chrisbrenton.org

Your source for invisible security bug spray

Archive for the ‘Virtualization’ category

VMware Fast Path Versus Slow Path Firewalls

August 30th, 2010

Many of us are now working with virtual firewalls. I did an earlier post regarding the strengths and weaknesses of security within the virtual realm, but today I want to talk about the firewalling possibilities with VMware. There has been a lot of excitement regarding VMware’s relatively new VMsafe API. Specifically, everybody is scrambling to create/deploy fast path firewalls. But are all fast path implementations created equal? Are there security concerns with going with a fast path solution? Let’s dive in and see.

Breakdown of VMsafe

With the release of the VMsafe security API, VMware has enhanced the options available for implementing security within a vSphere environment by permitting vendors to plug directly into the hypervisor at ring 0. VMsafe consists of three components:

VDDK – Disk block inspection. API has been publically released.
vCompute – CPU and memory API. Has not been publicly released. Unknown which third parties have access, if any.
vNetwork – API to monitor/filter between the vNIC and vSwitch. Has not been publicly released. To the best of my knowledge, only Altor Networks & Reflex Systems have access (two vendors who assisted in the development of the API).

Specifically, I want to speak to the vNetwork API. When controlling network traffic flow within an ESX host, there are two possible implementation, “slow path” and “fast path”.

Slow Path

Slow path is the simplest implementation and the one we have been using for years. Effectively this is just a VM guest, similar to any other VM guest, running on the ESX host. Typically each guest is connected to a unique vSwitch, and each of these vSwitches is connected to a unique vNIC on the firewall. This is similar to a legacy firewall setup, but implemented virtually. The benefit of executing in slow path is that you can run a full blow OS with any libraries or services required to support the firewall.

Fast Path

Fast path is effectively a ring 0 driver that plugs directly into the hypervisor kernel. This allows a third party vendor to leverage the hypervisor for insertion between each vNIC/vSwitch connection. Because a fast path driver is running in kernel context, it adds minimal overhead to the system. The result is code execution within fast path is substantially faster than the same code being executed within slow path (thus the VMware naming convention for each context). Load on the ESX host is minimized, so the end result is you can run far more virtual guests.

Fast Vs Slow

So it sounds like you would want to do everything within fast path, but there are a number of issues. Fast path is a kernel driver plugging into a minimized hypervisor, not a full blow operating system. This limits the libraries and services the firewall has available for controlling traffic flow. Further, we are plugging in a kernel driver so there needs to be assurances that it does not bloat the hypervisor, increase the attack surface or interfere with other hypervisor functions. VMware performs a code review on all fast path drivers prior to release. So if I could theoretically implement all my code in fast path, I would need VMware approval prior to every patch or feature release.

With this in mind, a vendor claiming “fast path” support is actually going to end up implementing a portion of their code as fast path, a portion as slow path, and then create a connector between the two. How much load is placed on the system will depend on how much of this code is implemented in fast path and how much of it is executed in slow path.

Possible Fast Path Deployments

For example, a vendor could choose to write a fast path driver that simply tunnels all packets back to a slow path implemented firewall. The slow path code then determines if the traffic should be passed or dropped, with passed packets being sent back to the fast path code for insertion into the hypervisor control channel. While this would be the easiest method of deploying fast path, and arguably the safest and most secure, it would provide the least performance benefits. System load would probably not be much better than a full slow path implementation. I see this option as being very attractive to legacy firewall vendors, as it would require the least amount of modification to their existing code while still being able to claim “fast path support”.

Another option would be to use the slow path space for administrative functions with the fast path driver acting as the firewall engine. So for example the firewall administrator would create the policy using an interface running on a slow path VM, which would then push the policy down to a fast path driver. In this setup the fast path driver has a copy of the policy so traffic control can be implemented immediately. The result is faster traffic handling with minimal system load. The trade off is bulkier code at ring 0.

