The invention generally relates to generating a chain of trust for a virtual endpoint.
Due to the ever-increasing processing speeds of modern servers, functions that traditionally ran on multiple separate servers may be consolidated using a virtual environment. In the virtual environment, a virtual machine monitor (VMM) creates virtual machines that are essentially self-contained platforms, as each virtual machine has its own instance of an operating system stack. The virtual machines may therefore, as an example, function as independent servers while remaining isolated from each other.
Besides increasing server utilization, the virtual environment may be advantageous in other respects. For example, each virtual machine is isolated from software faults in the other virtual machines. Therefore, duplicate virtual machines may serve as redundant database servers, with one of the servers being the active server and the other being the backup server. The software isolation that is provided by the virtual environment also hinders security threats from propagating among the virtual machines.
Referring to FIG. 1, a particular virtual machine, acting as a client, or virtual endpoint 5, may need to connect to or exchange data with an external address space, such as a network 7 (for example). However, connection to the network 7 may not be allowed until the network 7 trusts the endpoint 5 to some degree. To establish this trust, the endpoint 5 may furnish integrity, or posture, data to a verifier, such as a policy decision point (PDP) 8. The PDP 8 evaluates the posture data to ascertain whether the endpoint 5 meets a minimum level of trust for the intended operation or data communication.
For example, the posture data that is provided by the endpoint 5 may indicate such information as the virus definition file currently being used by the endpoint 5, the versions of the antivirus and firewall software currently executing on the endpoint 5, the patch levels of certain software executing on the endpoint 5, etc. If the posture data does not show that the criteria required for connection to the network 7 are met, then the PDP 8 may refuse the connection; or alternatively, the PDP 8 may refer the endpoint 5 to a server 12 so that updated software may be downloaded to the endpoint 5 to bring the endpoint 5 into compliance.
A potential vulnerability of the above-described trust verification scheme is that a rogue process on the endpoint 5 may be aware of the “correct” posture data to furnish to the PDP 8. For example, the endpoint 5 may be infected with a particular virus that itself provides posture data to the PDP 8, incorrectly indicating that the endpoint 5 is immune to the virus. Because the posture data are self-reported by the endpoint 5, the PDP 8 has no independent means of distinguishing such forged posture data from genuine posture data.
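The following is an added illustration, not part of the original patent text, of the posture evaluation performed by the PDP 8 and of the weakness just described. The component names, version numbers and policy thresholds are constructed for the example; the three outcomes (allow, refer to an update server in the role of the server 12, or refuse) follow the text above. The last function plays the role of the rogue process: it reports whatever the policy requires, and the PDP, seeing only the report, reaches the same decision as for a genuinely compliant endpoint.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow connection to the network"
    REMEDIATE = "refer endpoint to the update server"
    DENY = "refuse connection"


@dataclass(frozen=True)
class Policy:
    # component -> minimum acceptable version tuple (constructed values)
    minimums: dict
    update_server: str  # assumed name for the server-12 role


def evaluate(policy: Policy, posture: dict) -> tuple:
    """Evaluate self-reported posture against the policy.

    posture maps component -> reported version tuple, or None if the
    component is reported as not installed.  A component missing from the
    report is treated as absent.  Returns (Decision, {component: reason}).
    Note the PDP sees only the report; it cannot inspect the endpoint.
    """
    findings = {}
    for component, minimum in policy.minimums.items():
        reported = posture.get(component)
        if reported is None:
            findings[component] = "not installed"
        elif reported < minimum:
            findings[component] = f"{reported} below required {minimum}"
    if not findings:
        return Decision.ALLOW, findings
    # A version shortfall can be cured by downloading updates; a required
    # component that is absent altogether cannot, so the connection is refused.
    if any(reason == "not installed" for reason in findings.values()):
        return Decision.DENY, findings
    return Decision.REMEDIATE, findings


# Constructed policy and endpoint reports for the example.
POLICY = Policy(
    minimums={
        "virus_definitions": (2024, 5, 1),
        "antivirus": (12, 0),
        "firewall": (3, 4),
        "kernel_patch": (5, 15, 8),
    },
    update_server="updates.example.internal",
)

COMPLIANT = {"virus_definitions": (2024, 6, 3), "antivirus": (12, 1),
             "firewall": (3, 5), "kernel_patch": (5, 15, 9)}
STALE = dict(COMPLIANT, virus_definitions=(2024, 1, 1))
MISSING_FIREWALL = dict(COMPLIANT, firewall=None)

# What an infected host actually has: its definitions predate the virus.
INFECTED_TRUE_STATE = dict(COMPLIANT, virus_definitions=(2023, 11, 1))


def forge_report(policy: Policy, true_state: dict) -> dict:
    """Model the rogue process: report each required component at exactly
    the policy minimum, regardless of the host's real state."""
    return {component: minimum for component, minimum in policy.minimums.items()}


if __name__ == "__main__":
    for label, report in [("compliant", COMPLIANT), ("stale", STALE),
                          ("no firewall", MISSING_FIREWALL),
                          ("infected, honest", INFECTED_TRUE_STATE),
                          ("infected, forged", forge_report(POLICY, INFECTED_TRUE_STATE))]:
        decision, findings = evaluate(POLICY, report)
        print(f"{label:18s} -> {decision.value}; {findings}")
```

The honest report from the infected host is referred for remediation, but the forged report is allowed exactly as the compliant endpoint is: nothing in the exchange binds the posture data to the actual state of the endpoint, which is the gap a chain of trust rooted below the operating system is meant to close.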
Thus, there is a continuing need for better ways to establish trust for a virtual endpoint.