Security

VMworld is always a very busy time of year. Press releases, product announcements, new product or technology releases, companies emerging from stealth mode—it all happens around VMworld. Now that I’m back home again from VMworld, I thought I’d clear out my Inbox from all the various VMworld-related news items. Perhaps you’ll find something interesting or useful here!

  • VMware and HP Unveil Solution to Simplify Datacenter Management
  • World’s Leading Service Providers Build New Cloud Services on the VMware Platform
  • Altor VF 3.0 Meets VMware’s VMsafe Certification Requirements (no hyperlink available)
  • VMware Submits VMware vCloud API Specification to the Distributed Management Task Force (DMTF) — First Ever Submission of Key Cloud Interface
  • VMware Leads in Virtual Desktops With VMware View(TM) — Simplifying Desktop Management, Lowering Costs and Enriching User Experience
  • Cisco and VMware Validated Architecture for Long Distance VMotion
  • VMworld 2009 Hello Freedom videos (this one is funny)
  • VMworld 2009 Virtual Infrastructure Design - Lab Manager vPODS Enable Conference Cloud
  • VMworld 2009: VMware, Cisco, and EMC Super-Session (SS5240)
  • VMworld 2009: Best Practices for Multipathing in VI3.5 and vSphere (TA2467)
  • VMworld: Is it a scalability issue to run drivers in the Hyper-V parent partition? (Answer: No)

That’s it this time around. I promise that some original content is coming soon…

Numerous other sites and numerous other bloggers have already covered the fact that HyTrust released version 1.5 of the HyTrust Appliance a couple of weeks ago. If you’re attending VMworld 2009 in San Francisco, I believe that HyTrust will be demonstrating the new version and some of its new features at the show, so be sure to stop by.

I actually had the opportunity to sit down with Eric Chiu, President and CEO of HyTrust, when I was in San Jose a few weeks ago. We talked extensively about the features that were coming in version 1.5 of the HyTrust appliance. He’s really excited about the features that have been added and the future plans that HyTrust has in place for the product.

Some of the new features included in version 1.5 include:

  • Full support for VMware vSphere (both ESX and ESXi)
  • Full support for VMware vCenter Server 2.5 and 4.0
  • Support for two-factor authentication using RSA SecurID
  • Label-based policy (akin to Web 2.0-style tagging)
  • VM-to-host control
  • VM-to-network segment control

Those last three features are pretty cool. The label-based policy engine is a new way for virtualization administrators to apply policy to VMs, hosts, and network segments that breaks out of the old tree or container styles of applying policy. For example, you could label (or tag) a VM as “PCI”, and then specify that VMs labeled “PCI” can only be started on ESX/ESXi hosts also labeled as “PCI”, or attached to network segments also labeled “PCI”. This latter functionality—the ability to control network segment attachment based on HyTrust’s labels—was functionality that HyTrust developed in close coordination with Cisco’s Nexus 1000V development team. Further integration between HyTrust and the Nexus 1000V includes the ability to apply policy based on VNtag information.

Taken together, you can see that this new functionality is quite powerful and gives administrators a very flexible yet extensive ability to apply policy throughout the environment in a consistent fashion.
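The label-matching rule described above, as an added example (not HyTrust code): it assumes the semantics that a VM may only be powered on a host, or attached to a network segment, that carries every policy label the VM carries, and evaluates one power-on request against the host and all of its segments at once. Every object name and label is constructed.

```python
"""Label-based placement policy of the kind described above.

Added example, not HyTrust code. Assumed rule semantics: a VM may only be
powered on a host, or attached to a network segment, that carries every
policy label the VM carries; extra labels on the target are harmless.
Object names and labels are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Labeled:
    """Any policy object: a VM, an ESX/ESXi host, or a network segment."""
    name: str
    labels: frozenset = field(default_factory=frozenset)


def missing_labels(vm: Labeled, target: Labeled) -> set:
    """Labels the VM requires that the target does not carry (empty set = allowed)."""
    return set(vm.labels) - set(target.labels)


def evaluate_placement(vm: Labeled, host: Labeled, segments: list) -> dict:
    """Check one power-on request: the host and every attached segment must
    satisfy the VM's labels. Deny-by-default: a single missing label on any
    target blocks the whole request, and every violation is reported for audit."""
    violations = []
    targets = [(host, "host")] + [(seg, "segment") for seg in segments]
    for target, kind in targets:
        for label in sorted(missing_labels(vm, target)):
            violations.append(
                f"{kind} {target.name} lacks label {label!r} required by {vm.name}")
    return {"allowed": not violations, "violations": violations}


# Constructed inventory: the PCI host may run both VMs, the general host may not
# run the PCI VM, and the DMZ segment is off limits to the PCI VM.
PCI_VM = Labeled("vm-cardholder-db", frozenset({"PCI"}))
GENERIC_VM = Labeled("vm-intranet-web")
PCI_HOST = Labeled("esx-pci-01", frozenset({"PCI"}))
GENERAL_HOST = Labeled("esx-gen-01")
PCI_SEGMENT = Labeled("vlan-210-pci", frozenset({"PCI"}))
DMZ_SEGMENT = Labeled("vlan-100-dmz", frozenset({"DMZ"}))


if __name__ == "__main__":
    requests = [
        (PCI_VM, PCI_HOST, [PCI_SEGMENT]),
        (PCI_VM, GENERAL_HOST, [PCI_SEGMENT]),
        (PCI_VM, PCI_HOST, [PCI_SEGMENT, DMZ_SEGMENT]),
        (GENERIC_VM, PCI_HOST, [DMZ_SEGMENT]),
    ]
    for vm, host, segs in requests:
        result = evaluate_placement(vm, host, segs)
        verdict = "ALLOW" if result["allowed"] else "DENY"
        print(f"{vm.name} on {host.name}: {verdict} {result['violations']}")
```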

For more information, please visit the HyTrust site directly, or stop by and see them at VMworld 2009 in San Francisco next week.

Since the announcement of the VMsafe APIs at VMworld Europe 2008, the virtualization world has been waiting. First, we waited for the actual release of the VMsafe APIs, which came with the release of VMware vSphere 4. Next, we waited for the delivery of the first VMsafe-integrated security solutions. While I can’t say definitively that it’s the first, Altor Networks is announcing its VMsafe-integrated virtual firewall solution, Altor VF 3.0. The wait is over, and now we get to see: just how powerful does VMsafe allow virtual security solutions to be?

Only time will provide the full picture, but an initial glance at Altor’s press release and a pre-release discussion I had with Altor lead me to believe that VMsafe really will change the landscape of security solutions in VMware environments. By leveraging VMsafe in fast-path mode—meaning that the security solution runs as a module in the hypervisor—Altor is able to provide intrusion detection in addition to firewalling. In fact, the intrusion detection features can be configured to inspect only traffic that has already passed the firewall rules.

Altor also claims much greater performance with Altor VF 3.0, up to ten times the performance of a virtual machine-based security solution. And, of course, Altor has ensured that their virtual firewall product can apply firewall rules at various levels within the VMware vCenter Server hierarchy, and the product also helps protect the hypervisor management interfaces (the Service Console interfaces in ESX, the Management interfaces in ESXi).

The initial release of Altor VF 3.0 will use a separate web-based management console, but Altor Networks did indicate that they are investigating the use of a plug-in for the vSphere Client for more integrated management. Future versions of Altor VF also plan to address vApp integration, something that is missing from the initial release.

For more detailed information or for the full press release, visit Altor Networks’ web site.

Here’s Virtualization Short Take #27, a collection of news, tidbits, thoughts, articles, and useless trivia I’ve gathered over the last week or so. Perhaps you’ll find a diamond in the rough among these items!

  • Interested in more information on how it is, exactly, that Cisco is going to provide so much memory in their UCS blades and rack mount servers to make them ideal virtualization hosts? This article from CommsDesign and this “Catalina” article by Rodos Haywood both provide some great information on how Cisco is working around the Intel reference architecture limitations introduced with the Xeon 5500 and Quick Path Interconnect (QPI).
  • This article provides a handy reference on how to unregister the Nexus 1000V vCenter Server plug-in. I wish I’d known this information several weeks ago…
  • Need to view some configuration files on an ESX host? Just browse to http://<IP address of ESX server>/host and you’re all set. I learned of this handy little trick via Virtual Foundry.
  • And speaking of handy little tips, here’s one Eric Sloof shared regarding the vCenter Ops Dashboard. Again, just browse over to http://<IP address of vCenter Server>/vod/index.html to view the vCenter Ops Dashboard.
  • Adam Leventhal describes using the latest version of VirtualBox—which now includes OVF support and host-only networking—to run the Sun Storage 7000 Simulator. This is pretty cool stuff. I hope Oracle doesn’t kill it like Virtual Iron…
  • I just mentioned Virtual Foundry a bit ago, but forgot to mention this great post on hardening the VMX file. Good stuff.
  • For others who are, like myself, pursuing the elusive VMware Certified Design Expert (VCDX) certification, Duncan’s recent post describing the VCDX design defense is a great resource. Thanks, Duncan!
  • The VMware networking team addresses some questions around using VMware for virtualized DMZs, and how to protect against Layer 2 attacks.
  • Want to do manual linked clones in VMware Fusion? Here’s how.
  • Via Matt Hensley, I found this VIOPS document on configuring a VMware vCenter Data Recovery dedupe store.
  • This article has more information on installing ESXi 4.0 to a flash drive, a process I have yet to try. (Instructions for burning ESXi 3.5 to a flash drive can be found here.) Anyone else done it yet? I’d be interested in how it went.
  • If you have any questions about SAN multipathing, Brent Ozar’s two part series on the topic may help straighten things out (here’s Part 1 and Part 2). I’m not sure that I agree with Brent’s statement regarding the ability of desktop-class SATA drives to saturate 4Gbps Fibre Channel, but I’m no storage expert so I could very well be wrong.
  • VMware SE and friend Aaron Sweemer provides a handy script that can help fix Service Console networking when performing automated builds of VMware ESX.

That wraps it up for this edition of Virtualization Short Takes. Feel free to share thoughts, questions, or corrections in the comments, and thanks for reading!

This is Christofer Hoff’s session at Virtualization Congress. The title of the session is “The Marriage of Figaro: Complexity and Insecurity of the Cloud”. I’m looking forward to the presentation, as I’ve heard some great things about Christofer’s presentations. Unfortunately, I can’t get an Internet connection here in the break-out session room, so this will have to be published later. (Even if I did get a wireless connection, the network here at Synergy seems to be incapable of supporting the demands placed upon it.)

The story behind the title of the presentation is an allusion to the comment made about Mozart’s The Marriage of Figaro that “it had too many notes.” Hoff thinks that this is particularly applicable to cloud computing. However, after exploring the facts behind his theme, Hoff realized that this just wasn’t the right theme, so he declared thematic fail and transitioned the presentation over to “The Frogs Who Desired a King,” based on Aesop’s fable about frogs who wished to have a king.

Hoff gets into cutting through the hype and the FUD about cloud computing and what is real: abstraction of virtualization, resource democratization, and service orientation. However, those three have been around for a while. What’s new in cloud computing is elasticity/dynamism and a utility model (consumption/allocation). This differentiates cloud computing from previous computing trends.

What makes things “cloud-ready”? Some attributes would include:

  • Processes, applications, and data are largely independent
  • Points of integration are well-defined
  • High level of security required
  • Core internal architecture needs work

With that in mind, there are really only three archetypes of cloud computing:

  • IaaS
  • PaaS
  • SaaS

Hoff then goes on to compare the various components of SaaS/PaaS/IaaS (which he refers to as SPI) to a seven layer dip, then goes deeper into the actual models and interaction of the components within these different types of cloud computing. This shows how PaaS simply builds on top of IaaS by adding another layer of integration and middleware on top of the IaaS APIs. Similarly, SaaS builds on top of PaaS (and IaaS) by adding data, metadata, applications, APIs, presentation platforms, and presentation mobility.

Looking at these archetypal models in a dimensional model you can see how SaaS may have higher levels of security, but lower levels of extensibility. Conversely, IaaS will have higher levels of extensibility but lower levels of security. That means that the lower in the SPI stack that the provider stops, the more liable you—the end user—are for ensuring security. This doesn’t mean a reduction of risk, but simply a transfer of risk.

That means the question “Is the cloud more secure?” can’t be answered without context.

Hoff next moves into a discussion of hosted services versus cloud services. What are the differences? Underneath the covers, the differences are in single tenancy vs. multi-tenancy, isolated data vs. co-mingled data, and dedicated security vs. social security.

Let’s apply all these concepts against the journey of a large enterprise organization toward cloud computing. The first phase is virtualization to achieve consolidation. The second phase is supposed to be automation and optimization, but it is “really freaking hard” (RFH). As a result, most organizations have skipped Phase 2 and moved to Phase 3, which is essentially embracing cloud computing.

What about private clouds vs. public clouds? Hoff discusses the various definitions of public clouds and private clouds. To Hoff, having a private cloud is more than just adding chargeback to your virtualized infrastructure.

The Jericho Forum’s Cloud Cube model allows organizations to define cloud computing on a number of axes: internal/external, proprietary/open, perimeterized/de-perimeterized, and outsourced/insourced.

According to Hoff, we’ve rushed to embrace virtualization without resolving issues like virtualization management, we’ve brushed past the automation and self-service business processes that would have added maturity to virtualization, and are now rushing to cloud computing. How can something not go wrong? This leads to simplexity (simplest representation of complexity) and the “squeezing the balloon” problem. Issues haven’t been solved, they’ve just been shifted.

What’s true with VirtSec (virtualization security) is even more true with CloudSec (cloud security). Depending upon the type of cloud service, you may not get feature parity for security. Your visibility and ability to deploy compensating controls are greatly diminished or even eliminated. Many of the things we do today are shifting controls away from the network back into the host or the guest, where that’s even possible.

Hoff shows how computing has evolved, but the answer to security problems has remained the same over almost twenty years. The answer to security problems remains firewalls and SSL, but these technologies simply do not address today’s security concerns.

The “Hamster Sine Wave of Pain” shows how security cyclically moves from network centricity to application centricity to information centricity to user centricity to host centricity and then back again. Yet at each and every one of these steps we have still failed to address the fundamental security issues.

Hoff describes a number of “new security threats” pertaining to cloud computing, like CloudFlux (turning up virtual botnets via Amazon EC2), LeapFrog (using and abusing VPNs between clouds), or EDoS (economic denial of service). That last option (EDoS) describes a scenario in which a competitor drives up utilization (and thus drives up the pay-as-you-go bill) and forces a company out of business.

Interesting point: Amazon EC2’s terms of service forbid vulnerability assessments or pen testing.

Wrapping up and bringing it back to the fable upon which the presentation is based, the fable is that we are screwed with regard to security. The reality is that we are not, but instead we are just as insecure as we’ve always been. This goes back to the “squeezing the balloon” problem—the security problems have just been shifted elsewhere.

I’m a bit behind the times on this one, as I know that several other bloggers have already made the announcement about the HyTrust Appliance Community Edition. This is a free version of the HyTrust Appliance that supports up to 3 ESX hosts and provides centralized access management and audit logging.

In any case, if you want more information on the HyTrust Appliance Community Edition, go have a look here at the HyTrust web site. If you are so inclined, you can get the full press release here.

Today HyTrust launched its flagship product, the HyTrust Appliance, a security solution that is designed to centralize the control, management, and visibility for virtualized environments, in particular VMware Infrastructure environments. The HyTrust appliance achieves this through a number of key features:

  • The HyTrust Appliance provides integration with Active Directory or other LDAP-based directory services to enable centralized authentication. This allows organizations to leverage existing directory services for authentication, both for access via the VI Client or via SSH to the Service Console.
  • The HyTrust Appliance enables role-based access controls. These role-based access controls are defined in the appliance and permit organizations to control commands run in the Service Console as well as operations performed via the VI Client and vCenter Server.
  • The HyTrust Appliance provides secure logging and auditing functionality for all actions. Again, this logging occurs for every command and every action that is taken via any access method.

Since all traffic runs through the HyTrust Appliance, the solution has complete visibility and thus complete control over the traffic moving to or from the VMware ESX hosts. A number of different configurations are available for inserting the HyTrust Appliance into the flow of traffic, including using a different VLAN for ESX management traffic as well as a proxied configuration. The HyTrust Appliance can also ensure that the hosts it is protecting are configured to only accept traffic from the HyTrust Appliance itself, thus further ensuring that all access and actions are seen, controlled, and recorded.

The HyTrust Appliance will be available as both a hardware appliance as well as a virtual appliance. HyTrust also plans to make available a Community Edition at no charge; the Community Edition will support up to 3 VMware ESX hosts.

For more information, visit the HyTrust web site.

This post is not necessarily specific to next-generation ESX/ESXi and vCenter Server, but it was prompted by behaviors in these products. (Besides, the truth is that I’m really just trying to be sensationalist and capitalize on interest in the next-generation products.)

When you add an ESX/ESXi host to vCenter Server in the next generation of products, you will receive a security warning that displays the SHA1 thumbprint (or fingerprint) of the ESX/ESXi host’s default SSL certificate. The fact that the dialog box displays the SHA1 fingerprint got me to thinking—how does one go about verifying the SHA1 fingerprint to ensure that the host to which you are connecting is really the host you think it is? I mean, that’s the idea behind displaying the fingerprint, isn’t it? Paranoid people will then go to the specific host in question, generate the fingerprint on the SSL certificate, and then compare the two fingerprints to make sure they are identical.

I haven’t figured out a way to do this for ESXi yet, but for ESX you can verify the SHA1 fingerprint of the SSL certificate using this command:

openssl x509 -sha1 -in /etc/vmware/ssl/rui.crt -noout -fingerprint

The command will display the SHA1 fingerprint of the SSL certificate, which you can compare to the fingerprint displayed in the vCenter Server dialog box to ensure that the two values match. (If you’re really paranoid, you’ll run this command at the server’s physical console and not remotely. Unless, of course, you took the time to actually verify the SSH key fingerprints when you first connected via SSH, but that’s an entirely different post.)

So, here’s the real question: how does one verify the SHA1 fingerprint for an ESXi host? The ideal solution should not require the use of any unsupported hacks. (And yes, I know that you can view the SSL certificate, and thus the SHA1 fingerprint, by connecting to the ESXi host remotely using a web browser. But you still don’t know for sure that the host to which you connected is the host you thought it was, do you?)

UPDATE: At the ESXi console, logging in and selecting the “View Support Information” menu item will display the SSL fingerprint. Challenge solved!
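The comparison described in this post, as an added example that is not part of the original: the fingerprint vCenter shows is SHA1 over the DER-encoded certificate, the same value openssl prints, so the check reduces to computing that hash and comparing it (tolerant of case, colons and openssl’s “SHA1 Fingerprint=” prefix) against the value read off the ESX or ESXi console. The sample PEM is a constructed stand-in, not a real certificate, and the remote-fetch helper takes a placeholder host name.

```python
"""Verify an ESX/ESXi host certificate fingerprint the way the vCenter dialog
expects it. Added example, not from the original post: the fingerprint is
SHA1 over the DER-encoded certificate, printed as colon-separated hex, which
is exactly what `openssl x509 -sha1 -fingerprint -noout` prints."""
import base64
import hashlib
import hmac
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def pem_to_der(pem: str) -> bytes:
    """Take the first certificate block out of a PEM string and base64-decode it."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def sha1_fingerprint(der: bytes) -> str:
    """SHA1 of the DER bytes as 'AB:CD:...', the form vCenter and the ESXi console show."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def normalize(fingerprint: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or 'SHA1 Fingerprint=AB:CD:..' (openssl's
    output line) and reduce it to 40 upper-case hex digits; reject anything else."""
    value = fingerprint.split("=")[-1]
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(hexdigits) != 40:
        raise ValueError(f"not a SHA1 fingerprint: {fingerprint!r}")
    return hexdigits.upper()


def fingerprints_match(shown: str, trusted: str) -> bool:
    """Compare the value vCenter shows against one obtained out of band
    (read at the host console, or from openssl run on the host itself)."""
    return hmac.compare_digest(normalize(shown), normalize(trusted))


def remote_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of whatever certificate the host presents over TLS. On its own
    this proves nothing (an impostor presents its own certificate); it is only
    meaningful when compared with a fingerprint read at the console."""
    return sha1_fingerprint(pem_to_der(ssl.get_server_certificate((host, port))))


# Constructed stand-in, NOT a valid X.509 certificate: its body is base64("abc"),
# so its fingerprint is SHA1("abc"), a published test vector. It exercises the
# PEM-to-DER path without shipping a real certificate blob.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    computed = sha1_fingerprint(pem_to_der(SAMPLE_PEM))
    # Value as it might be typed from the ESXi console (constructed to match here).
    console_value = "SHA1 Fingerprint=a9:99:3e:36:47:06:81:6a:ba:3e:25:71:78:50:c2:6c:9c:d0:d8:9d"
    print(computed, "matches console value:", fingerprints_match(computed, console_value))
```

For a real host, replace SAMPLE_PEM with the contents of /etc/vmware/ssl/rui.crt (or the result of remote_fingerprint("esx-host.example", 443) with your own host name) and the console value with the one shown under “View Support Information”.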

I started to mention this in Virtualization Short Take #22, but I felt that burying mention of a security notice amongst a bunch of other links just wasn’t the right way to bring it to everyone’s attention. I don’t want to be accused of crying wolf, but I do want readers to be aware of these sorts of issues when they arise.

Via Infosecurity.us and Tarry Singh, I saw that VMware had released a security notification regarding a potential flaw in both the hosted products (VMware Workstation, Server, ACE, and Player) as well as ESX and ESXi. At the root of the issue is a potential flaw in the way that these products handle the Trap flag, and this potential flaw might lead to privilege escalation within the guest operating system. Yes, you read that right—a flaw within the host could lead to privilege escalation in the guest.

The full VMware security advisory, VMSA-2008-0018 (incorrectly listed as VMSA-2009-0018), provides full details on the specific versions that are affected and provides links to applicable patches for vulnerable products. Interestingly enough, the latest versions of the hosted products—VMware Workstation 6.5, VMware Server 2.0, and VMware ACE 2.5—are not affected.

If you aren’t keeping your VMware ESX hosts patched using Update Manager, now might be a good time to start.

I don’t generally post lots of product announcements because I’m just too busy to keep up with everything that’s happening. (Either that, or I’m too lazy. Take your pick.) However, there are a couple of announcements that passed through my Inbox this week that I thought I’d share here.

First, the folks over at VKernel have released the Capacity Analyzer 2.0 product. I spoke with the VKernel team back during VMworld and I like what I’ve seen of their products. Even if you don’t think you need a capacity management tool, have a look at this product anyway.

Second, Altor Networks—of whom I wrote here regarding their VNSA—has released the Altor Networks VF (Virtual Firewall). This product builds upon the functionality of the VNSA to add policy enforcement, i.e., the ability to block traffic. I’ve had the beta running in my lab for some time now, and it’s pretty interesting. I’m a bit miffed that the Altor folks didn’t give me a heads-up on the release before it happened, but I guess that’s the way the cookie crumbles.

I just wanted to point out those new product releases. Oh, and along the lines of new products, I’m also working on some more in-depth information on Hyper9’s search-based management product and application virtualization from Xenocode. Stay tuned.
