Putting all your eggs in one basket has never been a great idea – by not securing your virtual environment – you’re doing just that with your corporate data.

Without any security, your virtual host server isn’t far from being an open door – a direct route into your organisation for pretty much anyone with a little knowledge 
to access, compromise or corrupt every virtual machines you’ve got: not an appealing prospect!
Although it’s not impossible for the same thing to happen in a physical world: most servers and desktops after all have some form of security layer in their build – however basic: there probably isn’t a network out there that doesn’t include IDS, Firewalls, DLP or Anti-Virus in some guise. It provides a minimum level of security against internal and external threats that just doesn’t apply in a new virtual infrastructure. Virtual machines’ lack of individual security provision and their dynamic nature means that unless security is over-layered at the management level, they’re wide open to attack – in a way that most systems or network devices aren’t.
But securing the virtual world isn’t all bad news: a brand new virtual deployment gives you a unique opportunity to implement security policies and procedures from scratch – using the latest technologies. That’s rarely possible in a physical network where legacy systems, multiple vendor solutions, anomalies and upgrades mean that policies and procedures can be difficult to implement and harder still to enforce or police.
Your HyperVisor and management console are the gatekeepers to your whole virtual infrastructure, so not deploying some form of security solutions to protect them isn’t an option, it’s a necessity – unless you like scrambled eggs!

Virtualization Myths

Thought I would share this presentation with everyone from a recent seminar that I gave at the back end of last year entitled “Security in a Virtual World”.

You can check out the presentation at this link: http://bit.ly/8Vh4MM

This appeared on a VMware KB article back in August but some of you may have not seen it. Basically if you use a port scanner like NMAP and scan an ESX host in particular on port 8000, subsequent VMotion events will fail.

The only way to get VMotion to work again is to disable and then re-enable VMotion. It’s interesting that this service is obviously not robust enough to cope with a simple port scan and also highlights the fact that you should be isolating your vmotion network from general network traffic.

The original VMware article can be viewed here, KB1010672

Traditional Firewall vendors as well as VMware themselves (vShield Zones) are starting to develop solutions for the virtualization space. Vendors like Altor Networks and Check Point have or are in the process of having Firewall technology to enable you to further secure your VMware infrastructure.

I’ve had a look under the hood of early Alpha code from these vendors and whilst very impressive it did start to make me wonder a number of things like:

1. What resources would this firewall need, after all it would be contending for the same resources as other VM’s on the ESX host.
2. Who is going to manage the firewall, as the vendors are both hooking it into the management components of their existing products or offering plugins to vCenter. Do you get your VMware admin people to look after the firewall, cross train them or do you hand this off to the network security team who may not understand virtualization?
3. Do we need the firewall, we don’t necessarily have internal firewall’s today so why do we need them in the virtual world?
4. Performance, can the firewall keep up? Does it require its own dedicated CPU?

The Firewall’s main purpose is as we all know to block and prevent unauthorized access to services and applications that we wish to protect. In the physical world this is bread and butter stuff and we have clearly defined perimeters where we typically deploy these devices. In the virtual world these perimeters become blurred, and the demarcation points that we are all used to are no longer there. If you are thinking of protecting your virtual infrastructure using a virtual firewall you need to ask yourself what it is you are trying to achieve and can the virtual firewall cope with the load that your $100,000 physical firewall was capable of.

The firewall should not be your only line of defence in the virtual world, you need to think about locking down the configuration of all your ESX hosts and VM’s as you would do for physical servers. You then need to look at the design of the network and make sure that this is as secure as possible. This may involve using VLANs and implementing port group security and making sure that non production machines are not sharing the same networks as production machines.

You should also look at entitlement in terms of what roles and permission you have defined within your vCenter and ESX hosts, you should work on the principal of least privilege.

The firewall does have a role to play you just need to step back and take perspective before you jump on the hype of “I must have a firewall for my virtual world.”

Idiotic buzz words!

There are many buzz words and hype the computer industry has created over the last decade.  If I had to pick my number one phrase for being the most misused, annoying and idiotic it would be “Cloud Computing” or “Cloud Services” and any other usage of the word “Cloud” in this context.  The industry in general is now using terms like “Private Cloud” what planet have these people stepped off?  It’s a building with a bunch of computers in, umm now let me think wasn’t that my datacenter?!!  Also didn’t we have other terms like “Intranets”, “Extranets” and other “nets” to describe separate networks, come on!

This industry also seems to enjoy creating new acronyms for things and although I am not against acronyms if they are necessary making up things like, “SAAS”, “DAAS” and “NAAS” who are these people trying to kid.  Also haven’t we been here before to some extent?  Less than a decade ago I seem to remember people talking about ASP’s being the next big thing, where are they now?

For those of you who don’t know what I am talking about when I refer to “Cloud” lets try and define it because there seems to be a myriad of definitions for it out there doing the circuit.  You have a business, could be small, could be big, it doesn’t really matter.  You say to yourself rather than doing all that complicated technical stuff needed to run my business or because I don’t have the resource or startup capital right now I’ll let someone else handle that .  That person does have the know how, the resources and can spread my cost base over a period of time, and this makes sense you don’t have to be a genius to see the benefits of doing this.

Outsourcing

So however you wrap it up “Cloud” is essentially about outsourcing your business processes and assets to an external provider.  You may decide to do this in combination or in a step by step process.  Now for the “one man and his band” this may be fine, and as I said earlier you don’t need to be a genius to see the flexibility that this “pay as you go” type service offering gives you.

But is this right for an enterprise business?

