Security

This category contains posts with a security focus or security-related content.

Welcome to Technology Short Take #2, a collection of links, thoughts, ideas, and items pertaining to data center technologies—virtualization, networking, storage, and security. I hope you find something useful or interesting!

  • The release of FLARE 30 and DART 6 by EMC (formally announced last week) introduces some new concepts and new functionality. Matt Hensley recently did a write-up on some of the new functionality in this post on virtual provisioning, storage pools, and FLARE 30. It’s worth a read if you aren’t already familiar with these technologies and need a primer.
  • If you are looking for the definitive guide on connectivity between various VMware vSphere components and the TCP/UDP ports required, you need only look here. Great information!
  • Here’s a great guide from Cisco on deployment options when deploying 10 Gigabit Ethernet on VMware vSphere 4.0 with the Nexus 1000V or the VMware vNetwork Distributed Switch. I’ve read through it, but I’ve added it to my list of documents to go back and study more carefully; there’s lots of useful information in here.
  • Way back in March Dave Convery posted this article on limitations with VMware vShield Zones. While re-reading that article today, I noted in the comments that the Nexus 1000V has a feature called Virtual Service Domains that helps address some of the limitations of vShield Zones (at that time). As pointed out in the comments, this makes vShield Zones usable in two-NIC scenarios such as with Cisco UCS. If anyone has any additional links on Virtual Service Domains, please share them in the comments. This is a topic that I think needs some additional attention.
  • This article is a good breakdown of the differences in storage identifiers between ESX 3.x and ESX 4.1.
  • Jeff Woolsey at Microsoft finally wraps up his series of articles on Hyper-V Dynamic Memory with Part 6. I’ve been reading this series pretty faithfully as Jeff systematically lays out the various ways in which memory is handled in a virtualization scenario, and I’ve been consistently struck by the impression that Jeff was working really hard to distinguish what Microsoft was doing with Hyper-V from what VMware does with ESX/ESXi. In the end, though, I can’t help but see all the similarities between the two. Dynamic Memory allocates additional memory to a VM as it needs it (much the same way ESX/ESXi does by allocating memory only as requested by the VM) and reclaims free pages from the VMs (just like ESX/ESXi reclaims idle pages via idle page reclamation). When under memory pressure, Hyper-V might force the guests to page out to disk; ESX/ESXi’s memory balloon driver achieves the same effect. What’s missing, obviously, is that with Hyper-V the hypervisor itself won’t swap pages out to disk (ESX/ESXi will do this under extreme circumstances). Am I missing something, or is Microsoft’s Dynamic Memory a lot more like VMware’s memory management technologies than Microsoft wants to admit? Feel free to enlighten me (courteously and with full disclosure) in the comments if I’m missing something.
  • Via Geert Verbist’s site, I found this article on application consistent quiescing via VMware’s VSS integration in VMware Tools. (For more information on VSS support within VMware Tools, check out my liveblog from Partner Exchange earlier this year.) This is good to hear, but what’s still not clear is whether the application consistent snapshots will truncate transaction logs. If anyone has more information, speak up in the comments.
  • I think I pointed this out a week or two ago on Twitter, but I thought I’d mention it here as well. If you ever need to help decode which WWPNs map to which ports on an EMC CLARiiON array, this article is quite helpful. Anyone have matching articles for EMC Symmetrix, NetApp, HP, HDS, or other arrays?
  • With the formal announcement by VMware that vSphere 4.1 will be the last major release that includes ESX, ESXi is naturally getting much more attention. With that, there’s been a flurry of ESXi-related articles:
    Using vMA As Your ESXi Syslog Server
    The Migration From ESX to ESXi is Happening: Moving Configurations, Part 1
    The Migration from ESX to ESXi is Happening: Moving Configurations, Part II
    My VMware ESXi Installation Checklist
    Virtually Ghetto: ESXi 4.1 – Major Security Issue (also documented here in the VMware KB)
    ESXi 4.1 – Major Security Issue – The Sequel and the Workaround
    ESXi 4.1 Active Directory Integration
  • If you’re into Cisco UCS but like Hyper-V instead of VMware vSphere, Cisco has a white paper on Cisco UCS with Hyper-V for delivery of virtualized Exchange 2010.
  • I’m a command-line junkie, so I liked this article on how to put an ESX host into maintenance mode from the CLI.
  • For those seeking to get up to speed on the Nexus 7000 switches, “Fryguy” posted some training documents on his site. I haven’t read them (yet), but they’re on my list of documents to read (a list that grows ever longer…)

I guess that will do it for this time around. I hope that you’ve found something useful and, as always, feel free to add more useful links or tidbits in the comments. Thanks for reading!

On the recommendation of a number of Twitter users, I decided to install Microsoft Security Essentials (MSE) on a couple of laptops running 64-bit Windows 7. These laptops are used by my kids for their school work (they are home-schooled), and I just wanted to make sure that the laptops don’t get infected with some nasty bug. More than a few Twitter users recommended MSE, so I figured it couldn’t be all bad, right?

The install was quick and painless. And that’s where the fun started. MSE wanted to do an update immediately; OK, that’s fine. The problem is, it won’t connect. I use a Squid proxy server to control outbound web access, so I figured there was a setting somewhere that told MSE to use a proxy server. There’s nothing within MSE itself. Could it be that I had forgotten to configure Internet Explorer? I did make Firefox the default browser, after all. Nope, a quick check shows that the Internet Explorer settings are configured for the right outbound proxy as well. Both Internet Explorer and Firefox are working fine, so I know it’s not the network, the proxy, or the firewall. It must be MSE itself.

Google turns up the first part of the puzzle; even though your proxy support might be configured correctly for Internet Explorer (and thus most of the rest of Windows), MSE won’t take those settings. Instead, you have to use netsh, like this:

netsh winhttp import proxy source=ie

Unfortunately, in its efforts to be “helpful,” Windows 7 won’t allow you to run that command without elevated privileges. All you get when you try is a nondescript error message that vaguely implies that you don’t have permission. However, instead of being able to elevate that one command (a la sudo in the UNIX/Linux/BSD world), you have to run the entire command prompt with administrative privileges, as explained here (and probably countless other places on the ‘Net).

Once you get a command prompt running with administrative credentials, then you can run the netsh command and it will successfully import the IE proxy configuration. Once the IE proxy configuration is successfully imported, then MSE will fetch updates from the Internet and function properly. Wasn’t that fun?

This little episode brings up a couple of questions/thoughts:

  1. Why in the world wouldn’t MSE use IE’s proxy configuration? Most of the rest of Windows does.
  2. Even if Microsoft wanted MSE to have its own proxy settings, why force users down a rathole of command prompts and administrative privileges? Why not put it in the GUI?
  3. Windows 7 has made great strides in making Windows more secure, but does this enhanced security posture come at the price of decreased flexibility for the power user?
  4. If so, does Microsoft even care? After all, the default settings are probably fine for most users.

Anyway, there you have it. If you use a proxy server on your network and you also want to use MSE, you’ll need to use netsh (with administrative privileges) to configure your proxy settings properly.

This is a two-hour session on VMware View security architecture and security benefits titled “VMware View Security Benefits, Architecture, and Best Practices”.

So what is VMware’s security strategy? First, start with core platform security. This encompasses all the various features and functions of the hypervisor like memory protection and isolation, kernel module protections, hypervisor attack surface, etc. Next, continue with operational security. This is about integrating VMware’s products into your organization’s existing operational security policies and includes things like the vSphere Security Hardening Guide that was recently released. Using security virtual appliances is another step that enables broad-based security for all VMs in the environment. Finally, VMware is striving for a “better than physical” model where virtual security is better than physical security. Consider VMsafe as an effort in this area.

The presenter next reviewed the VMware View infrastructure and all the various components that are included in this infrastructure. To ensure security, all of these various components need to be reviewed with an eye on security. For example, componentizing the different parts of a View infrastructure (separating access points, user data, applications, data, and operating system) helps to secure each of these different pieces.

A further benefit of this separation is that it allows for the creation of a true “gold master” for VMs. Products like ThinApp and VMware View Composer help to simplify this process and maintain a true “gold master” image. This means that all the various security guidelines can be more easily incorporated into this master image, the master image can be patched more easily, configuration drift is reduced, and you can recover more easily and more quickly after an attack.

Using virtual desktops also allows organizations to more easily create “desktop security zones” that help isolate higher-risk PCs from lower-risk PCs, thus containing potential security risk to a limited subset of all desktops. This might also help with meeting compliance requirements (the presenter specifically mentioned PCI).

Thin clients are helpful in reducing complexity at the edge, which can (in some cases) help reduce the attack surface and limit the amount of work that IT organizations need to do to help secure the endpoints.

What about backing up data? Using View to centralize desktops allows organizations to more easily implement full data backups for the various types of data that are being created within the virtual desktop environment.

The presenter next moves on to vSphere security. Because VMware View depends upon vCenter and ESX/ESXi, the security of View is dependent upon the security of vCenter and ESX/ESXi. This led into a discussion of the benefits of virtualization vs. the security impact of virtualization. The topics covered here include all the usual suspects: greater impact of misconfiguration or attack; loss of visibility in the network access layer; loss of separation between network admins and server admins; potential VM sprawl without consistent configurations and properly defined procedures; possible security problems resulting from VM mobility; and unauthorized access to VMs because of VM encapsulation (users copying a VM by copying the VM’s files).

So how does one protect the virtual infrastructure? You use existing techniques such as hardening and lockdown; defense in depth; and authorization, authentication, and accounting.

The same goes for protecting virtual machines. Use anti-virus, IDP/IDS systems, firewalls, etc. VMsafe and the functionality enabled by VMsafe will be very helpful here.

Be sure to isolate the management interfaces using physically separate management networks or by using VLANs. You should also control access to the management network using ACLs, jump boxes, VPNs, or other access controls. Only authorized individuals should have access to the management network and “ordinary end-users” should absolutely not have access.

The separation of duties is also important. Use vCenter Server’s built-in roles to enable the principle of least privilege to help enforce separation of duties. Third-party products like HyTrust might also be helpful.

The presenter argues that moving to a vNetwork Distributed Switch is a security benefit. One big plus is the mitigation of the risk associated with misconfiguration. In addition, there is support for private VLANs (PVLANs), inbound traffic shaping, Network VMotion, and (with the Nexus 1000V) ACLs and a natural separation of duties.

At this point the presenter moves on to a discussion of secure access to virtual desktops.

Authentication is one key area; View supports AD authentication as well as RSA SecurID. View Manager does not store any of the authentication information; this is all offloaded to Active Directory or the RSA Authentication Manager. Smart Card authentication is an alternative to standard username and password authentication. The certificate on the Smart Card contains a Subject Alternative Name (SAN); the SAN is matched against the User Principal Name (UPN) in Active Directory. Smart Card authentication is not supported with PCoIP.

View does support a form of single sign-on so that users log on to the View Client and are authenticated all the way down to the virtual desktop.

Future support with regard to authentication will include Kerberos realm authentication; UPN authentication; RADIUS support in the View Connection Server; and improved SSO to virtual desktops.

Moving on to access options, PCoIP requires direct access to the virtual desktop; it won’t work with SSL tunneling. Fortunately, PCoIP is already encrypted (wirespeed encryption using AES 128-bit encryption). For non-PCoIP connections, HTTPS tunneling of RDP is supported by VMware View. This can greatly simplify firewall configuration (only TCP port 443 is required). Secure tunneling also has the benefit of helping to maintain sessions in the event of a dropped connection.

Some advantages of PCoIP are the built-in encryption and support for blocking USB Plug events (to control USB device usage).

The View Security Server enables you to create a DMZ infrastructure that prevents end points from having direct access to virtual desktops or the Connection Server. The use of load balancers is supported with both Security Servers and Connection Servers.

VMware does recommend replacing the self-signed certificates that are supplied with VMware View with valid SSL certificates. Note that the specific SSLv3/TLSv1 ciphers that are used with secure connections can be configured to enable or disable specific ciphers.

The use of a VPN can also help provide a single point of entry and simplify the firewall configuration.

The next topic is VMware View’s entitlements model. View uses Microsoft ADAM on Windows Server 2003 or Microsoft AD LDS on Windows Server 2008. Back-end Active Directory is still leveraged for authentication. View uses the idea of foreign security principals (FSPs), which means that Active Directory doesn’t have to be synchronized with the local LDAP instance. In addition, user authorizations and entitlements don’t have to be stored in Active Directory (which would require schema extensions).

At this point the presenter moves into a discussion of View security best practices:

  • Harden the base OS within the virtual desktops and enforce refresh intervals and OS patching.
  • Choose the proper authentication model and use a Security Server or VPN for secure remote access.
  • Be sure to understand the firewall requirements and configure the firewall accordingly.
  • Be sure to harden the Connection Server and the underlying Windows Server OS upon which it is installed.
  • Replace the default self-signed certificates.
  • Set appropriate entitlements within the Connection Server. Zone users according to use case and risk.
  • Avoid direct remote access to virtual desktops where possible. Don’t allow users to connect without going through the Connection Server.
  • Control USB access, redirection of clipboard, printers, and drives.
  • Leverage Active Directory Group Policy to help with virtual desktop OS lockdown and some View-specific settings. (You might need to use Loopback Policy Processing in this instance.)
  • Know the different ports and the directions that are required when configuring firewalls. Refer to the View Architecture Planning Guide for full details.
  • Install anti-virus, but use a minimal installation to reduce bloat.
  • Use a staggered or randomized scanning policy to avoid overwhelming the infrastructure. Use policies or corporate configuration tools to enforce staggered scanning and signature updates and to configure exclusion lists (only the user data disk needs to be scanned; the base OS is locked down through the use of linked clones).
  • Consider a VMsafe Ready AV product.
  • Include Network Access Control (NAC) management agent in the parent VM prior to cloning.
  • Use ThinApp to gain some security benefits (prevents the OS from getting infected through the actions of a ThinApped application). Consider using ThinApp for browsers.
  • Specific to ThinApp and anti-virus, don’t install AV on the Capture/Build system if at all possible. If AV is installed, disable on-demand scanning of the ThinApp project directory.

The next topic of the session was a discussion of using VMware vShield Zones. vShield Zones provide virtual firewalls that operate as transparent Layer 2 bridges and allow you to create different security zones. This can provide some technological enforcement of zones for different user environments (for example, separate pools for web browsing and for internal CRM access, which vShield Zones prevents from communicating with each other).

The presenter wrapped up the session with an overview of VMsafe and how VMsafe can help contribute to the security of a VMware View environment. VMsafe enables greater protection of VMs through APIs that allow deepened inspection of CPU/memory, networking, and storage. For example, VMsafe allows knowledge of specific CPU state or inspection of specific memory pages. VMsafe allows networking traffic to be inspected, intercepted, modified, or even replicated (consider vShield Zones integrated with the VMsafe APIs). With regard to storage, VMsafe allows the ability to mount VMDKs, inspect storage I/Os, and do so transparently and inline to the storage stack.

The session wrapped up with a list of VMsafe-integrated solutions from companies like Altor Networks, TrendMicro, McAfee, and Checkpoint.

Numerous other sites and numerous other bloggers have already covered the fact that HyTrust released version 1.5 of the HyTrust Appliance a couple of weeks ago. If you’re attending VMworld 2009 in San Francisco, I believe that HyTrust will be demonstrating the new version and some of its new features at the show, so be sure to stop by.

I actually had the opportunity to sit down with Eric Chiu, President and CEO of HyTrust, when I was in San Jose a few weeks ago. We talked extensively about the features that were coming in version 1.5 of the HyTrust appliance. He’s really excited about the features that have been added and the future plans that HyTrust has in place for the product.

Some of the new features included in version 1.5 include:

  • Full support for VMware vSphere (both ESX and ESXi)
  • Full support for VMware vCenter Server 2.5 and 4.0
  • Support for two-factor authentication using RSA SecurID
  • Label-based policy (akin to Web 2.0-style tagging)
  • VM-to-host control
  • VM-to-network segment control

Those last three features are pretty cool. The label-based policy engine is a new way for virtualization administrators to apply policy to VMs, hosts, and network segments that breaks out of the old tree or container styles of applying policy. For example, you could label (or tag) a VM as “PCI”, and then specify that VMs labeled “PCI” can only be started on ESX/ESXi hosts also labeled as “PCI”, or attached to network segments also labeled “PCI”. This latter functionality—the ability to control network segment attachment based on HyTrust’s labels—was functionality that HyTrust developed in close coordination with Cisco’s Nexus 1000V development team. Further integration between HyTrust and the Nexus 1000V includes the ability to apply policy based on VNtag information.

Taken together, you can see that this new functionality is quite powerful and gives administrators a very flexible yet extensive ability to apply policy throughout the environment in a consistent fashion.

For more information, please visit the HyTrust site directly, or stop by and see them at VMworld 2009 in San Francisco next week.

Since the announcement of the VMsafe APIs at VMworld Europe 2008, the virtualization world has been waiting. First, we waited for the actual release of the VMsafe APIs, which came with the release of VMware vSphere 4. Next, we waited for the delivery of the first VMsafe-integrated security solutions. While I can’t say definitively that it’s the first, Altor Networks is announcing its VMsafe-integrated virtual firewall solution, Altor VF 3.0. The wait is over, and now we get to see: just how powerful does VMsafe allow virtual security solutions to be?

Only time will provide the full picture, but an initial glance at Altor’s press release and a pre-release discussion I had with Altor lead me to believe that VMsafe really will change the landscape of security solutions in VMware environments. By leveraging VMsafe in fast-path mode—meaning that the security solution runs as a module in the hypervisor—Altor is able to provide not only firewalling functionality but also intrusion detection functionality as well. In fact, the intrusion detection features can be configured to work only on traffic that successfully passes through the firewall rules.

Altor also claims much greater performance with Altor VF 3.0, up to ten times the performance of a virtual machine-based security solution. And, of course, Altor has ensured that their virtual firewall product can apply firewall rules at various levels within the VMware vCenter Server hierarchy, and the product also helps protect the hypervisor management interfaces as well (the Service Console interfaces in ESX, Management interfaces in ESXi).

The initial release of Altor VF 3.0 will use a separate web-based management console, but Altor Networks did indicate that they are investigating the use of a plug-in for the vSphere Client for more integrated management. Future versions of Altor VF also plan to address vApp integration, something that is missing from the initial release.

For more detailed information or for the full press release, visit Altor Networks’ web site.

This is Christofer Hoff’s session at Virtualization Congress. The title of the session is “The Marriage of Figaro: Complexity and Insecurity of the Cloud”. I’m looking forward to the presentation, as I’ve heard some great things about Christofer’s presentations. Unfortunately, I can’t get an Internet connection here in the break-out session room, so this will have to be published later. (Even if I did get a wireless connection, the network here at Synergy seems to be incapable of supporting the demands placed upon it.)

The story behind the title of the presentation is an allusion to the comment made about Mozart’s The Marriage of Figaro that “it had too many notes.” Hoff thinks that this is particularly applicable to cloud computing. However, after exploring the facts behind his theme, Hoff realized that this just wasn’t the right theme, so he declared thematic fail and transitioned the presentation over to “The Frogs Who Desired a King,” based on Aesop’s fable about frogs who wished to have a king.

Hoff gets into cutting through the hype and the FUD about cloud computing and what is real: abstraction of virtualization, resource democratization, and service orientation. However, these are things that have been around for a while. What’s new in cloud computing is elasticity/dynamism and a utility model (consumption/allocation). This differentiates cloud computing from previous computing trends.

What makes things “cloud-ready”? Some attributes would include:

  • Processes, applications, and data are largely independent
  • Points of integration are well-defined
  • High level of security required
  • Core internal architecture needs work

With that in mind, there are really only three archetypes of cloud computing:

  • IaaS
  • PaaS
  • SaaS

Hoff then goes on to compare the various components of SaaS/PaaS/IaaS (which he refers to as SPI) to a seven layer dip, then goes deeper into the actual models and interaction of the components within these different types of cloud computing. This shows how PaaS simply builds on top of IaaS by adding another layer of integration and middleware on top of the IaaS APIs. Similarly, SaaS builds on top of PaaS (and IaaS) by adding data, metadata, applications, APIs, presentation platforms, and presentation mobility.

Looking at these archetypal models in a dimensional model you can see how SaaS may have higher levels of security, but lower levels of extensibility. Conversely, IaaS will have higher levels of extensibility but lower levels of security. That means that the lower in the SPI stack that the provider stops, the more liable you—the end user—are for ensuring security. This doesn’t mean a reduction of risk, but simply a transfer of risk.

That means the question “Is the cloud more secure?” can’t be answered without context.

Hoff next moves into a discussion of hosted services versus cloud services. What are the differences? Underneath the covers, the differences are in single tenancy vs. multi-tenancy, isolated data vs. co-mingled data, and dedicated security vs. social security.

Let’s apply all these concepts against the journey of a large enterprise organization toward cloud computing. The first phase is virtualization to achieve consolidation. The second phase is supposed to be automation and optimization, but it is “really freaking hard” (RFH). As a result, most organizations have skipped Phase 2 and moved to Phase 3, which is essentially embracing cloud computing.

What about private clouds vs. public clouds? Hoff discusses the various definitions of public clouds and private clouds. To Hoff, having a private cloud is more than just adding chargeback to your virtualized infrastructure.

The Jericho Forum’s Cloud Cube model allows organizations to define cloud computing on a number of axes: internal/external, proprietary/open, perimeterized/de-perimeterized, and outsourced/insourced.

According to Hoff, we’ve rushed to embrace virtualization without resolving issues like virtualization management, we’ve brushed past the automation and self-service business processes that would have added maturity to virtualization, and are now rushing to cloud computing. How can something not go wrong? This leads to simplexity (simplest representation of complexity) and the “squeezing the balloon” problem. Issues haven’t been solved, they’ve just been shifted.

What’s true with VirtSec (virtualization security) is even more true with CloudSec (cloud security). Depending upon the type of cloud service, you may not get feature parity for security. Your visibility and ability to deploy compensating controls are greatly diminished or even eliminated. Many of the things we do today are shifting controls away from the network back into the host or the guest, where that’s even possible.

Hoff shows how computing has evolved, but the answer to security problems has remained the same over almost twenty years. The answer to security problems remains firewalls and SSL, but these technologies simply do not address today’s security concerns.

The “Hamster Sine Wave of Pain” shows how security cyclically moves from network centricity to application centricity to information centricity to user centricity to host centricity and then back again. Yet at each and every one of these steps we have still failed to address the fundamental security issues.

Hoff describes a number of “new security threats” pertaining to cloud computing, like CloudFlux (turning up virtual botnets via Amazon EC2), LeapFrog (using and abusing VPNs between clouds), or EDoS (economic denial of service). That last option (EDoS) describes a scenario in which a competitor drives up utilization (and thus drives up the pay-as-you-go bill) and forces a company out of business.

Interesting point: Amazon EC2’s terms of service forbid vulnerability assessments or pen testing.

Wrapping up and bringing it back to the fable upon which the presentation is based, the fable is that we are screwed with regard to security. The reality is that we are not, but instead we are just as insecure as we’ve always been. This goes back to the “squeezing the balloon” problem—the security problems have just been shifted elsewhere.

I’m a bit behind the times on this one, as I know that several other bloggers have already made the announcement about the HyTrust Appliance Community Edition. This is a free version of the HyTrust Appliance that supports up to 3 ESX hosts and provides centralized access management and audit logging.

In any case, if you want more information on the HyTrust Appliance Community Edition, go have a look here at the HyTrust web site. If you are so inclined, you can get the full press release here.

Today HyTrust launched its flagship product, the HyTrust Appliance, a security solution that is designed to centralize the control, management, and visibility for virtualized environments, in particular VMware Infrastructure environments. The HyTrust appliance achieves this through a number of key features:

  • The HyTrust Appliance provides integration with Active Directory or other LDAP-based directory services to enable centralized authentication. This allows organizations to leverage existing directory services for authentication, both for access via the VI Client or via SSH to the Service Console.
  • The HyTrust Appliance enables role-based access controls. These role-based access controls are defined in the appliance and permit organizations to control commands run in the Service Console as well as operations performed via the VI Client and vCenter Server.
  • The HyTrust Appliance provides secure logging and auditing functionality for all actions. Again, this logging occurs for every command and every action that is taken via any access method.

Since all traffic runs through the HyTrust Appliance, the solution has complete visibility and thus complete control over the traffic moving to or from the VMware ESX hosts. A number of different configurations are available for inserting the HyTrust Appliance into the flow of traffic, including using a different VLAN for ESX management traffic as well as a proxied configuration. The HyTrust Appliance can also ensure that the hosts it is protecting are configured to only accept traffic from the HyTrust Appliance itself, thus further ensuring that all access and actions are seen, controlled, and recorded.

The HyTrust Appliance will be available as both a hardware appliance as well as a virtual appliance. HyTrust also plans to make available a Community Edition at no charge; the Community Edition will support up to 3 VMware ESX hosts.

For more information, visit the HyTrust web site.

This post is not necessarily specific to next-generation ESX/ESXi and vCenter Server, but it was prompted by behaviors in these products. (Besides, the truth is that I’m really just trying to be sensationalist and capitalize on interest in the next-generation products.)

When you add an ESX/ESXi host to vCenter Server in the next generation of products, you will receive a security warning that displays the SHA1 thumbprint (or fingerprint) of the ESX/ESXi host’s default SSL certificate. The fact that the dialog box displays the SHA1 fingerprint got me to thinking—how does one go about verifying the SHA1 fingerprint to ensure that the host to which you are connecting is really the host you think it is? I mean, that’s the idea behind displaying the fingerprint, isn’t it? Paranoid people will then go to the specific host in question, generate the fingerprint on the SSL certificate, and then compare the two fingerprints to make sure they are identical.

I haven’t figured out a way to do this for ESXi yet, but for ESX you can verify the SHA1 fingerprint of the SSL certificate using this command:

openssl x509 -sha1 -in /etc/vmware/ssl/rui.crt -noout -fingerprint

The command will display the SHA1 fingerprint on the SSL certificate, which you can compare to the fingerprint displayed in the vCenter Server dialog box to ensure that the two values match. (If you’re really paranoid, you’ll run this command at the server’s physical console and not remotely. Unless, of course, you took the time to actually verify the SSH key fingerprints when you first connected via SSH, but that’s an entirely different post.)
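Putting that fingerprint check into a reusable form, as an added example that is not part of the original post: a small POSIX shell script that assumes only that openssl is on the PATH (as it is on the ESX service console), computes the SHA1 fingerprint of the PEM certificate with the same openssl command, normalizes it so a value pasted from the vCenter dialog compares correctly regardless of case or colons, and cross-checks that the fingerprint is simply SHA-1 over the certificate’s DER encoding. The /etc/vmware/ssl/rui.crt path is the one named in the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes only that the openssl
# binary is on PATH. /etc/vmware/ssl/rui.crt is the ESX host certificate
# path named in the post.

# SHA1 fingerprint of a PEM certificate, computed with the same openssl
# command as in the post, then normalized to uppercase hex with the colons
# removed so it compares cleanly with a value pasted from a dialog box.
cert_fingerprint() {
    openssl x509 -sha1 -in "$1" -noout -fingerprint \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Normalize a fingerprint as typed or pasted from the vCenter dialog:
# drop colons and spaces, force uppercase.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# Independent cross-check: the fingerprint is nothing more than SHA-1 over
# the certificate's DER encoding, so compute it that way as well.
der_sha1() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 \
        | sed 's/^.*= *//' | tr 'a-f' 'A-F'
}

# Compare the certificate on disk with the fingerprint vCenter displayed.
# Exit status 0 on match, 1 on mismatch or unreadable certificate, so the
# function can drive a larger script.
verify_fingerprint() {
    cert_file=$1
    expected=$(normalize_fp "$2")
    actual=$(cert_fingerprint "$cert_file")
    if [ -z "$actual" ]; then
        echo "could not read certificate: $cert_file" >&2
        return 1
    fi
    if [ "$actual" = "$expected" ]; then
        echo "MATCH    $actual"
        return 0
    fi
    echo "MISMATCH host cert: $actual" >&2
    echo "         dialog:    $expected" >&2
    return 1
}

# Run as a script at the host console, with the value copied from the
# vCenter dialog as the second argument:
#   ./verify_fp.sh /etc/vmware/ssl/rui.crt "AB:CD:...:EF"
if [ "$#" -eq 2 ]; then
    verify_fingerprint "$1" "$2"
fi
```

A non-zero exit means the certificate the host has on disk is not the one vCenter was shown, which is exactly the condition the dialog is asking you to rule out before accepting it.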

So, here’s the real question: how does one verify the SHA1 fingerprint for an ESXi host? The ideal solution should not require the use of any unsupported hacks. (And yes, I know that you can view the SSL certificate, and thus the SHA1 fingerprint, by connecting to the ESXi host remotely using a web browser. But you still don’t know for sure that the host to which you connected is the host you thought it was, do you?)

UPDATE: At the ESXi console, logging in and selecting the “View Support Information” menu item will display the SSL fingerprint. Challenge solved!

I started to mention this in Virtualization Short Take #22, but I felt that burying mention of a security notice amongst a bunch of other links just wasn’t the right way to bring it to everyone’s attention. I don’t want to be accused of crying wolf, but I do want readers to be aware of this sort of issue when it arises.

Via Infosecurity.us and Tarry Singh, I saw that VMware had released a security notification regarding a potential flaw in both the hosted products (VMware Workstation, Server, ACE, and Player) as well as ESX and ESXi. At the root of the issue is a potential flaw in the way that these products handle the Trap flag, and this potential flaw might lead to privilege escalation within the guest operating system. Yes, you read that right—a flaw within the host could lead to privilege escalation in the guest.

The full VMware security advisory, VMSA-2008-0018 (incorrectly listed as VMSA-2009-0018), provides full details on the specific versions that are affected and provides links to applicable patches for vulnerable products. Interestingly enough, the latest versions of the hosted products—VMware Workstation 6.5, VMware Server 2.0, and VMware ACE 2.5—are not affected.

If you aren’t keeping your VMware ESX hosts patched using Update Manager, now might be a good time to start.
