Virtualization.com

News and insights from the vibrant world of virtualization and cloud computing

virtsec

Invisible Things Lab: Hypervisors Mucho Hackable

by Leave a Comment

Security researchers from Invisible Things Lab claim will be demonstrating how easy it is to hack hypervisors at the next Black Hat conference in Las Vegas in August. More specifically, they’ll be discussing the (in)security of the Xen hypervisor, such as how to plant rootkits, how to bypass various hypervisor anti-subverting techniques, as well as how “Bluepills” (ah, that rang a bell) can be used in bare-metal hypervisor compromises. They plan on releasing proof-of-concept code.

From the Invisible Things blog:

The three presentations have been designed in such a way that they complement each other and create one bigger entirety, thus they can be referred as “Xen 0wning Trilogy” for brevity.

The three presentations that are mentioned, are the following:

  1. Subverting the Xen hypervisor
  2. Detecting and Preventing the Xen hypervisor subversions
  3. Bluepilling the Xen hypervisor

Should be interesting!

On a sidenote, this caveat in the Invisible Things Lab blog post is an interesting statement on its own:

It’s worth noting that we chose Xen as the target not because we think it’s insecure and worthless. On the contrary, we believe Xen is the most secure bare-metal hypervisor out there (especially with all the goodies in the upcoming Xen 3.3). Still we believe that it needs some improvements when it comes to security. We hope that our presentations will help making Xen (and similar hypervisors) more secure.

Do you agree?

[Source: Information Week]

Trustware Introduces BufferZone Pro 3.0

by Leave a Comment

Trustware, provider of application virtualization security technologies, recently unveiled a new version of its security software application, BufferZone Pro 3.0.

Trustware

While BufferZone Pro is mostly known for creating a virtual “buffer zone” around Internet facing applications, BufferZone Pro 3.0 adds a new feature called “privacy zone”. Beginning with Version 3.0, users are now able to both encapsulate their browser session and create a list of trusted Web sites used for confidential transactions such as banking, online trading or Intranet sites. Once defined, these trusted sites will always open within the “privacy zone,” thereby preventing identity thieves from stealing or gaining access to sensitive information such as social security numbers, banking information, or passwords. With BufferZone Pro 3.0, consumers can safely browse their favorite Web sites, as well as shop and bank online, without being afraid.

Based on virtualization technology, BufferZone Pro claims it creaties an impenetrable barrier that isolates Internet activity like Web browsing, instant messaging and peer-to-peer downloads, from the actual underlying PC’s operating system. This approach eliminates the need for file and traffic scanning as well as analysis of malicious code. Similarly, BufferZone Pro requires no signatures or security updates to perform its work. Its “set and forget” approach not only provides constant, always on protection, but also acts as an ideal partner for desktop firewalls and existing anti-virus solutions.

BufferZone Pro 3.0 for Windows XP is available immediately. Its suggested retail price of $39.95 includes one year of service and maintenance. BufferZone 3.0 for Windows Vista is available as a free beta version.

A Conversation About Virtualization Security, The Quotes

by 2 Comments

Last week, an interesting conference call took place with several industry leaders in the virtualization security (virtsec) area, initiated by Virtualization.com. The panel included:

  • Joe Pendry, Director of Marketing – StackSafe,
  • Kris Buytaert – Infrastructure Architect; Open Source Expert; Principle Consultant Inuits; Blogger & editor at Virtualization.xom,
  • Tarry Singh – Sr. Consultant, Blogger, Industry/Market Analyst; Founder & CEO of Avastu & editor at Virtualization.xom
  • Andreas Antonopoulos, SVP & Founding Partner – Nemertes Research
  • Allwyn Sequeira ,SVP & CTO – Blue Lane, Michael Berman, CTO – Catbird
  • Chris Hoff, Chief Security Architect – Systems & Technology Division and Blogger – Unisys
  • Hezi Moore, President, Founder & CTO – Reflex Security

We’ll publish the highlights from our conversations shortly, but as a teaser, here are some of the most interesting quotes:

“I don’t see much point in really thinking too much about five steps ahead, worrying about VM Escape, worrying about hypervisor security, etc. when we’re running Windows on top of these systems and they’re sitting there naked.”

“We’re dealing with virtualized storage, while nobody will ever raise their hand saying they’re a security expert when it comes to that.”

“More than 75 percent of the people we asked, how are you securing virtualized environments? Their answer was VLANs. That’s where we stand today.”

“This was a network guy and his email went: WTF, you need 30 VLANS on one server? That’s the first time he became aware of virtualization. That team wasn’t even working with him. And the first inkling he had when he got a request that was just so out of the norm he just didn’t know what was going on.”

“To me, security is like bell bottoms, every 10-15 years or so, it comes back into style.”

Watch Virtualization.com for more!

Catbird Delivers Virtual Infrastructure Security Assessment

by Leave a Comment

Catbird, virtualization security specialist and developer of the V-Agent virtual appliance, announced (PDF) today the industry’s “first and only” Virtual Infrastructure Security Assessment (VSA).

Catbird

Catbird’s VSA helps IT administrators identify and close the potential gaps in security and compliance created in the move from “P to V”. The 30-day assessment includes a security analysis, reports with actionable intelligence and a plan to mitigate risk and protect critical virtual systems, networks, desktops and processes.

The VSA aims to identify the scope and magnitude of the virtualization compliance gap through qualitative and quantitative analysis of the new architecture’s impact on change control, separation of duties, network visibility and segmentation, and secondary validation.

