« Wired Scenes -- Netsec and Virtualization | Main | Server virtualization... it's business critical »

MAC Attacks and Disguise

When I started reading this, I thought it was going to go in a completely different direction... something akin to providing VMs with a unambiguous name/identifier that would potentially ease some of the burdens of VM management.  Whoa... was I wrong on that one.

Kutz posits that in order to defend VMs from malicious attacks, administrators might disguise the VM by establishing a disguise -- a MAC address of a type of server other than what it really is.  This, he posits, would make it less amenable to programmatic attacks.  Well... that might be the case, but it raises the other issue of VM management, administration and discovery by legitimate third parties.  It also would place a distinct burden on VM management systems (such as VMware's VirtualCenter) to support this kind of disguise without, itself, getting confused about what kind of device is sitting out on the network.

Return of the MAC — Server Virtualization Blog

... Virtualization vendors also produce Ethernet adapters — virtual network interface cards (NICs). Most VMs would be rather useless if they could not access some sort of network, so virtualization vendors must create virtual NICs in order for the VMs to get on the big wide world of Webs. And since these virtual NICs have to participate on the network just as if they were physical, they must use MAC addresses. Because the first 24 bits of these MAC addresses, the OUI, is organization-specific, there is a real potential for network administrators to detect not only if a machine on the network is virtual by its MAC address, but also what type of virtual machine it is (what vendor’s software is hosting it). While best practices dictate that you do not change the MAC address of VMs, enterprise virtualization solutions do present this as an option, and, because of this, here is the scenario I see occurring.

One way to harden the Apache Web server is to use mod_security to alter the Web server’s signature. For example, you can fool clients into thinking that the Web server hosting their favorite videos is actually a Microsoft Internet Information Systems (IIS) 5.0 server instead of Apache 2.2. Administrators do this in order to fool attackers into attempting the wrong types of attack vectors. Even though best management practices dictate that administrators NOT alter their VMs’ MAC addresses, I forsee them doing so anyway in order to fool would-be hackers into attempting the incorrect attack vectors on VMs. For example, if a VM is hosted on ESX and its MAC address has an OUI registered by Microsoft, then a would-be attacker may try known Microsoft Virtual Server or Hyper-V exploits on the VM instead of ESX exploits.

Who knows? Twelve months from now altering a VM’s MAC address to be that of another vendor may be considered a best practice, but right now, with the already complex problem of managing virtual hardware, IT administrators are best served to leave their VM MAC addresses well enough alone.

Of course, that doesn’t stop the idea from being completely and utterly cool!

Powered by ScribeFire.

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
All HTML will be escaped. Hyperlinks will be created for URLs automatically.