Thursday, February 28, 2008

Virtualization == Security FUD starts to unravel

If you have ever had the opportunity to listen to VMware's marketing folks, you'll have heard the crazy FUD that virtualization by itself offers you a degree of added security. This is complete nonsense: the guest VM is just as vulnerable as a system not running a virtual machine. You still have to secure it, and virtualization really only offers some kernel-level separation between applications. If you are looking for application-partitioning type security, you can get it with AppOS without incurring the overhead of virtualization.

Today though, the risks of having all your eggs in one virtualized basket are starting to be seen. The folks at Core Security issued this advisory along with C code for an exploit on how to access the Host system from within a Guest VM! As virtualization starts to get scrutinized more, I wonder how long it will be before VMware's virtual switch technology in ESX starts to show signs of vulnerabilities too! As a virtual layer 2 switch, it is likely subject to the same security problems physical layer 2 switches are.

Tuesday, February 26, 2008

Windows Server 2008 Core == Lame!

With Microsoft Windows Server 2008 actually coming out this week, I thought I would take a quick look at their offering. I had heard about the GUI-less Windows Server 2008 and thought maybe Microsoft had finally got their act together. Could Microsoft finally have some real competition for Linux on the server side?

Well, the short answer is no. Microsoft Windows Server 2008 actually still has a GUI; in fact it's not just a GUI, but something based on Windows Vista. Short of being seriously drunk or seriously stupid, putting anything based off Vista on a server is a flat out bad idea. Microsoft are rolling out Windows Server 2008 in the usual multiple flavors - Enterprise, Datacenter, and so on. The only version that offers the "GUI-less" version is Windows Server 2008 Core.

So when folks start saying Windows Server 2008 Core is competition for Linux, you can now officially just laugh! I was expecting something maybe interesting, like 64-bit DOS with advanced networking and filesystem capabilities. What do we get? We get the GUI, but instead of the Explorer stuff with the task bar, start menu and other things, your default shell is the command prompt. Yes folks, you read that right. All Microsoft has really done is strip out the GUI tools and other things like .NET from the release, change the default shell and add some command line utilities for you to get the job done.

Microsoft have made it so confusing that even their own pundits and experts are having a hard time doing basic configuration tasks such as setting up the hostname - click here to see an example on YouTube.

So if you need any of the key functionality in Windows Server 2008, such as .NET, you basically can't use Core. Core is a very lame attempt at trying to say they have a CLI. Sure they have a CLI, but this would be like me starting X and loading xterm as the window manager! I'm still using tons of resources for the GUI.

So Windows Server 2008 still has the GUI. Sure, it has a "GUI-Lite" version that's got limited functionality, but this is no match for Linux. Windows Server 2008 looks like yet another flop from Microsoft. Microsoft shouldn't worry about Open Source; it looks like they are taking themselves out between this and their efforts with Windows Vista!

Tuesday, February 12, 2008

AppOS not vulnerable to local root exploit

This week started off with this local root exploit in Linux. Today we saw some patches from rPath, whose Linux distribution was vulnerable, like any other Linux system running 2.6.17 and later. Those customers have been vulnerable to this attack, which could potentially be deployed remotely through an insecure service running on the system. There are many different ways that this could easily be turned into a remote attack, even something as simple as weak passwords on a customer account. This might be okay for your box at home or that server in the lab that has no Internet access. Requiring an upgrade and then a reboot, resulting in downtime, to fix this is a serious matter for a business.

While AppOS was running the vulnerable kernel, the exploit could not be used against AppOS thanks to the security mechanisms built into AppOS. Maybe I should refer to them as the severely paranoid security mechanisms. In fact, there was no way for a remote user to execute the exploit even if they had accessed a local user's account, as it could not be written to the system providing the services, thanks to the unique approach to chroot jails that AppOS uses. Our customers enjoyed the comfort of our zero-day attack protection. The kernel still has exploitable code, which is fixed with an AppOS update image. However, the severity is low, and not critical like it is with our competitors' solutions. Our customers can upgrade during their maintenance window, at their own leisure.
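A defender-side check related to the point above, added here as an example: it is not AppOS code and does not reproduce AppOS's chroot mechanism, which the post does not describe. It parses a mount table in `/proc/mounts` format and lists the mounts that are both writable and executable, which are the places where a dropped binary could be saved and then run; the sample table and its paths are constructed.

```python
# Added example: find mounts where a dropped binary could be written AND run.
# SAMPLE_MOUNTS is constructed; on a live Linux host read /proc/mounts instead.
SAMPLE_MOUNTS = """\
/dev/root / squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /var/run tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /srv/jail/www\\040site ext3 rw,relatime 0 0
/dev/sda3 /srv/data ext3 rw,nosuid,nodev,noexec 0 0
"""

# Kernel pseudo-filesystems: no user-controlled file content lives here.
PSEUDO_FS = {"proc", "sysfs", "devpts", "devtmpfs", "securityfs", "debugfs"}


def unescape(field):
    """Decode the octal escapes /proc/mounts uses for space, tab, newline, backslash."""
    for esc, char in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, char)
    return field


def parse_mounts(text):
    """Return one dict per mount line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        entries.append({
            "mountpoint": unescape(parts[1]),
            "fstype": parts[2],
            "options": set(parts[3].split(",")),
        })
    return entries


def writable_exec_mounts(entries):
    """List (mountpoint, fstype, has_nosuid) for mounts that are rw and lack noexec."""
    findings = []
    for entry in entries:
        opts = entry["options"]
        if entry["fstype"] in PSEUDO_FS:
            continue
        if "rw" in opts and "noexec" not in opts:
            findings.append((entry["mountpoint"], entry["fstype"], "nosuid" in opts))
    return findings


if __name__ == "__main__":
    for mountpoint, fstype, nosuid in writable_exec_mounts(parse_mounts(SAMPLE_MOUNTS)):
        print(f"writable+exec: {mountpoint} ({fstype}) nosuid={nosuid}")
```

A read-only root such as the `squashfs` line in the sample never appears in the findings; each remaining entry is a candidate for `noexec` or a read-only remount.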

A better solution..

Sales and marketing people will sell you anything that moves; if you're paying, they're selling. They don't care if it's the right solution, they don't even care if it does what you think it should do, they just want your money and to make the sale. Companies don't keep using their products because it's the best product; they keep using the product because they spent too much money on it and don't want to admit to their boss that it was a bad decision. I'm not too fond of technology marketing people!

Spliced Networks is a company built by engineers. Our mission statement is simple and accurate - "Build innovative and secure solutions for the Enterprise Network..", in other words a better solution. We won't sell you anything unless we believe it is the most innovative and most secure solution you can buy today. If it's missing something you need, we'll create it and, on many occasions, build you something even better.

Spliced Networks is dedicated to building faster, more secure and more innovative server and network appliance solutions. You won't find us mucking about with X-Windows, KDE or Gnome. The fact that we don't care about X-Windows or need to support it enables us to offer far superior security solutions that other vendors have to sweep under the rug.

AppOS 4.0.0 is nearing FCS. When it's released, servers will never be the same again!

SquashFS with LZMA integrated into AppOS 4.0

LZMA is one of the best compression algorithms out there. SquashFS, as we've known for years, is one of the best compressed filesystems you can get for Linux, and it has security side-effect benefits that we use with AppOS. We have been looking at SquashFS w/LZMA and have decided to integrate it into AppOS 4.0. SquashFS w/LZMA offers about 20MB/sec transfer rates on decompression, so there is no performance impact with using it in AppOS. However, it's looking to offer a 10% improvement over regular gzip-based SquashFS.

You can get a copy of SquashFS with LZMA from here.

Tuesday, February 5, 2008

Spliced Networks adds 100MBit/sec in Chicago

We are very pleased to announce that we have added 100MBit/sec of bandwidth and servers in Chicago. We expect the new addition to go into production by the weekend. This move wraps up Phase II of our network expansion. Chicago is a key location, as it fills a void; prior to this, the Midwest was served by either Houston, Atlanta or Philadelphia. The bandwidth to our headquarters in Athens also terminates in Chicago, so this move enables us to provide fast access to additional services and equipment for our partners and customers.