
Catbird Says It Has a Better Virtualization Security Mousetrap – “Dedicated Hypervisor Security Solution”

February 13th, 2008
I spent quite a bit of time in the Catbird booth at VMworld, initially lured by their rather daring advertising campaign of "running naked."  I came away intrigued by the Security SaaS-like business model provided by their V-Agent offering and saw that as the primary differentiator.

I was particularly interested today when I read the latest press release from Catbird that suggests that their new "HypervisorShield" is specifically designed to secure the hypervisor from network access and attack:


Catbird, provider of the only comprehensive security solution for virtual and physical networks, and developer of the V-Agent virtual appliance, today announced the launch of HypervisorShield, the industry's first dedicated comprehensive security solution specifically designed to guard against unauthorized hypervisor network access and attack.

The paragraph above seems to be talking about protecting the "hypervisor" itself from network-borne compromise which is very interesting to me for reasons that should be obvious at this point. 

However, the following paragraph seems to refer to the "hypervisor management network" which I assume is actually referring to the virtual interface of the management functions like VMware’s service console? Are we talking about protecting the service console or the network functions provided by the vKernel?

HypervisorShield, the latest service in Catbird's V-Security product, extends best practice security protection to virtualization's critical hypervisor layer, thwarting both inadvertent management error and malicious threats. Delivering continuous, automated 24×7 monitoring focused on the precise vulnerabilities, known attack signatures and guest machine access of the hypervisor management network, HypervisorShield is the only service to proactively secure this essential component of a virtualization deployment.

Here’s where it gets a little more confusing because the wording seems again to suggest they are protecting the hypervisor itself — or do they mean the virtual switch as a component of the Hypervisor?:

HypervisorShield is the first virtualized security technology which
can monitor and control access to the hypervisor network, detect
malicious network activity directed at the hypervisor from virtual
machines and validate that the hypervisor network is configured
according to best practices and site security policy.

…sounds like an IPS function that isolates VMs from one another like Reflex and Blue Lane?

OK, but here’s where it gets really interesting.  Catbird is suggesting that they are able to "…see inside the hypervisor" which implies they have hooks and exposure to elements within the hypervisor itself versus the vSwitch plumbing that everyone has access to.

Via the groundbreaking Catbird V-Agent virtual appliance, protection is delivered within the virtual network itself. By contrast, traditional security solutions retrofitted for virtual deployments cannot see inside the hypervisor. Monitoring from the inside yields significantly more effective coverage and eliminates the need to reroute traffic onto the physical network for validation. As an example of the benefits of running right on the virtual subnet, HypervisorShield's exclusive network access control (NAC) will instantly quarantine unauthorized devices on the management network.

They do talk about NAC from the VM perspective, which is something I’ve been advocating.

From Catbird’s website we see some more detail regarding HypervisorShield which again introduces an interesting assertion:

How do you monitor the Hypervisor?

Securing a virtual host does not only involve applying the same security controls to virtual networks as were applied to their physical counterparts. Virtualization introduces a new layer of abstraction entirely—the Hypervisor. Hypervisor exploits have grown 35% in the last several years, with more surely on their way. Catbird’s patent-pending HypervisorShield protects and defends this essential component of a virtual deployment.

Really?  Hypervisor exploits have grown 35% in the last several years?  Which hypervisor exploits, exactly?  You mean exploits against the big, fat, Linux-based service console from VMware?  That’s not the hypervisor!

I’m trying to give Catbird the benefit of the doubt here, but this is confusing as heck as to what exactly Catbird does (with partnering with companies like Sourcefire) that folks like Reflex and Blue Lane don’t already do.

If anyone, especially Catbird, has some clarification for me, I’d be mighty appreciative.

/Hoff


  1. KaosPunk
    February 13th, 2008 at 18:47 | #1

    Wow. I think the wording and sensationalism really scream out snake oil.
    The repeated mention and focus on network also has me a bit perplexed. Are they talking about the actual network stack or are they implying that the guest to hypervisor channel is a "network"?
    However, with a name like Catbird how can you not take them seriously? ..grin..

  2. M.
    February 19th, 2008 at 07:43 | #2

    The market is full of companies dropping the word Hypervisor and it seems that many are quite confused about what a hypervisor actually is.
    Unless Catbird has reverse engineered VMware and managed to run their software somewhere other than as a guest/virtual appliance, they are not able to "see inside the hypervisor" or inside anything else. This is just an attempt at confusing people with overloaded terms and marketing speak.
    If VMware, or any other virtualization vendor, allowed guests the ability to hook into hypervisor internals, the negative security implications would be unimaginable. Keeping VMs segregated at hypervisor / virtual machine level is a cornerstone of VM security.
    What a security appliance *CAN* do is monitor the virtual network for exploits and other anomalous activity. Should a VM escape exploit surface, the first step to successful attack will probably require compromising a VM using a known network vulnerability.
