Archive for April, 2011
I really hope 2011 will be the year the security industry designs its solutions specifically for the virtualization platform, and we are on a good track. HP released its TippingPoint solution for VMware, Trend Micro has its anti-virus solution for vShield Endpoint called Deep Security 7.5, and now (today) Kaspersky announced that it will also support vShield Endpoint, meaning it will release this year an anti-malware solution designed to run via the virtualization layer, so that you no longer have to install anti-virus software inside your VMs.
“Kaspersky Lab is truly excited to support VMware vShield for our mutual customers. Our support of VMware vShield enables our clients to securely maintain state-of-the-art, multi-layered anti-malware strategies across virtual environments and heterogeneous IT infrastructures, with a level of performance and Total Cost of Protection that truly meets their business needs,” commented Nikolay Grebennikov, Chief Technology Officer at Kaspersky Lab.
No information yet on pricing or an actual shipping date. The Kaspersky folks are saying it is hard to get a commitment from the Russian programmers, but the company does see it as one of their top priorities.
Read more about Kaspersky’s announcement here.
Trend Micro, Kaspersky… where is the rest? I know Sophos has done technical previews of its solution as well, so hopefully they will soon bring a product to market. Here at the Infosecurity show in the UK, McAfee is showing off a solution with Citrix’s virtualization platform; Symantec has been quiet, but has also claimed it is working on a solution. With a bit of luck, by the end of 2011 all major anti-virus / anti-malware companies should have a product designed for virtualization. Or would that be too big a request for Santa?
Two weeks after the release of the vSphere 4.1 hardening guide, you might feel overwhelmed by the information in it. To help you understand how ‘badly’ your systems are configured compared to the hardening guide, VMware released today a free Compliance Checker for vSphere.
So of course I had to run the easy-to-install (it just requires Java) tool against my vSphere environment, and found out I am a bad admin, at least from a security perspective. The compliance checker does not only check the config of the ESX boxes but also the .vmx parameters of the individual VMs. Unfortunately the tool is not smart enough to show which VMs are lacking in security; it just shows that 50%, or 3 out of 6, VMs are not ‘compliant’. I guess you have to figure out yourself which 3 of the 6 VMs are correctly configured and which are not.
You can download the compliance checker here: http://www.vmware.com/products/datacenter-virtualization/vsphere-compliance-checker/overview.html
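Since the Compliance Checker only reports a percentage and not which VMs fail, here is an added Python sketch (not VMware's tool and not code from this blog) that parses .vmx files and lists the deviating keys per VM. The three isolation keys and their recommended values come from the 4.1 hardening guide; which keys a site enforces is an assumption, and the .vmx fragments are constructed.

```python
import re
# Three VM isolation settings from the vSphere 4.1 hardening guide, with the
# values the guide recommends. Which keys a site enforces is an assumption here;
# the guide's full VMX list is much longer.
EXPECTED = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.setGUIOptions.enable": "FALSE",
}

# Constructed .vmx fragments standing in for two VMs (not files from a real lab).
VMX_FILES = {
    "web01.vmx": '''\
displayName = "web01"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "true"
isolation.tools.setGUIOptions.enable = "FALSE"
''',
    "db01.vmx": '''\
displayName = "db01"
isolation.tools.copy.disable = "FALSE"
''',
}

VMX_LINE = re.compile(r'^\s*([^=\s]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Parse key = "value" lines into a dict; keys are compared case-insensitively."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def check_vm(text, expected=EXPECTED):
    """Return {key: (wanted, actual)} for every setting that deviates from the
    expected value; an absent key is reported with actual=None."""
    settings = parse_vmx(text)
    findings = {}
    for key, want in expected.items():
        actual = settings.get(key.lower())
        if actual is None or actual.upper() != want:
            findings[key] = (want, actual)
    return findings

def report(files):
    """Findings per VM, so you see which VMs fail instead of just a percentage."""
    return {name: check_vm(text) for name, text in files.items()}
```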
OK, virtualization geeks also need to have some fun. On Twitter a ‘competition’ seems to have broken out about who can best describe the VMware Stig, and if you like Top Gear and are a VMware fan, some of these should put a smile on your face:
Some say he can vMotion without having to select a resource pool. All we know is, he’s called the #TheVMwareStig
Some say his mac address is A1:A1:A1:A1:A1:A1 and that his average ping response time is 0ms. All I know is that he is #TheVMwareStig
Some say his home lab is a three host ESX cluster running on Commodore 64s with vCenter on a VIC-20. He is #TheVMwareStig
Some say he contracted VDI while in promiscuous mode, and that when he eats popcorn, he only eats the kernels. #TheVMwareStig
Some say he is vcdx000 & taught @DuncanYB @FrankDenneman and @vcdx001 everything they know. He is #TheVMwareStig, and he’s likely Dutch
Some say he dreams in PowerCLI and thinks Hyper-V is a curable disease, all we know is he’s called the #TheVMwareStig.
Follow and participate http://twitter.com/#search?q=thevmwarestig
Want to start with virtualization from scratch, and do it super simple? Well, hardware vendors are moving to a model where you can just buy a rack which contains all the compute, networking and storage resources you need, already wired up and configured, ready to go out of the box.
Dell’s vStart comes in 2 offerings: the vStart 100 and the vStart 200. The vStart 100 offers capacity for 100 VMs and the vStart 200 offers 200 VM capacity.
The 100 VM system will set you back $99,000 USD ($990 per VM) and the 200 VM system will start at $169,000 ($845 per VM).
Dell made a simple but nice-to-watch video to explain their vStart offering.
Please join VMware and friends on April 12th for a special live webcast about cloud application development.
Each new era of computing changes the way we build applications. Current and aspiring cloud developers are invited to learn more about the next step in building cloud applications.
The live webcast will feature leaders in the cloud development community, including Rod Johnson, Mark Lucovsky, Derek Collison, Ben Galbraith, Dion Almaer, Ryan Dahl, Ian McFarland, Roger Bodamer, Michael Crandell and others.
Please join us on April 12th for an exciting advance for cloud developers.
North American Audiences
9:00 a.m. Pacific Daylight (San Francisco, GMT-07:00)
12:00 p.m. Eastern Daylight (New York, GMT-04:00)
5:00 p.m. Western European Summer (London, GMT+1:00)
6:00 p.m. Europe Summer (Paris, GMT+02:00)
Not everyone seems to be aware of it, or takes security seriously enough, but VMware does release hardening guides for vSphere. The vSphere 4.1 guide was a while in the making, gathering feedback from the community, but yesterday VMware released the official version.
The guide covers topics from VMX parameters (special VM configuration settings), ESX host settings, vCenter setup and Virtual Networking guidelines.
One of the topics covered in the guide is ESXi logging (as I discussed in my post yesterday):
Another point is that, by default, the logs on ESXi are stored only in the in-memory file system. They are lost upon reboot, and only one day’s worth of logs are stored. Persistent logging to a datastore can be configured. It is recommended that this be done so that a dedicated record of server activity is available for that host.
Reading through the Hardening Guide does give me the feeling it requires a lot of manual tuning. As I only have 2 hosts in my environment, it is not a big deal for me, but I do feel sorry for some of you with 100+ hosts. Maybe someone should write a cool PowerShell script for this? (Any volunteers?) Update: I just got feedback that a Perl script does exist and can help you apply the hardening guide. I have not tested it myself, but you can find it here: http://communities.vmware.com/docs/DOC-11901
Eric Sloof just posted a video about VMinformer, an automated tool to apply the security hardening guidelines. It is a normal Windows application and, judging by the video, it seems easy to use. VMinformer is not a free tool; when I ran their TCO calculator it claimed the licensing cost for 100 hosts is $27600 USD. It does save a huge amount of manual labor, but I do find the cost quite high, especially as this license cost is per annum.
More info about VMinformer: http://www.vminformer.com/products/vmi-professional/
Doing it yourself with help, using PowerShell
Well, my question about anyone making a PowerShell script for this did get me some replies. I understand a new book is about to be released called VMware vSphere PowerCLI Reference: Automating vSphere Administration. Chapter 12 in this book is dedicated to hardening the vSphere environment. As the book is not published yet, I am not sure how much detail it will cover, but it might be worth a read.
More about the book: http://www.powerclibook.com/
Two weeks ago I attended the Black Hat security event in Barcelona, and it got me thinking about security around the VMware platform. At the show there was even a session about vulnerabilities in virtualized environments. Happy as I was to hear there were no major leaks in the ESX layer, it still got me thinking: if someone right now is trying to hack into my ESX hosts or my vCenter environment, would I know?
During Black Hat I also saw a tool demonstrated that I had never heard of. It is called OSSEC, is made by Trend, and is free for anyone to use. OSSEC is designed to centrally collect all the logs from servers, including ESX, ESXi and Windows (vCenter) servers, and analyze the entries to raise alerts when it detects something wrong, for instance a failed login. It can even raise the alert level when it notices multiple failed login attempts in a short time span; this could indicate that a brute-force attack is taking place.
I found that defining rules in OSSEC was quite simple, and was even more surprised that it came with default built-in VMware rules. Unfortunately these seem designed for 4.0, as I had to make some small changes for my 4.1 environment to accommodate VMware’s updated log syntax.
OSSEC’s success depends on the quality of the rule set, so I am really hoping more people with real-world VMware environments have a look at this and share their experiences on what would make good rules. To make this a bit easier, I have written a simple ‘manual’ on how to install OSSEC and configure ESXi hosts and vCenter servers to log remotely to the OSSEC server. You can find the instructions here: http://www.run-virtual.com/?page_id=690
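To show the kind of correlation described above (a low-level alert per failed login, escalated to a brute-force alert when several come from one source within a short window), here is an added Python sketch; it is not OSSEC itself and not code from this blog's manual. The log lines are constructed and only loosely modelled on sshd messages in an ESXi syslog stream, and the regex, alert levels and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, loosely modelled on sshd messages in an ESXi syslog
# stream. They are not captured from a real 4.1 host; real syntax differs between
# releases, which is why the post's author had to adjust OSSEC's built-in rules.
SAMPLE_LOG = """\
2011-04-20T10:00:01Z esx01 sshd[1201]: Failed password for root from 192.0.2.10 port 51022 ssh2
2011-04-20T10:00:03Z esx01 sshd[1203]: Failed password for root from 192.0.2.10 port 51023 ssh2
2011-04-20T10:00:04Z esx01 sshd[1205]: Failed password for admin from 192.0.2.10 port 51024 ssh2
2011-04-20T10:00:05Z esx01 sshd[1207]: Accepted publickey for root from 198.51.100.7 port 40000 ssh2
2011-04-20T10:00:06Z esx01 sshd[1209]: Failed password for root from 192.0.2.10 port 51025 ssh2
2011-04-20T10:30:00Z esx01 sshd[1301]: Failed password for root from 203.0.113.5 port 51030 ssh2
"""

# Decoder for the one event type this sketch cares about (assumed format).
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)"
)

def analyze(log_text, frequency=4, timeframe=timedelta(seconds=60)):
    """Return a list of (level, message) alerts. Every failed login yields a
    low-level alert; `frequency` failures from the same source inside
    `timeframe` are escalated to one high-level brute-force alert, mirroring
    OSSEC's frequency/timeframe correlation on a composite rule."""
    alerts = []
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a failed login (e.g. the accepted key above)
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        src = m["src"]
        alerts.append((5, f"failed login for {m['user']} on {m['host']} from {src}"))
        window = recent[src]
        window.append(ts)
        while ts - window[0] > timeframe:  # drop failures older than the window
            window.popleft()
        if len(window) >= frequency:
            alerts.append((10, f"possible brute force: {len(window)} failures "
                               f"from {src} within {int(timeframe.total_seconds())}s"))
            window.clear()  # fire once per burst, then start counting again
    return alerts
```

Tuning `frequency` and `timeframe` is exactly the rule-set discussion the post asks for: too low and noisy typos page you, too high and a slow attack never escalates.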
You might wonder (like I did), who cares? Should the VMware management environment not be on its own isolated network? Well, I found out that in the real world this is not the case. Last week I did a workshop around security with 15 customers, and I think all had an environment where any desktop in their company could access their vCenter and/or ESX hosts. So if any of these clients got infected by some kind of VMware virus, it could attack!
After hearing that so many people had their VMware environment ‘so’ exposed, I wondered: are there any ESX / vCenter servers directly attached to the internet? So the hacker in me decided to spend an evening building a ‘VMware scanner’. I made it fully multi-threaded (about 800 threads per program) and spun up 5 virtual machines running this scanner. This allowed me to scan roughly 4000 IP addresses every 30 seconds (the max winsock timeout)… The scanner was built using the VMware APIs, so it could not only detect if an IP was a VMware server but also what version and build number. Yes, requesting this information can be done ‘anonymously’ with no special permissions.
… 24 hours after starting the scan, and suffering from bad internet at home because all the scanner bots were eating up my outgoing bandwidth, I was completely shocked. Each of my scanner bots had long lists of ESX, ESXi and even vCenter server IP addresses, including some very old versions (which I wonder if they have fully patched).
Well, I do hope that none of your VMware boxes are directly attached to the internet, but the real world has shown that most people do have their VMware servers attached to their entire internal network. I understand the practical reason behind this, but you should then also make sure you have the right measures in place to detect any attacks.
I would suggest: try out OSSEC, let me know what you think and let’s share some good rule sets, so we can all detect the instant something ‘strange’ is going on, from security attacks to hardware failures.
The OSSEC/VMware install manual: http://www.run-virtual.com/?page_id=690