VMware’s (New) vShield: The (Almost) Bottom Line
Sep 1st
After my initial post yesterday (How To Wield the New vShield (Edge, App & Endpoint)) remarking on the general sessions I sat through on vShield, I thought I’d add some additional color given my hands-on experience in the labs today.
I will reserve more extensive technical analysis of vShield Edge and App (I didn’t get to play with endpoint as there is not a lab for that) once I spend some additional quality-time with the products as they emerge.
Because people always desire for me to pop out of the cake quickly, here you go:
You should walk away from this post understanding that I think the approach holds promise within the scope of what VMware is trying to deliver. I think it can and will offer customers choice and flexibility in their security architecture and I think it addresses some serious segmentation, security and compliance gaps. It is a dramatically impactful set of solutions that is disruptive to the security and networking ecosystem. It should drive some interesting change. The proof, as they say, will be in the vPudding.
Let me first say that from VMware’s perspective I think vShield “2.0” (which logically represents many technologies and adjusted roadmaps both old and new) is clearly an important and integral part of both vSphere and vCloud Director’s future implementation strategies. It’s clear that VMware took a good, hard look at their security solution strategy and made some important and strategically-differentiated investments in this regard.
All things told, I think it’s a very good strategy for them and ultimately their customers. However, there will be some very interesting side-effects from these new features.
vShield Edge is as disruptive to the networking space (it provides L3+ networking, VPN, DHCP and NAT capabilities at the vDC edge) as it is to the security arena. When coupled with vShield App (and ultimately endpoint) you can expect VMware’s aggressive activity in retooling their offers here to cause further hastened organic development, investment, and consolidation via M&A in the security space as other vendors seek to play and complement the reabsorption of critical security capabilities back into the platform itself.
Now all of the goodness that this renewed security strategy brings also has some warts. I’ll get into some of them as I gain more hands-on experience and get some questions answered, but here’s the Cliff Note version with THREE really important points:
- The vShield suite is the more refined/retooled/repaired approach toward what VMware promised to deliver three years ago when I wrote about it in 2007 (Opening VMM/HyperVisors to Third Parties via API’s – Goodness or the Apocalypse?) and later in 2008 (VMware’s VMsafe: The Good, the Bad, and the Bubbly…) and from 2009, lest we forget, The Cart Before the Virtual Horse: VMware’s vShield/Zones vs. VMsafe API’s…

  Specifically, as the virtualization platform has matured, so has the Company’s realization that security is something they are going to have to take seriously and productize themselves, as depending upon an ecosystem wasn’t working — mostly because doing so meant that the ecosystem had to uproot entire product roadmaps to deliver solutions and it was a game of “supply vs. demand chicken.”

  However, much of this new capability isn’t fully baked yet, especially from the perspective of integration and usability and even feature set capabilities such as IPv6 support. Endpoint is basically the more streamlined application of APIs and libraries for anti-malware offloading so as to relieve a third party ISV from having to write fastpath drivers that sit in the kernel/VMM and disrupt their roadmaps. vShield App is the Zones solution polished to provide inter-VM firewalling capabilities.

  Edge is really the new piece here and represents a new function: vDC perimeterized security capabilities. Many of these features are billed — quite openly — as relieving a customer from needing to use/deploy physical networking or security products. In fact, in some cases even virtual networking products such as the Cisco Nexus 1000v are not usable/supportable. This is an example of a reasonably closed, software-driven world of Cloud where the underlying infrastructure below the hypervisor doesn’t matter…until it does.

- vShield Edge and App are, in the way they are currently configured and managed, very complex and unwieldy, and the performance, resiliency and scale described in some of the sessions is as yet unproven and in some cases represents serious architectural deficiencies at first blush. There are some nasty single points of failure in the engineering (as described) and it’s unclear how many reference architectures for large enterprise and service provider scale Cloud use have really been thought through given some of these issues.

  As an example, only being able to instantiate a single (but required) vShield App virtual appliance per ESX host brings into focus serious scale, security architecture and resilience issues. Being able to deploy numerous Edge appliances brings into focus manageability and policy sprawl concerns. There are so many knobs and levers leveraged across the stack that it’s going to be very difficult in large environments to reconcile policy spread over the three (I only interacted with two) components, and that says nothing about then integrating/interoperating with third party vSwitches, physical switches, virtual and physical security appliances. If you think it was challenging before, you ain’t seen nothin’ yet.

- The current deployment methodology reignites the battle that started to rage when security teams lost visibility into the security and networking layers and the virtual administrators controlled the infrastructure from the pNIC up. This takes the gap-filler virtual security solutions from small third parties such as Altor, which played nicely with vCenter but allowed the security teams to manage policy, and blows that model up. Now, security enforcement is a commodity feature delivered via the virtualization platform but requires too complex a set of knowledge and expertise of the underlying virtualization platform to be rendered effective by role-driven security teams.
While I’ll cover items #1 and #2 in a follow-on post, here’s what VMware can do in the short term to remedy what I think is a huge issue going forward with item #3, usability and management.
Specifically, in the same way vCloud Director sits above vCenter and abstracts away much of the “unnecessary internals” to present a simplified service catalog of resources/services to a consumer, VMware needs to provide a dedicated security administrator’s “portal” or management plane which unites the creation, management and deployment of policy from a SECURITY perspective of the various disparate functions offered by vShield App, Edge and Endpoint. [ED: This looks as though this might be what vShield Manager will address. There were no labs covering this and no session I saw gave any details on this offering (UI or API)]
If you expect a security administrator to have the in-depth knowledge of how to administer the entire (complex) virtualization platform in order to manage security, this model will break and cause tremendous friction. A security administrator shouldn’t have access to vCenter directly or even the vCloud Director interfaces.