It is also possible to implement a mixture of the two. For example I could use the fast path driver to implement the firewall policy, but then pass all “accepted” packets back to the slow path system for intrusion checking, virus scanning, or whatever is needed. Acceptable packets are then passed back to the fast path driver for insertion. So in this setup all “dropped” packets are handled via fast path, while accepted packets interact with a slow path component.

As a side note, you need to keep the above info in mind when considering all vNetwork implementations, not just firewalls. The vNetwork API can also be used for policy enforcement, QoS, gathering of network statistics, etc. For example the very first vNetwork implementation was actually VMWare’s Lab Manager. This tool is used for self service provisioning and does not contain a firewall component (this is implemented via vShield).

Summary

While a VMware product that integrates with VMsafe can strictly be a “slow path” implementation, it is highly unlikely that any product can be considered solely a “fast path” implementation. Any fast path product is most likely going to be a hybrid. It is just a matter of how much code exists in the “fast path” space versus the “slow path” space. When a product claims fast path support, you need to dig a bit deeper to analyze the implementation in order to identify any real performance benefits.

No comments »

Posted in Virtualization

Are Virtualized Systems More Or Less Secure?

May 18th, 2010

I’ve had the above question asked enough times that I felt it worthy of a blog post. While a few years back the answer may have been “less secure”, today the answer is “both”. I know, sounds like Chris being non-committal, but that answer really does most accurately describe the current state of the technology.

Virtualization Changes Everything

I’ve heard a few folks remark that virtualization is about to impact the industry the same way that the Internet did in the 90’s. To be honest, I think there is merit in that opinion. In the early 90’s most folks were running IPX, AppleTalk, NetBUI and a plethora of other protocols on closed networks. By the end of the 90’s, most folks were running IP exclusively with connectivity to the entire world. The way we did business, as well as the way we applied security, completely changed over that 10 years. Both network administration and security skills that were cutting edge in 1990 were all but useless by 1999.

Virtualization is starting to ramp up to have the same impact on the industry. Virtualization deployment requires a complete rethinking of how to apply security. Back in the 1990’s, admins who simply plugged into the Internet, without regard for how this would impact their network, got burned big time. We are lining up to see a similar outcome as folks adopt virtualization.

What Makes Virtualization Less Secure

The Achilles heel of virtualization is in the software itself. We are hoping we can trust the software to keep guest systems away from each other, as well as the host and/or hypervisor. There are two major problems with this expectation:

No software is bug free
Software can be misconfigured

A few years back Core Research showed they could break out of a guest and gain full control of the host OS. While a hypervisor is supposed to limit that type of exposure, we’ve certainly seen cases where even the hypervisor has been bypassed. We’ve even seen cases were software becomes exploitable only when run in a virtualized environment. These links show a small cross section of the virtualization problems that have been discovered over the last few years. Google can give you a more complete list if you are interested.

So a prudent security professional is going to be cautious of blindly trusting software to be secure. The problem is vendors do not always take this same approach. Take VMware with their ESX (soon to be ESXi) product as an example. Many of us were flabbergasted when a VMware representative announced at CanSecWest that it was theoretically impossible to attack the ESX hypervisor. When we simply assume something is unbreakable, someone more creative is going to figure out a way to punch through.

One of my biggest concerns with ESX/ESXi is that VMware has designed it to be modular (via VMSafe). On the plus side, this means that outside vendors can create products to help improve the hypervisor’s functionality and security. On the downside this dramatically increases the chances of bad code being introduced which can compromise security.

We’ve seen a great example of this in the past. Marcus Ranum created the Gauntlet firewall, which at that time was one of the most secure and kick butt security devices available. When three letter agencies wanted the best security, they turned to Gauntlet. Marcus sold Gauntlet to Network Associates (later became McAfee) who immediately started adding in features. It was not long before a steady string of vulnerabilities were being discovered, each introduced by these new “features”. From there, the product lost its security cred and slid off of the radar.

