Anaheim 2013

Anaheim, CA | Wed, Jan 9 - Mon, Jan 14, 2013

SEC579: Virtualization and Private Cloud Security

One of today's most rapidly evolving and widely deployed technologies is server virtualization. Many organizations are already realizing the cost savings from implementing virtualized servers, and systems administrators love the ease of deployment and management for virtualized systems. There are even security benefits of virtualization - easier business continuity and disaster recovery, single points of control over multiple systems, role-based access, and additional auditing and logging capabilities for large infrastructures.

Server virtualization vulnerabilities

With these benefits comes a dark side, however. Virtualization technology is the focus of many new potential threats and exploits and presents new vulnerabilities that must be managed. In addition, there are a vast number of configuration options that security and system administrators need to understand, with an added layer of complexity that has to be managed by operations teams. Virtualization technologies also connect to network infrastructure and storage networks and require careful planning with regard to access controls, user permissions, and traditional security controls.

In addition, many organizations are evolving virtualized infrastructure into private clouds - internal shared services running on virtualized infrastructure. Security architecture, policies, and processes will need to adapt to work within a cloud infrastructure, as well, and there are many changes that security and operations teams will need to accommodate to ensure assets are protected.

Virtualization and private cloud security architecture and design

The class starts out with two days of architecture and security design for both virtualization and private cloud infrastructure. The entire gamut of components will be covered, ranging from hypervisor platforms and virtual networking to storage security and locking down the individual virtual machine files. We'll describe how to secure the management interfaces and servers, delve into Virtual Desktop Infrastructure (VDI), and go in-depth on what to consider when building a private cloud from existing virtualization architecture. Finally, we'll look at integrating virtual firewalls and intrusion detection systems into the new architecture for access control and network monitoring.

Vulnerability management, pen testing, and intrusion detection

The next two days we'll go into detail on offense and defense - how can we assess virtualized environments using scanning and pen testing tools and techniques, and how do things change when we move to a cloud model? We'll cover a variety of scanners and vulnerability management tools and practices, and then take a hard look at virtualization vulnerabilities, exploits, and toolkits for pen testing that we can put to use in class.

Once we cover the offense, we'll take the opposite approach and go into detail on performing intrusion detection and logging within the virtual environment, as well as covering anti-malware advances and changes within virtual infrastructure. We'll wrap up the session with coverage of incident handling within virtual and cloud environments, as well as adapting forensics processes and tools to ensure we can maintain chain-of-custody and perform detailed analysis of virtualized assets.

Virtualization infrastructure, policy, and auditing

During day 5, we will help you adapt your existing security policies and practices to the new virtualized or cloud-based infrastructure. We'll show you how to design a foundational risk assessment program and then build on this with policies, governance, and compliance considerations within your environment. We'll cover auditing and assessment of your virtualized assets, with a session on scripting that will help you put this into practice right away. Then we'll go in-depth into data security within a private cloud environment, discussing encryption and data lifecycle management techniques that will help you keep up with data that is much more mobile than ever before. Identity and Access Management (IAM) within a virtualized/cloud environment will be touched on, and we'll wrap up with a thorough session on disaster recovery and business continuity planning that leverages and benefits from virtualization and cloud-based technology.

On day 6, we'll cover the top virtualization configuration and hardening guides from DISA, CIS, Microsoft, and VMware, and talk about the most important and critical things to take away from these to implement. We culminate with data security and encryption, Identity and Access Management (IAM), and Disaster Recovery (DR) and Business Continuity Planning (BCP).

Notice:

*For SEC579 Virtualization and Private Cloud Security courses conducted in the United States, a Laptop will be provided for class use. However, for International events, Onsite Classes, and Online Students, a Hard Drive will be provided for class use.

Course Syllabus

SEC579.1: Virtualization Security Architecture and Design
Instructor: Paul A. Henry
Wed Jan 9th, 2013, 9:00 AM - 5:00 PM

Overview

The first day of class will cover the foundations of virtualization infrastructure and different technology types. We'll define and clarify the differences between server virtualization, desktop virtualization, application virtualization, and storage virtualization, and we'll lay out a simple architecture overview that sets the stage for the rest of the day. Then we'll start dissecting the various virtualization elements that comprise the architecture one-by-one, with a focus on the security configurations that will help you create or revise your virtualization design to be as secure as possible. We'll start off with hypervisor platforms, covering the fundamental controls that can and should be set within VMware ESX and ESXi, Microsoft Hyper-V, and Citrix XenServer.

