Nov 09

Baby, what time is it? The importance of time with VMware SSO

By mike in Infrastructure, IT, RSA, vCloud, Written while at RSA

For the past week or so, in my copious spare time, I’ve been re-building my vLab at work. It’s a cobbled together menagerie of hardware that makes me wish I had a healthier budget so I could spend more time on learning and less on reconfiguring, scrounging and breaking out the baling wire and chewing gum. Dealing with old hardware is distracting and takes your mind off this things that are critical for success. This happened to me. I know plenty of friends in the vCommunity that also have dealt with this. (I hear your heads nodding)

One of the things I’m playing with in in the lab is configuring VMware vCloud Director 5.1 with vCenter 5.1’s SSO functionality. I’m finding that this is one of those times when you really should RTFM and plan ahead more. But that’s ok, I like diving in without docs because then I get to learn more by breaking things and then I have something to share.

Single Sign On

In vSphere 5.1 there is a new feature called Single Sign On. With the new vCenter client now being web based, SSO now allows VMware to leverage industry standards like SAML so that an admin can log once to vCenter and be automatically signed on to other resources like vShield Manager and vCloud Director. There’s a great overview of VMware SSO from Justin King here. You can read more about troubleshooting SSO here.

Not Kirk’s Federation

With vCenter and the SSO components up and running I installed the vCloud virtual appliance OVA and proceeded to set up federation between vCenter and vCloud. You can read more about federation in the Wikipedia article, but in a nutshell, it’s a way of linking identities. So, mike@foo.com and mike@bar.com can be linked. A trust relationship is set up so that if I log in from foo.com and hit a web page that needs my bar.com identity I get logged in using my bar.com account without having to provide the credentials.

Back to my lab, when I tried to do this, I ran into some trouble. I kept getting the following error.

Long story short, I had screwed up. I hadn’t been as diligent as I should have been with setting up my systems. The distractions I mentioned earlier had come back to bite me. Having recently added a couple of disk-less ESXi servers, I didn’t finish configuring them. I hadn’t been leveraging NTP as much as I should. What I now had was a number of systems trying to talk to each other but not agreeing on the time. And with SAML, time is critical. You are issued a token and part of that token is a timestamp. If vCloud thinks it is 9pm and vCenter thinks it is 8pm, the token with a short lifetime will come back as already expired. Just what happened to me.

The Time/Space Continuum is restored

I fixed the problem by setting all the ESXi servers to pull from an NTP server. In addition I also set up my vCenter, SQL server and domain controller to pull from NTP. Just like DNS has become a critical infrastructure component that just needs to be there, NTP is now jumped to the “required” list. Valid, consistent time stamps across your datacenter are needed for the operation of your infrastructure. They are also critical for security in things like authentication and log analysis, especially when you are trying to correlate lots of information!

NTP is critical to other vCloud operations as well. My friend Chris Colotti called this out in this blog article.

If you haven’t set up your datacenter with NTP, now’s the time. Oh, and DNS too. It’s time to ditch the hosts files. (yes, there’s still plenty of people using them!!) Going forward, more and more of your datacenter are going to rely on these key components. Ensuring that you use them consistently will help a LOT in troubleshooting large and complex installations.

Thanks for reading!

mike

Oct 10

Dude, that’s so Meta

By mike in IT Security, Written while at RSA

This isn’t going to be a blog posting about me writing a blog post. No, I’m referring to metadata. I recently read an article on Digg about Apple’s new Maps app and the accumulation of metadata. The amount of stuff Google, Apple, Amazon, etc are collecting is huge. Read about this recent Apple patent on metadata and what sorts of things they are planning to use it for. (this is a must-read by the way)

If you’ve been following my rants…er…blog, you’ll remember a posting recently where I talked about metadata in a virtual environment. Well, for a change and because this is a short post, I’m not going to talk about virtualization..

Nope, I’m thinking of the metadata itself. More and more applications and devices are generating metadata. Location information, accelerometer data, usage patterns, etc…(see that Apple patent I mentioned earlier!) Lots of great data that I believe will eventually be consumed by security vendors. Many in the industry are investigating the use of metadata to provide multi-factors of authentication. But here’s my worry. How much of that data can you trust? Meaning, is the data valid? Was the device that generated the metadata compromised? Was the email and calendar server that we’re storing our work and home life compromised and some data changed (example: location data of a meeting last week)? If we are using metadata for factors of authentication, can we live with some of it being compromised or of questionable value? I say “Yes”. Read on…

My new security term – The Tidbit

tid·bit

[tid-bit]

noun

1. a delicate bit or morsel of food.

2. a choice or pleasing bit of anything, as news or gossip.

