2.11. VM Virtual Patch¶
2.11.1. Overview¶
VM-Virtual Patch is a service that detects and/or protects the VM from attacks on vulnerabilities. For OS and application vulnerabilities, it is a service that provides signatures that provide solutions equivalent to the security patches provided by application vendors.
2.11.2. Features¶
The following features are available for VM Virtual Patch.
| Feature | Overview |
| VM Virtual Patch | A feature that detects or protects against (blocks) attack traffic directed against vulnerabilities. |
| Recommended Scan | A feature that scans VM system information, checks whether there are vulnerabilities, and automatically applies VM Virtual Patch corresponding to those vulnerabilities. |
2.11.2.1. VM Virtual Patch¶
You can select “Detection” mode or “Prevention” mode.
| Mode | Overview |
| Detection | Attack traffic is detected.
However, traffic is not blocked even though attack traffic is detected.
|
| Prevention | Attack traffic is detected.
Traffic is blocked when attack traffic is detected.
|
Virtual Patching is a feature to verify packets contents by using kernel mode driver bound to Layer 2 (data link layer) and matches them to the patterns of protocol violation and signature. It identifies and/or prevents the packets matching the pattern as packets attacking vulnerabilities.
2.11.2.2. Recommended Scan¶
Recommended scan scans system information of a VM periodically and checks vulnerability existence. It can also automatically apply virtual patches which corresponding to those vulnerability.
The Virtual Patches are effective against vulnerability in OS and installed general applications (e.g. apache).
You can specify the schedule by one of the following parameters.
| Items | Overview |
| Hourly | You can specify “X minutes after the hour” every hour. |
| Daily | You can specify “Every day”, “Weekdays” or “Every X days” and time. |
| Weekly | You can specify “Every Yday of the week” or “Yday of every X weeks” and time. |
| Monthly | You can specify “The Xth of each month” or “The Xth Yday of each month” and time. |
Note: Xs represent numbers and Ydays represent days of the week in the table above.
The Virtual Patch is applied to the detected vulnerabilities. If you have applied a legitimate patch, the virtual patch will be removed during the recommendation scanning.
2.11.3. Restrictions¶
Restrictions relating to OS and resources- The following table shows the system requirements of software agent. Availability of service providing also depends on supported OS of Enterprise Cloud itself and kernel version of Linux OS. You should ask the availability of them to NTT Com Group.
| Items | Requirements | |
|---|---|---|
| Memory size | Minimum Value: 512 MB | |
| Disk size | Minimum Value: 1GB | |
| OS | Windows | Windows 8 (32bit/64bit) |
| Windows server 2012 (64bit) | ||
| Windows 7 (32bit/64bit) | ||
| Windows server 2008 R2 (64bit) | ||
| Windows Server 2008 (32bit/64bit) | ||
| Windows Vista (32bit/64bit) | ||
| Windows Server 2003 SP1 (32bit/64bit) with patch “Windows Server 2003 Scalable Networking Pack” | ||
| Windows XP (32bit/64bit) | ||
| Linux | Red Hat 5 (32bit/64bit) | |
| Red Hat 6 (32bit/64bit) | ||
| CentOS 5 (32bit/64bit) | ||
| CentOS 6 (32bit/64bit) | ||
| SuSE 10 (32bit/64bit) | ||
| SuSE 11 (32bit/64bit) | ||
| Ubuntu 10.04 LTS (64bit) | ||
| Ubuntu 12.04 LTS (64bit) | ||
- You are responsible for the installation of agents to their VMs.
- You cannot use other antivirus software than VM Anti-Virus together with this service. Make sure to uninstall other antivirus software before using this service.
- Do not upload agents by mounting ISO image files or CD/DVD drives when uploading it to the VMs.
- When the target VM is in a segment which is not directly connected to the vFW/INA, an additional server segment is required to directly connect the vFW/INA and the VM.
- You need to apply the legitimate security patches provided by each application vendor for the fundamental solutions because virtual patches are not software code corrections, but temporary measures.
- You are responsible for activation confirmation (constant monitoring) of agents.
- Please set IPv6 to ON or OFF correctly when using VM Anti-Virus.
- Please use a VM without this service installed for Create Template feature of Private Catalog menu. If a template is created from a VM where the agent is installed or installation and activation is completed, when a VM is replicated from that template, this service will no longer be available for the newly replicated VM and the VM used for creating that template. The same applies when used for image backup.
- VM Virtual Patch does not guarantee that the provided VM Virtual Patch feature has integrity or accuracy, or is suitable for your use. Furthermore, the suitability of the signatures (algorithms that judge the degree of danger and attack traffic) provided by the developers or distributors of the devices making up the VM Virtual Patch feature is not guaranteed.
- The following information might be provided to the developers or distributors of the devices making up the VM Virtual Patch feature.
- Configuration information obtained from providing VM Virtual Patch
- Information obtained from controlling VM Virtual Patch, etc.
- We cannot guarantee recovery from failures that might occur due to incompatibility between the VM Virtual Patch feature and your environment, or failures that occur due to your operations other than those specified by NTT Com group.