Posts Tagged ‘security’

VMworld 2009 Booth Talk – Trend Micro Solutions Secure Virtual Servers

During VMworld 2009 I talked to Trend Micro about their virtualization protection solutions, some of which are based in part on VMware’s VMSafe APIs. Trend told me about their protection against virus and malware attacks, network intrusion, firewall integrity, and application threats in VMware virtual machines (VMs). After researching some more about what I heard in the Trend booth at the conference, I discovered Trend also offers a free product, VM Protection, for a maximum of 100 guests.

Antivirus and Malware

At the Trend Micro booth I was introduced to Core Protection for VMware Virtual Machines, and I learned that although virtual machines still require Trend Real Time Agents (RTA) installed in each VM, the protection workload is now isolated to a dedicated “scanning virtual machine”.

The virtualization RTA on each guest is a specialized version responsible only for scheduling and status monitoring, and is not the same agent installed if using Trend’s physical server protection. The volumes and files of each guest are actually scanned directly on the VMFS datastore by the scanning VM, not by the RTA running on each virtual server.

The following diagram was copied from the Trend Core Protection data sheet and shows the logical design of the solution. Read the rest of this entry »

Updated VMware Hosted Products and ESX/ESXi Patches Fix Critical Security Vulnerability

I am a little late relaying this important security vulnerability found in basically all VMware products. VMware publicly resolved this concern with patches and new product versions released as of April 10, 2009. I strongly suggest reviewing VMware’s Security Advisory VMSA-2009-0006 and upgrading or patching your respective product(s) as needed.

Some brief info and overview of the problem from the VMSA:

3. Problem Description

a. Host code execution vulnerability from a guest operating system

A critical vulnerability in the virtual machine display function might allow a guest operating system to run code on the host.

This issue is different from the vulnerability in a guest virtual device driver reported in VMware security advisory VMSA-2009-0005 on 2009-04-03. That vulnerability can cause a potential denial of service and is identified by CVE-2008-4916.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-1244 to this issue.

The following table lists what action remediates the vulnerability (column 4) if a solution is available. Read the rest of this entry »

Virtual Machine Sniffer on ESX Hosts

If you thought that because all ESX virtual machines (VMs) share a virtual portgroup on a virtual switch (vSwitch) inside an ESX host you could easily sniff all VM traffic with a protocol analyzer like Ethereal or Wireshark, you found out you were wrong when you tried it. If I am not mistaken, ESX vSwitches are considered layer 2 devices and come with all the expected security and isolation. However, you can make some relatively simple vSwitch design and setting changes to turn a VM into a virtual sniffer and monitor all other VMs on that same host. Another option is a free virtual appliance that can allow you to use your physical monitoring tools to watch your VMs. This post explores both of these free VM sniffer alternatives.

I’m going out on a limb here reporting what I’ve learned about VM sniffers, but I figure that passing on what I know so far would be helpful to VM /ETC readers. At the very least, use the info in this post to get you pointed in the right direction. Fill me in on what I’ve missed, please! Read the rest of this entry »

Tripwire ConfigCheck Now Assesses VMware ESX 3.0

When Tripwire released ConfigCheck for ESX 3.5 back in June, the product was an instant success and was downloaded by tens of thousands of VMware administrators. The free security hardening tool, jointly developed by VMware and Tripwire, could not be used on ESX 3.0 versions, however. On July 21 Tripwire announced the availability of Tripwire ConfigCheck for ESX 3.0, bringing the same security assessment capabilities to the still widely deployed previous version of ESX.

I received a courtesy email about the new version from Kim Blogren of Tripwire’s Public Relations. In the email Kim explained the following about the reason for releasing the new version: Read the rest of this entry »

New CVSP Certification from Catbird for Virtual Security

Catbird, makers of the V-Security solution for VMware, has announced a new virtual infrastructure security certification. The CVSP certification is designed to train individuals with skills necessary to assess virtual infrastructure for security risks and compliance. A description of the program is found in the Computer Technology Review article Catbird announces Certified Virtual Security Professional Program.

“The CVSP program is designed to enable security engineers, along with IT audit and compliance professionals, to conduct security assessments and implement virtual infrastructure security measures to maintain compliance with regulatory and internal standards. Graduates of the course will have the ability to analyze the efficacy of their existing virtual security protocols, as well as the know-how to take proactive measures to enhance their existing security.

Upon completion of the CVSP program, students are eligible to sit for the CVSP certification exam, consisting of a practice deployment and a multiple choice test. A background in VMware ESX Server 3.x, Virtual Center 2.x, Linux networking, and network security concepts is recommended for participants, as is a Certified Information Systems Security Professional (CISSP) certification.”

Catbird’s slogan, “Don’t Run Naked”, is definitely the eye opening marketing needed to draw attention to virtual security. From the Catbird web site: Read the rest of this entry »

How to check if your CPU supports hardware virtualization

If you are planning on re-purposing some of your existing server hardware to run the latest virtualization products or to take advantage of modern hardware optimizations for virtual hosts and machines, you need to be able to determine which of your servers already have Intel-VT or AMD-V features. Here are some utilities and commands you can use to check from both Windows and Linux operating systems.

Read the rest of this entry »

730 Days Later – Replace The VirtualCenter Default SSL Certificate

Yes, this post uses another movie reference.

In the film 28 Days Later the Rage virus infects the Island of Great Britain turning all but a few survivors into zombie-like monsters called “The Infected”. The virus was unleashed when animal activists released medical research chimpanzees which ended up attacking the activists and scientists. This post is about what could cause a similar rage 730 days after installing VirtualCenter, potentially causing VI administrators to become lifeless, rabid, and insane.

After installing VirtualCenter (VC), you should check the installed SSL certificate used by the VI Client because you will most likely need to manually replace it. After a fresh installation the default certificate expires in 730 days (or 2 years). If the certificate expires you will be unable to log in to the VirtualCenter Management Server using either the VI Client or the web administration interface.

Unfortunately, it is unclear to me at this writing if upgrading the VC Server within the 730 day period updates the certificate store. Read the rest of this entry »
