Solved

Are there any OTS solutions for creating locked down VMs?

Posted on 2016-09-08
Last Modified: 2016-09-23
We have a project where we need to protect the rights of digital media that will form part of a workflow. Looking for some advice on how best to tackle this.

What we want to do is build Linux VMs with pre-configured software. We give the VDI / VHD to the developer which they then load with a Player using their own workstations as a host.

The VMs are locked down - internet access but only to a specified domain / server.
Disable all other means of getting data off the machine - only way for data to move is over the network to the specified domain / IP.
No access to override the above.

Just confirming that the above is possible and relatively straightforward - what would be the best Linux distribution for this?
Are there solutions out there already we can build on?

On the VM side - some of the software has activation keys that are bound to a MAC address. Is there a way for the software on the VM to see the MAC address of the host instead of the Virtual NIC - so that the software key still works?
Question by:Julian Hansen
LVL 62

Expert Comment

by:gheist
ID: 41789975
How is a virtual machine different from a physical machine?

Exactly host MAC is one you cannot set on any other machine.

What you are trying will not work. Single site browser with money pipe gets removed from mobile app stores quickly.
0
 
LVL 54

Author Comment

by:Julian Hansen
ID: 41790047
@gheist,

I am not following your response - what do you mean by "Single site browser with money pipe gets removed from mobile app stores quickly" ?
0
 
LVL 62

Expert Comment

by:gheist
ID: 41790102
Customer can modify whatever you package to their liking. Like unzip OVA, change VMX and edit checksum in MF file.

Are you looking to implement access controls on your site?
0
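The MF file mentioned in the comment above, seen from the distributor's side, as an added example that is not part of the thread: a check of an OVA's manifest digests that also reports whether the package carries a `.cert` signature file. The file names `vm.ovf` and `vm.mf`, the helper `build_sample_ova` and the sample contents are constructed for illustration.

```python
import hashlib
import io
import re
import tarfile

# OVF manifest line: "SHA256(name)= <hex digest>" (SHA1 in older packages)
MF_LINE = re.compile(r"^(SHA1|SHA256)\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")


def verify_ova(ova_bytes):
    """Return (results, signed): results maps each manifest entry to
    "ok", "mismatch" or "missing"; signed is True if a .cert file exists."""
    with tarfile.open(fileobj=io.BytesIO(ova_bytes)) as tar:
        members = {m.name: tar.extractfile(m).read()
                   for m in tar.getmembers() if m.isfile()}
    mf_name = next((n for n in members if n.endswith(".mf")), None)
    if mf_name is None:
        raise ValueError("OVA has no manifest (.mf) file")
    results = {}
    for line in members[mf_name].decode("utf-8").splitlines():
        match = MF_LINE.match(line.strip())
        if not match:
            continue
        algo, name, expected = match.groups()
        if name not in members:
            results[name] = "missing"
            continue
        actual = hashlib.new(algo.lower(), members[name]).hexdigest()
        results[name] = "ok" if actual == expected.lower() else "mismatch"
    # Without a .cert file the digests are not bound to any publisher.
    signed = any(n.endswith(".cert") for n in members)
    return results, signed


def build_sample_ova(files):
    """Constructed sample: pack {name: bytes} into an in-memory tar (OVA)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    ovf = b"<Envelope>constructed sample</Envelope>"
    mf = ("SHA256(vm.ovf)= " + hashlib.sha256(ovf).hexdigest() + "\n").encode()
    print(verify_ova(build_sample_ova({"vm.ovf": ovf, "vm.mf": mf})))
```

With `signed` false, an all-"ok" result shows only that the files match the manifest shipped alongside them; it says nothing about who produced either.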
LVL 54

Author Comment

by:Julian Hansen
ID: 41790185
There is no site.

There is a repository that operates on a custom port. We have an application that communicates with that service.

The idea is to create a pre-configured environment but one that is locked down so that the only way of moving media is between the locked down VM and our server through the custom application.

I know you can get around anything - this is not meant as a guaranteed fail safe solution - just enough of a deterrent that it discourages most from trying to "hack" it.
0
 
LVL 62

Expert Comment

by:gheist
ID: 41790302
Are you looking to implement access controls on your site?

YES/NO ?
0
 
LVL 54

Author Comment

by:Julian Hansen
ID: 41790328
I am trying to understand your question.

There is no web site in this equation - if that is what you are referring to. There is an application that runs locally on the VM that communicates with a server to exchange information - mainly digital media. There is authentication that happens over that link - but the application does that - not the user.

Not sure if we are on the same page here - this discussion is not really going in the direction I was hoping.

I was looking for some pointers to either a solution that is already out there that allows for easy creation of locked down VM images - as well as some indication as to how difficult it would be to circumvent a VM image if it were locked down - i.e. how to make it as difficult as possible for someone to use the VM to get data off it other than through the specialised application that communicates with the central server.
0
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 41790422
VM image one can open as a disk image, there is nothing in the world that can prevent it.
What about VPN gateway to your application? Then you have indirect user identification even having lax security on your stream server?
0
 
LVL 54

Author Comment

by:Julian Hansen
ID: 41790439
The problem is not the link but the possession of sensitive materials.
In order for the developer to work on the files they need copies of them but we need to put as much in place as possible to prevent them from redistributing them (on the Net or elsewhere).

What if the data is encrypted within the VM? Then even if you can attach it you won't be able to access the data?
0
 
LVL 62

Expert Comment

by:gheist
ID: 41791650
You have to give them the decryption key one way or another.
0
 
LVL 54

Author Comment

by:Julian Hansen
ID: 41791691
Granted but what if the encryption is run by a process inside the VM. When the VM is attached as a disk then it is just data - when it is booted an app runs that provides the encrypt decrypt.

I think we are diving into complicated territory, though. The drive of my question was to find out if there is a project (open source or proprietary) that has addressed the issue of virtualising an environment such that a level of security protects (to a certain extent) the IP (intellectual property) of the "work" done in that environment.

I work a bit with Vagrant which allows for virtualised development environments - which is perfect for what we want except for the security aspect of it.

If I understand you correctly there is nothing (that you are aware of) that fills this particular niche?
0
 
LVL 62

Expert Comment

by:gheist
ID: 41791753
No, there is no keyless encryption.
0
 
LVL 54

Author Closing Comment

by:Julian Hansen
ID: 41813028
Thanks - apologies for closing this late.
0
