I would disagree with the premise that virtual servers conflict with the
single function requirement because the function of a virtual server is
to provide virtualized servers and as such is a logical equivalent of
mainframe logical partitions (a less mature equivalent, but similar model).

Yes i will agree that current virtualization is nowhere as mature as
mainframe logical partitions. However giving the need and path the
technology is going those controls will advance to such a point that
virtualization will have similar acceptance as logical partitions
currently do.

I would also point out that you can get mainframe based virtualization
from IBM and that shared hosting and mainframe systems are able to be
meet the intent of PCI and other compliant requirements.

So i basically see the host virtualization server as having one primary
service which is to run controlled virtualized servers, each of those
virtual servers would then have its own host requirements.

For it to meet the various compliance requirements the host server will
need to have extensive controls to mitigate the risks inherent to
virtualization, but i believe that the intent of the control
requirements can be met with existing tools and technologies.

As for the exploits out there...there will always be exploits and the
cat-n-mouse game between hackers and IT personnel but there is also the
balance between security and cost. I know many readers of this list
subscribe to a zero tollerance policy, but not every ecommerce site is
going to spend 2000+ per month plus 50k in hardware to sell online.

In fact if we follow the model of single use and prior exploits people
would have to use dedicated equipment for: Firewalls, Load Balancers,
Switches, Routers, Web Servers, Database Servers, DNS servers, etc...
Just about everything in the past has had exploits, but does that mean
we can't use them in a compliant environment? Or does it mean that we
are unable to use them in a hosted environment? Does that mean that we
have to get rid of all mainframes if they are providing virtual
configurations or not the same function on all logical partitions? How
about databases? With the use of stored procedures databases are more
than storage repositories, they are actually part of the applications
that use them. If we have multiple applications, all doing extensive
stored procedures and application hooks, does that mean we can't use
them in a compliant environment because it is not single function or
that an exploit in one application could effect the others?

So what is the solution? Totally secure the environment to a point where
operations and security cost more than the environment brings in, or
find a combination of best practices that allows a business to hopefully
make more than it costs to operate.

From an assessors viewpoint, i do not think that anyone can say
virtualization is plug-n-play accepted it will come down to
configuration standards, expertise of the team, tools and techniques in
use and how the assessment of these controls goes (the same controls
could be in use in multiple companies, but the level of expertise of the
staff and the deployment and use of tools can vary widely).

Like it was said before, it will come to a judges ruling if there was
negligence or incompetence involved in a compromise. Just saying broadly
that there are risks and possible exploits for a system do not make
someone negligent in their duties by deploying such a system.

So how about instead of just dissing the idea and looking for why it
can't be done, we instead have a discussion on how did these other
technologies become accepted for hosting use and what will it take to
meet the intent of the compliance requirements.

Regards
David M. Zendzian

PS And yes I have a vested interest in this as I am a Managing Partner
with ZZ Servers, a Business Hosting provider that provides not only
virtual firewalls but also virtual servers that are commonly used in
combination with collocated and leased services. I also am QSA
certified and would rather spend my time working with partners on how to
best secure and understand their environment than tell them that they
"can't do that" and to just close up shop or go out & spend 100K for a
"Real" solution :-D