Then students will spend considerable time analyzing and constructing virtual networks with security in mind. We'll compare and contrast various designs for internal networks and DMZs, with special attention paid to segmentation and physical network connectivity. Virtual switch types will be discussed, along with VLANs and PVLANs, and how to configure these for the most robust network security possible. We'll finish the day with two additional sections. The first will cover virtual machine settings, with an emphasis on VMware VMX files. We'll look at some options organizations have to carefully control access to and from these VMs, and this will lead to the last section of the day - storage and storage security. One of the most overlooked security areas today, large-scale storage plays a critical role in virtualization and private cloud infrastructure, and some tips and tactics will be covered that help organizations to better secure Fibre Channel, iSCSI, and NFS-based NAS technology.

CPE/CMU Credits: 6

Topics

  • Virtualization components and architecture designs
  • Different types of virtualization, ranging from desktops to servers and applications
  • Hypervisor lockdown controls for VMware, Microsoft Hyper-V, and Citrix Xen
  • Virtual network design cases with pros and cons of each
  • Virtual switches and port groups, with security options available
  • Commercial and open-source virtual switches available, with configuration options
  • Segmentation techniques, including VLANs and PVLANs
  • Virtual machine (VM) security configuration options, with a focus on VMware VMX files
  • Storage security and design considerations

 
  SEC579.2: Virtualization and Private Cloud Infrastructure Security Paul A. Henry Thu Jan 10th, 2013
9:00 AM - 5:00 PM

Overview

Day 2 finishes the previous day's coverage of virtualization design elements, starting with virtualization management. VMware vCenter, Microsoft System Center Virtual Machine Manager (SCVMM), and Citrix XenCenter will all be covered, with an emphasis on vCenter. Client connectivity and security will also be discussed, both from a configuration and design standpoint. Next, Virtual Desktop Infrastructure (VDI) will be covered, with emphasis on security principles and design. Specific security-focused use cases for VDI, such as remote access and network access control, will also be mentioned.

Next, we'll design a secure private cloud architecture! There are many considerations for organizations migrating from virtualization to a private cloud, and a number of these affect security. We'll outline all the areas previously covered for virtualization, ranging from networks to hypervisors to virtual machines, and point out where security configuration and design differs for a cloud model. We'll also break down a number of different private cloud models for specific business use cases, and students will analyze security controls within these models.

The next section on Day 2 will delve into network security, adapted to fit into a virtual infrastructure. Do firewalls and network access controls work the same with virtual systems and cloud models? We'll find out! Students will take an in-depth look at virtual firewalls and will even set one up. Virtual switches will be revisited here, as they pertain to segmentation and access controls. Students will also build a virtualized intrusion detection model, integrating promiscuous interfaces and traffic capture methods into virtual networks, and then setting up and configuring a virtualized IDS sensor. Some attention will also be paid to host-based IDS, with considerations for multitenant platforms and the performance impact any agent-based product can have in a virtual environment.

CPE/CMU Credits: 6

Topics

  • How to lock down management servers and clients for vCenter, XenServer, and Microsoft SCVMM
  • Security design considerations for Virtual Desktop Infrastructure (VDI)
  • Security-focused use cases for VDI
  • Private cloud security architecture
  • Configuration options for securing private cloud components
  • Specific private cloud models, and how security applies to each of them
  • Virtual firewalls and network access controls
  • Commercial and open-source virtual firewalls
  • Designing intrusion detection for virtual environments and the private cloud
  • Setting up promiscuous interfaces and traffic capture in a virtual environment
  • Host-based IDS/IPS for virtualization

 
  SEC579.3: Virtualization Offense and Defense (Part I) Paul A. Henry Fri Jan 11th, 2013
9:00 AM - 5:00 PM

Overview

In this session, we'll delve into the offensive side of security specific to virtualization and cloud technologies. While many key elements of vulnerability management and penetration testing are similar to traditional environments, there are many differences that we will cover.

First, we'll cover a number of specific attack scenarios and models that represent the different risks organizations face in their virtual environments. Then we'll go through the entire penetration testing and vulnerability assessment lifecycle, with an emphasis on virtualization tools and technologies. We'll progress through scanners and how to use them for assessing virtual systems, as well as virtualization exploits and attack toolkits that can be easily added into existing pen test regimens. We'll also cover some specific techniques that may help in cloud environments and provide examples of scenarios where certain tools and exploits are less effective or more risky to use than others.

After covering the offensive side of things, we'll turn to intrusion detection, starting with a simple architecture refresher on how IDS and monitoring technologies fit into a virtual infrastructure. Students will then learn about monitoring traffic and looking for malicious activity within the virtual network, and numerous network-based and host-based tools will be covered and implemented in class. This topic will also be extended to the private cloud environment, with some special caveats that all organizations should pay attention to.

Finally, students will learn about logs and log management in virtual environments. What kinds of logs do virtualization platforms produce, and what should organizations focus on? How can these logs (for both hypervisors and VMs) fit into a Security Information and Event Management (SIEM) solution? What should we look for to find attacks and security issues? We'll cover all this, and more, in this session.

