Document: Virtualization for Security ppt


Visit us at www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, please visit www.syngress.com. Once registered, you can access your e-book with print, copy, and comment features enabled.

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE E-BOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable e-book format. These are available at www.syngress.com.

SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Please contact our corporate sales department at corporatesales@elsevier.com for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Please contact our corporate sales department at corporatesales@elsevier.com for more information.

John Hoopes, Technical Editor
Aaron Bawcom, Andreas Turriff, Paul Kenealy, Mario Vuksan, Wesley J. Noonan, Carsten Willems, Craig A. Schiller, David Williams, Fred Shore

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

Unique Passcode
48305726

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

Virtualization for Security
Including Sandboxing, Disaster Recovery, High Availability, Forensic Analysis, and Honeypotting

Copyright © 2009 by Elsevier, Inc. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN 13: 978-1-59749-305-5

Publisher: Laura Colantoni
Project Manager: Andre Cuello
Acquisitions Editor: Brian Sawyer
Page Layout and Art: SPI
Technical Editor: John Hoopes
Developmental Editor: Gary Byrne
Cover Designer: Michael Kavish
Indexer: SPI
Copy Editors: Leslie Crenna, Emily Nye, Adrienne Rebello, Gail Rice, Jessica Springer, and Chris Stuart

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.pedersen@elsevier.com.

Library of Congress Cataloging-in-Publication Data
Hoopes, John.
Virtualization for security : including sandboxing, disaster recovery, high availability / John Hoopes.
p. cm.
ISBN 978-1-59749-305-5
1. Virtual computer systems. 2. Virtual storage (Computer sciences)--Security measures. 3. Database security. I. Title.
QA76.9.V5H66 2009
005.8--dc22
2008044794

Technical Editor

John Hoopes is a senior consultant at Verisign. John’s professional background includes an operational/support role on many diverse platforms, including IBM AS/400, IBM mainframe (OS/390 and Z-Series), AIX, Solaris, Windows, and Linux. John’s security expertise focuses on application testing with an emphasis in reverse engineering and protocol analysis. Before becoming a consultant, John was an application security testing lead for IBM, with responsibilities including secure service deployment, external service delivery, and tool development. John has also been responsible for the training and mentoring of team members in network penetration testing and vulnerability assessment. As a consultant, John has led the delivery of security engagements for clients in the retail, transportation, telecommunication, and banking sectors. John is a graduate of the University of Utah.

John contributed content to Chapter 4 and wrote Chapters 6–8, 12, and 14. John also tech-edited Chapters 3, 10, and 11.

Contributing Authors

Aaron Bawcom is the vice president of engineering for Reflex Security. Reflex Security helps organizations accelerate adoption of next-generation virtualized data centers. At Reflex, Aaron drives the technical innovation of market-leading virtualization technology. He architects and designs next-generation management, visualization, cloud computing, and application-aware networking technology. During his career, he has designed firewalls, intrusion detection/prevention, antivirus, antispyware, SIM, denial-of-service, e-mail encryption, and data-leak prevention systems. Aaron’s background includes positions as CTO of Intrusion.com and chief architect over the Network Security division of Network Associates. He holds a bachelor’s degree in computer science from Texas A&M University and currently resides in Atlanta, Georgia. Aaron wrote Chapter 2.

Paul Kenealy (BA [Hons] Russian and Soviet Studies, Red Hat Certified Engineer) has just completed an MSc in information security at Royal Holloway and is an information security incident response handler with Barclays Bank in Canary Wharf, London. His specialities include security pertaining to Linux network servers, intrusion detection, and secure network architecture and design. Paul’s background includes positions as a programmer with Logica, and he has designed and implemented a number of VMware infrastructure systems for security monitoring and incident analysis. Paul contributed content to Chapter 5.

