Cool Green IT Products from DNS-DIRECT


Saturday 16 January 2010

Virtual Machines Security Blanket

Hi all, I’m asked at least three or four times a year about virtual machines and security. Invariably, the dialog goes something like the following, from a colleague I’ll refer to as Jim. I hope this helps you all if you wish to go down the virtual machine road.

Vince

Jim: “Hey, I’m thinking of moving my physical machines to virtual ones. What do you think of that?”

Ken: “It’s a great idea, you’ll save a lot of money and you’ll love the provisioning speed, ability to move workloads around, snapshots and I could go on and on.”

Jim: “What about security? You didn’t mention security.”

Ken: “What about security?”

Jim: “Well, I’m hoping to make my systems more secure by recreating them as virtual machines.”

Ken: “It won’t work. Virtual machines are no more secure than physical ones.”

Jim: “Maybe I should rethink moving to virtual machines.”

Ken: “No, maybe you should just rethink why you want to move to virtual machines.”

There are good reasons for moving to virtualization but security isn’t one of them. Virtual machines are no more or less secure than physical machines. It’s pure fantasy or what most Internetnicks call “FUD” (Fear, Uncertainty and Doubt). A good example of this misconception is an article I read a few days ago that described how to steal a virtual machine and its data. The author describes how someone with administrative access can easily steal a virtual machine.

The author did a fine job in describing how to do this. I have no problems with the article or the author. However, the uninformed reader might assume that a virtual machine somehow allows an administrator better access to a system and its data. This is not true.

The operative word in this concept is administrator. Administrators have unlimited access to the systems they administer whether they are physical or virtual. As a business owner, you entrust your systems, your data and your secrets to the person(s) with root or Administrator access. Such a person can touch, look at and steal every bit of data on your systems—physical or virtual.

Virtual systems have the same three major security concerns as physical systems: Users, Services and Files.

Users

Having user accounts on a computer system poses a security risk. Users who use weak or predictable passwords, write down their passwords, “loan” their passwords or have malicious intent pose the greatest threat to systems. Once an attacker compromises a user account, the effort required to crack the administrative account and gain access to the whole system has decreased significantly. In system administrative parlance, users are “a necessary evil”.

Administrators (those who hold the password to the root account) have no limitations on what they may view, change or remove from a system. There are no files or processes protected from the administrative user. The administrative user, or an attacker with equivalent access, may take any action against the system, including copying data, removing files, killing processes or leaving the system in an unusable state.

Services

System administrators will also tell you that services provide an excellent path into a system for wanton attackers. They begin by scanning your systems for listening ports (services) that may be unguarded, unpatched or wholly ignored by administrators. A service is a daemon that runs in memory and “listens” for TCP/IP connections on a port number as typically defined in /etc/services. These ports allow communications from a client application, on a remote system, to the listening port on your system. For example, the incoming mail service, POP3, listens on port 110 by default. If a listening service has vulnerabilities, it is an opportunity for exploitation.

When an attacker locates one such service, he goes to work to glitch that service and present himself with an opening to a user account—hopefully one with elevated privileges—or at the least one with a usable shell.

Virtual machines have listening ports for their services just as physical ones do. There is absolutely no difference in the quality, security or stability of one over the other. In the virtual world, as well as the physical, administrators must prune the number of services running on a host to the minimum number possible. Turning off superfluous services decreases the exploitable footprint of the system.
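The pruning described above starts with knowing which services actually listen on the network. The following script is an added example (not code from the original post): it parses the text that the iproute2 tool `ss -tln` prints, separates loopback-only listeners from those reachable from the network, and reports any network-reachable port that is not on an approved list. The sample output and the approved-port set are constructed for the demonstration.

```python
"""Audit listening TCP sockets against an allowlist.

Added example, not from the original post. Input is the text layout that
`ss -tln` prints; the sample below is constructed for the demonstration.
"""
import ipaddress

# Constructed sample in the layout of `ss -tln` output.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     [::]:110             [::]:*
LISTEN  0       50      *:3306               *:*
LISTEN  0       128     10.0.0.5:8080        0.0.0.0:*
"""

# Services this host is meant to offer to the network (assumption for the example).
APPROVED_PORTS = {22}

# Wildcard bindings: reachable on every interface.
WILDCARDS = {"0.0.0.0", "::", "*"}


def parse_listeners(ss_text):
    """Return (address, port) tuples for every LISTEN line."""
    listeners = []
    for line in ss_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # split on the last colon (IPv6 safe)
        addr = addr.strip("[]")                 # ss brackets IPv6 addresses
        listeners.append((addr, int(port)))
    return listeners


def is_network_reachable(addr):
    """True unless the socket is bound to a loopback address only."""
    if addr in WILDCARDS:
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unrecognised form: assume exposed rather than safe


def find_unapproved(ss_text, approved=APPROVED_PORTS):
    """Sorted list of network-reachable ports that are not on the approved list."""
    return sorted({port for addr, port in parse_listeners(ss_text)
                   if is_network_reachable(addr) and port not in approved})


if __name__ == "__main__":
    for port in find_unapproved(SAMPLE_SS_OUTPUT):
        print(f"unapproved network listener on port {port}")
```

On a real host, replace `SAMPLE_SS_OUTPUT` with the captured output of `ss -tln` and keep `APPROVED_PORTS` under change control; every port the script reports is either a service to retire or a service to add to the approved list deliberately.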

Maintaining a system that’s current on all security patches and service packs also helps protect it from compromise.

Files

Every collection of bits on a *nix filesystem is a file. Directories are files. Executables are files. Scripts are files. Everything is a file. Virtual machines have filesystems as do physical ones. So, how can a simple file pose a security threat to a system? Permissions. Permissions rule the *nix galaxy. Permissions determine who can see a file, change into a directory, execute a file, remove a file and execute a file with special privileges (setuid and setgid).
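The permission bits the paragraph lists can be audited mechanically. The script below is an added example, not code from the original post: it walks a directory tree and reports every file or directory that is setuid, setgid, or world-writable (sticky world-writable directories such as /tmp are exempt, since the sticky bit is what makes them safe). The sample tree it builds is constructed for the demonstration; the names in it are not real system files.

```python
"""Report setuid, setgid and world-writable entries under a directory.

Added example, not from the original post. build_sample_tree() creates a
constructed tree so the audit can be run offline.
"""
import os
import stat
import tempfile


def classify(path):
    """Findings for one path, judged from its mode bits only."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return []                 # judge the link target in its own right, not the link
    mode = st.st_mode
    findings = []
    if mode & stat.S_ISUID:
        findings.append("setuid")
    if mode & stat.S_ISGID:
        findings.append("setgid")
    if mode & stat.S_IWOTH and not (mode & stat.S_ISVTX):
        findings.append("world-writable")   # sticky dirs like /tmp are exempt
    return findings


def audit_tree(root):
    """Map relative path -> findings for every entry under root that has any."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            findings = classify(full)
            if findings:
                report[os.path.relpath(full, root)] = findings
    return report


def build_sample_tree(root):
    """Constructed sample: a plain binary, a setuid binary, a private file,
    a world-writable config file and a sticky world-writable directory."""
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "tmp"))
    for name, mode in [("bin/ls", 0o755), ("bin/passwd", 0o4755),
                       ("shadow", 0o600), ("app.conf", 0o666)]:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "tmp"), 0o1777)
    return root


def run_demo():
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for path, findings in sorted(run_demo().items()):
        print(f"{path}: {', '.join(findings)}")
```

On a live system, run `audit_tree("/")` (it needs read access to the directories it walks) and compare the setuid list against the package manager's records; an unexplained setuid binary, or a world-writable file that a privileged program reads, is exactly the kind of misconfiguration the next paragraph describes.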

Incorrectly set permissions can allow exploitation of vulnerabilities in programs that aren’t designed well or those that haven’t received security updates. In *nix systems, certain programs have the ability to allow you to use them with temporary elevated privileges. A good example is the passwd program. You run passwd to change your system password but to do so, the passwd program must update the /etc/shadow file with your new password. The problem is that the /etc/shadow file’s permissions restrict all but the root user. Temporarily, the passwd program elevates your privileges long enough to allow your new password to update the /etc/shadow file. During that momentary security lapse, an attacker could break the process and gain root access to the system.

Fortunately, most system functions have programming in place to circumvent this activity. Programming techniques such as privilege separation, privilege bracketing and dropping root help prevent these types of exploits.
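"Dropping root" has a correct order of operations, and getting it wrong (changing the uid before the gid, or forgetting supplementary groups) leaves the very window the previous paragraph warns about. The function below is an added example, not code from the original post and not the implementation used by passwd: it drops to a target uid/gid permanently, then verifies that all three uids changed and that root cannot be regained. It assumes Linux (`setresuid`/`setresgid`); on systems without those calls it falls back to `setgid`/`setuid`. The `nobody` account used by the demo is an assumption about the host.

```python
"""Permanently drop root privileges and verify that the drop took effect.

Added example, not from the original post. Linux order: supplementary
groups, then gid, then uid. The uid must go last because once the process
is unprivileged it can no longer change its gid.
"""
import os
import pwd


def drop_privileges(uid, gid):
    """Switch permanently to uid/gid. Return True only if the process ends up
    with exactly those ids and, when uid is non-root, cannot regain root."""
    if os.geteuid() == 0:
        os.setgroups([])              # needs root, so it must come first
    if hasattr(os, "setresgid"):      # real, effective and saved ids together
        os.setresgid(gid, gid, gid)
        os.setresuid(uid, uid, uid)
        uids, gids = os.getresuid(), os.getresgid()
    else:                             # fallback for platforms without setres*
        os.setgid(gid)
        os.setuid(uid)
        uids = (os.getuid(), os.geteuid(), os.geteuid())
        gids = (os.getgid(), os.getegid(), os.getegid())
    if uids != (uid, uid, uid) or gids != (gid, gid, gid):
        return False
    if uid != 0:
        try:
            os.setuid(0)              # must fail: the saved uid is gone too
        except PermissionError:
            return True
        return False                  # re-escalation worked: the drop was incomplete
    return True


def choose_unprivileged_ids():
    """Target ids for the demo: 'nobody' when running as root (assumed to
    exist), otherwise the current user's own ids."""
    if os.geteuid() == 0:
        try:
            entry = pwd.getpwnam("nobody")
            return entry.pw_uid, entry.pw_gid
        except KeyError:
            pass
    return os.getuid(), os.getgid()


def demo():
    """Drop to the chosen ids and report whether the drop is verified."""
    uid, gid = choose_unprivileged_ids()
    return drop_privileges(uid, gid)


if __name__ == "__main__":
    print("privilege drop verified:", demo())
```

The verification step is the part worth copying: a program that merely calls `setuid` and carries on is trusting that the call worked, whereas a program that tries to become root again and insists on failure has proven it.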

System security and backups are the two highest priorities for system administrators. Good administrators will run periodic network and local vulnerability scans to check for exploitable code. They’ll also maintain a regular patch and maintenance program to secure their systems. I hope you understand from this discussion that virtual machines have no more and no fewer security concerns than physical machines. Security is a concern for all systems regardless of operating system, location or status. System security requires constant vigilance but if you have a renegade administrator in your midst, all bets are off.

Wednesday 6 January 2010

Whose Platform is it, Anyway

Cloud computing, virtualization and mobile devices take the ‘proprietary’ out of computing–at least for the consumer. Just think of the possibilities.

Remember how you’re not supposed to ask for something unless you really want it? I predicted, a few short years ago, that we would cease to bind ourselves to a particular platform or operating system. Now that the future is here, I’m looking to it with a tinge of trepidation. I’m not sure that I’m ready for what’s to come: a world without local operating systems, and one where everything is virtual. Windows, Linux, Mac OS, Solaris, HP-UX and AIX will cease to have any significance to the end user. The end user will only see services or applications, not operating systems. For the end user, the operating system will not exist.

Operating systems will still exist, of course, on server hardware clouds, and they’ll provide everything we need from a service standpoint. Local operating systems (desktops) will make themselves obsolete. Electronic devices will have enough storage for files and a minimal “boot to service” operating systemlet. The days of fat, local operating systems are numbered.

Waging OS Peace

Cloud computing, when it’s fully utilized, removes the need for a local operating system. I’m not talking about VDI. I’m just talking about enabling web browsers to function as operating portals. If any application that you use is web-based, why would you need or want a local operating system?

By removing the need for a client-side operating system, you effectively remove customer dependence on software vendor support. Only service providers will have customer to vendor relationships with software companies. End users will purchase services from a primary provider, a secondary provider or a broker provider. End users will have no real contact with operating system or even application vendors.

What will we do without those lovely OS wars to plague our forums and to waste countless hours on?

Declaration of Interdependence

What about the server side of things in this new client agnostic, desktop operating systemless world?
For service providers, the story takes on a different flavor. Service providers set up services, applications and virtual systems for use by their end users or subscribers. They provide desirable technology to hungry consumers at a reasonable cost. Few providers, if any, have a preference as to server operating system.

They’re in business and that means giving customers what they want by any means necessary. If customers hunger for services best provided by Linux, that’s what they do. The same rule applies to Windows, Mac OS, Solaris or any other operating system available. Do you really care on which platform “Service X” runs? I don’t. I just want Service X there when I need it.

Saying that I don’t care on which platform my applications run, requires some explanation. Knowing that most cloud providers run their services on Linux, I don’t really have to fret over it. I know, however, that Windows virtual machines do exist on those Linux hosts. I, personally, am OK with that. Hardly any environment exists in a homogeneous operating system vacuum. The beauty of this scenario is that I’d rather have Windows as a guest than as a host. But, if I’m using remote applications and they work, do I really care? No, I really don’t.

McCloud

Is it possible, through all this operating system agnosticism, that services will morph into some weird, commoditized applet hell? Will our beloved cloud computing environments house applets and craplets that do little more than replace the cheap trinkets that fast food workers pack into our kid’s meals? Imagine a time when Trade Show SWAG includes small electronic gadgets that run a single applet containing hundreds of vendor advertisements from the show. Vendors can track the locations of their gadgets to check their market penetration, update them at will via their developers and even send you regionalized messages. And, that’s just one application of such technology.

How about some advertising (electronic billboards) as you drive down the road using your TomTom on your way to the beach? How about some coupons that tap into your car’s navigation system as you pass a grocery store: “Avocados five for a dollar at Blarg Family Grocers. Turn left and go one-half mile to lower prices.” Oh yeah, it could happen.

I don’t want to cheapen your awesome cloud-based computing experiences with my random ponderings but you have to realize that for every lofty goal and application for the cloud, there’s at least a thousand others with lower targets in mind. The cloud, in all its glory, has many uses and possibilities. In a few years, it won’t matter whose software you’re running when you’re tweeting, updating your status, or shopping for toothpaste at Blarg’s. When you think of the future, think no operating system. Think of the big picture. Think heterogeneous. Think freedom. And know that the days of proprietary software and the poor, locked-in consumer are behind us.

Are you ready to face the operating systemless future head-on, or do you have some trepidations?
Think about it. And what if the cloud fails?
Is Big Brother really watching us?

Write back and let me know.

Vince Bailey

A Virtual Solution for Mobile Development

Who needs expensive solutions to develop your design ideas and prototypes?
At DNS (Desktop Network Systems) we have an app for that!
Give us a call about virtualization.

From this posting you can tell we like Apple Mac and Unix. I don’t like my Dell any more; here come the facts.

My delivery date was weeks out and I had work to do. Being tied to a desktop computer just didn’t feel right. I looked at some of the “retail” laptops at Staples but couldn’t bring myself to purchase 1/2 a laptop at 2/3 the price of a “real” machine — like the one I already had on order from Dell. And, besides, I had a somewhat seldom-used MacBook on my desk, it wasn’t as if I were entirely without a laptop.

Now, if I were to go out of the house with a MacBook, my first preference would be one of those cool, aluminum uni-body types — not the girlie-looking white plastic version sitting on my desk. I purchased it so I could do some iPhone development over a year ago. It’s just a color, I know, but thinking back, I could have purchased basically the same device in black with a little more video ram. Hindsight is 20/20 they say. But, the thing has a 2.4 GHz Intel Dual Core — not too bad, particularly considering the fact that the new (and expensive) varieties are not all that much faster — and certainly not worth the additional investment considering what I was about to try next.

VirtualBox

Using the MacBook itself isn’t really all that bad — I have been looking for an excuse to use MacOSX a little bit more anyway. It is a pretty intuitive platform and increasingly, software development environments support OSX right out of the gate. If you doubt it, just go to a mobile software conference and everyone it seems is using a Mac.

The trouble was that I had a handful of applications for which I just had to use Windows. Yes, I know I should be using Linux — you can make the comments if you like. And yes, I could use the Mac VPN client and the RDP client to connect to servers and run a couple of administrative applications at my consulting firm — software applications that only run on Windows. However, the idea of running Windows 7 “inside” my Mac was too enticing. So, I took the virtual plunge.

Armed with my MacBook, a respectable 160GB, 5400 RPM hard drive and a meager 2GB of RAM, I ventured into the land of VirtualBox from Sun.

If you are not familiar with VirtualBox, you can learn more at http://www.virtualbox.org/

After a couple of VirtualBox upgrades, most recently to version 3.1.2, I had a reasonably stable Windows 7 installation. However, it was awfully slow — yes, slower than one would expect, despite the virtual configuration.

After a Christmas Eve visit to the Genius Bar and a $200 donation to Mr. Jobs and his elves, I upgraded my MacBook to 4GB of RAM. Throw in a 500GB, 7200 RPM Hitachi hard drive and my MacBook was starting to show some brawn. Even if it is still the white plastic variety.

Even more cool is the nice wide-screen monitor on my desk which houses my “Windows 7” environment in beautiful full-screen while I have the MacBook’s built-in display for running Firefox, Finder, iTunes, etc. Add to the mix the “Spaces” feature and I’ve now got four desktops x 2 monitors. Too bad I cannot get 8 GB of RAM into this thing!

OK, but can I get any work done you ask?

What about my files?

At this point my development files, and everything else I seemed to have accumulated over the past 37 months on my Dell, were still sitting on the orphaned hard drive. Borrowing a SATA/USB drive caddy from my network support friends, I copied the files over to a directory sitting in my home directory on the MacOSX side of things.

I was able to “share” the files via VirtualBox’s built-in \\vboxsvr sharing mechanism. However, the file access was pitifully slow. Unbearably slow. A number of Internet searches turned up some problems with NetBios over TCP, name resolution timeouts for every packet and other low-level networking stuff that just tested my patience. The guy who was responsibl
