Episode 5
From AstroArch
Virtualization Security Round Table Podcast Episode 5 show notes
- VDI
Go to Talkshoe to download or listen to the podcast. Soon to be available also on iTunes.
Our guest panelist was Hezi Moore. Thank you for joining us, Hezi.
We tackled the following questions from various sources, most notably Tom Howarth.
- So, panelists, are virtual desktops a threat to the virtual environment?
VMs as a rule are not necessarily a threat to the environment, but once users are involved the threat does rise. There are also tools to mitigate these threats. Although they were hinted at rather than named on the podcast, the most notable are Catbird V-Security and Reflex VMC.
- Matthew Johnson wanted to know how to implement two-factor authentication. Since there are several places this should exist, should it exist at all levels, just the client machine, or at the virtual desktop?
We concluded, after much discussion, that if you can implement it at all levels, things are better. A prime example was the US Government CAC card, which implements multi-factor authentication at the desktop but can also be passed through RDP to the virtual desktop. The concern is that if you do not have multi-factor authentication within the desktop, then anyone can plug in a laptop and access the virtual desktops. It was also brought up that multi-factor authentication is required within the connection broker as well.
- Also brought up from the chat was the fact that protocols after the Connection broker or security server are unencrypted, is that a huge issue?
The panelists brought up that most companies do not want encrypted protocols within their firewalls, as encryption impacts the ability to perform IDS, IPS and deep packet inspection. So no, it hinders more than it would help. However, your virtual network design needs to account for this.
- Should they be considered as hostile as physical desktops?
We concluded that they are no more hostile than physical desktops.
- Is VMware View Linked Clones a threat source? Is it not easier to propagate a virus through the parent?
Yes, it is a much juicier target, but the parent is not often running, so the user would need access to the parent to propagate a virus. We decided, however, that configuration issues that allow zero-day attacks are a concern, and managing them takes good change control.
- What about DoS due to performance increases within the desktop? Specifically due to disk defragmentation within a Vista virtual desktop, if it was enabled?
We concluded that while this is possible, we are not storage experts. After the podcast I posed the same question to a previous guest, Christopher Kusek, and received an answer that it is something to test.
There are quite a few other things we could have discussed but we ran out of time!
Panelist BIOs
- Hezi Moore, the founder and Chief Technology Officer of Reflex Systems, brings more than 15 years experience in security, networking and entrepreneurial expertise to Reflex Systems. In his role of CTO, he is responsible for shaping the company's technology strategy and defining the roadmap for future design and development of innovative, integrated network security solutions and delivering them to market. Moore led the effort to develop the industry's first Virtual Security Appliance (VSA) that provides visibility and security for virtual network infrastructure. Prior to founding Reflex Systems, Moore was president and co-founder of MicroTech Systems - a firm specializing in network design and configuration of point-of-sale systems - which was subsequently acquired by Retail Technologies International of Sacramento, California. He has also held such diverse occupations as a technical support and research analyst for GE Technology. Moore was a pioneer of the automated network intrusion response system, the concept out of which Reflex Systems grew. Hezi graduated with Honors from the Georgia Institute of Technology, in Atlanta, Georgia with a Bachelor of Science degree in Computer Engineering.
- Michael Berman is the CTO of Catbird, with over 20 years experience in system engineering, architecture, design and implementation of secure computing. Michael's experience includes implementation of C2 UNIX; Fortune 100 enterprise security; and expert support in the prosecution of computer crimes. He is a member of the Electronic Crimes Task Force and High-Tech Crime Investigation Association and a Certified Information Security Systems Professional (CISSP). Michael is a frequent speaker on the topic of virtualization and security.
- Chris Hoff is Unisys Corporation’s Systems & Technology division chief security architect. Hoff has over 15 years of experience in high-profile global roles in network and information security architecture, engineering, operations and management. Prior to Unisys, he served as Crossbeam Systems' chief security strategist, was the CISO for a $25 billion financial services company and was founder/CTO of a national security consultancy and led the security engineering team of one of the first global managed network security service providers. Hoff is a prolific blogger and sought after speaker at leading security conferences.
- Iben Rodriguez is an Infrastructure Consulting Professional with over 20 years experience working in complex IT environments. Iben has an extensive knowledge of VMware-specific environments having spent 2 years working for VMware in various roles. Iben has led and delivered very complex projects for Fortune 500 companies, including Switzerland based pharmaceutical companies, one of the world's largest online auction companies and a large city government in southern California. Iben is considered one of the foremost industry experts in VMware-based security and infrastructure design.
- Edward L. Haletky is the author of VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers. Haletky owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development. Haletky is also a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions, is a prolific blogger, and is working on new books on virtualization.
Comments
Sean Clark said ...
Podcast audio improvements by Tim Pierson of DataSentry, Inc.

"Also brought up from the chat was the fact that protocols after the Connection broker or security server are unencrypted, is that a huge issue?"
Isn't RDP encrypted? If it's tunneled through an SSL VPN in the wild Internet, and only "exposed" in the controlled environment of the datacenter is it really a problem?
Sidenote: At first I thought "Mediawiki?!? For comments??" but now that I comment I see the feature exists and makes some sense. :)
Sean Clark - Outspoken virtualization pot stirrer and vExpert
--Sean Clark 10:49, 20 March 2009 (EDT)