Is there security needed between virtual machines?  Some say no, some say yes.  I've been out talking to a number of virtualization users and non users on this topic and I'm finding that some say no and some say yes.  The users of virtualization technology tend to say yes while others looking at virtualization from the outside tend to say no.  Why is this?

Well, I thought I'd blog on my thoughts on this!

You see, in the physical datacenter there is no firewalling between servers plugged into the same switch and because of this some people think, well if its not done in the physical world why should it be done in the virtual world.  I believe that its not done in the physical world today because there are no solutions today that embed security into datacenter switches.  Should it be done in the physical world?  I think so!  It never hurts to get security as close as possible to the things you are trying to protect and what better place than the switch port in which the critical asset are connected to.  This is why people have HOST BASED FW/IPS ON SERVERS!  To get security as close as possible!  Is that needed? 

So my first response to those that say, security between virtual machines is not needed because its not done in the physical world is:  Well, just because people have done things one way for many years doesn't mean there isn't a better way.

Would environments be more secure if there was security between servers?  I tend to think so.  You see, many of the attacks that are taking place these days are not attacks for fame but attacks for fortune and gone are the days where people just hacked to spread nasty viruses.  Its all about the data these days (ie. credit cards, social security numbers, etc).  We've all heard about the TJ Max security breach where customer data was compromised and many others like banks that have had credit cards compromised. 

How and the heck do you think most of these things happened?  Attackers are targeting the datacenter these days.  Physical or Virtual.  Their gateway into these environments are the Web Front End Servers.  Let me say that again.  The Web Front End Servers!  Hackers get to the data from the web front end server that talks to the database backend server.  This useually occurs by something called "Cross-Site Scripting" or "SQL Injection" breaches. 

Here is a trival way of how this happens:

A hacker finds a vulnerable web site.  He sometimes does this by something called Google Hacking.  He uses Google to search for sites that has vulnerabilities on it.  Say a web site has some content on one of the pages that says "Powered by Drupal 4.1".  If a hacker knows that Drupal 4.1 software has a vulnerability in it, he can now target all the search results related to this.  Click Here for more detail.

Now lets say Drupal 4.1 on a web site has a SQL-Injection vulnerability because the developer of the Drupal software didn't do Form Field Validation properly.  A Form field is something you fill out on a web page like a form that asks for the user name and password.  User names and passwords to log into the web site are stored on whats called a Database Server.  Hmmm... So this means the web server needs to talk to the database server right?  Yes!  Keep this in the back of our head for now.  The hacker enters in "Admin" for the user ID and "password doesn't matter 'or 1=1--" for the password.  And presto!  He is logged in to the server as Admin.

The reason he was able to log in is because the web site sends a SQL Database command to the Database server and because the developer of the Drupal software didn't do "Form Field Validation" properly (method of checking for invalid characters like the ' (single quote)  symbol), the user was able to bypass the password.  Notice the 'OR 1=1 command appended to the password.  One does equal one so therefore it will return a TRUE result to the password checker and the OR says use the password typed in (password doesnt matter) OR check to see if one is equal to one.  If its true then the password is valid for this user which is Admin.

Now that the user is on the web server, he probably has the ability to connect to the database server or other servers in the network.  Why?  Because there is connectivity from the web front end to all of the backend servers.  He essently can backdoor his way throughout the network.

Another method is for him to append some SQL statement to another SQL statement.  Lets say their is a FORM FIELD on the website that collects some information from the database to display it to web site users.  It could be entering in the Zip code to find store locations in your area.  Instead of putting in the zip code you could put in "95123 'UNION SELECT * FROM credit_card_table--".  The hacker is injecting via the UNION command (which means join one SQL statement with another one) a command that says grab all (via the asterisk) information out the credit card table.

Lastly, the hacker can use the UNION command to write text of his desire to a text file on the database server.  He may write some nasty code, tell the database to write the code to a file and then tell the server to execute that file.  The code could be used to do a denial of service attack to the other virtual machines or whatever.  The possibilities are endless!!

Anyway, these are high level examples.  I think you get the point.

The Web Front End Virtual Machine has a need to talk to the Web Back End Virtual Machine and security such as Firewalling, Intrusion Prevention definately needs to be in place to have a higher level of security.

Another reason to have security between virtual machines is because servers are now mobile in the virtual world.  They move between trust domains to take advantage of computing resources that may be available on a given piece of hardware.  Lets say one PHYSICAL server was hosting database VM's and another PHYSICAL server was hosting file server VM's.  The file server VM could VMOTION to the same environment as the database VM's.   Now where is your isolation between trust domains or unlike resources?

