L. V. Lammert wrote:
Certainly! That is not the point, however. The point is that users of OTHER 'application domains' have better security with a VM (or one of the other approaches discussed) because THEIR environment has no ability to interact with the OTHER environments. The digression into VM vs. separate machine vs. compound vulnerabilities is totally tangent to the original topic, and, while educational, is certainly no longer productive at this time.

Maybe if you were trying to explain your points with more 'meat substance', some users might agree with you, or not, but at a minimum that might be somewhat productive, and I think I have seen that many times and not be addressed properly.

I strongly suggest that we all retire with a lot of good information on vulnerabilities and an agreement that there are different methods for addressing security problems.

Maybe if put in more practical terms it might help to make your point, if I even get that properly.

So, here is an example that you may try to use that may actually be somewhat valid. But again, I would have expected you to do so.

So, let's make it very simple and maybe at the same time take a real subject that comes up regularly on this list, and this may help, or not.

Please do not take this as a judgment on the merit of it. I only offer it as a way to make peace and maybe at clarifying what may have been your intent, maybe, if I even get that right.

So, here is the problem I will take to make this example.

- Many users always ask how they can make their PHP web setup secure. Again, plenty of discussion on the subject, so let's not start this again.

- Also let's consider the fact that users at large are cheap and only want to pay as little as possible. Again, a real-life situation.

- Also consider that an ISP needs to make a profit to stay in business and as such can't make miracles.

So, what's to do next then?

Again, I am not saying it's the right solution, as I will raise other problems with it, but anyway, let's just take the idea.

1. One regular setup. Hosting ABC provides virtual hosting at $10/month for a web site.

2. Hosting DEF provides the virtual hosting at $15/month with OpenBSD and JAIL setup, etc.

3. Hosting GHI provides virtual hosting at $20/month with VM.

4. Hosting JKL provides dedicated hosting at $100/month.

Now the users have the choice, but they are cheap...

Now these are in the order of security. I think we can all agree to this, right?

All/most would agree that when PHP is running on a virtual server, unless you run one instance of apache per user, etc., then a PHP script can access the space of others on the same server, and it's not that hard to do, right?

So, what you explain is that the third setup would be the best, if we consider costs in operations. 4 is the separate servers, which is much more expensive, because of hardware, space, AC, power, setup, maintenance, etc, etc, etc.

1, 2 and 3 all use the same space, most likely in a small setup obviously to keep this under control for the discussion, same power, same AC, almost same maintenance, etc.

#1 and 2, someone sure could hack someone else's web space and destroy it.

In case of #1 and 2, most likely only one of the virtual hosting sites is compromised via PHP, which is not that difficult if the script itself is not well written, and I will not and do not want to argue this here; let's just say Joe Blow can't write properly and anyone can hack it in 5 minutes for the sake of discussion. Then all users on that box are compromised. Now will the bad guy destroy them all, or just Joe Blow? It is not relevant here and we should all agree to that. The bad guy, after compromising Joe Blow, sure can compromise everyone else in no time should (s)he choose to do so. That's the risk of using virtual hosting. Sadly your security is not under your control. We all have to agree to that no matter what.

Now #4, well it's all yours and is as good as you choose to make it, but is also the most expensive setup. Just like it was explained many times here on your question. So, we have the use of VM to save cost, which all agree. Also, it doesn't maximize the utilization of the hardware like VM would; we all agree with that as well.

So, I guess so far, unless I didn't follow this properly, I would venture to say that everyone would agree up to this point, right?

If not, I have to say, that I would need to get educated myself then on each one, but it is fair to say that's the case until now.

What's left now is point #3, which everyone beat to death.

Why is that? I think because it is just not explained in a light that many could relate to. I don't have an expression in English that would translate as well as in French, but a direct translation would be that

"You are tripping on the flowers of the carpet".

I know it doesn't make sense, but see it as someone who walks on your grandmother's old carpet that has a flower design on it, and you are walking on it and falling down because your feet trip on them. (;> How can this be right? Well, that's exactly what's going on here.

So, if I take your point or 'applications domain' and translate this into more practical terms and stop using words out of the far-fetched paper and use more pragmatic day-to-day examples: you argue that in this case, a setup using VM for the virtual hosting would be more secure, assuming disk space, IPs, CPU power, rack space, etc. are not considered here. That this setup would be more secure?

I think in this case, we can all agree yes, it would be more secure. Absolutely secure however, no. I guess many are arguing that point and that needs to be put in perspective.

Assuming you can use license-free VM solutions and that you can use the same hardware, same size box, same space, etc., the end result would be more secure because you totally isolate each virtual host user in their own VM. So, it's like each one of them having a dedicated server and they can do as they see fit.

The end result of this setup is that you eliminate the security problem everyone tries to eliminate when they do virtual hosting on the same server. So, you did that and the end result is better. You eliminate a security risk, the very simple and non-secure PHP factor. So, now the brain-dead PHP user does not have the same impact on your virtual site as it would have in a non-VM setup.

So, you gain security.

But you do increase the security factor by having a more complex setup, and most likely the number of bugs as well that can affect you.

Now is it more secure or less secure? Well, it can be argued and that's what is going on here.

What it does, however, is increase the skill required to affect the other users on that same box. So, the same PHP script kiddo will not have the same impact on your setup as they would normally.

You also maximize the use of your hardware, as was argued here too.

But please note that I didn't consider this: will you be able to host the same number of virtual sites on that same box running VM as you would on that same box without? I would say no. Just the amount of space required on the drive to set up all the servers for each user is definitely a logical explanation everyone has to agree with for sure and can't be argued.

