

11:15 PM
Charles Babcock

Virtualization Security: No One Product Does It

VMware environments demand multiple tools to build barriers, trap intruders, maintain VM security-- and keep the Jason Cornishes out.

Security in the virtual environment is both potentially better than in the physical world and at the same time more complex. After the Jason Cornish affair, you may be asking yourself whether your virtual machines could be exposed to a powerful, concentrated attack like that through the VM management interface.

Cornish, in his deletion of 88 production servers at Japanese pharmaceutical company Shionogi, had a "legitimate" password, probably handed off to him from an unidentified insider about to become a casualty of layoffs. Shionogi's procedures didn't detect the maneuver or the placement of a vSphere client on a data center server from which an authorized IT administrator could gain access to vCenter management consoles. With these tools in hand, Cornish deleted his former employer's production environment, apparently while munching down $4.96 worth of hamburger and fries at McDonald's.

Mark Chuang, VMware's director of product marketing in the security area, did not respond to a query about the Cornish affair. But he said in an interview at VMworld Aug. 31 that VMware's vShield framework contains many VMware security measures, plus third parties are plugging their own security products into it. The plug-ins work through a VMware vShield API. Together, these point products and VMware's measures amount to a defense in depth, he said.

What about intruders? VMware works with three partners to supply intrusion detection in the virtual environment. They are McAfee's Network IPS, HP's Tipping Point, and Sourcefire. These three also happen to be Gartner's picks as the three leading intrusion detection/intrusion prevention vendors. McAfee has been a leader in the field for the past five years, according to Gartner. HP enjoys a leadership spot, thanks to its acquisition of Tipping Point as part of the 3Com purchase. Sourcefire is an intrusion prevention specialist; its Sourcefire 3D System appliance has been rated by NSS Labs as providing the most complete protection among the IPS competitors.

Intrusion detection--I should say, intrusion prevention, as the field has changed--consists of using an appliance on the network to inspect all incoming packets in real time, looking for any patterns that match known patterns of attack. The appliance can block an attack signature when it detects one. In many cases, a McAfee, Tipping Point, or Sourcefire intrusion prevention appliance is going to be a physical device. But there's no reason it can't also be a virtual appliance and be installed at a specific point of vulnerability in the virtual environment. Sourcefire in particular has been quick to extend physical world-type protections into virtual appliances and virtual world operations.

These systems are updated quickly, usually within 24 hours, when a new malware signature is discovered, which makes them useful as blocking mechanisms until all data center servers can be updated with a vulnerability patch.

Would one of these systems have prevented a Cornish-style attack? No. Cornish did not use any malware or attack pattern to get into the data center over the network. He connected and logged in as an authorized user, which is a different problem, and one that is related to an insider-style attack. By definition, intrusion detection is looking for outsiders coming in.

In addition to intrusion detection at the network perimeter, there are many additional security boundaries that can be guarded. Chuang said applications may be grouped according to their sensitivity in particular hardware clusters, then security measures, such as firewalls, applied to those clusters--another physical boundary.

At the same time, the VMware API allows third-party security products to peer inside the operation of specific virtual machines, including their CPU and memory use, allowing the addition of highly specific point products to the virtual environment.

Chuang mentioned seven security partners: Trend Micro, Symantec, Luminous, Sophos, BitDefender, Kaspersky, and again, McAfee. They offer different security measures, including virtual firewalls applied to specific virtual machines or virtual machine hosts. Let's take a look at a few of them to see how defense in depth might be constructed.

Trend Micro focuses on defense of the integrity of servers in the data center, including host servers and their virtual machines, said Harish Agastya, director of marketing for the firm's data center security products, in an interview. "We can make sure the files have not been modified in some way. Our software notifies you if something has changed," said Agastya.

Trend Micro's Deep Security product, which acts as a watchdog over virtual and physical environments, would have notified the Shionogi IT staffers that Cornish had deleted the files of its production systems--but after-the-fact notification isn't much help, is it?

Deep Security, however, was highly useful in a situation where a knowledgeable insider modified the payroll system just before direct deposits were made in order to route a number of deposits to his own account. The alteration was then erased at the end of the payroll run and the original list of recipients restored. When employees complained they hadn't gotten their payments, IT managers could find no defect in the payroll list. But using Trend Micro's Deep Security product, they found that the files were being altered, then restored, immediately before and after the payroll run. The discovery helped IT administrators identify who was capable of such a maneuver and track down the offender, Agastya said.

The Deep Security virtual appliance, working with VMware's vShield Endpoint, can maintain vigilance over virtual machine files, examine access attempts for any known threats, and screen out malware, he added. vShield Endpoint allows the normal processing required by an agent located in a virtual machine--the usual way of implementing anti-malware measures--to be offloaded to Deep Security, improving virtual machine performance. Trend Micro's approach is "agent-less," said Agastya.
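The payroll case above turns on one detail: a file that is modified before a job and restored after it looks untouched to any check that only compares the final state against the baseline. The following added example (not Trend Micro's code, and not a description of how Deep Security works internally) is a hypothetical minimal file-integrity monitor that keeps an append-only change log alongside the baseline, run against a constructed recipient list, to show why the change log catches the modify-then-restore pattern that a single end-of-run comparison misses.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class FileIntegrityMonitor:
    """Hypothetical minimal FIM: a baseline hash per file plus an append-only change log."""

    def __init__(self, paths):
        self.original = {p: sha256_of(p) for p in paths}  # first-seen (trusted) state
        self.current = dict(self.original)                 # state as of the last scan
        self.events = []                                   # (scan label, path, old hash, new hash)

    def scan(self, label):
        """Record every watched file whose hash differs from the last scan, then update state."""
        for p, old in self.current.items():
            new = sha256_of(p)
            if new != old:
                self.events.append((label, p, old, new))
                self.current[p] = new
        return [e for e in self.events if e[0] == label]

    def differs_from_original(self, path):
        """The naive after-the-fact check: does the file differ from the original baseline?"""
        return self.current[path] != self.original[path]


def simulate_modify_then_restore():
    """Constructed scenario: the recipient list is altered just before the run and restored after."""
    legit = b"alice,ACCT-1001,2500.00\nbob,ACCT-1002,3100.00\n"      # constructed sample data
    tampered = legit.replace(b"ACCT-1002", b"ACCT-9999")           # bob's deposit diverted
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "recipients.csv")
        with open(path, "wb") as f:
            f.write(legit)
        fim = FileIntegrityMonitor([path])                          # baseline taken on the clean list
        with open(path, "wb") as f:
            f.write(tampered)
        fim.scan("pre-run")                                         # the payroll job would read this version
        with open(path, "wb") as f:
            f.write(legit)                                          # insider restores the original list
        fim.scan("post-run")
        return {
            "changed_since_baseline": fim.differs_from_original(path),  # False: "no defect" in the list
            "change_events": len(fim.events),                             # 2: the modify and the restore
        }
```

A scan must actually run between the modification and the restore for the log to record it, which is why the interval of a scheduled scanner, or event-driven monitoring, matters more than the baseline itself.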

