The Virtualization Practice

Author Archive for Edward Haletky

Edward Haletky
Edward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development, and The Virtualization Practice, where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.

I just finished writing all the content for my next book, entitled VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers (2nd Edition), which continues the discussion on Dynamic Resource Load Balancing (DRLB). DRLB is the balancing of virtualized workloads across all hosts within a cluster of virtualization hosts without human intervention. This is the ultimate goal of automation with respect to virtualization and therefore the cloud. In effect, with DRLB the virtualization administrator's job has been simplified to configuration and troubleshooting, leaving the virtual environment to load balance workloads on its own.

During the Virtual Thoughts podcast on 6/29/2010, the analysts discussed various hardware aspects of virtualization, trying to determine whether the hypervisor was going to move into the hardware and, if so, how much of it, whose hypervisor, and lastly whether such a move is part of any business model.

Virtual Thoughts is a monthly podcast that looks at the entire scope of virtualization to discuss new trends and thoughts within the virtualization and cloud communities.

This week's podcast started with a discussion of TPM/TXT and the boost it gives to virtualization security. Since TPM/TXT is based in the hardware and provides a measured launch of an operating system, the next logical discussion was on whether or not the hypervisor would be placed into the hardware.

During the Virtualization Security Podcast on 6/22, Steve Orrin of Intel and Dennis Morreau of RSA joined us to discuss the impact of the Intel Westmere chips' built-in Trusted Platform Module (TPM) and Trusted Execution Technology (TXT) on Cloud and Virtualization Security. TPM is not all that new, but TXT's usage in virtualization security is new. Together they can form a hardware root of trust for the virtual environment.

At the moment, however, these technologies are limited to providing a secure launch of a well-known hypervisor within the hardware; they have not been extended to the virtual machine. TXT does, however, address a very important issue that had only theoretical solutions at the time the book VMware vSphere and Virtual Infrastructure Security was written: Blue Pill style attacks. There were rumors of Hyperguard or Guard Hype tools becoming available, but those are only research projects. TXT, on the other hand, offers protection from Blue Pill style attacks.

There is nothing like fully understanding the protections inherent within your vNetwork, and the Roles and Permissions you can set within the virtualization management tool suites, to ensure your vNetwork is secured, audited, and monitored for issues, just as you do now within the pNetwork. Unlike the pNetwork, the vNetwork provides a certain amount of introspection and capability that is missing from a pNetwork, and this will also help with security.

Can we use some of this Risky Social Behaviors post to aid us in finding an adequate definition for secure multi-tenancy? Perhaps more to the point, it can define how we look at multi-tenancy today. On a recent VMware Communities podcast we were told two things that seem contradictory to current security thinking: the first is that going to the cloud reduces your risk, and the second was that the definition of the cloud must include multi-tenancy.

The security companies are looking into all aspects of virtual environment introspection: to label, tag, or mark all objects for compliance reasons, to inspect the contents of virtual machines for asset management (CMDB), and as an early form of rootkit detection.

Virtualization Security is not just about the firewall; it is about the entire ecosystem: auditing, compliance, and object management.

During the Virtualization Security Podcast on 5/13, IBM's David Abercrombie joined us to discuss IBM's Virtualization Security Protection for VMware (VSP), which contains several exciting uses of the VMsafe API for VMware vSphere. These are:

* Network: Network Monitoring, Firewall, Access Control, and a Protocol Analysis Module
* Memory: Rootkit Detection

The panel of the Virtualization Security Podcast on 5/27/2010 was joined by an attorney specializing in the Internet space. David Snead spoke at InfoSec and made it clear that there was more to secure multi-tenancy than one would imagine. The first question was "how would you define tenant?", which I believe is core to the discussion of SMT, as without definitions we have no method of communicating. Before we get to David's response, we should realize that nearly everyone has their own definition of Tenant for a multi-tenant solution.
