The Virtualization Security Podcast on 7/22 was all about the news of the week with our panelists discussing how this news affects everyone and anyone with respect to Virtualization Security. The news discussed:
- NIST Released their Guide to Security for Full Virtualization Technologies (Draft)
- There is a Security issue with VMware vSphere 4.1
- VMware discussed the new vShield Zones Edge and vShield App products
- HyTrust and Catbird announced a cooperative effort
NIST Guide to Security for Full Virtualization Technologies
This is a fairly generic guide that leverages a library of other guides controlled by NIST, specifically the SP800 series. Yet is not proscriptive. By being generic it tries to encompass all Type 1 or Type 2 hypervisors. What the panel stated is that this is a Good Start to forming a Security Policy if you do not already have one or can be of great use for revising an existing policy.
This is one of the first Guides that are advocating the use of Continual Auditing over point in time with respect to the virtual environment.
Security Issue with VMware vSphere 4.1
We discussed the findings of William Lam and others about the use of DES encryption versus other mechanisms that seems to have slipped through the cracks. There are several workarounds for this problem: Use the Likewise AD integration module, use Root Password Vaulting Techniques, and update PAM to use md5 instead of the default DES encryption mechanisms.This last mechanism may fail for ‘Free’ ESXi after a reboot due to the non-writable nature of the filesystems.
Since the recommendation has always been to have very few users on any ESX system, this issue affects a subset of users but two very important users: root and vpxuser. Both of which can give you full rights to the system.
The panel agreed, with a segregated virtualization management network and trust zone, that the impact of this issue is reduced but does not go away.
vShield Zones Edge
On the most recent VMware Communities Podcast, VMware announced two new products that just entered public beta: vShield Zones Edge and vShield Zones for Apps. This is the second generation of vShield Zones products. Edge is designed to protect the edge networks by providing NAT, Port Redirection, and other Edge firewall capabilities. vShield App provides internal protection between the VMs within an App. They did not say, but one can surmise they are using VMsafe for vShield App at the very least.
Catbird and HyTrust held a webinar on their combined product earlier within the day, which we will add a link to when it is available. The conversation was continued during the podcast. For Government customers, this cooperative agreement provides a single way to purchase both products, a single SKU. With single SKUs to purchase hardware/software stacks it makes sense for there to be a single SKU to purchase a security stack.
Soon their will be a guide for configuring both tools to protect each other as well as the best way to configure policies between the products. As of now, they are two separate products that complement each other. HyTrust does not have competitors in their space, yet. Some consider HyTrust a competitor for their products but that is really based on how many dollars there are to spend on security, than a functional statement. HyTrust provides the management access controls while Catbird provides the networking component.
HyTrust Tags are equivalent to Catbird Trust Zones.
Is this truly End-to-End? I think not, but it is a dynamic combination, there is not a huge amount of log analyzing going on within these products, just enough to improve the decision process for authentication. Each product protects externally to the hypervisor as well, they control access to and from but not within, which may be infeasible if you are not the hypervisor vendor. For that, TPM/TXT may be the best mechanism.
Does this provide Secure Multi-Tenancy? From my definition no, but it does head in the proper direction by closing the gap on who can do what, how the system is accessed, etc. Without both Catbird and HyTrust, there were ways around the products that would allow an attacker to gain access they should not have had. Combining these products limits this mechanism to just the physical console. Which is nothing new. Granted, proper configuration of the tools is required, as is the use of HyTrust‘s root password vaulting.
You can get a Demo of HyTrust and Catbird from their websites. Give em both a try.
- HyTrust Community Edition
- Catbird’s Compliance Enforcer
What other Team-Ups would you like to see
The panel mentioned that they would like to see a common mechanism for setting policy between all parties. A standard mechanism so that data does not need to be replicated across all the tools, which makes it difficult for people to use. Since many products complement each other, having a single mechanism to set policy within the virtual environment would help everyone. DTMF and S/Cap were mentioned as possibilities.
The news of the week has been interesting. many new products, collaborations, and concerns have been raised. As we gear up for VMworld, we will see many more like this.