Virtualization for Security

  • Comments posted to this topic are about the item Virtualization for Security

  • Hehe interesting thoughts.

    Reminds me of some Russian who published an article about Blue Pill. In a virtualized environment that should be even harder to detect, I think.

  • Main issue I can see is with licensing... unless the virtualised PC runs Linux (which comes with its own issues in a mainly Windows shop), you'd have to buy a separate OS license for it, which adds up to a fairly heavy extra expense. Unless you're in the sort of industry where this level of security is desired and rigorously enforced, it's probably not an expense most people will go for!

  • The Windows license limits are the main problem, as already mentioned.

    However, setting up a VM with *nix (I prefer FreeBSD for this) and using it for browsing unverified sites and other potentially higher-risk activities that don't require Windows software, or where WINE allows installation, makes for a very secure sandbox. A pain to administer (*nix is like that), but useful.

    Want to open an e-mail attachment, but aren't sure it's safe? Fire up a VM with *nix and Thunderbird, open the attachment, test it there, and you're safer than opening it on your desktop.

    But keep in mind that Virtual PC (free) won't run 64-bit guest OSes. VMWare Workstation will, but costs $199 for 1-host license.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

  • On the laptop I use to VPN into the office, I have separate boot and data partitions for personal use and for work, where one is not visible to the other. I chose that option over using Virtual PC or VMware because it allows full use of my 2 GB memory, and I don't have a need to context switch between the two.

    As for surfing the web at work, allowing employees to keep virtual desktops would be problematic for a number of reasons.

    It would be nice if web browsers had a built-in feature to run in a sort of "sandbox" mode that blocked access to the local file system and executable content from the internet. One option is to run your web browser under a different local account that has least privileges. In XP, you could right-click and choose "run as", or we could supply account credentials in the shortcut properties. That feature was removed in Vista and Windows 7; however, there is a Windows Sysinternals tool called ShellRunas that can be downloaded from Microsoft.

    http://technet.microsoft.com/en-us/sysinternals/cc300361.aspx

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
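    As an added example (not code from this thread or from Microsoft), the same "run as" idea expressed in PowerShell for Windows 10/11: create a standard local account with no administrative rights and launch the browser under it. The account name and browser path are assumptions.

```powershell
# Added example, not from the thread: run the web browser under a separate,
# least-privilege local account so a browser compromise inherits that account's
# limited rights instead of your own. Needs Windows 10/11 (LocalAccounts module);
# run the account-creation step once from an elevated prompt.

$userName = 'WebSandbox'                                   # assumed account name
$browser  = 'C:\Program Files\Mozilla Firefox\firefox.exe' # assumed browser path

function New-BrowsingAccount {
    param([string]$Name)
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString -Prompt "Password for $Name"
        New-LocalUser -Name $Name -Password $pw -PasswordNeverExpires `
            -Description 'Least-privilege browsing account' | Out-Null
    }
    # Standard user only: make sure it is in Users and NOT in Administrators.
    Add-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue
    $admin = Get-LocalGroupMember -Group 'Administrators' |
             Where-Object { $_.Name -like "*\$Name" }
    if ($admin) { Remove-LocalGroupMember -Group 'Administrators' -Member $Name }
}

function Start-SandboxedBrowser {
    param([string]$Name, [string]$Path)
    $cred = Get-Credential -UserName ".\$Name" -Message 'Browsing account password'
    # -LoadUserProfile gives the account its own profile, and therefore its own
    # browser data directory, separate from yours.
    Start-Process -FilePath $Path -Credential $cred -LoadUserProfile -WorkingDirectory 'C:\'
}

New-BrowsingAccount -Name $userName
Start-SandboxedBrowser -Name $userName -Path $browser
```

    The browser still shares your interactive desktop session, so this limits its file and registry rights but is weaker isolation than the separate VM discussed earlier in the thread.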

  • Eric M Russell (10/27/2011)

    On the laptop I use to VPN into the office, I have separate boot and data partitions for personal use and for work, where one is not visible to the other. I chose that option over using Virtual PC or VMware because it allows full use of my 2 GB memory, and I don't have a need to context switch between the two.

    As for surfing the web at work, allowing employees to keep virtual desktops would be problematic for a number of reasons.

    It would be nice if web browsers had a built-in feature to run in a sort of "sandbox" mode that blocked access to the local file system and executable content from the internet. One option is to run your web browser under a different local account that has least privileges. In XP, you could right-click and choose "run as", or we could supply account credentials in the shortcut properties. That feature was removed in Vista and Windows 7; however, there is a Windows Sysinternals tool called ShellRunas that can be downloaded from Microsoft.

    http://technet.microsoft.com/en-us/sysinternals/cc300361.aspx

    Theoretically, Internet Explorer 7 and higher run in a sandbox on Vista and Win7. You have to give it permission to do anything to your system. Some people turn that off because of UAC-annoyance-syndrome.

    There are also sandbox apps that will put your browser in an isolation state from the rest of the system for you.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

  • I worked a contract at a government site and they did not allow us to connect to our corporate office via VPN. Our manager set up a Citrix ICA server at his house and published Firefox, Outlook, etc., as shared applications. Everything used outbound port 80, so it just looked like regular web surfing traffic on the firewall.

  • I think it is a great idea that really had potential many years ago and may have it in the future. However, right now I think that too many applications need access to the outside network to function: widgets, gadgets, embedded FTP clients, SOAP applications, games, etc.

    Things do seem to be moving to a cloud application base though, in which something like this would be perfect.

  • On apps that contain sensitive enterprise data it is common (at least where I am) to have a "DMZ server" ("demilitarized zone") which also acts as a decoy server for the inbound traffic.

    However, it is largely outside of us SQL guys' playground, because one of the top rules is that what is in place and why is on a need-to-know basis only.

    I learned some of these things only because my database had traffic so heavy that it was causing problems on DMZ servers and security guys had to consult their setup with me.

  • Revenant (10/27/2011)

    On apps that contain sensitive enterprise data it is common (at least where I am) to have a "DMZ server" ("demilitarized zone") which also acts as a decoy server for the inbound traffic.

    However, it is largely outside of us SQL guys' playground, because one of the top rules is that what is in place and why is on a need-to-know basis only.

    I learned some of these things only because my database had traffic so heavy that it was causing problems on DMZ servers and security guys had to consult their setup with me.

    It's also a good idea to either disable the Browser Service or configure it so that the instance is hidden. It's hard to attack what can't be seen.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
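    As an added example (not code from this thread or from Microsoft), a PowerShell audit of the two settings the post mentions: whether the SQL Browser service is running and whether each installed instance has HideInstance set. The function and cmdlet names are the example's own; the registry paths are the standard SQL Server ones.

```powershell
# Added example, not from the thread: report which SQL Server instances on this
# host are discoverable, and optionally apply the hardening described in the post
# (set HideInstance and stop/disable the SQL Browser service). Run elevated on the
# SQL Server host; HideInstance takes effect after the instance is restarted.

function Get-SqlInstanceExposure {
    # SQL Browser answers UDP 1434 discovery requests for named instances.
    $svc = Get-Service -Name 'SQLBrowser' -ErrorAction SilentlyContinue
    $browserRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # Installed instances are registered here as <name> = <MSSQLxx.name>.
    $instKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    if (-not (Test-Path $instKey)) { return @() }
    $meta  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $props = (Get-ItemProperty -Path $instKey).PSObject.Properties |
             Where-Object { $meta -notcontains $_.Name }

    foreach ($p in $props) {
        $netKey = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($p.Value)\MSSQLServer\SuperSocketNetLib"
        $hidden = $false
        if (Test-Path $netKey) {
            # Missing value behaves like 0 (not hidden); [bool]$null is $false.
            $hidden = [bool](Get-ItemProperty -Path $netKey).HideInstance
        }
        [pscustomobject]@{
            Instance       = $p.Name
            RegistryPath   = $netKey
            BrowserRunning = $browserRunning
            HideInstance   = $hidden
            Discoverable   = ($browserRunning -and -not $hidden)
        }
    }
}

function Set-SqlInstanceHidden {
    param([Parameter(Mandatory)][string]$RegistryPath, [switch]$DisableBrowser)
    Set-ItemProperty -Path $RegistryPath -Name 'HideInstance' -Value 1 -Type DWord
    if ($DisableBrowser) {
        # Caveat: clients that connect to named instances by name alone rely on
        # SQL Browser; give them the instance's fixed TCP port before disabling it.
        Stop-Service -Name 'SQLBrowser' -ErrorAction SilentlyContinue
        Set-Service -Name 'SQLBrowser' -StartupType Disabled
    }
}

# Report only by default; uncomment the pipeline to hide every discoverable instance.
Get-SqlInstanceExposure | Format-Table -AutoSize
# Get-SqlInstanceExposure | Where-Object Discoverable |
#     ForEach-Object { Set-SqlInstanceHidden -RegistryPath $_.RegistryPath -DisableBrowser }
```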

  • That would be what Invincea is pushing: http://www.invincea.com/. One of my cyber-security colleagues was telling me about them recently, as a way to reduce the risk of malware infection. If it works, great, but I'll believe it when I see it.
