TakeDownCon Dallas: Virtualization Security is NOT just about the Virtual Host

If there was any take-a-way from TakeDownCon Dallas related to virtualization, it was that the virtualization host is not the primary attack point but all the ancillary systems that touch it. These systems may not even be considered part of the virtual environment but they certainly can impact the security of the environment. I saw at TakeDownCon Dallas the following attacks:

  • Oracle elevation of privileges from a regular user to a DBA
  • Attack that left me with an administrative shell access on a vCenter host
  • Simple ways to bypass firewalls
  • Web shell attacks that gave me administrative privileges

Plus many more, but it got me to thinking about the security of the virtual environment as a whole and I just do not think hardening guides go far enough. Let us take the simple case of securing VMware vCenter, XenCenter, or Microsoft SCOM. These are all critical systems but they reside on Microsoft windows operating systems. A good hacker could get into a windows box in less than 20 seconds. Virtualizing the network and server does not change this possibility.  Or let’s go even deeper, and attack a database such as Oracle,  there are easy to implement attacks that could convert an regular Oracle user to a DBA with full rights to create, modify, and steal records without the need to touch the virtual environment directly. There are similar attacks as well for DB2, and MSSQL.

Even the supposed bastions are failing as well. There are some people who can bypass some of the most expensive security measures in use today. One showed us how to do it with just a pen. Once inside a secure location, setting up remote access was trivial. We have been saying this for a while and it applies today even more than ever, firewalls are important but are not the savior of virtual environment security. Which leaves the question: What is needed for virtual environment security and hence cloud security? I believe we need to change our mindset, it is not about protecting the network, but protecting the data. Protecting the network is just one phase of this.

Firewalls, protect the network but they may not actually protect the data. A case in point was the ease in which web shells can be executed on hosts over perfectly legitimate network ports. Web shells allow you to gain access to what is running underneath the web servers. So how does this impact the virtual environment? We use web appliances more and more within the management of the virtual environment and as such are suspect, unless you have run these attacks yourself.

Perhaps my direct management tools are protected with defense in depth measures such as multiple firewalls, role-based access controls, and the latest Honeypoint Wasp environment, but if an ancillary system such as the database is not protected, it becomes fairly easy to break into the system. So what is the solution? Think about your data, provide a defense in depth, that has the necessary multi-layer security, that provides for integrity and confidentiality as well as availability. A key to this is realizing just where all your data resides and how it moves about your network and systems. So ask yourself:

  • Where does the data live?
  • To where does the data move?
  • What accesses the data?

And a host of other data-centric questions. Our hardening guides and security guidelines for the virtual environment need to expand to include the locations of sensitive data which implies the ancillary systems such as Oracle, MSSQL, Microsoft Windows, DB2, Linux, Active Directory, etc. etc. We need to be serious about the security of those things that directly or indirectly touch or are touched by a virtualization host until we know where all the data resides.

2011 05 23 08 17 421
Figure 1: Virtual Environment Ancillary Systems

In Figure 1, we layout within the red box those ancillary systems that could hold virtual environment data and where they normally sit on the network. Some of these would be easy to move to the multi-layer virtual management network, but not all and perhaps not many due to the data they hold for other non-virtualization subsystems. Should we mirror these into a secure location? But if we do how do we handle updates, etc. The key is to realize that such exist, how they are normally accessed, and how to provide the necessary security? Perhaps we need a ancillary system two stage network like we did for the virtual environment management network, with defense in depth to provide multi-layer security. But in either case, everyone is responsible for security including all virtualization administrators.