Solved

Are there any OTS solutions for creating locked down VM's

Posted on 2016-09-08
13
125 Views
Last Modified: 2016-09-23
We have an project where we need to protect the rights of digital media that will form part of a workflow. Looking for some advice on how best to tackle this.

What we want to do is build Linux VM's with pre-configured software. We give the VDI / VHD to the developer which they then load with a Player using their own workstations as a host.

The VM's are locked down - internet access but only to a specified domain / server.
Disable all other means of getting data off the machine - only way for data to move is over the network to the specified domain / IP.
No access to override the above.

Just confirming that  the above is possible and relatively straight forward - what would be the best Linux distribution for this be?
Are there solutions out there already we can build on.

On the VM side - some of the software has activation keys that are bound to a MAC address. Is there a way for the software on the VM to see the MAC address of the host instead of the Virtual NIC - so that the software key still works?
0
Comment
Question by:Julian Hansen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
13 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 41789975
How a virtual machine is different from physical machine?

Exactly host MAC is one you cannot set on any other machine.

What you are trying will not work. Single site browser with money pipe gets removed from mobile app stores quickly.
0
 
LVL 58

Author Comment

by:Julian Hansen
ID: 41790047
@gheist,

I am not following your response - what do you mean by "Single site browser with money pipe gets removed from mobile app stores quickly" ?
0
 
LVL 62

Expert Comment

by:gheist
ID: 41790102
Customer can modify whatever you package to their liking. Like unzip OVA, change VMX and edit checksum in MF file.

Are you looking to implement access controls on your site?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 58

Author Comment

by:Julian Hansen
ID: 41790185
There is no site.

There is a repository that operates on a custom port. We have an application that communicates with that service.

The idea is to create a pre-configured environment but one that is locked down so that the only way of moving media is between the locked down VM and our server through the custom application.

I know you can get around anything - this is not meant as a guaranteed fail safe solution - just enough of deterrent that discourages most from trying to "hack" it.
0
 
LVL 62

Expert Comment

by:gheist
ID: 41790302
Are you looking to implement access controls on your site?

YES/NO ?
0
 
LVL 58

Author Comment

by:Julian Hansen
ID: 41790328
I am trying to understand your question.

There is no web site in this equation - if that is what you are referring to. There is an application that runs locally on the VM that communicates with a server to exchange information - mainly digital media. There is authentication that happens over that link - but the application does that - not the user.

Not sure if we are on the same page here - this discussion is not really going in the direction I was hoping.

I was looking for some pointers to either a solution that is already out there that allows for easy creation of locked down VM images - as well as some indication as to how difficult it would be to circumvent a VM image if it were locked down - i.e. how to make it as difficult as possible for someone to using the VM to get data off it other than through the specialised application that communicates with the central server.
0
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 41790422
VM image one can open as a disk image, there is nothing in the world that can prevent it.
What about VPN gateway to your application? Then you have indirect user identification even havind lax security on your stream server?
0
 
LVL 58

Author Comment

by:Julian Hansen
ID: 41790439
The problem is not the link but the possession of sensitive materials.
In order for developer to work on the files they need copies of them but we need to put as much in place as possible to prevent them from redistributing them (on the Net or elsewhere).

What if the data is encrypted within the VM? Then even if you can attach it you won't be able to access the data?
0
 
LVL 62

Expert Comment

by:gheist
ID: 41791650
You have to give them decryption key one or other way.
0
 
LVL 58

Author Comment

by:Julian Hansen
ID: 41791691
Granted but what if the encryption is run by a process inside the VM. When the VM is attached as a disk then it is just data - when it is booted an app runs that provides the encrypt decrypt.

I think we are diving into complicated territory though the drive of my question was to find out if there is a project (open source or proprietary) that has addressed the issue of virtualising an environment such that a level of security protects (to a certain extent) the IP (intellectual property) of the "work" done in that environment.

I work a bit with Vagrant which allows for virtualised development environments - which is perfect for what we want except for the security aspect of it.

If I understand you correctly there is nothing (that you are aware of) that fills this particular niche?
0
 
LVL 62

Expert Comment

by:gheist
ID: 41791753
No, there is no keyless encryption.
0
 
LVL 58

Author Closing Comment

by:Julian Hansen
ID: 41813028
Thanks - apologies for closing this late.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I will show you HOW TO: Suppress Configuration Issues and Warnings Alert displayed in Summary status for ESXi 6.5 after enabling SSH or ESXi Shell.
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years.  You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
Teach the user how to configure vSphere Replication and how to protect and recover VMs Open vSphere Web Client: Verify vsphere Replication is enabled: Enable vSphere Replication for a virtual machine: Verify replicated VM is created: Recover replica…
Teach the user how to use configure the vCenter Server storage filters Open vSphere Web Client:  Navigate to vCenter Server Advanced Settings: Add the four vCenter Server storage filters: Review the advanced settings: Modify the values of the four v…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question