Since much of the capability for automation and configuration is made available via API, the notion of building a purposed security interface to do so shouldn’t be that big of a deal. Some people might say that VMware should focus on building API capabilities and allow the ecosystem to fill the void with solutions that take advantage of the interfaces. The problem is that this strategy has not produced solutions that have enjoyed traction today and it’s quite clear that VMware is interested in controlling their own destiny in terms of Edge and App while allowing the rest of the world to play with Endpoint.
I’m sure I’m missing things and that given the exposure I’ve had (without any in-depth briefings) there may be material issues associated with where the products are given their early status, but I think it important to get these thoughts out of my head so I can chart their accuracy and it gives me a good reference point to direct the product managers to when they want to scalp me for heresy.
There’s an enormous amount of detail that I want to/can get into. The last time I did that it ended up in a 150 slide presentation I delivered at Black Hat…
Allow me to reiterate what I said in the beginning:
You should walk away from this post understanding that I think the approach holds promise within the scope of what VMware is trying to deliver. I think it can and will offer customers choice and flexibility in their security architecture and I think it addresses some serious segmentation, security and compliance gaps. It is a dramatically impactful set of solutions that is disruptive to the security and networking ecosystem. It should drive some interesting change. The proof, as they say, will be in the vPudding.
…and we all love vPudding.
/Hoff
Related articles by Zemanta
- How To Wield the New vShield (Edge, App & Endpoint) (rationalsurvivability.com)
- VMWare launches six new vCloud products (zdnet.com)
- VMworld: New cloud security emphasis from VMware (v3.co.uk)
- VMware acquires Integrien, TriCipher for IT-as-a-Service Era (zdnet.com)
- Trend Micro Announces Trend Micro(TM) Deep Security 7.5: New Agentless Anti-Malware Module for VMware Environments Provides Unprecedented Security, Manageability and Performance for Dynamic Datacenters (newswire.ca)
This post is a reprint of a post by beaker that originally appeared at Rational Survivability.
How To Wield the New vShield (Edge, App & Endpoint)
Aug 30th
Today at VMworld I spent my day in and out of sessions focused on the security of virtualized and cloud environments.
Many of these security sessions hinged on the release of VMware‘s new and improved suite of vShield product offerings which can be simply summarized by a deceptively simple set of descriptions:
- vShield Edge – Think perimeter firewalling for the virtual datacenter (L3 and above)
- vShield App – Think internal segmentation and zoning (L2)
- vShield Endpoint – Anti-malware service offload
The promised capabilities of these solutions offer quite a well-rounded set of capabilities from a network and security perspective, but there are many interesting things to consider as one looks at the melding of the VMsafe API, vShield Zones and the nepotistic relationship enjoyed between the vCloud (née VMware vCloud Director) and vSphere platforms.
There are a series of capabilities emerging which seek to solve many of the constraints associated with multi-tenancy and scale challenges of heavily virtualized enterprise and service provider virtual data center environments.
I’ll be diving deeper into each of the components as the week proceeds (and more details around vCloud Director are made available), but one thing is certain — there’s a very interesting amplification of the existing tug-of-war between the security capabilities/functionality provided by the virtualization/cloud platform providers and the network/security ecosystem trying to find relevance and alignment with them.
There is going to be a wringing out of the last few smaller virtualization/Cloud security players who have not yet been consolidated via M&A or attrition (Altor Networks, Catbird, HyTrust, Reflex, etc) as the three technologies above either further highlight an identified gap or demonstrate irrelevance in the face of capabilities “built-in” (even if you have to pay for them) by VMware themselves.
Further, the uneasy tension between the classical physical networking vendors and the virtualization/cloud platform providers is going to come to a boil, especially as it comes to configuration management, compliance, and reporting as the differentiators between simple integration at the API level of control and data plane capabilities and things like virtual firewalling (and AV, and overlay VPNs and policy zoning) begins to commoditize.
As I’ve mentioned before, it’s not where the network *is* in a virtualized environment, it’s where it *isn’t* — the definition of where the network starts and stops is getting more and more abstracted. This in turn drives the same conversation as it relates to security. How we’re going to define, provision, orchestrate, and govern these virtual data centers concerns me greatly as there are so many touchpoints.
Hopefully this starts to get a little more clear as more and more of the infrastructure (virtual and physical) become manageable via API such that ultimately you won’t care WHAT tool is used to manage networking/security or even HOW other than the fact that policy can be defined consistently and implemented/instantiated via API across all levels transparently, regardless of what’s powering the moving parts.
This goes back to the discussions (video) I had with Simon Crosby on who should own security in virtualized environments and why (blog).
Now all this near term confusion and mess isn’t necessarily a bad thing because it’s going to force further investment, innovation and focus on problem solving that’s simply been stalled in the absence of technology readiness, customer appetite and compliance alignment.
More later this week.
/Hoff
Related articles by Zemanta
- HyTrust Cloud Control Unveiled to Enable Accelerated Cloud Adoption (eon.businesswire.com)
- Catbird and HyTrust Team to Provide End-to-End Protection and Compliance for Virtual Infrastructure (eon.businesswire.com)
- The Classical DMZ Design Pattern: How To Kill Security In the Cloud (rationalsurvivability.com)
- The Security Hamster Sine Wave Of Pain: Public Cloud & The Return To Host-Based Protection… (rationalsurvivability.com)
- CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity (rationalsurvivability.com)
- The Hypervisor Platform Shuffle: Pushing The Networking & Security Envelope (rationalsurvivability.com)
This post is a reprint of a post by beaker that originally appeared at
Why Is NASA Re-Inventing IT vs. Putting Men On the Moon? Simple.
