Jack Daniel, Tenable customer Russell Butturini, and I recently presented the "Addressing the Security Challenges of Virtualization" webcast. This was part 2 in the “Vulnerabilities Exposed” webcast series, and there will be 2 more sessions delivered before the end of the year.
If you missed the webcast or would like to re-watch it, view the recording.
Here are responses to the top questions we received during the webcast.
- Yes, click here to view the presentation slides.
- If an attacker were to gain access to the hypervisor level, they would not necessarily have access to the storage where virtual machines live. However, if an attacker gains access to the storage array, they could make copies of the virtual hard drives and gain access to your data.
Does encrypting your VMDKs (Virtual Machine Disks) make any difference in protecting your data in the event of a VM escape attack?
- VMware does have support for native encryption, and this would help defend against attackers after your data in a virtual environment.
PVS may cover some of the App-V surface, but a scenario where that falls apart is when a malicious PDF is downloaded, and they open the PDF which runs virtual Adobe. Reader is not accessing the Internet at that point. Is there anything on the Nessus roadmap that will allow you to enumerate the idle packages that are waiting to be requested so you can fix the problem upstream? They are just exe/dll's on shares, so auditing the static package would be a big win.
- We are exploring many approaches to enhancing our malicious process and malicious content detection capability, but we do not have any specific commitments on the roadmap at this time.
- See our Nessus 5.0 and Scanning Virtual Machines document for more information.
- Nessus offers support for Oracle VirtualBox (formerly Sun VirtualBox) in the form of remote checks for any platform and local credentialed plugin checks when installed on Microsoft Windows. Since VirtualBox is included in many OS distributions, Nessus also offers a variety of local credentialed checks specific to Debian, FreeBSD, Gentoo, Mandriva, and SuSE.
- Nessus currently offers remote support for Citrix XenServer, specifically several detection plugins for XenServer and associated services. Tenable plans to add support for local, credentialed checks this year, as well as compliance audits that are currently under development.
- Nessus has support for auditing Microsoft Hyper-V technology. Remotely, via API, Nessus can detect and enumerate virtual machines, as well as use several Microsoft Security Bulletin-based plugins to test for known vulnerabilities.
- Supported versions are ESXi 4.x/5.x and vCenter 4.x/5.x. See here for more details.
In the new NIST Cyber Security Framework (draft), a lot of weight is being given to SANS 20 Critical Security Controls (CSCs). When you talk standards, are these controls incorporated?
- PVS has 1-2Gb/s throughput using standard hardware. We are currently developing 10Gb/s support for PVS.
The virtualization of the hardware and OS is still tangible, and one can still enumerate them as though they were physical devices and OSes by way of IP. How is Nessus approaching a rapidly shrinking/centralizing application footprint with application virtualization (re: App-V, Citrix Apps). The application only exists in memory, and on demand, which makes scanning difficult or impossible at the "end node" virtual or physical.
- PVS can help detect vulnerable applications as they communicate on the network. Beyond that, we are exploring ways to integrate with evolving technologies, such as software-defined networking to get better visibility into dynamic environments, but have no specific features on the roadmap at this time.
Tenable Virtualization Resources
- Blog Post: Scanning and Patch Auditing VMware Using Nessus
- Blog Post: Nessus VMware/vSphere vCenter Audits
- Data Sheet: Security Monitoring for the vSphere Infrastructure
- Documentation: Nessus 5.0 and Scanning Virtual Machines
- Whitepaper: Extending Vulnerability Management to Virtualized Infrastructures and Cloud Computing
- Webcast: Managing Vulnerabilities in Virtualized and Cloud-based Deployments
"Vulnerabilities Exposed" Webcast Part 3 – BYOD/Mobile
The next webcast will be held on October 22nd at 2 pm EDT, and we'll discuss how to handle BYOD/mobile threats before they cause loss and disruption. Hope you can join us.