I came up in the network / security industry with the concept of "trust no one" at the forefront of my brain. Well, trust no one until you have been given assurance that you should trust someone or something.
So, do you trust "Virtual Disk Images" downloaded off the internet? Would you download an image from VMWare's Virtual Market Place or a web site called ThoughtPolice.com?
Have no clue about what I am talking about?
Well, one of the cool things about virtualizaiton is that servers and desktops now have the ability to go mobile. They can be copied from place to place and even be downloaded off the internet. This capability makes it easy for you to get a server up and running.
Remember the days when you had to install a Novell 3.11 server from 20-30 floppy disks? It was painful wasnt it? Worse than watching paint dry. You had to stare at a screen and wait for the next prompt to change the floppy disk. Then you would get to a question to enter some information that you didn't have a clue about and then have to rush to grab the manual.
Well, now with virtualization you or someone else can go through the installation process and once the server is installed, you can replicate it without having to ever install it again.
The problem with the above sentence is "someone else". Again, I trust no one else and I definitely don't trust someone I don't know installing a Linux server and publishing it on the internet for me to use.
But there are many people out there in the world that are ok with downloading "Virtual Disk Images" off the internet and placing them either in lab environments or production environments. The problem with this is that anyone could create a Virtual Disk Image of the latest Fedora Linux operating system, purposely embed a trojan or virus in it and make it readily available on VMWare's Virtual Market Place or sites like ThoughtPolice.com
Click Me Click Me
An unsuspecting, trusting individual could then download that "Virtual Disk Image", run it inside their VMWare environment and the next thing you hear is there data center or lab is attacked.
Downloading these virtual disk images are more dangerous than downloading a file off the internet or clicking on an attachment in an email from an unknown sender. Why do I say this? Because downloading a virtual disk image is a FULL ON operating system with many applications in it. If a hacker has control of a full operating system they can do things like schedule attacks that happen in the middle of the night, port scan your network for information and email the results to a BotNet Master and even run a packet capture of traffic and FTP that to a BotNet master. Imagine the possibilities and imagine being able to run any application not just a small file attachment. An application buried in a directory somewhere on the Virtual Disk Image.
Did I just bum you out and paint another picture of doom and gloom?
Well, its not all doom and gloom. Knowledge is power as they say and now with this knowledge you should think twice before downloading an image off the internet and use it without fully checking it out. Fully checking it out means running anti-virus software INSIDE the image and making sure you have VM to VM aware firewalls within your virtual environment to isolate traffic flows between VM's.
Lastly, I think downloading these images is pretty cool and would love to be able to take advantage of someone else watching the paint dry during an installation however, I think there needs to be a "Verisign" of Virtual Disk Images. This way someone who you trust can do the work of inspecting these images for me.
-JP
Hi JS,
I couldn't find your e-mail address on your blog, so posting here.
You make a good point - it is important to trust the vendor or person supplying the VM disk images, but you miss what I think is a very important point:
An application can do all of the bad things that you mention.
This is important because you cannot do much to watch if an application is doing something bad, but you *can* do this for a VM disk image. How?
First you would mount the disk image in a trusted environment (i.e. a trusted VM image), then you would verify the contents of the image. Do the checksums on the files match what you expect? Are there any extra files? What do they do? What applications are started at boot?
You can't really do this with an application..
But both VM disk images and applications have something in common: trust. If one person finds something is wrong with an application or VM disk image they have downloaded, they can tell others, or post it on their blog. Other people can investigate, and then the word is out. It's all down to trust, as always.
Simon
www.thoughtpolice.co.uk
Posted by: Simon | April 21, 2008 at 03:44 PM