[isapros] Re: ..and the noise increases...

  • From: "Steve Moffat" <steve@xxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Tue, 25 Sep 2007 18:18:00 -0300

My 02c

1. More secure.
2. Same diff.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Tuesday, September 25, 2007 6:08 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: ..and the noise increases...

Totally agree then -- while it certainly does not increase security by
merit of its own existence, neither can one claim that it inherently
decreases security unless you point to specific issues created by or
solved by virtual environments.

There certainly are benefits of VM's when it comes to security, but like
everything else, you have to create the posture using the available
resources.  

Interesting questions to answer regarding virtualization then:
1) Given a single machine, would you consider multiple VM's each with
individual host hardening and service configurations of a DC, Exchange,
SQL, and IIS to be more or less secure than an SBS-style installation on
the same single physical box?
2) Now let's throw ISA in the mix... Still, on a single machine, which
would be more secure?  A private network with ISA virtualized or one
without it at all in a single-box behind a NAT router?

In both cases, I'd have to say the virtualization contributes to
security.  That being said, personally I would consider the risk of ISA
in a virtual environment too great for the cost consideration of a
different, separate hardware box given the ability of ESX to bypass
local stack IP access in vm-to-vm memory models in the same host.  That
out-of-stack communication could very well be all it takes to own you.

It also depends on who is accessing the vm's, their level of access, and
the security boundaries you have in place.  Let's say I had an
environment where I had to give someone admin access to a machine--
would I do that in VM where the host machine's security posture dictated
that that user could not gain access?  No- because an admin user may be
able to hijack communications between the host and the VM.  That's where
a separate physical machine would come into play.  But then again, if I
tightly controlled each separate physical machine, then VM's on them
might actually make me more secure overall given the security-in-depth
controls I could have.  All in all, I believe that when properly
deployed, virtualized environments can provide increased security
postures.  Just don't go into it thinking it is a panacea, just as you
wouldn't create a spreadsheet in Excel 2007 thinking it could multiply
850 by 77.1 :-D