Aug 26th
I was struck with a sense of disappointment as I read Bob Wardspan’s (Smoothspan) blog today “NASA Fiddles While Rome Is Burning.” So as Bob was rubbed the wrong way by Alex Howard’s post (below), so too was I by Bob’s perspective. All’s fair in love and space, I suppose.
In what amounts to a scathing indictment of new areas of innovation and research, he laments the passing of the glory days of NASA’s race to space, bemoans the lack of focus on planet-hopping, and chastises the organization for what he suggests is their dabbling in spaces they don’t belong:
Now along comes today’s NASA, trying to get a little PR glory from IT technology others are working on. Yeah, we get to hear Vinton Cerf talk about the prospects for building an Internet in space. Nobody will be there to try to connect their iGadget to it, because NASA can barely get there anymore, but we’re going to talk it up. We get Lewis Shepherd telling us, “Government has the ability to recognize long time lines, and then make long term investment decisions on funding of basic science.” Yeah, we can see that based on NASA’s bright future, Lewis.
Bob’s upset about NASA (and our Nation’s) lost focus on space exploration. So am I. However, he’s barking up the wrong constellation. Sure, the diversity of different technologies mentioned in Alex Howard’s blog on the NASA IT Summit is wide and far, but NASA has always been about innovating in areas well beyond the engineering of solid rocket boosters…
Let’s look at Cloud Computing — one of those things that you wouldn’t necessarily equate with NASA’s focus. Now you may disagree with their choices, but the fact that they’re making them is what is important to me. They are, in many cases, driving discussion, innovation and development. It’s not everyone’s cup of tea, but then again, neither is a Saturn V.
NASA didn’t choose to cut space exploration and instead divert all available resources and monies toward improving the efficiency and access to computing resources and reducing their cost to researchers. This was set in motion years ago and was compounded by the global economic meltdown.
The very reason the CIOs (Chief Information Officers) — the people responsible for IT-related mission support — are working diligently on new computing platforms like Nebula is in many ways a direct response to the very cause of this space travel deficit — budget cuts. They, like everyone else, are trying to do more with less, quicker, better and cheaper.
The timing is right, the technology is here and it’s an appropriate response. What would you have NASA IT do, Bob? Go on strike until a Saturn V blasts off? The privatization of space exploration will breed all new sets of public-private partnership integration and information collaboration challenges. These new platforms will enable that new step forward when it comes.
The fact that the IT divisions of NASA (whose job it is to deliver services just like this) are innovating simply shines a light on the fact that for their needs, the IT industry is simply too slow. NASA must deal with enormous amounts of data, transitive use, hugely collaborative environments across multiple organizations, agencies, research organizations and countries.
Regardless of how you express your disappointment with NASA’s charter and budget, it’s unfortunate that Bob chose to suggest that this is about “…trying to get a little PR glory from IT technology others are working on” since in many cases NASA has led the charge and made advancements and innovated where others are just starting. Have you met Linda Cureton or Chris Kemp from NASA? They’re not exactly glory hunters. They are conscientious, smart, dedicated and driven public servants, far from the picture you paint.
In my view, NASA IT (which is conflated as simply “NASA”) is doing what they should — making excellent use of taxpayer dollars and their budget to deliver services which ultimately support new efforts as well as the very classically-themed remaining missions they are chartered to deliver:
- To improve life here,
- To extend life to there,
- To find life beyond.
I think if you look at the efforts NASA IT is working on, they certainly map to those objectives.
To Bob’s last point:
What’s with these guys? Where’s my flying car, dammit!
I find it odd (and insulting) that some seek to blame those whose job is mission support — and doing a great job of it — as if they’re the cause of the downfall of space exploration. Like the rest of us, they’re doing the best they can…fly a mile in their shoes.
Better yet, take a deeper look at to what they’re doing and how it maps to supporting the very things you wish were NASA’s longer term focus — because at the end of the day when the global economy recovers, we’ll certainly be looking to go where no man and his computing platform has gone before.
/Hoff
Related articles by Zemanta
- Tracking the signal of emerging technologies (radar.oreilly.com)
- NASA to announce discovery of ‘intriguing planetary system’ (cnn.com)
- NASA Images Show Moon May Be Shrinking (informationweek.com)
- NASA’s SOFIA will likely help solve mysteries about our galaxy (physorg.com)
- Got a plan to get us back to the Moon? NASA’s got $30 million worth of motivation! [Commercial Spaceflight] (io9.com)
- Space IT, the final frontier (radar.oreilly.com)
- NASA Tests First Cylon [PHOTOS] (businessinsider.com)
This post is a reprint of a post by beaker that originally appeared at Rational Survivability.
Dear Verizon Business: I Have Some Questions About Your PCI-Compliant Cloud…
Aug 24th

You’ll forgive my impertinence, but the last time I saw a similar claim of a PCI compliant Cloud offering, it turned out rather anticlimactically for RackSpace/Mosso, so I just want to make sure I understand what is really being said. I may be mixing things up in asking my questions, so hopefully someone can shed some light.
This press release announces that:
“…Verizon’s On-Demand Cloud Computing Solution First to Achieve PCI Compliance” and the company’s cloud computing solution called Computing as a Service (CaaS) which is “…delivered from Verizon cloud centers in the U.S. and Europe, is the first cloud-based solution to successfully complete the Payment Card Industry Data Security Standard (PCI DSS) audit for storing, processing and transmitting credit card information.”
It’s unclear to me (at least) what’s considered in scope and what level/type of PCI certification we’re talking about here since it doesn’t appear that the underlying offering itself is merchant or transactional in nature, but rather Verizon is operating as a service provider that stores, processes, and transmits cardholder data on behalf of another entity.
