Security Basics mailing list archives

Re: Deny access to copy files


From: "Al MailingList" <alpal.mailinglist () gmail com>
Date: Thu, 12 Jun 2008 00:55:57 +1000

<snip>

But to prove the negative (and to paraphrase a little from the Burton group).
...
3. Separation reduces risk. Running several systems on the same hypervisor makes them more (not less) vulnerable. All 
of the systems are just as vulnerable as a locked-down host on a system, with the added benefit of also having the 
risk from the hypervisor abstracted onto them.

</snip>

Ignoring the discussion about development boxes for a moment... I'm a
bit confused at what you're getting at here - I thought in law 3 the
article was alluding to the fact that using VMs as separation *was* a
good idea to offset increased risk from the hypervisor? Quoting the
article,

"One of the ways to benefit from virtualization is to separate various
functions into their own isolated operating environments. An even
better way is to separate data as well. Either type of separation
provides an opportunity to reduce the risk added by the virtualization
software."

As Greg pointed out, a non-VMware solution in the case where a client only
wants to buy a single physical box:
- Mail Server
- Name Server
- Web Server

obviously a large attack surface, and in the event a single service is
compromised, there go the other two services and associated data.
Obviously (I think? :) ) chroot and priv separation are a good idea
here. A different way of implementing separation is of course
virtualisation:

Single box
 Vm1
    - Mail
 Vm2
    - Name
 Vm3
    - Web

As you point out, the attack surface is now slightly bigger per
service (if you +hypervisor), but in general two compromises are now
required to compromise all three services (exploit against one of the
services and then compromise of priv separation mechanism (chroot or
vm))

Have I missed something? Are you also suggesting chrooting services is a
bad idea? I agree with your statement about cost reduction - if cost
doesn't factor into the equation, then by far the best choice is a
physically separate box per service. But can you not also then argue
that with certain constraints placed on the scenario (i.e. I can
afford one physical box), separation does reduce resultant risk (by
reducing severity of a compromise)?

Just a final note out of curiosity, you state:

"Risk = hypervisor_risk + Host_risk"

(which I understand...), but I was wondering, do you have an example
of a vulnerability that would affect a virtual machine for an internet-based
service? I mean I know vulnerabilities like CVE-2008-1340 are
serious, but obviously they don't increase the initial risk of, say,
an email server being compromised. Examples being a powerful thing, I
was curious in the scenario I presented above (3 VMs... 1 runs mail, 1
runs name server, and one runs web) if you could point me at a CVE
that would demonstrate the +hypervisor_risk?

Cheers,
Al

PS Agreed: internal systems *should* mirror production - it's quite
possible these days that production systems *will* be virtual :D
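As an added illustration that is not part of the thread, the model below works through the argument in Al's post: enumerate which of the three services (mail, name, web) are compromised directly, then let an escape from the separation mechanism (chroot or VM) or a compromise of the shared hypervisor turn a partial compromise into total loss, which is the "Risk = hypervisor_risk + host_risk" term. All probabilities are constructed for illustration, not measured; the `p_all_compromised` and `compare_topologies` names are mine.

```python
from itertools import product

# Constructed illustrative probabilities (not from the post): chance that each
# internet-facing service is compromised directly over some period.
SERVICES = {"mail": 0.10, "name": 0.05, "web": 0.20}


def p_all_compromised(p_direct, p_escape, p_hypervisor):
    """Probability that all services end up compromised.

    p_direct:     per-service probability of a direct compromise (independent).
    p_escape:     probability that an attacker who owns one service breaks the
                  separation mechanism (chroot / VM) and reaches the others.
    p_hypervisor: probability the shared hypervisor itself is compromised,
                  which hands over every guest at once (the post's +hypervisor_risk).
    """
    names = list(p_direct)
    total = 0.0
    # Enumerate every combination of which services were hit directly.
    for hit in product([False, True], repeat=len(names)):
        prob = 1.0
        for name, was_hit in zip(names, hit):
            prob *= p_direct[name] if was_hit else 1 - p_direct[name]
        n_hit = sum(hit)
        if n_hit == len(names):
            p_all_given = 1.0          # everything already lost
        elif n_hit == 0:
            p_all_given = 0.0          # nothing to pivot from
        else:
            p_all_given = p_escape     # need one more compromise: the separation
        total += prob * p_all_given
    # Hypervisor compromise is an independent extra path to total loss.
    return 1 - (1 - total) * (1 - p_hypervisor)


def compare_topologies(p_direct, p_escape_chroot=0.30, p_escape_vm=0.05, p_hyp=0.01):
    """P(all three services compromised) for the deployments discussed in the thread."""
    return {
        "one host, no separation": p_all_compromised(p_direct, 1.0, 0.0),
        "one host, chroot/priv-sep": p_all_compromised(p_direct, p_escape_chroot, 0.0),
        "one host, three VMs": p_all_compromised(p_direct, p_escape_vm, p_hyp),
        "three physical boxes": p_all_compromised(p_direct, 0.0, 0.0),
    }


if __name__ == "__main__":
    for topology, risk in compare_topologies(SERVICES).items():
        print(f"{topology:28s} P(all compromised) = {risk:.4f}")
```

Raising `p_hyp` shows the other side of the argument: once hypervisor risk is large enough, the VM topology scores worse than chroot on the same host.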