In the end, the real question remains that you gain some and you lose some. You gain more secure virtual hosting and you lose the number of sites you can put on that one same box. What's the factor here? I do not know. Maybe 1/2, maybe 1/10, maybe 1/100. I have no clue. Interesting question however.

But you make the security of each site better by raising the bar of the skills required to hack the other users on that same box.

However, you DIDN'T increase the security of each individual user taken as an isolated user if they happen to be the single one on that box. You reduce it. Because the setup of that single user has more software running for him/her and as such gets exposed to more possible bugs.

At the same time however, YOU DID increase the security of that user related to the other users on that same box as you isolate this user from the stupidity of others on that same box.

So, I can only conclude logically that:

- If a user was already isolated on its own server, putting it on a VM setup, regardless of the hardware used, you reduce its security.

- If a user was already on a shared setup, you increase its security by isolating it from the other users on that same system, but at the same time you introduce more possible sources of attack to that user by doing so. However, the skills required to compromise that user need to be higher, so the end result is a positive factor. How much... Well, I sure can't say, nor can you. But we can all agree that it is positive, however, if we consider the bank of bad guys that can attack that server. However, if, as many have argued as well, the number of bad guys happens to be infinite, then you didn't help, but ended up making it worse. In practical terms, that can be debatable and I would say that it is somewhat better because you reduce the number of bad guys that can attack that system now and affect the other users on that system, but at the same time, you did nothing at all for the isolated user itself and you also have to agree with that. You actually reduce the security if you take that single user itself, excluding the others on that system.

So, the question becomes interesting now. If your users are all great quality users, then you actually adversely reduce the protection of each one, but if they are bad ones, then you increase the security of the good ones on that shared server. (;> So, if I was trying to put bad judgment on the users, then I could say that using VM actually protects bad, less qualified users and hurts good ones, and then it's up to the company that decides to use VM to judge the type of users they hire, but I will not do that as it would actually open yet another can of worms, but the question remains. What's the real reason to use VM in the first place? (;>

So, with very highly qualified users, it's worse; in lower qualified places, it's better. Where each one fits is up to them to decide. (;>

Interesting outcome however isn't it and interesting questions as well.

So, someone that sets up VM is doing it because they do not trust themselves, or because they do not trust their co-workers!? (;>

They could do it too, to save on hardware, space, AC, power, cost, etc., but that wasn't the original question, was it? So, it can't be used now to defend the subject.

So, what's left then?

The only possible outcome of this example, in this specific question as it looks like you really try hard to keep it on topic, is for none of the reasons above, but for the reason below.

It was and is set up because of lack of trust and/or qualifications in co-workers in a shared environment, not as a way to increase security for your own individual setup, as if it was, then there is a lack in one's own capability of managing a server in the first place.

Interesting, isn't it?

Now, before you come back and argue that point as well for the application of a single user. As explained above, you may increase the security in the same way if you set up each application for each user in its own VM, but again, is that done? I don't think so, but sure could.

This brings yet another interesting question.

This means that if a single user uses a single server and needs to set up a web server, to stay in this example, he may set it up with, for example, named to speed its reverse lookup, or whatever. Also set up yet another VM for apache and then a third one for MySQL used for his web site.

So, a single user can set up a VM for three applications on its own server and then gain security that way by isolating bugs in each application from the others. But in reality, in any VM setup today, is it done that way? I would say not. At best, maybe in extreme cases, maybe per user base, but I don't think so. However, I would be very surprised if a single user would go as far as also doing it per application in an already enterprise VM setup. However possible.

So, for a single user, on a single server, for the three applications as explained above, would using a VM setup make it more secure or less secure?

I am not sure. It depends on the applications and the skills of the admin for that setup.

If you set up QMail, DJBDNS and PublicFile on that same server and set them up each one in its own VM, I would say you reduce the security, as none of the three has been proven to be compromised yet. In theory are you? I guess you could say yes, only based on the fact that you isolate the three, but in practice are you really? I would say no in this case, as doing so, you introduce bugs in the VM setup that weren't there before and it does nothing to increase the security of the three applications above.

Now if you argue your point in practical terms like I try to do, maybe not so well, then maybe you might get different feedback, but I still haven't seen you doing it yet anyway.

So, my own conclusions, until I have more to chew on, based on the situation described at the start and along this email, are as follows.

- You reduce security in a highly qualified workplace.
- You increase security in a poorly qualified or very disparate workplace.
- You reduce security in high quality software choice.
- You increase security on poor quality software choice.
- You increase security in a cheap workplace setup using fewer servers.
- You reduce security in a workplace that is concerned about security and will go to the extent of splitting applications per server, as they should if security is a must have.
- You raise the skills required to construct a more devastating attack on the same 'shared' setup environment.

But in all cases, without a question, you increase the complexity of the setup and are adding bugs no matter what.

Now where are the benefits? It will depend on where you actually fit in the list of conclusions above and the level of skills as well as the choice of applications.

No one can come up with the same answer here. No one.

But be careful how you answer the question however as it may well put a judgment on your qualifications and the qualifications of your work place as well as a judgment from you on your co-workers as well. (;>

This makes it much more interesting now doesn't it? (;>

Now good reflexion on the subject.

There is one factor that remains: there isn't one single answer to the question for sure, as it depends on way too many outside factors. And to what level one is willing to expose himself and his own qualifications and choices in the process.

I really do not have an answer to the question, but offer a lot to reflect on for sure.

The rest is left to the user. (;>

Best,

Daniel