Here’s what the article says about what Verizon undertook for DSS validation:
To become PCI DSS-validated, Verizon CaaS underwent a comprehensive third-party examination of its policies, procedures and technical systems, as well as an on-site assessment and systemwide vulnerability scan.
I’m interested in the underlying mechanicals of the CaaS offering. Specifically, it would appear that the platform — compute, network, and storage — is virtualized. What is unclear is whether the [physical] resources allocated to a customer are dedicated or shared (multi-tenant), regardless of virtualization.
According to this article in The Register (dated 2009), the infrastructure is composed like this:
The CaaS offering from Verizon takes x64 server from Hewlett-Packard and slaps VMware’s ESX Server hypervisor and Red Hat Enterprise Linux instances atop it, allowing customers to set up and manage virtualized RHEL partitions and their applications. Based on the customer portal screen shots, the CaaS service also supports Microsoft’s Windows Server 2003 operating system.
Some details emerge from the Verizon website that describes the environment more:
Every virtual farm comes securely bundled with a virtual load balancer, a virtual firewall, and defined network space. Once the farm is designed, built, and named – all in a matter of minutes through the CaaS Customer Management Portal – you can then choose whether you want to manage the servers in-house or have us manage them for you.
If the customer chooses to manage the “servers…in-house (sic)” is the customer’s network, staff and practices now in-scope as part of Verizon’s CaaS validation? Where does the line start/stop?
I’m very interested in the virtual load balancer (Zeus ZXTM perhaps?) and the virtual firewall (vShield? Altor? Reflex? VMsafe-API enabled Virtual Appliance?). What about other controls (preventive or detective such as IDS, IPS, AV, etc.)?
The reason for my interest is how, if these resources are indeed shared, they are partitioned/configured and kept isolated especially in light of the fact that:
Customers have the flexibility to connect to their CaaS environment through our global IP backbone or by leveraging the Verizon Private IP network (our Layer 3 MPLS VPN) for secure communication with mission critical and back office systems.
It’s clear that Verizon has no dominion over what’s contained in the VM’s atop the hypervisor, but what about the network to which these virtualized compute resources are connected?
So for me, all this comes down to scope. I’m trying to figure out what is actually included in this certification, what components in the stack were audited and how. It’s not clear I’m going to get answers, but I thought I’d ask anyway.
Oh, by the way, transparency and auditability would be swell for an environment such as this. How about CloudAudit? We even have a PCI DSS CompliancePack.
Question for my QSA peeps: Are service providers required to also adhere to sections like 6.6 (WAF/Binary analysis) of their offerings even if they are not acting as a merchant?
/Hoff
Related articles by Zemanta
- PCI DSS Compliance and IT Security: Harmony or Discord? (prweb.com)
- Brief PCI Council Interview in Regards to PCI DSS 2.0 (chuvakin.blogspot.com)
- Revisions to Credit Card Security Standard on the Way (pcworld.com)
- Data Encryption for PCI 101: Introduction (securosis.com)
- Why your QSA should not be your Security Partner (brandenwilliams.com)
- Ask HN: Are you PCI DSS compliant? (pcisecuritystandards.org)
- Can You Have a PCI Compliant Virtualized Web Site? (securecloudreview.com)
This post is a reprint of a post by beaker that originally appeared at Rational Survivability.
Hoff’s 5 Rules Of Cloud Security…
Aug 21st
Mike Dahn pinged me via Twitter with an interesting and challenging question:

I took this as a challenge in 5 minutes or less to articulate this in succinct, bulleted form. I timed it. 4 minutes & 48 seconds. Loaded with snark and Hoffacino-fueled dogma.
Here goes:
- Get an Amazon Web Services [or Rackspace or Terremark vCloud Express, etc.] account, instantiate a couple of instances as though you were deploying a web-based application with sensitive information that requires resilience, security, survivability and monitoring. If you have never done this and you’re in security spouting off about the insecurities of Cloud, STFU and don’t proceed to step 2 until you do. These offerings put much of the burden on you to understand what needs to be done to secure Cloud-based services (OS, Apps, Data), which is why I focus on it. It’s also accessible and available to everyone.
- Take some time to be able to intelligently understand that, as abstracted as much of Cloud is in terms of the lack of exposed operational moving parts, you still need to grok architecture holistically in order to be able to secure it — and the things that matter most within it. Building survivable systems, deploying securable (and as secure as you can make it) code, focusing on protecting information and ensuring you understand system design and The Three R’s (Resistance, Recognition, Recovery) is pretty darned important. That means you have to understand how the Cloud provider actually works so when they don’t you’ll already have planned around that…
- Employ a well-developed risk assessment/management framework and perform threat modeling. See OCTAVE, STRIDE/DREAD, FAIR. Understanding whether an application or datum is OK to move to “the Cloud” isn’t nuanced. It’s a simple application of basic, straightforward and prudent risk management. If you’re not doing that now, Cloud is the least of your problems. As I’ve said in the past, “if your security sucks now, you’ll be pleasantly surprised by the lack of change when you move to Cloud.”
- Proceed to the Cloud Security Alliance website and download the guidance. Read it. Join one or more of the working groups and participate to make Cloud Security better in any way you believe you have the capacity to do so. If you just crow about how “more secure” the Cloud is or how “horribly insecure by definition” it is, it’s clear you’ve not done steps 1-3. Skip 1-3, go to #5 and then return to #1.
- Use common sense. There ain’t no patch for stupid. Most of us inherently understand that this is a marathon and not a sprint. If you take steps 1-4 seriously you’re going to be able to logically have discussions and make decisions about what deployment models and providers suit your needs. Not everything will move to the Cloud (public, private or otherwise) but a lot of it can and should. Being able to lay out a reasonable timeline is what moves the needle. Being an ideologue on either side of the tarpit does nobody any good. Arguing is for Twitter, doing is for people who matter.