People should think about this problem in greater detail.  I'd love to hear everyones comments as to whether or not they think security between VM's is needed.

John Peterson
Montego Networks

1) We ended up monitoring 205 nodes in the official show network. They broke down as follows:

• 73 switches (Enterasys and Netgear),
• 4 routers (Enterasys),
• 28 power distribution units (APC),
• 5 IDSes (Enterasys Dragon),
• 20 environmental monitors (APC),
• 2 load balancers (Coyote Point),
• 2 VMware servers,
• 5 DNS and DHCP Servers (BlueCat Networks),
• 27 IP KVMs (Avocent),
• 27 IP Power Strips (Server Technologies),
• 1 Master Wireless Controller (Aruba Networks),
• 2 IP-PBX Boxes (Digium Asterisk),
• 4 Optical Taps (NetOptics),
• 1 Splunk server and
• 4 external WAN links (Qwest).

EM7 pulled data from all of these devices and delivered a single view of the data to the NOC.

2) Uptime for the network was 100%. That isn’t to say that there weren’t some device failures, but each of them was handled properly by the redundancy in the network and the show exhibitors and attendees saw no impact from these failures. This is a real testament to the design and build of the network. It’s hard enough to build a complicated network in two weeks, but then to keep it up and running 100% of the time in the wild west environment that is Interop, is really phenomenal.

3) The average monitored device in the show network didn’t even hit 10% CPU utilization. This is interesting because many items were virtualized using vmWare this year and yet, there was still a lot of hardware overhead available. (Maybe we should run Folding@Home on the show network?)

4) The show network was busy. By our calculation over 864 gigabytes of data was pulled in and 1.01 terabytes of data were pushed out of the WAN links in the 3 days that the show floor was open. That’s a sustained 56Mbps average, including off hours. At peak the show network hit about 102Mbps of WAN utilization.

5) In the three days the show floor was open the network and its supporting NOC gear used 600 kwh (kilowatt hours) per day. As a comparison, the town of Rockport, Missouri (1,300 residents) uses about 35,600kwh per day. On a side note, they are completely powered by wind power and in fact sell 3,000,000kwh per year back to the local power utility. I’m thinking next year Interop should bring some wind turbines as part of the InteropNet kit?

Next I’ll be doing some analysis on the trouble tickets opened. I think it’ll be interesting to see the kinds of issues that vendors experienced and how quickly the InteropNet staff handled them. Look for that in the next couple of days.

ShareThis

Synopsis:  Blue Box #79: Asterisk vulnerabilities, VoiceCon/VON coverage, eavesdropping, FBI, ZFone, P2P, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #78, a 32-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 15MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on March 27, 2008. Yes, that was over two months ago... we know...

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• MANY thanks for all the offers of audio production assistance


• Dan met with Craig Bowser down at VoiceCon, also David Endler, Mark Collier, etc.


• Jonathan met with Dean Elwood, Martyn Davies, etc.


• Four Asterisk vulnerabilities


• The Economist: Bugging The Cloud


• Forbes: How to Make Your Phone Untappable


• VoIP News: VoIP: Who Might Be Spying on Your Communications? (Hint – It’s Not Just the NSA


• VoIP News: Listen Up: 17 Signs That You Are Being Wiretapped


• eChannelLine: Businesses lagging in securing VoIP (also ComputerWeekly.com and news release )


• eChannelLine: Ingate launches enhanced security for VoIP and SIP (also Enterprise VoIPPlanet )


• Voice of VOIPSA: Hacking Zyxel Gateways


• Voice of VOIPSA: Vishing Attacks


• Voice of VOIPSA: FBI VoIP Surveillance Requirements Leaked (also in FierceVoIP and Slashdot )


• Voice of VOIPSA: Hackers Send Thousands of Fake Calls to Deaf People


• SnapVoIP: Unified Communications in Virtual Worlds to Solve ‘Tower of Babel’ for Intelligence Agencies


• Israeli-made Cryptophone attracts world spy agencies pointing to product site


• BlogInfoSec.com: Save The Whales (about a new form of phishing)


• Network Computing: Your Data and the P2P Peril


• NetQoS: VoIP Monitor 1.1 released


• PC World: FaceTime Security Product Scans Skype’s Encrypted IM and news release


• Sipera IPCS Solution for Teleworkers Rated ‘Avaya Compliant’


• Extreme Networks Boosts Security for Converged Voice and Data Networks with New Tools
• Review of the last week's traffic on the VOIPSEC public mailing list 


• Wrap-up of the show


• 32:27 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis:  Blue Box #79: Asterisk vulnerabilities, VoiceCon/VON coverage, eavesdropping, FBI, ZFone, P2P, VoIP security news and more

Welcome to Blue Box: The VoIP Security Podcast #78, a 32-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 15MB) or subscribe to the RSS feed to download the show automatically. 