Would you really outsource all of your core business services, assets, data, intellectual property to a service provider?  If I put my security hat on for a moment I would have to say if as a business you decide to go down this route then you would without doubt be commiting corporate suicide.

Would you put all your confidential data and any other intellectual property you had in a skip on the street?  Would you leave your valuables in your car unlocked?  Would you leave your front door open?  Of course you wouldn’t unless you were completely stupid, and I am not trying to scare anyone here I am trying to make people think and get some perspective on the situation.

Step back for a second and look at what “Cloud” strategy is going to give you. Way up the benefits and then however the marketing people (by the way I don’t have anything against marketing people!) wrap the wolf up in sheep’s clothing, strip it bare, get back to basics and ask why am I doing this, what will it achieve that I don’t already have today or can’t do in other ways.  Then look at protection, how do I protect myself if I do decide to go down this road to armegeddon.  You may have high security standards and practices, the provider however may not or even if they claim they do, may not bother to implement them for reasons of cost.

Then what about insurance can the provider indemnify you if a security breach occurs?

Unless the provider is very large and lets face it today there are only a handful of those that make up the hundreds of other companies starting to offer cloud services, then the answer is that no insurance underwriter is going to provide those organizations with adequate insurance for indemnity purposes.

Sharing

Lets say for a minute you do decide that “Cloud” is for you, you like the idea of saving money its going to make you look good in the board room, it will save the organization millions, help you link with new business partners, whatever the reason.

When today a breach occurs that results in you losing thousands of credit card numbers or core IPR of some sort, when you enter the board room tomorrow are you going to look that brilliant.  No you will be making a fast exit but the aftermath to the company you worked for could be catastrophic, share prices could plummit, customer confidence falter, brand reputation suffer, you get the picture.

FUD

Am I trying to feed you FUD? (fear, uncertainty and doubt for the uninitiated) well maybe to drive the point home.  The reason I paint the above picture is that if you outsource your assets to a provider you have to be damn certain that you can TRUST them.  Further still it’s not that you just TRUST them but all the business connections they may have as well as the other customers that are using their services alongside you.  Is the provider offering you dedicated resources or are they shared, and when I talk about sharing I mean at all 7 layers of the OSI model, from the application, to the network to the physical layer.

If these resources are shared which they will be as that’s why it’s cheap, how does the “Cloud” provider offer you robust security?  How do they guarantee the same levels of security you have today within your own network?  The answer is they can’t and if they say they can then walk away!

Attacking management frameworks

We have already seen attacks on social networking sites, and business sites, most recently at Black Hat 09 in Vegas a talk titled “Clobbering the Cloud” showed how researchers compromised the management frameworks of “Salesforce.com” to extract data that didn’t belong to them.

Virtualization

So where does virtualization fit into all of this?  vCloud?  VMware have a so called cloud operating system and are making moves into this space in a big way with their own service offerings.  Microsoft and Xen are also starting to do the same thing so virtualization is becoming very much a part of the “Cloud’, whether this is the network, the operating systems or applications  Does it complicate things? Does it make things easier?  There is no black and white answer to this if anything depending on your perspective it makes things easier  and it could if implemented correctly be more secure.

Unfortunately history has shown us that even if we have the most technologically advanced system in our grasp, human nature in the end just lets us down, the enigma cipher machine is a classic testimony to this.

Right now I’m off to get myself a brew in my virtual shed or was that cloud at the bottom of the garden!

Lets start with the obvious ports…

Most of you probably know that your VMware ESX host and Virtual Center allows connectivity over port 443 to a SOAP WSDL interface. This communication channel allows you to query various objects within your virtual infrastructure for the purpose of creating your own apps.  You can also connect to this port using a standard web browser to manage your virtual environment in a similar way to how you would with the standard VI client.

What probably isn’t known to those of you have never tried this before or maybe who are not developers is how powerful and how dangerous this communication channel could potentially be if accessed by a malicious hacker.

Access

So you should make sure that this port is not accessible from outside your organisation and ensure that proper network access controls are in place to allow only those that should be accessing this interface to do so.

When you initially connect to the interface it will prompt you for a username/password combination, however you could attempt to brute force this.  Once in you then have access to the api and all the methods that it allows.

The below screen shot shows you what you could potentially have access to once authenticated….

The actual Mob / SDK….

The above screen shot shows a detailed breakdown of  the Firewall rule set, there are many more things you can do with this interface which we shall explore next time….

Sooner or later even the graphic cards had to be virtualised.

To achieve this task three components are needed: a chipset providing some sort of I/O virtualisation technologies, a virtualisation platform that can support it, and a display card that can handle the requests to access its GPU coming from different virtual machines at the same time.
The first three companies that made this possible are Intel, which provides the I/O virtualisation technology (VT-d), Parallels, which provides the platform (Workstation) and NVIDIA which provides the GPU (Quadro with SLI Multi-OS).
Looking at this from a virtual desktop perspective the day is fast approaching where the percived limitations of using highly demanding applications will soon be over. There are many vendors now that are reducing the gap, and the benefits to businesses once this occurs will be massive. It is possible today to run many 2D and 3D applications with in a virtual environment on specific hardware, but once virtualisation companies such as VMware can achieve this through software then we will truely be there.
With VMware’s next release of its View product many 2D applications will be supported to run in a virtual environment either using TCX from Wyse a software verison of Teradici PC-over-IP or the RGS protocol from HP.
As you can see things are really starting to change for the virtual desktop and with the economy as it is, VDI could now start to offer the savings it always promised.