Since the early days of virtualization, people have theorized about the capability of an “escape the VM” type of attack. This is a hacker’s nirvana: to take over a running virtual guest and use it as a base from which to attack the underlying virtual host.
What is the significance of July 14, 2015? It is the end of extended support date for Windows Server 2003. This date is approaching faster than many administrators care to acknowledge, and the reality is that Windows Server 2003 just won’t be a viable operating system for production environments after that date.
We are trying out a new format for the Virtualization & Cloud Security Podcast: video. We’ll post it up on YouTube as well as posting it via Talkshoe and iTunes. In this episode, Mike Foley (@mikefoley) of VMware Technical Marketing joins me to discuss IoT security, the RSA Conference, and hardening guides. We have spoken about the last item quite a few times and featured the RSA Conference on a previous podcast as well. IoT security is now something very interesting.
At the GPU Technology Conference, NVIDIA CEO Jen-Hsun Huang and Tesla CEO Elon Musk talked about the security of a car. Musk stated that physical access is still required to hack most vehicles and that critical systems such as brakes and steering are segregated from the control display. This got me thinking about the security of the next generation of Internet of Things (IoT) devices.
In virtual and cloud environments, network traffic often flows into a virtualization, then back out, forwarded to another device, usually security, before it re-enters the virtual environment. I call this a “sadly defined network,” not software-defined. Many of my colleagues claim that this is not true. They say that an SDN keeps east-west traffic within the hypervisor and that north-south would not need to do this. I disagree. This will happen when bad design is implemented in virtual and physical security. “Ah!” some will say, “this is solved by micro-segmentation,” but that is not always true, either. Continue reading SDN: Sadly Defined Network
There is a growing movement to abstract hardware completely away, as we have discussed previously. Docker with SocketPlane and other application virtualization technologies are abstracting hardware away from the developer. Or are they? The hardware is not an issue, that is, until it becomes one. Virtualization may require specific versions of hardware, but these are commonplace components. Advanced security requires other bits of hardware, and those are uncommon; many servers do not ship with some of this necessary hardware. Older hardware may not deliver the chipset features needed to do security well. This doesn’t mean it can’t be done, but the overhead is greater. Hardware is dead to some, but not to others. This dichotomy drives decisions when buying systems for clouds or other virtual environments of any size. The hardware does not matter, until it does!