
Thread: Virtual machines and network security...

  1. #1
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243

    Virtual machines and network security...

    ...how are network admins handling the presence of virtual computers on
    their networks? Currently I rank as a domain admin, and virtual machines/
    computers are not yet an issue for us largely because very few of our users
    are even local admins thus lack the privileges to install apps. I've been
    playing with the technology as time permits, and we may use it for our NT
    simulators. I'm interested in how other admins are handling their presence.
    Thanks.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Treat VMs like any physical box and lock them down accordingly. It will depend on what platform the VMs run on (e.g., ESX, Windows, Linux etc) in addition to the VMs Guest OS itself.

    The principles are the same, just a slight variance in the number of physical boxes.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    The IT dep't I'm working in is woefully understaffed and underfunded, and
    has been for some time. Currently there's two of us who handle support
    for 400+ computers onsite and maybe 150 remote users. I hate to admit
    this, but we don't even know where many of our computers are, nor does
    my company nor the client company (this is an outsourcing situation) seem
    particularly concerned at this point in time. There's a lot of network upgrading
    going on, but for now our network is not monitored save for some of the
    web browsing.

    What I'm wondering about more than anything is detecting rogue VM's and tracking them down.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  4. #4
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Wow broken, that is quite a stress factor for you. I played with VMs a bit and agree with MsKittens.

    Speak to the boss there, you can't carry on like that :P
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Quote Originally Posted by brokencrow
    The IT dep't I'm working in is woefully understaffed and underfunded, and
    has been for some time. Currently there's two of us who handle support
    for 400+ computers onsite and maybe 150 remote users. I hate to admit
    this, but we don't even know where many of our computers are, nor does
    my company nor the client company (this is an outsourcing situation) seem
    particularly concerned at this point in time. There's a lot of network upgrading
    going on, but for now our network is not monitored save for some of the
    web browsing.

    What I'm wondering about more than anything is detecting rogue VM's and tracking them down.
    What is the actual virtual appliance? Are all the machines Windows? or do you know?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #6
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    We use virtual machines and love it. Something simple to help track them down would be nmap. Nmap will at least return that the MAC address attached to a virtual machine is a VMware device. I am sure you could edit the vmx of an appliance and change it, but it might be a quick and dirty way to check for rogues.
    Sample:
    MAC Address: 00:xx:xx:xx:xx:C4 (VMware)
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.
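
    The check kr5kernel describes, as an added example that is not part of the original post: it reads nmap's normal output and flags MAC addresses whose first three octets (the OUI) belong to a virtualization vendor. The sample scan and its addresses are constructed, and `find_virtual_nics` is a hypothetical helper name.

```python
import re

# OUI prefixes (first three octets) used by common virtualization products.
VIRTUAL_OUIS = {
    "00:05:69": "VMware",
    "00:0C:29": "VMware",
    "00:1C:14": "VMware",
    "00:50:56": "VMware",
    "00:03:FF": "Microsoft Virtual PC",
    "00:15:5D": "Microsoft Hyper-V",
    "00:16:3E": "Xen",
    "08:00:27": "VirtualBox",
}

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
MAC_RE = re.compile(r"^MAC Address: ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")

# Constructed sample of `nmap -sn` output; hosts and addresses are made up.
SAMPLE_SCAN = """\
Nmap scan report for 192.0.2.10
Host is up (0.00031s latency).
MAC Address: 00:1B:21:4E:9A:10 (Intel Corporate)
Nmap scan report for 192.0.2.23
Host is up (0.00044s latency).
MAC Address: 00:0C:29:3A:1B:C4 (VMware)
Nmap scan report for 192.0.2.57
Host is up (0.00052s latency).
MAC Address: 08:00:27:6D:02:EE (Oracle VirtualBox virtual NIC)
"""

def find_virtual_nics(scan_text):
    """Return (host, mac, vendor) for every MAC whose OUI is in VIRTUAL_OUIS."""
    hits, host = [], None
    for line in scan_text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)  # remember which host the next MAC line belongs to
            continue
        m = MAC_RE.match(line)
        if m:
            mac = m.group(1).upper()
            vendor = VIRTUAL_OUIS.get(mac[:8])  # "AA:BB:CC" is the OUI
            if vendor:
                hits.append((host, mac, vendor))
    return hits

if __name__ == "__main__":
    for host, mac, vendor in find_virtual_nics(SAMPLE_SCAN):
        print(f"{host}\t{mac}\t{vendor}")
```

    nmap only reports a MAC address for hosts on the scanner's own Ethernet segment, so the scan has to be run from each segment being checked.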

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Quote Originally Posted by kr5kernel
    We use virtual machines and love it. Something simple to help track them down would be nmap. Nmap will at least return that the MAC address attached to a virtual machine is a VMware device. I am sure you could edit the vmx of an appliance and change it, but it might be a quick and dirty way to check for rogues.
    Sample:
    MAC Address: 00:xx:xx:xx:xx:C4 (VMware)
    Before I comment.. WOW.. You obfuscated a MAC Address... very odd...

    Anyways... The problem with relying on MAC Address detection is that it's way too easy to change it....

    So a couple of questions:

    1) Are you worried about rogue VMs on internal machines or personal machines? (I'm guessing internal, since if it's a much better issue in general if people are able to use their personal computers at the office)...

    Following on my assumption of internal machines..

    These machines will be on the domain no doubt... So while kr5's suggestion works.. since it can be bypassed there are better methods..

    1. Write a quick and dirty tool to check and see if a version of VMWare, VirtualPC, Xen, etc is installed on the machine. (Since you have domain credentials... and assuming these machines are on the domain this will be fairly straightforward)... If a computer has VMWare without requiring it then it's probably running Rogue VMs... at that point you just have to watch for them..

    Unfortunately this is reactive...

    If you want to be proactive..

    2. Configuring your network (assuming quality switches) to make use of some of the more basic NAC features that most switches support... I highly suggest that on Cisco switches you take advantage of the command switchport port-security maximum 1. This limits you to 1 MAC address per switch port. You can use switchport port-security violation [shutdown|restrict|protect] to determine the method of action to take if a second MAC address is detected..

    Peace,
    HT
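
    An audit step that fits before turning on switchport port-security maximum 1, as an added example that is not part of the original post: it parses Cisco IOS `show mac address-table` output and lists the access ports that have learned more than one MAC address, which are the ports that would trigger a violation. The table is constructed, and `ports_over_limit` and its `uplinks` parameter are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample of Cisco IOS `show mac address-table` output.
SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001b.214e.9a10    DYNAMIC     Fa0/3
  10    0019.b9aa.0c71    DYNAMIC     Fa0/5
  10    000c.293a.1bc4    DYNAMIC     Fa0/5
  10    0021.5e44.7f02    DYNAMIC     Fa0/7
  10    0013.c4d2.88a0    DYNAMIC     Gi0/1
  10    0013.c4d2.88a1    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 6
"""

# Only dynamically learned entries matter; header and total lines do not match.
ROW_RE = re.compile(
    r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+DYNAMIC\s+(\S+)\s*$",
    re.IGNORECASE,
)

def ports_over_limit(table_text, uplinks=(), limit=1):
    """Map each non-uplink port to its learned MACs when it exceeds `limit`."""
    seen = defaultdict(set)
    for line in table_text.splitlines():
        m = ROW_RE.match(line)
        # Uplink and trunk ports legitimately carry many MACs, so skip them.
        if m and m.group(2) not in uplinks:
            seen[m.group(2)].add(m.group(1).lower())
    return {port: sorted(macs) for port, macs in seen.items() if len(macs) > limit}

if __name__ == "__main__":
    for port, macs in ports_over_limit(SAMPLE_TABLE, uplinks={"Gi0/1"}).items():
        print(port, ", ".join(macs))
```

    A guest using bridged networking shows up as a second MAC on the host's port; a guest behind the host's NAT shares the host's MAC and will not appear here or trip port security.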

  8. #8
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Quote Originally Posted by Cider
    Wow broken, that is quite a stress factor for you.
    Yeah, no kidding. I'm getting a bit fed up, especially with purchasing, but I won't go there.

    Quote Originally Posted by HTRegz
    1. Write a quick and dirty tool to check and see if a version of VMWare, VirtualPC, Xen, etc is installed on the machine. (Since you have domain credentials... and assuming these machines are on the domain this will be fairly straightforward)... If a computer has VMWare without requiring it then it's probably running Rogue VMs... at that point you just have to watch for them..

    Unfortunately this is reactive...

    If you want to be proactive..

    2. Configuring your network (assuming quality switches) to make use of some of the more basic NAC features that most switches support... I highly suggest that on Cisco switches you take advantage of the command switchport port-security maximum 1. This limits you to 1 MAC address per switch port. You can use switchport port-security violation [shutdown|restrict|protect] to determine the method of action to take if a second MAC address is detected..
    My question as it pertains to my current position is more hypothetical
    than anything. We do have a series of Perl scripts we use to search
    PC's for files when need be. And that first solution came to me as I
    pondered what I'd posted. Just search the network for MS's VPC and
    VMware's app files.

    We run a series of Cisco 2800 and 2900's, and I think at some point my
    current employer may indeed employ those very NAC features. They
    make the most sense. Currently I'm not privy to config'ing those units,
    though I am a domain admin, and the network upgrades are coming fast
    and furious. I know when things settle down, we'll see a series of these
    features.

    Fwiw, I've finally caught on to VM's and am enjoying them when I get the chance. I can see how useful they really are. Well, back to the g-r-i-n-d...
    “Everybody is ignorant, only on different subjects.” — Will Rogers
