Solved

Are there any OTS solutions for creating locked down VMs

Posted on 2016-09-08
13
91 Views
Last Modified: 2016-09-23
We have a project where we need to protect the rights of digital media that will form part of a workflow. Looking for some advice on how best to tackle this.

What we want to do is build Linux VMs with pre-configured software. We give the VDI / VHD to the developer, which they then load with a Player using their own workstations as a host.

The VMs are locked down - internet access, but only to a specified domain / server.
Disable all other means of getting data off the machine - only way for data to move is over the network to the specified domain / IP.
No access to override the above.

Just confirming that the above is possible and relatively straightforward - what would be the best Linux distribution for this be?
Are there solutions out there already we can build on?

On the VM side - some of the software has activation keys that are bound to a MAC address. Is there a way for the software on the VM to see the MAC address of the host instead of the Virtual NIC - so that the software key still works?
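One concrete way to do the egress restriction from the question (internet access only to the specified server, everything else blocked) is a default-drop nftables ruleset inside the guest. This is an added example, not code from the thread or any product it mentions; the repository address, port and resolver are constructed placeholders, and as the thread itself points out, a rule set living inside the guest is a deterrent that the owner of the host can lift, not a hard boundary.

```shell
#!/bin/sh
# Added example: default-drop egress allowlist for the locked-down guest.
# Arguments are hypothetical placeholders for the repository server the
# question describes; the caller supplies real values on the guest.

gen_egress_ruleset() {
    # $1 = repository IPv4 address, $2 = repository TCP port, $3 = DNS resolver
    repo_addr="$1"; repo_port="$2"; dns_addr="$3"
    cat <<EOF
flush ruleset
table inet egress_lock {
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ip daddr $repo_addr tcp dport $repo_port ct state new accept
        ip daddr $dns_addr udp dport 53 accept
        counter log prefix "egress-drop: " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
    }
}
EOF
}

# Reject obviously malformed addresses before anything reaches nft.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Validate inputs, then load the ruleset atomically from stdin (needs root).
apply_egress_ruleset() {
    valid_ipv4 "$1" && valid_ipv4 "$3" || return 1
    gen_egress_ruleset "$1" "$2" "$3" | nft -f -
}

# Constructed values; on a real guest run: apply_egress_ruleset <repo-ip> <port> <dns-ip>
# gen_egress_ruleset 192.0.2.10 9000 192.0.2.53
```

Dropped packets are logged with the `egress-drop:` prefix, so attempts to move data anywhere other than the repository show up in the guest's kernel log.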
Question by:Julian Hansen
13 Comments
 
LVL 61

Expert Comment

by:gheist
ID: 41789975
How is a virtual machine different from a physical machine?

Exactly host MAC is one you cannot set on any other machine.

What you are trying will not work. Single site browser with money pipe gets removed from mobile app stores quickly.
 
LVL 52

Author Comment

by:Julian Hansen
ID: 41790047
@gheist,

I am not following your response - what do you mean by "Single site browser with money pipe gets removed from mobile app stores quickly"?
 
LVL 61

Expert Comment

by:gheist
ID: 41790102
Customer can modify whatever you package to their liking. Like unzip OVA, change VMX and edit checksum in MF file.

Are you looking to implement access controls on your site?
 
LVL 52

Author Comment

by:Julian Hansen
ID: 41790185
There is no site.

There is a repository that operates on a custom port. We have an application that communicates with that service.

The idea is to create a pre-configured environment but one that is locked down so that the only way of moving media is between the locked down VM and our server through the custom application.

I know you can get around anything - this is not meant as a guaranteed fail-safe solution - just enough of a deterrent to discourage most from trying to "hack" it.
 
LVL 61

Expert Comment

by:gheist
ID: 41790302
Are you looking to implement access controls on your site?

YES/NO ?
 
LVL 52

Author Comment

by:Julian Hansen
ID: 41790328
I am trying to understand your question.

There is no web site in this equation - if that is what you are referring to. There is an application that runs locally on the VM that communicates with a server to exchange information - mainly digital media. There is authentication that happens over that link - but the application does that - not the user.

Not sure if we are on the same page here - this discussion is not really going in the direction I was hoping.

I was looking for some pointers to either a solution that is already out there that allows for easy creation of locked down VM images - as well as some indication as to how difficult it would be to circumvent a VM image if it were locked down - i.e. how to make it as difficult as possible for someone using the VM to get data off it other than through the specialised application that communicates with the central server.
 
LVL 61

Accepted Solution

by: gheist (earned 500 total points)
ID: 41790422
A VM image one can open as a disk image; there is nothing in the world that can prevent it.
What about a VPN gateway to your application? Then you have indirect user identification even having lax security on your stream server?
 
LVL 52

Author Comment

by:Julian Hansen
ID: 41790439
The problem is not the link but the possession of sensitive materials.
In order for developers to work on the files they need copies of them, but we need to put as much in place as possible to prevent them from redistributing them (on the Net or elsewhere).

What if the data is encrypted within the VM? Then even if you can attach it you won't be able to access the data?
 
LVL 61

Expert Comment

by:gheist
ID: 41791650
You have to give them decryption key one or other way.
 
LVL 52

Author Comment

by:Julian Hansen
ID: 41791691
Granted, but what if the encryption is run by a process inside the VM? When the VM is attached as a disk it is just data - when it is booted, an app runs that provides the encrypt/decrypt.

I think we are diving into complicated territory though the drive of my question was to find out if there is a project (open source or proprietary) that has addressed the issue of virtualising an environment such that a level of security protects (to a certain extent) the IP (intellectual property) of the "work" done in that environment.

I work a bit with Vagrant which allows for virtualised development environments - which is perfect for what we want except for the security aspect of it.

If I understand you correctly there is nothing (that you are aware of) that fills this particular niche?
 
LVL 61

Expert Comment

by:gheist
ID: 41791753
No, there is no keyless encryption.
 
LVL 52

Author Closing Comment

by:Julian Hansen
ID: 41813028
Thanks - apologies for closing this late.