Attacks/Breaches
9/8/2011
11:15 PM
Charles Babcock
Charles Babcock
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Virtualization Security: No One Product Does It

VMware environments demand multiple tools to build barriers, trap intruders, maintain VM security-- and keep the Jason Cornishes out.

Symantec, as another VMware security partner, offers a suite of backup, recovery, and data protection products. In addition, in May, it announced Virtualization Ray, or V-Ray, to supply visibility into a variety of virtualized environments and help protect them. It "provides you the visibility needed to peer inside your VMs and understand how to protect these systems" it said at the time.

How does that make you more secure? Well after the announcement, Stephen Foskett explained in his Packrat blog that V-Ray has been embedded in Symantec products such as NetBackup and Backup Exec. V-Ray can identify files within a virtual machine image that have been changed, compared to a secure, backup image, and recover the original virtual machine by restoring the correct file. This is quicker than rebuilding an entire virtual machine from scratch.

The visibility offered by V-Ray will be embedded in other Symantec products that work in virtual environments.

Sophos provides spam and malware protection and email encryption, as well as data loss protection, in its Virtual Email Security Appliance. Data loss protection is an inspection service that detects and prevents the exposure of sensitive data, such as credit card or social security numbers, being moved around carelessly in email. The Sophos virtual appliance combines runs in the virtual environment alongside a virtualized email server.

The Sophos antivirus protection engine, however, has its shortcomings, according to some observers. For a summary of its weaknesses, read this report on the findings of Google researcher Tavis Ormandy at the Black Hat USA event last month in Las Vegas.

Data loss protection is one of the latest measures VMware has added to its vShield 5.0 framework, Chuang said. It included DLP from EMC subsidiary, RSA, a sister company to VMware. "Many people don't know when they have sensitive information resident on virtual machines. Our goal is to do whatever we can do to help insure compliance," he said.

File protection and compliance protection are strong security measures to add to the virtual environment, but they still don't amount to much protection against a character such as Jason Cornish, due to be sentenced for the $800,000 in damage he caused Shiongi last November.

I was discussing that point with Eric Chiu, CEO of HyTrust at VMworld Aug. 31, and he claimed, "80% of the people we talk to have not secured their virtual machines." As the virtualized part of the data center continues to grow, that picture has to change.

He recommended products that can log who is accessing and copying virtual machines. "They may be stealing," he notes matter of factly. Only give virtual machine administrators the level of privilege they need to do their jobs. Don't give the "god-like root privileges" to everyone.

In addition, limit the number of servers any one administrator may access, and include an alerting system that tells responsible parties when bad things are happening, such as the deletion of a production server or multiple productions servers, he recommends.

This still would not have prevented Jason Cornish from doing damage, but it would have limited the damage one former systems administrator could have done, even with illicitly restored privileges. In the virtual world, new boundaries can and must be identified and watchdog measures, as well as the more traditional filtering mechanisms, put in place to sound the alarm when something starts to go wrong.

Virtualization is taking over enough of the data center to raise particular security concerns. For VMware's wider view, see VMware's Next Act: Operations Expert.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0714
Published: 2015-05-02
Multiple cross-site scripting (XSS) vulnerabilities in Cisco Finesse Server 10.0(1), 10.5(1), 10.6(1), and 11.0(1) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCut53595.

CVE-2014-3598
Published: 2015-05-01
The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image.

CVE-2014-8361
Published: 2015-05-01
The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request.

CVE-2015-0237
Published: 2015-05-01
Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 ignores the permission to deny snapshot creation during live storage migration between domains, which allows remote authenticated users to cause a denial of service (prevent host start) by creating a long snapshot chain.

CVE-2015-0257
Published: 2015-05-01
Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 uses weak permissions on the directories shared by the ovirt-engine-dwhd service and a plugin during service startup, which allows local users to obtain sensitive information by reading files in the directory.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.