Nearly almost virtually secure

With another VMworld conference in the books, the talk of the town is VirtSec. All of the major security players, and some lesser-known newcomers, were touting their virtual security solutions. McAfee and Symantec had a strong presence at the conference, as did up to 14 other vendors pushing virtual security, all fighting for the chance to prove that their product is the answer to virtual security concerns ranging from enterprise firewalls, compliance and package management to virus and malware protection and IPS. Virtualization is no longer merely a cost-savings initiative. With today's infrastructure capacity and the emphasis on green initiatives, virtualization is definitely on the positive side of the IT ROI curve. It doesn't hurt that VMware is no longer the only major player in the market. In addition to smaller companies like RingCube and Brocade, major players like Sun, IBM, Checkpoint, and Microsoft have thrown their hats in the ring. Last month's highly anticipated Hyper-V release from Microsoft has received high reviews and, in some circles, has been crowned the VMware killer. Others who love the flexibility of VMware do not believe that Hyper-V is ready for a non-Microsoft environment. Whichever side of the fence you sit on, there is no doubt that your company is entertaining the idea of virtualization. But where does traditional security fit into the virtualization mix? Enterprise-class firewalls have not progressed enough to perform the application-layer security necessary in a virtualized environment. Instead of separate physical servers that handle email, web hosting, and SQL databases, we have F5s and other load balancers in front of a handful of virtual servers, using VLAN tagging and application awareness to segment traffic. Virtualization adds a new layer, the hypervisor layer, to be concerned with, and traffic between two VMs on the same host can cross the virtual switch without ever reaching a physical firewall.
According to Gregory Ness of Security Alpha, "Most existing perimeter security appliances will not be able to see or secure inter-VM traffic. They were never architected with the level of protocol fluency to understand the traffic flows, and their form factors will continue to require specialized hardware, a flashback to the recently departed past." Companies like Tripwire, Altor, and Shavlik Technologies all left the conference believing that their products wowed the thousands of VMworld enthusiasts. Having launched only in March 2008, Altor has already won over customers like Revelon and ServiceMaster with its datacenter security management solutions. "Existing NAC solutions lack integration with and the ability to configure virtual switches and thus fail to deliver NAC into the virtual environment. As VMs move up, down and around the virtual network, there is no admission control enforcing their connection to virtual switches," explained Poornima DeBolle, senior director of business development for Altor Networks. DeBolle goes on to say, "Software IPS/firewalls will have performance challenges, and still need to connect with the virtual infrastructure and reconfigure virtual switches to control and enforce network connections." Tripwire currently has a free utility that checks the configuration of VMware ESX servers for vulnerabilities, adherence to configuration best practices, and overall security posture. Additionally, Tripwire Enterprise allows for advanced configuration assessment of both physical and virtual servers, and its change auditing flags unwanted configuration changes as they happen. Shavlik Technologies' NetChk Protect focuses on server compliance: it identifies gaps in security posture and centrally manages patching. Its niche is the ability to address the security concerns of offline virtual machines, which miss regular patch cycles while they are powered down. NetChk Protect also monitors for spyware and non-business software.
With the belief that more than half of enterprise servers will go virtual in the next 5 years, McAfee has shifted its sights as well. Its VMware-tuned McAfee Total Protection for Virtualization is primed to address virtualized anti-virus and intrusion prevention. According to Shekar Ayyar, VMware's vice president of alliances, "By combining superior VMware hypervisor security with tools from partners like McAfee that leverage virtual machine resource and network visibility through our VMsafe APIs, customers can run applications in a more secure virtualized environment." IBM's sHype hypervisor is focused on tying security policies to virtual machines on IBM infrastructure. It excels in mediated sharing between VMs, resource control and allocation, authenticated booting, and policy management and auditing. According to its site, IBM's sHype "focuses on securing IBM server platforms and we are taking advantage of IBM's high-performance virtualization support because performance is key to the acceptance of sHype." So with all this virtualization, where does this leave traditional appliance vendors like Juniper and Cisco, who have not fully jumped on the virtualization bandwagon? Greg Young, a Gartner analyst, believes that hardware-based firewall vendors "lack the software firewalls that might fit into virtual environments." He goes on to say, "With physical servers, businesses had set up Web applications in isolated network segments — demilitarized zones — separated by firewalls from databases. In a virtual environment, that separation can become blurred." If the trend of virtualization continues, traditional security market leaders who chose not to jump on board may fall on hard times. IT security is in a constant state of transition and is probably seeing its most aggressive focus changes ever.
Just a few months ago, many of the security heavy hitters began releasing cloud-based security services that address 0-day (or, more accurately, near-0-day) threats by offloading many of the security decisions to third parties on the internet. Now many of these same companies, like McAfee, are carefully balancing their marketing strategies to focus on both cloud-based security and virtual security, while leaving their traditional security solutions to fend for themselves.
Twitter users beware: Trojans and malware becoming commonplace

It's often said that you can tell how popular your web site is by the number of times your name shows up on IT security sites like McAfee, Kaspersky, Dark Reading, and of course, Netleets. If that is true, Twitter should take some comfort in being able to sit at the grown folks' table this holiday season. Conversely, its IT security staff appears to be putting in long hours patching holes in its technology and figuring out ways to keep its name out of the headlines. Last week, Kaspersky Labs reported a Follow-Me Trojan hosted on Twitter that sends the unsuspecting victim, who clicks on what they believe is a picture, to unscrupulous sites that host malware, viruses, and more. Twitter has also had to release patches recently to fix a problem with the way it sends emails to users. It had no provisions in place to sanitize user names, so a user called www.badsite.com would appear as a hyperlink in all Twitter communications, and recipients of those emails would be sent to the site contained in the username. Twitter's vulnerabilities, partially due to its recent increase in popularity, have been stacking up. Not long ago, http://www.twitpwn.com/ was launched to chronicle its shortcomings. According to Kaspersky Labs, "If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it's a fake) on your machine; a technique that is currently very popular." They went on to say that the Trojan downloads 10 other Trojans onto the infected host, disguised as MP3s. More recently, a user known as rabit bonito, "pretty rabbit" in English, began hiding malware links in what appear to be links to porn.
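The username-as-hyperlink problem above comes down to one design mistake: a user-supplied field is fed through the same auto-linking step as the template text around it. The following is an added example written for this page, not Twitter's code and not the patch Twitter shipped. It assumes a notification template that linkifies anything URL-shaped, a constructed follower name of www.badsite.com, and an allowlist rule for usernames (letters, digits, underscore, up to 15 characters) that is my assumption, not a documented Twitter rule. The vulnerable renderer sits beside the hardened one, and a helper lists every link a rendered message would send a reader to.

```python
import html
import re

# Constructed example: a notification template that auto-links URLs in the
# text it renders. Nothing here is Twitter's code. The handle rule below is
# an assumed allowlist, not a documented Twitter policy.
URL_TOKEN = re.compile(r'(?:https?://|www\.)[^\s<>"]+')
HANDLE_RULE = re.compile(r"^[A-Za-z0-9_]{1,15}$")


def linkify(text):
    """Wrap anything that looks like a URL in an anchor tag (the convenience
    feature that turns a URL-shaped username into a live link)."""
    def to_anchor(match):
        token = match.group(0)
        href = token if token.startswith("http") else "http://" + token
        return f'<a href="{href}">{token}</a>'
    return URL_TOKEN.sub(to_anchor, text)


def render_follow_email_vulnerable(follower):
    """The whole sentence, follower name included, goes through linkify, so a
    follower named www.badsite.com becomes a clickable link in every
    notification that mentions them."""
    return linkify(f"{follower} is now following you on Twitter!")


def validate_handle(follower):
    """Registration-time check: refuse any name that does not match the
    allowlist, so a URL can never become a username in the first place."""
    if not HANDLE_RULE.match(follower):
        raise ValueError(f"rejected username: {follower!r}")
    return follower


def render_follow_email_hardened(follower):
    """Render-time defence: the user-supplied field is HTML-escaped and is
    never passed through linkify; only fixed template text may carry links."""
    safe_name = html.escape(follower, quote=True)
    return f"{safe_name} is now following you on Twitter!"


def links_in(rendered):
    """Every href the rendered HTML would send a reader to."""
    return re.findall(r'href="([^"]+)"', rendered)


if __name__ == "__main__":
    print(render_follow_email_vulnerable("www.badsite.com"))
    print(render_follow_email_hardened("www.badsite.com"))
    print(render_follow_email_hardened('<a href="http://www.badsite.com">x</a>'))
```

Both layers are needed. The hardened renderer stops the template from emitting a link and neutralises HTML smuggled into the name, but a bare "www.badsite.com" left in the message text will still be auto-linked on display by many mail clients, which is why the allowlist at registration time is the real fix and output escaping is the backstop.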
Space Station laptops infected with password-stealing virus

I once read that the only way to get away from cyberspace was to go to outer space. Recent events at the International Space Station have debunked that theory. According to Wired.com, the worm's intention was to steal passwords. The worm, W32.Gammima.AG, copies itself to all drives and executes whenever a drive is accessed. Discovered in 2007, it was initially designed to steal online gaming passwords. It is unknown whether this worm had been modified specifically for NASA and other Space Station personnel. A NASA spokesperson, Kelly Humphries, acknowledged that this is not the first time something like this has happened. In a press release, Humphries stated: "It's not a frequent occurrence, but this isn't the first time." The Space Station is not connected directly to the internet, and email is supposedly scanned by an intermediary before going to its destination, so a worm that spreads by copying itself to drives most likely arrived on removable media rather than over the network.
FEMA does not take its own advice and gets hacked

Last week, Sprint took notice of irregular call patterns in the Federal Emergency Management Agency's call records. FEMA, a division of the U.S. Department of Homeland Security, became a national scapegoat in 2005 as many of the Hurricane Katrina shortcomings pointed in its direction. Since then, many hackers, domestic and international, have attempted to compromise its networks. On August 16th, Sprint advised FEMA of these "inappropriate" calling patterns to Asia and the Middle East. More than 400 calls were made to Yemen, Afghanistan, and Saudi Arabia, among others, each lasting from 3 to 10 minutes. These calls racked up in excess of $12,000 in long-distance charges. The sad part is that this could have been avoided if FEMA had taken its own advice from 2003. The breach appears to have been related to a hole left in the PBX system after a recent upgrade by a government contractor. Why FEMA does not use VoIP is a mystery to me. Nonetheless, the actual method of the breach has not been released, but history tells us that it was probably a simple default password or something similar that was "guessed" by the hacker: voice-mail boxes and maintenance ports left on default PINs are the classic way into a PBX, and the out-dial features that give a caller an outside line are what turn that access into toll fraud. To add insult to injury, the Department of Homeland Security investigated these types of breaches in 2003 and released a warning of the potential for something like this to happen on legacy PBX systems. A bulletin released in 2003 by the Department of Homeland Security shows that they don't actually believe in taking their own advice. It begins by indicating, "The Department of Homeland Security is working with the Federal Bureau of Investigation to address multiple reports from private industry describing incidents involving compromises of Private Branch Exchange (PBX) and telephone voice-mail systems." It goes on to talk about the potential for a PBX breach: "This illegal activity enables unauthorized individuals anywhere in the world to communicate via compromised U.S. phone systems in a way that is difficult to trace." And to enhance the feeling of déjà vu, the bulletin states, "An intruder circumvents a PBX system's security and gains access to a

The bulletin also discusses the precautionary measures as follows:

1. Periodically change the phone system administrator and maintenance
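Sprint spotted the FEMA fraud from calling patterns, and nothing stops a PBX owner from running the same check over its own call detail records before the bill arrives. The following is an added example, not anything Sprint, FEMA or DHS published. It assumes a simple CSV call-detail export (timestamp, originating extension, dialed digits, duration in seconds), North American 011 international dialing, a business-hours window of 07:00 to 18:59, and a short list of destination country codes worth alerting on; the list, the thresholds and the sample records are all constructed for the example, with the three countries chosen to match the ones named above.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumption: which destinations count as high risk is the analyst's own call.
# These three are the countries named in the FEMA incident.
HIGH_RISK_COUNTRY_CODES = {"93": "Afghanistan", "966": "Saudi Arabia", "967": "Yemen"}
BUSINESS_HOURS = range(7, 19)  # assumed local working window, 07:00-18:59

# Constructed call-detail records in an assumed CSV layout; not real FEMA data.
SAMPLE_CDR = """\
timestamp,extension,dialed,seconds
2008-08-14 02:13:55,4417,0119671234567,412
2008-08-14 02:21:40,4417,0119661234567,605
2008-08-14 02:33:02,4417,011931234567,188
2008-08-14 10:05:11,2201,2025551212,95
2008-08-14 14:10:00,2201,0114412345678,300
2008-08-14 23:48:19,4417,0119671239999,540
"""


def parse_cdr(text):
    """Parse the CSV export into typed records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "extension": row["extension"],
            "dialed": row["dialed"],
            "seconds": int(row["seconds"]),
        })
    return records


def destination_country(dialed):
    """None for domestic numbers; otherwise the country behind an 011 prefix.
    Longer codes are tried first so 966/967 are not mistaken for 93-style codes."""
    if not dialed.startswith("011"):
        return None
    rest = dialed[3:]
    for code in sorted(HIGH_RISK_COUNTRY_CODES, key=len, reverse=True):
        if rest.startswith(code):
            return HIGH_RISK_COUNTRY_CODES[code]
    return "other international"


def flag_calls(records):
    """Keep international calls that go somewhere risky or happen after hours."""
    flagged = []
    for rec in records:
        country = destination_country(rec["dialed"])
        if country is None:
            continue
        reasons = []
        if country in HIGH_RISK_COUNTRY_CODES.values():
            reasons.append("high-risk destination " + country)
        if rec["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            flagged.append({**rec, "country": country, "reasons": reasons})
    return flagged


def summarize_by_extension(flagged):
    """Roll flagged calls up per originating extension: a single extension
    dialing several risky countries at night is the toll-fraud signature."""
    summary = defaultdict(lambda: {"calls": 0, "minutes": 0.0, "countries": set()})
    for call in flagged:
        entry = summary[call["extension"]]
        entry["calls"] += 1
        entry["minutes"] += call["seconds"] / 60
        entry["countries"].add(call["country"])
    return dict(summary)


def report(cdr_text):
    return summarize_by_extension(flag_calls(parse_cdr(cdr_text)))


if __name__ == "__main__":
    for ext, entry in report(SAMPLE_CDR).items():
        print(ext, entry["calls"], round(entry["minutes"], 1), sorted(entry["countries"]))
```

On the constructed data the daytime call to the UK from extension 2201 passes, while extension 4417 is reported with four night-time calls to three of the listed countries. In practice the carrier's CDR feed, not the PBX's own logs, is the record to trust, since an intruder with admin access to the PBX can edit the latter.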
Startup company promises to boost cloud-based security services

Jay Chaudhry, founder and former CEO of CipherTrust (since acquired by Secure Computing), is promising to change the way we think of cloud-based security services with his latest startup, Zscaler. Launched as an alternative to CPE (customer premises equipment) web security, Zscaler will provide cloud-based internet firewall, IPS, antivirus, and web filtering using "Single-Scan Multi-Action gateways and NanoLog log-reduction technology", according to InformationWeek. Though it is not designed to replace existing firewalls and IPS devices, it is a viable alternative to installing Blue Coat or Websense appliances on site. Subscription fees range from $1 to $5 per user with an à la carte fee structure for services. Zscaler's niche is the cost savings associated with not needing to purchase appliances that perform the same internet security functions as its cloud-based service. In addition, this takes a proactive approach to malware and viruses: no more downloading the latest signatures. The downside is that all internet requests are proxied by a third party on the internet, which means that party sees every request your users make. Only time will tell if performance will be impacted. There were no guaranteed SLAs for throughput, but similar services offered by Checkpoint and Trend Micro estimate less than a few milliseconds of added latency.
Checkpoint gives away ZoneAlarm ForceField for free

Yesterday, August 12, Checkpoint ran a 24-hour promotion coinciding with Microsoft's slew of Patch Tuesday updates. The promotion included a free full version of ZoneAlarm's ForceField virtualized-browser software. Checkpoint also offered a 3-user ForceField license for $19 (regularly $49). Read the entire article on Checkpoint's site.

Network World gives IPsec a bad rap
For years Network World has been the holy grail of network and infrastructure information. Their presumably unbiased reviews and information are invaluable to anyone in the IT industry. Recently, however, I have witnessed a slight slant in their coverage. It started to sink in when their biased view of VMware happened to coincide with the release of Microsoft's Hyper-V. Most recently, Network World used an article called "VPNs: Six burning questions" to promote the use of MPLS and SSL VPNs. As MPLS is a standard that is quickly replacing ATM and Frame Relay, the impression I got was that its purpose was to retire IPsec. The article talked about the worry-free approach to MPLS VPNs but doesn't mention why it's that way. It doesn't mention that an MPLS VPN separates your traffic from other customers' with labels, not encryption: your MPLS provider is now responsible for all of your VPN connections to partners that do not run in an MPLS environment, and the data travels in the clear, completely unprotected outside the WAN links. It also only hints at how using MPLS as a VPN solution would undoubtedly require a larger internet pipe than currently implemented in your Frame Relay environment. I'm not saying that MPLS is not a good solution; I just don't understand how it is being viewed as a slam dunk. Every enterprise-class network has equipment that is capable of terminating IPsec VPNs. In addition, the termination point can be strategically located to provide the most protection (as close to the protected resources as possible). IPsec's encapsulation methods are completely customizable and work well in multivendor environments. I do believe, however, that if you have the money in your budget, MPLS is an excellent solution for intercompany communications within a single MPLS network. The article also makes the decision between SSL VPN and IPsec a no-brainer. When asked "Should I use IPSEC or SSL for remote access VPNs?", the immediate response was "SSL. In almost all cases SSL can be set up to deliver the same access the IPSEC VPNs do."
That is, of course, unless you want to access something other than a web-based application. SSL VPNs are great for accessing your company's intranet but do not scale to SQL connections, client-based email, or any other socketed connections. SSL VPN is touted as a clientless solution; however, in the event that you do require non-web-based access, a thin client is dynamically installed. This client is not as fully featured as a true client solution and typically only supports specifically defined traffic and ports (forget about the virtual office). These thin clients are like the client VPN's little brother: it aspires to do everything big brother can do but is satisfied with its little accomplishments. In addition, the typical Java-based thin clients have to be dynamically installed every single time the user connects to the VPN. Yes, every time. Which also means the user must have local administrator rights on the PC. In a true client-based VPN environment, admins can install the software once and lock down the PC to prevent any future mishaps. Nonetheless, configuring web-only SSL VPN access is a cinch, and I recommend it to anyone who only needs web access. However, if your decision on a remote access VPN solution requires a virtual-office feel or access to non-web-based applications, SSL VPN should not be considered... yet.