Improving Virtualization and Cloud Management Security with Symantec CSP

The 3/22 Virtualization Security Podcast brought to light the capabilities of Symantec Critical System Protection (CSP) software. This software successfully implements a manageable version of mandatory access control policies based on role-based and multi-level security functionality within the virtual environment, more specifically on those systems that are critical to the well being and health of your virtual and cloud environments such as all your management and control-plane tools (VMware vCenter, Microsoft SCVVM, XenConsole, etc.). In addition, Symantec CSP will monitor your virtualization hosts for common security issues. This in itself is great news but why are we just hearing about this now? Is this a replacement for other security tools?We were joined by Alan Bolinger CTO of OnSystem Logic who worked with Symantec to develop CSP and to hook it into the virtual environments. As we discussed CSP we determined that is was the following elements all rolled into one:

• Whitelisting on Steriods
• A Manageable form of SELinux for all operating systems (the list is impressive)
• Used to protect those Management tools that directly touch the virtualization host
• Used to protect those Management Clients (ala vSphere Client) that talk to the Virtualization Central Management Servers
• Used by Tenants within a Cloud to add to their OWN security

But how does it work? The key is that the group that developed CSP all come from a Multi-Level Security (MLS) background and are familiar with the now out-dated Orange Book definitions of security and how to apply them. In essence the following happens:

1. Each application, executable, user, and system object is given a Token
2. The Token is then used to inquire of a role based access control (RBAC) repository if it has access to any other application, executable, user or system object
3. If access is granted then that application, executable, user, or system object can proceed within its own sandbox

This is the key, RBAC is used extensively, not just for users, but for all other objects within the system and, in addition, on launch the executable is launched within its very own sandbox environment – one per object.
So how does this work in reality? Let us use an example:

1. User Attempts to Launch vSphere Client
2. The User’s Token is looked up within the RBAC repository for access to the vSphere Client executable
3. Access is granted, so vSphere Client Executable loads within a sandbox which knows what ports, and files the vSphere Client uses
4. If there is a Hack against the vSphere Client to try and access something outside the sandbox (such as writing to a port not allowed, or to a directory not within the sandbox), that access is denied
5. If all goes as expected, the User is granted access to talk to the vCenter Server (but could be denied access to various plugins as they may be outside the scope of the ports and executables allowed within the sandbox).

All in all Symantec CSP offers a great leap forward in protecting your virtual environments as Symantec’s team has already done the heavy lifting to setup the sandboxes to work with normal virtualization management tools. But it does quite a bit more as well. CSP can also inspect various aspects of the vSphere hosts to determine if critical files have changed and if so, warn you about them. Granted, it will only look at files that vSphere itself allows you to access and not ones you would ultimately like to have (that would require modification of an XML file that controls what the vCLI tools are allowed to access). Even with these limitations, the list of files it can inspect for errors, changes, and security issues is pretty impressive: Minimally it will inspect key configuration files for the vSphere host, VM configuration files, as well as all log files (including ones not seen by syslog servers).
This is one more very useful tool within your security toolbox, but it is not a replacement for good architecture, and existing defense in depth measures. While we cannot apply CSP directly to a hypervisor (to protect against ‘escape the VMs’) we can apply it to all the management constructs that directly or indirectly touch those virtualization hosts.
Give the podcast a listen, lots of great details!