ACCORD-V.

The ACCORD-V. hardware and software complex is designed to protect VMware vSphere 4.1 and VMware vSphere 5 virtualization infrastructures.

Accord-V. protects all components of the virtualization environment: the ESX servers and the virtual machines themselves, the vCenter management servers, and additional servers running VMware services (e.g. VMware Consolidated Backup).

What's the problem?

  • The startup of a virtual infrastructure is "stretched out": it consists of stages that run on different elements of the infrastructure.
  • To ensure protection, all stages of system startup must be controlled, including those that take place inside the virtual machine.
  • A solution is therefore needed that lets the resident (hardware) component gain access to each newly started controlled environment while itself remaining outside that environment.

Major idea:

Continuous control of startup correctness, based on a step-by-step integrity check algorithm whose essence is as follows:

to read and check data at the i-th logical level of representation, only procedures of level i-1 are used, and their integrity must already have been verified beforehand. Level 0 is the hardware component itself, so each level is measured by a level beneath it that no software of the checked level can alter.
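The following Python model is an added illustration of that step-by-step check; it is not code from the Accord-V. product or from this page. It treats the hardware controller as level 0 and walks three constructed levels (hypervisor files, virtual devices/BIOS/config, guest OS files) with sample byte contents and SHA-256 reference measurements; all level and object names are assumptions made for the example. The point it shows is that level i is read only with the verified procedure of level i-1, and that the chain stops at the first broken level, so nothing above it is ever read or trusted.

```python
import copy
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample content for the objects each logical level exposes. The level
# and object names are illustrative, not real VMware or Accord-V. file names.
GOOD_STORAGE: Dict[str, Dict[str, bytes]] = {
    "hypervisor": {          # level 1: ESX-server files, read by the hardware controller
        "vmkernel": b"hypervisor kernel image (sample)",
        "accord_v_esx": b"Accord-V. ESX-server module (sample)",
    },
    "vm_devices": {          # level 2: VM devices, virtual BIOS and config, read by level 1
        "vm01.vmx": b'displayName = "vm01"\nbios.bootOrder = "hdd"\n',
        "vm01.nvram": b"virtual BIOS settings (sample)",
    },
    "guest_os": {            # level 3: guest OS files, read by the level-2 procedure
        "kernel": b"guest kernel image (sample)",
        "accord_v_guest": b"Accord-V. guest-OS module (sample)",
    },
}
LEVELS: List[str] = ["hypervisor", "vm_devices", "guest_os"]
ROOT = "hardware"            # level 0: the controller itself, trusted by construction


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Reference measurements taken once from the known-good state. In the product they
# are stored in the hardware controller, which none of the checked levels can write.
REFERENCE: Dict[str, Dict[str, str]] = {
    level: {name: sha256_hex(blob) for name, blob in objs.items()}
    for level, objs in GOOD_STORAGE.items()
}


def read_with(storage: Dict[str, Dict[str, bytes]], reader_level: str,
              target_level: str, name: str) -> Optional[bytes]:
    """Read an object of `target_level` using the procedures of `reader_level`.

    Rule from the text: level i may only be read with level i-1 procedures, so the
    reader must be exactly the level immediately below the target. Returns None
    when the object is absent (a deleted file is a failure, not a pass).
    """
    idx = LEVELS.index(target_level)
    expected_reader = ROOT if idx == 0 else LEVELS[idx - 1]
    if reader_level != expected_reader:
        raise RuntimeError(f"{target_level} must be read with {expected_reader}, not {reader_level}")
    return storage.get(target_level, {}).get(name)


def stepwise_check(storage: Dict[str, Dict[str, bytes]]
                   ) -> Tuple[List[str], Optional[Tuple[str, List[str]]]]:
    """Verify the levels in order, each with the already-verified level beneath it.

    Returns (verified levels, failure): failure is None for a clean chain, or
    (level, [objects missing or not matching]) for the first broken level. Levels
    above the broken one are never read, because no verified procedure exists for them.
    """
    verified = [ROOT]
    for level in LEVELS:
        reader = verified[-1]                    # only a verified level hands out a reader
        bad = []
        for name, ref in REFERENCE[level].items():
            blob = read_with(storage, reader, level, name)
            if blob is None or sha256_hex(blob) != ref:
                bad.append(name)
        if bad:
            return verified, (level, bad)
        verified.append(level)                   # level i is now a trusted reader for i+1
    return verified, None


def startup_allowed(storage: Dict[str, Dict[str, bytes]]) -> bool:
    """Trusted startup: proceed only if every level up to the guest OS is verified."""
    return stepwise_check(storage)[1] is None


def tampered(level: str, name: str, blob: Optional[bytes]) -> Dict[str, Dict[str, bytes]]:
    """Constructed variant of GOOD_STORAGE with one object replaced, or removed if blob is None."""
    st = copy.deepcopy(GOOD_STORAGE)
    if blob is None:
        del st[level][name]
    else:
        st[level][name] = blob
    return st


if __name__ == "__main__":
    print(stepwise_check(GOOD_STORAGE))
    print(stepwise_check(tampered("vm_devices", "vm01.vmx", b'bios.bootOrder = "cdrom"\n')))
    print(stepwise_check(tampered("guest_os", "accord_v_guest", None)))
```

Running the module prints a fully verified chain for the clean state, a stop at `vm_devices` when the VM configuration is altered (the guest OS level is never examined), and a stop at `guest_os` when the guest protection module is deleted. The important design choice is that `read_with` refuses any reader other than the immediately preceding level: a compromised hypervisor could otherwise present clean copies of its own files, which is exactly what measuring it from the hardware level prevents.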

Composition of Accord-V.:

The DST PUA Accord-V. hardware and software complex consists of the following components:

  • "Accord-V. for vCenter";
  • "Accord-V. for ESX-server";
  • "Accord-V. for client workstations".

The software part of the complex consists of the following components:

  • "Subsystem for control of virtual machine integrity" (the module that checks the integrity of the OS of virtual machines);
  • "Subsystem of access isolation in a virtual infrastructure" (the access-control functions within the virtualization infrastructure);
  • "Subsystem for control and monitoring of the integrity-check modules and identification/authentication modules" (a control module that manages the integrity-check and identification/authentication modules and analyses their logs);
  • Identification/authentication module for the management console of the ESX server;
  • "Subsystem of protection in the OS of virtual machines" (a complex protecting data from unauthorized access inside the OS of virtual machines), plus additional software libraries and service programs (installation, testing, archiving utilities, etc.).

[Diagram: integration of ACCORD-V. into a virtual infrastructure]

Protection of ESX servers:

  • Trusted startup of ESX/ESXi servers;
  • Hardware control of the integrity of the hypervisor, the Service Console and the Accord-V. protection modules;
  • Hardware identification of administrators.

Protection of elements controlling the virtualization infrastructure:

  • Trusted startup of vCenter
  • Control of the integrity of hardware, BIOS and vCenter files before OS startup
  • Hardware identification of administrators
  • Discretionary and mandatory access control (Accord-Win32/64)

Protection of virtual machines:

  • Control of the integrity of the virtual devices, BIOS and configuration of virtual machines before startup
  • Control of the integrity of OS files inside a virtual machine before startup
  • Hardware identification of users
  • Discretionary and mandatory access control
  • Control of access to resources
  • Control of printing

Advantages:

  • The protection system is fully integrated into the virtualization infrastructure, so its operation does not require additional servers.
  • Accord-V. does not limit the capabilities of the virtual infrastructure (snapshots, migration, etc.), so all of its advantages remain available.

Certificate:

Certificate of the Federal Service for Technical and Export Control of Russia No. 2598 for the complex DST PUA "Accord-V."