Already gaining buzz and traction in actual usage at an impressive rate, Gartner research indicates that virtualization will be the most significant trend in IT infrastructure and operations over the next four years. A recent report by IT research firm IDC predicts the virtualization services market will grow from $5.5 billion in 2006 to $11.7 billion in 2011. With this growth in adoption, becoming increasingly common even for small and midsize businesses, security is becoming a much more serious concern, both in terms of how to secure virtualization and how virtualization can serve critical security objectives.
Titles exist and are on the way to fill the need for securing virtualization, but security professionals do not yet have a book outlining the many security applications of virtualization that will become increasingly important in their job requirements. This book is the first to fill that need, covering tactics such as isolating a virtual environment on the desktop for application testing, creating virtualized storage solutions for immediate disaster recovery and high availability across a network, migrating physical systems to virtual systems for analysis, and creating complete virtual systems to entice hackers and expose potential threats to actual production systems.
About the Technologies
A sandbox is an isolated environment created to run and test applications that might be a security risk. Recovering a compromised system is as easy as restarting the virtual machine to revert to the point before failure. Employing virtualization on actual production systems, rather than just test environments, yields similar benefits for disaster recovery and high availability. While traditional disaster recovery methods require time-consuming reinstallation of the operating system and applications before restoring data, backing up to a virtual machine makes the recovery process much easier, faster, and efficient. The virtual machine can be restored to same physical machine or an entirely different machine if the original machine has experienced irreparable hardware failure. Decreased downtime translates into higher availability of the system and increased productivity in the enterprise.
Virtualization has been used for years in the field of forensic analysis, but new tools, techniques, and automation capabilities are making it an increasingly important tool. By means of virtualization, an investigator can create an exact working copy of a physical computer on another machine, including hidden or encrypted partitions, without altering any data, allowing complete access for analysis. The investigator can also take a live ?snapshot? to review or freeze the target computer at any point in time, before an attacker has a chance to cover his tracks or inflict further damage.
John Hoopes, Senior Consultant for Verisign, is a graduate of the University of Utah. John's professional background includes an operational/support role on many diverse platforms, including IBM AS/400, IBM Mainframe (OS/390 and Z-Series), AIX, Solaris, Windows, and Linux. John's security expertise focuses on application testing with an emphasis in reverse engineering and protocol analysis. Before becoming a consultant, John was an application security testing lead for IBM, with responsibilities including secure service deployment, external service delivery, and tool development. John has also been responsible for the training and mentoring of team members in network penetration testing and vulnerability assessment. As a consultant, John has lead the delivery of security engagements for clients in the retail, transportation, telecommunication, and banking sectors.
One of the biggest buzzwords in the IT industry for the past few years, virtualization has matured into a practical requirement for many best-practice business scenarios, becoming an invaluable tool for security professionals at companies of every size. In addition to saving time and other resources, virtualization affords unprecedented means for intrusion and malware detection, prevention, recovery, and analysis. Taking a practical approach in a growing market underserved by books, this hands-on title is the first to combine in one place the most important and sought-after uses of virtualization for enhanced security, including sandboxing, disaster recovery and high availability, forensic analysis, and honeypotting.Already gaining buzz and traction in actual usage at an impressive rate, Gartner research indicates that virtualization will be the most significant trend in IT infrastructure and operations over the next four years. A recent report by IT research firm IDC predicts the virtualization services market will grow from $5.5 billion in 2006 to $11.7 billion in 2011. With this growth in adoption, becoming increasingly common even for small and midsize businesses, security is becoming a much more serious concern, both in terms of how to secure virtualization and how virtualization can serve critical security objectives. Titles exist and are on the way to fill the need for securing virtualization, but security professionals do not yet have a book outlining the many security applications of virtualization that will become increasingly important in their job requirements. This book is the first to fill that need, covering tactics such as isolating a virtual environment on the desktop for application testing, creating virtualized storage solutions for immediate disaster recovery and high availability across a network, migrating physical systems to virtual systems for analysis, and creating complete virtual systems to entice hackers and expose potential threats to actual production systems.About the TechnologiesA sandbox is an isolated environment created to run and test applications that might be a security risk. Recovering a compromised system is as easy as restarting the virtual machine to revert to the point before failure. Employing virtualization on actual production systems, rather than just test environments, yields similar benefits for disaster recovery and high availability. While traditional disaster recovery methods require time-consuming reinstallation of the operating system and applications before restoring data, backing up to a virtual machine makes the recovery process much easier, faster, and efficient. The virtual machine can be restored to same physical machine or an entirely different machine if the original machine has experienced irreparable hardware failure. Decreased downtime translates into higher availability of the system and increased productivity in the enterprise.Virtualization has been used for years in the field of forensic analysis, but new tools, techniques, and automation capabilities are making it an increasingly important tool. By means of virtualization, an investigator can create an exact working copy of a physical computer on another machine, including hidden or encrypted partitions, without altering any data, allowing complete access for analysis. The investigator can also take a live ?snapshot? to review or freeze the target computer at any point in time, before an attacker has a chance to cover his tracks or inflict further damage.