Cloud is only rocket science if you’re NASA and using the Cloud for rocket science. Else, for the rest of us, it’s an awesome platform upon which we leverage various opportunities to improve the way in which we think about and implement the practices and technology needed to secure the things that matter most to us.
/Hoff
(Yeah, I know. Not particularly novel or complex, right? Nope. That’s the point. Just like “How to Kick Ass in Information Security — Hoff’s Spiritually-Enlightened Top Ten Guide to Health, Wealth and Happiness”)
Related articles by Zemanta
- Talking with George Reese about Cloud Security, CloudAudit, and enStratus (cloudofdata.com)
- The Security Hamster Sine Wave Of Pain: Public Cloud & The Return To Host-Based Protection… (rationalsurvivability.com)
- If You Could Have One Resource For Cloud Security… (rationalsurvivability.com)
- What You Can Do About Cloud Computing Security (deurainfosec.com)
- Hoff says SaaS Vendors Should Eat Their Own Dog Food. Is Security SaaS an Exception? (securecloudreview.com)
- The Classical DMZ Design Pattern: How To Kill Security In the Cloud (rationalsurvivability.com)
- Risk is not a Synonym for “Lack of Security” (devcentral.f5.com)
- CloudAudit Effort Gaining Momentum (securecloudreview.com)
- CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity (rationalsurvivability.com)
- Incomplete Thought: The DevOps Disconnect (rationalsurvivability.com)
- Friday Cloud Poetry: “On the Bullshit That is False Cloud” (rationalsurvivability.com)
This post is a reprint of a post by beaker that originally appeared at Rational Survivability.
VMworld – v0dgeball Deathmatch Details: vSquirrels vs. Sakacc’s Army…
Aug 19th

So – a little more detail?
- The game = dodgeball, 10-person teams, following official NADA dodgeball rules here.
- The location = VMware vGym has been graciously offered (here)
- The date/time = Thursday, Sept 2nd, 8pm PT
Here’s all the FAQ you could possibly need:
Q: Will it be broadcast?
A: DAMN STRAIGHT – I want to televise destroying Chad
Q: What do I need to bring refreshment wise?
A: Nada, I’m bringing the beer kegs (still working out details on this one)
Q: What do I need to know about dodgeball to follow the exciting matches?
A1: That people wearing gold shorts and knee high socks are acutely aware of just how cool that makes them.
A2: In the immortal words of Patches O’Houlihan: “If you’re going to become true dodgeballers, then you’ve got to learn the five d’s of dodgeball: dodge, duck, dip, dive and dodge!”
…Oh and Chad – BRING IT.
NOTE: If you want to sign up for the vSquirrels team, add your name in the comments below. The team size is 10, but if more people sign up, we’ll feign injury and do substitutions.
Remember, you get to bounce balls off Sakacc and his army of EMC Cloud’sperts. For free. With beer. [some of that sounds appealing, other bits quite wrong.]
This post is a reprint of a post by beaker that originally appeared at Rational Survivability.
Video Of My Cloudifornication Presentation [Microsoft BlueHat v9]
Aug 16th
In advance of publishing a more consolidated compilation of various recordings of my presentations, I thought I’d post this one.
This is from Microsoft’s BlueHat v9 and is from my “Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure” presentation.
The direct link is here in case you have scripting disabled.
The follow-on to this is my latest presentation – “Cloudinomicon: Idempotent Infrastructure, Building Survivable Systems, and Bringing Sexy Back To Information Centricity.”
Airing Private Cloud’s Dirty Laundry…
Aug 7th
It’s 10:13pm on a Friday night and as the highlight of my day begrudgingly reveals itself, I discover in preparation for the inevitable appearance of tomorrow, that I am once again out of clean underwear.
There are many potential remedies for this situation.
Option number one suggests I could borrow a pair of my wife’s low-cuts. She’s out of town and would never know, except perhaps discovering upon her return the horribly awkward and uncomfortable remnants of chafing in places we simply and politely just don’t talk about at parties.
Option number two involves what I call “The Braveheart.” Commando fashionista. Rivets on Levis put a quick end to that potential.
Option number three. CVS. It’s open 24 hours. They sell boxers. I saw them last week when I ran out of toothpaste in a similarly-themed domestic challenge. However, it’s now 10:16pm and whilst the pharmacy is only 10 minutes away, I’d prefer not to have to explain or even acknowledge to the cashier — silently with a sheepish grin and a telling nod — why it is I am buying underwear instead of beer at 10pm on a Friday night.
Option number four. The uncomfortable reconciliation of fact. Laundry.
Laundry is not an altogether alien concept to me.
In a house where I am surrounded by a fortress of estrogen-themed daily drama, couture — or namely the availability of fresh sources of same, not found strewn around the house in piles resembling Inuit housing — is a constant and simultaneous source of both amusement and utter distress.
I know how it works. More specifically I know how it *should* work. It’s not that difficult a concept to master.
I contemplate, strangely, what it would be like if option number four required something other than a modest jaunt to the basement where lives the ominous apparatus that does diligent battle with the detritus threatening the sanctity of my linens.
I reckon back to the days of college and of single life in an apartment where this capability was not installed, where I had to pack up my dirty vestments, remember the detergent, fabric softener, dryer sheets and a thousand dollars in quarters and trek to…
The laundromat.
I re-imagine the hours I’ve spent there.
Strangely-timed appearances meant to avoid the rush which is met with the soul-crushing realization that everyone else uses the same random number generator to decide when to show. The ludicrous rituals of basket placement and folding table land-wars. The hope that at some point in the next 12 hours, the illusion of infinite laundry scale will avail itself to me.
