Hi guys,

I've been thinking for some time now about running one isolated O/S within another using VM-Ware or something of that sort, as a means of adding another layer of security into my systems. I'm particularly concerned about spyware being able to break into my financial records and seize account numbers and passwords. I have also heard that Google's Chrome browser is highly compartmentalised with firewalls between open tabs and may incoroprate that, too. I just wondered if anyone else here has used the VM concept to bolster security on their systems and if so, how have they gone about it? I need a few ideas from those who're more knowledgeable about these matters than I am (which is almost everyone!)

Thanks,

CC.

There is/was a discussion among some prominent OpenBSD developers as to whether x86 virtualization really offers security benefits. Rather than resurrect and rehash that debate here, I will say that the idea is not foreign to me (I run FreeBSD jails for certain server services, which provides a level of separation).

Is there a specific threat scenario you're looking to guard against? What other approaches to a secure configuration have you implemented already?

I have a live server that uses virtualization as a layer of security.

It's an online application that needs to run in Windows, it's open source so I want to make it run in Linux eventually. I really don't like the idea of having RDP wide open to the internet, so what I did is I got my leased server setup as Linux CentOS then installed vmware server 1.0 (go 1.0 if it lets you install otherwise 2.0 is ok, but I prefer 1.0 tbh).

I assigned 2 nics to the windows vm. 1 nic is accessible only from the host, the other nic is open to the internet under another IP, and serves only the application. The "internal" nic I have setup so I can ssh into Linux then tunnel through to the windows vm via RDP.

The downside of this is if I had other people using my server (ex: shared webhost) anyone else could also access RDP, but they'd still have to try to guess the password, as opposed to opening it up to the world and have anyone able to guess the password. Brute force is a killer. It's not a matter of if people can get in, it's a matter of when. A complex password only increases this time and makes you hope they give up, but if it's a bot, it will eventually get in. This is also why brute force protection is important but it seems to be hard to implement on some server programs when imo should be standard.

Reading your goals it seems you're more worried about threats like Phishing and Malware. IMO Virtualization is useful in two key scenarios although there are probably many more:
--- Testing out applications of another OS
--- Isolating data of 2 different OS's

How is the spyware going to get there in the first place? Irrespective of what protection you put on a server if your clients who use the application are using unpatched software or visit fuuny sites their data isn't safe anyway.

If you're safely behind a FW with only 80/443 open, all the latest patches installed and have hardened your box as well as you can by changing defaults, turning off services etc then I'm trying to see what benefits a "public IP virtualized" environment will really provide you. In your case its just the cost of new hardware that you save on if you want to run say your financial app, your Qmail server , your Apache server and your Oracle on Linux database all with the same hardware.

Beyond that from what you've said , I don't think you need virtualization. My 2 cents anyway

Cheers
Arvind

Okay, thanks to you and the others who responded.
One upon a time I was quite happy with Windows. I knew very little of Operating Systems and certainly of nothing better. My vulnerability is that I keep a huge amount of financial dealing records on one hard drive. This includes client information, account information, bank account numbers, their passwords, and a record of trades I've carried out with various leading brokers. Anyone who can assess this one disk can wipe me out and leave me in the gutter by usurping my good name and masquerading as me in the deals I do with them over the internet.

This vulnerability became a much more serious matter when I did a ascii scan of the entire hard drive one day and found it contained confidential financial data in un-encrypted form on a volume that I never use for such purposes. Furthermore, these valuable data had somehow got copied to a *system file* that Windows refused to even acknowledge existed! No Windows search (including hidden and system files in the choices box) would show it up. I had to get in third party software which immediately identified the offending file which I then wiped out by the Guttman process.

Some weeks later, similar thing happened again! I had plugged in a usb memory stick monemtariy, realized it was the wrong one and unmounted it, then physically removed it. AT NO POINT were any documents opened up by Windows explorer. Later I found that the contents of that stick had mysteriously been copied by Windows to a directory in C:\windows\......\my music\tunes. Using the same text sring search tool as the firt time, I have been able to establish that the sensitive, plain-text contents of the incorrectly insterted usb stick were copied over, UNencrypted, to a .wav file in a directory of many other .wav files on the computer's internal hard disk!

What else could do that apart from spyware? Possibly even built-in spyware on Windows XP! And I've heard Vista is *even worse* where this kind of thing is concerned. It polices it's users better than the Federal Goverment.

I have no idea what M$ are playing at, but I want *nothing* further to do with their insanely insecure software.

By the way, my machines aren't functioning as servers and are not networked locally. I suspect a good security improvement would be running something like Slax (with the "nomount" option for neither read nor write)within any other OS but Windows.<spit!>

Your views invited.....