Front Cover 1
Virtualization for Security 4
Copyright 5
Technical Editor 6
Contributing Authors 7
Contents 12
Chapter 1: An Introduction to Virtualization 22
Introduction 23
What Is Virtualization? 23
The History of Virtualization 24
The Atlas Computer 24
The M44/44X Project 25
CP/CMS 25
Other Time-Sharing Projects 26
Virtualization Explosion of the 1990s and Early 2000s 27
The Answer: Virtualization Is… 29
Why Virtualize? 30
Decentralization versus Centralization 30
True Tangible Benefits 34
Consolidation 36
Reliability 38
Security 39
How Does Virtualization Work? 40
OS Relationships with the CPU Architecture 41
The Virtual Machine Monitor and Ring-0 Presentation 43
The VMM Role Explored 44
The Popek and Goldberg Requirements 45
The Challenge: VMMs for the x86 Architecture 46
Types of Virtualization 47
Server Virtualization 47
Storage Virtualization 50
Network Virtualization 51
Application Virtualization 52
Common Use Cases for Virtualization 53
Technology Refresh 53
Business Continuity and Disaster Recovery 55
Proof of Concept Deployments 56
Virtual Desktops 56
Rapid Development, Test Lab, and Software Configuration Management 57
Summary 59
Solutions Fast Track 59
What Is Virtualization? 59
Why Virtualize? 60
How Does Virtualization Work? 60
Types of Virtualization 61
Common Use Cases for Virtualization 61
Frequently Asked Questions 63
Chapter 2: Choosing the Right Solution for the Task 65
Introduction 66
Issues and Considerations That Affect Virtualization Implementations 66
Performance 67
Redundancy 67
Operations 68
Backups 68
Security 68
Evolution 69
Discovery 69
Testing 69
Production 69
Mobility 70
Grid 70
Distinguishing One Type of Virtualization from Another 71
Library Emulation 71
Wine 72
Cygwin 73
Processor Emulation 73
Operating System Virtualization 74
Application Virtualization 74
Presentation Virtualization 75
Server Virtualization 75
Dedicated Hardware 75
Hardware Compatibility 76
Paravirtualization 77
I/O Virtualization 78
Hardware Virtualization 78
Summary 80
Solutions Fast Track 81
Issues and Considerations That Affect Virtualization Implementations 81
Distinguishing One Type of Virtualization from Another 81
Frequently Asked Questions 82
Chapter 3: Building a Sandbox 83
Introduction 84
Sandbox Background 83
The Visible Sandbox 85
cwsandbox.exe 88
cwmonitor.dll 89
Existing Sandbox Implementations 92
Describing CWSandbox 94
Creating a Live DVD with VMware and CWSandbox 83
Setting Up Linux 98
Setting Up VMware Server v1.05 100
Setting Up a Virtual Machine in VMware Server 100
Setting Up Windows XP Professional in the Virtual Machine 101
Setting Up CWSandbox v2.x in Windows XP Professional 102
Configuring Linux and VMware Server for Live DVD Creation 103
Updating Your Live DVD 105
Summary 106
Solutions Fast Track 83
Sandbox Background 106
Existing Sandbox Implementations 107
Describing CWSandbox 107
Creating a Live DVD with VMware and CWSandbox 108
Frequently Asked Questions 109
Notes 110
Bibliography 110
Chapter 4: Configuring the Virtual Machine 111
Introduction 112
Resource Management 112
Hard Drive and Network Configurations 112
Hard Drive Configuration 113
Growing Disk Sizes 113
Virtual Disk Types 113
Using Snapshots 114
Network Configuration 114
Creating an Interface 114
Bridged 115
Host-Only 116
Natted 117
Multiple Interfaces 118
Physical Hardware Access 119
Physical Disks 119
USB Devices 123
Interfacing with the Host 124
Cut and Paste 124
How to Install the VMware Tools in a Virtual Machine 125
How to Install the Virtual Machine Additions in Virtual PC 132
Summary 133
Solutions Fast Track 133
Hard Drive and Network Configurations 133
Physical Hardware Access 134
Interfacing with the Host 134