I remember these things.
I remember the rust-stained linoleum flooring. Faded pictures and warning emblems threatening sure and certain death from things like asphyxiation, electrocution, strangulation and loss of appendages. I am particularly disturbed and most concerned with the latter.
The community bulletin board is always a symbolic mecca for the cultural awesomesauce around which a neighborhood is formed; an eclectic mix of lost pets, waterbed auctions, Spanish and math tutoring services, guitar or tuba lessons (your choice) and a never-ending supply of for-sale-by-owner-1984-in-good-condition-runs-perfectly-Honda Civics.
And yoga lessons.
Because with a wash-rinse-dry-fold cycle time of approximately 2 hours, down dog and vinyasas are a natural way to pass the time. I must admit to never having witnessed yoga in a laundromat. Unless you consider two newlyweds making out in the corner as Yoga.
I recall the sweet and confusingly intoxicating smell of Downy. That earthy, hot, suffocating perfumed humidity of 1000 dryers tumbling in a rhythmic chant of anti-moistness. Low frequency undulating serenity drummed into my consciousness, starkly punctuated with the alarming and syncopated rupture of tempo by unrecovered pocket change falling out of jeans, producing a staccato “pitta-chank, pitta-chank, clink, donk.”
And then, the fear. The fear that I don’t have enough quarters and that the change machine doesn’t take ten dollar bills and that I’ve forgotten to bring something to read, nourishment, hydration, motivation…
I recollect the homeless man curled up in the corner under the flickering TV that only gets Korean soap operas with a vertical lock problem and the industrial-sized machines used for washing tents, small couches or horse blankets. There’s the cigarette, whiskey and cruelly time-stained woman in 50 cent curlers in her high-fashion and Heathcliff slippers, unshaven legs and a Hawaiian print muumuu reading People magazine, snickering at the misfortunes of multi-millionaire actresses jilted by their spoiled no-talent actor suitors. Venom.
But most fondly I smile — almost vindictively — at the memory of the man staring hopelessly at the bank of identical washers, each in spin cycle, wondering which three were his and hopelessly wondering why it is that he is mesmerized and distracted then by the one pink sock in a load of all black washing, flitting back and forth through the porthole in the jumbo drier.
It’s then that I flash forward to the now, staring at the highly advanced, extremely efficient and 100% available and dedicated GE Monogram front-loading washer and dryer standing before me in my basement. They’re color matched in a silver hue not unlike that of a fighter jet — beautiful, sexy and — if you paid attention to the warnings in the laundromat — potentially deadly.
Speaking of which, I’m quite sure it *is* possible to drown in a front-loader, but the process eludes me. Perhaps out of respect for the grieving family of anyone stupid enough to have managed to kill himself or herself in a running washing machine. Perhaps because I’m thinking way too much about how this can be done.
The physical attractiveness is not the most compelling element of my dirt-ridding-appliances. It’s the fact that they belong to me.
Mine.
Now.
Forever.
No waiting.
No vehicular excursions. No lady in a muumuu. No territorial battles waged over timing issues between washing machine to dryer transfer latency.
All. Mine.
You see, although I recognize the idealistic beauty and utility of the laundromat, it’s beaten down and mocked selfishly by the bully that is the convenience of dedicated capacity.
The convenience of discretionary load times. The availability of highly-customized wash/dry settings. Knowing that I didn’t just put my clothes in a vessel that rid unmentionables from someone’s love-stained sheets.
No nickel-and-diming me for quarters because the spin cycle was too short or where I end up paying twice as much for the utility of centralized community resources that do only 80% of what I need in drying cycles because my heavy thread-count towels are just too damned thick. Nobody else gets to mistakenly touch my loads or scowl at me because I wasn’t neurotically hawking over the dwell times and exfiltrating things the microsecond a cycle was complete.
It is true, however, that I had to pay for the privilege of doing my laundry when and however I see fit and yes, frankly, sometimes the demand for use outstrips the supply, but ultimately, unless it’s comforter day, I can just plan better to make better use of what I have available to me. Or I’ll make use of the industrial sized washers for my comforters in well-planned, more reasonably strategic washing sessions for when I need that scale, bulk or don’t really need a delicate cycle.
I can’t tell you what it *actually* costs per load of laundry in my basement. I admit I’ve long written off the books the initial investment of purchase. It seems less than what it costs per load to visit the laundromat. Perhaps that’s just wishful thinking or perhaps it’s worth every penny not to have to share folding space with a man who reeks of kielbasa and Marlboro lights. That’s not to say I don’t find him amusing in a cinema-verite sort of way.
Nor do I write off the efficiency and service this place provides. It’s just that it doesn’t provide all things to all people and that’s OK. The point is, those that need or like this place come here but you don’t hear them espousing that the only one true way to do laundry is at the laundromat, nor do they speak of the “laundromat revolution” whilst sipping hot chocolate or gatorade and finger-snap clapping to the pretentious preaching of bitter launderers.
It just is and I’m cool with that. Just like my own washer and dryer is. This simply isn’t about religion, righteousness, ideologues or dogma. It’s about getting my underwear clean.
I visit the laundromat still. Because it’s useful to me. Because it offers utility for things that are important to me. But not because of some idealistic need to share space with others or make someone else money. After all, utility is about choice. There’s no right or wrong if a solution meets my needs.
So my underwear is washed and prior to drying it — at my leisure — I have managed to consume a snack in between watching something on Netflix, playing with my dog and — surprisingly — contemplating those guitar lessons. I can’t say I miss the lady in curlers, but the dead potted plant that exists in both realities — my house and the laundromat — offers some comfort through familiarity.
