Archive for March, 2012
Minotaur uses several virtualization technologies from different vendors. In case this is useful for others setting up their own dynamic analysis environments, I thought it would be a good idea to chronicle some of our efforts here.
On our workstations we run a combination of VMWare, VirtualBox, and Parallels, depending on the specific needs of the analyst. On the workstation side, I think these solutions are so similar that we don’t really have a favorite.
Our dynamic analysis is split into two parts: one side runs samples through ZeroWine on 24 VMs running in Proxmox, and the main Windows runtime analysis is performed in CuckooBox, running in VirtualBox on a dedicated server.
Our primary infrastructure runs on two Proxmox nodes. This infrastructure covers the collectors, databases, analyst workstation VMs, and the data environments. Proxmox gives Minotaur great VM density and allows us to run more than 60 active virtual machines on two off-the-shelf hardware nodes. Until very recently, all of the storage was local on the servers, so even though Proxmox features live migration capabilities, we were unable to use them in-house.
Enter our new storage array from Synology, the DS1812+. The Synology box gives us the ability to centralize our storage using iSCSI LUNs while still being a pretty affordable solution.
So the idea was that I would just migrate some of the Proxmox nodes to central storage so that we would have better availability and load balancing capabilities. But then I became aware of some of Citrix’s current offerings, namely XenServer and XenDesktop, including the free versions of each. I especially took notice of the management capabilities of the systems using Windows consoles. I can also see how direct Citrix access to the workstations would be of great value to our analysts. So I decided to start a pilot. I’ve since offloaded two of our physical servers that were running internal infrastructure to the Synology box, loaded XenServer on the first, and will load the second one up as a Windows server to run the XenDesktop components in the near future.
So far the setup has been very easy after getting used to the different conventions. Setting up all the VLANs was easy, and setting up the iSCSI LUN was a snap as well. I decided to try running a conversion for the first box, so I converted a Linux Mint VM from VMWare Workstation. This did not go so well, but I would not use a converted machine for production anyway; it is always best to build a clean image on the target architecture. I would also guess that a Windows workstation would have gone more smoothly, as that’s usually what conversion tools are catered toward.
Having installed the first server VM and set up the guest tools, everything looks to be running pretty smoothly now.
Minotaur is up for a rewrite of the backend components as we move to the current versions of CuckooBox that include MAEC reporting (among other significant improvements), which will hopefully increase Minotaur’s benefit to the community. With major components being upgraded and re-tooled for this environment, now seemed like a good time to review our options for the entire infrastructure. It will be a while before any decisions are made and we know what fits our needs best, but I do like playing with new technologies.