Frequently Asked Questions 135
Chapter 5: Honeypotting 137
Introduction 138
Herding of Sheep 138
Honeynets 140
Gen I 140
Gen II 141
Gen III 141
Where to Put It 141
Local Network 142
Distributed Network 142
Layer 2 Bridges 143
Honeymole 145
Multiple Remote Networks 146
Detecting the Attack 150
Intrusion Detection 150
Network Traffic Capture 151
Monitoring on the Box 152
How to Set Up a Realistic Environment 153
Nepenthes 154
Setting Up the Network 154
Keeping the Bad Stuff in 160
Summary 161
Solutions Fast Track 161
Herding of Sheep 161
Detecting the Attack 161
How to Set Up a Realistic Environment 162
Frequently Asked Questions 163
Note 163
Chapter 6: Malware Analysis 165
Introduction 166
Setting the Stage 166
How Should Network Access Be Limited? 167
Don’t Propagate It Yourself 167
The Researcher May Get Discovered 168
Create a “Victim” That Is as Close to Real as Possible 168
You Should Have a Variety of Content to Offer 168
Give It That Lived-in Look 169
Making the Local Network More Real 169
Testing on VMware Workstation 171
Microsoft Virtual PC 173
Looking for Effects of Malware 174
What Is the Malware’s Purpose? 174
How Does It Propagate? 175
Does the Malware Phone Home for Updates? 175
Does the Malware Participate in a Bot-Net? 176
Does the Malware Send the Spoils Anywhere? 176
Does the Malware Behave Differently Depending on the Domain? 177
How Does the Malware Hide and How Can It Be Detected? 177
How Do You Recover from It? 178
Examining a Sample Analysis Report 179
The < Analysis>
Analysis of 82f78a89bde09a71ef99b3cedb991bcc.exe 180
Analysis of arman.exe 182
Interpreting an Analysis Report 187
How Does the Bot Install? 188
Finding Out How New Hosts Are Infected 189
How Does the Bot Protect the Local Host and Itself? 191
Determing How/Which C& C Servers Are Contacted
How Does the Bot Get Binary Updates? 195
What Malicious Operations Are Performed? 196
Bot-Related Findings of Our Live Sandbox 201
Antivirtualization Techniques 203
Detecting You Are in a Virtual Environment 204
Virtualization Utilities 204
VMware I/O Port 204
Emulated Hardware Detection 205
Hardware Identifiers 205
MAC Addresses 205
Hard Drives 206
PCI Identifiers 206
Detecting You Are in a Hypervisor Environment 207
Summary 208
Solutions Fast Track 208
How Should Network Access Be Limited? 208
Looking for Effects of Malware 208
Antivirtualization Techniques 208
Frequently Asked Questions 209
Chapter 7: Application Testing 211
Introduction 212
Getting Up to Speed Quickly 212
Default Platform 213
Copying a Machine in VMware Server 213
Registering a Machine in Microsoft Virtual Server 215
Known Good Starting Point 216
Downloading Preconfigured Appliances 217
VMware’s Appliance Program 217
Microsoft’s Test Drive Program 218
Debugging 219
Kernel Level Debugging 219
The Advantage of Open Source Virtualization 227
Summary 228
Solutions Fast Track 228
Getting Up to Speed Quickly 228
Debugging 228
Frequently Asked Questions 229
Chapter 8: Fuzzing 231
Introduction 232
What Is Fuzzing? 232
Virtualization and Fuzzing 234
Choosing an Effective Starting Point 234
Using a Clean Slate 234
Reducing Startup Time 235
Setting Up the Debugging Tools 235
Preparing to Take Input 237
Preparing for External Interaction 238
Taking the Snapshot 238
Executing the Test 239
Scripting Snapshot Startup 239
Interacting with the Application 240
Selecting Test Data 241
Checking for Exceptions 242
Saving the Results 243
Running Concurrent Tests 243
Summary 245
Solutions Fast Track 245
What Is Fuzzing? 245
Virtualization and Fuzzing 245
Choosing an Effective Starting Point 245
Preparing for External Interaction 246
Executing the Test 246
Frequently Asked Questions 247
Chapter 9: Forensic Analysis 249