1. It sounds like your Windows OS is infected, possibly with a rootkit.
2. Running Windows as a virtual machine would not prevent this.

The reason security researchers often run Windows as a VMware is so they can snapshot it and roll it back after it gets infected, so they can test the behavior of malware without having to totally reinstall the OS every time. This doesn't prevent information from being read off the machine (so i.e. it wouldn't prevent your financial data from being stolen), it just makes it a lot easier to wipe and start over.

The best way to prevent your sensitive information from being stolen is to use an OS that is not Windows. It could be Linux, it could be OS X, it could be OS/2... whatever. The reason other OSs are safer is largely because they aren't as popular, so it's simply not cost-effective for criminals to try to attack those platforms.

I can't speak to your Windows-related comments/questions, but here are my comments on the others...

If you really need to keep this data on your hard drive, GPG-encrypt it. Only decrypt it when you need it to do your job, and when you're finished shred(1) it.

Be sure to keep (encrypted) backups of your sensitive data, and be double sure to keep backups of your GNUPG public/private keys.

Additionally, there is a lot you can do to reduce risk to your data. The easiest option would be to keep it off the 'net altogether (which it sounds like you may be doing). If that is not practical, then here is a very basic checklist to keep up with:

1. Turn off all services you do not require
2. Keep all software up to date via official repositories
3. Run a restrictive packet filtering firewall (netfilter for Linux)
4. Control physical access to your workstation

Finally, if possible, don't mix your business workstation (the one that pays your mortgage) with your pleasure workstation (the one you cruise youtube and facebook on).

This is only a preliminary baseline, IMO, and there is much more you can do as your paranoia levels increase.

Actually one way you could be safe, is setup a virtualized firewall using smoothwall or other app, then your actual application vm behind that firewall (using vmnet2 or something - one of the extra ones, not host only, nat etc)

So you have something like:

[real nic] == > 0:[Firewall VM]1: ==> [application VM]

Set firewall nic 0 to bridged and set firewall nic 1 to any vmnet that is unused such as vmnet2, then set the application VM's nic to the same as nic1.

Now on the firewall, block all outgoing traffic but the one you need such as port 80.

If you get a virus in your VM, it will be contained within that VM. This is a good way to build a "honey pot" as well, if you want to purposely open a virus to see what it does. To go a step further you could even block outgoing requests to any local IP, in case by chance there's a virus that can exploit a flaw in a web server and it happens to hit your own server.


In your case the application VM could be your web surfing machine. If you need to get data off it you could then open up a port to your local network and FTP it or something.

Read up on using PGP/GPG and also KeePass. Windows has a lot of ... idiosyncratic behaviors that might masquerade as a trojan, but it does sound like you may have a root kit.

If you have a some technical knowledge and a decent understanding of the aforementioned programs, simply reformatting, reinstalling, and starting with everything encrypted via pgp/gpg and keepass is a good start. Using a browser other than IE will also protect you from a lot of malware as will using a email client other than outlook.

You will gain very little by going to a vm other than the ability to roll back to a truly pristine state.

At the bare minimum obtain and run adaware (free for pers use), spybot (free for pers use), and rootkit revealer (from sysinternals/microsoft, also free) on your system to verify that things are reasonable. A good antivirus program and physical firewall is a recommendation too (to minimize user blunders and outside attack vectors.) If RKR finds a rk (standard items excluded of course) or any program finds your computer to be a zombie/infected with a trojan/botnet process consider all non-encrypted passwords and information to be compromised and start your recovery processes.

Okay, guys, I've now run a few further checks and it does *seem* there's a rootkit of some sort on my system. I ran Rootkit Revealer and it flagged up some 95 suspicious entries (none of them, in the Registry, though) but all buried way, way, way down a very long path of directories from root some 15 layers deep. I KNOW there's something not right, because they all branch off from /music/downloads/incomplete/ and refer to dozens of classic orchestral recordings which I *never* down-loaded myself. No 3rd party Windows filewipe /killdir utilities can erase them , so I figure on using Slax from a live CD to nuke 'em all. Problem is, the man page info I have for the rmdir command tells me it can't be used recursively! This means I'll have to go backwards through 95 X 15 operations of rm -r to clear this mess up. :-( :-( :-(

Does anyone know of a quicker way to do it (which doesn't involve a complete system re-install)? Is there another Linux version that *does* allow recursive deletion of long directory paths whether the directories are empty or not?

Thanks again,

CC.

Perhaps I shouldn't quote myself, but since I've just had a good nights sleep I now recall it's simply "rm -rf". D'oh!

CC.