Black Hat Day 1: Kaminsky, Hoff, NetSecPodcast, and Broken Elevators



I’m sitting in Hoff’s Virtualization Security presentation, and he’s running at 200 MPH, so this will be a short one. A few bits for the day:

  1. Yes, I was stuck in an elevator for 45 minutes at Caesar’s last night. I really should have gone to the bathroom before getting on that elevator. No fun at all.
  2. Martin and I are microcasting live from the event. We have an overview post we recorded over the weekend, and a short one from this morning. We hope to get 1-2 short podcasts up a day, usually interviews. Keep an eye on netsecpodcast.com for the updates.
  3. Kaminsky delivered the goods. Most of the information on the vulnerability was public, but there were still some interesting twists. He detailed the client attack and, while it’s not nearly as bad as the server attack, it gets the job done if you’re the target. On the server side, updating seems to be going well. On the attack side, it turns out that internal-only DNS may be vulnerable under the right conditions. A big chunk of the talk focused on implications if you don’t patch: everything from rerouting internal traffic, to messing with BGP, to… well, there are so many ways to do so many bad things with this attack that you absolutely don’t want to be the last one to patch. More later when I have time and Dan releases his slides.
  4. Virtualization isn’t all evil, but many of the vendors are moving in the wrong direction and mis-marketing their products. It’s an incredibly complex issue that people (other than Hoff) aren’t thinking about. This is more than just pushing our physical security infrastructure into a virtualized infrastructure; we need to change our architectural approaches and stop pretending there isn’t anything “new” about virtualized network infrastructures. For example, want a high availability virtual appliance? Did you happen to know many of the HA kernel tweaks won’t work in a virtual machine? No? Bummer for you. How about chaining virtual appliances a la different physical boxes in a row? Umm… not so good for performance. This is a clincher: there aren’t any virtual security appliances that support HA/LB today. None Chris could find. Damn. Damn. FAIL!
  5. Hoff makes very pretty slides.

Time to listen again… then get to work on my hangover for tomorrow…

UPDATE: More from Hoff- virtualizing security will cost more; you have to buy a lot of new stuff, can’t drop the old stuff, and it doesn’t all even work.

UPDATE 2: If you test this stuff it will not meet your performance requirements.

UPDATE 3: How about Vmotion? Will your virtsec policies move with the virtual machine?

Okay, I’m done. You really need to see his presentation.


3 comments

  1. Rodney Aug 6

    I am most interested in any client side exploits against the stub resolver. In particular, what are the consequences of such exploits? Can they be performed remotely, or only on the local network?

    Apple has patched the OS X server to a version of BIND that has port randomization, but the client requests are still sequential….

  2. John Peterson Aug 8

    In response to point #4 about no vendor doing high availability for a security appliance.

    This isn’t true. Montego Networks has high availability in their virtual security switch. See:

    http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/high-availabili.html

    Also as it relates to stacking virtual machines and it being bad for performance. You’re absolutely right. Another approach is through policy based switching. See:

    http://vmwaresecurity.typepad.com/security_in_the_virtual_w/2008/03/high-availabili.html

    /Peterson

  3. Christofer Hoff Aug 11

    @John (Peterson)

    Mogull left out a bit of context as my discussion of VA’s is framed within active/active, or active-passive state-synched replacement for existing physical appliances we have today.

    Given the fact that you were one of the folks I queried and I made it clear what I was asking when I did, it’s important to note the difference.

    Also, I did say that vendors are working on this issue but that implementing VA’s with today’s products (without things like VMsafe) aren’t slam-dunks if you have existing topologies or addressing that require replication in the virtual world.

    The so-called simplicity of operationalizing security VA’s can be really quite complex.

    /Hoff