Introduction 250
Preparing Your Forensic Environment 251
Capturing the Machine 252
Preparing the Captured Machine to Boot on New Hardware 258
What Can Be Gained by Booting the Captured Machine? 259
Virtualization May Permit You to Observe Behavior That Is Only Visible While Live 262
Using the System to Demonstrate the Meaning of the Evidence 262
The System May Have Proprietary/ Old Files That Require Special Software 262
Analyzing Time Bombs and Booby Traps 263
Easier to Get in the Mind-Set of the Suspect 263
Collecting Intelligence about Botnets or Virus-Infected Systems 264
Collecting Intelligence about a Case 264
Capturing Processes and Data in Memory 265
Performing Forensics of a Virtual Machine 265
Caution: VM-Aware Malware Ahead 267
Summary 269
Solutions Fast Track 269
Preparing Your Forensic Environment 269
Capturing the Machine 270
Preparing the Captured Machine to Boot on New Hardware 270
What Can Be Gained by Booting the Captured Machine? 271
Frequently Asked Questions 273
Chapter 10: Disaster Recovery 275
Introduction 276
Disaster Recovery in a Virtual Environment 276
Simplifying Backup and Recovery 277
File Level Backup and Restore 277
System-Level Backup and Restore 278
Shared Storage Backup and Restore 279
Allowing Greater Variation in Hardware Restoration 281
Different Number of Servers 282
Using Virtualization for Recovery of Physical Systems 282
Using Virtualization for Recovery of Virtual Systems 283
Recovering from Hardware Failures 285
Redistributing the Data Center 285
Summary 287
Solutions Fast Track 288
Disaster Recovery in a Virtual Environment 288
Simplifying Backup and Recovery 288
Allowing Greater Variation in Hardware restoration 288
Recovering from Hardware Failures 289
Redistributing the Data Center 289
Frequently Asked Questions 290
Chapter 11: High Availability: Reset to Good 291
Introduction 292
Understanding High Availability 292
Providing High Availability for Planned Downtime 293
Providing High Availability for Unplanned Downtime 294
Reset to Good 295
Utilizing Vendor Tools to Reset to Good 295
Utilizing Scripting or Other Mechanisms to Reset to Good 297
Degrading over Time 297
Configuring High Availability 298
Configuring Shared Storage 298
Configuring the Network 298
Setting Up a Pool or Cluster of Servers 299
Maintaining High Availability 300
Monitoring for Overcommitment of Resources 300
Security Implications 301
Performing Maintenance on a High Availability System 302
Summary 304
Solutions Fast Track 305
Understanding High Availability 305
Reset to Good 305
Configuring High Availability 305
Maintaining High Availability 305
Frequently Asked Questions 307
Chapter 12: Best of Both Worlds: Dual Booting 309
Introduction 310
How to Set Up Linux to Run Both Natively and Virtually 310
Creating a Partition for Linux on an Existing Drive 311
Setting Up Dual Hardware Profiles 315
Issues with Running Windows Both Natively and Virtualized 316
Precautions When Running an Operating System on Both Physical and Virtualized Platforms 316
Booting a Suspended Partition 316
Deleting the Suspended State 317
Changing Hardware Configurations Can Affect Your Software 317
Summary 319
Solutions Fast Track 319
How to Set Up Linux to Run Both Natively and Virtually 319
Issues with Running Windows Both Natively and Virtualized 319
Frequently Asked Questions 320
Chapter 13: Protection in Untrusted Environments 321
Introduction 322
Meaningful Uses of Virtualization in Untrusted Environments 322
Levels of Malware Analysis Paranoia 328
Using Virtual Machines to Segregate Data 336
Using Virtual Machines to Run Software You Don’t Trust 338
Using Virtual Machines for Users You Don’t Trust 341
Setting up the Client Machine 342
