Putting all your eggs in one basket has never been a great idea – by not securing your virtual environment – you’re doing just that with your corporate data.

Without any security, your virtual host server isn’t far from being an open door – a direct route into your organisation for pretty much anyone with a little knowledge 
to access, compromise or corrupt every virtual machines you’ve got: not an appealing prospect!
Although it’s not impossible for the same thing to happen in a physical world: most servers and desktops after all have some form of security layer in their build – however basic: there probably isn’t a network out there that doesn’t include IDS, Firewalls, DLP or Anti-Virus in some guise. It provides a minimum level of security against internal and external threats that just doesn’t apply in a new virtual infrastructure. Virtual machines’ lack of individual security provision and their dynamic nature means that unless security is over-layered at the management level, they’re wide open to attack – in a way that most systems or network devices aren’t.
But securing the virtual world isn’t all bad news: a brand new virtual deployment gives you a unique opportunity to implement security policies and procedures from scratch – using the latest technologies. That’s rarely possible in a physical network where legacy systems, multiple vendor solutions, anomalies and upgrades mean that policies and procedures can be difficult to implement and harder still to enforce or police.
Your HyperVisor and management console are the gatekeepers to your whole virtual infrastructure, so not deploying some form of security solutions to protect them isn’t an option, it’s a necessity – unless you like scrambled eggs!

Virtualization Myths

Thought I would share this presentation with everyone from a recent seminar that I gave at the back end of last year entitled “Security in a Virtual World”.

You can check out the presentation at this link: http://bit.ly/8Vh4MM

This appeared on a VMware KB article back in August but some of you may have not seen it. Basically if you use a port scanner like NMAP and scan an ESX host in particular on port 8000, subsequent VMotion events will fail.

The only way to get VMotion to work again is to disable and then re-enable VMotion. It’s interesting that this service is obviously not robust enough to cope with a simple port scan and also highlights the fact that you should be isolating your vmotion network from general network traffic.

The original VMware article can be viewed here, KB1010672

Lab Security’s important, right? Well, so it may be – but when it comes to virtualisation, it’s not hard to get the impression that it isn’t being treated as seriously as it should be. I don’t know about you, but when I read about the take-up of virtualisation, the feeling of foreboding is not unlike seeing a five-year-old play with Daddy’s collection of Samurai swords – while nothing awful has happened yet, one can’t help thinking it’s a matter of when, not if.

More can be read the the following link:

http://www.theregister.co.uk/2009/12/15/virtual_server_security/

The VMinformer Community Edition allows security professionals and those tasked with managing virtual infrastructures the ability to assess the overall security configuration of their virtual environment. Critical virtual infrastructure assets can be rapidly assessed against out of the box policy templates based on industry standards such as CIS and PCI benchmarks.

The VMinformer Community Edition is a free, single user version with most of the capabilities of VMinformer PRO.

VMinformer provides:-

• Simple deployment - installs on a laptop or workstation in minutes
• Out of the box policies - based on standard industry benchmarks
• Remediation guidance - helps identify risks to your infrastructure quickly and accurately and provides step by step fix guidance
• No cost start up security solution - provides a free entry level solution for your virtual environment

To download the community edition of the tool follow this link

If you didn’t already know this the VMware Web Services SDK is a WSDL API that allows developers to write applications that integrate with VMware. You can also query this API using a standard web browser. The WSDL interface requires authentication and once authenticated you have access to the entire API as shown in the screenshot below.

Even if you are not a developer once authenticated using the browser you can query the virtual infrastructure in much the same way as you would using the standard VI client. You can also scheduled tasks which means you have a lot of power, eg. shutdown VM’s, Change configs etc.

Bruteforce Attack

The interesting thing to note is that the interface can be attacked using Brute Force techniques, so if you do not have adequate access control mechanisms in place you are leaving your virtual infrastructure open to compromise.

To mitigate this from happening I would suggest you lock down which source IP’s in your network are allowed to access vCenter and each ESX host, and never expose your Virtual Management layer to the Internet.