NOTE: This show was originally recorded on March 27, 2008. Yes, that was over two months ago... we know...

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• MANY thanks for all the offers of audio production assistance


• Dan met with Craig Bowser down at VoiceCon, also David Endler, Mark Collier, etc.


• Jonathan met with Dean Elwood, Martyn Davies, etc.


• Four Asterisk vulnerabilities


• The Economist: Bugging The Cloud


• Forbes: How to Make Your Phone Untappable


• VoIP News: VoIP: Who Might Be Spying on Your Communications? (Hint – It’s Not Just the NSA


• VoIP News: Listen Up: 17 Signs That You Are Being Wiretapped


• eChannelLine: Businesses lagging in securing VoIP (also ComputerWeekly.com and news release )


• eChannelLine: Ingate launches enhanced security for VoIP and SIP (also Enterprise VoIPPlanet )


• Voice of VOIPSA: Hacking Zyxel Gateways


• Voice of VOIPSA: Vishing Attacks


• Voice of VOIPSA: FBI VoIP Surveillance Requirements Leaked (also in FierceVoIP and Slashdot )


• Voice of VOIPSA: Hackers Send Thousands of Fake Calls to Deaf People


• SnapVoIP: Unified Communications in Virtual Worlds to Solve ‘Tower of Babel’ for Intelligence Agencies


• Israeli-made Cryptophone attracts world spy agencies pointing to product site


• BlogInfoSec.com: Save The Whales (about a new form of phishing)


• Network Computing: Your Data and the P2P Peril


• NetQoS: VoIP Monitor 1.1 released


• PC World: FaceTime Security Product Scans Skype’s Encrypted IM and news release


• Sipera IPCS Solution for Teleworkers Rated ‘Avaya Compliant’


• Extreme Networks Boosts Security for Converged Voice and Data Networks with New Tools
• Review of the last week's traffic on the VOIPSEC public mailing list 


• Wrap-up of the show


• 32:27 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #75: Asterisk vulnerability, SANS paper on VoIP security, SPIT, tons of listener comments and much more...

Welcome to Blue Box: The VoIP Security Podcast #75, a 38-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• AST-2008-001: Remote Crash Vulnerability in SIP channel driver
• Voice of VOIPSA: IETF seeking feedback on ???Requirements from SIP Session Border Controller Deployments???
• SANS paper on VoIP Security pointing to actual paper
• ComputerWorld: Security dominates 2008 IT agenda
• TechCentral.ie: Coming Together ??? 8 for 2008
• SecurityPark: IT managers complacent about VoIP infrastructure security threats
• TechRepublic: SPAM and SPIT: what are the dangers? pointing to Does UC present new opportunities for spammers?
• VoIP-News: The VoIP-News Top 25 VoIP Blogs of 2007
• List of VoIP Hacking software
• ITworld.com: IT job skills that matter now (see the first line of the sidebar)
• Comment (audio) from Frank Leonhardt
• Comment (blog) from Raffi
  welcome_to_blue.html#comment-96147586 about Blue Box #73
• Comment (blog) from Aswath
• Comment (email) from Ben Penson
• Comment (email) from Shawn Merdinger
• Comment (email) from Jon Farmer
• Comment (email) from Shlomo Dubrowin
• Comment (email) from someone seeking assistance in southern California
• Review of the last week's traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 43:57 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #75: Asterisk vulnerability, SANS paper on VoIP security, SPIT, tons of listener comments and much more...

Welcome to Blue Box: The VoIP Security Podcast #75, a 38-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 17MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• AST-2008-001: Remote Crash Vulnerability in SIP channel driver
• Voice of VOIPSA: IETF seeking feedback on ‘Requirements from SIP Session Border Controller Deployments’
• SANS paper on VoIP Security pointing to actual paper
• ComputerWorld: Security dominates 2008 IT agenda
• TechCentral.ie: Coming Together – 8 for 2008
• SecurityPark: IT managers complacent about VoIP infrastructure security threats
• TechRepublic: SPAM and SPIT: what are the dangers? pointing to Does UC present new opportunities for spammers?
• VoIP-News: The VoIP-News Top 25 VoIP Blogs of 2007
• List of VoIP Hacking software
• ITworld.com: IT job skills that matter now (see the first line of the sidebar)
• Comment (audio) from Frank Leonhardt
• Comment (blog) from Raffi
  welcome_to_blue.html#comment-96147586 about Blue Box #73
• Comment (blog) from Aswath
• Comment (email) from Ben Penson
• Comment (email) from Shawn Merdinger
• Comment (email) from Jon Farmer
• Comment (email) from Shlomo Dubrowin
• Comment (email) from someone seeking assistance in southern California
• Review of the last week's traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 43:57 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #74: 2008 Crystal Ball Edition, Asterisk and Trixbox vulnerabilities, top 10 lists, VoIP security trends for 2008 and more....

