VMWare Hacking Uncovered

As I’ve mentioned earlier this year, I was looking at specialized virtualization security training options, aiming to attend one or more throughout the year. Fortunately I was not only able to find a course close to me, I also managed to convince my boss to fund the training (thanks boss). Originally my favourite was SANS 577 but at the time it was not offered in EMEA. Of course, as soon as I committed to VMWare Hacking Uncovered, SANS announced they would run their “Virtualization Security Fundamentals” during SANS London.

The course was originally called “VMWare Hacking Uncovered”; the course owner VMTraining meanwhile decided to re-brand it to “Advanced VMWare Security”, which didn’t affect the actual course content. In the UK the training is formally provided by Firebrand but the course material and trainer are from VMTraining. With the scene set, let’s look at the details.

Training facilities & organisation

As said, VMTraining is leveraging Firebrand to host their training. What this means is that the booking, organisation, facilities, etc. are provided by Firebrand. Firebrand has quite a good reputation and from my experience rightfully so; their training advisor did his best in a pre-booking conversation to ensure the training is suitable for me (or rather that I’m able to keep up with the course material) and kept in contact once the training was booked to inform me of changes. The training location, a conference/training centre somewhat north of London, was a perfect environment to study long hours. Three very edible meals a day were included in the training fee (as well as a constant supply of fresh fruit) and, much to my delight, hot filter/drip coffee – not that despicable instant stuff out of a push button machine – was provided throughout the day (so were tea, water and various soda drinks). The classrooms were pretty modern, sporting new’ish 20″+ TFT screens and air conditioning.

Curriculum & course material

There were no real surprises with the actual course content as it was quite close to what’s listed in the course description. I was a bit disappointed that the course is not quite up to date, which means that, at least in courses running late 2010, VMWare ESX 4.1 vShield technologies (App, Endpoint, Edge) are not actually part of the material; VMSafe/vShield zones is however. The trainer, a knowledgeable and nice chap called Aman, made sure that he understood the background and experience of each student to tailor the focus for the week accordingly. As expected, the obligatory virtualization and VMWare administration basics took most of Sunday evening (yes, you’re starting Sunday 6pm. Don’t expect much leisure time while you’re on this course) and Monday/Tuesday. Depending on your experience and background (VI, storage, network) this can be a bit of a drag but in my case the trainer managed to keep it interesting for everyone.

The mid-week deals mainly with penetration testing topics, progressing through footprinting, scanning, enumeration and penetration. There are several labs on these topics which are scheduled to take most of the afternoons. The problem with this is that if you are already familiar with the tools discussed you’re likely spending most of the day bored and wondering what they have to do specifically with virtualization security. If you were always wondering what Nmap, Cain & Abel, Nessus, Saint, etc. are and what they do, you’re gonna enjoy this part of the course. The best part in my view was playing with Metasploit’s VASTO module and discussing the background, implementation and implications.

Towards the end of the week the focus shifts to the hands-on/operational topics – namely ‘Hardening’. This is exactly what you’d expect, and if you are looking for information on what to watch out for and how to increase the security posture of your VI environment, the sections and labs are just the thing for you. That said, if you are already very familiar with Linux and/or ESX console security (e.g. SSH, SUDO, …) you might want to get an extra cup of coffee. The last chapter consists of a selection of 3rd party security solutions for VMWare (usual suspects – Catbird, Hytrust, Altor, TrendMicro, ...) and what they do/don’t do for you. I found this section to be somewhat shallow and half-hearted, which resulted in a bit of a ‘meh’ feeling, but if you never looked at these vendors it certainly is a good starting point to go off and read (a lot) more about their respective solutions.

The exam

So you want to be a Certified Virtualization Security Expert (CVSE)? We’ve been warned (more a heads-up really) by the trainer that the exam, which you are going to take on Friday afternoon, is a difficult one. What I realized during the quiz (sample questions for the exam) that wrapped up each day is that the exam is not difficult as in – need to be smart and experienced – but more as in – have to be lucky enough to think like the guy who authored the question. The students and the trainer got into more than one intense discussion about the answer and the way questions were formulated, sometimes resulting in the conclusion on both sides that the question is rubbish. Lots of feedback was provided on how to improve exam questions and – not entirely surprising – none of the students passed the exam. It is very much possible, however, but a bit of a frustrating experience; that said, I will probably give it another try in a few weeks when our feedback was hopefully included in the exam pool. (I missed by 1% in case you wondered.)

So would I recommend this course to someone who is interested in virtualization security in general and VMWare security specifically? Absolutely. I would recommend waiting another few months, however, to see if the new security features of ESX 4.1 are then integrated in the course material and – if that is of importance to you – whether the exam matured somewhat more. And now let’s see how I get onto that SANS 577.