Tuesday, 17 June 2008

Citrix iForum - part 4

I actually attended one particular session at iForum that I didn't even mean to atttend. I walked into the wrong room by accident but, due to the fact that about 30 pairs of eyes revolved 180 degrees in unison thanks to the door slamming hard behind me, I then felt compelled to sit down and shut up anyway. As it turned out, it was all about virtualisation and security and was thoroughly fascinating. Anyhow, as a distributor that built its reputation on security products, I also felt as though I was doing my bit for COMPUTERLINKS at the same time.

The talk was given by Chris Mayers, a Citrix guy who I think I've met before at their Cambridge R & D labs when the Access Gateway product was released. He's a very interesting speaker actually. Completely unassuming but authoritative nevertheless and with a soft, smooth voice I could listen to all day. I think he should quit this IT lark and go and do the speaking clock or the shipping forecast on Radio 4. I found him very entertaining. I love listening to people who so obviously know their topic inside out and I'm sure I won't be able to do his speech any justice at all here.

He brought up lots of important points however I only managed to note down a few. The aforementioned Citrix bag had a velcro fastener on it and I didn't think that, after my escapades with the slamming door, any more noise disturbance by getting out my notebook would have gone down particularly well.

Have you ever heard of Hyperjacking? I hadn't but apparently it exists. It means attacks on the hypervisor and the virtualisation layer and is already becoming more and more prevalent. Chris said a lot more work needs to be done around this by the likes of McAfee, Symantec, Trend and the rest of them but, oddly enough, a hypervisor-based server could actually be less prone to this sort of attack than a normal one in some situations. The reason being that some malware will automatically shut off if it thinks it's entered a virtualised environment because it will presume that it has been snared by a honeypot. Best not leave it at that and hope for the best though I guess.

Another point made was that, in a virtualised environment, there may well be less potential for user administration error. The natural separation of duties that occurs in normal environments, i.e. one person (or team) looks after the servers, another looks after the desktops and yet another the security and so on, does not necessarily need to happen in virtual server deployments. Using virtual firewalls and anti-malware devices instead of physical and putting them on gold builds could reduce the amount of people required for these tasks and therefore make the organisation as a whole less vulnerable. This could play an important part in PCI-DSS qualification and maintenance.

However, it's not all good. With virtual servers, memory is now disk. If you were to stop a server at the wrong time, you may well find all sorts of interesting information that, normally, would have been saved to disk and encrypted that is now in memory instead. Also, time can go backwards just as easily as forwards in virtual worlds. Simple roll-back is one of the main benefits of virtualising servers but can you always be sure, by going back, that all the necessary patches and security updates have then been installed? If so, how would this be policed?

I think Chris' speech may well have raised as many questions as it did answers but it is undoubtedly something that will dominate future developments in this area. Chris actually appealed for everyone to put pressure on their application suppliers to ensure not only compatibility but also security for their apps in a virtual world. I know Tripwire, for one, are doing a lot of work around this. One of my colleagues informs me the virtualisation security checker recently released on their website has had hundreds of thousands of downloads in just a few days. Currently it only works with VMWare but I'm sure they'll see the light eventually.

Hypervisors are typically small and sit on bare metal rather than the OS but does that make them safer? I am certainly not qualified to say but I expect a lot of companies to be jumping on the bandwaggon of telling us "NO!!! BUY OUR PRODUCT OTHERWISE YOUR VIRTUAL SERVERS ARE DOOMED!!!" any month now.

P.S. if you'd like to read up further on this, I noticed Chris was also quoted in ZDNet recently.

No comments: