Identifying and Remediating Rogue Services Within a Cloud Based Virtual Machine
Published: 2016
Author(s) Name: Dennis C. Guster, Mark B. Schmidt, Karthik Paidi
Author(s) Affiliation: Information Systems, St. Cloud State University, United States
Abstract
While the benefits of cloud computing are well known, the security risks involved are often new and substantial. The host of choice in the cloud, the virtual machine (VM), is created in large numbers, which makes it very difficult to keep track of every service running within the cloud. Fortunately, the Linux operating system provides commands that can be used to evaluate the purpose of the transport-layer ports associated with the services running on a given host (VM). The example used in this paper is a complex remote procedure call (RPC) service, which opens multiple dynamically assigned ports; these ports are evaluated with Linux commands. Besides the expected legitimate ports, suspected rogue ports were also found. These ports were created by the RPC software but could not be traced to a process ID or to the originating executable; because they were forked from a kernel-level process, their origin was difficult to establish. Fortunately, because the ports were allocated dynamically and their purpose was unknown to the system administrator, the firewall rules were never updated to allow them, so traffic to those ports remained blocked. Simply stated, the firewall was configured by default to block unknown traffic, legitimate or not, and in this case the default policy served well. To remediate this problem, more care is needed when defining and evaluating policy. Additionally, it is suggested that the port evaluation procedure be recorded and automated through the use of Linux scripts.
Keywords: Cloud Computing, Virtual Machines, Remote Procedure Call (RPC), Port Evaluation
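The abstract recommends recording and automating the port evaluation procedure as a Linux script. The script below is an added example of what such an audit can look like; it is not code from the paper. It compares the listening sockets reported by `ss` against an assumed baseline of documented ports, attributes each port to an owning process where `ss -p` can see one, and cross-references ports with no owning PID against `rpcinfo -p`, which is how a dynamically assigned RPC port served by a kernel thread (nfsd, lockd) can still be explained even though no process ID or executable is visible. The baseline, the `ss` sample and the `rpcinfo` sample are all constructed for the example; the `--live` switch and the `port_audit.sh` name are assumed usage.

```shell
#!/bin/sh
# Port-evaluation script (added example; not the paper's code). Compares the
# listening sockets on a Linux VM against a documented baseline, attributes
# each port to a process where ss can see one, and cross-references ports
# with the RPC portmapper registrations so kernel-served RPC ports (nfsd,
# lockd) can still be explained. All data below is constructed.

# Assumed baseline of documented, legitimate listening ports.
BASELINE_PORTS="22 111 2049"

# Constructed sample of `ss -Hltnup` output. Ports 2049 and 35931 carry no
# users:(...) field because the listener belongs to a kernel thread, which is
# the hard-to-trace case the abstract describes.
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=640,fd=8))
tcp LISTEN 0 64 0.0.0.0:2049 0.0.0.0:*
tcp LISTEN 0 64 0.0.0.0:35931 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:48417 0.0.0.0:* users:(("rpc.mountd",pid=701,fd=5))'

# Constructed sample of `rpcinfo -p` output.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    1   tcp  48417  mountd
    100021    1   tcp  35931  nlockmgr'

# rpc_service PORT PROTO: RPC program registered on PORT/PROTO, or "-".
rpc_service() {
    printf '%s\n' "$RPC_DATA" | awk -v p="$1" -v pr="$2" '
        $1 ~ /^[0-9]+$/ && $4 == p && $3 == pr { print $5; found = 1; exit }
        END { if (!found) print "-" }'
}

# classify_ports: read ss lines on stdin; print "proto port owner rpc verdict".
#   BASELINE        documented port
#   UNKNOWN         undocumented port with a visible owning process
#   UNKNOWN-NO-PID  undocumented port with no owning PID (kernel or hidden)
classify_ports() {
    while read -r proto _state _rq _sq laddr _peer users; do
        [ -n "$proto" ] || continue
        port=${laddr##*:}
        case "$users" in
            *pid=*) owner=$(printf '%s' "$users" |
                        sed 's/.*(("\([^"]*\)",pid=\([0-9]*\).*/\1[\2]/') ;;
            *)      owner="-" ;;
        esac
        verdict="UNKNOWN"
        for b in $BASELINE_PORTS; do
            [ "$b" = "$port" ] && verdict="BASELINE"
        done
        if [ "$verdict" = "UNKNOWN" ] && [ "$owner" = "-" ]; then
            verdict="UNKNOWN-NO-PID"
        fi
        printf '%s %s %s %s %s\n' "$proto" "$port" "$owner" \
            "$(rpc_service "$port" "$proto")" "$verdict"
    done
}

# count_verdict VERDICT: number of sockets in the current data set with VERDICT.
count_verdict() {
    printf '%s\n' "$SS_DATA" | classify_ports | awk -v v="$1" '$5 == v' | wc -l | tr -d ' '
}

# Live mode (assumed usage: `sh port_audit.sh --live`, run as root so ss can
# attribute every socket to a process); otherwise the constructed samples run.
if [ "${1:-}" = "--live" ]; then
    SS_DATA=$(ss -Hltnup)
    RPC_DATA=$(rpcinfo -p 2>/dev/null || true)
else
    SS_DATA=$SAMPLE_SS
    RPC_DATA=$SAMPLE_RPCINFO
fi

printf '%s\n' "$SS_DATA" | classify_ports
```

On the sample data the report flags port 35931 as UNKNOWN-NO-PID, but the `rpcinfo` column attributes it to nlockmgr, the NFS lock manager that runs in the kernel, so the administrator can decide whether to document it in the baseline and open it in the firewall, or to leave the default-deny rule in place as the paper's case did. Two caveats apply when running live: `ss -p` only names processes the caller is allowed to inspect, so an unprivileged run reports more unowned sockets than really exist, and a port with no PID and no `rpcinfo` registration remains a genuinely unexplained listener that warrants investigation.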