Craig Wright wrote:
> From a compliance perspective, separate devices is just that. It does not matter if virtual hosts do or do not work, the are the same device and thus are a single device with multiple purposes.
>
> Whether you can or if it will work is irrelevant. This is something where a breach is decided in court. As usch all that matters is how a judge will read this.
>
> Craig
>
>
> Craig Wright
> Manager, Risk Advisory Services
>
> Direct : +61 2 9286 5497
> Craig.Wright (at) bdo.com (dot) au [email concealed]
> +61 417 683 914
>
> BDO Kendalls (NSW-VIC) Pty. Ltd.
> Level 19, 2 Market Street Sydney NSW 2000
> GPO BOX 2551 Sydney NSW 2001
> Fax +61 2 9993 9497
> http://www.bdo.com.au/
>
> The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system.
>
> Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au/ or by emailing mailto:administrator (at) bdo.com (dot) au. [email concealed]
>
> BDO Kendalls is a national association of separate partnerships and entities. Liability limited by a scheme approved under Professional Standards Legislation.
> -----Original Message-----
>
> From: Dan Lynch [mailto:DLynch (at) placer.ca (dot) gov [email concealed]]
> Sent: Tuesday, 13 May 2008 2:53 AM
> To: Craig Wright; Terry; firewalls (at) securityfocus (dot) com [email concealed]
> Subject: RE: virtual firewalls -- compliance
>
> I find this discussion interesting from a slightly different angle than
> the perspective of PCI or other standards compliance.
>
> I tend to agree with Craig's view that there is inadequate segregation
> between guests running on different VMs of the same host, whether they
> be application servers or virtualized security appliances. There are
> multiple demonstrated guest breakout techniques for nearly all
> virtualization technologies.
>
> Still, let me directly quote the supervisor of our Windows admin team:
>
>
>> "Department of Homeland Security and NSA have
>> certified the VMware virtual switch and OS as being
>> equivalent to physical separation."
>>
>
> He's referring to ESX3 -- the platform on which his group hopes to run
> multiple virtualized DMZ-based public Windows Server 2003 web servers,
> with the host OS directly connected to a private internal network. This
> is a strategy on which I requested comments from the list only a few
> weeks ago.
>
> Thoughts?
>
>
> Dan Lynch, CISSP
> Information Technology Analyst
> County of Placer
> Auburn, CA
>
>
>
>> -----Original Message-----
>> From: listbounce (at) securityfocus (dot) com [email concealed]
>> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Craig Wright
>> Sent: Friday, May 09, 2008 4:51 PM
>> To: Terry; firewalls (at) securityfocus (dot) com [email concealed]
>> Subject: RE: virtual firewalls -- compliance
>>
>>
>> PCI-DSS v1.1 states at 1.4
>> "Prohibit direct public access between external networks and
>> any system component that stores cardholder data"
>>
>> A virtual system is a direct access. You have trusted and
>> untrusted on the same component. HIPAA is worse. You have a
>> number of hosts at different levels shared. This is a law
>> suit waiting to occur.
>>
>> Other standards are the same. All I have to say is this is a
>> BAD idea. BAD!
>>
>> Regards,
>> Craig Wright (GSE-Compliance)
>>
>>
>> Craig Wright
>> Manager, Risk Advisory Services
>>
>> Direct : +61 2 9286 5497
>> Craig.Wright (at) bdo.com (dot) au [email concealed]
>> +61 417 683 914
>>
>> BDO Kendalls (NSW-VIC) Pty. Ltd.
>> Level 19, 2 Market Street Sydney NSW 2000 GPO BOX 2551 Sydney
>> NSW 2001 Fax +61 2 9993 9497 http://www.bdo.com.au/
>>
>> The information in this email and any attachments is
>> confidential. If you are not the named addressee you must not
>> read, print, copy, distribute, or use in any way this
>> transmission or any information it contains. If you have
>> received this message in error, please notify the sender by
>> return email, destroy all copies and delete it from your system.
>>
>> Any views expressed in this message are those of the
>> individual sender and not necessarily endorsed by BDO
>> Kendalls. You may not rely on this message as advice unless
>> subsequently confirmed by fax or letter signed by a Partner
>> or Director of BDO Kendalls. It is your responsibility to
>> scan this communication and any files attached for computer
>> viruses and other defects. BDO Kendalls does not accept
>> liability for any loss or damage however caused which may
>> result from this communication or any files attached. A full
>> version of the BDO Kendalls disclaimer, and our Privacy
>> statement, can be found on the BDO Kendalls website at
>> http://www.bdo.com.au/ or by emailing mailto:administrator (at) bdo.com (dot) au. [email concealed]
>>
>> BDO Kendalls is a national association of separate
>> partnerships and entities. Liability limited by a scheme
>> approved under Professional Standards Legislation.
>> -----Original Message-----
>>
>> From: listbounce (at) securityfocus (dot) com [email concealed]
>> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Terry
>> Sent: Friday, 9 May 2008 5:37 AM
>> To: firewalls (at) securityfocus (dot) com [email concealed]
>> Subject: virtual firewalls -- compliance
>>
>> Hello all,
>>
>> I am throwing around the idea of using linux firewalls in
>> vmware for customer environments. The customers may or may
>> not have HIPAA/PCI/sOX/etc requirements. This is in the
>> planning stages. Any of you have experience heading down
>> this route? PCIDSS doesn't explicitly state problems with
>> virtual firewalls, it seems to focus on the logic of the rules.
>>
>> Thanks!
>>
>>
>>
>
>
>

[ reply ]