vSphere Security Series – vShield Zones

November 30th, 2009 by bl4ckc4t

vShield Zones is a security virtual appliance that provides visibility into, and enforcement of, network policy within a VMware vSphere deployment. It helps enforce corporate security policy and meet industry regulatory requirements. Previously, getting that visibility meant diverting traffic from the ESX host to an external physical appliance, which forfeits the efficiency of a shared compute pool or cloud.

vShield Zones lets you create logical zones that span the physical resources of the virtual datacenter, so that distinct levels of trust, privacy and confidentiality can be maintained. It can bridge, firewall or isolate virtual machine zones along logical trust or organizational boundaries.

The architecture consists of two components: the vShield Manager and the vShield appliance (the vShield). The vShield Manager is the central console that gives a consolidated view of the zones configured through each vShield. The vShield is the active security component; each instance provides application-aware traffic analysis and stateful firewall protection by inspecting network traffic and deciding access according to a rule set.

A vShield regulates traffic based on zones of trust, separating traffic into a protected and an unprotected zone. The virtual machines protected by a vShield reside in the protected zone, and all traffic destined for them enters from the unprotected zone through the vShield.

Key features of vShield Zones:

  • Central Management of Logical Zone Boundaries and Segmentation
    • Uses existing virtual infrastructure containers (hosts, virtual switches and VLANs) as logical trust or organizational zones; lets you define policies that bridge, firewall or isolate network traffic between zone boundaries; and manages and deploys those policies across an entire vCenter Server deployment.
  • Network Enforcement and Flow Monitoring
    • Classifies traffic by network or application protocol (HTTP, RDP and SNMP, for example) and filters it with stateful packet inspection (SPI). vShield Zones also tracks dynamic port connections for protocols such as FTP, keeps tracking connections across VMotion migration events, converts observed network flows into precise enforcement rules, and lets you monitor both allowed and disallowed activity.
  • Tight Integration with Existing Deployments
    • Self-configures vShield virtual appliances in line on existing ESX hosts and integrates with vCenter Server to gather and present the existing deployment hierarchy automatically. It also scans and discovers the applications running on virtual machines to identify their application protocols.
  • Management and Reporting
    • Managed through web-based access that reports on zones and provides a dashboard overview of current deployment status and real-time activity.
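To make the flow-monitoring and zone-enforcement ideas above concrete, here is a small Python model written for this post; it is not code from vShield Zones or VMware. It classifies constructed flow records by application protocol, turns repeatedly observed inbound flows into allow rules, and then enforces a default-deny policy from the unprotected into the protected zone, with a simple state table so that replies to outbound connections pass. The protected-VM addresses, the port-to-application table and the flow records are all assumptions made up for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Well-known-port to application map (assumed for the example; a real
# appliance classifies by inspecting the payload, not only the port).
APP_BY_PORT = {80: "HTTP", 443: "HTTPS", 21: "FTP", 161: "SNMP", 3389: "RDP"}

# Constructed: the VMs that sit behind the vShield, i.e. the protected zone.
PROTECTED_VMS = {"10.0.1.10", "10.0.1.11"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

    def reverse(self):
        """The 5-tuple a reply to this flow would carry."""
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


def zone_of(ip):
    return "protected" if ip in PROTECTED_VMS else "unprotected"


def app_of(flow):
    return APP_BY_PORT.get(flow.dport, f"{flow.proto.upper()}/{flow.dport}")


def learn_rules(observed, min_count=2):
    """Flow monitoring -> enforcement rules.

    Every inbound (unprotected -> protected) flow seen at least min_count
    times becomes one allow rule keyed on destination VM, transport and
    application.  One-off sightings stay unlisted, so they show up as
    disallowed activity once the rules are enforced.
    """
    inbound = (f for f in observed
               if zone_of(f.src) == "unprotected" and zone_of(f.dst) == "protected")
    seen = Counter((f.dst, f.proto, app_of(f)) for f in inbound)
    return [{"dst": dst, "proto": proto, "app": app, "action": "allow"}
            for (dst, proto, app), n in sorted(seen.items()) if n >= min_count]


class ZoneFirewall:
    """Default-deny into the protected zone, stateful for established flows."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # 5-tuples of connections already admitted
        self.log = []        # (action, reason, flow): allowed and denied alike

    def evaluate(self, flow):
        if flow in self.state or flow.reverse() in self.state:
            return self._decide(flow, "allow", "established")
        inbound = zone_of(flow.src) == "unprotected" and zone_of(flow.dst) == "protected"
        if not inbound:
            # Traffic not entering the protected zone is passed; remembering
            # it lets the reply direction match the state table above.
            self.state.add(flow)
            return self._decide(flow, "allow", "not-inbound")
        for rule in self.rules:
            if (rule["dst"], rule["proto"], rule["app"]) == (flow.dst, flow.proto, app_of(flow)):
                self.state.add(flow)
                return self._decide(flow, rule["action"], "rule")
        return self._decide(flow, "deny", "default-deny")

    def _decide(self, flow, action, reason):
        self.log.append((action, reason, flow))
        return action


# Constructed flow records standing in for what the appliance observed.
OBSERVED = [
    Flow("192.168.5.20", "10.0.1.10", "tcp", 40000 + i, 80) for i in range(3)
] + [
    Flow("192.168.5.21", "10.0.1.10", "tcp", 41000, 3389),   # seen once: no rule
    Flow("192.168.5.22", "10.0.1.11", "udp", 42000, 161),
    Flow("192.168.5.22", "10.0.1.11", "udp", 42001, 161),
]

if __name__ == "__main__":
    fw = ZoneFirewall(learn_rules(OBSERVED))
    for f in [Flow("192.168.5.30", "10.0.1.10", "tcp", 50000, 80),
              Flow("192.168.5.30", "10.0.1.10", "tcp", 50001, 3389)]:
        print(fw.evaluate(f), f)
```

The learned rule set deliberately omits the single RDP sighting, so the RDP attempt in the usage lines is denied and logged; a spoofed "reply" whose ports do not match an outbound connection is likewise denied, because only the exact reverse 5-tuple of a remembered flow counts as established.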


vSphere Security Series – CPU Virtualization

November 21st, 2009 by bl4ckc4t

vSphere restructures the core architecture into an Infrastructure Services layer and an Application Services layer. The new vShield Zones and VMsafe have been introduced as part of the Application Services layer and complement the security already built into the virtual infrastructure. I will cover those new features later in this series; these first posts start with the base security concepts within vSphere, one component at a time, and I will add a section for each component as I work through it.

Let’s break down the virtual component structure layer by layer to get a better idea of how resources are segregated and what that means for security.

CPU Virtualization:

ESX uses binary translation (BT) to virtualize the CPU and isolate virtual machines. Most instructions pass through unchanged; the translator rewrites only privileged instructions and the handful of sensitive instructions that classic x86 lets run at lower privilege without trapping but with different semantics (POPF silently ignoring the interrupt flag is the usual example), which is why pure trap-and-emulate does not work on x86 without hardware assistance. The input is raw x86 machine code, and the translator is dynamic: translation happens at run time, interleaved with execution of the generated code. Code is translated on demand, only when it is about to execute, so the translator never has to decide ahead of time which bytes are code and which are data.

Binary translation operates at the system level and makes no assumptions about the code running in the virtual machine: the rules come from the x86 architecture itself, not from a higher-level application binary interface.

The input is the full x86 instruction set, including all privileged instructions; the output is a safe subset, mostly user-mode instructions. The translator is adaptive: translated code is adjusted in response to changes in virtual machine behavior to improve overall efficiency.

The translator works on translation units of at most 12 instructions, so the amount of input it handles at once is bounded by design, which removes the unbounded-input case behind classic buffer overflows in the translator itself. The VMM (Virtual Machine Monitor) also makes use of the no-execute page protection built into most Intel and AMD CPUs (the NX bit in AMD’s terminology, XD in Intel’s): pages marked non-executable cannot be executed even if an attacker manages to write code into them, which blocks the classic shellcode-injection overflow. Note that NX does not stop attacks that reuse code already marked executable (return-to-libc or return-oriented programming); it raises the bar rather than eliminating the class.
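As an added illustration of what the front end of such a translator has to decide, and not VMware’s code, the following Python scanner walks a constructed x86 byte stream with a deliberately tiny opcode table, tags each instruction as user-mode-safe, privileged, or sensitive (runs without trapping at lower privilege but with different semantics), and cuts the stream into translation units of at most 12 instructions. The 12-instruction limit comes from the discussion above; the opcode subset, the sample instruction stream, and the choice to also end a unit at a control transfer are assumptions of the example.

```python
MAX_UNIT = 12   # translation unit limit from the discussion above

# Opcode -> (mnemonic, total length in bytes, class).  Deliberately tiny
# subset; a real decoder handles prefixes, ModRM, SIB and displacements.
#   user       passes through unchanged
#   priv       faults when run below ring 0, so it must be rewritten
#   sensitive  runs without faulting below ring 0 but behaves differently
#              (POPF silently ignores IF), so it must be rewritten too
ONE_BYTE = {
    0x90: ("nop", 1, "user"),
    0xC3: ("ret", 1, "user"),
    0xEB: ("jmp rel8", 2, "user"),
    0xF4: ("hlt", 1, "priv"),
    0xFA: ("cli", 1, "priv"),
    0xFB: ("sti", 1, "priv"),
    0xE4: ("in al, imm8", 2, "priv"),    # IOPL-controlled; treated as privileged
    0xE6: ("out imm8, al", 2, "priv"),
    0x9C: ("pushf", 1, "sensitive"),
    0x9D: ("popf", 1, "sensitive"),
}
for r, reg in enumerate(["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]):
    ONE_BYTE[0xB8 + r] = (f"mov {reg}, imm32", 5, "user")

TWO_BYTE = {   # 0x0F escape, then opcode, then a register-form ModRM byte
    0x20: ("mov r32, crN", 3, "priv"),
    0x22: ("mov crN, r32", 3, "priv"),
}
CONTROL_TRANSFER = {0xC3, 0xEB}


def decode(code, off):
    """Return (mnemonic, length, cls, ends_unit) for the instruction at off."""
    op = code[off]
    if op == 0x0F:
        sub = code[off + 1] if off + 1 < len(code) else None
        if sub not in TWO_BYTE:
            raise ValueError(f"unsupported 0F opcode at {off:#x}")
        mnem, length, cls = TWO_BYTE[sub]
    elif op in ONE_BYTE:
        mnem, length, cls = ONE_BYTE[op]
    else:
        raise ValueError(f"unsupported opcode {op:#04x} at {off:#x}")
    if off + length > len(code):
        raise ValueError(f"truncated instruction at {off:#x}")
    return mnem, length, cls, op in CONTROL_TRANSFER


def split_units(code):
    """Cut code into translation units of at most MAX_UNIT instructions.
    A unit also ends at a control transfer (an assumption of this model),
    since the translator cannot know statically where execution continues."""
    units, current, off = [], [], 0
    while off < len(code):
        mnem, length, cls, ends_unit = decode(code, off)
        current.append((off, mnem, cls))
        off += length
        if ends_unit or len(current) == MAX_UNIT:
            units.append(current)
            current = []
    if current:
        units.append(current)
    return units


def needs_rewrite(unit):
    """A unit can run as-is only if every instruction in it is user-safe."""
    return any(cls != "user" for _, _, cls in unit)


def summarize(code):
    units = split_units(code)
    counts = {"user": 0, "priv": 0, "sensitive": 0}
    for unit in units:
        for _, _, cls in unit:
            counts[cls] += 1
    return {"units": [len(u) for u in units],
            "rewrite": [needs_rewrite(u) for u in units],
            **counts}


# Constructed guest ring-0 code: a CR0 update surrounded by interrupt
# masking, followed by a long run of NOPs to show the 12-instruction cut.
SAMPLE = bytes([
    0x90,                    # nop
    0xFA,                    # cli              (privileged)
    0xB8, 0x01, 0, 0, 0,     # mov eax, 1
    0x0F, 0x20, 0xC0,        # mov eax, cr0     (privileged)
    0x9D,                    # popf             (sensitive)
    0x0F, 0x22, 0xC0,        # mov cr0, eax     (privileged)
    0xFB,                    # sti              (privileged)
    0xC3,                    # ret              (ends the unit)
]) + bytes([0x90] * 13) + bytes([0xC3])

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The first unit ends at the RET after eight instructions and needs rewriting because of the CLI/STI pair, the CR0 accesses and the POPF; the thirteen NOPs that follow are split into a full 12-instruction unit and a two-instruction tail, neither of which contains anything the translator has to touch.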


vSphere Security Series – Memory Partitioning

November 21st, 2009 by bl4ckc4t

Memory Partitioning:

Each virtual machine is assigned its own zero-based physical address space, because the operating system running inside it expects the zero-based physical memory that real hardware provides. VMware ESX delivers this by adding a layer of address translation between the memory the guest believes is physical and the machine memory of the host.

Within that layer of abstraction, a virtual machine can only reach the machine memory that has been assigned to it, which is what enforces isolation between virtual machines. Because a virtual machine never sees or touches machine memory directly, there is no way for it to reach another virtual machine’s data through this path.

Memory isolation on x86 is imposed by segmentation and paging and is enforced in hardware by the memory management unit (MMU). On processors that support hardware-assisted MMU virtualization, the guest-physical to machine translation is enforced by the MMU directly instead of by software-managed shadow page tables.

Another key point is that physical memory is explicitly zeroed when it is allocated to a virtual machine, so memory freed by one virtual machine cannot leak its contents to another. For example, if virtual machine 2 releases some memory and virtual machine 1 is later given those pages, the pages are zeroed before virtual machine 1 can read them.

Transparent page sharing (TPS) uses memory more efficiently by taking pages that are identical across two or more virtual machines and keeping a single copy in the host’s RAM. Each shared page is mapped read-only into every virtual machine that uses it.

If a virtual machine writes to a shared page it automatically receives its own private copy, because shared pages are marked copy-on-write; one virtual machine therefore cannot leak private information to another through this mechanism. Transparent page sharing is controlled by the VMkernel and the virtual machine monitor and cannot be influenced by the virtual machines themselves.

The virtualization layer, the VMkernel, runs the virtual machines: it controls the hardware the host uses and schedules hardware resources among the virtual machines. The VMkernel is dedicated to supporting virtual machines and is not used for other purposes; its interface is strictly limited to the API required to manage virtual machines.

ESX and ESXi provide additional memory protection with the following features:

  • Memory Hardening
    • The ESX/ESXi kernel, user-mode applications and executable components such as drivers and libraries are loaded at random, non-predictable memory addresses. Combined with the non-executable memory protection the processor provides, this makes it difficult for malicious code to use memory exploits to take advantage of vulnerabilities.
  • Kernel Module Integrity (Digital Signing)
    • Ensures the integrity and authenticity of modules, drivers and applications as they are loaded by the VMkernel. Module signing allows ESX and ESXi to identify the provider of a module, driver or application and whether it is VMware certified.


vSphere Security Series – Network Isolation

November 21st, 2009 by bl4ckc4t

Network Isolation:

A common cause of traffic leaks with physical switches is cascading, which is often necessary because a physical switch has a limited number of ports. A virtual switch provides all the ports you need, so there is no code to “connect” virtual switches: VMware ESX provides no path for network data to pass between virtual switches at all. This makes it relatively easy for ESX to avoid accidental violations of network isolation, as well as violations caused by malicious software running in a virtual machine or by a malicious user.

Virtual switches cannot share physical Ethernet adapters, so there is no way to trick an adapter into looping frames back, or anything similar, that would leak traffic between virtual switches. Each virtual switch also has its own forwarding table, and there is no mechanism in the code that allows an entry in one table to point at a port on another virtual switch: every destination the switch looks up must resolve to a port on the same virtual switch as the port where the frame originated, even if another switch’s table contains an entry for that address.

An attacker would most likely need a remote code execution bug in the VMkernel to circumvent virtual switch isolation, and because ESX parses so little of each frame (primarily just the Ethernet header) the attack surface for finding one is small.

There are natural limits to this isolation: if you connect the uplinks of two virtual switches together, or bridge two virtual switches with software running in a virtual machine, you open the door to the same kind of problems you would see with physical switches.


EC-Council Licensed Penetration Tester (L|PT) First Look

November 16th, 2009 by bl4ckc4t

Topic: Log Analysis, Log Management, Penetration Testing and Security Analysis

EC-Council’s Licensed Penetration Tester (LPT) is a natural evolution of, and an extension to, its series of security-related professional certifications. The LPT standardizes the knowledge base for penetration testing professionals by incorporating best practices followed by experienced experts in the field. Join us as we explore Log Analysis, Log Management, Penetration Testing and Security Analysis in the LPT program in this two-hour “live” online training session led by EC-Council Co-Founder and Technical Director, Mr. Haja Mohideen!

In this training session you will:

  • Understand the role different logs play in the security infrastructure
  • Be introduced to the different types of logs
  • Know which events need to be logged
  • Understand the different approaches to log analysis
  • Learn how to design, secure and test networks
  • Be aware of the various tools available

In addition, we are pleased to have Mr. Trent Heisler, an expert engineer from LogRhythm Inc, voted “Best SIEM” of 2009 by the readers of SC Magazine, demonstrate “live” how logs can be collected and analyzed using one of their tools.

Attendees will also be able to take part in a 30-minute Q&A session in which Haja and Trent will answer your questions about the training.

Get Trained !

Trainers
Mr. Haja Mohideen, EC-Council Co Founder and Technical Director
Mr. Trent Heisler, Engineer from LogRhythm Inc

Date
Wednesday, November 18, 2009

Time
9.00AM – 11.00AM (EST)

Price
$499 Complimentary
