[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On 09/08/13 00:33, Tom Brough wrote: > I may be missing the point here but if the snapshot has a security > defect embedded in it (known or more likely unknown at present) then > surely you are loading the same defect every time you boot the VM > snapshot. So eventually someone will discover said defect and exploit > it and your snapshot. IMO the older the snapshot the more vulnerable > it becomes. > > True the trojan dies when the machine is switched off, but it can be > re-installed the second the machine is turned on again using the exact > same security hole, given that the snapshot faithfully reproduces good > and bad code alike every time its started. > > If I understand these bots correctly once they infect a machine they > call home to momma, failure to report in regularly would get an > instant re-infection attempt from the "controller" using the same > technique. DHCP might help here if your ip changes between reboots, > but even this isn't that helpful as ISP's use ranges of IP's that are > well known to crackers and users alike (whois). My DHCP IP address > hasn't changed since the ISP's last crash although my firewall/gateway > has been rebooted numerous times since then. > > Surely it would be better to keep your security fixes up to date even > if you run the risk of introducing new issues in the process? At least > that way you are keeping the crackers target moving. > > Or perhaps you are suggesting keeping the snapshot updated with latest > security patches? Now that might make more sense (to me), but then > keeping control of that process introduces admin headaches. > > All I know is nothings safe in the world of IT. Safety is an illusion. > You develop an unhealthy? paranoia if you spend too much of your life > working with computers. > > I guess what I am really saying is don't get comfortable with the idea > that a snapshot running on a VM makes you cracker proof. You're thinking all the right thoughts, but are failing to take several things into account here. Let me explain. Whilst you are right that *almost* nothing is safe in the world of IT (Bruce Schnier: security is a process, not a state), us sysadmins and security specialists have put in truly biblical amounts of effort into making sure we can push our systems into the very top 1% or so of hard targets out there - in fact, I would be effectively fired if I wasn't doing that. As such, it probably won't surprise anyone to realise that we've long since already dealt with all of your well-thought out but incredibly basic objections. Firstly, DHCP has got literally nothing to do with security in any sense whatsoever, even in the most liberal of "security-by-obscurity" interpretations, all of which are valueless anyway. DHCP is merely a tool for network addressing, nothing more. For some reason, you initially suggest it would be better to keep up to date with fixes: well, that's obvious isn't it? What sort of person worries about running VMs over Tor and then doesn't keep their OS up to date? The answer is obviously nobody. Both the host system and the VM(s) in this type of configuration will be religiously updated, and although not in Daniel's particular home-use case, in my environments, all vendor/internal updates aren't applied ad-hoc, they are cached locally to internal install servers, validated, checked on base dev images for compatibility and other issues and then signed off and pushed to clients via admin mechanisms such as GPO, etc. I'll grant you that this procedure does most certainly "introduce admin headaches"! That is however, my exact job - admining things. My situation is no different to the thousands? millions? of other admins out there, who have to work constantly with keeping our standard images, customised OS builds, VM templates and live machines all routinely updated and solid. Usually we will tend to version as we go, so even if we do accidentally include a bug or a patchfix that is later withdrawn by the vendor (Oracle love doing this, they never test anything before pushing it out live) we can always undo the issues or simply roll back to last months image and manually patch it. There are whole libraries full of documentation on how to properly manage this kind of standard admin work, and trust me, we've read them all. In contrast, a single home user running a single dedicated VM has very little work to do to keep it secure: install securely from a known good source (in this case, Debian's secure apt is completely trustworthy to get your initial system built) and snapshot. Update, customise and ready for action: snapshot. From there on, update regularly (us admins will go further than that - we have RSS feeds spitting constant feeds of package updates for multiple OS variants, full disclosure, Technet, etc at us so we know exactly what's going in the security world) snapshotting as you go, so you can always roll back if required. Viola: you are now maintaining a locked-down, updated, secured OS in a VM instance. Honestly, at this scale it's barely an issue at all, let alone difficult or expensive to maintain. To address other issues you raise, any sane admin is also going to do things like periodically mounting their VM's disk image manually to the host system and sweeping it with AV/rootkit hunters, etc, just to account for the almost infinitesimal chance it has been infected at some point. But using this system, trojans or other bad code have no chance of persisting on the VM - like I said, build a known good image, snapshot and discard all changes on closing: by definition, you're back to the known good state. Your general observations are all totally solid, but I guess I'm trying to say, we've got all of that covered already, fear not. We're barely even scratching the surface of a well admined setup either, we've got millions more tricks and techniques to much further lock things down remote syslog hosts, SELinux/AppArmour, tripwire, transparent in-line firewalls, IDS, monitoring and alert frameworks... In short, if you're half-smart, follow the basic best practices and keep your head together, yes, basically you CAN get completely comfortable with the idea that your VM snapshot is secure against all but the very, very worst of attackers. At this point, you're such a hard target that you're firmly in state-sponsored agency or legendary hacker territory to compromise. Regards PS> for what it's worth, I personally *don't* use a VM for browsing stuff, although I do use a lot of VMs for other purposes. I *do* use Tor. I do *not* use Internet Banking, and never will. -- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq