Home > Computer Security > Computer Security: Implementing desktop virtualization is no longer optional

Computer Security: Implementing desktop virtualization is no longer optional

VMWare I’m a firm believer that given today’s technology and security paradigms, compromise is inevitable and unavoidable. With this mindset, my focus has shifted from reactionary to anticipatory. In an office environment, I expect that users will not follow policy and do things that put an organization at risk – and I expect desktops to be compromised by malware. I even expect my home PC to be compromised. To expect otherwise, is to deny the fact that current security technologies are not 100% effective.

When a hacker obtains complete control of a computer, he can change any setting, install additional malware and replace any software with his own variants. Even if you are able to remove identifiable malware, your ability to identify and undo his configuration changes or identify replaced software may be very limited. Although you may think you have “cleaned” your computer, your computer may still contain code or configuration changes that will allow a hacker to maintain or regain control of your computer.  This is even more of a concern if the hacker was able to initially compromise your computer using a Web-based zero-day exploit without a known anti-malware signature.  If the hacker can point your browser at the same Website again, your anti-malware software is not going to catch the malware the second, third or fourth time around. The only way to be sure your system is malware free, is to re-image the hard drive (we all have full image backups of our hard drives, right?) or reformat the hard drive, reinstall the operating system and all the software. What a pain!

If you can buy into the fact that compromise is inevitable and unavoidable, a better way to deal with compromises is to use desktop virtualization. Virtualization allows you to maintain a completely clean and pristine master image of your computer. You then clone (copy) the master image and just use the clone. If something bad happens, you just delete the clone and create a new clone – it’s as simple as that.  Depending on your virtualization software, you can even create snapshots of your computer and revert to the snapshot as required.

The cool thing about virtualization, is that you can run “a computer within a computer”, so you don’t need to run every application in the virtual environment. CPU, memory and video intensive applications that may not run well under the virtual environment can still be run in your regular desktop environment.

Given the benefits of desktop virtualization for security purposes, there are a few issues you should be aware of:

1. Cost. The good stuff isn’t free, but given the value of your time and peace of mind, it’s worth it.

2. System requirements. Don’t expect optimal performance with an underpowered CPU and insufficient memory.  You may need to bump up your hardware to meet your individual requirements.

3. Education. Yes, now you have to learn another piece of software. If  you can read and follow instructions, this should not be a problem.

4. Setup and Management. This stuff doesn’t manage itself. You have to figure out how and where to store your user settings and data, fine tune performance settings and manage the master image and clones.  Once you get into a routine, it becomes second nature.

There are many software vendors that offer virtualization software. Before you buy anything, you need to do some research and determine what product best meets your needs and budget. Many vendors offer full working trial versions of their software.

Below are some VMware Workstation videos to help you understand some of the basics of virtualization.   If you want to try VMWare Workstation,  it’s available as a 30-day demo or you can try the free VMware Player, which allows you to create virtual machines – but doesn’t have many of the features in VMware Workstation.

Video 1:  Demo. Note: You can run a virtual machine in full screen mode. You don’t have to run it in a Window.

Video 2:  A more technical presentation on how to create a virtual machine and a discussion about settings.

Learn more

VMware offers a free multi-media VMware Workstation fundamentals course.  You can get smart about VMware Workstation in a very short amount of time. The Overview section is a bit too technical at times, but the Getting Started section is easy to understand.

http://blogs.vmware.com/workstation/2009/11/free-vmware-workstation-7-fundamentals-course.html

Advertisements
  1. July 2, 2010 at 9:01 am

    Hi,

    It’s early days yet, but have you looked at Qubes?

    http://qubes-os.org/Architecture.html

    It uses a concept of “App VMs”, where a single application (or a group of applications) are virtualised and compartmentalised, rather than an entire machine. It looks very interesting!

    alec

    • July 2, 2010 at 9:56 am

      Yes, it does look interesting. I’ll check it out. Thanks!

  2. July 2, 2010 at 7:43 pm

    I love VMware. It works very well. Especially when you want to try out a new OS or security program/technique. And I think it is one of the best solutions for the desktop today. But, my concern is that hackers know too that it is the security move of choice and are already looking at ways to circumvent the virtual environment.

    The Brower Explotaition Framework can detect when a browser is using VMware (http://vimeo.com/5972002) and at a recent Black Hat conference it was demonstrated that a flaw in a virtual server video driver could give access to the physical server.

    It looks like drivers will be the attack method of choice in circumventing the virtual machine and accessing the physical box. I hope the virtual machine programmers understand this and really lock things down.

    • July 3, 2010 at 2:23 am

      Once you’re actually on the box as in BEF’s case, it’s easy enough to detect that a system is running VMware. It’s not something that VMware attempts to hide.

      The High Assurance Platform (HAP) that is certified by the NSA for multi-domain security rides on top of VMware. If the NSA is going to certify it, it better be secure! LOL

      This High-Assurance Platform workstation will use VMwares hypervisor technology—software that allows a single piece of hardware to be divided into several virtual machines—to create a secure PC that is certified by the NSA to handle top secret, secret, classified and unclassified data. Black said the hypervisor supports a range of operating systems, including Microsoft Windows and Red Hat Linux, and will allow up to six virtual machines to run on a single physical workstation.

      • July 3, 2010 at 2:43 am

        Have you seen this article Mr. Reiner?
        http://gcn.com/Articles/2010/03/18/dark-cloud-security.aspx?s=gcndaily_190310&Page=1

        “Government IT upgrade projects may soon have a new wrench thrown into the works. According to recent research from Gartner, 60 percent of virtual servers are less secure than the ones they replace.”

        I am just really concerned about how much virtualization is being relied upon for future projects. If the virtual dependency layer is hacked, the hacker will have access to the physical machine and most likely all the virtual servers.

        “Another risk is that the virtualization layer could compromise all hosted workloads, with hackers already targeting this layer, Gartner said. Gartner recommends keeping the layer as “thin as possible, while hardening the configuration to unauthorized changes.”

        Scary stuff indeed.

      • July 3, 2010 at 8:02 am

        You definitely have some valid concerns Dan.

        I’m not a Gartner member at the moment, so I don’t have access to the report. I found this news snippet here that talks about the report in a little more detail, but it would be good to see the entire report.

        My take on just the information provided in these articles, is that Gartner’s report encompasses the entire industry as a whole. VMware is the only leader according to Gartner’s most recent Magic Quadrant graph and I haven’t spent enough time understanding other vendor’s solutions to understand what their challenges are with respect to the security concerns expressed in the report. I would never trust a Microsoft solution – LOL.

        If you know someone that is a Gartner member, he could contact the analyst who wrote the report and get clarification on all of this.

        As with most technology these days, people are still the weakest link – especially when they that don’t know what they’re doing, which these articles imply.

        I’m sorry that I can’t provide a more definitive response.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: