virtualization

17 Dec

This appeared in a VMware KB article back in August but some of you may not have seen it. Basically, if you use a port scanner like Nmap and scan an ESX host, in particular on port 8000, subsequent VMotion events will fail.

The only way to get VMotion to work again is to disable and then re-enable VMotion. It’s interesting that this service is obviously not robust enough to cope with a simple port scan, and it also highlights the fact that you should be isolating your VMotion network from general network traffic.

The original VMware article can be viewed here: KB1010672

Category : VMware security | VirtSec | Virtualization Security | newsfeed | virtualization | Blog
16 Dec

Lab Security’s important, right? Well, so it may be – but when it comes to virtualisation, it’s not hard to get the impression that it isn’t being treated as seriously as it should be. I don’t know about you, but when I read about the take-up of virtualisation, the feeling of foreboding is not unlike seeing a five-year-old play with Daddy’s collection of Samurai swords – while nothing awful has happened yet, one can’t help thinking it’s a matter of when, not if.

More can be read at the following link:

http://www.theregister.co.uk/2009/12/15/virtual_server_security/

Category : Virtualization Security | virtualization | Blog
21 Sep

Idiotic buzz words!

There are many buzz words and much hype that the computer industry has created over the last decade.  If I had to pick my number one phrase for being the most misused, annoying and idiotic it would be “Cloud Computing” or “Cloud Services” and any other usage of the word “Cloud” in this context.  The industry in general is now using terms like “Private Cloud”; what planet have these people stepped off?  It’s a building with a bunch of computers in, umm, now let me think, wasn’t that my datacenter?!!  Also, didn’t we have other terms like “Intranets”, “Extranets” and other “nets” to describe separate networks? Come on!

This industry also seems to enjoy creating new acronyms for things, and although I am not against acronyms if they are necessary, making up things like “SAAS”, “DAAS” and “NAAS”, who are these people trying to kid?  Also, haven’t we been here before to some extent?  Less than a decade ago I seem to remember people talking about ASPs being the next big thing; where are they now?

For those of you who don’t know what I am talking about when I refer to “Cloud”, let’s try and define it, because there seems to be a myriad of definitions for it out there doing the circuit.  You have a business, could be small, could be big, it doesn’t really matter.  You say to yourself: rather than doing all that complicated technical stuff needed to run my business, or because I don’t have the resource or startup capital right now, I’ll let someone else handle that.  That person does have the know-how, the resources and can spread my cost base over a period of time, and this makes sense; you don’t have to be a genius to see the benefits of doing this.

Outsourcing

So however you wrap it up “Cloud” is essentially about outsourcing your business processes and assets to an external provider.  You may decide to do this in combination or in a step by step process.  Now for the “one man and his band” this may be fine, and as I said earlier you don’t need to be a genius to see the flexibility that this “pay as you go” type service offering gives you.

But is this right for an enterprise business?

Would you really outsource all of your core business services, assets, data, intellectual property to a service provider?  If I put my security hat on for a moment I would have to say if as a business you decide to go down this route then you would without doubt be committing corporate suicide.

Would you put all your confidential data and any other intellectual property you had in a skip on the street?  Would you leave your valuables in your car unlocked?  Would you leave your front door open?  Of course you wouldn’t unless you were completely stupid, and I am not trying to scare anyone here I am trying to make people think and get some perspective on the situation.

Step back for a second and look at what “Cloud” strategy is going to give you. Weigh up the benefits and then, however the marketing people (by the way I don’t have anything against marketing people!) wrap the wolf up in sheep’s clothing, strip it bare, get back to basics and ask: why am I doing this, what will it achieve that I don’t already have today or can’t do in other ways?  Then look at protection: how do I protect myself if I do decide to go down this road to Armageddon?  You may have high security standards and practices; the provider, however, may not or, even if they claim they do, may not bother to implement them for reasons of cost.

Then what about insurance? Can the provider indemnify you if a security breach occurs?

Unless the provider is very large, and let’s face it, today there are only a handful of those among the hundreds of other companies starting to offer cloud services, then the answer is that no insurance underwriter is going to provide those organizations with adequate insurance for indemnity purposes.

Sharing

Let’s say for a minute you do decide that “Cloud” is for you: you like the idea of saving money, it’s going to make you look good in the board room, it will save the organization millions, help you link with new business partners, whatever the reason.

When today a breach occurs that results in you losing thousands of credit card numbers or core IPR of some sort, when you enter the board room tomorrow are you going to look that brilliant?  No, you will be making a fast exit, but the aftermath to the company you worked for could be catastrophic: share prices could plummet, customer confidence falter, brand reputation suffer, you get the picture.

FUD

Am I trying to feed you FUD (fear, uncertainty and doubt for the uninitiated)? Well, maybe, to drive the point home.  The reason I paint the above picture is that if you outsource your assets to a provider you have to be damn certain that you can TRUST them.  Further still, it’s not that you just TRUST them but all the business connections they may have as well as the other customers that are using their services alongside you.  Is the provider offering you dedicated resources or are they shared? And when I talk about sharing I mean at all 7 layers of the OSI model, from the application, to the network, to the physical layer.

If these resources are shared, which they will be as that’s why it’s cheap, how does the “Cloud” provider offer you robust security?  How do they guarantee the same levels of security you have today within your own network?  The answer is they can’t, and if they say they can then walk away!

Attacking management frameworks

We have already seen attacks on social networking sites and business sites. Most recently, at Black Hat 09 in Vegas, a talk titled “Clobbering the Cloud” showed how researchers compromised the management frameworks of “Salesforce.com” to extract data that didn’t belong to them.

Virtualization

So where does virtualization fit into all of this?  vCloud?  VMware have a so-called cloud operating system and are making moves into this space in a big way with their own service offerings.  Microsoft and Xen are also starting to do the same thing, so virtualization is becoming very much a part of the “Cloud”, whether this is the network, the operating systems or applications.  Does it complicate things? Does it make things easier?  There is no black and white answer to this; if anything, depending on your perspective, it makes things easier and it could, if implemented correctly, be more secure.

Unfortunately history has shown us that even if we have the most technologically advanced system in our grasp, human nature in the end just lets us down; the Enigma cipher machine is a classic testimony to this.

Right now I’m off to get myself a brew in my virtual shed or was that cloud at the bottom of the garden!

Category : Virtualization Security | cloud computing | newsfeed | virtualization | Blog
10 Aug

Just returned from Vegas where I caught the end of this interesting talk about VMescape.  The bug was present in the virtualized video drivers and was patched back in March 09.  The following presentation covers the bug and exploit in detail and is very interesting….

Hacking 3D

Category : VMware security | Virtualization Security | Blog
21 Jul

VMinformer Security Hardening and Remediation Guide

Hot off the press: the VMinformer security and remediation guide for your virtual infrastructure.  Includes information on how to secure your VC, ESX Host and VM Guests.  You can download the guide here

Category : VMinformer | VMware security | Virtualization Security | virtualization | Blog
14 Jul

Let’s start with the obvious ports…

Most of you probably know that your VMware ESX host and Virtual Center allow connectivity over port 443 to a SOAP WSDL interface. This communication channel allows you to query various objects within your virtual infrastructure for the purpose of creating your own apps.  You can also connect to this port using a standard web browser to manage your virtual environment in a similar way to how you would with the standard VI client.

What probably isn’t known to those of you who have never tried this before, or maybe who are not developers, is how powerful and how dangerous this communication channel could potentially be if accessed by a malicious hacker.

Access

So you should make sure that this port is not accessible from outside your organisation and ensure that proper network access controls are in place to allow only those that should be accessing this interface to do so.
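An offline way to check the access-control advice above, together with the VMotion isolation advice from the port 8000 post, without probing a live host. This is an added example, not from the original blog or from VMware; the subnets, the ACL tuple format and the function names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Policy: which source networks may reach each ESX service. Ports 443 (SOAP/MOB
# interface) and 8000 (VMotion) come from the posts; the subnets are made up.
POLICY = {
    443: [ip_network("10.10.0.0/24")],      # hypothetical admin subnet
    8000: [ip_network("192.168.50.0/24")],  # hypothetical isolated VMotion VLAN
}

# Constructed ACL export, evaluated top-down, first match wins.
# Each rule: (action, source network, destination port or None for any port)
SAMPLE_ACL = [
    ("permit", "10.10.0.0/24", 443),
    ("permit", "192.168.50.0/24", 8000),
    ("permit", "10.0.0.0/8", None),   # broad rule that exposes both services
    ("deny", "0.0.0.0/0", None),
]

def decision(acl, src_ip, port):
    """Action of the first rule matching src_ip -> port (implicit deny)."""
    addr = ip_address(src_ip)
    for action, src, dport in acl:
        if dport in (None, port) and addr in ip_network(src):
            return action
    return "deny"

def audit(acl, policy):
    """Return (port, rule index, source) for permits wider than the policy.

    A permit fully covered by an earlier rule for the same port can never
    match, so it is skipped. Partially shadowed permits are still reported,
    which errs on the side of flagging.
    """
    findings = []
    for port, allowed in policy.items():
        earlier = []  # source networks of rules above that apply to this port
        for idx, (action, src, dport) in enumerate(acl):
            if dport not in (None, port):
                continue
            net = ip_network(src)
            shadowed = any(net.version == p.version and net.subnet_of(p)
                           for p in earlier)
            in_policy = any(net.version == a.version and net.subnet_of(a)
                            for a in allowed)
            if action == "permit" and not shadowed and not in_policy:
                findings.append((port, idx, src))
            earlier.append(net)
    return findings

if __name__ == "__main__":
    for port, idx, src in audit(SAMPLE_ACL, POLICY):
        print(f"rule {idx}: permit from {src} exposes port {port} outside policy")
```

Because it reads an exported rule set rather than connecting to the host, the check can be run against production ACLs without touching port 8000 on a live ESX host.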

When you initially connect to the interface it will prompt you for a username/password combination; however, you could attempt to brute force this.  Once in, you then have access to the API and all the methods that it allows.

The below screen shot shows you what you could potentially have access to once authenticated….

The actual Mob / SDK….

The above screen shot shows a detailed breakdown of the Firewall rule set. There are many more things you can do with this interface, which we shall explore next time….

Category : VMware security | Virtualization Security | newsfeed | virtualization | Blog
14 Jul

Saw this interesting article, “Real World Security – Part1”, on virtualization security; go check it out at virtualization.info

Category : VMware security | Virtualization Security | virtualization | Blog
13 Jul

Where is my data….

So you have decided to take security seriously and have looked at VMware’s best practice guidelines and maybe have started to implement some of the recommendations. You may be also looking at what you can do at the network layer or defining user access roles more clearly.

The underlying data…

But what about the underlying data?  The data that is core to your business, the data that drives all your financial systems, the data that is your life blood.

You may have 20 or so machines running on a single ESX host and each one of those will have virtual machine files and other data that are required to make those systems run.   On top of that they will have application and business data that keeps your business alive.  But is that data encrypted?  Should it be? Is that data segregated on the underlying storage architecture?

Fundamental security….

These are fundamental security questions you should be asking, especially if you are in an industry that is regulated or you fall under compliance regulations like PCI or SOX.  Even if you are not in an industry sector that requires these types of controls you should, from a security perspective, keep data that belongs to critical systems away from data that is part of say a dev and test environment.  All common sense stuff I know, but you would be amazed how many organisations are not following the basics when it comes to security…

Category : VMware security | Virtualization Security | Blog
7 Jul

Found this interesting article and debate on the merits of cloud security scanning, enjoy…

cloudsecurity.org

Category : Virtualization Security | cloud computing | Blog