FreeBSD network monitor with VMware Workstation

Richard Bejtlich, a well-known security expert, has published an article on how to set up a FreeBSD network sensor for traffic sniffing inside VMware Workstation:

Several of you have asked about my experiences using FreeBSD sensors inside VMware Workstation. I use VMs in my Network Security Operations class. I especially use VMs on the final day of training, when each team in the class gets access to a VM attack host, a VM target, a VM sensor, and a VM to be monitored defensively. As currently configured, each host has at least one NIC bridged to the network. The sensor VMs have a second interface with no IP also bridged to the network. When any VM takes action against another, the sensors see it. This scenario does not describe how a VM sensor might watch traffic from a tap, however.

I decided to document how to use VMware to create a sensor that sniffs traffic from a tap. I outline two scenarios. The first uses a port aggregator tap with a single interface out to a sensor. The second uses a traditional tap with two interfaces out to a sensor.

Read more at source.

Notice that performance could be slightly worse than on a physical box, so you should test the solution before adopting it in production.
I would also perform a packet count on both the physical and the virtual machine during the wiretap.
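One way to carry out that packet-count comparison, as an added example that is not part of the original post or of Bejtlich's article: run tcpdump with the same filter on the physical reference sensor and on the VM sensor for the same interval, then feed the three summary lines tcpdump prints on exit ("N packets captured", "N packets received by filter", "N packets dropped by kernel") to the script below. The point it demonstrates is that a packet lost in the host bridge or virtual switch before it reaches the guest's virtual NIC never appears in the guest's "dropped by kernel" figure; it only shows up as a lower "received by filter" count than the physical sensor reported, so both numbers have to be compared against the physical reference. The sample statistics and the 1% loss threshold are constructed for illustration.

```python
"""Compare tcpdump capture statistics from a physical sensor and a VM sensor.

Added example (not from the original post). The summary lines below are the
three lines tcpdump writes to stderr on exit; the figures are constructed.
"""
import re

# tcpdump prints "1 packet captured" or "N packets captured", so allow both.
STATS_RE = re.compile(
    r"^\s*(\d+) packets? (captured|received by filter|dropped by kernel)\s*$"
)
KEYS = {"captured": "captured", "received by filter": "received",
        "dropped by kernel": "dropped"}

# Constructed sample output: same filter, same interval, on both sensors.
PHYSICAL_STATS = """\
1000000 packets captured
1000000 packets received by filter
0 packets dropped by kernel
"""
VIRTUAL_STATS = """\
962500 packets captured
980000 packets received by filter
17500 packets dropped by kernel
"""


def parse_tcpdump_stats(text: str) -> dict:
    """Parse tcpdump's exit summary into {'captured', 'received', 'dropped'}."""
    out = {}
    for line in text.splitlines():
        m = STATS_RE.match(line)
        if m:
            out[KEYS[m.group(2)]] = int(m.group(1))
    missing = {"captured", "received", "dropped"} - out.keys()
    if missing:
        raise ValueError(f"tcpdump summary incomplete, missing {sorted(missing)}")
    return out


def compare_sensors(physical: dict, virtual: dict, max_loss_pct: float = 1.0) -> dict:
    """Return VM-sensor loss figures relative to the physical reference sensor.

    pre_kernel_loss: packets the physical BPF saw but the guest BPF never did
                     (lost in the host bridge / virtual switch / vNIC).
    kernel_drop:     packets the guest BPF saw but could not hand to tcpdump.
    """
    ref = physical["received"]
    if ref == 0:
        raise ValueError("reference sensor received no packets; run the test longer")
    pre_kernel_loss = max(ref - virtual["received"], 0)
    kernel_drop = virtual["dropped"]
    total_loss_pct = 100.0 * (pre_kernel_loss + kernel_drop) / ref
    return {
        "reference_packets": ref,
        "pre_kernel_loss": pre_kernel_loss,
        "kernel_drop": kernel_drop,
        "total_loss_pct": round(total_loss_pct, 2),
        "acceptable": total_loss_pct <= max_loss_pct,
    }


def run_sample() -> dict:
    """Evaluate the constructed sample pair; used by the demo below."""
    return compare_sensors(parse_tcpdump_stats(PHYSICAL_STATS),
                           parse_tcpdump_stats(VIRTUAL_STATS))


if __name__ == "__main__":
    result = run_sample()
    for key, value in result.items():
        print(f"{key:>18}: {value}")
    if not result["acceptable"]:
        print("VM sensor loses too much traffic; do not deploy it as the only sensor")
```

Run tcpdump with `-w` to a file and without `-n`-independent DNS lookups on both sensors so the capture path, not name resolution, is what you measure; the kernel-drop figure on FreeBSD comes from the BPF device's own counters, so raising the BPF buffer size in the VM is the first knob to try if `kernel_drop` dominates, while a large `pre_kernel_loss` points at the host's bridge or virtual switch rather than at anything inside the guest.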

Release: QEMU 0.8.0 released!

Another important release today: QEMU 0.8.0.
This new version brings many long-awaited features:

  • Support for ARM Integrator/CP board system emulation
  • Support for MIPS R4K system emulation
  • Initial SMP support on x86 (up to 255 CPUs !)
  • Many new audio emulation features
  • Initial USB support
  • New networking options for VLAN support between several QEMU instances

The full changelog is here. The bits are here.

Major security vulnerability found in VMware products

A new major security issue was found and reported to VMware before being posted on SecurityFocus (as responsible bug hunting should always be done).

The flaw permits a malicious guest OS configured to use VMware NAT networking (VMnet8) to execute arbitrary code on the host OS.
The affected VMware products are Workstation 5.5, GSX Server 3.2, ACE 1.0.1 and Player 1.0.0.

To track the issue monitor the related VMware Knowledge Base article.

While VMware Player 1.0.1 has just been released to fix the vulnerability, VMware is still expected to release updated bits for Workstation, GSX and ACE.

Meanwhile, you should disable the VMware NAT networking device as explained in this VMware Knowledge Base article.

Update: All affected products are now updated:

  • Workstation 5.5.1 (b19175)
  • GSX Server 3.2.1 (b19281)
  • ACE 1.0.2 (b19206)

All of them are available for downloading here.

Release: VMware Player 1.0.1 released!

Just 9 days after the 1.0 release, VMware has already updated its Player product.

The new build (19317) addresses a major security issue that was discovered and reported to VMware before being posted on SecurityFocus (as responsible bug hunting should always be done).
The flaw permits a malicious guest OS configured to use VMware NAT networking (VMnet8) to execute arbitrary code on the host OS.
To track the issue monitor the related VMware Knowledge Base article.

Download Player 1.0.1 here as usual.

Thanks to Rich for the important news!

Release: PearPC 0.4 released!

PearPC is an emulator that runs Apple Mac OS for PowerPC on x86 architectures. After more than a year of silent development, the PearPC project has reached version 0.4:

It took a while but here is finally the long awaited 0.4.0 release. This is the first release with G4 support by Daniel Foesch (you have to enable it in your config). Other features include support for native CD-ROMs (no need for images) and endianness safety (i.e. you can run PearPC on big-endian systems).

Changelog is here. The bits are here.

Leveraging virtual machines for Business Continuity

Quoting from Continuity Central:

Typically, discussions around server virtualization seem to focus on consolidation, easier management, and facilitation of older applications/operating systems on newer platforms. However, there are some interesting and, in fact, exciting business continuity solutions that are empowered through server virtualization.

Specifically, by combining virtual machines with a data protection/replication technology (which is the heart of most business continuity approaches), one can…

Read the whole article at source.

Thanks to VMTN Blog for the news.

High demand for virtualization competencies on IT jobs

VMTN Blog reports that the IT industry has started asking for more virtualization competencies in job recruitment.
Earning a VMware Certified Professional credential can help you get hired, at least until virtualization specialists become more widely available.

I personally have two thoughts about this:

  • Almost every person in the IT world has tried VMware Workstation, Microsoft Virtual PC or QEMU at least once, and a lot of them work with these products often. This kind of virtualization experience is considered enough to claim to be a virtualization specialist.
    But the large majority of these self-proclaimed specialists have never worked with or even seen things like ESX, GSX, VirtualCenter, blades, Fibre Channel SANs, etc., and have never done things like capacity planning, P2V, virtual network design, etc.
    Modern virtualization is in its infancy and, as usually happens in these cases, companies must be really aware of who is an expert and who pretends to be one. Otherwise virtualization performance will be poor or unacceptable, and virtualization projects will eventually fail, slowing down progress.
  • In my country, Italy, the demand for virtualization competencies is still near zero. I suspect that apart from the U.S., few other countries have already started to feel the need for virtualization knowledge. In every other nation the larger part of company requests can still be handled by a small bunch (10-20) of consulting companies.
    Things are going to change, but not for another couple of years.

Whitepaper: Intel Virtualization Technology Specification for the IA-32 Intel Architecture

This whitepaper is quoted in the new Intel DevX article posted here, which describes how Intel Virtualization Technology solves the privilege conflict between a virtual machine monitor and its guest operating systems.

It's highly technical and may be of little use to many, but it gives great insight into how Intel VT really works:

This document describes Intel Virtualization Technology for IA-32 processors, referred to as VT-x. VT-x constitutes a set of virtual-machine extensions (VMX) that support virtualization of processor hardware for multiple software environments by using virtual machines.

This document is organized as follows:

  • Chapter 1 gives an overview of the virtual-machine extensions.
  • Chapter 2 details the virtual-machine control structure (VMCS) and its usage.
  • Chapter 3 details processor behavior in VMX non-root operation.
  • Chapter 4 details the operation of VM entries.
  • Chapter 5 details the operation of VM exits.
  • Chapter 6 details VMX capability reporting.
  • Chapter 7 provides a reference for the new VMX instructions.
  • Chapter 8 details interactions between VMX operation and system-management mode (SMM).

Download it here.
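A worked example of the VMX capability reporting covered in Chapter 6 and of why it matters for the VM entries of Chapter 4, added here and not taken from the Intel specification or from any VMM's code: each VMX control field (pin-based, primary processor-based, VM-exit and VM-entry controls) comes with a capability MSR whose low 32 bits are the allowed 0-settings (bits that must be 1) and whose high 32 bits are the allowed 1-settings (bits that may be 1). A VMM must fold its desired control word through both halves before writing the VMCS, otherwise VMLAUNCH fails with "VM entry with invalid control field(s)". The IA32_VMX_BASIC decoding (VMCS revision identifier in bits 30:0, VMCS region size in bits 44:32, "TRUE" capability MSRs present when bit 55 is set) is likewise taken from the published VT-x layout; the MSR values and the pin-based control bit names below are the real layout, but the particular MSR contents and the desired control word are constructed for illustration, not read from any processor.

```python
"""Adjust VMX controls against their capability MSRs (added example, not Intel's code).

Capability MSR layout (IA32_VMX_PINBASED_CTLS, IA32_VMX_PROCBASED_CTLS,
IA32_VMX_EXIT_CTLS, IA32_VMX_ENTRY_CTLS and their TRUE_ variants):
    bits 31:0  allowed 0-settings: a 1 here means the control MUST be 1
    bits 63:32 allowed 1-settings: a 0 here means the control MUST be 0
"""

MASK32 = 0xFFFFFFFF

# Pin-based VM-execution control bits (real layout from the VT-x specification).
PIN_EXT_INTR_EXITING = 1 << 0
PIN_NMI_EXITING = 1 << 3
PIN_VIRTUAL_NMIS = 1 << 5
PIN_VMX_PREEMPTION_TIMER = 1 << 6
PIN_POSTED_INTERRUPTS = 1 << 7

# Constructed capability MSR content: bits 1, 2, 4 forced on (allowed-0 half),
# only bits 0..6 may be set at all (allowed-1 half). Not read from hardware.
SAMPLE_PINBASED_MSR = (0x0000007F << 32) | 0x00000016

# Constructed IA32_VMX_BASIC value: revision 0xD, 4 KiB VMCS, TRUE MSRs present.
SAMPLE_VMX_BASIC = (1 << 55) | (0x1000 << 32) | 0xD


def decode_vmx_basic(msr: int) -> dict:
    """Pull out the IA32_VMX_BASIC fields a VMM needs before touching a VMCS."""
    return {
        "vmcs_revision_id": msr & 0x7FFFFFFF,          # bits 30:0
        "vmcs_region_bytes": (msr >> 32) & 0x1FFF,     # bits 44:32
        "phys_addr_32bit_only": bool((msr >> 48) & 1),  # bit 48
        "memory_type": (msr >> 50) & 0xF,              # bits 53:50 (6 = WB)
        "true_controls_available": bool((msr >> 55) & 1),  # bit 55
    }


def adjust_vmx_controls(desired: int, capability_msr: int) -> tuple[int, int, int]:
    """Return (adjusted, forced_on, refused).

    adjusted:  the only value of `desired` that will pass VM-entry checks
    forced_on: bits the hardware requires that the caller did not ask for
    refused:   bits the caller asked for that this processor cannot support
    """
    allowed0 = capability_msr & MASK32
    allowed1 = (capability_msr >> 32) & MASK32
    adjusted = (desired | allowed0) & allowed1
    forced_on = adjusted & ~desired & MASK32
    refused = desired & ~allowed1 & MASK32
    return adjusted, forced_on, refused


def vmcs_controls_valid(control: int, capability_msr: int) -> bool:
    """The check VM entry performs: every must-be-1 bit set, no must-be-0 bit set."""
    allowed0 = capability_msr & MASK32
    allowed1 = (capability_msr >> 32) & MASK32
    return (control & allowed0) == allowed0 and (control & ~allowed1 & MASK32) == 0


def build_pinbased_controls(capability_msr: int = SAMPLE_PINBASED_MSR) -> dict:
    """Request a typical set of pin-based controls and see what the CPU allows."""
    desired = (PIN_EXT_INTR_EXITING | PIN_NMI_EXITING
               | PIN_VIRTUAL_NMIS | PIN_POSTED_INTERRUPTS)
    adjusted, forced_on, refused = adjust_vmx_controls(desired, capability_msr)
    return {
        "desired": desired,
        "adjusted": adjusted,
        "forced_on": forced_on,
        "refused": refused,
        "desired_would_pass_entry": vmcs_controls_valid(desired, capability_msr),
        "adjusted_passes_entry": vmcs_controls_valid(adjusted, capability_msr),
    }


if __name__ == "__main__":
    print("IA32_VMX_BASIC:", decode_vmx_basic(SAMPLE_VMX_BASIC))
    for k, v in build_pinbased_controls().items():
        print(f"{k:>26}: {v:#010x}" if isinstance(v, int) else f"{k:>26}: {v}")
```

The refused bit in the sample (posted-interrupt processing) is exactly the kind of control a VMM must silently drop or treat as a missing feature: writing the raw desired word would make every VM entry fail, while the adjusted word passes the same check the processor applies. A real VMM reads these MSRs with RDMSR in ring 0 and, when `true_controls_available` is set, uses the IA32_VMX_TRUE_* MSRs instead, which relax some of the must-be-1 defaults.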