Do I feel guilty for the inefficient hoarding of resources in my basement and not suggesting to my neighbor that they abandon their machines or pool them with mine to produce a kibbutz-like washing utility for the neighborhood at large?
No.
However, I would consider having a folding party if that makes you feel any better.
Utility is in how you use things, not necessarily how it’s offered.
Lather. Rinse. Repeat.
If You Could Have One Resource For Cloud Security…
Aug 4th
I got an interesting tweet sent to me today that asked a great question:
I thought about this and it occurred to me that while I would have liked to have answered that the Cloud Security Alliance Guidance was my first choice, I think the most appropriate answer is actually the following:
“Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance” by Tim Mather, Subra Kumaraswamy, and Shahed Latif is an excellent overview of the issues (and approaches to solutions) for Cloud Security and privacy. Pair it with the CSA and ENISA guidance and you’ve got a fantastic set of resources. I’d also suggest George Reese’s excellent book “Cloud Application Architectures: Building Applications and Infrastructure in the Cloud.”
I suppose it’s only fair to disclose that I played a small part in reviewing/commenting on both of these books prior to publication.
/Hoff
See You At Black Hat 2010 & Defcon 18?
Jul 25th
This year looks to be another swell get-together in Vegas. I had to miss last year (first time in…forever) so I’m looking forward to 112 degrees, recirculated air, and stumble-drunk hax0rs jackpotting ATMs and commandeering elevators.
I’ll be getting in on the 27th. I have a keynote at the Cloud Security Alliance Summit on the 28th (co-located within Black Hat), a talk on the 29th at Black Hat (Cloudinomicon) from 10am-11am and I’ll be on another FAIL panel at Defcon with the boys. I’ve got a bunch of (gasp!) customer meetings and (gasp! x2) work stuff to do, but plenty of time for the usual.
I’m going to try to hit Cobra Kai, Xtreme Couture or the Tapout facilities whilst there for some no-gi grappling or even BJJ if I can find a class. Either way, there are some hard core P90X’ers that I’m sure I can con into working out in 90 degree, 6am weather.
Rumors of mojitos and cigars at Casa Fuente are completely unfounded. Completely.
Oh, parties? They have parties?
See y’all there!
/Hoff
Reflections on SANS ’99 New Orleans: Where It All Started
Jul 25th
A few weeks ago I saw some RT’s/@’s on Twitter referencing John Flowers and that name brought back some memories.
Today I sent a tweet to John asking him if I remembered correctly that he was at SANS in New Orleans in 1999 when he was still at Hiverworld.
He responded back confirming he was, indeed, at SANS ’99. I remarked that this was where I first met many of today’s big names in security: Ed Skoudis, Ron Gula, Marty Roesch, Stephen Northcutt, Chris Klaus, JD Glaser, Greg Hoglund, and Bruce Schneier.
John responded back:
I couldn’t agree more. That was an absolutely amazing time. I was on my second security startup (NodeWarrior Networks), times were booming and this generation of the security industry as we know it was being given birth to.
I remember many awesome things from that week:
- Sitting in “Intrusion Detection Shadow Style” with Stephen Northcutt and Judy Novak for something like 8 hours going cross-eyed reading tcpdump packet traces and getting every question Stephen asked wrong. Well, some of them, anyway.
- Asking Ron Gula’s wife something about Dragon and her looking back at me like I was a total n00b
- Asking Ron Gula the same question and having him confirm that I was, in fact, a complete tool
- Staying up all night drinking, writing code in Perl and doing dangerous things on other people’s networks
- Participating in my first CTF
- Almost getting arrested for B&E as I tried to rig the CTF contest by attempting to steal/clone/pwn/replace the HDD in the target machine. The funniest part of that was almost pulling it off (stealing the removable drive) but electrocuting myself in the process — which is what alerted the security guard to my presence.
- Interrupting Lance Spitzner’s talk by stringing a poster behind him that said “www.lancespitznerismyhero.com” (a domain I registered during the event.)
- Watching Bruce Schneier scream at the book store guy because they, incredulously, did not stock “Practical Cryptography”
- Sitting down with Ed Skoudis (who was with SAIC at the time, I believe), looking at one another and wondering just what the hell we were going to do with our careers in security
- Spending $14,000 (I shit you not, it was the Internet BOOM time, remember) by hitting 6 of the best restaurants in New Orleans with a party of hax0rs and working the charge department at American Express into a frenzy (not to mention actually using the line from Pretty Woman: “we’re going to spend obscene amounts of money here” in order to get in…)
- Burning the roof of my mouth by not heeding the warnings of the waitress at Cafe Dumonde, biting into a beignet which cauterized my mouth as I simultaneously tried to extinguish the pain with scalding hot Chicory coffee.
I came back from that week knowing with every molecule in my body that even though I’d been “doing” security for 5 years already, it was exactly what I wanted to for the rest of my life.
I have Stephen Northcutt to thank for that. I haven’t been to a SANS since 1999 (don’t ask me why) but I am so excited about going back in August in DC (SANS What Works In Virtualization and Cloud Computing Summit) and giving a keynote at the event.
It’s been a long time. Too long.
/Hoff
On Amrit Williams’ (BigFix) Beyond The Perimeter Podcast
Jul 18th
My good friend Amrit Williams (@amrittsering) from BigFix (congrats on the IBM acquisition!) has an awesome Podcast titled “Beyond the Perimeter.”
He was nice enough to invite me to record episode 93 titled “Is Trust the Real Barrier To Cloud Computing?” (ultimately points you to an iTunes subscription.)
We spoke for almost an hour on all sorts of great discussion points related to Cloud Computing, specifically focusing on Trust (which I define in context as Security, Compliance, Control, Reliability and Privacy.)
