Archive for the ‘security’ Category

VMworld 2009 Booth Talk – Trend Micro Solutions Secure Virtual Servers

During VMworld 2009 I talked to Trend Micro about their virtualization protection solutions, some of which are based in part on VMware’s VMsafe APIs. Trend told me about their protection against virus and malware attacks, network intrusion, firewall integrity, and application threats in VMware virtual machines (VMs). After researching some more about what I heard in the Trend booth at the conference, I discovered Trend also offers a free product, VM Protection, for a maximum of 100 guests.

Antivirus and Malware

At the Trend Micro booth I was introduced to Core Protection for VMware Virtual Machines, and I learned that although virtual machines still require Trend Real Time Agents (RTA) installed in each VM, the protection workload is now isolated to a dedicated “scanning virtual machine”.

The virtualization RTA on each guest is a specialized version responsible only for scheduling and status monitoring, and is not the same agent that is installed with Trend’s physical server protection. The volumes and files of each guest are scanned directly on the VMFS datastore by the scanning VM; the scan is not performed by the RTA running on each virtual server.

The following diagram was copied from the Trend Core Protection data sheet and shows the logical design of the solution. Read the rest of this entry »

Updated VMware Hosted Products and ESX/ESXi Patches Fix Critical Security Vulnerability

I am a little late relaying this important security vulnerability found in basically all VMware products. VMware publicly resolved this concern with patches and new product versions released as of April 10, 2009. I strongly suggest reviewing VMware’s Security Advisory VMSA-2009-0006 and upgrading or patching your respective product(s) as needed.

Some brief info and overview of the problem from the VMSA:

3. Problem Description

a. Host code execution vulnerability from a guest operating system

A critical vulnerability in the virtual machine display function might allow a guest operating system to run code on the host.

This issue is different from the vulnerability in a guest virtual device driver reported in VMware security advisory VMSA-2009-0005 on 2009-04-03. That vulnerability can cause a potential denial of service and is identified by CVE-2008-4916.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-1244 to this issue.

The following table lists what action remediates the vulnerability (column 4) if a solution is available. Read the rest of this entry »

Virtual Machine Sniffer on ESX Hosts

If you thought that, because all ESX virtual machines (VMs) share a virtual portgroup on a virtual switch (vSwitch) inside an ESX host, you could easily sniff all VM traffic with a protocol analyzer like Ethereal or Wireshark, you found out you were wrong when you tried it. If I am not mistaken, ESX vSwitches are considered layer 2 devices and come with all the expected security and isolation. However, you can make some relatively simple vSwitch design and setting changes to turn a VM into a virtual sniffer and monitor all other VMs on that same host. Another option is a free virtual appliance that can allow you to use your physical monitoring tools to watch your VMs. This post explores both of these free VM sniffer alternatives.

I’m going out on a limb here reporting what I’ve learned about VM sniffers, but I figure that passing on what I know so far would be helpful to VM /ETC readers. At the very least, use the info in this post to get you pointed in the right direction. Fill me in on what I’ve missed, please! Read the rest of this entry »

Tripwire ConfigCheck Now Assesses VMware ESX 3.0

When Tripwire released ConfigCheck for ESX 3.5 back in June, the product was an instant success and was downloaded by tens of thousands of VMware administrators. The free security hardening tool, jointly developed by VMware and Tripwire, could not be used on ESX 3.0 versions, however. On July 21, Tripwire announced the availability of Tripwire ConfigCheck for ESX 3.0, bringing the same security assessment capabilities to the still widely deployed previous version of ESX.

I received a courtesy email about the new version from Kim Blogren of Tripwire’s Public Relations. In the email Kim explained the following about the reason for releasing the new version: Read the rest of this entry »

Guides for Replacing the VirtualCenter Certificate

In my post 730 Days Later – Replace The VirtualCenter Default SSL Certificate I pointed out the SSL certificate installed by VirtualCenter expires after 2 years. I did not document how to replace the default cert, but instead I linked to VMware’s guide for readers to explore. Thank goodness Leo Raikhman has picked up where I left off on his Leo’s Ramblings Blog! Leo has created 2 great “how to” posts for replacing certificates using OpenSSL that are much easier to follow than VMware’s guide.

In the post VirtualCenter CA Configuration Leo covers replacing the default certificate with a standalone OpenSSL version that expires after 10 years. However, in his post More nonsense with VirtualCenter certificates – part 2 he provides instructions for using a domain enforced Windows Certificate Authority.

Read Leo’s posts in their entirety at the links above, but I am copying his instructions here for my personal knowledgebase. As a matter of fact, I recommend adding Leo’s RSS feed to your reader and bookmarking his site. He has been consistently creating posts relevant and helpful for virtual administrators.

Read the rest of this entry »

New CVSP Certification from Catbird for Virtual Security

Catbird, makers of the V-Security solution for VMware, has announced a new virtual infrastructure security certification. The CVSP certification is designed to train individuals with the skills necessary to assess virtual infrastructure for security risks and compliance. A description of the program is found in the Computer Technology Review article Catbird announces Certified Virtual Security Professional Program.

“The CVSP program is designed to enable security engineers, along with IT audit and compliance professionals, to conduct security assessments and implement virtual infrastructure security measures to maintain compliance with regulatory and internal standards. Graduates of the course will have the ability to analyze the efficacy of their existing virtual security protocols, as well as the know-how to take proactive measures to enhance their existing security.

Upon completion of the CVSP program, students are eligible to sit for the CVSP certification exam, consisting of a practice deployment and a multiple choice test. A background in VMware ESX Server 3.x, Virtual Center 2.x, Linux networking, and network security concepts is recommended for participants, as is a Certified Information Systems Security Professional (CISSP) certification.”

Catbird’s slogan, “Don’t Run Naked”, is definitely the eye-opening marketing needed to draw attention to virtual security. From the Catbird web site: Read the rest of this entry »

Tripwire ConfigCheck – free utility that rapidly assesses the security of VMware ESX

VMware and Tripwire have released a free tool that analyzes the configuration of ESX servers and compares the results against established best practices. ConfigCheck is a free utility that downloads to your desktop where you can easily assess whether your VMware virtual infrastructure is properly configured for security. According to Tripwire’s download page the tool is available for both Windows and Linux. Tripwire ConfigCheck was developed as a no-cost introduction to the fully featured and licensed version of Tripwire Enterprise.

Both VMware and Tripwire have information about the free product on their websites. The following information from both sources provides a good summary about what the tool can do. Read the rest of this entry »
