CompTIA CYSA+ CS0-002 – Network Architecture and Segmentation Part 3

5. Virtualization (OBJ 2.1)

Virtualization. In this lesson we’re going to talk a little bit about virtualization. Now, I’m not going to go and rehash everything you learned in a plus or security plus about virtualization. I assume you already remember that. But I’m going to cover some of the highlights and then we’re going to talk about two specific types of virtualization. First, what is virtualization? This is a review. Virtualization is a host computer that’s installed with a hypervisor that can be used to install, install and manage multiple guest operating systems or virtual machines known as VMs. Now, what does this look like? Essentially, you have a piece of hardware that’s called the bare bones and then you install some sort of virtualization on it that would be called a hypervisor.

Now, that hypervisor can be either a barebones hypervisor or it can be an operating system with a hypervisor running on top of the operating system. For instance, on my laptop I have a MacBook. On that MacBook, I have the Mac operating system. And on that Mac operating system I have a hypervisor known as VMware that I can actually run Windows inside of that as a virtual machine. Now, as part of that hypervisor virtualization, I can then install the guest operating system shown here in yellow and then any applications I want. So on my particular system, even though I’m running a Mac system, I have one virtual machine with an operating system that’s Windows Ten and another one that’s running Ubuntu Linux.

And that way I have access to all three operating systems for whichever programs I need or whatever demonstrations I’m trying to do for my students. Now, when we talk about virtualization in this lesson, we’re going to focus on two main areas. We’re going to talk about VDI, which is virtual desktop infrastructure and we’re going to talk about containerization and how both of these affect you as a cybersecurity analyst. When we talk about VDI, this is virtual desktop infrastructure. This is a virtualization implementation that separates the personal computing environment from a user’s physical computer. So I have a Windows Ten machine that I can access and it’s actually part of a VDI network.

So when I want to use it, I will log into a piece of software on my Mac. It will reach out to the cloud and I will connect to that Windows Ten machine and then I have control over that virtual image that’s in the cloud being run. They have all the operating system, the applications and everything I need. And every time I try to run a command, it processes it on that cloud server. It doesn’t process it on my local machine. My local machine is just a dummy box to connect to it. And that’s the idea of VDI. So as you can see, you can have VDI on lots of different things. You can have it on a desktop, a laptop, a phone, a tablet. It doesn’t really matter because the device is just there to connect to the server and then run that virtual image which is being processed, all that data on the server.

Now, again, as I’ve been saying, the server is going to perform all the application processing and the data storage. So you can use a Chromebook, a MacBook, a Windows machine, it doesn’t matter because whatever that VDI environment is, that’s what you’re actually connecting to and that’s what’s actually processing the application for you. Now, a lot of companies can completely offload their entire It infrastructure by using third party services, by using this VDI concept. And so it’s a really tempting thing for CIOs to do because I don’t have to run the operating systems anymore.I don’t have to worry about patching them because my third party provider can do it all for me. That’s one of the big benefits of VDI and one of the main selling features.

Now, one of the bad things about it though, the big disadvantage of VDI is that users have no local processing ability. So if the server is down or the network is down or the connectivity is down, you can’t do any work. And so if there’s an outage on that server, everyone’s down. Whereas right now I’m sitting on my laptop and if my Internet connection went out I could still do work. But in VDI I couldn’t because if my network connection is down, I can’t reach the server. So these are the things you have to think about. Now, the next area we’re going to talk about is containerization and this is much more focused on servers. Instead of the end user, we talk about VDI, it’s really focused on your end users right when we talk about containerization.

This is a type of virtualization that’s applied by a host operating system to provision an isolated execution environment for an application. And a lot of people use these because they’re fairly secure. The nice thing about doing containers is that containers will enforce resource separation at the operating system level. So what this really looks like is you have a piece of hardware and then on top of that hardware you have some host OS and then you have a container manager, something like Kubernetes or Docker or something like that. And then it has these different containers that can be created. In this case I have three containers. I have the first environment which is based on the kernel of the host OS. So this is a Linux system and so in this case, container one is running Linux and it can run some applications there.

Now container two can do the same thing. Container three can do the same thing because we’re all sharing the same host operating system. This takes a lot less resources than doing pure virtualization using virtual machines because each virtual machine needs its own operating system, which could be eight or 10GB each. Here we’re all sharing the same operating system so it uses a lot less storage and a lot less processing power. This is the real benefit of using something like a container now, because these containers are logically isolated, they can’t actually interface with each other. If I wanted those two containers to talk, I actually would have to connect them through a virtual network and do the right routing and switching to allow them to talk because by default they have no way of talking to each other.

That’s a great thing for security. But here’s your big warning when you’re dealing with containers. If an attacker compromises that host OS underneath that Linux operating system, for instance, guess what? That means? They have access to all the containers as well. And so this is one of the big vulnerabilities. I can have a container system that’s running 50 different servers right now because I’m running all these different servers and services using containers. But if somebody gets that one server that’s underneath, they now have access to all 50. This is the things you have to weigh when you start figuring out, am I going to virtualize? Am I going to use VDI? Am I going to use containers? What is the risk versus reward? There’s a balancing act here. It’s a business decision and it’s a cybersecurity decision. And so you have to measure these things to decide what is the best thing for you.

6. Virtualized Infrastructure (OBJ 2.1)

Virtualized infrastructure. In the last lesson, we started talking about virtualization and in this lesson, I want to dig a little bit deeper and talk about three main areas. We’re going to talk about virtual hosts, virtual networks and management interfaces. Now, when I talk about virtual hosts, this is a virtualized computer that allows the installation and configuration of its own operating system. I mentioned that I have a MacBook Pro here and I have Windows running inside a virtualized environment. So when I use something like VMware, it gives me all the virtual hardware I need. So a virtual host, like a physical host, has to be patched and hardened because when I install Windows Ten in there, it now is vulnerable to all the things that Windows Ten is vulnerable to.

