-
April 22nd, 2007, 10:51 PM
#1
Virtual machines and network security...
...how are network admins handling the presence of virtual computers on
their networks? Currently I rank as a domain admin, and virtual machines/
computers are not yet an issue for us largely because very few of our users
are even local admins thus lack the privileges to install apps. I've been
playing with the technology as time permits, and we may use it for our NT
simulators. I'm interested in how other admins are handling their presence.
Thanks.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
April 22nd, 2007, 11:36 PM
#2
Treat VMs like any physical box and lock them down accordingly. It will depend on what platform the VMs run on (e.g., ESX, Windows, Linux etc) in addition to the VMs Guest OS itself.
The principles are the same, just a slight variance in the number of physical boxes.
-
April 23rd, 2007, 08:52 AM
#3
The IT dep't I'm working in is woefully understaffed and underfunded, and
has been for some time. Currently there's two of us who handle support
for 400+ computers onsite and maybe 150 remote users. I hate to admit
this, but we don't even know where many of our computers are, nor does
my company nor the client company (this is an outsourcing situation) seem
particularly concerned at this point in time. There's a lot of network upgrading
going on, but for now our network is not monitored save for some of the
web browsing.
What I'm wondering about more than anything is detecting rogue VMs and tracking them down.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
April 23rd, 2007, 09:48 AM
#4
Wow broken, that is quite a stress factor for you. I played with VMs a bit and agree with MsKittens.
Speak to the boss there, you can't carry on like that :P
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
April 23rd, 2007, 10:06 AM
#5
Originally Posted by brokencrow
The IT dep't I'm working in is woefully understaffed and underfunded, and
has been for some time. Currently there's two of us who handle support
for 400+ computers onsite and maybe 150 remote users. I hate to admit
this, but we don't even know where many of our computers are, nor does
my company nor the client company (this is an outsourcing situation) seem
particularly concerned at this point in time. There's a lot of network upgrading
going on, but for now our network is not monitored save for some of the
web browsing.
What I'm wondering about more than anything is detecting rogue VMs and tracking them down.
What is the actual virtual appliance? Are all the machines Windows? or do you know?
-
April 23rd, 2007, 03:12 PM
#6
We use virtual machines and love it, something simple to help track them down would be nmap. Nmap will at least return that the MAC address attached to a virtual machine is a VMware device, I am sure you could edit the vmx of an appliance and change it, but might be a quick and dirty way to check for rogues.
Sample:
MAC Address: 00:xx:xx:xx:xx:C4 (VMware)
kr5kernel
(kr5kernel at hotmail dot com)
Linux: Making Penguins Cool Since 1994.
-
April 24th, 2007, 02:30 AM
#7
Originally Posted by kr5kernel
We use virtual machines and love it, something simple to help track them down would be nmap. Nmap will at least return that the MAC address attached to a virtual machine is a VMware device, I am sure you could edit the vmx of an appliance and change it, but might be a quick and dirty way to check for rogues.
Sample:
MAC Address: 00:xx:xx:xx:xx:C4 (VMware)
Before I comment.. WOW.. You obfuscated a MAC Address... very odd...
Anyways... The problem with relying on MAC Address detection is that it's way too easy to change it....
So a couple of questions:
1) Are you worried about rogue VMs on internal machines or personal machines? (I'm guessing internal, since if it's a much better issue in general if people are able to use their personal computers at the office)...
Following on my assumption of internal machines..
These machines will be on the domain no doubt... So while kr5's suggestion works.. since it can be bypassed there are better methods..
1. Write a quick and dirty tool to check and see if a version of VMWare, VirtualPC, Xen, etc is installed on the machine. (Since you have domain credentials... and assuming these machines are on the domain this will be fairly straight forward)... If a computer has VMWare without requiring it then it's probably running Rogue VMs... at that point you just have to watch for them..
Unfortunately this is reactive...
If you want to be proactive..
2. Configuring your network (assuming quality switches) to make use of some of the more basic NAC features that most switches support... I highly suggest that on Cisco switches you take advantage of the command switchport port-security maximum 1. This limits you to 1 MAC Address per switch port. You can use switchport port-security violation [shutdown|restrict|protect] to determine the method of action to take if a second MAC address is detected..
Peace,
HT
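The OUI check kr5kernel describes in #6, written out as a first-pass inventory script over ARP-table or nmap output, with HTRegz's caveat from #7 (the vendor prefix can be edited in the .vmx, so a miss proves nothing) noted in the code. This is an added example, not code from either poster; the OUI table and the sample output are constructed here for illustration.

```python
import re
from typing import List, Tuple

# Well-known virtualization OUIs (first three octets of the MAC).
# A guest can be given an arbitrary MAC, so absence from this table
# does not prove a host is physical; treat hits as leads to verify.
VIRT_OUIS = {
    "00:50:56": "VMware", "00:0C:29": "VMware",
    "00:05:69": "VMware", "00:1C:14": "VMware",
    "00:03:FF": "Microsoft Virtual PC", "00:15:5D": "Microsoft Hyper-V",
    "00:16:3E": "Xen", "08:00:27": "VirtualBox",
}

HEX2 = r"[0-9A-Fa-f]{2}"
MAC_RE = re.compile(r"\b" + r"[:-]".join(f"({HEX2})" for _ in range(6)) + r"\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def find_virtual_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, hypervisor) for every line whose MAC has a known
    virtualization OUI. Accepts Windows 'arp -a' lines (IP and MAC on one
    line) and nmap output (IP on the 'scan report' line, MAC a few lines on)."""
    hits, last_ip = [], "?"
    for line in text.splitlines():
        ip_m = IP_RE.search(line)
        if ip_m:
            last_ip = ip_m.group(1)
        mac_m = MAC_RE.search(line)
        if not mac_m:
            continue
        mac = ":".join(g.upper() for g in mac_m.groups())
        vendor = VIRT_OUIS.get(mac[:8])
        if vendor:
            hits.append((last_ip, mac, vendor))
    return hits

# Constructed sample: a Windows ARP table followed by an nmap host block.
SAMPLE = """Interface: 192.168.10.5 --- 0x3
  Internet Address      Physical Address      Type
  192.168.10.1          00-1a-2b-3c-4d-5e     dynamic
  192.168.10.22         00-0c-29-11-22-33     dynamic
  192.168.10.23         00-03-ff-44-55-66     dynamic
  192.168.10.41         00-16-3e-aa-bb-cc     dynamic
Nmap scan report for 192.168.10.50
Host is up (0.0010s latency).
MAC Address: 00:50:56:AB:CD:EF (VMware)
"""

if __name__ == "__main__":
    for ip, mac, vendor in find_virtual_hosts(SAMPLE):
        print(f"{ip:<16} {mac}  {vendor}")
```

Feed it the saved output of `arp -a` from a few subnets or an `nmap -sn` sweep run as admin, then cross-check each hit against the list of machines that are supposed to have a hypervisor installed.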
-
April 24th, 2007, 06:18 PM
#8
Originally Posted by Cider
Wow broken, that is quite a stress factor for you.
Yeah, no kidding. I'm getting a bit fed up, especially with purchasing, but I won't go there.
Originally Posted by HTRegz
1. Write a quick and dirty tool to check and see if a version of VMWare, VirtualPC, Xen, etc is installed on the machine. (Since you have domain credentials... and assuming these machines are on the domain this will be fairly straight forward)... If a computer has VMWare without requiring it then it's probably running Rogue VMs... at that point you just have to watch for them..
Unfortunately this is reactive...
If you want to be proactive..
2. Configuring your network (assuming quality switches) to make use of some of the more basic NAC features that most switches support... I highly suggest that on Cisco switches you take advantage of the command switchport port-security maximum 1. This limits you to 1 MAC Address per switch port. You can use switchport port-security violation [shutdown|restrict|protect] to determine the method of action to take if a second MAC address is detected..
My question as it pertains to my current position is more hypothetical
than anything. We do have a series of Perl scripts we use to search
PC's for files when need be. And that first solution came to me as I
pondered what I'd posted. Just search the network for MS's VPC and
VMware's app files.
We run a series of Cisco 2800 and 2900's, and I think at some point my
current employer may indeed employ those very NAC features. They
make the most sense. Currently I'm not privy to config'ing those units,
though I am a domain admin, and the network upgrades are coming fast
and furious. I know when things settle down, we'll see a series of these
features.
Fwiw, I've finally caught on to VM's and am enjoying them when I get the chance. I can see how useful they really are. Well, back to the g-r-i-n-d...
“Everybody is ignorant, only on different subjects.” — Will Rogers