CPE/CMU Credits: 6

Topics

  • Attack models that pertain to virtualization and cloud environments
  • Pen testing cycles with a focus on virtualization and cloud attack types
  • Specific virtualization platform attacks and exploits
  • How to modify vulnerability management processes and scanning configuration to get the best results in virtualized environments
  • How to use attack frameworks like VASTO (Virtualization Assessment Toolkit) to exploit virtualization systems
  • How to implement intrusion detection tools and processes in a virtual environment
  • What kinds of logs and logging are most critical for identifying attacks and live incidents in virtual and cloud environments

 
  SEC579.4: Virtualization Offense and Defense (Part II) Paul A. Henry Sat Jan 12th, 2013
9:00 AM - 5:00 PM

Overview

This session is all about defense! We'll start off with an analysis on anti-malware techniques. We'll look at traditional antivirus, whitelisting, and other tools and techniques for combating malware, with a specific eye toward virtualization and cloud environments. New commercial offerings in this area will also be discussed to provide context, as well.

The majority of this session will focus on incident response and forensics in a virtualized or cloud-based infrastructure. We'll walk students through the 6-step incident response cycle espoused by NIST and SANS, and highlight exactly how virtualization fits into the "big picture." Students will discuss and analyze incidents at each stage, again with a focus on virtualization and cloud. We'll finish the incident response section with processes and procedures organizations can put to use right away to improve their awareness of virtualization-based incidents.

The final section of the day will focus on forensics, and how students can adapt forensics processes to work in virtual and cloud environments. We'll capture and duplicate VMs, and ensure these VMs are sound and maintained in a "best practices" format for proper chain-of-custody retention. The current landscape of forensics tools will be covered, with a focus on which work best to analyze virtual images and data from virtual infrastructure. A special focus will be given to the analysis of hypervisor platforms, as well.

CPE/CMU Credits: 6

Topics

  • How anti-malware tools function in virtual and cloud environments
  • What kinds of new tools and tactics are available for effective anti-malware operations in the cloud and virtual machines
  • How the 6-step incident response process can be modified and adapted to work with virtual infrastructure
  • What kinds of incidents to look for within virtual environments, and what the warning signs are
  • Processes and procedures to build and grow incident response capabilities for virtual environments
  • How forensics processes and tools should be used and adapted for virtual systems
  • What tools are best to get the most accurate results from virtual machine system analysis
  • How to most effectively capture virtual machines for forensic evidence analysis
  • What can be done to analyze hypervisor platforms, and what the future of VM forensics holds

 
  SEC579.5: Virtualization and Cloud Integration: Policy, Operations, and Compliance Paul A. Henry Sun Jan 13th, 2013
9:00 AM - 5:00 PM

Overview

This session will explore how traditional security and IT operations change with the addition of virtualization and cloud technology in the environment. Our first discussion will be a lesson on contrast! First, we'll present an overview of integrating existing security into virtualization. Then, we'll take a vastly different approach, and outline how virtualization actually creates new security capabilities and functions! This will really provide a solid grounding for students to understand just what a paradigm shift virtualization is, and how security can benefit from it, while still needing to adapt in many ways.

Our first step in integrating virtualization into the existing environment will be to lay out a sound risk assessment process that security professionals can use to determine where the threats, vulnerabilities, and impacts are. With virtualization and cloud technologies, risk profiles are very different, and security teams will need to evaluate technology and infrastructure differently in order to adequately advise the business where to focus and how to allocate resources to best protect itself. Cloud technologies will receive a more in-depth treatment as well, with a description of the Jericho Forum Cloud Cube model and how it can be leveraged by organizations to assess risk for their internal clouds.

We'll then spend some time on policy and governance for both virtualization and cloud technologies. What kinds of new policies are needed? What existing policies need to be updated? We'll cover that! We'll also provide guidance for information security managers who need to answer some tough questions from organizational leadership about how and why cloud and virtualization security measures should be implemented.

Next we'll dive into change and configuration management tactics and processes for virtualization and cloud. These are critical elements of a sound operations strategy with these technologies, but most organizations do not update existing change and configuration processes substantially to accommodate them! There are many pieces to this, ranging from patching to application development specifics, and we'll touch on all of them. We'll wrap up the day with some general compliance guidelines that address specific controls needed for some of the major compliance mandates, including PCI DSS, HIPAA, and SOX.

