Virtually Speaking

Dan Kusnetzky, Paula Rooney and Ken Hess

Neocleus secure access

By Dan Kusnetzky | September 25, 2008, 3:00am PDT

I’m doing my best to go through my VMworld notes and post on a few of the more interesting demonstrations seen there. While walking the trade show floor at VMworld, I saw an interesting presentation of how a type 1 hypervisor combined with an isolated Windows virtual machine could add up to a way to create a secure environment even though the remote staff member is operating in an environment that offers little to no security (such as a coffee house or airport lounge WiFi network) or on a machine that is not secure (such as a kiosk).

Here’s what the Neocleus product literature says:

The Problem: Securing access to corporate resources from outside the corporate perimeter is a major headache for IT. Worries about data leakage, adherence to corporate computing compliance policies and the impact Internet services have on business continuity are a few challenges facing IT when providing remote access solutions.

The Solution: Neocleus leverages client-hosted, type 1 virtualization (also referred to as endpoint virtualization) to fundamentally change the way organizations secure the enterprise. With Neocleus, multiple instances of isolated Windows environments run concurrently on a single device and work as secure “containers” of functionality safe from attack. Neocleus supports RDP, ICA, application and Web interfaces with the option to run other Windows-based applications. Applications and services maintain complete access to all the capabilities offered by the underlying hardware, while user experience and application performance are not compromised. Innovative approaches to authentication and configuration management provide IT with a secure remote access solution that is predictable and easy to control.

Neocleus delivers secure access to corporate resources.

The Result: Neocleus is the best possible solution for protecting access to company resources inside and outside the corporate perimeter.

Snapshot analysis

Although there are many ways to create a secure environment, Neocleus appears to have developed something interesting and new. They’ve found a way to “slip” a type 1 hypervisor underneath an established operating system so that security can be enforced at a new level, one that is outside of the operating system itself. This approach also means that a secure container that encapsulates corporate applications and data can either be accessed remotely from a system whose security is in question or delivered down to that system.

Although I’m rather skeptical of add-on approaches to security rather than “baked in” models, this approach appears to address most, if not all, of the drawbacks of other methods.

If you’ve not had the opportunity to see their demo, it’s pretty impressive.


Daniel Kusnetzky is a distinguished analyst and the founder of the Kusnetzky Group LLC.

Disclosure

Dan Kusnetzky

The Kusnetzky Group LLC is an independent technology industry research firm that focuses on system software, virtualization and cloud computing technology.

Dan's opinions are based upon research, personal experiences and actual use of technology. They are not based upon the relationships the company may or may not have with suppliers, end user organizations, the media, consultants or other analysts.

Dan's research is available on a subscription basis through the Kusnetzky Group LLC. Dan's attendance at industry events or at client meetings may be sponsored by the client. Clients may provide hardware or software for testing prior to the publication of analysis that includes that product. Clients may also provide shirts, jackets, coffee cups, folders, backpacks, pens and other event tchotchkes. While nice, these don't affect Dan's opinions or insight about those clients or their products.

Biography

Dan Kusnetzky

Daniel Kusnetzky, Analyst and Founder of Kusnetzky Group LLC, is responsible for research, publications, and operations. Mr. Kusnetzky has been involved with information technology since the late 1970s. Mr. Kusnetzky has been responsible for research operations at the 451 Group; corporate and marketing strategy for Open-Xchange; system software and virtualization research at IDC; and program and product management at Digital Equipment Corporation. Today, Mr. Kusnetzky focuses on system software, virtualization technology and cloud computing.

2 Comments

Neocleus is not secure
DavidRottenberg 25th Sep 2008
Neocleus' security architecture is flawed at its basic level. The architecture uses a software mechanism to provide direct physical device assignment to virtual machines, such as graphics cards and wireless networks. It does not support hardware based direct I/O assignment or a hardware based IOMMU, known on the Intel platform as VT-d technology. Instead, Neocleus engineers came up with their own software based scheme, known in the Xen community as 1:1 mapping (http://www.xen.org/files/xensummit_4/Neocleus_HVM_PCI_Pass-through_Zana.pdf). Their scheme provides a software based IOMMU, which is inherently flawed in its security model. An errant DMA transfer in one virtual machine is capable of writing into the memory of another virtual machine; can you say, "no more memory protection or isolation between virtual machines"? Given this huge security flaw, it would take no time to write a key stroke logger or denial of service attack against any VM running on this device. The only way to achieve true security and reliability between multiple virtual machines sharing the same piece of hardware is to use hardware support for direct assignment or VT-d; any other solution is not secure.
0 Votes
+ -
Think out of the box!
etay.bogner 26th Sep 2008
Neocleus developed the 1:1 memory mapping to specifically support the majority of computers in the market today which are non-IOMMU platforms. In fact, Neocleus utilizes an IOMMU if the platform of course has one. So our intent was not to "replace" IOMMUs; rather to overcome its absence in the platforms that are used by most users today.

Since the first commercially available Intel chipset that supported an IOMMU was Intel's Q35, which was released for desktops only a year ago, and for laptops just recently (the Centrino 2), it is essential that any client-hosted, type 1, virtualization solution support both non-IOMMU and IOMMU platforms. This dual support is especially critical given that the pace of PC replacement may slow in light of today's economic situation.

I believe Neocleus is the only client-hosted, type 1, virtualization player supporting device pass-through on both non-IOMMU and IOMMU platforms. We believe it is required that a solution will feature all-around device pass-through (think Wireless, PC Cards/3G Cards, ACPI etc.). Supporting only Graphics pass-through (a difficult task as it is with or without an IOMMU) will not be enough to address real use cases (compared to a demo).

There is no "perfect" solution and there will never be one. An IOMMU is no golden bullet either, as one can see below, and it gets to be very difficult to create those attacks anyway. Neocleus' approach comes the closest to providing the usability, performance, device compatibility and security organizations want and need. And we at Neocleus are proud of our accomplishments.

Please see the following "un-biased" external links for additional background:

"Preventing and Detecting Xen Hypervisor Subversions":
http://invisiblethingslab.com/bh08/part2.pdf

For educational purposes, addressing specifically your remarks about security, here is one possible solution to the 1:1 DMA weakness (there are others):
http://www.invisiblethings.org/papers/cheating-hardware-memory-acquisition-updated.ppt
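To make the point the two commenters are arguing over concrete, here is a small C model added for this page. It is not Neocleus code and is not taken from the Xen Summit slides or the Invisible Things Lab material linked above; the VM layout, page counts, payload and the `dma_write` / `iommu_domain_t` names are all constructed for the illustration. It shows the single property in dispute: under a pure 1:1 mapping, the address a pass-through device places on the bus is already a machine address, so a device owned by one VM can write anywhere, including another VM's pages. An IOMMU domain that maps only the owning VM's pages faults that access while still letting the device DMA into its own VM's memory.

```c
/* Added illustration of the DMA-isolation argument in the comments above.
 * Not Neocleus code and not a model of any real chipset: RAM is a byte
 * array, each VM owns a contiguous run of 4 KiB pages, and a device
 * assigned to a VM issues DMA writes. With no IOMMU (the 1:1 case) the
 * bus address a device emits IS a machine address; with an IOMMU the
 * address is first translated through the device's domain page table and
 * refused when that page is not mapped into the domain. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096u
#define NUM_PAGES 16u                       /* 64 KiB of modelled RAM */
#define MEM_SIZE  (PAGE_SIZE * NUM_PAGES)

static uint8_t machine_mem[MEM_SIZE];

typedef struct {                            /* a VM's slice of machine RAM */
    unsigned first_page;
    unsigned num_pages;
} vm_t;

typedef struct {                            /* IOMMU domain for one device */
    int map[NUM_PAGES];                     /* bus page -> machine page, -1 = unmapped */
} iommu_domain_t;

/* Identity-map only the owner's pages into the device's domain. */
static void iommu_domain_init(iommu_domain_t *d, const vm_t *owner)
{
    for (unsigned i = 0; i < NUM_PAGES; i++)
        d->map[i] = -1;
    for (unsigned p = owner->first_page; p < owner->first_page + owner->num_pages; p++)
        d->map[p] = (int)p;
}

/* A device DMA-writes len bytes (within one page) to bus address addr.
 * dom == NULL is the no-IOMMU / 1:1 path. Returns 1 if the bytes landed in
 * machine memory, 0 if the IOMMU faulted the access or it was malformed. */
static int dma_write(const iommu_domain_t *dom, uint32_t addr,
                     const uint8_t *src, size_t len)
{
    if (len == 0 || len > PAGE_SIZE || (uint64_t)addr + len > MEM_SIZE)
        return 0;
    if (addr / PAGE_SIZE != (addr + (uint32_t)len - 1) / PAGE_SIZE)
        return 0;                           /* crosses a page: keep the model simple */

    uint32_t machine_addr = addr;           /* 1:1: bus address is the machine address */
    if (dom) {
        int mpage = dom->map[addr / PAGE_SIZE];
        if (mpage < 0)
            return 0;                       /* DMA remapping fault: nothing is written */
        machine_addr = (uint32_t)mpage * PAGE_SIZE + addr % PAGE_SIZE;
    }
    memcpy(&machine_mem[machine_addr], src, len);
    return 1;
}

static const vm_t VM_CORP = { 0, 8 };       /* constructed: "corporate" container, pages 0-7 */
static const vm_t VM_PERS = { 8, 8 };       /* constructed: "personal" environment, pages 8-15 */
static const uint8_t PAYLOAD[] = "hostile"; /* constructed DMA payload */

/* The guest in VM_CORP programs its pass-through device with an address
 * inside VM_PERS. Returns 1 if VM_PERS's memory was overwritten. */
int device_of_corp_corrupts_pers(int use_iommu)
{
    iommu_domain_t dom;
    uint32_t target = VM_PERS.first_page * PAGE_SIZE;

    memset(machine_mem, 0, MEM_SIZE);
    iommu_domain_init(&dom, &VM_CORP);
    if (!dma_write(use_iommu ? &dom : NULL, target, PAYLOAD, sizeof PAYLOAD))
        return 0;
    return memcmp(&machine_mem[target], PAYLOAD, sizeof PAYLOAD) == 0;
}

/* The same device writing into its own VM's memory: legitimate either way. */
int device_of_corp_writes_own_memory(int use_iommu)
{
    iommu_domain_t dom;
    uint32_t target = VM_CORP.first_page * PAGE_SIZE + 256;

    memset(machine_mem, 0, MEM_SIZE);
    iommu_domain_init(&dom, &VM_CORP);
    if (!dma_write(use_iommu ? &dom : NULL, target, PAYLOAD, sizeof PAYLOAD))
        return 0;
    return memcmp(&machine_mem[target], PAYLOAD, sizeof PAYLOAD) == 0;
}

int main(void)
{
    printf("1:1 mapping, no IOMMU  : cross-VM DMA lands = %d, own-VM DMA lands = %d\n",
           device_of_corp_corrupts_pers(0), device_of_corp_writes_own_memory(0));
    printf("IOMMU domain per device: cross-VM DMA lands = %d, own-VM DMA lands = %d\n",
           device_of_corp_corrupts_pers(1), device_of_corp_writes_own_memory(1));
    return 0;
}
```

Build with any C99 compiler and run: the cross-VM write lands in the no-IOMMU run and is refused with the IOMMU, while the device's write into its own VM succeeds in both. The model only covers the address-translation property; it deliberately leaves out what a deployment also depends on, namely that the hypervisor rather than the guest owns the IOMMU tables and the device's configuration space, and that the IOMMU is enabled before any device can DMA, which is the sense in which the second commenter's remark that an IOMMU is "no golden bullet" should be read.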