Catbird’s V-Security assessment starts by establishing a scope based on existing controls and best-practices on the physical infrastructure. Once the scope is defined, the team deploys Catbird’s V-Security to passively monitor the networks and check specific assets identified in the scope of work.

Catbird VSA clients receive their first report within 24 hours of setup. For the next four weeks, Catbird’s V-Security monitors and tests all network segments for gaps in security, integrity, management control, configuration and availability. Daily dashboard reports provide snapshots of the test results, which are then aggregated into a comprehensive report presented in an actions workshop by the assessment team. The final report identifies compliance and protection gaps, and contains explicit recommendations based on common best security practices to immediately correct each identified issue.

Catbird’s Virtual Infrastructure Security Assessment is delivered through its partners.

Who Owns Virtualization Security? The Hoff/Crosby Debate

by 5 Comments

We’ve decided to cross-publish a blog post by Gregory Ness, VP of Marketing for Blue Lane Technologies, because we think it delivers a good insight in the whole Hoff/Crosby debate about virtualization security (virtsec, if you will).

Gregory NessLast year when I blogged about the impact of virtsec on the world of static security I focused on how virtualization could degrade the effectiveness of security solutions. Since then we’ve seen a surge of vendor marketing around virtualization security (virtsec), from a growing corral of one trick pony start-ups with various Barney announcements (“I love you, you love me…”) to the likes of the world’s leading security companies joining VMware’s unprecedented, visionary VMsafe initiative.

Last month I blogged about data center security’s key requirements, which included virtsec. My point was that virtsec will require more intelligence and agility than perimeter network security, because it will need to be deployed within the hypervisor layer and will consume hypervisor resources. Simply moving deep packet regular expression inspection engines into the hypervisor layer could add big hypervisor footprints and/or unacceptable levels of latency. These problems aren’t new; they’ve been hidden by faster and faster dedicated hardware at the network perimeter.

That’s why I found a recent virtsec blog exchange between Hoff and Crosby so disconcerting. Two brilliant guys with two very different perspectives are arguing about the ownership and accountability of virtualization security. Chris Hoff is a security guru with a sizable following who has been among the most vocal on the virtsec challenge. Security blogger Rothman calls Hoff Captain Virtual because he has been on a tear when it comes to the blog debate around virtsec.

Simon Crosby is leading the virtualization charge for Xen/Citrix and he insists that virtualization platform vendors should stay focused on securing their platform versus the new infrastructure they’re enabling. Like Chris, Simon is one very smart guy with a deep technology background in virtualization. And from Simon’s perspective he doesn’t sound unreasonable.

The virtualization security debate thus far has had so many issues swept underneath it by various parties that it resembles a lumpy rug. Simon and Chris are exposing some of the lumps as they humor each other with comments about smoking cigars from the wrong end and the following (from Hoff):

“Focusing only on your little patch of grass is short-sighted and it won’t work. Just like it hasn’t worked in the past. It’s a disaster waiting to happen, and you’re enabling it”. – Hoff

The problem isn’t that these two very smart guys disagree; it’s rather that this disagreement promises to play itself out on a micro-level in enterprises around the world, as I commented last year in “VM Security- The Keys to the Virtualization Kingdom.” And no one stands to win, except those hoping for a slow adoption.

Perhaps Rothman is right to suggest that security will stay tactical and reactionary when it comes to virtsec, because that has been the recent history of netsec on many fronts. Yet if virtsec isn’t done right it could jeopardize the very flexibility and efficiency that virtualization enables. Strategic virtsec is an enabler of growth; tactical virtsec is a rocky road.
Rothman’s scenario seems to anticipate the rocky road: the slow and grinding deployment of hypervisors in production stretched out for years, as tactical decisions and budgets respond to new risks and events driven by cycles of hacks, reactionary regulatory responses and internal operations and security discussions. Feels a lot like the status quo today, doesn’t it? I hope he’s wrong.

The colorful and spirited debate between Hoff and Crosby is very symbolic of the issues we’ve discussed here since my initial virtsec blog in Feb 2007.

Unfortunately I think this debate risks becoming a metaphor for production data center virtualization; it feels to me like two different worlds colliding in a potentially myopic haze of finger-pointing and original sin debates. That scenario will not help Citrix/Xen virtualize production environments, and I think that is why Hoff’s points bear such weight. And I’m not sure that Crosby gets this given his thoughtful and understandable Mother of All Misunderstandings response to Hoff.

I think the mother of all misunderstandings is about to play itself out as “a funny thing happened on the way to the datacenter” scenario. When Caesar crossed the Rubicon he knew his security profile would change, but he still underestimated the Senate. If Citrix doesn’t show leadership (ala VMware and VMsafe, etc.) and instead talks about security as “other people’s problems” its growth in the data center could experience a thousand cuts Caesar style as internal conflicts and strife within customers (between the Hoff’s and Crosby’s) could demonize the incredible and undeniable power of virtualization to enhance data center security.

The virtualization and security vendors can either lead on this issue as an opportunity to enhance security today or merely create awareness around the new risks and dynamics and talk about far-off solutions that may one day work when the market matures. One strategy will lead to the faster deployment of hypervisors in production; the other will fulfill Rothman’s prediction.

Virtualization is a massive opportunity to escape the cycle of attack followed by tactical/regulatory response and establish a new order, with security pros getting powerful, flexible new capabilities to protect systems. That will require leadership and new thinking and a full appreciation by those who don’t want to relive the past. Security may turn out to be strategic to virtualization in ways that it couldn’t be strategic to the network. The hypervisor layer is perhaps the most substantial strategic security opportunity in many years. Let’s hope we leverage it to its fullest.