Solved

Are there any OTS solutions for creating locked down VM's

Posted on 2016-09-08
13
108 Views
Last Modified: 2016-09-23
We have an project where we need to protect the rights of digital media that will form part of a workflow. Looking for some advice on how best to tackle this.

What we want to do is build Linux VM's with pre-configured software. We give the VDI / VHD to the developer which they then load with a Player using their own workstations as a host.

The VM's are locked down - internet access but only to a specified domain / server.
Disable all other means of getting data off the machine - only way for data to move is over the network to the specified domain / IP.
No access to override the above.

Just confirming that  the above is possible and relatively straight forward - what would be the best Linux distribution for this be?
Are there solutions out there already we can build on.

On the VM side - some of the software has activation keys that are bound to a MAC address. Is there a way for the software on the VM to see the MAC address of the host instead of the Virtual NIC - so that the software key still works?
0
Comment
Question by:Julian Hansen
  • 6
  • 6
13 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 41789975
How a virtual machine is different from physical machine?

Exactly host MAC is one you cannot set on any other machine.

What you are trying will not work. Single site browser with money pipe gets removed from mobile app stores quickly.
0
 
LVL 55

Author Comment

by:Julian Hansen
ID: 41790047
@gheist,

I am not following your response - what do you mean by "Single site browser with money pipe gets removed from mobile app stores quickly" ?
0
 
LVL 62

Expert Comment

by:gheist
ID: 41790102
Customer can modify whatever you package to their liking. Like unzip OVA, change VMX and edit checksum in MF file.

Are you looking to implement access controls on your site?
0
Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

 
LVL 55

Author Comment

by:Julian Hansen
ID: 41790185
There is no site.

There is a repository that operates on a custom port. We have an application that communicates with that service.

The idea is to create a pre-configured environment but one that is locked down so that the only way of moving media is between the locked down VM and our server through the custom application.

I know you can get around anything - this is not meant as a guaranteed fail safe solution - just enough of deterrent that discourages most from trying to "hack" it.
0
 
LVL 62

Expert Comment

by:gheist
ID: 41790302
Are you looking to implement access controls on your site?

YES/NO ?
0
 
LVL 55

Author Comment

by:Julian Hansen
ID: 41790328
I am trying to understand your question.

There is no web site in this equation - if that is what you are referring to. There is an application that runs locally on the VM that communicates with a server to exchange information - mainly digital media. There is authentication that happens over that link - but the application does that - not the user.

Not sure if we are on the same page here - this discussion is not really going in the direction I was hoping.

I was looking for some pointers to either a solution that is already out there that allows for easy creation of locked down VM images - as well as some indication as to how difficult it would be to circumvent a VM image if it were locked down - i.e. how to make it as difficult as possible for someone to using the VM to get data off it other than through the specialised application that communicates with the central server.
0
 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 41790422
VM image one can open as a disk image, there is nothing in the world that can prevent it.
What about VPN gateway to your application? Then you have indirect user identification even havind lax security on your stream server?
0
 
LVL 55

Author Comment

by:Julian Hansen
ID: 41790439
The problem is not the link but the possession of sensitive materials.
In order for developer to work on the files they need copies of them but we need to put as much in place as possible to prevent them from redistributing them (on the Net or elsewhere).

What if the data is encrypted within the VM? Then even if you can attach it you won't be able to access the data?
0
 
LVL 62

Expert Comment

by:gheist
ID: 41791650
You have to give them decryption key one or other way.
0
 
LVL 55

Author Comment

by:Julian Hansen
ID: 41791691
Granted but what if the encryption is run by a process inside the VM. When the VM is attached as a disk then it is just data - when it is booted an app runs that provides the encrypt decrypt.

I think we are diving into complicated territory though the drive of my question was to find out if there is a project (open source or proprietary) that has addressed the issue of virtualising an environment such that a level of security protects (to a certain extent) the IP (intellectual property) of the "work" done in that environment.

I work a bit with Vagrant which allows for virtualised development environments - which is perfect for what we want except for the security aspect of it.

If I understand you correctly there is nothing (that you are aware of) that fills this particular niche?
0
 
LVL 62

Expert Comment

by:gheist
ID: 41791753
No, there is no keyless encryption.
0
 
LVL 55

Author Closing Comment

by:Julian Hansen
ID: 41813028
Thanks - apologies for closing this late.
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Unable to remove VSphere from Host Machine 5 48
Patching ESXi Host via PowerCLI 10 40
Offsite Replication Solution 7 61
Redhat upgrade 1 20
HOW TO: Upload an ISO image to a VMware datastore for use with VMware vSphere Hypervisor 6.5 (ESXi 6.5) using the vSphere Host Client, and checking its MD5 checksum signature is correct.  It's a good idea to compare checksums, because many installat…
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years.  You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
This Micro Tutorial walks you through using a remote console to access a server and install ESXi 5.1. This example is showing remote access and installation using a Dell server. The hypervisor is the very first component of your virtual infrastructu…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question