IDS/IPS and VM/Cloud Migration
How many of you have ever used Clonezilla to move your servers to a VM setup quickly?
What happened to your IDS/IPS? Have those been repositioned accordingly?
To illustrate, suppose you have a network-based IPS that sees traffic between hosts A, B, and C because it inspects the physical LAN segment they share (inline, or via a SPAN port on the switch). Once those hosts are moved into a VM environment on the same hypervisor, traffic between them is switched by the virtual switch inside the host and never reaches that physical segment, so you lose that visibility.
As a result, an attacker who compromises VM A can move on to VM B and VM C, and your network-based IPS is not going to see anything!
But let's say you also had host-based IPS on VM A, VM B, and VM C. Is this going to be sufficient?
Well, not really, because an attacker can break out of the guest into the host OS using a known VM-escape vulnerability, and whoever controls the host controls every guest's memory and disk, including the host-based IPS agents running inside them.
For instance, CVE-2009-1244 (implemented in Canvas as Cloudburst since 2009) or Core Impact's VMware shared folders module let an attacker make changes on the host OS of your VM environment from inside guest VM A, B, or C.
Is there anything you can do?
The first thing I'd recommend is positioning your IDS/IPS such that traffic between your VMs can be inspected. You can configure several virtual networks in VMware to do so: put a sensor VM on the same vSwitch as the workloads and set the sensor's port group to accept promiscuous mode (or use port mirroring on a distributed switch) so it receives the VM-to-VM frames, or place a virtual IPS appliance inline between the virtual networks the VMs sit on.
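After repositioning the sensor, verify that it really does see traffic between other VMs rather than only its own and the broadcast traffic any port gets. The script below is an added example, not part of the original post or any vendor tool: it parses the Ethernet headers printed by `tcpdump -e -n` and counts unicast frames that neither come from nor go to the sensor's own vNIC. If the port group does not allow promiscuous mode (or is not a mirror destination), that count is zero and the sensor is blind to lateral movement between VMs. The interface name, MAC addresses and the two sample captures are constructed for illustration.

```python
"""Check whether an IDS sensor VM actually sees traffic between *other* VMs.

Added example (not from the original post). Parses `tcpdump -e -n` output and
classifies each frame by its Ethernet addresses. Unicast frames between two
other VMs reach the sensor's vNIC only if the vSwitch port group permits
promiscuous mode or mirrors traffic to it; the guest asking for promiscuous
mode (tcpdump does that by default) is not enough on its own.
Assumptions: interface name, MAC addresses and sample captures are constructed.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# `tcpdump -e -n` prints the link layer as "<timestamp> <src MAC> > <dst MAC>, ethertype ..."
FRAME_RE = re.compile(r"^\S+\s+([0-9a-f:]{17})\s+>\s+([0-9a-f:]{17}),", re.IGNORECASE)

SENSOR_MAC = "00:50:56:aa:00:99"  # assumed MAC of the sensor's monitoring vNIC

# Constructed sample, port group allows promiscuous mode: VMs A (:01), B (:02), C (:03) talk to each other.
SAMPLE_VISIBLE = """\
12:00:01.000001 00:50:56:aa:00:01 > 00:50:56:aa:00:02, ethertype IPv4 (0x0800), length 98: 10.0.0.11 > 10.0.0.12: ICMP echo request, id 1, seq 1, length 64
12:00:01.000412 00:50:56:aa:00:02 > 00:50:56:aa:00:01, ethertype IPv4 (0x0800), length 98: 10.0.0.12 > 10.0.0.11: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000001 00:50:56:aa:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.13 tell 10.0.0.11, length 28
12:00:02.100001 00:50:56:aa:00:01 > 00:50:56:aa:00:99, ethertype IPv4 (0x0800), length 74: 10.0.0.11.51000 > 10.0.0.99.22: Flags [S], seq 1, win 64240, length 0
12:00:02.100200 00:50:56:aa:00:99 > 00:50:56:aa:00:01, ethertype IPv4 (0x0800), length 74: 10.0.0.99.22 > 10.0.0.11.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
12:00:03.000001 00:50:56:aa:00:03 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 120: 10.0.0.13.5353 > 224.0.0.251.5353: UDP, length 78
12:00:03.500001 00:50:56:aa:00:03 > 00:50:56:aa:00:02, ethertype IPv4 (0x0800), length 74: 10.0.0.13.40000 > 10.0.0.12.445: Flags [S], seq 3, win 64240, length 0
"""

# Constructed sample, default port group policy: the sensor only gets its own frames plus broadcast.
SAMPLE_BLIND = """\
12:00:02.000001 00:50:56:aa:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.13 tell 10.0.0.11, length 28
12:00:02.100001 00:50:56:aa:00:01 > 00:50:56:aa:00:99, ethertype IPv4 (0x0800), length 74: 10.0.0.11.51000 > 10.0.0.99.22: Flags [S], seq 1, win 64240, length 0
12:00:02.100200 00:50:56:aa:00:99 > 00:50:56:aa:00:01, ethertype IPv4 (0x0800), length 74: 10.0.0.99.22 > 10.0.0.11.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
"""


def parse_frames(text: str) -> List[Tuple[str, str]]:
    """Return (src_mac, dst_mac) for every line that carries an Ethernet header."""
    pairs = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2).lower()))
    return pairs


def is_multicast(mac: str) -> bool:
    """Group address: the I/G bit (lowest bit of the first octet) is set; broadcast is the all-ones case."""
    return int(mac[:2], 16) & 1 == 1


def visibility_report(pairs: List[Tuple[str, str]], sensor_mac: str) -> Dict[str, object]:
    """Classify frames; only unicast between two other VMs proves the sensor sees inter-VM traffic."""
    sensor_mac = sensor_mac.lower()
    own = group = third_party = 0
    conversations = set()
    for src, dst in pairs:
        if is_multicast(dst):
            group += 1            # broadcast/multicast is flooded to every port; proves nothing
        elif sensor_mac in (src, dst):
            own += 1              # to/from the sensor itself; delivered on any port
        else:
            third_party += 1      # unicast between two other VMs; needs promiscuous/mirrored port
            conversations.add(frozenset((src, dst)))
    return {
        "total": len(pairs),
        "own": own,
        "group": group,
        "third_party_unicast": third_party,
        "conversations": len(conversations),
        "sees_inter_vm_traffic": third_party > 0,
    }


def capture(iface: str, count: int = 200) -> str:
    """Live capture on the sensor vNIC (needs root). Do not add -p: that would disable promiscuous mode."""
    out = subprocess.run(["tcpdump", "-e", "-n", "-i", iface, "-c", str(count)],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    for name, sample in (("promiscuous port group", SAMPLE_VISIBLE), ("default port group", SAMPLE_BLIND)):
        print(name, visibility_report(parse_frames(sample), SENSOR_MAC))
    # On the sensor itself: print(visibility_report(parse_frames(capture("eth1")), SENSOR_MAC))
```

Run it on the sensor VM against the monitoring interface; a report with `third_party_unicast` at zero while the other VMs are busy means the vSwitch policy, not the sensor, is the problem. Note that a sensor on a promiscuous port group sees only its own vSwitch and VLAN, so VMs on a different vSwitch or host still need their own sensor or a mirror.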
As for protecting the host-based IDS/IPS itself, there is an insightful paper by Garfinkel and Rosenblum (NDSS 2003) on virtual machine introspection: moving the IDS out of the guest and into the virtual machine monitor, where a compromised guest cannot tamper with it, while still retaining visibility into the guest's state:
http://suif.stanford.edu/papers/vmi-ndss03.pdf
It's been a while, but I still have not seen a commercial version of this. If you know of one, let me know.