Everyone talks about good design principles when it comes to securing network infrastructures. It doesn’t matter if you are in a physical or virtual environment these basic design principles apply. But in reality especially in a virtual world are they enough combined with other techniques to raise the bar in terms of security?

Design

The above design is taken from VMware’s own best practice guidelines for good network design topology. I’m not going to discuss if it is right or wrong what I am going to be asking is it right for you and should you just copy it?

Should I Copy Design’s?

Depends how good they are I guess? But bottom line NO NO NO, DON’T BE STUPID!
Would you after all leave your keys in your front door or give a shotgun to your kids to play with?
Plenty of people and organizations have been guilty of the above even to the level of copying IP address information and default usernames and passwords.

If I had a dollar every time I heard someone say isolate the management network or isolate this network I would be a rich man. Isolation alone does not guarantee security. It can help for sure but unlike the physical world it only takes a few clicks to add a new virtual network interface to a server and hey presto you have just bypassed your firewall by linking your DMZ servers to your internal LAN.

Virtualization Security, VirtSec, Security Virtualization?

Slightly different things depending on your perspective. Virtualization isn’t necessarily any less secure or more secure than traditional physical infrastructure, some people might differ! Virtualization because of its dynamic nature just lends itself to becoming less secure either because of lack of knowledge, the gun-ho approach taken to roll it out or just plain and simple mistakes combined with not enough awareness.

Surely if I have a firewall and install anti-virus and various other security measures I must be secure it’s better than nothing right? Not necessarily so in my opinion you will be giving yourself a false sense of security.

Know your Enemy and Risks

Ultimately know your enemy or at least have an idea and understand what your risks are. What are you ultimately trying to protect? If it is data which invariably it is where is it?, how is currently protected? and how valuable is it compared to the controls you need to put in place to protect it? When doing a risk analysis work out the series of events that could occur and then evaluate them on how likely they are to occur and then weight them. Going through this kind of exercise will prove invaluable later on and may turn up some interesting results that you may never have thought of.

Know what’s going on…

AUDIT, AUDIT and AUDIT some more. If you don’t keep any eye on what is going on in your virtual environment you will never be able to provide adequate security measures to protect it. Don’t just simply do this for a tick in the box for compliance. Do this because you need to drive security measures within your virtual environment and be able to provide accountability not just lip service to the compliance auditors.

Idiotic buzz words!

There are many buzz words and hype the computer industry has created over the last decade.  If I had to pick my number one phrase for being the most misused, annoying and idiotic it would be “Cloud Computing” or “Cloud Services” and any other usage of the word “Cloud” in this context.  The industry in general is now using terms like “Private Cloud” what planet have these people stepped off?  It’s a building with a bunch of computers in, umm now let me think wasn’t that my datacenter?!!  Also didn’t we have other terms like “Intranets”, “Extranets” and other “nets” to describe separate networks, come on!

This industry also seems to enjoy creating new acronyms for things and although I am not against acronyms if they are necessary making up things like, “SAAS”, “DAAS” and “NAAS” who are these people trying to kid.  Also haven’t we been here before to some extent?  Less than a decade ago I seem to remember people talking about ASP’s being the next big thing, where are they now?

For those of you who don’t know what I am talking about when I refer to “Cloud” lets try and define it because there seems to be a myriad of definitions for it out there doing the circuit.  You have a business, could be small, could be big, it doesn’t really matter.  You say to yourself rather than doing all that complicated technical stuff needed to run my business or because I don’t have the resource or startup capital right now I’ll let someone else handle that .  That person does have the know how, the resources and can spread my cost base over a period of time, and this makes sense you don’t have to be a genius to see the benefits of doing this.

Outsourcing

So however you wrap it up “Cloud” is essentially about outsourcing your business processes and assets to an external provider.  You may decide to do this in combination or in a step by step process.  Now for the “one man and his band” this may be fine, and as I said earlier you don’t need to be a genius to see the flexibility that this “pay as you go” type service offering gives you.

But is this right for an enterprise business?

Would you really outsource all of your core business services, assets, data, intellectual property to a service provider?  If I put my security hat on for a moment I would have to say if as a business you decide to go down this route then you would without doubt be commiting corporate suicide.

Would you put all your confidential data and any other intellectual property you had in a skip on the street?  Would you leave your valuables in your car unlocked?  Would you leave your front door open?  Of course you wouldn’t unless you were completely stupid, and I am not trying to scare anyone here I am trying to make people think and get some perspective on the situation.

Step back for a second and look at what “Cloud” strategy is going to give you. Way up the benefits and then however the marketing people (by the way I don’t have anything against marketing people!) wrap the wolf up in sheep’s clothing, strip it bare, get back to basics and ask why am I doing this, what will it achieve that I don’t already have today or can’t do in other ways.  Then look at protection, how do I protect myself if I do decide to go down this road to armegeddon.  You may have high security standards and practices, the provider however may not or even if they claim they do, may not bother to implement them for reasons of cost.

Then what about insurance can the provider indemnify you if a security breach occurs?

Unless the provider is very large and lets face it today there are only a handful of those that make up the hundreds of other companies starting to offer cloud services, then the answer is that no insurance underwriter is going to provide those organizations with adequate insurance for indemnity purposes.

Sharing

Lets say for a minute you do decide that “Cloud” is for you, you like the idea of saving money its going to make you look good in the board room, it will save the organization millions, help you link with new business partners, whatever the reason.