I’m a foodie so let’s run with the “morsel of food” analogy, shall we? One morsel isn’t going to make a meal. But, like going to a tapas bar, when you order up a bunch of tasty morsels you’ve got yourself a meal. Let’s think of that in the context of security. Now, just one tidbit, in this case, your current GPS location, isn’t going to get you thru the VPN, but what about multiple tidbits? Will that be “good enough” to replace passwords for some folks? (probably. I’ve seen crazier things happen) Will that make a “secure” meal? Obviously, that’s a decision of for you to choose. I always like to say “apply the right level of security based on the sensitivity of the data”. For some things like accessing a corporate web page that only contains reference information then a couple of tidbits might be ok. But for VPN, because it’s far more intrusive into the corporate infrastructure, I might need two or more tidbits PLUS SecurID.

But what if the metadata is compromised?

Ok, now that we’re looking for that security meal that will allow me access to what I need to get to, we have to start to think of how it can be compromised. Like a meal, will one bad tasting tidbit kill me? Probably not. I’ll probably spit it out and push it off to the side of my plate.

Well, if I’m using all these cool geek tidbits like GPS, accelerometers, photos, meeting information, etc, I can then safely toss any that are suspect and maybe bring a new tidbit online to replace them. Or maybe, I’ll change from the server side what tidbits I’m looking for randomly, ensuring that I’m staying one step ahead of the bad guys. (Hey, that’s adaptive authentication!) After all, what I’m looking for is a sum of the parts, not the parts themselves. Just like a bunch of unclassified data, when put together, can produce classified data.

The point being here is that no longer will we have a one size fits all methodology to authentication. There are new methods for verifying people on the horizon. Mash that up with Big Data and you get a world where in order to confirm a transaction on your mobile phone the app (and back-end server) knows you’re in Lowe’s and tells you to go to Aisle 16 and scan the bar code of a specific product before it processes your transaction.

Feasible? Sure. Practical? Well, we’ll see, won’t we?

Your thoughts?

mike

Geek, MetaData, RSA-Authored, Security
1 comment

Sep 27

Would you pay for the TruCoat?

By mike in IT Security, Written while at RSA

“I’m saying, that TruCoat, you don’t get it you get oxidation problems it’ll cost you a heck of a lot more than $500…”

For those of you playing along, you probably remember this line from the movie “Fargo”. William H. Macy, playing car salesman Jerry Lundgaard, is arguing with a couple about tacking on an unwanted option called “TruCoat” for $500. It’s one of those things that car dealers use to increase their margins. Watch the video here but be warned, there’s a part at the end that’s NSFW.

Jerry Lundgaard selling the TruCoat

So what’s all this got to do with virtualization and cloud security?

Well, in my talking with customers and cloud service providers, the topic of tiered offerings always comes up. You know, the “Gold, Silver & Bronze”. I’ve asked Cloud Service Providers about including security in those tiers and have been met with “Well, maybe, but it would have to re-coup the investment.” (It IS all about the Benjamin’s, isn’t it?)

That got me thinking about TruCoat. A product that Jerry Lundgaard is selling not because it adds value but because it’s got a GREAT profit margin. Not unlike doing the least amount of “security” (Checkbox Security) and charging the most for it. Not really bringing value but charging like you do. I’m not accusing anyone of doing that, but I wonder if maybe some less than reputable vendors (Joey’s Transmission and Cloud?) would head in that direction?

You see, this goes back to security being bolted on .vs. built in. If, in the Gold tier, you add in network packet monitoring and two-factor authentication, you as the cloud service provider are making a significant investment. You need to get that investment back and start to make a profit. How do you explain the TRUE value of the service you offer? Or, like Joey, you just upsell a little anti-virus and firewalling that you’d do anyways because, at scale, it’s not a big hit on the bottom line? Just like the TruCoat.

Clarification: AV and Firewalls are absolutely part of a good defense in depth story. But they are now, especially with the capabilities of vShield, a “commodity” item that is easy to set up and doesn’t impact the bottom line like other security products would.

Buying Value

Customers will pay money for something of value. I haven’t met many people who buy junk intentionally after all! That said, trying to meld security and value together in a cloud environment will be an interesting journey. Today I think it’s a bit of a chicken and egg. Many customer SAY they want secure clouds but how many are willing to pay for it? Cloud Service providers would like to offer security but, let’s face it, it’s not cheap and, as I said, how many are willing to pay for it?

What are your thoughts? Will customers start to demand things like GRC, packet inspection, two-factor authentication? Or will firewalls and anti-virus “check the box” for them?

For some, the response will be “Ya! You betcha!”

Cloud, RSA-Authored, Security

Category: IT