We also spoke about the Cloud Security Alliance, CloudAudit and the HacKid conference — three things I am very passionate about.
Thanks Amrit, great conversation as usual.
/Hoff
Incomplete Thought: Why We Need Open Source Security Solutions More Than Ever…
Jul 17th
I don’t have time to write a big blog post and quite frankly, I don’t need to. Not on this topic.
I do, however, feel that it’s important to bring back into consciousness how very important open source security solutions are to us — at least those of us who actually expect to make an impact in our organizations and work toward making a dent in our security problem pile.
Why do open source solutions matter so much in our approach to dealing with securing the things that matter most to us?
It comes down to things we already know but are often paralyzed to do anything about:
- The threat curve and innovation of the attacker outpace those of the defender by orders of magnitude (duh)
- Disruptive technology and innovation dramatically impacts the operational, threat and risk modeling we have to deal with (duh duh)
- The security industry is not in the business of solving security problems that don’t have a profit motive/margin attached to it (ugh)
We can’t do much about #1 and #2 except be early adopters, be agile/dynamic and plan for change. I’ve written about this many times and built an entire series of talks/presentations (Security and Disruptive Innovation) that Rich Mogull and I have taken to updating over the last few years.
We can do something about #3 and we can do it by continuing to invest in the development, deployment, support, and perhaps even the eventual commercialization of open source security solutions.
To be clear, it’s not that commercialization is required for success, but often it just indicates a solution has become mainstream and valued and that money *can* be made.
When you look at the motivation most open source project creators bring a solution to market, it’s because the solution generally is not commercially available, it solves an immediate need and it’s contributed to by a community. These are all fantastic reasons to use, support, extend and contribute back to the open source movement — even if you don’t code, you can help by improving the roadmaps of these projects by making suggestions and promoting their use.
Open source security solutions deliver, and they deliver quickly, because roadmaps and feature integration occur in an agile, meritocratic and vetted manner that oftentimes lacks polish but delivers immediate value — especially given their cost.
We’re stuck in a loop (or a Hamster Sine Wave of Pain) because the problems we really need to solve are not developed by the companies that are in the best position to develop them in a timely manner. Why? Because when these emerging solutions are evaluated, they live or die by one thing: TAM (total addressable market.)
If there’s no big $$$ attached and someone can’t make the case within an organization that this is a strategic (read: revenue generating) big bet, the big companies wait for a small innovative startup to develop technology (or an open source tool,) see if it lives long enough for the market demand to drive revenues and then buy them…or sometimes develop a competitive solution.
Classical crossing the chasm/Moore stuff.
The problem here is that this cycle is horribly broken and we see perfectly awesome solutions die on the vine. Sometimes they come back to life years later, cyclically, when the pain gets big enough (and there’s money to be made) or the “market” of products and companies consolidates, commoditizes and ultimately becomes a feature.
I’ve got hundreds of examples I can give of this phenomenon — and I bet you do, too.
That’s not to say we don’t have open-source-derived success stories (Snort, Metasploit, ClamAV, Nessus, OSSEC, etc.) but we just don’t have enough of them. Further, there are disruptions such as virtualization and cloud computing that fundamentally change the game; harnessed in conjunction with open source solutions, they can accelerate the delivery and velocity of solutions because of how impactful the platform shift can be.
I’ve also got dozens of awesome ideas that could/would fundamentally solve many attendant issues we have in security — but the timing, economics, culture, politics and readiness/appetite for adoption aren’t there commercially…but they can be via open source.
I’m going to start a series which identifies and highlights solutions that are either available as kernel-nugget technology or past-life approaches that I think can and should be taken on as open source projects that could fundamentally help our cause as a community.
Maybe someone can code/create open source solutions out of them that can help us all. We should encourage this behavior.
We need it more than ever now.
/Hoff
CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity
Jul 7th
I’m hurrying to polish up the next in my series of virtualization and cloud computing security presentations which I’m going to give at this year’s Black Hat conference in Las Vegas on July 29th. I’m speaking from 10-11am on day two up next to folks like Jeremiah Grossman, Moxie Marlinspike, Ivan Ristic, Haroon Meer…quite the “power hour” as someone said on the Twitter.
At any rate, I started the series a couple of years ago with the following progression:
- The Four Horsemen of the Virtualization Security Apocalypse
- The Frogs Who Desired a King: A Virtualization & Cloud Computing Fable Set To Interpretative Dance
- Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure
I proudly present numero quatro:
CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity
Mass-market, low-cost, commodity Infrastructure-as-a-Service Cloud Computing providers abstract away compute, network and storage and deliver hyper-scalable capabilities.
This “abstraction distraction” has brought us to the point where the sanctity and security of the applications and information transiting them are dependent upon security models and expertise rooted in survivable distributed systems, at layers where many security professionals have no visibility.
The fundamental re-architecture of the infostructure, metastructure and infrastructure constructs in this new world forces us back to the design elements of building survivable systems focusing on information centricity — protecting the stuff that matters most in the first place.
The problem is that we’re unprepared for what this means, and most practitioners and vendors focused on the walled-garden, perimeterized models of typical DMZ architecture are at a loss as to how to apply security in disintermediated and distributed sets of automated, loosely-coupled resources.
We’re going to cover the most salient points relating to how IaaS Cloud architecture shifts how, where and who architects, deploys and manages security in this “new world order” and what your options are in making sustainable security design decisions.
It’s progressing nicely. Hope to see you there (and at Defcon).
To wit: most mass-market Public Cloud providers such as Amazon Web Services rely on highly-abstracted and limited exposure of networking capabilities. This means that most traditional network-based security solutions are impractical or non-deployable in these environments.