Virtualization.com

News and insights from the vibrant world of virtualization and cloud computing

virtualization security

Invisible Things Lab: Hypervisors Mucho Hackable

July 8, 2008 by Robin Wauters

Security researchers from Invisible Things Lab say they will demonstrate how easy it is to hack hypervisors at the next Black Hat conference in Las Vegas in August. More specifically, they’ll be discussing the (in)security of the Xen hypervisor, such as how to plant rootkits, how to bypass various hypervisor anti-subverting techniques, as well as how “Bluepills” (ah, that rang a bell) can be used in bare-metal hypervisor compromises. They plan on releasing proof-of-concept code.

From the Invisible Things blog:

The three presentations have been designed in such a way that they complement each other and create one bigger entirety, thus they can be referred as “Xen 0wning Trilogy” for brevity.

The three presentations mentioned are the following:

  1. Subverting the Xen hypervisor
  2. Detecting and Preventing the Xen hypervisor subversions
  3. Bluepilling the Xen hypervisor

Should be interesting!

On a side note, this caveat in the Invisible Things Lab blog post is an interesting statement in its own right:

It’s worth noting that we chose Xen as the target not because we think it’s insecure and worthless. On the contrary, we believe Xen is the most secure bare-metal hypervisor out there (especially with all the goodies in the upcoming Xen 3.3). Still we believe that it needs some improvements when it comes to security. We hope that our presentations will help making Xen (and similar hypervisors) more secure.

Do you agree?

[Source: Information Week]

Filed Under: News Tagged With: Black Hat, Black Hat conference, hacking, Hypervisor, hypervisor security, Invisible Things, Invisible Things Lab, Joanna Rutkowska, security, virtsec, virtualisation, virtualization, virtualization security, Xen, Xen hypervisor, Xen hypervisor security

Tresys Ships VM Fortress, Aims To Meet High End Desktop Virtualization Security Needs

June 19, 2008 by Robin Wauters

Tresys Technology, a provider of technology and services for customers with high security requirements, today announced (PDF) the availability of Tresys VM Fortress, a patent-pending secure desktop virtualization technology for organizations seeking strong security and operational integrity.

VM Fortress (not to be confused with vFortress, a company recently acquired by Propalms) aims to give organizations with high-end security needs the ability to use desktop virtualization without compromising protection, by strengthening the guest operating system and the virtualization software itself to withstand the most threatening of compromises.

According to the press release, VM Fortress benefits and market differentiators include:

  • Strong Endpoint Security: Providing strong, independent control over system resources by leveraging the flexible mandatory access control (MAC) features provided by Security Enhanced Linux (SELinux) to limit damage caused by exploitable vulnerabilities in virtual machines
  • Decreased Operational Costs: Removing the barrier of entry to desktop consolidation where security assurance is a high priority; leveraging stronger MAC security reduces the damage and costs to desktop environments should they become attacked
  • Increased Data Confidentiality & Integrity: Providing separation for the user and the application on a per VM basis, ensuring that data is not leaked across VMs and that applications cannot interfere with each other while sharing the same hardware resources
  • Increased Operational Integrity: Limiting the effects of attacks and errors, so that vulnerabilities in one VM cannot be exploited to gain access to other VMs or to the host operating system
  • Ease of Management/Deployment: Systems can be deployed over the network from a central installation server and VMs can be remotely downloaded on demand by the user

Filed Under: News Tagged With: desktop virtualization, desktop virtualization security, Tresys, Tresys Technology, Tresys VM Fortress, virtualisation, virtualization, virtualization security, VM Fortress

Trustware Introduces BufferZone Pro 3.0

June 17, 2008 by Robin Wauters

Trustware, provider of application virtualization security technologies, recently unveiled a new version of its security software application, BufferZone Pro 3.0.

While BufferZone Pro is mostly known for creating a virtual “buffer zone” around Internet facing applications, BufferZone Pro 3.0 adds a new feature called “privacy zone”. Beginning with Version 3.0, users are now able to both encapsulate their browser session and create a list of trusted Web sites used for confidential transactions such as banking, online trading or Intranet sites. Once defined, these trusted sites will always open within the “privacy zone,” thereby preventing identity thieves from stealing or gaining access to sensitive information such as social security numbers, banking information, or passwords. With BufferZone Pro 3.0, consumers can safely browse their favorite Web sites, as well as shop and bank online, without being afraid.

Based on virtualization technology, BufferZone Pro claims it creates an impenetrable barrier that isolates Internet activity like Web browsing, instant messaging and peer-to-peer downloads, from the actual underlying PC’s operating system. This approach eliminates the need for file and traffic scanning as well as analysis of malicious code. Similarly, BufferZone Pro requires no signatures or security updates to perform its work. Its “set and forget” approach not only provides constant, always on protection, but also acts as an ideal partner for desktop firewalls and existing anti-virus solutions.

BufferZone Pro 3.0 for Windows XP is available immediately. Its suggested retail price of $39.95 includes one year of service and maintenance. BufferZone 3.0 for Windows Vista is available as a free beta version.

Filed Under: News Tagged With: application virtualization security, BufferZone, BufferZone Pro, BufferZone Pro 3.0, Trustware, Trustware BufferZone, virtsec, virtualisation, virtualization, virtualization security

CloudShield Helps Service Providers Virtualize Network Appliances

June 12, 2008 by Robin Wauters

CloudShield Technologies, a provider of services management and infrastructure security solutions, has announced (PDF) a new release of CPOS, a packet processing operating system which aims to reduce the cost and environmental impact of implementing high-traffic converged IP networks.

