The Virtualization Practice

Author Archive for Edward Haletky

Edward Haletky
Edward HaletkyEdward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and The Virtualization Practice where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization. [All Papers/Publications...]

It is often very hard to plan which virtualization and cloud conferences to attend and why. You may need to start your planning now as justification from work could be hard to come by. It may mean you make the decision to go on your own dime. If you do the later, there are some alternative mechanisms that could work for the bigger conferences. The conferences and events I attend every year depend on my status with the organization hosting those events, and whether or not I can get a ‘deal’ as a speaker, analyst, or blogger. So what conferences do I find worth attending? That will also depend on your job role. There is one I would attend regardless of role, and a few I would attend as a Virtualization and Cloud Security person. All are good conferences.

This years Innovation Sandbox at RSA Conference was won by a little know company to virtualization and cloud security vendors, its name is Invincea. However, it makes use of virtualization to aid in security. This years finalists once more included HyTrust for the inclusion of what appears to be complete UCS support within the HyTrust Appliance, Symplified which provides a unified identity within a cloud, CipherCloud which encrypts bits of your data before uploading, but not enough encryption to mess with sort and other algorithms. Plus other non-cloud like products: Entersect (non-repudiation in the form of PKI), Gazzang (MySQL Encryption), Incapsula (collaborative security to browsers), Pawaa (embed security metadata with files), Quaresso (secure browsing without browser/OS mods), and Silver Tail (mitigation).

Unlike last year where there were many virtualization security vendors existed at RSA Conference, there was a noticeable lack of them within booths, yet all of them were here to talk to existing and potential customers. However, there were many vendors offering identity management in the cloud for these I asked the identity management product owners the following question:

How can you prove identity in the cloud?

Distributed Virtual Switch Failures: Failing-Safe

In my virtual environment recently, I experienced two major failures. The first was with VMware vNetwork Distributed Switch and the second was related to the use of a VMware vShield. Both led to catastrophic failures, that could have easily been avoided if these two subsystems failed-safe instead of failing-closed. VMware vSphere is all about availability, but when critical systems fail like these, not even VMware HA can assist in recovery. You have to fix the problems yourself and usually by hand. Now after, the problem has been solved, and should not recur again, I began to wonder how I missed this and this led me to the total lack of information on how these subsystems actually work. So without further todo, here is how they work and what I consider to be the definition for fail-safe.

On the second Virtualization Security Podcast of 2011, we had Doug Hazelman of Veeam as our guest panelist to discuss backup security. Since most of backup security relies on the underlying storage security, we did not discuss this aspect very much other than to state that the state of the art is still to encrypt data at rest and in motion. What we did discuss is how to determine where your data has been within the virtual or cloud environment. This all important fact is important if you need to know what disks or devices touched your data. An auditing requirement for high security locations. So we can take from this podcast several GRC and Confidentiality, Integrity, and Availability elements

You heard the buzzwords and drunk the kool-aid and now you want to move to the cloud, how do you do this? This has been the a fairly interesting question on the VMware Communities Podcast yesterday, when the vCloud team showed up to talk about the current reference architecture. Yet almost all the questions were about going to the cloud and not about the architecture. Does this mean people do not understand what is required to go to the cloud? I think so. So to take a few elements from the podcast and put them in writing is the goal of this article. The Simple Steps to move to the cloud.

Given the VNXe’s expandability to include fibre channel cards in the future. This storage looks very attractive to those SMBs who have made the investment previously to move towards fibre. Making use of your existing infrastructure whether fabric or Ethernet would lower the cost of adoption for the low-end EMC product. The VNXe’s expandability is one of those items that makes it an attractive tool for other uses. What are those other uses with respect to security, DR, BC, and disaster avoidance?

Chad Sakac mentions on his blog that VNXe “uses a completely homegrown EMC innovation (C4LX and CSX) to virtualize, encapsulate whole kernels and other multiple high performance storage services into a tight, integrated package.” Well this has gotten me to thinking about other uses of VNXe. If EMC could manage to “refactor” or encapsulate a few more technologies, I think we have the makings of a killer virtualization security appliance. Why would a storage appliance spur on thinking about virtualization security?

In the first Virtualization Security Podcast of 2011, we had Brad Hedlund with us once again. Not to talk about the Cisco Virtualization Security Gateway (VSG), but about the security of what I call physical-virtual devices that provide network virtualization within the hardware. Or what Brad Called Network ID Virtualization (NIV). Cisco has taken its VN-Link technology to extend the networking of a VM directly into the core switch when using vSphere.

Google Circle
Join my Circle on Google+

Plugin by Social Author Bio