN to improve performance and security. The iSCSI protocol can take advantage of jumbo frames on an Ethernet network. This feature must be supported by the network switch before it can be used. It is also recommended that an iSCSI HBA be used instead of a normal server NIC. This iSCSI HBA will offload the network processing of the iSCSI traffic and generally improve the performance of the physical server. Because of the ability to transfer data over a normal network, security is built into the protocols. CHAP is a protocol that is used to authenticate the connection and is based upon sharing a security key that is similar to a password.

■ NAS: This type of storage is similar to the SAN except it uses normal server NICs and a protocol called NFS. This type of shared storage was originally developed for sharing files to individual computers by allowing the storage to be mapped to the local system as a local disk drive. The transfer of data is limited to the speed of the network. Figure 5.9 shows the design of a NAS device connection. NAS devices use configuration files for security. The first is the /etc/exports file, which lists the IP addresses of client machines allowed to connect to the NAS device. Further security is applied using file and directory level security. If your NAS device is a Linux-based device, you may be able to further edit the /etc/hosts.allow and /etc/hosts.deny files to allow or deny specific client server connections. You could also have a NAS that uses NTFS. This type of file system is secured using your existing Active Directory or other workgroup permissions. Either way, the VMs are accessed by connecting to the file shares and mapping the drive to the hypervisor before starting the VM. There is more overhead for this type of connection, so it is recommended that a separate VLAN or network be created for your NAS connections.
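The CHAP authentication described for iSCSI above, sketched as an added example that is not from the book. It models only the challenge and response step using the RFC 1994 MD5 calculation; the class names, initiator name, and secret are constructed, and the message dictionaries are a simplification of an iSCSI login, not a working implementation of it.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """CHAP with MD5 (RFC 1994): MD5(identifier byte || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Target:
    """Storage side: holds each initiator's secret and issues challenges."""

    def __init__(self, secrets):
        self._secrets = secrets      # {initiator name: shared secret}
        self._pending = None         # (identifier, challenge) awaiting a reply
        self._next_id = 0

    def issue_challenge(self):
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)   # fresh random value for every login
        self._pending = (identifier, challenge)
        # CHAP_A=5 selects MD5. The shared secret itself is never sent.
        return {"CHAP_A": 5, "CHAP_I": identifier, "CHAP_C": challenge}

    def verify(self, reply):
        pending, self._pending = self._pending, None   # a challenge is single use
        secret = self._secrets.get(reply["CHAP_N"])
        if pending is None or secret is None:
            return False
        expected = chap_response(pending[0], secret, pending[1])
        return hmac.compare_digest(expected, reply["CHAP_R"])


class Initiator:
    """Server side (the hypervisor host connecting to the storage)."""

    def __init__(self, name, secret):
        self.name = name
        self._secret = secret

    def answer(self, offer):
        response = chap_response(offer["CHAP_I"], self._secret, offer["CHAP_C"])
        return {"CHAP_N": self.name, "CHAP_R": response}


def run_demo():
    name = "iqn.2001-04.com.example:host01"    # constructed initiator name
    secret = b"constructed-shared-secret"      # constructed secret
    target = Target({name: secret})
    host = Initiator(name, secret)
    results = {}

    reply = host.answer(target.issue_challenge())
    results["valid_login"] = target.verify(reply)

    # The same reply again, with no new challenge outstanding.
    results["reply_reused"] = target.verify(reply)

    # The same reply presented against a fresh challenge.
    target.issue_challenge()
    results["old_reply_new_challenge"] = target.verify(reply)

    # Right name, wrong secret.
    wrong = Initiator(name, b"not-the-secret")
    results["wrong_secret"] = target.verify(wrong.answer(target.issue_challenge()))
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

Because each challenge is random and used once, a reply recorded from one login does not authenticate a later one; only knowledge of the shared secret does.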

FIGURE 5.9
Network Attached Storage
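The /etc/exports control described for NAS above can be checked mechanically. The following is an added example, not from the book: it reads an exports file and reports entries that are not limited to individual client IP addresses, plus any use of the no_root_squash option. The export paths and addresses are constructed, and host names and netgroups are deliberately left unjudged.

```python
import ipaddress
import re

# One client token looks like host(options); either part may be absent.
CLIENT = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^)]*)\))?$")

# Constructed sample: NFS exports holding VM files.
SAMPLE_EXPORTS = """\
# constructed sample: NFS exports for a VM datastore
/vmstore/prod   10.20.30.11(rw,sync,root_squash) 10.20.30.12(rw,sync,root_squash)
/vmstore/test   10.20.30.0/24(rw,sync)
/vmstore/iso    *(ro)
/vmstore/backup 10.20.30.11(rw,no_root_squash)
/vmstore/tmp    (rw)
"""


def classify_client(host):
    """Return an issue label for a client field, or None if it is one address."""
    if host in ("", "*"):
        return "any-host"
    if any(ch in host for ch in "*?["):
        return "wildcard"
    try:
        network = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return None          # host name or @netgroup: not judged here
    return "network" if network.num_addresses > 1 else None


def audit_exports(text):
    """Return (line number, export path, client, issue) for each finding."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            clients = [""]   # no client list at all: flag for review as any-host
        for token in clients:
            match = CLIENT.match(token)
            if match is None:
                findings.append((lineno, path, token, "unparsed"))
                continue
            host = match.group("host")
            options = set(filter(None, (match.group("opts") or "").split(",")))
            issue = classify_client(host)
            if issue:
                findings.append((lineno, path, host, issue))
            if "no_root_squash" in options:
                findings.append((lineno, path, host, "no_root_squash"))
    return findings


if __name__ == "__main__":
    for lineno, path, host, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"line {lineno}: {path} client={host or '(none)'} -> {issue}")
```

A whole subnet may be intentional on a dedicated storage VLAN, so treat the "network" findings as items to confirm against your documentation rather than as errors.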

As you can see, it is very easy to start using multiple NICs in a virtualized infrastructure. Planning the implementation and leveraging the features of the hypervisor will help you maintain the security policies while still providing a robust and flexible virtual environment.

Damage and Defense

In the real world, a shared storage model is the preferred design. Using shared storage is what enables all the advanced features of the hypervisor. To use the motion, load balancing, and high availability features, you must have a shared storage design.

SYSTEM VIRTUALIZATION

Now that we know what the different components are and how to leverage them into the virtual infrastructure, we need to look at how to virtualize our systems. We need a method to virtualize both existing and any new systems we might need. We also want to be able to manage these systems once they are virtualized and we need to know how to remove the VMs when they have reached their end of life.

While each individual hypervisor has tools for performing all these functions and they all look a bit different, the functionality is common across all the major hypervisors. Each hypervisor may even have its own file format for the virtual systems. Some will read the different virtual file systems; others may even use other formats directly in some instances.

When a VM is created, there are at least two files created, a configuration file and a virtual hard drive. The format of the configuration file may vary from one hypervisor to the next, but it contains similar information such as the location of the virtual hard drive, the name of the VM, the amount of memory allocated to the VM, the number of virtual NICs, and any other virtual hardware or connections for this specific VM. Figure 5.10 shows an excerpt of a configuration file. It is best not to directly edit these files unless you are experienced with the specific formats used by your particular hypervisor. If you manage to corrupt the configuration file, you can always just create a new VM and attach a current virtual disk to it. The new VM will start up using the settings in the new VM.

TEST DAY TIP VMs consist of a configuration file and a virtual disk file. The configuration file is either text or XML and describes the virtual hardware and memory configurations. The virtual hard disk file is a specific format and is not directly readable. You need both files to start a VM.


  <SwitchName type="string">60d80302-00e6-4256-91ee-ce8ca0ba449d</SwitchName>
    </_1c1f8081-393d-414e-bd89-9d4643810cd0_>
    <_83f8638b-8dca-4152-9eda-2ca8b33039b4_>
      <controller0>
        <drive0>
          <pathname type="string">C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks\VTS Gateway.vhd</pathname>
          <type type="string">VHD</type>
        </drive0>
        <drive1>
          <pathname type="string"></pathname>
          <type type="string">NONE</type>
        </drive1>
      </controller0>
      <controller1>
        <drive0>
          <pathname type="string">C:\Windows\system32\vmguest.iso</pathname>
          <type type="string">ISO</type>
        </drive0>

FIGURE 5.10
Configuration File for a VM

This is only a small part of the total file and is shown as an illustration of the type of information contained in the configuration file.
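Because the configuration file records where each virtual disk lives, it can be used to reconcile VMs against storage. The following is an added example, not from the book: it reads configuration files laid out like the excerpt in Figure 5.10 and reports virtual disks on storage that no VM references (left behind when a VM was removed) and disks that a configuration references but that are missing (that VM cannot start). The root element name, GUIDs, VM names, and paths are constructed assumptions.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

CONTROLLER = re.compile(r"controller\d+$")
DRIVE = re.compile(r"drive\d+$")

# Constructed configuration in the layout of Figure 5.10. The root element
# name and the GUID-style element name are assumptions for this example.
TEMPLATE = """<configuration>
  <_{guid}_>
    <controller0>
      <drive0>
        <pathname type="string">{vhd}</pathname>
        <type type="string">VHD</type>
      </drive0>
      <drive1>
        <pathname type="string"></pathname>
        <type type="string">NONE</type>
      </drive1>
    </controller0>
    <controller1>
      <drive0>
        <pathname type="string">C:\\Windows\\system32\\vmguest.iso</pathname>
        <type type="string">ISO</type>
      </drive0>
    </controller1>
  </_{guid}_>
</configuration>"""


def make_config(number, vhd):
    """Build one constructed configuration file for the sample data."""
    return TEMPLATE.format(guid=f"00000000-0000-0000-0000-{number:012d}", vhd=vhd)


CONFIGS = {                                   # constructed VM names and paths
    "web01": make_config(1, r"D:\VMs\web01.vhd"),
    "db01": make_config(2, r"D:\VMs\DB01.vhd"),
    "mail01": make_config(3, r"D:\VMs\mail01.vhd"),
}
STORAGE = [r"D:\VMs\web01.vhd", r"D:\vms\db01.vhd", r"D:\VMs\old-ftp.vhd"]


def attached_media(xml_text):
    """Return (controller, drive, type, pathname) for every populated drive."""
    found = []
    for controller in ET.fromstring(xml_text).iter():
        if not CONTROLLER.match(controller.tag):
            continue
        for drive in controller:
            if not DRIVE.match(drive.tag):
                continue
            kind = (drive.findtext("type") or "NONE").strip()
            path = (drive.findtext("pathname") or "").strip()
            if kind != "NONE" and path:
                found.append((controller.tag, drive.tag, kind, path))
    return found


def reconcile(configs, files_on_storage):
    """Compare disks referenced by VM configurations with disks on storage."""
    referenced = {}      # normalised path -> (vm name, path as written)
    for vm, xml_text in configs.items():
        for _controller, _drive, kind, path in attached_media(xml_text):
            if kind == "VHD":
                # Windows paths compare case-insensitively.
                referenced[ntpath.normcase(path)] = (vm, path)
    present = {ntpath.normcase(p): p for p in files_on_storage}
    return {
        "orphaned": sorted(p for key, p in present.items() if key not in referenced),
        "missing": sorted(ref for key, ref in referenced.items() if key not in present),
    }


if __name__ == "__main__":
    report = reconcile(CONFIGS, STORAGE)
    print("disks with no VM:", report["orphaned"])
    print("VMs with no disk:", report["missing"])
```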

The virtual disk file is where the operating system and data files are stored for the VMs. Depending on the specific features of the hypervisor, this file may be created all at once (for example, as a single 20GB file), or it may be allocated for the specified size and created in 2GB chunks. Creating the file in chunks makes the virtual hard disk much faster to create and does not use any space that it really doesn’t need. This saves storage space but still makes the operating system believe it has full access to the allocated storage.

You can mix operating systems, such as Windows and Linux, on almost all hypervisors. Some will only allow multiple versions of the core operating system. Each VM can be started and stopped independently just like physical servers.

EXAM WARNING You can have VMs running different operating systems on the same physical machine. You can also have VMs with different virtual hardware configurations like multiple processor configurations or multiple NIC cards or additional virtual hard disks.

Creating VMs can be done one of two ways, physical to virtual conversion and creating a new system.

■ Physical to virtual conversion: This method is best if you are moving from a physical infrastructure to a virtual infrastructure. The conversion can be done online or offline depending on the utility you are using. Most utilities allow an online conversion and are nondestructive to the physical machine. This feature helps maintain a recovery path should the VM encounter problems: simply power the physical server back on and restore access to the users. Normally, once a server is virtualized, you will want to go through and remove any unnecessary device drivers. You may need to maintain an end of life operating system on a server that is experiencing hardware problems. There may not be a way to replace the failing hardware or find drivers for the old operating system that work with the new hardware. Virtualization can be used to maintain the failing server by migrating it to a virtual environment. You should check the supported operating systems of the chosen hypervisor to verify that the end of life operating system is supported.

■ Creating new virtual servers: This is the same process as loading a new physical server. The difference is that since it is a VM, it can be done faster, and in many instances a clone or template of an existing virtual server can be used. This makes creating a new server a quick and mostly automated process. After loading the operating system, you should run the integration tools to set up the video, mouse, network, and other basic drivers to use the virtual drivers. Most hypervisors have virtual drivers for both Windows and Linux.

Notes from the Field

It is a recommended practice to create “golden masters” of each type of VM in your environment. You can use this VM to clone new VMs, and they will start up with the latest patches and service packs. This will save a lot of time as you build your virtual infrastructure. Just remember to update this master machine on a regular basis.

Management of Virtual Servers

Most hypervisors have a management console to control the virtual environment. This is typically loaded on a separate server beside the physical host. Some also have a connection client that allows you to connect to a specific VM to manage it. Usernames and specific roles can be assigned to functions and available VMs.

This feature allows the security administrator to control administrative access to only the necessary level of access and specify the VMs a user can access or the administrative tasks that can be performed.

Figure 5.11 shows a management console. Although each one is different, the functions are all similar.

From this console, you can see which VMs are configured, which are running or stopped, which have a snapshot, and when it was taken, and you can edit the settings of both the VM and the physical host and hypervisor. If you want to create a new VM, you can use this console to perform the necessary functions. The ability to load a console manager on a separate desktop or server allows true remote management and a lights out environment.

With most hypervisors, you can create an International Organization for Standardization (ISO) file store. This is used to copy the installation media of operating systems and applications that are used for your VMs. Each VM can mount either the physical DVD of the host or an ISO image to the virtual DVD drive. By connecting the virtual DVD of the VM to an ISO image, you can have multiple installations going at the same time. You also want to make sure to disconnect the virtual DVD and the virtual floppy from each VM. This not only improves the performance of the VMs but prevents an inserted disk from autostarting and running any malicious code.
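The configuration file layout in Figure 5.10 lends itself to an automated check of the two points made above: which removable media are still attached to a VM, and whether the virtual hard disk path in the configuration still matches a file on the host. The following Python sketch is an added example, not part of the original chapter or of any hypervisor's tooling; the `<configuration>` root element, the `_device-ide_` element name, the file paths, and the function names are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample modeled on the fragment in Figure 5.10. The root element,
# the shortened device element name and all paths are assumptions.
SAMPLE_CONFIG = r"""<configuration>
  <_device-ide_>
    <controller0>
      <drive0>
        <pathname type="string">C:\VMs\Disks\fw01.vhd</pathname>
        <type type="string">VHD</type>
      </drive0>
      <drive1>
        <pathname type="string"></pathname>
        <type type="string">NONE</type>
      </drive1>
    </controller0>
    <controller1>
      <drive0>
        <pathname type="string">C:\Windows\system32\vmguest.iso</pathname>
        <type type="string">ISO</type>
      </drive0>
    </controller1>
  </_device-ide_>
</configuration>
"""

CONTROLLER = re.compile(r"controller(\d+)$")
DRIVE = re.compile(r"drive(\d+)$")


def list_drives(xml_text):
    """Return one record per virtual drive slot found in the configuration."""
    drives = []
    for elem in ET.fromstring(xml_text).iter():
        ctrl = CONTROLLER.match(elem.tag)
        if not ctrl:
            continue
        for child in elem:
            drv = DRIVE.match(child.tag)
            if not drv:
                continue
            drives.append({
                "slot": f"controller{ctrl.group(1)}/drive{drv.group(1)}",
                "type": (child.findtext("type") or "NONE").strip().upper(),
                "path": (child.findtext("pathname") or "").strip(),
            })
    return drives


def audit(xml_text, files_on_host):
    """Flag attached removable media and disk paths that do not exist.

    files_on_host is a list of paths known to exist on the host; it stands in
    for a real directory listing so the example runs offline.
    """
    # PureWindowsPath compares case-insensitively, like the Windows file system.
    known = {PureWindowsPath(p) for p in files_on_host}
    findings = []
    for drive in list_drives(xml_text):
        if drive["type"] == "NONE" or not drive["path"]:
            continue  # empty slot, nothing attached
        if drive["type"] == "VHD":
            if PureWindowsPath(drive["path"]) not in known:
                findings.append((drive["slot"], "missing-disk", drive["path"]))
        else:
            # ISO or any other media type still connected to the VM
            findings.append((drive["slot"], "media-attached", drive["path"]))
    return findings


if __name__ == "__main__":
    # The disk was moved to D:, but the configuration still points at C:.
    for slot, issue, path in audit(SAMPLE_CONFIG, [r"D:\VMs\Disks\fw01.vhd"]):
        print(f"{slot}: {issue}: {path}")
```

A "missing-disk" finding is the condition that produces a "virtual hard disk cannot be found" error at startup, and it is corrected by editing the path in the configuration file.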

APPLICATION VIRTUALIZATION

Another method of virtualization is to virtualize applications. This technology allows users to be presented either a desktop or a list of available applications for performing their tasks. The applications actually run on a server that may be located either on the local area network or across wide area links. Because the applications are executed on a server and only the display, key strokes, and mouse movements are presented across the network, performance is seen as if the application is being executed locally.

FIGURE 5.11
Hyper-V Management Console

There is a robust set of security options to control both what a user can do and what a user can see. The connection itself can be configured to support full end-to-end encryption. There are two common types of application virtualization in the Windows environment: Microsoft Terminal Services (now called Remote Desktop Services) and Citrix XenApp. There are versions of XenApp that will run on UNIX, and most versions of UNIX/Linux support X Window services.

Regardless of the method of application virtualization used, the principles are the same. The client connects to the server and is presented the application interface. While the client is entering information and operating the application from their desktop, the real work is actually being performed on the server in the data center. This is commonly referred to as a thin client solution because there is no application processing being performed on the client desktop.

TEST DAY TIP Application virtualization is the easiest method of deploying and updating applications to users. You just need to update the applications on the terminal servers and all the users will receive the new or updated version the next time they log on.

Terminal Services (Remote Desktop Services)

This is the multiuser feature of Windows that enables remote access and application virtualization. Users connect to the application server using the Remote Desktop Protocol (RDP). User key strokes and mouse movements are sent to the server and the display is sent back to the user. While user sessions are basically isolated from one another, they all run on a shared server.

The Terminal Services Web interface allows users to access the terminal servers using a Web browser. This can have a Secure Sockets Layer (SSL) certificate attached to it for encryption of the channel between the user and the Web server. Microsoft has also supplied a Terminal Services Gateway service that provides a more secure connection between the end user and the terminal servers. Log-on authentication is provided by the internal Active Directory. Users connect using RDP over SSL on port 443 (see Figure 5.12). Once granted access, the connections are over the normal RDP port 3389. Users can connect to either an application being provided by a server running Terminal Services or a desktop or server allowing remote connections.

Even when using the RDP client, a user can be prevented from downloading files or even from printing to anything other than network resources. This prevents users from compromising the security policies and maintains the security of data within the data center.

A server-based desktop can be provided to users, but this desktop will need to be restricted using group policies to prevent improper actions from the users. Settings like removing the Shutdown option must be set to prevent a user from inadvertently shutting down the terminal server and dropping all the connected users.

FIGURE 5.12
Terminal Services Connection

Microsoft has developed a new option for application virtualization with Windows Server 2008 called RemoteApp. This feature creates an installer package that can be deployed like a normal application. It will create icons and Start menu items on a user’s desktop. When clicked, these RemoteApps will initiate a connection to the remote terminal server and start the application on the server. This feature also allows the RemoteApp to be published from the Web server for clientless operations.
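The gateway and redirection restrictions described in this section can be checked in the connection files that are handed to users, since RemoteApp programs are distributed as .rdp files or Windows Installer packages. The following Python sketch is an added example, not part of the original chapter or of any Microsoft tool; the host names, sample files, and function names are constructed, and treating a missing `redirectprinters` line as enabled is an assumption made to err on the cautious side.

```python
# Constructed sample: a connection file with the weak settings.
WEAK_RDP = """\
full address:s:ts01.corp.example
gatewayusagemethod:i:0
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Finance
drivestoredirect:s:*
redirectprinters:i:1
"""

# Constructed sample: the same published application with corrected settings.
HARDENED_RDP = """\
full address:s:ts01.corp.example
gatewayhostname:s:tsgw.corp.example
gatewayusagemethod:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Finance
drivestoredirect:s:
redirectprinters:i:0
"""


def parse_rdp(text):
    """Parse the 'name:type:value' lines of an .rdp file into a dict."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = parts
        if kind == "i" and value.lstrip("-").isdigit():
            value = int(value)  # 'i' marks an integer setting
        settings[name.lower()] = value
    return settings


def lint_rdp(text):
    """Return the list of findings for one connection file."""
    s = parse_rdp(text)
    findings = []
    # 1 = always use the gateway, 2 = use it when no direct connection exists.
    if not s.get("gatewayhostname") or s.get("gatewayusagemethod") not in (1, 2):
        findings.append("no-gateway")
    # Any value here ('*' or a drive list) maps client drives into the session,
    # which gives the user a path to copy files out of the data center.
    if s.get("drivestoredirect", ""):
        findings.append("drive-redirection")
    # Assumption: absent is treated the same as enabled.
    if s.get("redirectprinters", 1) != 0:
        findings.append("printer-redirection")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_RDP), ("hardened", HARDENED_RDP)):
        print(label, lint_rdp(text) or "ok")
```

Settings in an .rdp file are only what the client asks for; the restriction itself has to be enforced on the terminal server through policy, so this check catches badly published files but is not a control in its own right.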

XenApp

Citrix has developed additional functionality for Terminal Services for several years. Application servers are able to load balance, and policies that apply specifically to the terminal servers can be added. There are also much more granular administrative permissions, allowing nonadministrators or users to perform specific functions like password resets and client connection management.

Users take advantage of Citrix’s Independent Computing Architecture (ICA) protocol to access the application server’s resources. The ICA client allows for full 128-bit encryption and supports TLS and SSL certificates. When used with SSL certificates, the ICA protocol encrypts the entire connection from client to server.

The ICA protocol also channelizes different types of data streams. This allows security administrators to restrict file downloads to local disk drives or even printing to unauthorized printers. This all combines to make this a very secure protocol for remote users. This protocol is also optimized for low bandwidth and can provide a better multimedia experience to remote users.

As with Terminal Services, a server-based desktop can be presented to users, but group policies must be applied carefully to prevent users from accessing server system drives and folders. The use of roaming profiles and home drives is the recommended design for providing users their own flexible environments.

As with the Terminal Services Gateway, the Access Gateway provides secure remote access for remote users across the Internet. There are several versions of this Gateway ranging from a software-only solution to a fully load-balanced, hardware-based solution. The hardware-based solutions can also act as SSL virtual private network (VPN) access points.

EXAM WARNING The Terminal Services Gateways from Microsoft and Citrix both use an SSL certificate from a trusted authority like Verisign or Thawte to secure their communications and the user connections. This means the URL requires the HyperText Transfer Protocol Secure (HTTPS) prefix.

Application Streaming

Application streaming is another method of application virtualization. This method uses a sequencer that monitors how an application starts up. It records the different program modules as they load and monitors when the application becomes functional. The application is sequenced so the most functional blocks are loaded first and the application can be used. As the user requests additional features those blocks are streamed to the application.

When the application is sequenced, the streaming file is stored on a file server. The application is presented to the user through XenApp, a RemoteApp, or even from an Active Directory installation file. When the user clicks on the application, the file server is contacted and the application is streamed to the user’s computer or session for processing. When the user closes the application, all files are removed from the computer executing the application. Figure 5.13 shows the process for application streaming.

It is possible with this technology to check out an application if a user is going to be working offline. The checked out application will fully stream to the user’s desktop and will function as if installed for a preset period of time. After that time, the application will not start back up. When the user reconnects back to the network, the files created will be synchronized back to their file server and the application can be checked back in or renewed for checkout.

TEST DAY TIP Application streaming is a way to make applications portable. The streamed application runs in an isolated memory space and does not conflict with other applications loaded on the desktop. When the application is closed, there are no traces left on the client desktop.

FIGURE 5.13
Application Streaming

Both Microsoft and VMware offer an application streaming product. Microsoft App-V, formerly SoftGrid, allows applications to be streamed to both a terminal service environment and a traditional PC desktop. ThinApp from VMware lets an admin package an application so it can be run from a thumb drive or checked out to a physical or virtual desktop. Both types of application streaming present the application in an isolated environment and do not leave any residual traces on the client desktop. These can be very useful in deploying applications without actually doing an installation on a desktop. They both use the computing resources of the local desktop to run the application locally.

SUMMARY OF EXAM OBJECTIVES

In this chapter, we explored the following:

■ The purpose and application of virtualization technology: Using virtual technologies, we can rapidly deploy servers of different operating systems on common physical hardware. These VMs are fully functional and present themselves as physical servers to users and the outside world. We can leverage the flexibility of a virtual environment to deploy security servers alongside normal production servers. It is possible to create a complete data center in a box by using virtualization.

■ The benefits of virtualization: Leveraging virtual servers can reduce the overall number of physical servers that must be maintained in the data center. This reduces overall costs and decreases the cost of power, cooling, and rack space. All VMs on a hypervisor have the same virtual hardware, so they can be moved between physical servers without changes even if the physical servers are from different manufacturers or have different hardware. If a VM is compromised, it can be restored rapidly from a snapshot, as if the breach had never been there.

■ Each VM is isolated from the others and is isolated from the physical host. If a VM crashes, it does not affect the other running VMs. Using multiple NICs and managing the connections of the VMs, completely isolated environments can be quickly created.

■ There are four types of virtualization: hosted (requires an underlying operating system), binary translation (all system calls to hardware are translated by the hypervisor), paravirtualization (some system calls are passed directly to the hardware), and hardware assisted (specific system calls are interpreted by the virtualization instructions in the host CPU).

■ Using multicore processors can add more processing horsepower to our host server, but the limits of the hypervisor need to be accounted for if we are using more than four physical processors. Leveraging multiple network cards allows us to design complete infrastructures that can isolate virtual servers to create security zones or connect different VMs to different VLANs as the needs of the organization dictate.

■ Selecting the type of storage used in a virtual infrastructure can provide a means of high availability and motion for the VMs between physical servers. Selecting between local disks (DASD), SAN using either FC or iSCSI, or NAS connecting to the data network can provide a wide variety of solutions to the organization and meet almost all requirements and budgets.

■ System virtualization: VMs are actually just files that are read by the hypervisor. A VM consists basically of two files: a configuration file (contains all the virtual hardware settings of the VM) and a virtual hard disk file (contains the hard disk information and data for the VM). These files can be moved between physical hosts or used as a template to create additional VMs.

■ You can use third-party tools or sometimes tools provided by the hypervisor vendor to migrate current physical servers to a virtual environment. A repository of ISO image files for operating systems and applications can be created to be used for creating new VMs or adding applications to one or many virtual servers at the same time.

■ Most hypervisors have a management console that allows an administrator to perform basic functions of starting, stopping, or pausing VMs. From the console, the administrator can take a snapshot of a VM or change the virtual hardware setting to add or modify the virtual hardware. The administrator can also remove VMs when they are no longer needed.

■ Application virtualization: The virtualization of applications allows a user to access and run an application hosted on a server as if it were loaded locally on their desktop. Applications respond the same but are actually running on a server in a remote location. The permissions of the connection can be adjusted so that files cannot be saved to the local device or printed to unauthorized printers. When the user disconnects from the application, there is nothing left on the client desktop.

■ Applications being hosted can be accessed securely from outside the network and from untrusted clients by using a gateway device or software. These gateways will establish a secure connection using SSL certificates and may allow complete encryption from the client to the application server.

■ Application streaming is a method of application virtualization that sends only the necessary application modules for the user to begin working, while waiting for a request for the remaining modules. When a user exits the application, all traces of it are removed. This is a good method for deploying applications in an isolated environment where the streamed application may conflict with a locally loaded application. If a user needs the application in an offline mode, it can be checked out and will perform as if loaded locally. After the specified time expires, the application will no longer work. This is a good feature if a desktop or laptop is stolen or lost because all applications will cease to run and the data are not recoverable.

EXAM OBJECTIVES FAST TRACK

The Purpose of Virtualization

■ Virtualization increases the availability of enterprise resources in a highly available, secure manner. Servers, desktops, and applications can all be accessed using virtualization.

■ Application virtualization lowers cost by increasing the lifespan of user desktops. Application virtualization can allow older client devices to run current software by leveraging the server resources and only presenting the application to the user.

■ Increasing the portability of enterprise resources reduces costs and increases reliability. Server virtualization converts physical servers into files on a host server. These files can be transferred between physical hosts and are isolated from each other, so if a virtual server fails, it does not affect the other VMs.

Benefits of Virtualization

■ Virtualization of servers will increase the overall utilization of server resources. High performance servers support many VMs and different operating systems on the same physical host.

■ Virtualization of storage makes better use of resources among the physical hosts by eliminating silos of underutilized disk storage.

■ Virtualization of applications allows for lower powered desktops to run current applications by leveraging server resources.

■ Operating costs are lower because virtual servers use less power, network, and storage connections. They also produce less heat and require fewer physical servers and rack space.

System Virtualization

■ Server virtualization allows for multiple VMs to be run at the same time to maximize the utilization of the physical hardware resources.

■ VMs can have different operating systems all running at the same time.

■ A hypervisor is a thin layer of software that allows VMs to run on the same server.

■ The four types of hypervisor are hosted, binary translation, paravirtualization, and hardware assist.

Application Virtualization

■ Virtualized applications can be published or streamed.

■ Published applications use the power of the server’s resources to run the applications and merely present the screens to the user and accept the mouse and keyboard inputs.

■ Streamed applications can be run locally on the client desktop without being installed on the desktop. When the user closes the application, all traces disappear.

■ Streamed applications can be checked out so users can run them without being connected to the network.

■ Virtualized applications can be updated centrally for all users. When users access them the next time, the updated application is what will be presented.

EXAM OBJECTIVES FREQUENTLY ASKED QUESTIONS

Q: What kinds of servers can be virtualized?

A: Most servers running Windows or Linux can be virtualized. Each hypervisor has a specific list of all supported operating systems. The biggest challenge to virtualizing a server is the workload the server is performing. Servers with CPU, memory, or input/output (I/O) intensive workloads may not make good candidates for virtualization. Servers requiring peripherals like FAX boards or USB dongles may not be good candidates for virtual servers. Alternatives for some of these restrictions can usually be found. Typical good candidates are file and print servers, domain controllers, application servers, firewalls, management servers, proxy servers, Web servers, and remote access servers.

Q: Can VMs have different operating systems when running on the same physical host servers?

A: Yes, you can mix supported operating systems for VMs on the same physical host server. This is a key feature of virtualization and makes this technology a desirable choice for server consolidation and remote office deployments. It is also possible to run a mix of 64-bit and 32-bit operating systems on the same physical host as long as the host is loaded with a 64-bit hypervisor.

Q: What makes a good candidate for a VM?

A: Most servers are underutilized. These servers are the prime targets for virtualization. Servers used in test and development that must be rapidly deployed or easily recovered to a known state are good candidates. In the security world, all types of support servers for proxy, firewall, or intrusion detection are good choices. The ability of the physical host to support multiple NICs allows for segmentation of the network to fit almost any design.

Q: Is shared storage required for VMs?

A: Shared storage is not required for virtualization. It is desired if there is more than one physical host and a requirement for high availability or motion of the VMs between the hosts. Additional benefits are gained by using shared storage by eliminating unused storage islands of local disks.

Q: What type of shared storage is supported on a physical host?

A: Most hypervisors will support local disks and RAID controllers (DASD), SANs using either iSCSI or FC connections, or NAS using either NFS or NTFS connections. Each type has its own benefits and weaknesses. You should make sure your selected storage type is supported before purchasing a solution. Using hardware HBAs for FC and iSCSI will improve performance of the host servers and access to the shared storage.

Q: What are the benefits of a NIC team on the physical host?

A: Using a NIC team allows multiple network cards to be joined together to increase the bandwidth to the VMs attached to that team. The team can also be configured to be fault tolerant; in the event a NIC or switch port fails, the VMs will maintain their network connections.

Q: How can I tell if my physical server can support hardware assisted virtualization?

A: If you are running a modern processor from Intel or AMD, it is likely you have the hardware assisted features built into your processor. You can check the manufacturer Web site for your model, check the BIOS for an enable feature, or look for the AMD-V or Intel VT logos.

Q: What applications can be virtualized using Terminal Services or XenApp?

A: Almost any application that can be run locally on a server can be virtualized for users to access using Terminal Services or XenApp. This does not mean every application is capable, but as these technologies have evolved, the number of noncompliant applications has diminished. Most applications published using application virtualization are user applications and not server applications. Examples of user applications are Microsoft Office, Adobe Acrobat, or FrontRange GoldMine. These are applications that users access to perform their jobs every day. Server applications are the back-office applications like database servers or messaging servers. Users do not normally interact directly with this type of application. Once the application is virtualized, it can support multiple users and removes the processing of the application from the client device. User connections can be configured to use encryption and prevent access to local disk drives or printers to protect the data security.

Q: When would I need to use application streaming?

A: Application streaming is a useful feature if it is necessary to run two different versions of the same application on a client device. The application stream is running in an isolated environment and will not conflict with the other applications on the client device. Another good use is to deploy applications to roaming users. These users can check out an application and use it when disconnected from the network for a specified period of time. If they do not connect to the network to check in or renew their application checkout, the application will cease to function. If a laptop is lost or stolen, the application will only work for a short time before being rendered inoperable.

Q: How are virtual applications accessed securely over the Internet?

A: Both Terminal Services and XenApp have a gateway server that allows secure connection using SSL certificates. This allows users to connect over the Internet using any device and maintain a secure connection while not leaving anything behind on the client machine. The products have similar features, with differences that let you choose the one that fits your specific needs.

SELF TEST

1. You are the security administrator for Versa Corp. You have been assigned the task of creating a “honey pot” server on the company’s Internet DMZ. You have decided to use virtualization and a VM for this purpose. One of the best reasons for using a VM is

A. VMs run Windows only and cannot have security template applied to them

B. VMs can be rapidly restored when breached

C. VMs cannot join the production Active Directory

D. VMs are not vulnerable to viruses

2. Which is a benefit of virtualization?

A. Lower operating system costs

B. Reduced bandwidth requirements

C. Reduced hardware costs

D. Reduced need for backups

3. You are the security administrator for Versa Corp. You need to have three VMs running on HP DL380 servers. There are IBM x3350 servers also running the same hypervisor and processor family with available resources. You have moved your VMs to the IBM servers. What should you do to configure your VMs to run on the IBM servers?

A. Replace the network and RAID controller drivers on all the servers immediately after powering them up

B. Replace only the RAID controller drivers

C. Replace only the network drivers

D. Nothing

4. You are the security administrator for Versa Corp. You have been tasked with designing a single server solution for the remote branch offices. You must have in your solution:

A. A Linux-based firewall

B. A mail server in a DMZ

C. A domain controller

D. A file server

5. A VM is hosted on a server you are going to retire. The host server is not connected to a SAN but is connected to a network. You have access to the administrator account. You need to move it to another host. The fastest way to accomplish this task is to

A. Locate the VM configuration file and the virtual hard disk file; use Service Control Point (SCP) to copy these files to the new server

B. Locate the virtual disk file for the VM and use the backup solution to back up this file to tape; restore this file to the new server

C. Locate the configuration file for the VM and use the backup solution to back up this file to tape; restore the configuration file to the new server

D. Use SFTP to create a snapshot of the VM and copy it to the new server

6. You are the security administrator of Versa Corp. You have several “honey pot” virtual servers running on a physical host along with production virtual servers. You notice that one of them has been breached. You must move quickly to isolate this server. You need to maintain the server intact so it can be analyzed but must maintain the security of the organization. Which action will accomplish the required goals?

A. Immediately log on to the affected server and shut it down; once shutdown, make a copy of the virtual hard disk file and export it to your laptop for analysis

B. Immediately log on to the hypervisor console and disconnect the virtual network card; mount the ISO file for the analysis tools to the virtual DVD drive and install the analysis tools

C. Immediately shut down the physical host; disconnect all NICs from the physical host and load your security analysis tool to this server

D. Immediately log on to the affected server and shut it down; disconnect the virtual hard disk from the virtual server and mount it to another virtual server running the analysis tools

7. You are the security administrator of Versa Corp. You have recently noticed a lot of VMs on your physical hosts that are powered off or have not been accessed in over two weeks. You have decided to remove the powered down VMs. What is the best method of removing these VMs?

A. Use the console for your hypervisor and delete the VM and its associated virtual hard disk

B. Use the SAN console to remove the logical unit number (LUN) associated with each VM

C. Notify the owners of the VM that you are going to remove them from the physical server; remove the virtual hard drive but leave the virtual server configuration file in case they need the server again later

D. Use the hypervisor console to convert the VMs to templates in case they are needed again at a later date

8. You are the security administrator for Versa Corp. You have been asked to virtualize 10 security servers without altering their configurations. Your manager wants to retain the physical servers just in case there is a problem later. What is your best course of action to accomplish the assigned tasks?

A. Build new VMs on the physical host to match the security servers, and once loaded, you copy the data files from each of the original servers to the virtual servers; you leave the original servers online until the new servers are verified as working

B. You copy the disk drives of the original servers to the SAN; once completed you create new VMs and attach the data on the SAN to the VM; you shut down the original servers

C. You use a physical to virtual migration tool to copy the disk drives of the physical servers to the new VMs; once completed, you shut down the original server and power on the new virtual server

D. You create a new VM and use a bulk copy utility to copy all the data from the source servers to the new VMs; when complete, you leave the original servers online until the new servers are verified

9. You are the security administrator for Versa Corp. You have recently moved the virtual hard disk file for the virtual firewall to the D drive on your physical host. When you try to start the VM you receive the message, “The virtual hard disk cannot be found.” What action should you take to correct the problem?

A. Rename the virtual hard drive and try to restart the VM

B. Edit the boot.ini file of the VM to point to the D drive

C. Mount the virtual hard disk file to another VM and edit the /etc/hosts.allow file

D. Edit the VM configuration file to point the path of the virtual hard disk to the D drive

10. You are the security administrator for Versa Corp. Your manager has given you a new server to develop and test a new security design. You want to be able to test the performance and capabilities of both Windows- and Linux-based servers. You want to minimize the amount of time you spend building and rebuilding servers for testing. What is your best course of action to accomplish your goals?

A. Build a physical virtualization host server and create the necessary number of Windows and Linux VMs; configure each VM for your test; after the test, delete the VMs and recreate them for the next round of tests

B. Build a physical virtualization host server and create the necessary number of Windows and Linux VMs; take snapshots of each server; configure each VM for your test; after the test, restore the VMs using the snapshots before the next round of tests

C. Build a physical virtualization host server and create the necessary number of Windows and Linux VMs; configure each VM for your test; convert each configured VM to a template; after the test, use the templates to recreate the VMs for the next round of tests

D. Build a physical virtualization host server and create the necessary number of Windows and Linux VMs; configure each VM for your test; after the test, clone the VMs for the next round of tests

11. What is a benefit of application virtualization?

A. Applications are executed on the local clients instead of the application server

B. Applications are all Web based

C. Only Windows clients can access the published applications

D. Any device that can run the client can access the applications

12. You are the security administrator for Versa Corp. You have several executives who travel with laptops. Your internal application servers publish applications for all users and are maintained in a secure fashion. Your executives complain that they cannot run a necessary financial application while disconnected from the corporate network. These executives are rarely disconnected longer than 10 days at a time. What action can you perform to satisfy the executive request and still maintain security?

A. Enable the Terminal Services Gateway and allow the executives to connect remotely using RDP over HTTPS

B. Enable application streaming for the financial application and set a timeout on checked out applications for 2 weeks

C. Load the financial application on the executive laptops and set a group policy to enable encryption on the data files

D. Load the latest XenApp client and configure it to use the highest level of encryption when connecting to the application server

13. You are the security administrator for Versa Corp. The company has decided to terminate the leased line T-1 between branch offices and the home office. All users use virtualized applications running on a terminal server to perform their daily work. All user files are located near the application servers. Each branch office is connected to the Internet using either a DSL line or a cable connection. Which action will allow users to continue working with the least amount of effort and still maintain the company’s security policy?

A. Set up a Terminal Server Gateway with an SSL certificate; direct all users to connect using the URL of the gateway to access the application servers

B. Have users create an Internet Protocol Security (IPSEC) tunnel to the application servers to continue working

C. Have the users generate personal certificates and use them to access the firewall to gain access to the application servers

D. Have the users load and configure the VPN client software for your firewall; then create a VPN connection to access the application servers to continue working

14. You are the security administrator for Versa Corp. You have been asked to create 10 new VMs for a new development project. Each new VM needs to have identical resources and configurations. You have a physical host running a hypervisor and connected to a SAN. What is the best method for accomplishing this task?

A. Create a new VM and load and configure the operating system; take careful notes and configure each identically until you have all 10 VMs

B. Create a new VM and load and configure the operating system; clone this VM nine more times and apply system customizations to each new VM

C. Create a new VM and load and configure the operating system; copy the virtual hard drive to create the other nine servers

D. Create a new VM and load and configure the operating system; use the SAN features to replicate the LUN to create the remaining servers

15. You are the security administrator for Versa Corp. You currently have a physical host running a hypervisor. You have a VM running a firewall application. You have received a new version of the software and need to set it up and configure it with a minimum of disruption to the users. The best method to accomplish the task would be to

A. Create a new VM and load the operating system and the new firewall software; connect it to the Test network; configure the software to match the production firewall; when testing is complete, disconnect the virtual NIC on the production firewall from the Internet network and connect the new firewall to the Internet network

B. Create a new VM and load the operating system and the new firewall software; connect it to the Internet network; disconnect the virtual NIC on the production firewall from the Internet network and shut down the old firewall; configure the new firewall software

C. Load the new firewall software on the production firewall; configure the software

D. Create a snapshot of the production firewall; load the new firewall software on the production firewall; configure the software; if testing fails, you can reload the snapshot to restore the old configuration

SELF TEST QUICK ANSWER KEY

1. B

2. C

3. D

4. D

5. A

6. B

7. A

8. C

9. D

10. B

11. D

12. B

13. A

14. B

15. A