The new version of CPOS enables service providers and federal organizations to run multiple stand-alone applications simultaneously on a CloudShield platform or blade, with the ability to share applications across different departments or with other organizations. The latest version of CPOS also features a graphical ‘Virtual Patch Panel’ configuration environment, enabling the installation or reconfiguration of virtual appliances without service interruptions.

To guarantee reliable service, service providers deploy these appliances in pairs each sized with surplus processing capacity. Each would likely have a different management interface. With CloudShield, all of these functions can be delivered as discrete applications running on top of CPOS on a single CloudShield platform or blade. Also, the total amount of processing capacity can be reduced because surplus capacity can be shared across these four applications, thereby reducing the carbon footprint.

The new Virtual Patch Panel enables service providers to graphically add, reconfigure or re-sequence applications in real-time without requiring any network downtime. Previously, it wasn’t possible to completely repurpose a network device without taking it off-line or without dropping any packets.

CPOS is available immediately for service providers and national governments.

[Source: VMBlog]

Filed Under: News Tagged With: CloudShield, CloudShield CPOS, CloudShield Virtual Patch Panel, CPOS, infrastructure security, network appliances, network virtualization, Virtual Patch Panel, virtualisation, virtualization, virtualization security

A Conversation About Virtualization Security, The Quotes

June 11, 2008 by Kris Buytaert

Last week, an interesting conference call took place with several industry leaders in the virtualization security (virtsec) area, initiated by Virtualization.com. The panel included:

  • Joe Pendry, Director of Marketing – StackSafe
  • Kris Buytaert – Infrastructure Architect; Open Source Expert; Principal Consultant Inuits; Blogger & editor at Virtualization.com
  • Tarry Singh – Sr. Consultant, Blogger, Industry/Market Analyst; Founder & CEO of Avastu & editor at Virtualization.com
  • Andreas Antonopoulos, SVP & Founding Partner – Nemertes Research
  • Allwyn Sequeira, SVP & CTO – Blue Lane
  • Michael Berman, CTO – Catbird
  • Chris Hoff, Chief Security Architect – Systems & Technology Division and Blogger – Unisys
  • Hezi Moore, President, Founder & CTO – Reflex Security

We’ll publish the highlights from our conversations shortly, but as a teaser, here are some of the most interesting quotes:

“I don’t see much point in really thinking too much about five steps ahead, worrying about VM Escape, worrying about hypervisor security, etc. when we’re running Windows on top of these systems and they’re sitting there naked.”

“We’re dealing with virtualized storage, while nobody will ever raise their hand saying they’re a security expert when it comes to that.”

“More than 75 percent of the people we asked, how are you securing virtualized environments? Their answer was VLANs. That’s where we stand today.”

“This was a network guy and his email went: WTF, you need 30 VLANS on one server? That’s the first time he became aware of virtualization. That team wasn’t even working with him. And the first inkling he had when he got a request that was just so out of the norm he just didn’t know what was going on.”

“To me, security is like bell bottoms, every 10-15 years or so, it comes back into style.”

Watch Virtualization.com for more!

Filed Under: Featured, Interviews, People Tagged With: Allwyn Sequeira, Andreas Antonopoulos, Avastu, Blue Lane, Catbird, conference call, interview, Inuits, Joe Pendry, Kris Buytaert, Michael Berman, Nemertes Research, quotes, StackSafe, Tarry Singh, virtsec, virtualisation, virtualization, virtualization security

Catbird Delivers Virtual Infrastructure Security Assessment

June 3, 2008 by Robin Wauters

Catbird, virtualization security specialist and developer of the V-Agent virtual appliance, announced (PDF) today the industry’s “first and only” Virtual Infrastructure Security Assessment (VSA).

Catbird’s VSA helps IT administrators identify and close the potential gaps in security and compliance created in the move from “P to V”. The 30-day assessment includes a security analysis, reports with actionable intelligence and a plan to mitigate risk and protect critical virtual systems, networks, desktops and processes.

The VSA aims to identify the scope and magnitude of the virtualization compliance gap through qualitative and quantitative analysis of the new architecture’s impact on change control, separation of duties, network visibility and segmentation, and secondary validation.

Catbird’s V-Security assessment starts by establishing a scope based on existing controls and best-practices on the physical infrastructure. Once the scope is defined, the team deploys Catbird’s V-Security to passively monitor the networks and check specific assets identified in the scope of work.

Catbird VSA clients receive their first report within 24 hours of setup. For the next four weeks, Catbird’s V-Security monitors and tests all network segments for gaps in security, integrity, management control, configuration and availability. Daily dashboard reports provide snapshots of the test results, which are then aggregated into a comprehensive report presented in an actions workshop by the assessment team. The final report identifies compliance and protection gaps, and contains explicit recommendations based on common best security practices to immediately correct each identified issue.

Catbird’s Virtual Infrastructure Security Assessment is delivered through its partners.

Filed Under: News Tagged With: Catbird, Catbird V-Agent, Catbird V-Security, Catbird Virtual Infrastructure Security Assessment, Catbird VSA, V-Agent, V-Security, virtsec, Virtual Infrastructure Security Assessment, virtualisation, virtualization, virtualization security, VSA
