Download - Cloud Security Alliance

More documents

Recommendations

Info

CLOUD SECURITY ALLIANCE SecaaS Implementation Guidance, Category 6: Intrusion ManagementFigure 4: Hypervisor IntegrationThis type of integration allows inspection/blocking of guest events, offline VMs and “on-demand” and “onaccess”scanning of virtual disksAdvantages:Easy deploymentInterception of VM-to-VM communicationInterception of guest operationsAllows inspection of offline VMsUsage of additional configuration and status informationDisadvantages:A software instance cannot use hardware support (ASICs) like today’s dedicated IPS appliancesHigh load on the IPS modules will impact virtual machines or the host performanceIf the hypervisor is compromised, the IPS cannot be trusted4.1.4.2 Protecting the Virtualization LayerThe next level of protection is maintaining integrity of the hypervisor itself which is actually the foundation of alltrust in the previously described technologies.© Copyright 2012, Cloud Security Alliance. All rights reserved. 26
CLOUD SECURITY ALLIANCE SecaaS Implementation Guidance, Category 6: Intrusion ManagementOne approach is to work on the physical memory of your cloud environment and extract data from thehypervisor memory, define data sets, generate hash values (for data sets that should stay static), compile hashesinto an inspection engine and scan your container (for any unknown code running).Hypervisors should be monitored and protected as follows:• Monitor hypervisor login failures and successes• Perform real-time monitoring of hypervisor files and configuration settings• Identify and alert when administrators connect to the virtualization system• Protect against insider abuse and external attacks using granular policy-based controls. Forexample:o Perform intrusion detection and log inspection across management componentso Restrict inbound and outbound port access to trusted programso Deescalate user privileges to prevent tampering of virtual hosts or virtual machines4.1.5 Client-Based DetectionIf detection and filtering are done within the guest OS (either kernel modules of the OS vendor, or third-partymodules using an OS API), try to identify and prevent an intrusion by inspecting and filtering certain events,(function calls, packets, write/read to memory, etc.).Advantages:Figure 5: IM within the Guest OSEasy deploymentInterception of VM-VM communication© Copyright 2012, Cloud Security Alliance. All rights reserved. 27
Page 1 and 2: SecaaS Implementation GuidanceCateg
Page 3 and 4: CLOUD SECURITY ALLIANCE SecaaS Impl
Page 25: CLOUD SECURITY ALLIANCE SecaaS Impl
Page 33: CLOUD SECURITY ALLIANCE SecaaS Impl

Download - Cloud Security Alliance

Create successful ePaper yourself

Delete template?

Save as template?