First UK VirtSec Training course to be offered in London from February 2010. I am just putting the finishing touches to the content and format for this 2 day course. More details will follow shortly if you would like to register your interest in attending this course then please register here.

Traditional Firewall vendors as well as VMware themselves (vShield Zones) are starting to develop solutions for the virtualization space. Vendors like Altor Networks and Check Point have or are in the process of having Firewall technology to enable you to further secure your VMware infrastructure.

I’ve had a look under the hood of early Alpha code from these vendors and whilst very impressive it did start to make me wonder a number of things like:

1. What resources would this firewall need, after all it would be contending for the same resources as other VM’s on the ESX host.
2. Who is going to manage the firewall, as the vendors are both hooking it into the management components of their existing products or offering plugins to vCenter. Do you get your VMware admin people to look after the firewall, cross train them or do you hand this off to the network security team who may not understand virtualization?
3. Do we need the firewall, we don’t necessarily have internal firewall’s today so why do we need them in the virtual world?
4. Performance, can the firewall keep up? Does it require its own dedicated CPU?

The Firewall’s main purpose is as we all know to block and prevent unauthorized access to services and applications that we wish to protect. In the physical world this is bread and butter stuff and we have clearly defined perimeters where we typically deploy these devices. In the virtual world these perimeters become blurred, and the demarcation points that we are all used to are no longer there. If you are thinking of protecting your virtual infrastructure using a virtual firewall you need to ask yourself what it is you are trying to achieve and can the virtual firewall cope with the load that your $100,000 physical firewall was capable of.

The firewall should not be your only line of defence in the virtual world, you need to think about locking down the configuration of all your ESX hosts and VM’s as you would do for physical servers. You then need to look at the design of the network and make sure that this is as secure as possible. This may involve using VLANs and implementing port group security and making sure that non production machines are not sharing the same networks as production machines.

You should also look at entitlement in terms of what roles and permission you have defined within your vCenter and ESX hosts, you should work on the principal of least privilege.

The firewall does have a role to play you just need to step back and take perspective before you jump on the hype of “I must have a firewall for my virtual world.”

Idiotic buzz words!

There are many buzz words and hype the computer industry has created over the last decade.  If I had to pick my number one phrase for being the most misused, annoying and idiotic it would be “Cloud Computing” or “Cloud Services” and any other usage of the word “Cloud” in this context.  The industry in general is now using terms like “Private Cloud” what planet have these people stepped off?  It’s a building with a bunch of computers in, umm now let me think wasn’t that my datacenter?!!  Also didn’t we have other terms like “Intranets”, “Extranets” and other “nets” to describe separate networks, come on!

This industry also seems to enjoy creating new acronyms for things and although I am not against acronyms if they are necessary making up things like, “SAAS”, “DAAS” and “NAAS” who are these people trying to kid.  Also haven’t we been here before to some extent?  Less than a decade ago I seem to remember people talking about ASP’s being the next big thing, where are they now?

For those of you who don’t know what I am talking about when I refer to “Cloud” lets try and define it because there seems to be a myriad of definitions for it out there doing the circuit.  You have a business, could be small, could be big, it doesn’t really matter.  You say to yourself rather than doing all that complicated technical stuff needed to run my business or because I don’t have the resource or startup capital right now I’ll let someone else handle that .  That person does have the know how, the resources and can spread my cost base over a period of time, and this makes sense you don’t have to be a genius to see the benefits of doing this.

Outsourcing

So however you wrap it up “Cloud” is essentially about outsourcing your business processes and assets to an external provider.  You may decide to do this in combination or in a step by step process.  Now for the “one man and his band” this may be fine, and as I said earlier you don’t need to be a genius to see the flexibility that this “pay as you go” type service offering gives you.

But is this right for an enterprise business?

Would you really outsource all of your core business services, assets, data, intellectual property to a service provider?  If I put my security hat on for a moment I would have to say if as a business you decide to go down this route then you would without doubt be commiting corporate suicide.