Wesley J. Noonan (VCP, CISA) is a virtualization, network, and security domain expert at NetIQ, where he directly interfaces with customers to meet and understand their needs and to integrate his experiences with NetIQ’s development road map. With more than 14 years in the IT industry, Wesley specializes in Windows-based networks and network infrastructure security design and implementation. Wesley is a continual industry contributor, having authored Hardening Network Infrastructure, coauthored Hardening Network Security, The CISSP Training Guide and Firewall Fundamentals, and acted as the technical editor for Hacking Exposed: Cisco Networks. Previously, Wesley has presented at VMworld 2008, TechMentor, and Syracuse VMUG; taught courses as a Microsoft Certified Trainer; and developed and delivered his own Cisco training curriculum. He has also contributed to top tier industry publications such as the Financial Times, Redmond magazine, eWeek, Network World, and TechTarget’s affiliates. Wesley currently resides in Houston, Texas, with his family. Wesley wrote Chapters 10 and 11, contributed content to Chapter 5, and tech-edited Chapters 2, 4–9, 12, 13, and 14.

Craig A. Schiller (CISSP-ISSMP, ISSAP) is the chief information security officer at Portland State University, an adjunct instructor of digital forensics at Portland Community College, and president of Hawkeye Security Training, LLC. He is the primary author of Botnets: The Killer Web App (Syngress, ISBN: 1597491357) and the first Generally Accepted System Security Principles (GSSP). He is a contributing author of several editions of the Handbook of Information Security Management and Data Security Management. Craig was also a contributor to Infosecurity 2008 Threat Analysis (Syngress, ISBN: 9781597492249), Combating Spyware in the Enterprise (Syngress, ISBN: 1597490644), and Winternals Defragmentation, Recovery, and Administration Field Guide (Syngress, ISBN: 1597490792).
Craig was the senior security engineer and coarchitect of the NASA Mission Operations AIS Security Engineering Team. He cofounded two ISSA U.S. regional chapters, the Central Plains Chapter and the Texas Gulf Coast Chapter, and is currently the director of education for ISSA-Portland. He is a police reserve specialist for the Hillsboro Police Department in Oregon. Craig is a native of Lafayette, Louisiana. He currently lives in Beaverton, Oregon, with his wife, Janice, and family (Jesse, Sasha, and Rachael). Both Janice and Craig sing with the awesome choir of St. Cecilia’s Catholic Church. Craig contributed content to Chapter 3 and wrote Chapter 9.

Fred Shore is a customer support analyst for the HealthCare Partners Medical Group. He provides specialized and expert support for Windows-based operating systems. His expertise on Windows systems is grounded in more than 17 years of hands-on technical support experience. His background includes extensive troubleshooting and problem solving. His background also includes stints at Portland State University’s Office on Information Technology and Vivendi Games, North America. Fred holds a bachelor’s degree in business administration: information systems from Portland State University. He now lives in Southern California with his dog, Chance. Fred contributed content to Chapter 3.

Andreas Turriff (MCSE, MCSA, CNE-5, CNE-6, MCNE) is a member of the IT security team at Portland State University, working for the CISO, Craig Schiller. Andreas integrates the tools for computer forensics analysis on bootable media for internal use; his current main project is the development of a Linux Live-DVD employing both binary and kernel-level hardening schemes to ensure the integrity of the forensics tools during analysis of malware. Andreas is currently in his senior year at Portland State University, where he is working toward earning a bachelor’s degree in computer science.
He also has worked previously as a network administrator for a variety of companies. Andreas contributed content to Chapter 3.

Mario Vuksan is the director of research at Bit9, where he has helped create the world’s largest collection of actionable intelligence about software, the Bit9 Global Software Registry. He represents Bit9 at industry events and currently works on the company’s next generation of products and technologies. Before joining Bit9, Vuksan was program manager and consulting engineer at Groove Networks (acquired by Microsoft), working on Web-based solutions, P2P management, and integration servers. Before joining Groove Networks, Vuksan developed one of the first Web 2.0 applications at 1414c, a spin-off from PictureTel. He holds a BA from Swarthmore College and an MA from Boston University. In 2007, he spoke at CEIC, Black Hat, Defcon, AV Testing Workshop, Virus Bulletin, and AVAR Conferences. Mario wrote Chapter 13.

