Chap 10 - 01 - Understand Virt Essential Concepts and OS Virt Security - 03_ocred.pdf

Full Transcript


Certified Cybersecurity Technician Virtualization and Cloud Computing Exam 212-82

Virtual Desktop Infrastructure (VDI)

- Virtual desktop infrastructure (VDI) is a virtualization solution in which the desktop OSes of an organization are provisioned and operated at a data center, and images with virtual desktop resources are sent to the end devices
- The connections to the virtual desktops from the clients are initiated through a specialized device/software known as a connection broker

[Slide diagram: end devices (laptop, mobile phone) -> connection broker software -> hypervisor hosting virtual desktop instances]

Virtual Desktop Infrastructure (VDI)

Virtual desktop infrastructure (VDI) is a virtualization solution in which the desktop operating systems of an organization are provisioned and operated in a data center, and images with the virtual desktop resources are sent to the end nodes. The end node can be a laptop, mobile device, thin client, or traditional PC. VDI helps users connect with a virtual OS and applications in a flexible manner, and it provides an experience similar to that of operating within the local environment. If employees work from remote locations and suffer from a weak signal or the lack of a hardwired Internet connection, the use of VDI on devices acting as thin clients is more feasible for remote data access. Upon being turned on, the thin client loads and runs minimal code to initialize the peripherals and enable clients to sign in to the virtual instances on the organization's server. These thin clients should determine the valid image and use effective authentication methods for secure connections. The connections to virtual desktops from clients are initiated through a specialized device/software known as a connection broker.
VDI can also be used as a security solution for addressing various threats that arise from policies such as BYOD, and it further prevents sensitive data from being stored on the endpoint device.

Module 10 Page 1251 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

[Figure 10.4: Virtual desktop infrastructure (VDI). End devices (laptop, thin client, mobile phone) connect through connection broker software to virtual desktop instances running on a hypervisor]

Virtual desktops can be deployed in persistent and non-persistent ways.

- Persistent VDI: In this type of VDI, the user receives a prearranged permanent VDI resource at each sign-in. This type of instance has a 1:1 ratio of users to images, which implies that every user holds their own image.
- Non-persistent VDI: In this type of VDI, a new image is generated at each sign-in. This type of instance has a many:1 ratio of users to images, which implies that multiple users can share a single image.

Although VDI enables users to simplify their work and secure the organization's data, it has various security risks. Attackers can target the endpoint devices and infect them with malware by leveraging third-party applications or software to access the organization's sensitive data. As clients cannot perform local processing in VDI, network or server failures can increase the service outage time.

OS Virtualization Security and Concerns
OS Virtualization Security and Concerns

In OS virtualization, the host operating system's kernel is virtually replicated in multiple instances of isolated user space, called containers, software containers, or virtualization engines, thereby lending (virtualized) operating system functionality to each container. A container is widely used for encapsulating an application and its dependencies in its own environment; it runs in isolation from other containers and applications while utilizing the same resources and operating system. This section discusses vulnerabilities, attacks, and security challenges associated with containers. The section also explains vulnerabilities, attacks, and security challenges associated with Docker and Kubernetes, which are widely used for developing, packaging, running, and managing applications and all their dependencies in the form of containers. This section also discusses serverless computing concepts along with best practices for serverless security.
Container

- Virtualization based on an operating system, in which the kernel's operating system functionality is replicated on multiple instances of isolated user space, called containers, software containers or virtualization engines
- Containers as a service (CaaS) includes the virtualization of containers and container management through orchestrators
- Using CaaS, subscribers can develop rich, scalable containerized applications through the cloud or on-site data centers

[Slide diagram: Container Engine (managed environment for deploying containerized applications); Container Orchestration (an automated process of managing the lifecycles of software containers and their dynamic environment); orchestration software: Docker Swarm, OpenShift, Kubernetes]

Container

Containers (also called software containers or virtualization engines) refer to virtualization based on an operating system, in which the kernel's operating system functionality is replicated on multiple instances of isolated user space. This can be used, for example, in a virtual hosting environment that requires segmentation of the physical resources among multiple users to enable each user to have their own virtual space. Containers help to manage the users and their respective resources while keeping them isolated. The containers are monitored and managed by the administrator, who has full admin rights to all the containers. Many virtualization problems are effectively resolved with containerization. In containerization, although each user space instance runs in isolation, resources are not wasted, since the actual operating system runs independently of the containers. A container encapsulates an application and its dependencies in its own environment while utilizing the same resources and operating system as other containers.
Compared to VMs, each container image is more easily migrated and shared because of its smaller size. As only one operating system is involved, a container can be easily maintained. Containers also minimize hardware costs, since multiple applications run on the same hardware, increasing the utilization of the hardware. The following are some services and technologies that can be used to deploy and manage containers.

- Containers as a service (CaaS): This refers to services that enable the deployment of containers and container management through orchestrators. Using CaaS, subscribers can develop rich, scalable containerized applications through the cloud or on-site data centers.
- Container Engine: A container engine manages the environment for deploying containerized applications. It can be used to create, add, and remove containers as per requirements.
- Container Orchestration: This refers to an automated process of managing the lifecycles of software containers and their dynamic environment. Currently available open-source container orchestrators are Kubernetes and Docker Swarm, and a commercial container orchestrator is OpenShift by Red Hat.

Container Technology Architecture

[Slide diagram: developer -> testing and accreditation systems -> internal/external registry -> orchestrator -> hosts with containers, administered by an admin. Phases: image creation, testing and accreditation; storage and retrieval of images; deployment and management of containers]

Container Technology Architecture

Container technology architecture comprises the following five tiers:

- The developer creates the images and sends them for testing and accreditation.
- The testing and accreditation systems validate, verify, and sign the images and send them to the registry.
- At registries, the images are stored and distributed upon request from an orchestrator.
- At orchestrators, the images are converted into containers and deployed to the hosts.
- The host runs and stops the containers on the direction of the orchestrator.

[Figure 10.5: Container technology architecture]
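The following added example (not part of the course material) models the accreditation, registry and orchestrator tiers above: the accreditation tier signs an image digest, the registry stores image and signature, and the orchestrator refuses to turn an image into a container unless the signature still verifies against the stored bytes. All names, the key value and the image bytes are constructed for the example; a shared HMAC key stands in for the asymmetric signing a real pipeline would use.

```python
import hashlib
import hmac
from typing import Optional

# Constructed signing key held by the testing and accreditation tier (hypothetical value).
# Real pipelines use asymmetric signatures so registries and orchestrators never hold the
# signing key; a shared HMAC key is used here only to keep the example self-contained.
ACCREDITATION_KEY = b"constructed-accreditation-key"


def image_digest(image_bytes: bytes) -> str:
    """Content-addressed identity of an image: SHA-256 over its bytes."""
    return "sha256:" + hashlib.sha256(image_bytes).hexdigest()


def accredit_image(image_bytes: bytes, key: bytes = ACCREDITATION_KEY) -> dict:
    """Accreditation tier: sign the digest and produce the record sent to the registry."""
    digest = image_digest(image_bytes)
    signature = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"digest": digest, "signature": signature}


class Registry:
    """Registry tier: stores image bytes with their accreditation record, keyed by name."""

    def __init__(self):
        self._images = {}

    def push(self, name: str, image_bytes: bytes, record: Optional[dict]) -> None:
        self._images[name] = (image_bytes, record)

    def pull(self, name: str):
        return self._images[name]


def orchestrator_deploy(registry: Registry, name: str, key: bytes = ACCREDITATION_KEY) -> bool:
    """Orchestrator tier: deploy only if the image pulled from the registry is still accredited.

    Rejects unsigned images, images whose bytes no longer match the signed digest, and
    records whose signature does not verify under the accreditation key."""
    image_bytes, record = registry.pull(name)
    if record is None:
        return False  # never went through testing and accreditation
    if image_digest(image_bytes) != record["digest"]:
        return False  # stored image differs from what was signed
    expected = hmac.new(key, record["digest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["signature"]):
        return False  # signature does not verify
    return True  # the host may now run the container
```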