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Tuesday, September 25, 2007 1:26 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ..and the noise increases...
> 
> No no! I'm not saying that. As the CSO article pointed out so well,
> there is a place for virtualization as part of a secure infrastructure
> plan. The problem is that people read about "VMs" and *assume* that
> there is some security advantage to putting a server or desktop in a
> VM vis-à-vis dedicated hardware. Just moving the workload from one
> "hardware" infrastructure to another doesn't make it de facto secure.
> 
> Yes, I took on the project to show examples of how virtualization can
> actually be part of a secure infrastructure and hopefully disabuse
> people of the idea that virtualization, in and of itself, increases
> security, and show how in many cases it decreases security.
> 
> So, I think we agree here :)
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
> 
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > (Hammer of God)
> > Sent: Tuesday, September 25, 2007 2:08 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: ..and the noise increases...
> >
> > In regard to that article, what they are doing is actually a good thing
> > given the way they are going about it.  The secured, locked down desktop
> > environment is FAR more secure than NOT doing it that way.  The benefits
> > of that configuration far outweigh the risks of having an environment
> > where they don't have that control.  The PC's would be pwned anyway. And
> > the real crux of that article is in regard to off-shore asset management
> > - like sending your infrastructure and IP over to another country where
> > copyright and patent law may not exist...
> >
> > Are you going to write the white paper?  Virtualization may very well
> > provide excellent benefits within a "secure infrastructure" if done
> > properly.  In fact, I think you owe it to the public to write about what
> > they shouldn't do just so they see what is possible when done "right."
> >
> > Or are you saying that the inclusion of virtual assets in any topology
> > obviates security in any form?
> >
> > t
> >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > Sent: Tuesday, September 25, 2007 11:45 AM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: ..and the noise increases...
> > >
> > > Lots of places. Check out this article
> > >
> > > http://www.csoonline.com/read/050105/offshore.html
> > >
> > > Look at the section "Lock down the infrastructure"
> > >
> > > Also, I was recently hired to write a white paper on creating a secure
> > > infrastructure for the professional services sector, and they want me
> > > to include the benefits of virtualization as part of it. :\
> > >
> > > Tom
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- Microsoft Firewalls (ISA)
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > > > (Hammer of God)
> > > > Sent: Tuesday, September 25, 2007 1:22 PM
> > > > To: isapros@xxxxxxxxxxxxx
> > > > Subject: [isapros] Re: ..and the noise increases...
> > > >
> > > > Not to start something none of us can finish, but where are you seeing
> > > > anyone declaring virtualization to be a security solution?  It's a
> > > > deployment solution, just like Windows and Linux are "deployment"
> > > > solutions.  Just another operating system that's, well, operating
> > > > systems.  Security lives above and below any deployment solution where
> > > > it's always been -- before everyone goes nuts regarding what Microsoft
> > > > will or won't support, let's make sure we're all talking about the same
> > > > thing.
> > > >
> > > > And regarding what MSFT does and doesn't support, it has far less to do
> > > > with the products than it does the people they are hiring to support
> > > > those products.
> > > >
> > > > t
> > > >
> > > > > -----Original Message-----
> > > > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> > > > > bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > > > Sent: Tuesday, September 25, 2007 11:10 AM
> > > > > To: isapros@xxxxxxxxxxxxx
> > > > > Subject: [isapros] Re: ..and the noise increases...
> > > > >
> > > > > I don't think the problem is that virtualization isn't good. Heck, I've
> > > > > been using Vmware since its pre-1.0 days.
> > > > >
> > > > > The problem is that people think it's a miracle cure-all for all the
> > > > > problems they've had (which is amazing, because even when I first
> > > > > started using VMs, I never considered it anything other than a useful
> > > > > test tool and server consolidation solution). But somehow people think
> > > > > it's a "security solution" which it truly ain't, except for some very
> > > > > specific scenarios, such as offshoring a network and PC infrastructure.
> > > > > When it comes to security, it just adds to the attack surface, so keep
> > > > > your network and infrastructure security devices that are meant to
> > > > > protect the virtualized infrastructure *off* VMs.
> > > > >
> > > > > IMHO,
> > > > > GMT
> > > > >
> > > > > Thomas W Shinder, M.D.
> > > > > Site: www.isaserver.org
> > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > Book: http://tinyurl.com/3xqb7
> > > > > MVP -- Microsoft Firewalls (ISA)
> > > > >
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of
> > Steve Moffat
> > > > > > Sent: Tuesday, September 25, 2007 12:45 PM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: ..and the noise increases...
> > > > > >
> > > > > > Absolutely.
> > > > > >
> > > > > > And remember...not supported doesn't mean it doesn't work.  It also
> > > > > > doesn't mean it's not supported either.....
> > > > > >
> > > > > > Betcha if you had Jimbo on the other end of the CSS phone call, he'd
> > > > > > help if he wasn't busy.....
> > > > > >
> > > > > > Anyway..if it's a vm and it worked when you first set it up, you'd have
> > > > > > a backup that you could rely on anyway...wouldn't you???
> > > > > >
> > > > > > :)
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > On Behalf Of Jim Harrison
> > > > > > Sent: Tuesday, September 25, 2007 2:40 PM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: ..and the noise increases...
> > > > > >
> > > > > > Yes; disappointment in the blog posting by an otherwise respected
> > > > > > person.
> > > > > >
> > > > > > Actually, I do like virtualization (ask Steve about my latest toy).
> > > > > > I'd really love it if we could have a policy that didn't have to
> > > > > > consider the "but I wanna!!!!" 1d10t'5 that will try to blame ISA for
> > > > > > what it can't control.  Remember the IPv6 fiasco of last year?  That was
> > > > > > started by an MVP, no less...  Imagine what "Joe IsaAdmin" will try to
> > > > > > do (seen the NG postings lately?).
> > > > > >
> > > > > > I'm trying to work out something a bit better than what we currently
> > > > > > have, but what (nearly) everyone forgets is that any ISA support
> > > > > > statement has to be balanced on the needle-point of "support".  Our CSS
> > > > > > folks have to be able to recognize fact from bullshrimp and we all know
> > > > > > that "customers never lie; they merely misrepresent certain facts"...
> > > > > > MS counts support costs in minutes and every minute that the CSS folks
> > > > > > waste sorting out the ISA deployment into "supported & unsupported"
> > > > > > wastes time for the customer and MS both.
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > On Behalf Of Amy Babinchak
> > > > > > Sent: Tuesday, September 25, 2007 10:19 AM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: ..and the noise increases...
> > > > > >
> > > > > > Jim,
> > > > > >
> > > > > > Is that disappointment I see in the subject line?
> > > > > >
> > > > > > Don't you know? Virtualization is the solution to all things.  It's
> > > > > > backup. It's totally secure. It's business continuity. And it's cheap!
> > > > > > What could possibly be better?
> > > > > >
> > > > > > Yes, that's sarcasm.
> > > > > >
> > > > > >
> > > > > > P.S. Oh yeah Tom. Shiver me timbers, talk like a pirate day was like so
> > > > > > last Wednesday, arg.
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > > > > On Behalf Of Thomas W Shinder
> > > > > > Sent: Tuesday, September 25, 2007 12:56 PM
> > > > > > To: isapros@xxxxxxxxxxxxx
> > > > > > Subject: [isapros] Re: ..and the noise increases...
> > > > > >
> > > > > > And they'll blame Microsoft when they implement abysmal security
> > > > > > practices because they want to get security "on the cheap"
> > > > > >
> > > > > > ARG.
> > > > > >
> > > > > > Thomas W Shinder, M.D.
> > > > > > Site: www.isaserver.org
> > > > > > Blog: http://blogs.isaserver.org/shinder/
> > > > > > Book: http://tinyurl.com/3xqb7
> > > > > > MVP -- Microsoft Firewalls (ISA)
> > > > > >
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: isapros-bounce@xxxxxxxxxxxxx
> > > > > > > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > > > > Sent: Tuesday, September 25, 2007 11:34 AM
> > > > > > > To: isapros-repost@xxxxxxxxxxxxx
> > > > > > > Subject: [isapros] ..and the noise increases...
> > > > > > >
> > > > > > > http://www.windowsitpro.com/Articles/ArticleID/97153/97153.html