Carsten Willems is an independent software developer with 10 years’ experience. He has a special interest in the development of security tools related to malware research. He is the creator of the CWSandbox, an automated malware analysis tool. The tool, which he developed as a part of his thesis for his master’s degree in computer security at RWTH Aachen, is now distributed by Sunbelt Software in Clearwater, Florida. He is currently working on his Ph.D. thesis, titled “Automatic Malware Classification,” at the University of Mannheim. In November 2006 he was awarded third place at the Competence Center for Applied Security Technology (CAST) for his work titled “Automatic Behaviour Analysis of Malware.” In addition, Carsten has created several office and e-business products. Most recently, he has developed SAGE GS-SHOP, a client-server online shopping system that has been installed over 10,000 times. Carsten contributed content to Chapter 3.
David Williams is a principal at Williams & Garcia, LLC, a consulting practice based in Atlanta, Georgia, specializing in effective enterprise infrastructure solutions. He specializes in the delivery of advanced solutions for x86 and x64 environments. Because David focuses on cost containment and reduction of complexity, virtualization technologies have played a key role in his recommended solutions and infrastructure designs. David has held several IT leadership positions in various organizations, and his responsibilities have included the operations and strategy of Windows, open systems, mainframe, storage, database, and data center technologies and services. He has also served as a senior architect and an advisory engineer for Fortune 1000 organizations, providing strategic direction on technology infrastructures for new enterprise-level projects. David studied music engineering technology at the University of Miami, and he holds MCSE+I, MCDBA, VCP, and CCNA certifications. When not obsessed with corporate infrastructures, he spends his time with his wife and three children. David wrote Chapter 1.

[...]...

Chapter 1
An Introduction to Virtualization

Solutions in this chapter:
■ What Is Virtualization?
■ Why Virtualize?
■ How Does Virtualization Work?
■ Types of Virtualization
■ Common Use Cases for Virtualization
■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions

Introduction

Virtualization is one of those buzz words that...

The Challenge: VMMs for the x86 Architecture
Types of Virtualization
Server Virtualization
Storage Virtualization
Network Virtualization
Application Virtualization ...
wishes to deliver the benefits of virtualization to their organization or customers. This chapter will introduce you to the core concepts of server, storage, and network virtualization as a foundation for learning more about Xen. This chapter will also illustrate the potential benefits of virtualization to any organization.

What Is Virtualization?

So what exactly is virtualization? Today, that question...

While the most common form of virtualization is focused on server hardware platforms, these goals and supporting technologies have also found their way into other critical—and expensive—components of modern data centers, including storage and network infrastructures. But to answer the question “What is virtualization?” we must first discuss the history and origins of virtualization, ...

micro-partitioning CPU resources for LPARs, became possible. IBM’s LPAR virtualization offerings include some unique virtualization approaches and virtual resource provisioning. A key component of what IBM terms the Advanced POWER Virtualization feature, is the Virtual I/O Server. Virtual I/O servers satisfy part of the VMM, called the POWER Hypervisor, role. Though not responsible for CPU or memory virtualization, the...

may configure virtual server SCSI devices for Virtual I/O Server partitions, and virtual client SCSI devices for Linux and AIX partitions.

The Answer: Virtualization Is…

So with all that history behind us, and with so many companies claiming to wear the virtualization hat, how do we define it? In an effort to be as all-encompassing as possible, we can define virtualization as: A framework or methodology...
Apply different security settings to each partition

Consolidation

Three drivers have motivated, if not accelerated, the acceptance and adoption of virtualization technologies—consolidation, reliability, and security. The goal behind consolidation is to combine and unify. In the case of virtualization, workloads are combined on fewer physical platforms capable...

Presentation Virtualization
Server Virtualization
Dedicated Hardware
Hardware Compatibility
Paravirtualization
I/O Virtualization
Hardware Virtualization...

hardware, software, and communications, for a nominal cost. In many cases, the technology is freely available (thanks to open-source initiatives) or included for the price of products such as operating system software or storage hardware. Well suited for most inline business applications, virtualization technologies have gained in popularity and are in widespread use for all but the most demanding workloads...

financial impact of virtualization, be sure not to over-commit the hosts with a large number of virtual machines. Depending on the workload, physical hosts can manage as many as 20 to 30 virtualization machines, or as little as 4 to 5. Spend time upfront gathering performance information about your current workloads, especially during peak hours, to help properly plan and justify your virtualization strategy.

Date posted: 09/12/2013, 17:15
