The Virtualization Practice

Author Archive for Edward Haletky

Edward Haletky
Edward HaletkyEdward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and The Virtualization Practice where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization. [All Papers/Publications...]

The Virtualization Security Podcast on 8/5 was all about VMware vShield Zones and how the currently beta version will provide defense in depth, be a lever to achieve Secure Multi-Tenancy, and its impact on the virtualization security echo system. Dean Coza, Director of Product Management for Security Products at VMware joined us to discuss the vShield Zones Beta which consists of 3 parts given names and a nameless third part that was hinted at and we shall see more about at VMworld.

In the End-to-End Virtualization Security Whitepaper we review various aspects of server security with an eye to determining how the products would work together to create a secure virtual environment. While some of these tools are cross-platform, the vast majority of them are geared specifically to VMware vSphere.

In this post we will look at Server Security, and we will follow-up with another post about Desktop Security? Are these very different? I believe so, desktops have daily, second by second user interactions. For desktops, one of the most important aspects is look and feel such as response time for actions. So things need to be as fast as possible. With Servers however, user interactions are limited and therefore have slightly different performance and security requirements. What may be acceptable for a server may not be acceptable for a desktop. So what do the tools provide for servers?

The Wall Street Journal had an interesting article on the United States General Services Administration has approved the acquisition of some cloud services for use by the Federal Government including many of the Google Apps such as Gmail, Google Docs, etc. Since these services are for sale as well as freely available this sounds more like an admission that they can be used. Will other governments follow suit? But should they be used? That is really the question.

There are two sides to any government, the classified and the unclassified. These are general terms that quantify how the government can use services. While all services require quite a bit of security, classified utilization requires even more, in many cases what most would consider to be “uber-security” requirements. The types of requirements that impact usability in some way. Can these tools provide adequate security?

The Virtualization Security Podcast on 7/22 was all about the news of the week with our panelists discussing how this news affects everyone and anyone with respect to Virtualization Security. The news discussed:

* NIST Released their Guide to Security for Full Virtualization Technologies (Draft)
* There is a Security issue with VMware vSphere 4.1
* VMware discussed the new vShield Zones Edge and vShield App products
* HyTrust and Catbird announced a cooperative effort

When you read books on virtualization, cloud computing, security, or software product sheets a common word that shows up is Policy. Tools often claim to implement Policy, while books urge you to read or write your Policy. But what does Policy imply?

Webster (webster.com) defines policy as:

1 a : prudence or wisdom in the management of affairs b : management or procedure based primarily on material interest
2 a : a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions b : a high-level overall plan embracing the general goals and acceptable procedures especially of a governmental body

When you read policy in product literature and books we are looking at definition number 2 and often a over b. But what does this mean to those who administer and run virtual environments or make use of cloud services?

vSphere 4.1 Released – More Dynamic Resource Load Balancing

With the release of vSphere 4.1, VMware has added to their Dynamic Resource Load Balancing (DRLB) suite of tools that I hinted at in my post on Dynamic Resource Load Balancing that I wrote last week as well as providing new memory over commit and other functionality. In essence, vSphere 4.1 is more than a point release, this update includes many features that aid in security, reliability, and is a direct response to customer requests.

Encryption is important, encryption within a VM even more important. But the question is how to do this securely without allowing the encryption keys to be seen by an administrator of the virtual environment and that supports vMotion or LiveMigration. The solution is per VM encrypted memory, but something more robust that makes use of hardware, out of band key exchange, and supports vMotion or LiveMigration.

During the Virtualization Security Podcast on 7/8, Vizioncore’s Thomas Bryant joined us to discuss the state of virtualization backup security and forensic use of such backups. In the world of virtualization, backups are performed mostly by 4 distinct vendors: VMware Data Recovery (VDR) and VMware Consolidated Backup (VCB), Vizioncore vRanger, Veeam, and PHD Virtual Backup for vSphere. Each of these provide the most basic of security capabilities:

* Encrypted tunnels for data movement (SSL)
* Encryption of the backup

But in the increasing global nature of businesses and the difference in privacy laws between townships, states, and the need for Secure Multi-Tenancy, backup companies fall short with their products while making it increasing harder to use backups as a source of forensically sound data.

Google Circle
Join my Circle on Google+

Plugin by Social Author Bio