Clarification from Catbird’s CTO on HypervisorShield…
I was having difficulty understanding some of the points raised in the press release/product brief, so I reached out to Michael Berman, Catbird’s CTO (also a blogger,) for a little clarification.
Michael was kind enough to respond to the points in my blog posting.
Rather than repost the entire blog entry, I have paraphrased the points Michael responded to and left his comments intact. I think some of them invite further clarification and I’ll be following up with a Take5 interview shortly. Some of the answers just beg for a little more digging…
Just to ground us all, here’s the skinny on HypervisorShield:
Catbird, provider of the only comprehensive security solution for virtual and physical networks, and developer of the V-Agent™ virtual appliance, today announced the launch of HypervisorShield™, the industry’s first dedicated comprehensive security solution specifically designed to guard against unauthorized hypervisor network access and attack.
Here are my points and Michael’s responses:
- Hoff: The press release speaks to HypervisorShield’s ability to protect both the hypervisor and the "hypervisor management network" which I assume is actually referring to the the virtual interface of the management functions like VMware’s service console? Are we talking about protecting the service console or the network functions provided by the vKernel?
Berman: We’ve built a monitor function that uses VMware APIs to watch for changes to/management of the virtual machines. We also have signature templates and customizable policies for network connections to the service console and the host.
- Hoff: The press release makes it sound like protecting the hypervisor is accomplished via an IPS function that isolates VM’s from one another like Reflex and Blue Lane?
Berman: With all due respect to our colleagues in this space, intrusion detection and protection is one element. Catbird combines several technologies to extend separation of duties, dual control and strict change control to the virtual infrastructure. Deploying a signature for VMSA-2008-0001 is nice, but detection or prevention of a rogue virtual center administrator from pulling off a Societe Generale hack is priceless.
- Hoff: What exactly does Catbird do (in partnering with IPS companies like SourceFire) that folks like Reflex and BlueLane? don’t already do.
Berman: Rather than talk about the differences, let’s talk about the most important similarity. I think I speak for all of us when I say that it’s like we are in a time warp to 1996 and I am explaining why you need a firewall for your DMZ. Customers have little appreciation for the magnitude of the threats facing their virtual infrastructure. Once we get past that, then we can talk about why Catbird is the best. (hint: we’re smarter, faster and stronger)
- Hoff: How do you monitor the Hypervisor?
Berman: We deploy a virtual machine that hooks into the vSwitch environment and that also monitors the ESX hypervisor via the VI API.
- Hoff: You say in the press release that "hypervisor exploits have grown 35% in the last several years." Which hypervisor exploits, exactly? You mean exploits against the big, fat, Linux-based service console from VMware? That’s not the hypervisor!
Berman: I believe that the real threat to the virtual infrastructure comes from the collapse of separation of duties and the breakdown in implicit and explicit security controls within the virtual data center. That being said, the hypervisor management application is probably the most significant area of the attack surface. If I can own the management GUI I own the hypervisor. If I can pull a stack smash against the ESX web server I own the hypervisor. If some poor shlemozzle configures Samba and NFS for the storage network then they become part of the attack surface too. You can blame us for some hyperbole, but the stat came from the CVE database. Gartner/451/Edison report that virtual infrastructure (VI) is less secure than physical and we have private data that shows people are deploying VI with no network security at all – this is just wrong. I also think that writing about, or writing off the only risk as being some sort of red pill/blue pill hack is also wrong.
Thanks again to Michael for responding. Look for a follow-on Take5 shortly to dig a little deeper.