CPE/CMU Credits: 6

Topics

  • How security can adapt to accommodate virtualization infrastructure
  • How virtualization tools and technology can augment and facilitate security!
  • A simple, bulletproof risk assessment strategy for virtualization and private cloud environments
  • Threats, vulnerabilities, and impacts to consider when evaluating virtualization and private cloud technologies
  • New and updated policies needed for virtualization and cloud environments
  • Service Level Agreements (SLAs) and performance considerations for cloud operations
  • Governance models for private clouds
  • Patch and configuration management processes and techniques for virtualization and cloud
  • Change management, and how it needs to change to accommodate virtualization
  • Compliance mandates, and how you can institute controls in both virtualization and cloud infrastructure to satisfy requirements

 
  SEC579.6: Confidentiality, Integrity, and Availability with Virtualization and Cloud Paul A. Henry Mon Jan 14th, 2013
9:00 AM - 5:00 PM

Overview

Today's session will start off with a lively discussion on virtualization assessment and audit. You may be asking - how will you possibly make a discussion on auditing lively? Trust us! We'll cover the top virtualization configuration and hardening guides from DISA, CIS, Microsoft, and VMware, and talk about the most important and critical things to take away from these to implement. We'll really put our money where our mouth is next - students will learn to implement audit and assessment techniques by scripting with the VI CLI, as well as some PowerShell and general shell scripting! Although not intended to be an in-depth class on scripting, some key techniques and ready-made scripts will be discussed to get students prepared for implementing these principles in their environments as soon as they get back to work.

Next we'll cover two critical topics for private cloud implementations (and virtual machines in general): data security and encryption, and Identity and Access Management (IAM). As organizations have more and more mobile VMs moving through their data centers and as they extend private clouds to cloud providers, partners, and others, the need to protect the entire VM is more important than ever.

Encryption techniques and data lifecycle processes can help improve the security of virtual and cloud environments enormously, and we'll delve into the key things security and operations teams need to know, including PKI infrastructure, commercial tools for implementing data protection, and a method for evaluating and updating data lifecycle management policies and processes that's easy to implement. Identity and Access Management (IAM) is a key component of many cloud infrastructures, especially those that need to integrate with partners and other external parties. We'll take a look at the key things organizations need to know when implementing and evaluating IAM tools and capabilities in private clouds.

The last major section of this day's session will cover something critical to all enterprises - Disaster Recovery (DR) and Business Continuity Planning (BCP). Virtualization and cloud technology and architecture can help organizations implement much more robust DR and BCP strategies, and we'll go into some real depth on what tools are available to help with this. In addition, students will learn about updates they'll need to make to policies and evaluation techniques for DR and BCP that more accurately take the new virtualized infrastructure into account.

CPE/CMU Credits: 6

Topics

  • Assessment and audit plans for virtualization and private cloud components
  • Key configuration controls from the leading hardening guides from DISA, CIS, VMware, and Microsoft
  • Scripting techniques in VI CLI and PowerShell for automating audit and assessment processes
  • Sample scripts that help implement key audit functions
  • Encryption tools and techniques for securing mobile VMs
  • Data lifecycle policies and processes to ensure VMs and their data are monitored and updated
  • Identity and Access Management (IAM) fundamentals for private clouds
  • In-depth DR and BCP processes and capabilities that virtualization and private clouds can augment

 
Additional Information
 
  Laptop Required

Laptops for SEC579 lab exercises will be provided for students to use during class.* Students will be given CDs with labs loaded to take home after class.

*For SEC579 Virtualization and Private Cloud Security courses conducted in the United States, a laptop will be provided for class use. However, for International events and Onsite Classes, a Hard Drive will be provided for class use.

For those classes where students are required to provide their own laptop, students will need a laptop with:

  • 250 GB hard drive (with a minimum of 100 GB of free space)
  • Windows Vista/7
  • 64-bit OS required
  • VMware Workstation 7 or above
  • Optical drive to read the DVDs
  • 8 GB RAM or more
  • Intel i5/i7 or equivalent processor
  • Also, be sure to use Intel's CPU Processor Identification utility to verify VT-x support in your chipset.
  • Students must be able to disable AV, firewall, and any media/USB protections.

All OnDemand and Self Study students only: You will receive access to VMware software and licenses for performing the labs in this course.

Please see your event description for more details.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend

  • Security personnel who are tasked with securing virtualization and private cloud infrastructure.
  • Network and systems administrators who need to understand how to architect, secure, and maintain virtualization and cloud technologies.
  • Technical auditors and consultants who need to gain a deeper understanding of VMware virtualization from a security and compliance perspective.

 
  What You Will Receive

All OnDemand and Self Study students only: You will receive access to VMware software and licenses for performing the labs in this course.

 
  You Will Be Able To
  • Lock down and maintain a secure configuration for all components of a virtualization environment
  • Design a secure virtual network architecture
  • Evaluate virtual firewalls, intrusion detection and prevention systems, and other security infrastructure
  • Evaluate security for private cloud environments
  • Perform vulnerability assessments and pen tests in virtual and private cloud environments, and acquire forensic evidence
  • Perform audits and risk assessments within a virtual or private cloud environment