Virtualization and Cloud Advisor

Expert analysis and advice on server virtualization technologies, deployments and management.

RSS
All Posts | RSS

Our blogger: Bernard Golden is CEO of consulting firm HyperStratus, which specializes in virtualization, cloud computing and related issues. He is also the author of "Virtualization for Dummies," the best-selling book on virtualization to date.

Mon, August 04, 2008

VMware webAccess Man-in-the-Middle Vulnerability and How to Dodge It

By Edward L. Haletky

Keywords: VMware, man in the middle, virtualization security

I have written in previous blogs that VMware webAccess suffers from a SSL MiTM [Man in the Middle] vulnerability. Actually more to the point the client side of the webAccess suffers from this and it has nothing really to do with VMware however they could alleviate the issue.

The vulnerability is best known and most obvious when certificates are used over the web.

These certificates are displayed to the user to allow for authentication. Unfortunately, and hopefully you are not one of them, most people will just click the Ignore, OK, or "Hey, I Checked This and it's Good" buttons. Then the Web application will hum merrily on it way whether it's safe to do so or not.

The user doesn't know whether the certificate is incorrect or, worse, a fraud supplied by a malicious party.

So it behooves the user to be savvy about known certificates, or for the software to be smarter about how this is handled. In effect the malicious party can see all the data transferred in clear text. This includes passwords, account numbers and other credentials.

As I said this is not a new vulnerability and protecting from it is very important but at the same time very difficult.

And that's without virtulization to complicate things. Add in the VMware VI SDK and the proliferation of user-designed and third-party code and you do have a problem. These users depend on the VI SDK to properly handle the connection to the webAccess in order to control various features of the VMware Virtual Infrastructure.

The solution? Use client code that authenticates the server certificate. Don't leave this up to a user who may not know any better.

The SDKs need to be updated to do this as they do not currently authenticate the server. webAccess should contain some client side code that does this as well.

But for now the best you can do is be vigilant about the certificates you see within the VMware Virtual Infrastructure and pretty much any web application.

Look at them, inspect them, and verify them. Do not just press ignore in the VIC or your web browser and hope for the best. Also limit which machines can access webAccess using standard Linux TCP Wrappers functionality.

Virtualization expert Edward L. Haletky is the author of "VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers," Pearson Education (2008.) He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.
Loading...
Virtualization Vendor Matrix

Find out what vendors offer the products you need.

View the Vendor Matrix »
Virtualization ABCs

Get up to speed on virtualization.

Learn More »
Virtualization MarketSpace
White Papers
Learn how to address key cloud computing challenges
Learn how your organization can face the challenges of: lack of interoperability, security, compliance and application compatibility. Learn more »
VMware: Clearing the fog, a look into the Clouds
Read about VMware's compelling vision & set of products that can help clarify all of the confusion surrounding Cloud Computing. Learn more »
Cloud Computing: A fundamentally new way to deploy IT services
Learn how the VMware vCloud initiative enables you to move to the cloud how you want, when you want, and as much as you want. Learn more »
Calculate Your Specific Potential Virtualization Savings
Discover how organizations are reducing operational costs, and improving efficiency and availability. Learn more »
Forecast: Cloud Computing Looms Big on the Horizon
Read this Executive Guide to learn more about what IT leaders are saying about "Cloud Computing". This is one time when it makes good, practical business sense to have your head in the clouds. Learn more »
 
SPONSORED LINKS
 

Developing A Dynamic, Real-Time IT Infrastructure

Mid-Sized Company CIO Community: infoBOOM!

Read about virtualization and consolidation effort best practices

Building the Virtualized Enterprise with VMware Infrastructure

8 Key Ingredients to Building an Internal Cloud

White Paper: The Building Blocks for Cloud Computing

Taking the Service Desk to the Next Level

Why Data Loss is Increasing--and What You Can Do About It

Data Loss Prevention: A Better Way to Approach Security

Learn how to managing client systems in the enterprise.

Enterprise PBX Buyer's Guide

Secondary Market Primer: Your Network at Half Price

Losing Ground: 2009 TMT Global Security Survey

Accenture IT Consulting: Logical meets technological. More . . .

Stop Application Fraud at the Source with Device Reputation

Top 10 Business and IT Drivers for the Wealth Management Sector

Oracle's Application Grid Technical Demo

Next-Generation Application Servers and Infrastructure

Application Infrastructure at Enterprise Organizations

Achieving Business Agility with Application Grid

Learn about The Information Technology Infrastructure Library.

Achieving Pervasive Performance Management

Automating the Generation and Secure Distribution of Excel Reports

Introducing the new HP ProLiant G6 server family

Accenture: Outsourcing for Competitive Advantage. More...

Cloud Computing: Read about VMware's compelling vision & set of products

White Paper: 8 Key Ingredients to Building an Internal Cloud

Learn how a virtualized enterprise can help your company reduce costs

Why Isn't Server Virtualization Saving Us More?

Bottom-Line Benefits of Virtualization

A CIO Executive Guide: Cloud Computing Looms Big on the Horizon

Seven Ways ITIL Can Help You in an Economic Downturn

Maximizing the Business Value of the PC Infrastructure

Communications and Collaboration Needs at Business Organizations

Using Open Source to Deploy Web Applications

Enterprise PBX Comparison Guide

Getting Value from Outdated Networking Equipment

Top-line Performance that's Bottom-line Efficient

Accenture: Outsourcing for uncertain times. Click to learn more.

Learn about the VMware vSphere (TM) & Intel (R) Xeon (R) Processor 5500 Series

Data Center Optimization: Three Key Strategies

Oracle WebLogic Server Technical Demo

Data Grids and Service-Oriented Architecture

Achieving the Impossible: Unlimited Application Scalability

A Middleware Foundation for Application Grid

Tips for successful virtualization management.

Smart Decisions: The Role of Key Performance Indicators

Gartner Shares Predictions for 2009

Accenture IT Consulting: Enabling high performance. More...

Top Five CIO Challenges

 
 
RESOURCE CENTER
 
buy a link »
Ads by TechWords