When today a breach occurs that results in you losing thousands of credit card numbers or core IPR of some sort, when you enter the board room tomorrow are you going to look that brilliant.  No you will be making a fast exit but the aftermath to the company you worked for could be catastrophic, share prices could plummit, customer confidence falter, brand reputation suffer, you get the picture.

FUD

Am I trying to feed you FUD? (fear, uncertainty and doubt for the uninitiated) well maybe to drive the point home.  The reason I paint the above picture is that if you outsource your assets to a provider you have to be damn certain that you can TRUST them.  Further still it’s not that you just TRUST them but all the business connections they may have as well as the other customers that are using their services alongside you.  Is the provider offering you dedicated resources or are they shared, and when I talk about sharing I mean at all 7 layers of the OSI model, from the application, to the network to the physical layer.

If these resources are shared which they will be as that’s why it’s cheap, how does the “Cloud” provider offer you robust security?  How do they guarantee the same levels of security you have today within your own network?  The answer is they can’t and if they say they can then walk away!

Attacking management frameworks

We have already seen attacks on social networking sites, and business sites, most recently at Black Hat 09 in Vegas a talk titled “Clobbering the Cloud” showed how researchers compromised the management frameworks of “Salesforce.com” to extract data that didn’t belong to them.

Virtualization

So where does virtualization fit into all of this?  vCloud?  VMware have a so called cloud operating system and are making moves into this space in a big way with their own service offerings.  Microsoft and Xen are also starting to do the same thing so virtualization is becoming very much a part of the “Cloud’, whether this is the network, the operating systems or applications  Does it complicate things? Does it make things easier?  There is no black and white answer to this if anything depending on your perspective it makes things easier  and it could if implemented correctly be more secure.

Unfortunately history has shown us that even if we have the most technologically advanced system in our grasp, human nature in the end just lets us down, the enigma cipher machine is a classic testimony to this.

Right now I’m off to get myself a brew in my virtual shed or was that cloud at the bottom of the garden!

Two researchers from North Carolina State University have developed software that they say can protect virtualization hypervisors from malicious “Blue Pill” rootkit threats.

“HyperSafe enables the hypervisor self-protection from code injection attempts,” said Xuxian Jiang, an assistant professor of computer science at NCSU.

Jiang, along with his PhD. student Zhi Wang, developed the software, called HyperSafe, with funding from the U.S. Army Research Office and the National Science Foundation.

For the rest of this article please follow this link, blue pill.

The main concern I have for anyone searching for practical information about securing their virtual infrastructure is the amount of FUD that is out there. You only have to do a search on google and you know what I am talking about. Sure the vendors themselves have very useful security hardening guides but they are vendor centric and often don’t give you a sense of relevance to your organization or needs. VMware’s latest vSphere 4.0 Security hardening guide is somewhat better than its predecessor as it does try to give the reader a level of relevance in terms of controls as they might pertain to specific environments. Eg. DMZ.

With this in mind I set out to write a short document that would hopefully impart to the reader practical advice on how to secure their virtual environment. You can check out the document at the following link (A Practical Guide to Securing Your Virtual Environment), if you like it or even if you don’t please let me know by leaving your comments below…(spiv)

We are pleased to announce that VMinformer v2.0.2 has now been released!

New Features

- Visual Storage Maps
- Virtual Machine Business Asset Tags
- Report filtering
- Virtual Center Policy Checks
- ISO 27001 Policies

To download the free community edition of the tool please visit the community registration page.

This Thursday 25th at 2.00pm GMT we will be holding a 1 hour webinar on the “Truths and Myths of Virtualization Security”. The webinar will include a demo of VMinformer Enterprise v2.0

To register please follow this link, vminformer.webex.com

If you are unable to attend, the webinar will be recorded so you can watch at a later date.

Putting all your eggs in one basket has never been a great idea – by not securing your virtual environment – you’re doing just that with your corporate data.

Without any security, your virtual host server isn’t far from being an open door – a direct route into your organisation for pretty much anyone with a little knowledge 
to access, compromise or corrupt every virtual machines you’ve got: not an appealing prospect!
Although it’s not impossible for the same thing to happen in a physical world: most servers and PCs have some form of security layer in their build – however basic: there probably isn’t a network out there that doesn’t include IDS, Firewalls, DLP or Anti-Virus in some guise. It provides a minimum level of security against internal and external threats that just doesn’t apply in a new virtual infrastructure. Virtual machines’ lack of individual security provision means that unless it’s over-layered at the management level, they’re wide open to attack – in a way that most PCs or network devices aren’t.
But securing the virtual world isn’t all bad news: a brand new virtual deployment gives you a unique opportunity to implement security policies and procedures from scratch – using the latest technologies. That’s rarely possible in a physical network where legacy systems, multiple vendor solutions, anomalies and upgrades mean that policies and procedures can be difficult to implement and harder still to enforce or police.
Your HyperVisor and management console are the gatekeepers to your whole virtual infrastructure, so not deploying some form of security solutions to protect them isn’t an option, it’s a necessity – unless you like scrambled eggs!

Virtualization Myths

Thought I would share this presentation with everyone from a recent seminar that I gave at the back end of last year entitled “Security in a Virtual World”.

You can check out the presentation at this link: http://bit.ly/8Vh4MM

This appeared on a VMware KB article back in August but some of you may have not seen it. Basically if you use a port scanner like NMAP and scan an ESX host in particular on port 8000, subsequent VMotion events will fail.

The only way to get VMotion to work again is to disable and then re-enable VMotion. It’s interesting that this service is obviously not robust enough to cope with a simple port scan and also highlights the fact that you should be isolating your vmotion network from general network traffic.

The original VMware article can be viewed here, KB1010672