Attacks/Breaches
9/8/2011
11:15 PM
Charles Babcock
Charles Babcock
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Virtualization Security: No One Product Does It

VMware environments demand multiple tools to build barriers, trap intruders, maintain VM security-- and keep the Jason Cornishes out.

Symantec, as another VMware security partner, offers a suite of backup, recovery, and data protection products. In addition, in May, it announced Virtualization Ray, or V-Ray, to supply visibility into a variety of virtualized environments and help protect them. It "provides you the visibility needed to peer inside your VMs and understand how to protect these systems" it said at the time.

How does that make you more secure? Well after the announcement, Stephen Foskett explained in his Packrat blog that V-Ray has been embedded in Symantec products such as NetBackup and Backup Exec. V-Ray can identify files within a virtual machine image that have been changed, compared to a secure, backup image, and recover the original virtual machine by restoring the correct file. This is quicker than rebuilding an entire virtual machine from scratch.

The visibility offered by V-Ray will be embedded in other Symantec products that work in virtual environments.

Sophos provides spam and malware protection and email encryption, as well as data loss protection, in its Virtual Email Security Appliance. Data loss protection is an inspection service that detects and prevents the exposure of sensitive data, such as credit card or social security numbers, being moved around carelessly in email. The Sophos virtual appliance combines runs in the virtual environment alongside a virtualized email server.

The Sophos antivirus protection engine, however, has its shortcomings, according to some observers. For a summary of its weaknesses, read this report on the findings of Google researcher Tavis Ormandy at the Black Hat USA event last month in Las Vegas.

Data loss protection is one of the latest measures VMware has added to its vShield 5.0 framework, Chuang said. It included DLP from EMC subsidiary, RSA, a sister company to VMware. "Many people don't know when they have sensitive information resident on virtual machines. Our goal is to do whatever we can do to help insure compliance," he said.

File protection and compliance protection are strong security measures to add to the virtual environment, but they still don't amount to much protection against a character such as Jason Cornish, due to be sentenced for the $800,000 in damage he caused Shiongi last November.

I was discussing that point with Eric Chiu, CEO of HyTrust at VMworld Aug. 31, and he claimed, "80% of the people we talk to have not secured their virtual machines." As the virtualized part of the data center continues to grow, that picture has to change.

He recommended products that can log who is accessing and copying virtual machines. "They may be stealing," he notes matter of factly. Only give virtual machine administrators the level of privilege they need to do their jobs. Don't give the "god-like root privileges" to everyone.

In addition, limit the number of servers any one administrator may access, and include an alerting system that tells responsible parties when bad things are happening, such as the deletion of a production server or multiple productions servers, he recommends.

This still would not have prevented Jason Cornish from doing damage, but it would have limited the damage one former systems administrator could have done, even with illicitly restored privileges. In the virtual world, new boundaries can and must be identified and watchdog measures, as well as the more traditional filtering mechanisms, put in place to sound the alarm when something starts to go wrong.

Virtualization is taking over enough of the data center to raise particular security concerns. For VMware's wider view, see VMware's Next Act: Operations Expert.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0985
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.

CVE-2014-0986
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.

CVE-2014-0987
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.

CVE-2014-0988
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.

CVE-2014-0989
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.

Best of the Web
Dark Reading Radio