Security Basics mailing list archives
Re: Deny access to copy files
From: "Al MailingList" <alpal.mailinglist () gmail com>
Date: Thu, 12 Jun 2008 00:55:57 +1000
<snip>
But to prove the negative (and to paraphrase a little from the Burton group).
...
3. Separation reduces risk. Running several systems on the same hypervisor makes them more (not less vulnerable). All of the systems are just as vulnerable as a locked down host on a system with the added benefit of also having the risk from the hypervisor abstracted onto them.
</snip>

Ignoring the discussion about development boxes for a moment... I'm a bit confused at what you're getting at here - I thought in law 3 the article was alluding to the fact that using VMs as separation *was* a good idea to offset increased risk from the hypervisor? Quoting the article, "One of the ways to benefit from virtualization is to separate various functions into their own isolated operating environments. An even better way is to separate data as well. Either type of separation provides an opportunity to reduce the risk added by the virtualization software."

As Greg pointed out, non-VMware solution in the case a client only wants to buy a single physical box:
- Mail Server
- Name Server
- Web Server

Obviously a large attack surface, and in the event a single service is compromised, there go the other two services and associated data. Obviously (I think? :) ) chroot and priv separation is a good idea here.

A different way of implementing separation is of course virtualisation:

Single box
Vm1 - Mail
Vm2 - Name
Vm3 - Web

As you point out, the attack surface is now slightly bigger per service (if you +hypervisor), but in general two compromises are now required to compromise all three services (exploit against one of the services and then compromise of the priv separation mechanism (chroot or vm)).

Have I missed something? Are you also suggesting chrooting services is a bad idea?

I agree with your statement about cost reduction - if cost doesn't factor into the equation, then by far the best choice is a physically separate box per service. But can you not also then argue that with certain constraints placed on the scenario (i.e. I can afford one physical box), separation does reduce resultant risk (by reducing severity of a compromise)?
Just a final note out of curiosity. You state: "Risk = hypervisor_risk + Host_risk" (which I understand...), but I was wondering, do you have an example of a vulnerability that would affect a virtual machine for an internet based service? I mean I know vulnerabilities like CVE-2008-1340 are serious, but obviously they don't increase the initial risk of, say, an email server being compromised. Examples being a powerful thing, I was curious in the scenario I presented above (3 vms... 1 runs mail, 1 runs name server, and one runs web) if you could point me at a CVE that would demonstrate the +hypervisor_risk?

Cheers,
Al

PS Agreed: internal systems *should* mirror production - it's quite possible these days that production systems *will* be virtual :D