Installing Only What You Need 342
Restricting Hardware Access 342
Restricting Software Access 342
Scripting the Restore 343
Summary 345
Solutions Fast Track 345
Using Virtual Machines to Segregate Data 345
Using Virtual Machines to Run Software You Don’t Trust 345
Using Virtual Machines for Users You Don’t Trust 346
Frequently Asked Questions 347
Notes 348
Chapter 14: Training 349
Introduction 350
Setting Up Scanning Servers 350
Advantages of Using a Virtual Machine instead of a Live-CD Distribution 351
Persistence 351
Customization 351
Disadvantages of Using a Virtual Machine instead of a Live-CD 352
Default Platforms As Well to Use a Variety of Tools 352
Scanning Servers in a Virtual Environment 353
Setting Up Target Servers 354
Very “Open” Boxes for Demonstrating during Class 355
Suggested Vulnerabilities for Windows 355
Suggested Vulnerabilities for Linux 356
Suggested Vulnerabilities for Application Vulnerability Testing 356
Creating the Capture-the-Flag Scenario 359
Harder Targets 359
Snapshots Saved Us 360
Require Research to Accomplish the Task 361
Introduce Firewalls 361
Multiple Servers Requiring Chained Attacks 361
Adding Some Realism 362
Loose Points for Damaging the Environment 362
Demonstrate What the Attack Looks Like on IDS 363
Out Brief 363
Cleaning up Afterward 363
Saving Your Back 364
Summary 365
Solutions Fast Track 365
Setting Up Scanning Servers 365
Setting Up Target Servers 365
Creating the Capture-the-Flag Scenario 365
Out Brief 366
Cleaning Up Afterward 366
Saving Your Back 366
Frequently Asked Questions 367
Index 369
| Erscheint lt. Verlag | 24.2.2009 |
|---|---|
| Sprache | englisch |
| Themenwelt | Informatik ► Betriebssysteme / Server ► Virtualisierung |
| Informatik ► Netzwerke ► Sicherheit / Firewall | |
| Informatik ► Office Programme ► Outlook | |
| Mathematik / Informatik ► Informatik ► Web / Internet | |
| Mathematik / Informatik ► Mathematik | |
| Wirtschaft ► Betriebswirtschaft / Management ► Wirtschaftsinformatik | |
| ISBN-10 | 0-08-087935-7 / 0080879357 |
| ISBN-13 | 978-0-08-087935-2 / 9780080879352 |
| Haben Sie eine Frage zum Produkt? |
PDF (Adobe DRM)Größe: 13,3 MB
Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: PDF (Portable Document Format)
Mit einem festen Seitenlayout eignet sich die PDF besonders für Fachbücher mit Spalten, Tabellen und Abbildungen. Eine PDF kann auf fast allen Geräten angezeigt werden, ist aber für kleine Displays (Smartphone, eReader) nur eingeschränkt geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
EPUB (Adobe DRM)Größe: 3,3 MB
Kopierschutz: Adobe-DRM
Adobe-DRM ist ein Kopierschutz, der das eBook vor Mißbrauch schützen soll. Dabei wird das eBook bereits beim Download auf Ihre persönliche Adobe-ID autorisiert. Lesen können Sie das eBook dann nur auf den Geräten, welche ebenfalls auf Ihre Adobe-ID registriert sind.
Details zum Adobe-DRM
Dateiformat: EPUB (Electronic Publication)
EPUB ist ein offener Standard für eBooks und eignet sich besonders zur Darstellung von Belletristik und Sachbüchern. Der Fließtext wird dynamisch an die Display- und Schriftgröße angepasst. Auch für mobile Lesegeräte ist EPUB daher gut geeignet.
Systemvoraussetzungen:
PC/Mac: Mit einem PC oder Mac können Sie dieses eBook lesen. Sie benötigen eine
eReader: Dieses eBook kann mit (fast) allen eBook-Readern gelesen werden. Mit dem amazon-Kindle ist es aber nicht kompatibel.
Smartphone/Tablet: Egal ob Apple oder Android, dieses eBook können Sie lesen. Sie benötigen eine
Geräteliste und zusätzliche Hinweise
Zusätzliches Feature: Online Lesen
Dieses eBook können Sie zusätzlich zum Download auch online im Webbrowser lesen.
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