So I have to make sure I keep up to date with my patches. I need to make sure I have the right configurations and hardening and then I can create a good image of that and that becomes my image moving forward for all of my virtual hosts. Now, the great, great thing about this is it makes it really easy to deploy new hosts. The bad thing about that is that can lead to VM sprawl. Now, what is VM sprawl? Well, this is an expansion of VMs being provisioned without proper change control procedures. Again, because it’s really easy and quick to remove and replace a virtual machine. A lot of times people will replace virtual machines, but they’ll never turn off the old ones. And so you might have 50 that are approved. And now you look up another day and you’ve got 60 or 70 or 80.

I’ve seen some networks where there are hundreds and thousands of these virtual machines all over the place and nobody really realizes they’re there. Now, all of those are now expanding your attack surface because those are all machines that have an operating system that may be communicating with the outside world. So you need to keep track of all this stuff because it is something that is a big vulnerability for you. Now, when you start dealing with security fixes, one of the things you have to realize is there’s actually two places you have to focus on. There’s the operating system and the applications at the top layer within the virtual machines and within those virtual hosts. Those all have to be patched and hardened, but so does the physical hardware and firmware and the hypervisor that’s running all of this stuff.

So if you’re using something like VMware’s ESXi, there are versions of that that is essentially software. And so you need to make sure you’re running a good version that is secure and hardened. These are all the different things you have to think about when you’re dealing with virtualization. It’s a lot more complex than just having one physical machine because after all, I can have an ESXi server and it’s a small little box server that’s maybe a one U unit. That one U unit might have eight or ten or twelve different servers running on it. And because of that, those are all different hosts that are virtualized inside the one physical server. That’s ten or twelve or 15 different things that I have to patch in addition to the physical server server.

So you have to keep track of that as you’re going through and doing your patch management and make sure that when you’re doing your vulnerability scans, you’re keeping that stuff into the scope as well. Now, the next thing we want to talk about is virtual networks because if you have hosts you need to connect them some way. Well, a virtual network takes those virtual hosts and interconnects them using virtual switches, routers and other virtualized networking equipment as part of your hypervisor. Now again, these virtual networks are created with code. It’s just software and so there can be bugs in the code, there can be security holes in the code and that’s things you have to think about as well.

Now, when you start taking your virtual hosts and you put them on different systems and you want to start connecting them, you need to be careful here and you need to figure out how you’re going to map these. Virtual hosts to the physical hardware because you want to make sure you don’t expose data or system access to different risks that could be associated with it. Now, what am I really saying here? Let’s say I have this one server that’s going to run all my virtualization for me. Now, do I want to put on my internal network virtualized servers in there like my Active Directory and my external network or DMZ stuff like web servers and email? No, I want to keep those on two physically different servers. So I might have two servers that I’m going to have.

One for my internal network and one for my DMZ and then I can have virtualized servers inside of those servers in those zones. So if you have them all on the same computer, there is a risk that there could be cross contamination. There’s not supposed to be. But again, bad things happen. There’s things like VM escapes and there’s things like hackers who can get into the hypervisor and go from one machine to another. And if they can do that, that’s going to put your data and systems at risk. Now, one more warning I have here in terms of virtual networking, when you’re thinking about your virtual switches that are part of your hypervisor, these don’t always behave like physical switches. They often will fail and they might not be able to isolate the traffic adequately between your different virtual hosts that are sitting on that hypervisor.

So if you’re worried about that, which a lot of companies are, you can actually take that information and switch it out to physical hardware by connecting each virtual machine to a dedicated network interface card. Now, if you don’t have enough network interface cards, that’s when you’re going to have to start relying on some of those virtual networking. And you’re going to have to do your due diligence to figure out which company and which software is the best for that. Now, the last thing we want to talk about here is management interface. Now, the management interface is the management application that’s located either on the physical host that runs the virtual machine or on a centralized platform that can oversee that virtual machine and many others across your network.

Now, this is a great way of doing things and it can make your life really easy as a system administrator because you have one platform in a centralized location that accesses all of your virtual machines, that’s great. But again, that’s a risk and you need to make sure you’re protecting it because if somebody gets access to that one area, they now have access to all of your virtual machines. So you need to keep that in mind as well. One of the ways you can do this is you can utilize a separation of duties. You can do this by having different administrators for the hypervisor who manages the management interface and one for the different servers and hosts that are being run as virtual machines.

So you can have two teams, the virtualization team and the system administration team. The virtualization team is responsible for the servers and the hypervisor and patching those things. The server team, on the other hand, the system administrators are going to be responsible for all of the virtualized servers that are being run on top of those hypervisors. And so that’s a good way of separating out the duties and be able to make sure that one person doesn’t have too much control over everything. Finally, you want to make sure you’re monitoring the host platform itself and you want to make sure it’s not suffering from resource exhaustion because it’s really easy for us to spin up a new virtual machine.

But if we spin up too many virtual machines, all of those virtual machines take processor, they take storage, they take memory, and the physical server that’s hosting them is going to eventually run out of all of that. So if I have a big server that has say, 64GB of Ram and I give each of my servers 4GB of Ram m, how many servers can I put on there? I can only put on 16 servers, right? Because I would run out of memory otherwise. So if I put on 20 servers, I now have too many servers for the amount of Ram I have. And so this is one of the things you have to monitor and keep track of because otherwise you could inadvertently cause a denial of service.

• Category: Uncategorized