Improving Virtualization and Cloud Management Security with Symantec CSP

The 3/22 Virtualization Security Podcast brought to light the capabilities of Symantec Critical System Protection (CSP) software. CSP implements a manageable form of mandatory access control, built on role-based and multi-level security functionality, within the virtual environment, and more specifically on those systems that are critical to the well-being and health of your virtual and cloud environments, such as all your management and control-plane tools (VMware vCenter, Microsoft SCVMM, XenConsole, etc.). In addition, Symantec CSP will monitor your virtualization hosts for common security issues. This in itself is great news, but why are we only hearing about it now? Is it a replacement for other security tools? We were joined by Alan Bolinger, CTO of OnSystem Logic, who worked with Symantec to develop CSP and to hook it into virtual environments. As we discussed CSP we determined that it was the following elements all rolled into one:

  • Whitelisting on steroids
  • A manageable form of SELinux for all operating systems (the list of supported platforms is impressive)
  • Used to protect those management tools that directly touch the virtualization host
  • Used to protect those management clients (à la vSphere Client) that talk to the virtualization central management servers
  • Used by tenants within a cloud to add to their OWN security

But how does it work? The key is that the group that developed CSP all come from a Multi-Level Security (MLS) background and are familiar with the now outdated Orange Book definitions of security and how to apply them. In essence, the following happens:

  1. Each application, executable, user, and system object is given a token
  2. That token is used to query a role-based access control (RBAC) repository for whether the holder may access any other application, executable, user or system object
  3. If access is granted, the application, executable, user, or system object proceeds within its own sandbox

This is the key: RBAC is used extensively, not just for users but for every other object within the system, and, in addition, each executable is launched within its very own sandbox environment, one per object.

So how does this work in reality? Let us use an example:

  1. A user attempts to launch the vSphere Client
  2. The user's token is looked up within the RBAC repository for access to the vSphere Client executable
  3. Access is granted, so the vSphere Client executable loads within a sandbox that knows which ports and files the vSphere Client uses
  4. If an attack against the vSphere Client tries to reach something outside the sandbox (such as writing to a port that is not allowed, or to a directory outside the sandbox), that access is denied
  5. If all goes as expected, the user is granted access to talk to the vCenter Server (but could be denied access to various plugins, as they may fall outside the ports and executables allowed within the sandbox)
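To make the token, RBAC lookup and sandbox steps above concrete, here is a toy model of that flow in Python. It is an added illustration, not Symantec CSP's policy format or API, and it replays the vSphere Client scenario just described: the user name, the executable name (VpxClient.exe), the vCenter port (443) and the directories are all assumed for the example. The path check normalises before comparing so that a `../` in a requested path cannot slip past the sandbox.

```python
"""Toy model of the token / RBAC / sandbox flow described in the post.

Added illustration only: this is not Symantec CSP's policy format or API.
The user name, executable name, port number and directories are constructed.
"""
import posixpath
from dataclasses import dataclass, field
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Token:
    """Every subject and object (user, executable, ...) carries one of these."""
    name: str
    kind: str  # "user" or "exe"


@dataclass(frozen=True)
class Sandbox:
    """What a launched executable may touch; anything else is denied."""
    tcp_ports: frozenset      # outbound TCP ports it may connect to
    readable_dirs: frozenset  # directories it may read from
    writable_dirs: frozenset  # directories it may write to (implies read)


def _inside(path: str, allowed_dirs) -> bool:
    """Path containment check; normalise first so '../' cannot slip past."""
    p = PurePosixPath(posixpath.normpath(path))
    for d in allowed_dirs:
        d = PurePosixPath(posixpath.normpath(d))
        if p == d or d in p.parents:
            return True
    return False


@dataclass
class Policy:
    # RBAC repository: subject token -> frozenset of object tokens it may use
    grants: dict = field(default_factory=dict)
    # one sandbox profile per executable token
    sandboxes: dict = field(default_factory=dict)

    def may_use(self, subject: Token, obj: Token) -> bool:
        return obj in self.grants.get(subject, frozenset())

    def launch(self, user: Token, exe: Token) -> Sandbox:
        """Steps 2-3: consult the RBAC repository; on success return the exe's sandbox."""
        if not self.may_use(user, exe):
            raise PermissionError(f"{user.name} is not allowed to launch {exe.name}")
        return self.sandboxes[exe]


def check_access(sandbox: Sandbox, action: str, target) -> bool:
    """Step 4: a sandboxed process asks for a port or a path; default deny."""
    if action == "connect":
        return target in sandbox.tcp_ports
    if action == "read":
        return _inside(target, sandbox.readable_dirs | sandbox.writable_dirs)
    if action == "write":
        return _inside(target, sandbox.writable_dirs)
    return False


# --- constructed example policy (all names, ports and paths assumed) --------
ALICE = Token("alice", "user")
BOB = Token("bob", "user")
VSPHERE_CLIENT = Token("VpxClient.exe", "exe")  # executable name assumed

POLICY = Policy(
    grants={ALICE: frozenset({VSPHERE_CLIENT})},  # bob has no grant at all
    sandboxes={
        VSPHERE_CLIENT: Sandbox(
            tcp_ports=frozenset({443}),  # HTTPS to vCenter; port assumed
            readable_dirs=frozenset({"/opt/vsphere-client"}),
            writable_dirs=frozenset({"/home/alice/.vmware"}),
        )
    },
)


def walk_through() -> dict:
    """Replays the post's scenario and returns each allow/deny decision."""
    sb = POLICY.launch(ALICE, VSPHERE_CLIENT)
    decisions = {
        "connect vCenter 443": check_access(sb, "connect", 443),
        "connect ssh 22": check_access(sb, "connect", 22),
        "write own log": check_access(sb, "write", "/home/alice/.vmware/client.log"),
        "write via ../": check_access(sb, "write", "/home/alice/.vmware/../.ssh/authorized_keys"),
        "read /etc/shadow": check_access(sb, "read", "/etc/shadow"),
    }
    try:
        POLICY.launch(BOB, VSPHERE_CLIENT)
        decisions["bob launches client"] = True
    except PermissionError:
        decisions["bob launches client"] = False
    return decisions


if __name__ == "__main__":
    for what, allowed in walk_through().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {what}")
```

The point to take from the model is the two separate gates: the RBAC repository decides whether the user may launch the executable at all, and the per-executable sandbox decides, request by request, what that running process may reach, so a compromised client is limited to the ports and directories the profile lists rather than to whatever the logged-in user can touch.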

All in all, Symantec CSP offers a great leap forward in protecting your virtual environments, as Symantec's team has already done the heavy lifting of setting up the sandboxes to work with the usual virtualization management tools. But it does quite a bit more as well. CSP can also inspect various aspects of the vSphere hosts to determine whether critical files have changed and, if so, warn you about them. Granted, it will only look at files that vSphere itself allows you to access, and not every file you would ultimately like to watch (that would require modification of the XML file that controls what the vCLI tools are allowed to access). Even with these limitations, the list of files it can inspect for errors, changes, and security issues is pretty impressive: at a minimum it will inspect the key configuration files of the vSphere host, the VM configuration files, and all log files (including ones that never reach your syslog servers).
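The change-detection side of this is worth seeing in miniature. The following is an added example of a baseline-and-compare monitor in Python; it is not CSP's own monitor, and the file names (esx.conf, vm1.vmx, hostd.log, vmkernel.log) and their contents are constructed stand-ins for host configuration, VM configuration and log files. One caveat a plain "hash everything" monitor gets wrong is logs: they are supposed to grow, so the example treats files marked append-only as changed only when they shrink or their original prefix is rewritten, which is what truncation or tampering looks like.

```python
"""Baseline-and-compare change detection for critical files.

Added illustration of the "warn when critical files change" capability the
post describes; it is not CSP's monitor, and the file names and contents are
constructed stand-ins for host config, VM config and log files.
"""
import hashlib
import os
import tempfile
from typing import Optional


def hash_file(path: str, limit: Optional[int] = None) -> str:
    """SHA-256 of a file, or of its first `limit` bytes when limit is given."""
    h = hashlib.sha256()
    remaining = limit
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            block = f.read(65536 if remaining is None else min(65536, remaining))
            if not block:
                break
            h.update(block)
            if remaining is not None:
                remaining -= len(block)
    return h.hexdigest()


def baseline(paths) -> dict:
    """Record (digest, size) for every watched file that exists right now."""
    return {p: (hash_file(p), os.path.getsize(p)) for p in paths if os.path.isfile(p)}


def compare(base: dict, paths, append_only=()) -> dict:
    """Diff the current state against a baseline.

    Files in `append_only` (logs) are expected to grow, so they are flagged
    only when they shrank or their original prefix no longer hashes the same,
    which is what truncation or tampering looks like. Any other change,
    a missing file, or a new file on the watch list is reported.
    """
    changed, removed = [], []
    for p, (digest, size) in base.items():
        if not os.path.isfile(p):
            removed.append(p)
        elif p in append_only:
            if os.path.getsize(p) < size or hash_file(p, size) != digest:
                changed.append(p)
        elif hash_file(p) != digest:
            changed.append(p)
    added = [p for p in paths if os.path.isfile(p) and p not in base]
    return {"changed": changed, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: config tampered, one log grows, one log truncated."""
    with tempfile.TemporaryDirectory() as root:
        def path(name):
            return os.path.join(root, name)

        initial = {
            "esx.conf": "sshd.enabled = false\n",        # host config stand-in
            "vm1.vmx": 'displayName = "vm1"\n',          # VM config stand-in
            "hostd.log": "2012-03-22 host started\n",    # log stand-in
            "vmkernel.log": "line1\nline2\n",            # log stand-in
        }
        for name, body in initial.items():
            with open(path(name), "w") as f:
                f.write(body)
        watch = [path(n) for n in initial] + [path("vm2.vmx")]  # vm2.vmx absent at baseline
        logs = {path("hostd.log"), path("vmkernel.log")}
        base = baseline(watch)

        # Events after the baseline was taken
        with open(path("esx.conf"), "w") as f:
            f.write("sshd.enabled = true\n")              # config tampered -> changed
        with open(path("hostd.log"), "a") as f:
            f.write("2012-03-22 user logged in\n")        # normal growth -> not flagged
        with open(path("vmkernel.log"), "w") as f:
            f.write("line2\n")                            # truncated -> changed
        os.remove(path("vm1.vmx"))                        # -> removed
        with open(path("vm2.vmx"), "w") as f:
            f.write('displayName = "vm2"\n')              # -> added

        result = compare(base, watch, append_only=logs)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in result.items()}


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

In practice the baseline itself has to live somewhere the monitored host cannot rewrite, which is exactly why a tool like CSP pulls the files from the host and keeps its state on the protected management system rather than on the hypervisor.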

This is one more very useful tool within your security toolbox, but it is not a replacement for good architecture and existing defense-in-depth measures. While we cannot apply CSP directly to a hypervisor (to protect against VM escape), we can apply it to all the management constructs that directly or indirectly touch those virtualization hosts.

Give the podcast a listen, lots of great details!

Edward Haletky

Edward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development, and The Virtualization Practice, where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.


2 Responses to Improving Virtualization and Cloud Management Security with Symantec CSP

  1. sbeaver
    March 30, 2012 at 9:59 AM

    So what would be the difference between this product and say the Hytrust solution?

  2. March 30, 2012 at 10:10 AM

    Hello Steve,

    The HyTrust Product provides authentication and authorization by being the man between the vSphere Client and the vCenter Server or vSphere Hosts. It interprets all the requests and compares that network traffic to the RBAC it controls and your current policies.

    Symantec CSP on the other hand provides RBAC within a system and can govern whether you can actually access the vSphere Client ports to access the vCenter Server, etc.

    HyTrust -> Network controls, CSP -> Operating System controls

    If I was asked to design a system with the most useful security I would combine the two products but use a scripted way to keep policies in sync.

    Best regards,
    Edward