Would you put all your confidential data and any other intellectual property you had in a skip on the street?  Would you leave your valuables in your car unlocked?  Would you leave your front door open?  Of course you wouldn’t unless you were completely stupid, and I am not trying to scare anyone here I am trying to make people think and get some perspective on the situation.

Step back for a second and look at what “Cloud” strategy is going to give you. Way up the benefits and then however the marketing people (by the way I don’t have anything against marketing people!) wrap the wolf up in sheep’s clothing, strip it bare, get back to basics and ask why am I doing this, what will it achieve that I don’t already have today or can’t do in other ways.  Then look at protection, how do I protect myself if I do decide to go down this road to armegeddon.  You may have high security standards and practices, the provider however may not or even if they claim they do, may not bother to implement them for reasons of cost.

Then what about insurance can the provider indemnify you if a security breach occurs?

Unless the provider is very large and lets face it today there are only a handful of those that make up the hundreds of other companies starting to offer cloud services, then the answer is that no insurance underwriter is going to provide those organizations with adequate insurance for indemnity purposes.

Sharing

Lets say for a minute you do decide that “Cloud” is for you, you like the idea of saving money its going to make you look good in the board room, it will save the organization millions, help you link with new business partners, whatever the reason.

When today a breach occurs that results in you losing thousands of credit card numbers or core IPR of some sort, when you enter the board room tomorrow are you going to look that brilliant.  No you will be making a fast exit but the aftermath to the company you worked for could be catastrophic, share prices could plummit, customer confidence falter, brand reputation suffer, you get the picture.

FUD

Am I trying to feed you FUD? (fear, uncertainty and doubt for the uninitiated) well maybe to drive the point home.  The reason I paint the above picture is that if you outsource your assets to a provider you have to be damn certain that you can TRUST them.  Further still it’s not that you just TRUST them but all the business connections they may have as well as the other customers that are using their services alongside you.  Is the provider offering you dedicated resources or are they shared, and when I talk about sharing I mean at all 7 layers of the OSI model, from the application, to the network to the physical layer.

If these resources are shared which they will be as that’s why it’s cheap, how does the “Cloud” provider offer you robust security?  How do they guarantee the same levels of security you have today within your own network?  The answer is they can’t and if they say they can then walk away!

Attacking management frameworks

We have already seen attacks on social networking sites, and business sites, most recently at Black Hat 09 in Vegas a talk titled “Clobbering the Cloud” showed how researchers compromised the management frameworks of “Salesforce.com” to extract data that didn’t belong to them.

Virtualization

So where does virtualization fit into all of this?  vCloud?  VMware have a so called cloud operating system and are making moves into this space in a big way with their own service offerings.  Microsoft and Xen are also starting to do the same thing so virtualization is becoming very much a part of the “Cloud’, whether this is the network, the operating systems or applications  Does it complicate things? Does it make things easier?  There is no black and white answer to this if anything depending on your perspective it makes things easier  and it could if implemented correctly be more secure.

Unfortunately history has shown us that even if we have the most technologically advanced system in our grasp, human nature in the end just lets us down, the enigma cipher machine is a classic testimony to this.

Right now I’m off to get myself a brew in my virtual shed or was that cloud at the bottom of the garden!

Avoid denial of service caused by virtual disk modification operations

You should ensure that a normal user or process cannot make modifications to virtual disk operations. Particularly the process a virtual disk invokes to reclaim disk space. If this method is invoked repeatedly the disk could become unavailable and thus cause a denial of service on the guest. It is recommended that this feature be turned off.

Remediation Steps

1. Login to VirtualCenter or your ESX Host using the VI client
2. Power off the VM to be changed
3. Select the Virtual Machine that you wish to change
4. Select edit settings
5. Then select the options tab
6. Select Advanced, General and then select the “configuration parameters” button.
7. Add a row if necessary and then enter in the name field: “isolation.tools.diskWiper.disable”
8. In the value field enter the value “true”
9. Add another row and enter in the name field “isolation.tools.diskShrink.disable”
10. Add in the value field “true”