
Sandboxing security: A cure-all strategy for virtual environments?

Sandboxing is a limited technology. Expert Brad Casey explores the margins and supplemental products organizations can use in virtual environments.

Brad, I know you've been an advocate for using virtualization/sandboxing to detect malware, but I've seen other security analysts say that sandboxing is limited because of the inability to cover all platforms and targeted attacks. Would you agree with this assessment? What would you say the limitations to virtualized environments are from a security perspective, and how should they be supplemented?


I would certainly agree with this assessment. While I am a big fan of offloading packets that contain executables to a separate device, executing them, and testing for malicious code, I am not fond of utilizing this solely. Much like your investment portfolio, your security strategy should be diversified, namely via a network security defense-in-depth paradigm.

In terms of limitations, many of the concerns raised concern application sandboxes that execute files on the same box on which the sandbox resides, which is a little different from the offloading scenario mentioned above. Application sandboxing has some profound limitations, and many, if not all, of them stem directly from inherent weaknesses in the underlying operating system.

A number of recent sandbox escapes are directly related to weaknesses in the Windows kernel. Perhaps the most infamous of these kernel exploits is a piece of malware known as Duqu. In a nutshell, Duqu abused a characteristic of Microsoft Word: rendering a document requires the Word application to call into the kernel and manipulate the underlying font engine, so a malformed font in a document reaches kernel-mode code. Admittedly, kernel exploits require a unique degree of sophistication to write, but they are nonetheless a threat to be monitored.

With regard to sandbox supplementation, I suggest pairing strict access control lists at the firewall with some sort of deep packet inspection mechanism. While sandboxing may have limitations, it can still run executables and observe the outbound callouts the code makes. If those callouts are known to be malicious, your sandboxing efforts are not for nothing: you can feed the observed destinations back into the firewall and use them to discard the accompanying packets.
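The feedback loop described above, as an added example that is not part of the original article: callouts recorded while a sample is detonated in the sandbox are checked against known-bad indicators, turned into firewall deny rules, and matched against flow logs. The sandbox report, the indicator set, the flow log lines and the ACL syntax are all constructed for illustration.

```python
import ipaddress

# Constructed sandbox report: callouts observed while detonating one sample.
SANDBOX_CALLOUTS = [
    {"dst": "203.0.113.10", "dport": 443, "host": "update.example-bad.test"},
    {"dst": "198.51.100.7", "dport": 8080, "host": None},
    {"dst": "192.0.2.25", "dport": 80, "host": "cdn.example.test"},
]

# Constructed intel: callouts already known to be malicious.
KNOWN_BAD_HOSTS = {"update.example-bad.test"}
KNOWN_BAD_NETS = [ipaddress.ip_network("198.51.100.0/24")]

def is_known_malicious(callout):
    """True if the callout matches a known-bad host name or IP range."""
    if callout.get("host") in KNOWN_BAD_HOSTS:
        return True
    addr = ipaddress.ip_address(callout["dst"])
    return any(addr in net for net in KNOWN_BAD_NETS)

def build_deny_rules(callouts):
    """One deny rule per confirmed-malicious destination (hypothetical ACL syntax)."""
    return [f"deny tcp any host {c['dst']} eq {c['dport']}"
            for c in callouts if is_known_malicious(c)]

def parse_flow(line):
    """Parse a constructed 'key=value' flow log line into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"src": fields["src"], "dst": fields["dst"], "dport": int(fields["dport"])}

def flows_to_discard(callouts, flow_lines):
    """Return (src, dst, dport) of flows that hit a sandbox-confirmed malicious callout."""
    blocked = {(c["dst"], c["dport"]) for c in callouts if is_known_malicious(c)}
    hits = []
    for line in flow_lines:
        f = parse_flow(line)
        if (f["dst"], f["dport"]) in blocked:
            hits.append((f["src"], f["dst"], f["dport"]))
    return hits

# Constructed flow log: the benign CDN flow must survive, the two bad ones must not.
FLOW_LOG = [
    "src=10.0.0.5 dst=203.0.113.10 dport=443",
    "src=10.0.0.9 dst=192.0.2.25 dport=80",
    "src=10.0.0.7 dst=198.51.100.7 dport=8080",
]

if __name__ == "__main__":
    for rule in build_deny_rules(SANDBOX_CALLOUTS):
        print(rule)
    print(flows_to_discard(SANDBOX_CALLOUTS, FLOW_LOG))
```

Only callouts that match existing intel become rules, so a benign CDN contact made by a malicious sample does not get blocked for every host on the network.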

This was last published in April 2014

