Hi there,
I have read some threads on antivirus being installed on the SC for ESX Servers. ( http://communities.vmware.com/message/327938#327938 / http://communities.vmware.com/message/307065#307065 )
I also read somewhere that you can get away with not having AV if the SC is not routable...but what if it is? Since we have 3 ESX Zones, and a FW separating them, the network/security lead is telling me it needs to be routable, unless I want a VC for each zone.
Any thoughts?
Cheers
Neel
If you properly secure your server you will not need anti-virus on your service console, even if it is on a routable network. It is a little more exposed on a routable network, but ESX does have a built-in firewall and the chances of getting a virus on ESX are very remote. There are several good white papers on properly securing the ESX SC, and if you follow these, limit access and do not open more ports than necessary on the ESX firewall, then you should be secure.
Anti-virus protection for Service Console - http://www.vmware.com/community/thread.jspa?messageID=700835
CIS ESX Server 3.x Security Benchmark - http://www.cisecurity.org/tools2/vm/CIS_VMware_ESX_Server_Benchmark_v1.0.pdf
How to secure your VMware ESX Server - http://www.petri.co.il/secure-vmware-esx-server.htm
ESX Console Security - http://www.vmware-tsx.com/download.php?asset_id=37
Vmware Infrastructure 3 Security Hardening - http://www.vmware.com/pdf/vi3_security_hardening_wp.pdf
Security in a Virtualized Environment (VMworld 2007) - http://www.vmworld.com/vmworld/mylearn?classID=11276
Security Architecture Design and Hardening VI3 (VMworld 2007) - http://www.vmworld.com/vmworld/mylearn?classID=11047
-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-
I think the probability of getting a virus on the SC doesn't justify the risk of causing other problems by installing AV software in the SC. Again, it should be thought of as more like an appliance; people usually don't (or can't) try to install AV on appliances. Your company may come to a different conclusion on the risk assessment though.
Don Pomeroy
VMTN Communities User Moderator
Hi,
The only excuse for installing AV into your COS that I can think of would be if you are offering SMB shares from the console.
That could possibly get loaded with viruses. As for the console itself, it's a RHEL derivative; you don't have to worry about viruses, it's a Windows thing, still is, not likely to change.
The issue you should be worried about is getting rooted, not getting a virus, and you cannot run antivirus software to protect you against being rooted. Heck, if you are rooted, there's NO software that can reliably confirm this for you. Not unless you have installed software to help detect this BEFORE the hack happened.
As stated earlier, the console has a built-in firewall and only has a few services running; it is not a Windows desktop with users clicking on links in emails etcetera. Getting infected with a virus is highly unlikely.
--
Wil
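Wil's point that tampering can only be detected by something put in place BEFORE the compromise is the idea behind host integrity checkers such as Tripwire or AIDE. The following is an added example, not code from the thread or from VMware: a minimal baseline-and-compare tool that records a SHA-256 plus the metadata an intruder typically alters (mode, owner, size) for every file under a tree, then reports what appeared, disappeared or changed. The directory layout, file contents and the tampering it simulates are all constructed for the demonstration; the baseline file location and the `demo` scenario are assumptions, not anything the posters described.

```python
"""Minimal file-integrity baseline in the spirit of Tripwire/AIDE (added example).

The baseline must be taken on a known-good system and kept where the host
cannot rewrite it (read-only media, another machine); a baseline the intruder
can edit proves nothing. Everything under demo() is a constructed scenario.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> dict:
    """Hash the content and capture the metadata that tampering usually changes."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.lstat()
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "size": st.st_size,
    }


def build_baseline(root: Path) -> dict:
    """Fingerprint every regular file below `root`, keyed by POSIX path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # symlinks and specials are out of scope for this minimal tool
            baseline[path.relative_to(root).as_posix()] = file_fingerprint(path)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files that were added, removed or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, tamper with it, then verify against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fs"
        store = Path(tmp) / "baseline.json"  # kept outside the scanned tree (assumption for the demo)
        for rel, content, mode in [
            ("sbin/ls", b"#!/bin/sh\n# constructed stand-in for a system binary\n", 0o755),
            ("bin/sh", b"#!/bin/sh\n# constructed stand-in\n", 0o755),
            ("etc/hosts.allow", b"sshd: 10.0.0.0/8\n", 0o644),
        ]:
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
            os.chmod(path, mode)

        # Step 1: record the trusted state BEFORE anything happens to the host.
        save_baseline(build_baseline(root), store)

        # Step 2: constructed tampering: one binary replaced, one permission change,
        # one config file removed, one unexpected file dropped in.
        (root / "sbin" / "ls").write_bytes(b"#!/bin/sh\n# constructed: replaced content\n")
        os.chmod(root / "bin" / "sh", 0o700)
        (root / "etc" / "hosts.allow").unlink()
        (root / "tmp").mkdir()
        (root / "tmp" / ".hidden").write_bytes(b"constructed placeholder\n")

        # Step 3: a later check against the saved baseline surfaces all four changes.
        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The comparison is on the whole fingerprint, so a permission change on an otherwise identical file (`bin/sh` above) is flagged just like replaced content; this is why a content-only hash list is a weaker baseline than one that also records mode and owner.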
So if the SC is routable, the virus (that probably won't even happen) could spread to other hosts, right?
I think that could be our main concern. If it was isolated, I might be able to change some minds.
I suppose that is possible but unlikely; most viruses spread via Windows services or email. However, if you have a properly patched and secured server then it is unlikely that you will get a virus to begin with.
-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=-=-
I am curious, do you have Linux systems on your network and do they have AV installed? From what I can tell many companies do not install AV on Linux systems because the risk is so low. If your company's policy is that any OS that could send a virus over the network to other systems must have AV installed, then I guess you don't have a choice.
Do you have any appliances on your network, and do they have AV installed? If not what is the justification?
Don Pomeroy
VMTN Communities User Moderator
I am not sure that there is any standard for 'Servers' to have AV installed. There is for Windows servers, obviously much needed. We have linux appliances with ClamAV installed, but we also have some that do not have it installed. Not sure what the reason for the split is.
I think realistically you have a higher probability to cause performance problems or other issues by having AV installed on the SC than to get a Linux virus, as most viruses/worms target Windows. I think security best practices for the SC should reduce the risk quite a bit. You may want to also point out VMware doesn't list any approved AV software for running in the SC, so that is one other angle you could pursue.
AV on the SC is something some people do, so if you have to it is doable.
Don Pomeroy
VMTN Communities User Moderator
Thanks for all the info guys, I will have to flip a coin for the points!
So is it true (what I said above), that if I have 3 different zones separated by FW, and the SC network is not routable, I will need 3 VC Servers?
Thanks
I would open the appropriate firewall ports and stay with one VC server for easier administration and much less cost, as you would have to pay for each VC server. If you have to install AV on the SC to get this then I would do that.
Don Pomeroy
VMTN Communities User Moderator
In addition to what was said before.
The new 3i version of VMware cannot even be infected by a virus as it sits in flash memory.
Hello,
That is not quite true: the running instance of 3i could be infected with a virus, but a reboot will clear it out. However, if the device is using writable flash memory (USB stick) then it could still be there. Also, there is no way to insert an AV into 3i for the OS. Well, not yet anyways.
Best regards,
Edward L. Haletky, author of the forthcoming 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', publishing January 2008, (c) 2008 Pearson Education. Available on Rough Cuts at http://safari.informit.com/9780132302074
Edward,
But your "could" is pretty hypothetical, isn't it? Especially when you are talking about getting infected with a virus.
If you didn't misconfigure your ESX pretty badly, then how is the virus going to get in? What will execute it?
I agree it is possible, like it is possible for routers to get infected with worms and malware, and this is something I've actually heard before... but I still think that we are then talking about rootkits and not about a simple virus.
Hello,
New things are being created daily; what we say may not happen today will not be the case tomorrow. If the system is properly configured, can a virus get in.... Not sure actually, there are so few Linux viruses out there that well, most are trapped by other things up the road. But could it, yes, will it? Not sure. So is it hypothetical, yes....
However, if 3i has the vulnerability to allow it to happen or a rootkit to be installed, then a reboot just means they (the nebulous hackers) just have to redo it every time. This type of thing takes seconds to do. I have been working with penetration testers and it is amazing how fast a system can be infiltrated, takes seconds. So should 3i have AV/chkrootkit or something like that available to it? I think so... I always err on the side of being overly cautious.
Best regards,
Edward L. Haletky
Many people think that adding AV will help things. But in fact the opposite result is as likely. Look at the security risks.
Anti-Virus is not free from security errors. Take a look at the recent vulnerabilities in AV software.
Adding AV to a VM with management privileges is crazy. Think about it.
If the AV software on the service console scans VM disk files, an exploit aimed at an AV scanner may result in exploitation not of the VM, but of the service console AV process.
In an ideal world ESX has at least two networks. An administrator network, and the outside world network. Putting AV in the administrator network to scan stuff that comes from the outside world is a really bad idea. Putting AV on the service console is pointless if you control who can access the administrator network.
Keep the two worlds separate. Doing something different may break isolation. Control the administrator network, then life is good.
Well, the point I tried to make is that a virus requires HUMAN action in order to propagate.
If I'm not mistaken that's inherently part of the definition of a virus: it replicates, and does so by a human taking action like browsing to a dark site on the web, getting a drive-by exploit from a rogue ad-site, users clicking links in IM chats, emails....
If the malware can replicate by itself, we are talking about worms.
The administration console should not be used for any of the above.
One of the other things with AV is that it uses the "enumerate badness" technique, a bit of a self-downplaying technique as it depends on the virus being known to the AV first, and then hopes its digital signature is accurate enough to recognize it in the wild. So your AV won't catch original malware, freshly rehashed public exploits (which are trivial to make). The AV won't catch it, unless it uses an engine with some heuristic engine to verify for other typical virus-like behavior. This exists, but also generates false positives. So AV is OK as an extra safety net on a normal desktop/server, but that's what it is, an extra safety net, nothing more. I don't like them much anymore as they tend to create a false sense of security to the average computer user.
Unfortunately, while people tend to think that their AV engine checks for all types of malware, it doesn't. Most AV vendors want you to buy other AV suites for that. Seen too many owned Windows boxes with "everything" up-to-date (OS/AV) to still trust AV to catch the badness for me. Am I paranoid? Maybe, it's a security paranoid thing which I think is good as it keeps one sharp. But it eats up hours sometimes too.
You are correct about the ease of penetration these days (was easier in the past really) by the availability of "professional exploit" bundles that are available nowadays, with the black hat community moving more and more to the criminal side of things. It's a fast moving world...
Hello,
Absolutely, AV is a sentry to make sure no more bad guys get in past the first one that was discovered, somewhat like closing the barn door after the horses have fled..... However, in most systems it is a necessary precaution dictated by the Security Echelon as it is SOMETHING that you can do; you are betting on the virus/worm/malware being found elsewhere before it gets to your systems. This is only one precaution to take, there are others, but for something brand new that no one has seen before, there is not much you can do. Absolutely nothing but be vigilant. Monitor those same hacker boards, etc.... Hopefully using something like TOR.... You really do not want to use your own system....
Can a virus get to ESX? Yes, there are daemons running, speaking over the network, so therefore it is at risk. But more to the point, you are generally not looking for viruses as you are looking for rootkits, misconfigured ports, extraneous things happening, etc. Something out of the ordinary; the way 3i closes off most of the traditional aspects of this is just frightening. I want logs, without which I can not tell what is happening to my critical hardware....
Actually, penetration is easier today than in the past due to the fact that the majority of the people just do not keep things up-to-date and trust that the vendor fixes everything. I think that is just nonsense. Trust is really what it is all about...
The blackhat group is not really moving more to the criminal side of things; it is laws being passed that make it criminal for them to even do their research... Modern laws are making it impossible to even own a computer, much less turn it on, as they state no hacking material should be used; well, most hacking tools are already on most systems today! Consider that tracert, traceroute and their ilk are actually hacking tools, so therefore every system in the nation that passed that law could be confiscated! These types of laws are the same as putting your head in the sand and hoping it goes away. We need active defenses, which can not be developed if you can not even do the research. Part of the job of the security person is to find those holes, report on them, and close them.
Best regards,
Edward L. Haletky
... as it is SOMETHING that you can do
Sure I agree
the way 3i closes off most of the traditional aspects of this is just frightening. I want logs, without which I can not tell what is happening to my critical hardware....
Yikes, that would lead me to believe that 3i is actually less secure. I suppose you can still set up a syslog server to mitigate this. Unfortunately I haven't been exposed to 3i yet. Didn't have the time to visit VMworld 2007.
...and trust that the vendor fixes everything
Heheh.. yeah, I know, and with the current Java/SWF attacks, the hackers are moving from OS exploits to application exploits.
So on Windows you need something like Secunia's PSI to make sure your desktop isn't fragile.
more to the criminal side of things, it is laws being passed that make it criminal for them to even do their research...
You are referring to the German anti-hacker law, I suppose. A very silly law. No, I meant that nowadays there is lots of money to be made if you are an elite hacker. Back in the days when I knew people from a group that had something to do with dead cows, there was no money connected to this and it was much more about skills. Those guys are now working for top security firms. Of course there were black hats back then as well.
When there is a lot of money, there's criminals too.
OK, I'm going to shut up now as it seems I've hijacked the thread too much already.