Monday, July 24, 2006
I've mentioned RFID security topics several times in the past. Today it's worth mentioning that, while MasterCard is extending the trial of its new PayPass (an RFID-powered debit card) in Turkey, a couple of security researchers at the HOPE conference demonstrated how to clone the RFID code from a chip implanted in a human.
Meanwhile the RFID Guardian project produced a prototype RFID scrambler, able to spoof RFIDs and jam proximity readers in a selective manner (watch the introduction video here).
RFID Guardian is meant to defend privacy, but I can immediately see a malicious application: just consider unauthenticated RFID tags deployed in supermarkets, where customers armed with this tool could jam the real product identifiers and spoof them with those of much less expensive goods.
It's fun to see how far real-world implementation lags behind security research.
Wednesday, July 19, 2006
Network protocols poster
Networking is strictly tied to security: knowing TCP/IP thoroughly is the very first step toward a full understanding of network computing and its security.
A must-have in this learning path is a wall-sized poster of all the major network protocols around, possibly including the latest VoIP and IPv6 implementations.
I lost a lot of time searching the web for one and finally found a great one, made and kept up to date by RADCOM, in the most obvious place: Protocols.com.

I mirrored a copy of it (since I cannot see any copyright notice on it), but be sure to grab the latest version from the original location.
Saturday, July 15, 2006
Controlling the mobile sales force with VMware ACE
One of the most complex things an IT Manager or Security Manager has to face in a corporate environment is keeping the mobile computer population under control.
Laptops, PDAs and smartphones are all critical infection vectors: they are under control when sitting behind a company's million-dollar security infrastructure, but totally at risk when connected to home or public networks during their owners' daily travels.
Infection of these devices, and the consequent compromise of the corporate network, is not the only problem: they usually store sensitive business data and hold configurations able to reach the inner parts of the company datacenter with ease. As soon as a laptop is stolen, an IT Manager has to handle something even more painful than a virus infection: an authorized remote access with partial or complete clearance to confidential information.
Today's products can hardly mitigate these kinds of scenarios, and upcoming endpoint security technologies are only partially committed to solving problems like the ones described.
A really effective solution is provided by a virtualization product from VMware called Assured Computing Environment (ACE).
ACE is a special version of VMware Workstation featuring a powerful and flexible security wrapper, able to control in a centralized way how a virtual machine interacts with the outside world, at both host and guest level.
In this article we'll describe a real-world scenario where ACE is a perfect fit for handling all the security and privacy issues that arise.
The problem
Our scenario today involves an SMB company working in a small niche of the provisioning market, where competition is very aggressive.
The company bases the majority of its revenue on its territory sales force, carrying out direct sales at customers' sites.
Sales agents are required to order customers' material through an online provisioning portal. They also have to access the company intranet over a VPN, using a custom application to view, modify or cancel ongoing orders and to verify their commissions.
The company develops its own order management application for the Windows operating system but doesn't adopt Microsoft Active Directory.
To lower costs the company staffs its sales force with contractors, who are required to provide their own computer equipment.
On these machines the company IT staff has to install and regularly update the order management application, an Internet browser able to access the online portal without problems, and the VPN client.
The scenario presents many problems for IT management:
- Centralized control: Sales agents have to move around their territory with laptops, often where no Internet connectivity is available, and the company cannot count on the Group Policy feature offered by Active Directory: laptops are not easily controllable in a centralized way.
- Heterogeneous environments: Sales agents provide their own computer equipment, which means the IT staff has no guarantee that the operating system will always be secure enough for corporate network remote access and compatible with the company provisioning application.
- Data disclosure: Sales agents have complete control over their laptops and can illegally replicate corporate data on personal storage for different purposes: backup, personal benefit, etc. At the same time, equipment can get lost or stolen, leaking downloaded data and configuration details for company remote access.
In our particular scenario the computer equipment is also owned by the sales agents, and when they resign they are not obliged to give anything back.
Last but not least, sales agents could sell a copy of their application to competitors, providing them with continuous access to corporate data.
The VMware ACE solution
To address the security issues of this scenario with ACE, we'll create a minimally configured, secured and compatible operating system inside a virtual machine, where we will install and set up the company order management application, a browser working with the online provisioning portal and the VPN client for the corporate network.
Then we'll limit this virtual machine's ability to reach external networks, also preventing it from being moved or copied around. Finally, we'll ship it as a 1-click installation package to be deployed on every sales agent's laptop.
Preparing the virtual machine
The first step is creating the desired virtual machine. We can do this either by creating a new one from scratch inside the ACE environment, which is practically identical to the Workstation one, or by importing an existing virtual machine created with another VMware product.
In the second case we should act carefully: if we created our VM with Workstation 5.x, it will not be usable inside ACE.
This compatibility issue exists because, at the time of writing, VMware is shipping Workstation 5.5.1 and ACE 1.0.2, which only works with virtual hardware coming from the Workstation 4.x family.
Luckily there is a solution: VMware is working on a product called Virtual Machine Importer 2.0, currently available only as a beta, which is able to convert recent virtual machine hardware to the legacy hardware that works with Workstation 4.x products and ACE 1.0.2:

It's a waste of time trying to do the same with the released Virtual Machine Importer 1.5, because that version cannot work on VMware virtual machines, only on third-party images.
Defining security policy
After the virtual machine has been created or imported, it's time to define the security policy that limits network access and availability.
One of the biggest security needs here is to prevent corporate data from being illegally accessed or copied, and to prevent users from manipulating the virtual machine configuration to work around restrictions.
To achieve both objectives we can configure encryption for the virtual machine image and configuration files, and require the creation of a complex password to access them:

Note that, to avoid a management nightmare, we also have to set up an administrative password for recovery purposes, which will generate a recovery key:

Finally, we have to prevent the virtual machine from being copied:

Confidential information can also leak by being copied to a USB memory stick, a floppy or a recordable CD-ROM.
A possible approach would be to create the original virtual machine without these devices in the first place, but that is impractical for administrative tasks or future needs.
So it's better to configure ACE to block access to the existing virtual devices without removing them:

The last and most critical medium, the network, has to be restricted as well, both against data leaking and the risk of security compromise: as we already said, a compromise could both ruin the safety of the local environment, preventing business applications from working correctly, and propagate into the corporate network when connected over the VPN.
ACE helps us with all these problems by offering 4 kinds of network quarantine. We'll use the version-based dynamic quarantine:

To maintain the tightest control we want our virtual machine to check for the latest available network quarantine policy at every startup and on a regular basis.
In this way we can update the restrictions as needed just by updating a single file:

Consider that the quarantine policy check and update is done at the host level and not at the virtual machine level, so we should put our policy file in a location easily reachable from any point on the Internet (like a non-linked and non-indexed directory on the company's website).
At the same time, since sales agents in our scenario are not always connected, we want to permit them to work even without checking the policy, allowing policy caching that expires after a week:

If, for any reason, the virtual machine doesn't update its quarantine policy after the caching period, it goes into a restricted status, limiting access to resources even more.
So while in the allowed status it can reach corporate intranet servers for data access, in the restricted status it loses this permission, accessing only the security servers for antivirus checking and patch management.


Now that we have defined the limitations on the virtual machine's interaction with the real world, we have to handle the case in which sales agents resign and, in our scenario, don't have to give back any equipment.
Let's define an expiration date for the virtual machine, with a warning before the last day so that renewed contractors can request an IT staff intervention:

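The policy lifecycle described in this section (a policy check at every startup and at regular intervals, a cache that expires after a week, fallback to restricted status where only the security servers stay reachable, and an expiration date with a warning), modelled in Python as an added example. This is not ACE's own code or policy format: the host names, the policy layout, the 14-day warning window and the rule used to compare policy versions are assumptions.

```python
"""Model of the quarantine policy lifecycle described in the article.

Added example, not ACE code: the policy layout, the host names, the
version-comparison rule and the warning window are assumptions; the
one-week cache and the allowed/restricted behaviour follow the article.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

CACHE_LIFETIME = timedelta(days=7)      # cached policy is honoured for a week
EXPIRY_WARNING = timedelta(days=14)     # assumed warning window before VM expiry

# Constructed sample policy, as IT staff would publish it on the company website.
SAMPLE_POLICY: Dict = {
    "version": 3,
    "allowed": {
        "intranet.example.internal",
        "orders.example.internal",
        "av.example.internal",
        "patches.example.internal",
    },
}
# What stays reachable in restricted status: only the security servers
# for antivirus checking and patch management.
RESTRICTED_HOSTS = {"av.example.internal", "patches.example.internal"}


@dataclass
class QuarantineState:
    """Host-side view of the policy: what was last fetched, and when."""
    policy: Optional[Dict] = None
    fetched_at: Optional[datetime] = None

    def refresh(self, now: datetime, fetch: Callable[[], Dict]) -> bool:
        """Check for a newer policy (done at startup and periodically).

        fetch() returns the published policy or raises OSError when offline.
        Assumed 'version-based' rule: adopt the download only if its version
        is higher than the cached one; any successful check renews the cache.
        """
        try:
            latest = fetch()
        except OSError:
            return False
        if self.policy is None or latest["version"] > self.policy["version"]:
            self.policy = latest
        self.fetched_at = now
        return True

    def status(self, now: datetime) -> str:
        """'allowed' while a fresh policy is cached, otherwise 'restricted'."""
        if self.policy is None or self.fetched_at is None:
            return "restricted"          # never fetched: fail closed
        if now - self.fetched_at > CACHE_LIFETIME:
            return "restricted"          # cache expired without a refresh
        return "allowed"

    def may_reach(self, host: str, now: datetime) -> bool:
        """Destination check under the current status."""
        if self.status(now) == "allowed":
            return host in self.policy["allowed"]
        return host in RESTRICTED_HOSTS


def vm_expiry_state(today: date, expires_on: date,
                    warning: timedelta = EXPIRY_WARNING) -> str:
    """'expired', 'warning' (inside the warning window) or 'ok'."""
    if today > expires_on:
        return "expired"
    if expires_on - today <= warning:
        return "warning"
    return "ok"


def run_trip(days_online: List[int], trip_days: int = 10) -> List[Tuple[int, str]]:
    """Simulate a sales trip: the host tries a policy check every day, but the
    check only succeeds on the days listed in days_online (constructed input).
    Returns the quarantine status observed on each day of the trip."""
    start = datetime(2006, 7, 15, 9, 0)
    state = QuarantineState()
    log: List[Tuple[int, str]] = []
    for day in range(trip_days):
        now = start + timedelta(days=day)
        online = day in days_online

        def fetch() -> Dict:
            if not online:
                raise OSError("no connectivity")
            return SAMPLE_POLICY

        state.refresh(now, fetch)
        log.append((day, state.status(now)))
    return log


if __name__ == "__main__":
    # Connectivity only on the first day: the cache carries the VM through
    # day 7, and from day 8 it drops to restricted status.
    for day, status in run_trip(days_online=[0]):
        print(f"day {day:2d}: {status}")
```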
Distributing the package
Once we have completely defined the virtual machine and the ACE environment policies, we can assemble the distribution package.
For the first deployment we'll ask to include every part of the solution, while for subsequent updates, if needed, we'll package just the virtual machine part:

An ACE package can easily become very large, and deployment can become pretty complex. To simplify delivery we just have to ask ACE to split the executable package into several CD-sized or DVD-sized images:

Installation is a 1-click operation without further intervention, and the final user interface is almost identical to the one offered by the free VMware Player: the virtual machine can be powered on with a single button, and if the sales agent is in a hurry and cannot shut down the operating system, it will be suspended until the next use.
Bottom line
It's no secret that VMware never pushed ACE as much as more popular products like Workstation or ESX Server, but it turned out to be a great product for managing hard-to-control productivity environments.
At the price of $795 for ACE Manager (which can also be used as a standard Workstation installation) and $99 for each ACE virtual machine, this product can easily be a more affordable solution than traditional security alternatives for addressing the issues of this scenario and others not contemplated here, and customers should seriously consider it when planning their security strategy.
This article originally appeared on SearchServerVirtualization.com.
Thursday, July 13, 2006
Top 20 best free tools for security attack and defense
Fyodor, author of the world-famous Nmap port scanner, published the 2006 list of the top 100 security tools most appreciated by his readers.
I disagree with the list name, since a lot of the mentioned products are not really about network security (some of them are not even specifically for security). I also feel too many categories are messed up together.
I would prefer a different order, but many of my tools of choice are there.
Taking descriptions from the list (where available) and adding some missing tools, here's my personal top 20 best free tools for security, divided into attacking tools and defending tools (a dangerous distinction to make, but I'll take the risk):
Attacking tools
1. Wireshark
Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is a fantastic open source network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types. A tcpdump-like console version named tethereal is included. One word of caution is that Ethereal has suffered from dozens of remotely exploitable security holes, so stay up-to-date and be wary of running it on untrusted or hostile networks (such as security conferences).
2. Nmap
Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available.
3. Cain & Abel
UNIX users often smugly assert that the best free security tools support their platform first, and Windows ports are often an afterthought. They are usually right, but Cain & Abel is a glaring exception. This Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. It is also well documented.
4. Ophcrack LiveCD
The Ophcrack LiveCD is a bootable Linux CD-ROM containing ophcrack 2.2 and a set of rainbow tables (SSTIC04-10k). It allows for testing the strength of passwords on a Windows machine without having to install anything on it. Just put it into the CD-ROM drive, reboot and it will try to find a Windows partition, extract its SAM and start auditing the passwords.
5. Yersinia
Yersinia is a low-level protocol attack tool useful for penetration testing. It is capable of many diverse attacks over multiple protocols, such as becoming the root role in the Spanning Tree (Spanning Tree Protocol), creating virtual CDP (Cisco Discovery Protocol) neighbors, becoming the active router in an HSRP (Hot Standby Router Protocol) scenario, faking DHCP replies, and other low-level attacks.
6. Metasploit
Metasploit took the security world by storm when it was released in 2004. No other new tool even broke into the top 15 of this list, yet Metasploit comes in at #5, ahead of many well-loved tools that have been developed for more than a decade. It is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. It ships with hundreds of exploits, as you can see in their online exploit building demo. This makes writing your own exploits easier, and it certainly beats scouring the darkest corners of the Internet for illicit shellcode of dubious quality. Similar professional exploitation tools, such as Core Impact and Canvas already existed for wealthy users on all sides of the ethical spectrum. Metasploit simply brought this capability to the masses.
7. SiteDigger
SiteDigger searches Google's cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites.
8. Helix LiveCD
Helix is a customized distribution of the Knoppix Live Linux CD. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized Linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics. Helix has been designed very carefully to NOT touch the host computer in any way and it is forensically sound. Helix will not auto mount swap space, or auto mount any attached devices. Helix also has a special Windows autorun side for Incident Response and Forensics.
9. Paros
A Java based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.
10. AirCrack
Aircrack is a suite of tools for 802.11a/b/g WEP and WPA cracking. It can recover a 40 through 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA 1 or 2 networks using advanced cryptographic methods or by brute force. The suite includes airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).
Defending tools
1. Sysinternals utilities (Process Explorer, Filemon, Regmon, Autoruns, TCPView)
Sysinternals provides many small Windows utilities that are quite useful for low-level Windows hacking. Some are free of cost and/or include source code, while others are proprietary.
2. pfSense LiveCD
pfSense is an open source firewall derived from the m0n0wall operating system platform with radically different goals, such as using OpenBSD's ported Packet Filter, FreeBSD 6.1 ALTQ (HFSC) for excellent packet queueing and finally an integrated package management system for extending the environment with new features.
3. AVG AntiVirus
AVG Anti-Virus Free is a free anti-virus protection tool developed by GRISOFT for home use.
4. ASSP
The Anti-Spam SMTP Proxy (ASSP) Server project is an open source platform-independent SMTP Proxy server which implements whitelists and Bayesian filtering to rid the planet of the blight of unsolicited email (UCE). UCE must be stopped at the SMTP server. Anti-spam tools must be adaptive to new spam and customized for each site's mail patterns. This free, easy-to-use tool works with any mail transport and achieves these goals requiring no operator intervention after the initial setup phase.
5. OpenVPN
OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access controls.
6. Kiwi Syslog (+ Snare agents)
Kiwi Syslog Daemon is a freeware Syslog Daemon for Windows. It receives, filters, logs, displays and forwards Syslog messages and SNMP traps from hosts such as routers, switches, Unix hosts and any other syslog enabled device.
Snare agents are syslog events generators for several platforms able to forward data to any syslog daemon on the network.
7. Snort (+ BASE + IDS Policy Manager)
This lightweight network intrusion detection and prevention system excels at traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine.
BASE is a PHP-based analysis engine to search and process a database of security events generated by various IDSs, firewalls, and network monitoring tools. Its features include a query-builder and search interface for finding alerts matching different patterns, a packet viewer/decoder, and charts and statistics based on time, sensor, signature, protocol, IP address, etc.
IDS Policy Manager was written to manage Snort IDS sensors in a distributed environment.
This is done by taking the text configuration files and allowing you to modify them with an easy-to-use graphical interface. With the added ability to merge new rule sets, manage preprocessors, configure output modules and securely copy rules to sensors, IDS Policy Manager makes managing Snort easy for most security professionals.
8. GnuPG
PGP is the famous encryption program by Phil Zimmermann which helps secure your data from eavesdroppers and other risks. GnuPG is a very well-regarded open source implementation of the PGP standard (the actual executable is named gpg).
9. Password Safe
Password Safe is an Open Source (free) tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords.
10. TrueCrypt
TrueCrypt is an excellent open source disk encryption system. Users can encrypt entire filesystems, which are then on-the-fly encrypted/decrypted as needed without user intervention beyond entering their passphrase initially. A clever hidden volume feature allows you to hide a 2nd layer of particularly sensitive content with plausible deniability about whether it exists. Then if you are forced to give up your passphrase, you give them the first-level secret. Even with that, attackers cannot prove that a second level key even exists.
Note that all of them run on Windows (who said Microsoft platforms cannot be used for security?), except the LiveCDs and Yersinia (which I hope will be ported sooner or later).
6. Metasploit
Metasploit took the security world by storm when it was released in 2004. No other new tool even broke into the top 15 of this list, yet Metasploit comes in at #5, ahead of many well-loved tools that have been developed for more than a decade. It is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. It ships with hundreds of exploits, as you can see in their online exploit building demo. This makes writing your own exploits easier, and it certainly beats scouring the darkest corners of the Internet for illicit shellcode of dubious quality. Similar professional exploitation tools, such as Core Impact and Canvas already existed for wealthy users on all sides of the ethical spectrum. Metasploit simply brought this capability to the masses.
7. SiteDigger
SiteDigger searches Google's cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites.
8. Helix LiveCD
Helix is a customized distribution of the Knoppix Live Linux CD. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized Linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics. Helix has been designed very carefully to NOT touch the host computer in any way and it is forensically sound. Helix will not auto mount swap space, or auto mount any attached devices. Helix also has a special Windows autorun side for Incident Response and Forensics.
9. Paros
A Java based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.
10. AirCrack
Aircrack is a suite of tools for 802.11a/b/g WEP and WPA cracking. It can recover a 40 through 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA 1 or 2 networks using advanced cryptographic methods or by brute force. The suite includes airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).
Defending tools
1. Sysinternals utilities (Process Explorer, Filemon, Regmon, Autoruns, TCPView)
Sysinternals provides many small Windows utilities that are quite useful for low-level Windows hacking. Some are free of cost and/or include source code, while others are proprietary.
2. pfSense LiveCD
pfSense is an open source firewall derived from the m0n0wall operating system platform, with radically different goals such as using OpenBSD's ported Packet Filter, FreeBSD 6.1 ALTQ (HFSC) for excellent packet queueing and, finally, an integrated package management system for extending the environment with new features.
3. AVG AntiVirus
AVG Anti-Virus Free is a free anti-virus protection tool developed by GRISOFT for home use.
4. ASSP
The Anti-Spam SMTP Proxy (ASSP) Server project is an open source platform-independent SMTP Proxy server which implements whitelists and Bayesian filtering to rid the planet of the blight of unsolicited email (UCE). UCE must be stopped at the SMTP server. Anti-spam tools must be adaptive to new spam and customized for each site's mail patterns. This free, easy-to-use tool works with any mail transport and achieves these goals requiring no operator intervention after the initial setup phase.
5. OpenVPN
OpenVPN is a full-featured SSL VPN solution which can accommodate a wide range of configurations, including remote access, site-to-site VPNs, WiFi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access controls.
6. Kiwi Syslog (+ Snare agents)
Kiwi Syslog Daemon is a freeware Syslog Daemon for Windows. It receives, filters, logs, displays and forwards Syslog messages and SNMP traps from hosts such as routers, switches, Unix hosts and any other syslog enabled device.
Snare agents are syslog event generators for several platforms, able to forward data to any syslog daemon on the network.
7. Snort (+ BASE + IDS Policy Manager)
This lightweight network intrusion detection and prevention system excels at traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine.
BASE is a PHP-based analysis engine to search and process a database of security events generated by various IDSs, firewalls, and network monitoring tools. Its features include a query-builder and search interface for finding alerts matching different patterns, a packet viewer/decoder, and charts and statistics based on time, sensor, signature, protocol, IP address, etc.
IDS Policy Manager was written to manage Snort IDS sensors in a distributed environment. It takes the text configuration files and lets you modify them through an easy-to-use graphical interface. With the added ability to merge new rule sets, manage preprocessors, configure output modules and securely copy rules to sensors, IDS Policy Manager makes managing Snort easy for most security professionals.
8. GnuPG
PGP is the famous encryption program by Phil Zimmermann which helps secure your data from eavesdroppers and other risks. GnuPG is a very well-regarded open source implementation of the PGP standard (the actual executable is named gpg).
9. Password Safe
Password Safe is an Open Source (free) tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords.
10. TrueCrypt
TrueCrypt is an excellent open source disk encryption system. Users can encrypt entire filesystems, which are then encrypted/decrypted on the fly as needed without user intervention beyond entering their passphrase initially. A clever hidden volume feature allows you to hide a second layer of particularly sensitive content with plausible deniability about whether it exists. Then if you are forced to give up your passphrase, you give them the first-level secret. Even with that, attackers cannot prove that a second-level key even exists.
Note that all of them run on Windows (who said Microsoft platforms cannot be used for security?), except liveCDs and Yersinia (which I hope will be ported sooner or later).
Monday, July 03, 2006
Security by virtualization
Modern server virtualization was relaunched in the early '80s to lower the maintenance costs due to server sprawl, including hardware and software purchases, power, IT management staff time, etc.
But almost immediately customers, and virtualization vendors themselves, re-evaluated virtualization for many more purposes.
Security is one of the biggest fields where virtualization can serve: isolating unstable or compromised applications, providing fast disaster recovery solutions, offering powerful forensic analysis capabilities and creating cheap intrusion detection tools.
Below we'll explore all of these applications, also looking at how the evolution of virtualization will help security even more in the near future.
Virtualization for Sandboxing
The first and easiest application of virtualization for security purposes is application isolation.
Moving a set of applications, or a single one, into a virtual machine helps IT managers control two kinds of problems: application instability, which could lead to significant resource waste or, in the worst cases, to a complete system crash, and application compromise, which could lead to local privilege escalation and unauthorized ownership of the system.
The best example of avoiding this second scenario comes from VMware, pioneer of modern virtualization, which promoted the concept of so-called Virtual Appliances by launching a Browser Appliance: an operating system in a virtual machine used just for Internet-related tasks, like surfing, reading email, chatting, or downloading stuff from P2P networks.
All these actions are risky today, and in case of compromise the attacker cannot interact with the underlying host operating system, where the important user data is stored and from where he could obtain access to the corporate network.
Recovering compromised systems is even easier: a user without technical skills, once he realizes something is not working well, can revert to the starting point just by restarting the virtual machine, getting a completely intact and brand new system in a matter of seconds, any time he wants.
It's important to mention that, regarding the use of virtualization for sandboxing, many security analysts have over the years raised doubts about the real capability of virtualization layers to securely isolate virtual machines from each other and from the host operating system.
It's a reasonable doubt, since the Virtual Machine Monitor (VMM) processes the virtual machines' I/O requests all the time, and a malformed one could lead to buffer overruns and further compromise of the host operating system where the VMM resides.
But to date we have no public news of successful attacks against VMMs, and we'll have to wait some more time before the underground community seriously starts looking at this.
Virtualization for Disaster Recovery and High Availability
The biggest need in any corporate environment is data preservation and availability of service.
The first is achievable today with backup solutions acting at file level inside the protected server. This approach has two big downsides: data restore requires a large amount of time, and it requires the original hardware (or an exact copy) to get back in business without further manipulation.
Virtualization greatly helps in reducing the time and cost of disaster recovery operations.
Instead of saving files, backup solutions working at host level can copy the whole virtual machine (in some environments even while it is running), which appears as a single big file; restoring it takes much less time than reinstalling the operating system and restoring the data.
If this seems good but not revolutionary, consider also that the saved virtual machine can be restored on any host operating system, on any sufficiently powerful hardware, letting you recover even from a physical failure without expensive downtime.
When downtime is not affordable at all, we have to turn to high availability configurations, where cluster nodes share and balance the traffic load, or to less expensive hot-standby configurations, where one or more secondary nodes are ready to take over if the primary fails.
Both solutions rely on the availability of two or more physical servers, which you have to multiply by all the services you intend to protect, but virtualization can help provide some of these capabilities at a cheaper price.
More and more companies every day are deploying in production mixed clustered services where the secondary node is virtual: while the primary node is installed on physical hardware, a second node is available in a virtual machine, ready to take over on any failure.
Since the standby node actually consumes no resources, a single physical host can store several of them, dynamically providing enough physical resources to the demanding virtual node at failover time.
A frequent blocking issue in this second scenario is replicating data from the physical node to the virtual standby node.
Companies like vizioncore are filling this gap, offering affordable replication services for the most common virtualization platforms.
Virtualization for Forensic Analysis
Another, even older application of virtualization for security purposes is certainly forensic analysis.
VMware executives love to recall how law enforcement agencies, like the FBI, approaching their products at the company's beginning, immediately asked how to copy a criminal's hard disk content into a virtual machine for offsite analysis of its contents.
This kind of approach, today largely automated, is called physical-to-virtual (P2V) migration and makes it possible to have an exact working copy of a physical computer, including hidden or encrypted partitions, without altering data.
The process is quite simple in most cases and can transfer the whole hard disk content over the wire in a few minutes (depending on size).
The downside is that today we still have to shut down the original machine, which for a security professional means losing volatile memory contents.
Today the big P2V solution providers are PlateSpin, Leostream and VMware itself, with some emerging start-ups offering free migration tools to carve out a space in this segment.
Also traditional imaging solutions like Symantec LiveState now do the trick, since the newest virtualization products provide the capability of importing these proprietary formats into empty virtual machines.
P2V migration is not the only way to do forensic analysis with virtualization.
The best tool for simplifying testing in virtual machines, snapshots, happens to be also the best tool for forensic analysis.
Snapshots are the way virtualization products freeze the operating system image, to permit recovery of messed-up environments when we work with betas or unstable products.
Snapshots can be taken when the virtual machine is powered off or on: in the first case just what is on the virtual hard disk is marked as the restore point; in the second case the whole volatile memory is saved in the image file as well.
Considering an ongoing compromise, we have to deal with so-called 0day tools, able to exploit new vulnerabilities without being recognized by up-to-date malware engines, and with the ability of hackers to cover their tracks, clearing logs and deleting the tools they used.
To mitigate this loss of precious information, today we have to rely on so-called host intrusion detection systems (HIDS), able to track changes to files and memory and send them over the network to dedicated logging facilities.
But these tools are not only often very expensive, they also waste a large amount of the protected servers' resources, are not necessarily deployed on every server we want to protect and can be compromised as well.
Virtualization is a cheap and effective alternative in this case: a live snapshot taken at the right moment can freeze 0day tools in RAM or on disk, and the attacker's tracks in system logs, before he can delete either.
At a convenient time, even on a different host operating system inside the laboratory, the virtual machine can be restarted at the snapshot point, providing an unprecedented capability in forensic analysis.
Virtualization for Honeypotting
A research field in which the security community is investing a lot is honeypotting.
A honeypot is a system looking and acting like a production environment, deployed at specific points of the corporate network, with enough interesting data to attract attackers but full of logging sensors. Its mission is to discover as much as possible about new hacking tools and techniques and to fool the attacker long enough to give security managers time to patch real systems against these new kinds of attacks.
Before virtualization spread, setting up a machine or a whole network, called a honeynet, just for security research purposes could be prohibitive in cost and management effort.
Today we can rely on free virtualization platforms, free traffic generator tools and emerging virtual lab automation solutions (like the ones offered by Akimbi or Dunes).
Building a virtual honeynet in a box is finally possible and affordable, and companies should evaluate deploying such systems to mimic their production servers, considering them as enhanced monitoring sensors, precious in critical environments where the standard security effort is not enough.
Virtual honeypotting is also effective for simulating a desktop population, catching internal threats that antivirus agents can no longer handle and endpoint security solutions have yet to handle.
Similar applications have been launched by Microsoft, with its project codenamed HoneyMonkey, and IBM, with the codename Billy Goat, automating virtual desktops to surf the Net and get infected, just to discover new viruses.
A big objection to using virtualization for honeypotting is that virtual machines are immediately recognizable by simple checks an attacker can run at network level or, once inside, at system level. Once discovered to be in a virtual machine, the attacker would stay away from it, or leave immediately if already inside, considering the environment a trap.
We can counter this objection in two ways.
First of all, many attacks are automated, like worms, and malicious code is not yet evolved enough to avoid virtual machines.
Secondly, today more and more companies, from enterprises to SMBs, are moving their production servers into virtual infrastructures: being inside a virtual machine is no longer so suspicious for attackers, who could well decide to stay, evaluating the target as a real one.
A more blended future
Virtualization is still at an early stage and technologies in this segment are evolving fast, as are their applications, which will take advantage of more computing power and smarter programmable interfaces.
In the immediate future, the very first security benefit of virtualization will be freeing the resources in virtualized servers currently wasted by security agents.
In fact, as soon as VMware and Microsoft granted open access to their virtual hard disk formats, vendors like Symantec and Trend Micro applied for access, eventually followed by the whole security industry.
Knowing how a virtual disk is structured means these companies can act on files inside the virtual file system from the host level.
In other words, antivirus, patching and backup software will no longer need to access data from inside the virtualized operating system, but from the layer below, achieving their security tasks transparently.
And, as a side benefit, it will no longer be possible to compromise their agents, taking down systems' defences at the source.
Also the concept of using virtualization for sandboxing is going to become much more common very soon.
Intel announced its new vPro technology, enhancing the virtualization capabilities of its processors to provide two fully isolated environments out of the box: one hosting the traditional operating system meant for usual computing purposes, and another hosting an independent and safe environment meant for any kind of purpose, from rescue to intrusion detection.
An immediate use of this second isolated environment has been announced by Symantec, which will host on it a monitoring product able to detect when the standard operating system is compromised and act accordingly to prevent it from accessing network resources.
It's likely this trend will grow over time, and several hardware vendors, including network interface and memory manufacturers, will offer this kind of partitioning capability in tomorrow's servers and desktops.
But there is much more than inline antivirus and patching capabilities or hardware partitioning in the future of virtualization-aided security.
Today's virtualization can be employed in many security tasks, but it still requires a lot of customization and manual intervention.
Within a few years it could be responsive enough to permit truly self-defending datacenters.
VMware has been the first to talk about integrating an intrusion detection system (IDS) at the host operating system level, providing transparent traffic analysis and threat interception.
But once a security monitor is at the host level and can programmatically interact with the virtual infrastructure, it can do much more than just alert about an ongoing attack, like an IDS, or terminate open malicious sessions, like an IPS.
The intrusion detection sensor, for example, could request running snapshots of virtual machines as soon as a port scan is recognized.
Depending on the time of the snapshot, it could provide a safe restore point for compromised virtual machines, or a freeze of the attacked memory to be sent to the security department for forensic analysis.
And to avoid an identical attack, the sensor could invoke transparent virtual machine patching started at host level.
In another scenario the intrusion detection sensor, recognizing an ongoing attack, could redirect the traffic into another virtual network where a dedicated virtual machine, what today we call a honeypot, appears as the intended target, ready to be compromised and to log any 0day tools and hacking techniques the attackers will use.
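The alert-driven response loop sketched in the last few paragraphs, as an added Python illustration that is not part of the original article: the IDS alert lines are constructed samples in Snort's alert_fast layout (Snort appears in the tools list above), and the virtual-infrastructure API (snapshot, diversion of an attacker to a decoy) is a hypothetical in-memory simulation, not any vendor's product.

```python
"""Toy 'self-defending datacenter' loop, as the article sketches it: IDS alerts drive
snapshots of scanned or attacked VMs and divert an attacker to a honeypot decoy.
Added example; the management API is hypothetical and simulated in memory."""
import re
from datetime import datetime

# Constructed sample alerts in Snort's single-line "alert_fast" layout (not real captures).
SAMPLE_ALERTS = """\
07/03-10:15:01.000001  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.5 -> 10.0.0.20
07/03-10:15:02.000001  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.5 -> 10.0.0.20
07/03-10:15:40.000001  [**] [1:1000001:1] WEB-MISC constructed exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:4444 -> 10.0.0.20:80
07/03-10:16:10.000001  [**] [1:1000002:1] ICMP PING constructed [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.21
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]*)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")

def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a.update({k: int(a[k]) for k in ("gid", "sid", "rev", "prio")})
    # The format carries no year; fixing one keeps time differences meaningful.
    a["time"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f").replace(year=2006).timestamp()
    return a

def classify(alert):
    """Map an alert to the two cases the article reacts to, or to noise."""
    if alert["gid"] == 122 or "portscan" in alert["msg"].lower():
        return "portscan"   # sfPortscan preprocessor alerts carry generator id 122
    if alert["prio"] == 1:
        return "exploit"    # highest priority: treat as an attack in progress
    return "noise"

class VirtualMachine:
    def __init__(self, name, ip, network="production", powered_on=True):
        self.name, self.ip, self.network, self.powered_on = name, ip, network, powered_on
        self.snapshots = []

class Infrastructure:
    """Hypothetical virtual-infrastructure API, simulated in memory."""
    def __init__(self, vms, decoy):
        self.vms = {vm.ip: vm for vm in vms}
        self.decoy = decoy          # honeypot VM on a separate honeynet
        self.diversions = {}        # attacker ip -> decoy name

    def snapshot(self, vm, label, now):
        # Only a running VM's snapshot carries its RAM (the article's on/off distinction).
        snap = {"label": label, "time": now, "includes_memory": vm.powered_on}
        vm.snapshots.append(snap)
        return snap

    def reaches(self, src_ip, dst_ip):
        # Name of the VM that traffic from src_ip to dst_ip actually lands on.
        if src_ip in self.diversions:
            return self.decoy.name
        vm = self.vms.get(dst_ip)
        return vm.name if vm else None

class Responder:
    def __init__(self, infra, min_gap=30.0):
        self.infra, self.min_gap = infra, min_gap   # min_gap: seconds between scan snapshots per VM
        self.last_snapshot, self.actions = {}, []

    def handle(self, alert):
        vm, kind, now = self.infra.vms.get(alert["dst"]), classify(alert), alert["time"]
        if vm is None or kind == "noise":
            return None
        if kind == "portscan":
            if now - self.last_snapshot.get(vm.name, float("-inf")) < self.min_gap:
                action = ("rate-limited", vm.name)   # repeated scan alerts: no snapshot storm
            else:
                self.infra.snapshot(vm, f"scan-from-{alert['src']}", now)
                self.last_snapshot[vm.name] = now
                action = ("snapshot", vm.name)
        else:
            # Freeze the attacked memory for forensics, then show the attacker only the decoy.
            self.infra.snapshot(vm, f"attack-from-{alert['src']}", now)
            self.last_snapshot[vm.name] = now
            self.infra.diversions[alert["src"]] = self.infra.decoy.name
            action = ("divert", vm.name)
        self.actions.append(action)
        return action

def run(alert_text, infra):
    """Feed every parsable alert line to a Responder and return the actions taken."""
    responder = Responder(infra)
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert:
            responder.handle(alert)
    return responder.actions

def demo_infrastructure():
    decoy = VirtualMachine("decoy01", "10.0.0.20", network="honeynet")
    return Infrastructure([VirtualMachine("web01", "10.0.0.20"), VirtualMachine("db01", "10.0.0.21")], decoy)
```

Running `run(SAMPLE_ALERTS, demo_infrastructure())` yields one snapshot for the first scan alert, a rate-limited second one, and a snapshot plus diversion for the exploit attempt, while the ICMP noise produces no action.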
While highly anticipated, this evolutionary path will not be easy to walk, since the whole picture relies on two factors: the whole datacenter has to move into the virtual infrastructure, and the time required to perform operations on virtual machines has to be much shorter than it is now.
Bottom line
Server virtualization is not just a compelling need for server consolidation: it's becoming, and will eventually be, the most important ally of security managers, simplifying a wide range of tasks from disaster recovery to forensic analysis, up to intrusion detection and prevention.
Companies approaching security by virtualization today will have noticeable results, even if a big effort may be required on tool automation for the most complex scenarios, knowing that tomorrow, when virtual infrastructures are self-defending and self-healing datacenters, they'll have to move their effort to the rules of engagement.
This article originally appeared on SearchServerVirtualization.
But quite immediately customers and virtualization vendors themselves revaluated virtualization for a lot more purposes.
Security is one of the biggest fields where virtualization can serve, isolating unstable or compromised applications, providing fast disaster recovery solutions, offering powerful forensic analysis capabilities, creating cheap intrusion detection tools.
Below we'll explore all of these applications, also looking at how the virtualization evolution will help security even more in a near future.
Virtualization for Sandboxing
The first and easiest application of virtualization for security purposes is application isolation.
Moving a set of applications or a single one in a virtual machine helps IT managers control two kind of problems: application instability, which could lead to a significant resource wasting or to a complete system crash in worst cases, and application compromising, which could lead to local privilege escalation and system unauthorized owning.
The best example to avoid this second scenario comes from VMware, pioneer of modern virtualization, which promoted the concept of so called Virtual Appliances, launching a Browser Appliance: an operating system in a virtual machine just for Internet-related tasks, like surfing, reading emails, chatting, or downloading stuffs from P2P networks.
All these actions are critical today and in case of compromising the attacker cannot interact with the underlying host operating system, where the important user data are stored and from where he can obtain access to corporate network.
Recovering compromised systems is even easier: the user, without technical skills, once recognized something is not working good, can revert to the starting point just restarting the virtual machine, having a completely intact and brand new system in matter of seconds, anytime he wants.
It's important to mention that about virtualization use for sandboxing many security analysts raised over years doubts about the real capability of virtualization layers to securely isolate virtual machines from themselves and host operating system.
It's a reasonable doubt since the Virtual Machine Monitor (VMM) process virtual machines I/O requests all the time and a malformed one could lead to buffer overruns and further compromising of host operating system where VMM resides.
But until today we have no public news of successful attacks against VMMs and we'll have to wait some more time before the underground community will seriously start looking at this.
Virtualization for Disaster Recovery and High Availability
The biggest need in any corporate environment is data preservation and availability of service.
The first one is achievable today with backup solutions acting at file level inside the protected server. This approach has two big downsides: data restore requires a large amount of time and the original hardware (or an exact copy) to get back on business without further manipulations.
Virtualization greatly helps reducing time and costs of disaster recovery operations.
Instead of saving files, backup solutions working at host level can copy the whole virtual machine, in some environments even if it is running, which appears as a unique big file, which will take much less time in restoring than re-installing operating system and restoring data.
If this seems good but not revolutionary you should also consider the saved virtual machine can be restored in any host operating system, on any enough powerful hardware, permitting you to recover even a physical failure without expensive downtimes.
In case downtimes are not affordable at all we have to approach high availability configurations, where cluster nodes share and balance traffic load, or less expensive hot-standby configurations, where one or more secondary node are ready to take over if the primary has a failure.
Both solutions rely on availability of two or more physical servers, which you have to multiply for all services you intend to protect, but virtualization can help provide some of these capabilities at a cheaper price.
More and more companies every day are deploying in production mixed clustered services where the secondary node is virtual: while the primary node is installed on physical hardware, a second node is available in a virtual machine, ready to take over any failure.
Since the standby node actually consumes no resources, a single host physical machine can store several of them, dynamically providing enough physical resources to demanding virtual node at failover time.
A frequent stop-issue of this second scenario is the problem of replicating data from the physical node to the virtual, standby node.
Companies like vizioncore are filling this hole offering affordable replication services for most common virtualization platforms.
Virtualization for Forensic Analysis
Another, even older application of virtualization for security purposes is for sure forensic analysis.
VMware executives love to remember how law enforcement agencies, like FBI, approaching their products at company beginning, immediately asked how to copy criminal hard disk content in a virtual machine for offsite analysis of contents.
This kind of approach, today largely automated, is called physical to virtual (P2V) migration and permits to have an exact working copy of a physical computer, including hidden or encrypted partitions, without altering data.
The process is straight simple in most cases and can transfer the whole hard disk content over the wire in few minutes (depending on size).
The backside is that at today we still have to shut down the original machine, which for a security professional means losing volatile memory contents.
Today big PV2 solutions providers are PlateSpin, Leostream and VMware itself with some emerging start-ups offering free migration tools to tailor a space in this segment.
Also traditional imaging solutions like Symantec LiveState are now doing the trick since newest virtualization products are providing capability of importing this proprietary formats in empty virtual machines.
P2V migration is not the only way to do forensic analysis with virtualization.
The best tool for simplifying testing in virtual machines, called snapshots, is by chance also the best tool for forensic analysis.
Snapshots are the way virtualization products freeze the operating system image, to permit recovery of messed up environments when we work with betas or unstable products.
Snapshots can be taken when the virtual machine is powered off or on: in the first case just what is in the virtual hard disk is marked as point of restore, in this second case also the whole volatile memory is saved in the image file.
Considering an on-ongoing compromising we have to deal with so called 0day tools, able to exploit new vulnerabilities without being recognized by updated malware engines, and with the ability of hackers to cover tracks, clearing logs and deleting used tools.
To mitigate this loss of precious informations today we have to rely on so called host intrusion detection systems (HIDS) able to track changes to files and memory and send them over the network to dedicated logging facilities.
But these tools not only are often very expensive but waste a large amount of protected servers' resources, are not necessarily deployed on every server we want to protect and can be compromised as well.
Virtualization is a cheap and effective alternative in this case: a live snapshot taken at the right moment can freeze 0days tools in RAM or disk, and attacker tracks in system logs before he can delete both.
At convenient time, even on a different host operating system inside the laboratory, the virtual machine can be restarted at the snapshot point, providing an unprecedented capability in forensic analysis.
Virtualization for Honeypotting
A research field in which the security community is investing a lot is honeypotting.
A honeypot is a system that looks and acts like a production system, deployed at specific points of the corporate network with enough interesting data to attract attackers, but full of logging sensors. Its mission is to discover as much as possible about new hacking tools and techniques, and to fool the attacker long enough to give security managers time to patch the real systems against these new kinds of attacks.
Before virtualization spread, setting up a machine or a whole network (a honeynet) just for security research could be prohibitive in cost and management effort.
Today we can rely on free virtualization platforms, free traffic generators and the rising virtual lab automation solutions (like the ones offered by Akimbi or Dunes).
Building a virtual honeynet in a box is finally possible and affordable, and companies should evaluate deploying such systems to mimic their production servers, treating them as enhanced monitoring sensors, precious in critical environments where the standard security effort is not enough.
Virtual honeypotting is also effective for simulating a desktop population, catching internal threats that antivirus agents can no longer handle and endpoint security solutions have yet to handle.
Similar applications have been launched by Microsoft, with its project codenamed HoneyMonkey, and IBM, with codename Billy Goat, automating virtual desktops to surf the Net and get infected, just to discover new viruses.
A big objection to using virtualization for honeypotting is that virtual machines are immediately recognizable by simple checks an attacker can run at network level (for example the vendor prefix of the virtual NIC's MAC address) or at system level once inside (hardware vendor strings, virtual device drivers). Once he discovers he is in a virtual machine, the attacker would stay away from it, or leave immediately if already inside, considering the environment a trap.
We can counter this objection in two ways.
First of all, many attacks are automated, like worms, and malicious code is not yet so evolved as to avoid virtual machines, although some samples already check for them.
Secondly, more and more companies, from enterprises to SMBs, are moving their production servers into virtual infrastructures: being inside a virtual machine is no longer so suspicious, and an attacker could well decide to stay, judging the target to be real.
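The checks discussed above, written out as an added example (this is not code from the original article): the network-level check is the OUI, the first three bytes of the NIC's MAC address, which hypervisors pick from their own registered ranges; the system-level checks are the DMI/SMBIOS vendor strings readable from inside the guest and the hypervisor-present bit of CPUID leaf 1. Values are passed in as arguments so the script runs anywhere; the sample MACs and strings at the bottom are constructed, and the `local_dmi` helper assumes a Linux sysfs layout.

```python
"""Added example: how an attacker (or a honeypot operator testing his own cover)
decides whether a machine is virtual. OUI and DMI tables are well-known public
values; the sample inputs in demo() are constructed for this example."""
import re

# OUIs registered to (or conventionally used by) virtual NICs.
VIRTUAL_OUIS = {
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "00:03:ff": "Microsoft Virtual PC / Virtual Server",
    "00:15:5d": "Microsoft Hyper-V",
    "08:00:27": "VirtualBox",
    "00:16:3e": "Xen",
    "52:54:00": "QEMU/KVM",
}

# Substrings that hypervisors leave in DMI/SMBIOS sys_vendor / product_name.
VIRTUAL_DMI_MARKERS = ("vmware", "virtualbox", "virtual machine", "xen",
                       "qemu", "kvm", "bochs", "parallels")


def normalize_mac(mac):
    """Accept 'AA-BB-CC-DD-EE-FF', 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_vendor(mac):
    """Network-level check: hypervisor behind the MAC's OUI, or None.
    Works against a remote host too, as long as you share its LAN segment."""
    return VIRTUAL_OUIS.get(normalize_mac(mac)[:8])


def dmi_looks_virtual(sys_vendor, product_name):
    """System-level check on the DMI strings an attacker reads once inside."""
    blob = ("%s %s" % (sys_vendor, product_name)).lower()
    return any(marker in blob for marker in VIRTUAL_DMI_MARKERS)


def cpuid_hypervisor_present(ecx_leaf1):
    """Bit 31 of ECX from CPUID leaf 1: reserved (always 0) on bare metal,
    set by hypervisors so guests can tell they are virtualized."""
    return bool(ecx_leaf1 & (1 << 31))


def assess(mac, sys_vendor, product_name, ecx_leaf1):
    """Combine the evidence the way a reconnaissance script would; an empty
    list means nothing obvious gave the virtual machine away."""
    findings = []
    vendor = mac_vendor(mac)
    if vendor:
        findings.append("MAC OUI belongs to %s" % vendor)
    if dmi_looks_virtual(sys_vendor, product_name):
        findings.append("DMI strings advertise a hypervisor: %s / %s"
                        % (sys_vendor, product_name))
    if cpuid_hypervisor_present(ecx_leaf1):
        findings.append("CPUID.1:ECX bit 31 (hypervisor present) is set")
    return findings


def local_dmi():
    """Convenience for a live Linux box (assumed sysfs path); empty elsewhere."""
    out = []
    for name in ("sys_vendor", "product_name"):
        try:
            with open("/sys/class/dmi/id/" + name) as fh:
                out.append(fh.read().strip())
        except OSError:
            out.append("")
    return tuple(out)


def demo():
    # Constructed inputs: a VMware guest and a physical Dell server.
    guest = assess("00:0c:29:3a:bc:12", "VMware, Inc.",
                   "VMware Virtual Platform", 0x80000000)
    physical = assess("00:1a:a0:11:22:33", "Dell Inc.", "PowerEdge 2950", 0x0)
    return guest, physical


if __name__ == "__main__":
    for label, findings in zip(("guest", "physical"), demo()):
        print(label, findings or ["no virtualization evidence"])
```

Both tells are under the honeypot operator's control: most hypervisors let you assign a static MAC from a non-virtual OUI and override the SMBIOS strings, which removes the cheap checks and leaves only the harder ones (timing, device drivers, the CPUID bit) to the attacker.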
A more blended future
Virtualization is still at an early stage, and the technologies in this segment are evolving fast, as are their applications, which will take advantage of more computing power and smarter programmable interfaces.
In the immediate future the very first security benefit of virtualization will be freeing the resources that security agents currently waste inside virtualized servers.
In fact, as soon as VMware and Microsoft granted open access to their virtual hard disk formats, vendors like Symantec and Trend Micro applied for access, eventually followed by the whole security industry.
Knowing how a virtual disk is structured means these companies can act on the files inside the virtual file system from the host level.
In other words antivirus, patching and backup software will no longer need to access data from inside the virtualized operating system, but from the layer below, performing their security tasks transparently.
And, as a side benefit, it will no longer be possible to compromise their agents, which today lets an attacker drop a system's defences at the source. The flip side is that host-level access to every guest's disk has to be guarded at least as well as the guests themselves, and a running guest's disk should be scanned from a snapshot rather than from the live image, which is changing underneath the scanner.
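What "knowing how a virtual disk is structured" buys a host-level tool, as an added example that is not code from the article or from any of the vendors it names: a parser for the 512-byte footer of a Microsoft VHD image (the format Microsoft opened in 2006) that verifies the footer checksum and, for a fixed-size disk, reads guest sectors straight out of the image with no agent inside the guest. The tiny VHD below is constructed in memory; dynamic and differencing disks add a dynamic header and block allocation table that this example does not handle.

```python
"""Added example: decode the VHD footer and read guest sectors from the host.
Field layout and checksum follow the published VHD specification; the image
built in demo() is constructed for this example."""
import struct
import time
import uuid

SECTOR = 512
FOOTER_FMT = ">8sIIQI4sI4sQQIII16sB427s"          # big-endian, 512 bytes
FOOTER_FIELDS = ("cookie", "features", "version", "data_offset", "timestamp",
                 "creator_app", "creator_ver", "creator_os", "original_size",
                 "current_size", "geometry", "disk_type", "checksum",
                 "unique_id", "saved_state", "reserved")
DISK_TYPE_FIXED = 2
VHD_EPOCH = 946684800   # Unix time of 2000-01-01 00:00 UTC, the VHD timestamp origin


def footer_checksum(raw):
    """One's complement of the byte sum of the footer with the checksum field zeroed."""
    zeroed = raw[:64] + b"\x00\x00\x00\x00" + raw[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def chs_geometry(size):
    """CHS geometry as the VHD spec derives it: cylinders:16, heads:8, sectors:8."""
    total = min(size // SECTOR, 65535 * 16 * 255)
    if total >= 65535 * 16 * 63:
        spt, heads = 255, 16
        cth = total // spt
    else:
        spt = 17
        cth = total // spt
        heads = max((cth + 1023) // 1024, 4)
        if cth >= heads * 1024 or heads > 16:
            spt, heads = 31, 16
            cth = total // spt
        if cth >= heads * 1024:
            spt, heads = 63, 16
            cth = total // spt
    return ((cth // heads) << 16) | (heads << 8) | spt


def build_fixed_vhd(guest_data):
    """Assemble a fixed VHD: raw guest sectors followed by the footer."""
    if len(guest_data) % SECTOR:
        raise ValueError("guest data must be sector aligned")
    size = len(guest_data)
    fields = [b"conectix", 0x2, 0x00010000, 0xFFFFFFFFFFFFFFFF,
              int(time.time()) - VHD_EPOCH, b"py  ", 0x00010000, b"Wi2k",
              size, size, chs_geometry(size), DISK_TYPE_FIXED, 0,
              uuid.uuid4().bytes, 0, b"\x00" * 427]
    fields[12] = footer_checksum(struct.pack(FOOTER_FMT, *fields))
    return guest_data + struct.pack(FOOTER_FMT, *fields)


def parse_footer(image):
    """Validate and decode the footer found in the last sector of a VHD image."""
    raw = image[-SECTOR:]
    f = dict(zip(FOOTER_FIELDS, struct.unpack(FOOTER_FMT, raw)))
    if f["cookie"] != b"conectix":
        raise ValueError("not a VHD image (bad cookie)")
    if f["checksum"] != footer_checksum(raw):
        raise ValueError("footer checksum mismatch: truncated or tampered image")
    g = f["geometry"]
    f["geometry"] = (g >> 16, (g >> 8) & 0xFF, g & 0xFF)
    f["unique_id"] = str(uuid.UUID(bytes=f["unique_id"]))
    del f["reserved"]
    return f


def read_guest_sector(image, lba):
    """Read one guest sector from the host side; a fixed disk stores the guest
    image raw, in order, immediately before the footer."""
    f = parse_footer(image)
    if f["disk_type"] != DISK_TYPE_FIXED:
        raise NotImplementedError("only fixed disks are handled in this example")
    if (lba + 1) * SECTOR > f["current_size"]:
        raise IndexError("LBA beyond end of disk")
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def demo():
    # Constructed guest content: sector 0 a fake boot sector, sector 1 a dropped tool.
    sector0 = b"BOOT".ljust(SECTOR, b"\x00")
    sector1 = b"#!/bin/sh\n# dropped 0day tool\n".ljust(SECTOR, b"\x00")
    image = build_fixed_vhd(sector0 + sector1)
    return parse_footer(image), read_guest_sector(image, 1)


if __name__ == "__main__":
    footer, sector = demo()
    print("disk type", footer["disk_type"], "size", footer["current_size"],
          "geometry", footer["geometry"])
    print("sector 1 from the host:", sector.rstrip(b"\x00"))
```

The checksum check is what a host-side scanner should insist on before trusting anything else in the footer: a truncated copy or a guest that managed to write into the image's tail shows up as a mismatch rather than as a silently wrong disk size.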
Also, the use of virtualization for sandboxing is going to become much more common very soon.
Intel announced its new vPro technology, enhancing the virtualization capabilities of its processors to provide two fully isolated environments out of the box: one hosting the traditional operating system for everyday computing, the other hosting an independent, protected environment meant for any kind of purpose, from rescue to intrusion detection.
An immediate use of this second isolated environment has been announced by Symantec, which will host in it a monitoring product able to detect when the standard operating system is compromised and cut off its access to network resources accordingly.
It's likely this trend will grow over time, and several hardware vendors, including network interface and memory manufacturers, will offer this kind of partitioning capability in tomorrow's servers and desktops.
But there is much more to the virtualization-aided security future than inline antivirus and patching or hardware partitioning.
Today's virtualization can be employed in many security tasks, but it still requires a lot of customization and manual intervention.
Within a few years it could become responsive enough to permit real self-defending datacenters.
VMware has been the first to talk about integrating an intrusion detection system (IDS) at the host operating system level, providing transparent traffic analysis and threat interception.
But once a security monitor sits at the host level and can interact programmatically with the virtual infrastructure, it can do much more than alert about an ongoing attack, like an IDS, or terminate malicious sessions, like an IPS.
The intrusion detection sensor, for example, could request running snapshots of the targeted virtual machines as soon as a port scan is recognized.
Depending on when the snapshot is taken, it could provide a safe restore point for a compromised virtual machine, or a frozen image of the attacked memory to be sent to the security department for forensic analysis.
And to avoid an identical attack, the sensor could invoke transparent patching of the virtual machine from the host level.
In another scenario the sensor, recognizing an ongoing attack, could redirect the traffic into another virtual network where a dedicated virtual machine, what today we call a honeypot, appears as the intended target, ready to be compromised and to log any 0day tools and hacking techniques the attackers use.
While highly anticipated, this evolutionary path will not be easy to walk, since the whole picture relies on two factors: the whole datacenter has to move into the virtual infrastructure, and the time required to perform operations on virtual machines has to be much shorter than it is now.
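The snapshot-on-scan reaction described above (and the live snapshot for forensics from the first part of the article), as an added example that is not code from the original: a minimal host-level sensor watches SYN attempts towards the guests it knows about, counts distinct destination ports per source within a short window, and on a port scan snapshots the targeted virtual machine while the attacker's tools are still in memory. The log line format, the guest inventory, the thresholds and the `virsh snapshot-create-as` command line are all assumptions made for this example (the article names no particular hypervisor CLI), so the snapshot step is a callable that you swap for whatever your platform offers, for instance `vmrun snapshot` on VMware.

```python
"""Added example: port-scan detection at the host level that reacts by
snapshotting the scanned guest. Log lines and inventory are constructed."""
import re
from collections import defaultdict, deque

# Netfilter-style SYN log line; the exact format is an assumption for this example.
LOG_RE = re.compile(r"t=(?P<t>\d+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) SYN")

# Assumed inventory: guest IP -> virtual machine name known to the hypervisor.
INVENTORY = {"10.0.1.10": "web01", "10.0.1.11": "db01"}


def snapshot_command(vm, name):
    """Argument vector for a running (memory included) snapshot; assumed to be
    libvirt's virsh here, replace with your hypervisor's tool."""
    return ["virsh", "snapshot-create-as", vm, name, "--atomic"]


class ScanDetector:
    def __init__(self, inventory, on_scan, window=10, port_threshold=15):
        self.inventory = inventory          # guest IP -> VM name
        self.on_scan = on_scan              # callback(vm, src, ports, t) -> snapshot name
        self.window = window                # seconds of history kept per (src, dst)
        self.port_threshold = port_threshold
        self.events = defaultdict(deque)    # (src, dst) -> deque of (t, dport)
        self.fired = set()                  # (src, dst) pairs already snapshotted

    def feed(self, line):
        """Consume one log line; return the snapshot name if a scan fired."""
        m = LOG_RE.search(line)
        if not m:
            return None
        t, src, dst, dpt = int(m["t"]), m["src"], m["dst"], int(m["dpt"])
        vm = self.inventory.get(dst)
        if vm is None:
            return None                     # not one of our guests, ignore
        key = (src, dst)
        q = self.events[key]
        q.append((t, dpt))
        while q and q[0][0] < t - self.window:
            q.popleft()                     # drop history outside the window
        ports = {p for _, p in q}
        if len(ports) >= self.port_threshold and key not in self.fired:
            self.fired.add(key)             # one snapshot per scanner/target pair
            return self.on_scan(vm, src, sorted(ports), t)
        return None


# Constructed traffic: one legitimate client, one scanner hitting web01 fast,
# the same scanner hitting an unknown host, and the client touching many ports slowly.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3306, 3389]
SAMPLE_LOG = (
    ["t=100 SRC=10.0.0.5 DST=10.0.1.10 DPT=80 SYN"]
    + ["t=%d SRC=192.168.7.33 DST=10.0.1.10 DPT=%d SYN" % (101 + i // 4, p)
       for i, p in enumerate(SCAN_PORTS)]
    + ["t=%d SRC=192.168.7.33 DST=10.0.9.9 DPT=%d SYN" % (200 + i, p)
       for i, p in enumerate(SCAN_PORTS)]
    + ["t=%d SRC=10.0.0.5 DST=10.0.1.10 DPT=%d SYN" % (300 + 60 * i, p)
       for i, p in enumerate(SCAN_PORTS)]
)


def run_demo():
    """Feed the constructed log through the detector, recording instead of
    executing the snapshot commands; returns (vm, src, name, argv) tuples."""
    taken = []

    def record(vm, src, ports, t):
        name = "scan-%s-t%d" % (src.replace(".", "-"), t)
        taken.append((vm, src, name, snapshot_command(vm, name)))
        return name

    detector = ScanDetector(INVENTORY, record)
    for line in SAMPLE_LOG:
        detector.feed(line)
    return taken


if __name__ == "__main__":
    for vm, src, name, argv in run_demo():
        print("scan of %s from %s -> snapshot %s via: %s" % (vm, src, name, " ".join(argv)))
```

To actually take the snapshot, replace `record` with a function that runs `snapshot_command(...)` through `subprocess.run(..., check=True)`; keeping the `fired` set is what stops a noisy scanner from filling the datastore with one snapshot per packet.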
Bottom line
Server virtualization is not just a compelling need for server consolidation: it is becoming, and will eventually be, the most important ally of security managers, simplifying a wide range of tasks from disaster recovery to forensic analysis, up to intrusion detection and prevention.
Companies approaching security through virtualization today will see noticeable results, even if a big effort could be required for tool automation in the most complex scenarios, knowing that tomorrow, when virtual infrastructures will be self-defending and self-healing datacenters, they will have to move their effort to the rules of engagement.
This article originally appeared on SearchServerVirtualization.