Welcome to Blue Box: The VoIP Security Podcast #74, a 44-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• SE 22 with Jonathan Rosenberg
• Asterisk AST-2007-027: Database matching order permits host-based authentication to be ignored
• Voice of VOIPSA: Trixbox contains ‘phone home’ code to retrieve arbitrary commands to execute
• trixbox CE audit tool official statement and fixes
• Audit Tool Change Plan
• Audit tool ‘fix’ being pushed out tonight
• ComputerWorld: VoIP vulnerabilities increasing, but not exploits
• CRN: Top 9 VoIP Threats and Vulnerabilities (Sipera PR strikes again) – points to CRN article: VoIP Threats, Vulnerabilities Abound which is based on press release Sipera VIPER Lab Reveals Top 5 VoIP Vulnerabilities in 2007
• Voice of VOIPSA: Pointers to any audi methodology for forensic analysis of VoIP systems?
• TMC.net: SIP and Security: Just Do It Right!
• PAETEC, Alcatel-Lucent Deploy Industry Leading Disaster Recovery VoIP Solution
• Feature: top stories of 2007 and trends for 2008
• No comments this week.
• Review of the last week's traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 43:57 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #74: 2008 Crystal Ball Edition, Asterisk and Trixbox vulnerabilities, top 10 lists, VoIP security trends for 2008 and more....

Welcome to Blue Box: The VoIP Security Podcast #74, a 44-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• new comment line +1-415-830-5439
• SE 22 with Jonathan Rosenberg
• Asterisk AST-2007-027: Database matching order permits host-based authentication to be ignored
• Voice of VOIPSA: Trixbox contains ‘phone home’ code to retrieve arbitrary commands to execute
• trixbox CE audit tool official statement and fixes
• Audit Tool Change Plan
• Audit tool ‘fix’ being pushed out tonight
• ComputerWorld: VoIP vulnerabilities increasing, but not exploits
• CRN: Top 9 VoIP Threats and Vulnerabilities (Sipera PR strikes again) – points to CRN article: VoIP Threats, Vulnerabilities Abound which is based on press release Sipera VIPER Lab Reveals Top 5 VoIP Vulnerabilities in 2007
• Voice of VOIPSA: Pointers to any audi methodology for forensic analysis of VoIP systems?
• TMC.net: SIP and Security: Just Do It Right!
• PAETEC, Alcatel-Lucent Deploy Industry Leading Disaster Recovery VoIP Solution
• Feature: top stories of 2007 and trends for 2008
• No comments this week.
• Review of the last week's traffic on the VOIPSEC public mailing list 
• Wrap-up of the show
• 43:57 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.

Synopsis: Blue Box #72: Asterisk security vulnerabilities, Skype and the German government, VoIP security news, listener comments and more

Welcome to Blue Box: The VoIP Security Podcast #72, a 25-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 11MB) or subscribe to the RSS feed to download the show automatically. 

You may also listen to this podcast right now:

NOTE: This show was recorded on November 30, 2007.

Show Content:

• 00:20 - Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners - and to all those listeners who have been here for so long! 
• - AST-2007-025 – Asterisk – SQL Injection issue in res_config_pgsql
• - AST-2007-026 – Asterisk SQL Injection issue in cdr_pgsql
• - TechWorld: Expert scares world with VoIP hacking proof pointing to SIPtap - Articles also in ComputerWorld
• - Wired: Skype encryption baffles German police – also in The Register and TechDirt
• - VoIP News: Why Nobody’s VoIP is Secure
• - PC World: ‘Swatters’ Trick AT&T’
• - Comment (email) from Shawn Merdinger
• - Comment (email) from Yann Cloatre
• - Comment (email) from Miguel Garcia
• - Comment (email) from Roel Villarius about Dutch spam filter
• - Review of the last week's traffic on the VOIPSEC public mailing list 
• - Wrap-up of the show
• 25:27 - End of show 

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at either +1-206-350-7280 +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there. 

Thank you for listening and please do let us know what you think of the show.