Now it is certainly possible to add features and keep things secure. The FreeBSD folks are an excellent example of how to do this correctly. To ensure security they maintain a very strict auditing process. Is it perfect? Absolutely not, but their auditing process has set the bar for secure software implementation. With any luck VMware will do similar, but I have not heard any buzz about this being the case.

Getting Your Head Straight

OK, so we can’t blindly trust virtualization software to keep attackers at bay. We can however still take precautions to help minimize the impact if the worst does occur. One of the biggest steps you can take is to carefully consider which servers get hosted, and what other guest systems are permitted to run on the same box. The security zone concept used by network architects is just as applicable here.

A security zone is simply a collection of systems that share the same relative level of risk. For example Web, name and SMTP servers are usually all located on a DMZ, because they all share similar risk from direct attack. On the internal portion of the network, desktops are usually placed in a different security zone than the servers. This is because servers have little to no access to the Internet while desktops are usually permitted to communicate directly. This places the desktops at higher risk of attack than the servers.

We can apply this same logic when implementing virtualization. A DMZ server and an internal server should not be guests on the same hardware (both CPU and disk array). Doing so could allow an attacker to create an alternate route into our network. Rather than having to pass through any firewall, NIDS, NIPS, etc. devices that has been deployed on the wire, an attacker may be able to gain access to internal resources via the virtualization software. Is it an easy attack? Not from what we have seen so far. Functional exploits have been discovered however, so why introduce unnecessary risk if we don’t have to.

By the way, these same security zone rules should be applied to your virtualized network gear. For example it is a bad idea to use the same physical switch to VLAN the DMZ and the internal network. I’ve seen a couple of clients get whacked that way.

What Makes Virtualization More Secure

Fortunately, from a security perspective, virtualization is not all bad news. In fact there are some very cool security practices you can apply in a virtualized environment that you simply cannot do without it. This was one of the reasons we started using virtualization within the Honeynet as early as 2000.

One of the biggest security issues we face today is kernel level rootkits. What makes this strain of malware so insidious is it effectively turns the operating system itself into malware. This makes detection extremely difficult, as all security checks must pass through the kernel. If the kernel itself is compromised, we can’t rely on the kernel to accurately report security information. We end up having to shutdown the system, mount the drive on a known to be clean OS, and performing our forensic checks from there. Oh course the problem with this process is that it does not scale well. If we have dozens or hundreds of servers, there simply is not enough time in a day to check them all properly.

As mentioned earlier, VMware is now permitting third party vendors access to the hypervisor API via VMSafe. This permits access to privileged state information, such as memory and network traffic, on each of the guest OSs. By plugging into the hypervisor, some extremely cool security options become possible.

For example let’s say a guest OS is attacked by a kernel level rootkit. By analyzing guest memory, the rootkit can be detected from outside of the virtual operating system. When performing the checks via the hypervisor, there is far less of a chance that a rootkit can stealth its activities and go undetected. As mentioned earlier, there is no comparable option with a non-virtualized system.

The API plug also creates new possibilities for dealing with encrypted traffic. When end to end encryption is employed (like a VPN), network based checks of the application layer are easily bypassed. Your only real option was to run agent software on the end point, so security could be implemented after the decryption process. Of course the problem here is that if the agent is attacked, all bets are off. Again, by plugging into the hypervisor we are in a better position to more safely scrutinize this data.

We are just starting to see new products that leverage the VMSafe API plug. Since all of the products are relatively new, the jury is still out on how effective they can be. Offerings run the gambit from replacing host based firewall and IDS protection to full policy enforcement. It will be interesting to see how this product niche shakes out over the next year.

Summary

So as I mentioned at the beginning of this post, virtualization has the ability to make your environment either more or less secure, depending on how you deploy it. If you simply start running everything on a single box, you are probably going to get whacked. If you extend the best practices that have been developed over the years into the virtualization realm, as well as leverage some of the new security features that are being released, you can actually create a better overall security posture.