Archive for the ‘security’ Category

VIRTUMANIA Episode 19: Security Is The Dark Side Of Virtualization

The VIRTUMANIA continues with Episode 19! Rick Vanover joins Marc and me again, along with very special guest Ed Haletky, for an extremely important discussion about security in virtualization infrastructure. The following is the podcast summary:

VIRTUMANIA Podcast Episode 19: Security is The Dark Side of Virtualization. Rich Brambley (@rbrambley) of VMETC and Marc Farley (@3parfarley) of 3Par and StorageRap.com with show regular Rick Vanover (@rickvanover) of RickVanover.com host Ed Haletky (@texiwill) of The Virtualization Practice Blog. This episode includes interesting discussion about unintentionally created security concerns with virtual infrastructure that arise when administrators decide to deviate from best practices in the name of convenience. The show gets into well known attacks possible on a hypervisor, and what, if anything, can be done to stop them. Virtumania is an Infosmack Production.

All virtualization administrators should pay close attention to the Blue Pill Attack discussion. It’s definitely some scary stuff!

Before, between, and after the important stuff we also have some fun with Farley Fest, The World Cup, 4th of July Vacations, and Wisconsin. Ed reveals he is a foodie like Jason Perlow in our last episode, and he makes a recommendation for Mama Reux in Austin, TX. Look out for the bad alligator jokes too.

Rick gives Ed a hard time for being known as too serious at times, and he proudly keeps track of how many times Haletky laughs on this show. :)

Listen to the podcast with the embedded player or subscribe to get a weekly copy so you can listen when convenient.

Check out the VM /ETC VIRTUMANIA Page to listen to past episodes as well as episodes of Infosmack.

The following links offer more information on some of the topics mentioned in VIRTUMANIA Episode 19:

Read the rest of this entry »

VMworld 2009 Booth Talk – Trend Micro Solutions Secure Virtual Servers

During VMworld 2009 I talked to Trend Micro about their virtualization protection solutions, some of which are based in part on VMware’s VMSafe APIs. Trend told me about their protection against virus and malware attacks, network intrusion, firewall integrity, and application threats in VMware virtual machines (VMs). After researching some more about what I heard in the Trend booth at the conference, I discovered Trend also offers a free product, VM Protection, for a maximum of 100 guests.

Antivirus and Malware

At the Trend Micro booth I was introduced to Core Protection for VMware Virtual Machines, and I learned that although virtual machines still require Trend Real Time Agents (RTA) installed in each VM, the protection workload is now isolated to a dedicated “scanning virtual machine”.

The virtualization RTA on each guest is a specialized version responsible only for scheduling and status monitoring, and is not the same agent that is installed with Trend’s physical server protection. The volumes and files of each guest are scanned directly on the VMFS datastore by the scanning VM, rather than by the RTA running on each virtual server.

The following diagram was copied from the Trend Core Protection data sheet and shows the logical design of the solution. Read the rest of this entry »

Updated VMware Hosted Products and ESX/ESXi Patches Fix Critical Security Vulnerability

I am a little late relaying this important security vulnerability found in basically all VMware products. VMware publicly resolved this concern with patches and new product versions released as of April 10, 2009. I strongly suggest reviewing VMware’s Security Advisory VMSA-2009-0006 and upgrading or patching your respective product(s) as needed.

Some brief info and overview of the problem from the VMSA:

3. Problem Description

a. Host code execution vulnerability from a guest operating system

A critical vulnerability in the virtual machine display function might allow a guest operating system to run code on the host.

This issue is different from the vulnerability in a guest virtual device driver reported in VMware security advisory VMSA-2009-0005 on 2009-04-03. That vulnerability can cause a potential denial of service and is identified by CVE-2008-4916.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-1244 to this issue.

The following table lists what action remediates the vulnerability (column 4) if a solution is available. Read the rest of this entry »

Virtual Machine Sniffer on ESX Hosts

If you thought that, because all ESX virtual machines (VMs) share a virtual portgroup on a virtual switch (vSwitch) inside an ESX host, you could easily sniff all VM traffic with a protocol analyzer like Ethereal or Wireshark, you found out you were wrong when you tried it. If I am not mistaken, ESX vSwitches are considered layer 2 devices and come with all the expected security and isolation. However, you can make some relatively simple vSwitch design and setting changes to turn a VM into a virtual sniffer and monitor all other VMs on that same host. Another option is a free virtual appliance that lets you use your physical monitoring tools to watch your VMs. This post explores both of these free VM sniffer alternatives.

I’m going out on a limb here reporting what I’ve learned about VM sniffers, but I figure that passing on what I know so far would be helpful to VM /ETC readers. At the very least, use the info in this post to get you pointed in the right direction. Fill me in on what I’ve missed, please! Read the rest of this entry »

Tripwire ConfigCheck Now Assesses VMware ESX 3.0

When Tripwire released ConfigCheck for ESX 3.5 back in June, the product was an instant success and was downloaded by tens of thousands of VMware administrators. The free security hardening tool, jointly developed by VMware and Tripwire, could not be used on ESX 3.0 versions, however. On July 21 Tripwire announced the availability of Tripwire ConfigCheck for ESX 3.0, bringing the same security assessment capabilities to the still widely deployed previous version of ESX.

I received a courtesy email about the new version from Kim Blogren of Tripwire’s Public Relations. In the email Kim explained the following about the reason for releasing the new version: Read the rest of this entry »

Guides for Replacing the VirtualCenter Certificate

In my post 730 Days Later – Replace The VirtualCenter Default SSL Certificate I pointed out that the SSL certificate installed by VirtualCenter expires after 2 years. I did not document how to replace the default cert, but instead I linked to VMware’s guide for readers to explore. Thank goodness Leo Raikhman has picked up where I left off on his Leo’s Ramblings Blog! Leo has created 2 great “how to” posts for replacing certificates using OpenSSL that are much easier to follow than VMware’s guide.

In the post VirtualCenter CA Configuration Leo covers replacing the default certificate with a standalone OpenSSL version that expires after 10 years. However, in his post More nonsense with VirtualCenter certificates – part 2 he provides instructions for using a domain enforced Windows Certificate Authority.

Read Leo’s posts in their entirety at the links above, but I am copying his instructions here for my personal knowledgebase. As a matter of fact, I recommend adding Leo’s RSS feed to your reader and bookmarking his site. He has been consistently creating posts relevant and helpful for virtual administrators.

Read the rest of this entry »

New CVSP Certification from Catbird for Virtual Security

Catbird, makers of the V-Security solution for VMware, has announced a new virtual infrastructure security certification. The CVSP certification is designed to train individuals with skills necessary to assess virtual infrastructure for security risks and compliance. A description of the program is found in the Computer Technology Review article Catbird announces Certified Virtual Security Professional Program.

“The CVSP program is designed to enable security engineers, along with IT audit and compliance professionals, to conduct security assessments and implement virtual infrastructure security measures to maintain compliance with regulatory and internal standards. Graduates of the course will have the ability to analyze the efficacy of their existing virtual security protocols, as well as the know-how to take proactive measures to enhance their existing security.

Upon completion of the CVSP program, students are eligible to sit for the CVSP certification exam, consisting of a practice deployment and a multiple choice test. A background in VMware ESX Server 3.x, Virtual Center 2.x, Linux networking, and network security concepts is recommended for participants, as is a Certified Information Systems Security Professional (CISSP) certification.”

Catbird’s slogan, “Don’t Run Naked”, is definitely the eye-opening marketing needed to draw attention to virtual security. From the Catbird web site: Read the rest of this entry »
