Attacks/Breaches
9/8/2011
11:15 PM
Charles Babcock
Charles Babcock
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Virtualization Security: No One Product Does It

VMware environments demand multiple tools to build barriers, trap intruders, maintain VM security-- and keep the Jason Cornishes out.

Symantec, as another VMware security partner, offers a suite of backup, recovery, and data protection products. In addition, in May, it announced Virtualization Ray, or V-Ray, to supply visibility into a variety of virtualized environments and help protect them. It "provides you the visibility needed to peer inside your VMs and understand how to protect these systems" it said at the time.

How does that make you more secure? Well after the announcement, Stephen Foskett explained in his Packrat blog that V-Ray has been embedded in Symantec products such as NetBackup and Backup Exec. V-Ray can identify files within a virtual machine image that have been changed, compared to a secure, backup image, and recover the original virtual machine by restoring the correct file. This is quicker than rebuilding an entire virtual machine from scratch.

The visibility offered by V-Ray will be embedded in other Symantec products that work in virtual environments.

Sophos provides spam and malware protection and email encryption, as well as data loss protection, in its Virtual Email Security Appliance. Data loss protection is an inspection service that detects and prevents the exposure of sensitive data, such as credit card or social security numbers, being moved around carelessly in email. The Sophos virtual appliance combines runs in the virtual environment alongside a virtualized email server.

The Sophos antivirus protection engine, however, has its shortcomings, according to some observers. For a summary of its weaknesses, read this report on the findings of Google researcher Tavis Ormandy at the Black Hat USA event last month in Las Vegas.

Data loss protection is one of the latest measures VMware has added to its vShield 5.0 framework, Chuang said. It included DLP from EMC subsidiary, RSA, a sister company to VMware. "Many people don't know when they have sensitive information resident on virtual machines. Our goal is to do whatever we can do to help insure compliance," he said.

File protection and compliance protection are strong security measures to add to the virtual environment, but they still don't amount to much protection against a character such as Jason Cornish, due to be sentenced for the $800,000 in damage he caused Shiongi last November.

I was discussing that point with Eric Chiu, CEO of HyTrust at VMworld Aug. 31, and he claimed, "80% of the people we talk to have not secured their virtual machines." As the virtualized part of the data center continues to grow, that picture has to change.

He recommended products that can log who is accessing and copying virtual machines. "They may be stealing," he notes matter of factly. Only give virtual machine administrators the level of privilege they need to do their jobs. Don't give the "god-like root privileges" to everyone.

In addition, limit the number of servers any one administrator may access, and include an alerting system that tells responsible parties when bad things are happening, such as the deletion of a production server or multiple productions servers, he recommends.

This still would not have prevented Jason Cornish from doing damage, but it would have limited the damage one former systems administrator could have done, even with illicitly restored privileges. In the virtual world, new boundaries can and must be identified and watchdog measures, as well as the more traditional filtering mechanisms, put in place to sound the alarm when something starts to go wrong.

Virtualization is taking over enough of the data center to raise particular security concerns. For VMware's wider view, see VMware's Next Act: Operations Expert.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3594
Published: 2014-08-22
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.