Will infrastructure virtualization sweep away existing switching structures while failing to grant benefits of performance, cost or improved security? Some say yes.
Virtualization “will not save you money, it will cost you more,” said Christopher Hoff, chief security architect at Unisys. In addition, “virtualized security can seriously impact performance, resilience and scalability,” he said in an impassioned presentation Wednesday at the Black Hat conference.
Hoff argued the user community is being sweet-talked into virtualization by an industry unmindful of the security consequences.
The next 12 to 18 months will bring an uncomfortable set of circumstances as every vendor rushes to claim it is virtualized, Hoff said in his talk titled “The Four Horsemen of the Virtualization Apocalypse.”
“It’s getting real messy,” Hoff said, as Cisco, Brocade Communications, 3Leaf Systems and Xsigo Systems, among others, gallop off to virtualize basic switching infrastructures without a clear notion of what the security consequences are for enterprise customers accustomed to wholly different topologies that include such technologies as Spanning-Tree Protocol.
“A virtual switch is just a piece of code like a hypervisor,” Hoff said about the industry’s new direction. “It’s basically Layer 2 switching modules,” he said, which means you’ve collapsed the network into “a single tier” and “it all boils down to three settings in a GUI.”
Virtual security is taking shape in the form of virtual appliances that will become the cornerstone for trying to replicate such traditional defenses as intrusion-prevention systems, antivirus and firewalls, Hoff said. As security functions compete for virtual-machine resources, however, there will be a performance hit, just as is seen in unified-threat-management devices today that combine IPS, firewall and other functions, he said.
Capacity planning with a virtualized network is going to be very difficult to predict, Hoff said, adding he was profoundly skeptical that trying to virtualize a firewall is going to work as DMZs are pushed into going virtual, too.
“If I decide to V-Motion a firewall, it won’t work,” Hoff said, alluding to his own research with VMware and its V-Motion capability for deploying virtual-machine images rapidly. He also warned of the threat of virtual-machine sprawl, “where I can’t even track down in my network where this thing is.”
With virtualization, “you won’t get rid of host-based security software. As we add more solutions, we add complexity,” Hoff said, advising the Black Hat audience “not to be dragged into the environment.”
Rootkits galore
Polish researcher Joanna Rutkowska also plans to call attention to the frailties in existing virtualization products, including the Citrix Systems Xen hypervisor.
Wednesday, Sherri Sparks, president of Clear Hat Consulting, and Shawn Embleton, the firm’s CTO, gave a talk about how they’ve developed a network interface card (NIC)-chipset-based rootkit they call “Deeper Door” that an attacker might use to hide and monitor traffic stealthily.
Deeper Door is operating-system independent, unlike the rootkit called Deep Door developed by Rutkowska, Sparks said.
There are advantages and disadvantages to each from an attacker’s point of view, but the Deeper Door Intel 8255x chipset rootkit resides “completely in the chipset, the motherboard chipset and on the LAN controller,” he said.
Sparks and Embleton demonstrated how Deeper Door can be loaded up, and said their research has shown it can’t be detected by software-based firewalls and intrusion-detection systems including Snort IDS, ZoneAlarm and the Windows XP firewall. They gave a demo showing how ZoneAlarm didn’t detect the rootkit sending unauthorized outbound traffic.
Hardware-based firewalls should be able to detect Deeper Door, Embleton said. He added, however, that it’s very resilient: Simply disabling the NIC won’t stop it because it’s designed to check to see if the card has been disabled and reenable it.
In another rootkit session at Black Hat Wednesday, Ariel Futoransky, researcher at Core Security Technologies, detailed how the security firm has been able to develop a Cisco IOS rootkit it calls “DIR” (“da IOS rootkit”).
DIK is a lightweight rootkit that can compromise a Cisco IOS router by infecting the image and leaving malicious code to run and perform stealthy tricks on traffic, he pointed out, with a short demo of it.
There’s no known instance of a Cisco IOS rootkit in the wild, but the research shows that it is possible — despite hooks in IOS that make writing rootkits for other types of operating systems far easier, Futoransky said.
“Can we protect ourselves [from DIR]?” Futoransky asked. “I don’t have easy answers for this one.” Using cryptographic tools would make it harder to hide traces of a rootkit attack, he said.
Cisco spokesperson Kevin Petschow said Cisco is working closely with Core Security Technologies on the IOS-rootkit research, and is glad to work with other researchers, too, that identity new types of attacks on Cisco gear.
In yet another session, Apple’s Mac OS X got the rootkit treatment, as security researcher and software engineer Jesse D’Aguanno of Praetorian Global showed that it, too, is subject to rootkits. While it’s not necessarily easy to develop rootkits for the Mac OS X, it can be done, he said, providing evidence and a demonstration of one he developed.
Toll evaders
Not even highway electronic-toll systems got a pass at Black Hat.
Nate Lawson, founder of Root Labs, spoke at a session titled “Highway to Hell” that offered evidence of how it’s possible to tamper with the commuter-toll system FasTrak by manipulating the radio-frequency-based equipment used by commuters in the San Francisco Bay Area and elsewhere to compromise data integrity and user privacy.
In a detailed technical presentation, Lawson said he had evidence he’s willing to provide for free to local-area authorities and FasTrak equipment manufacturers to show them how it’s fairly simple to alter the transponders used in FasTrak to come up with criminal attacks that would change electronic records-keeping, switch user IDs and undermine the system in other ways.
Lawson, a long-time researcher who now owns his own security firm in the Bay area, said his efforts to gain attention about security issues with FasTrak have been ignored to date by equipment vendors and local authorities.
Lawson said one step to take would be adding strong encryption to the electronic-toll system.