Vulnerabilities / Threats

3/4/2011
03:35 PM
Commentary
Commentary
Commentary
50%
50%

Hypervisor Security: Don't Trust, Verify

Combating vulnerabilities (and passing audits) is a matter of starting from the root and working up.

InformationWeek Green Virtualization Security Digital Issue- Mar. 7, 2011 InformationWeek Green
Download the InformationWeek March supplement on virtualization security , distributed in an all-digital format as part of our Green Initiative
(Registration required.)
We will plant a tree for each of the first 5,000 downloads.

VIrtualization Security

For years I've watched the delicate balance between enterprise IT groups and their security teams. Every now and then, there's a sea change in one area that gives rise to, let's say, passionate discussions. After attending last month's RSA conference, I feel one of those moments coming on, this time around production server virtualization. Specifically, we're talking about hardening the hypervisor--arguably one of the most important components of your virtual architecture.

What? Didn't think your CISO cared about hypervisors? Well, if he attended RSA, he does now. And if you have production VMs, you better get ready to prove they're secure. Don't expect your security team to just trust you.

Combating vulnerabilities (and passing audits) is a matter of starting from the root and working up. One option that impressed me at RSA is Intel's TXT (Trusted Execution Technology)--Intel's response to the Trusted Platform Module (TPM) specification published by the Trusted Computing Group and accepted as an ISO standard in 2009.

The foundation of this new trusted computing infrastructure is what's known as the "hardware root of trust," which establishes a bottoms-up security posture based on assuring the integrity of the VM kernel and loaded modules as they reside on disk and in memory. To take advantage, first make sure your server hardware supports TPM. Once you've verified that your gear has the correct processor extensions and supporting chipsets, it's just a matter of adding a small circuit board that plugs into a TPM slot on the server motherboard. After you enable TXT in the server BIOS that runs your host, you go through a process of generating the hash state that VMware ESXi, Xen, and other hypervisors will use during the boot process to detect unauthorized changes or whether malware has infiltrated the host operating system.

Moving up the stack, software vendor HyTrust offers a virtual appliance that can access the TXT status through the vSphere vCenter API and make decisions on controlling guest movement based on the classification status of the host server. HyTrust also offers network-based policy management for your virtual infrastructure that provides administrative access control, hypervisor hardening, and audit-quality logging to protect you from malicious, or sometimes just careless, insiders. Now when your security auditor asks for proof of hypervisor protection, you can go down your checklist: hardware root of trust (check), trusted virtualization environment (check), and security information and event management tools (check).

You're only going to increase your use of virtualization, so think in terms of evolving security. Evaluate where you are today and educate yourself as new hypervisor hardening options become available to ensure that you always stay a step ahead of the CISO--and the people after your data.

Schalk Theron is VP of security and operations for cloud services and ECM company SpringCM. Prior to joining SpringCM, Theron was at Washington Mutual, leading operational support for more than 50,000 users and a national network of more than 3,000 sites and multiple enterprise-class data centers supporting the award-winning Wamu.com. Write to us at [email protected].

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
To Be Ready for the Security Future, Pay Attention to the Security Past
Liz Maida, Co-founder, CEO & CTO, Uplevel Security,  9/18/2017
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Jan, check this out! I found an unhackable PC.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.