The Virtualization Practice

Author Archive for Edward Haletky

Edward Haletky
Edward HaletkyEdward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and The Virtualization Practice where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization. [All Papers/Publications...]

I was upgrading my nodes from VMware VI3 to VMware vSphere and used the VMware Update Manager to perform the update. Given that my existing filesystems were implemented to meet the requirements of the DISA STIG for ESX, as well as availability. I was surprised to find that when the upgrade of the first node of my cluster completed, that the install did NOT take into account my existing file system structure, but instead imposed the default file system used by the standard VMware vSphere ESX 4 installation.

I was recently on an island and it got me thinking of how would I move my company to the island. The company services people around the world, but would also service local to the island. Does virtualization really help me here? Why do I ask this, because an island is often prone to the vagaries of mother nature: Lava, Flooding, Typhoon, Hurricane, Earthquakes, humidity, desert, power fluctuations, etc. The list is pretty endless. So how would you move a business to or from an Island? Is this where the Cloud becomes a mature component? If so how much cloud do you need?

With the advent of VMware Go, vCloud Express, and the vCloud API, VMware’s marketing message is that all SMBs should use the cloud to either deploy their free hypervisor (VMware Go), or use the Cloud to run their servers (vCloud Express). VMware claimed at VMworld that we are no longer looking for ROI with Virtualization from a pure power and equipment costs, no we are now looking at virtualizing to save funds within the operational space of your company. Where best to do this than for SMBs to instead of owning their own equipment move their servers into the waiting vCloud Express providers such as Savvis, Terremark, Hosting.com, etc.

The known virtualization security vendors Reflex Systems, Catbird Security, Altor Networks, HyTrust, Symantec, Trend Microsystems, Tripwire, and VMware all showed their wares at VMworld. Even Checkpoint was showing off their firewall integration within the virtualized environment. Are these really competing products or products that have unique uses within the virtual environment with just a bit of overlap?

As of this writing just a few of the regulatory compliance groups are working to encompass Virtualization. However, they are not close to anything publishable yet. What does this mean for companies that must enforce regulatory compliance? What does this mean to an auditor? The big question many are asking, is if the Compliance documents to which they must adhere do not mention virtualization, are they compliant when they virtualize? Currently whether you get down checked or not during an audit depends entirely on the auditor’s interpretation of the current non-specific guidelines. In most case its negative as there is no guidance from the compliance groups with regards to virtualization. There are also virtualization security products out there that try to enforce and report upon current compliance guides with respect to virtualization.

There is a great debate on which hypervisor vendor works with ISVs and which do not. You have a number of ISVs working with VMware that are just now starting to work with Hyper-V. A number of ISVs that are struggling to catch up in the virtualization space. Hypervisor Vendors that are directly competing with ISVs as well as welcoming ISVs. This story is not about any of this, but about how easy is it to launch a new product for each of the hypervisors available with or without help from the hypervisor vendor. In essence, is there enough documentation, community, and code out there to be interpreted as welcoming ISVs.

While at VMworld I was suddenly hit with a blast of heat generated by the 40,000 VMs running within the VMworld Datacenter of 150 Cisco UCS blades or so. This got me thinking about how would VMsafe fit into this environment and therefore about real virtualization security within the massive virtual machine possible within a multi-tenant cloud environment. If you use VMsafe within this environment there would be at least 40,000 VMsafe firewalls. If it was expanded to the full load of virtual NICs possible per VM there could be upwards of 400,000 virtual firewalls possible! At this point my head started to spin! I asked this same question on the Virtualization Security Podcast, which I host, and the panel was equally impressed with the numbers. So what is the solution?

VMsafe – Vendor Implementations at VMworld

With the advent of existing VMsafe products from Altor Networks, Reflex Systems, and ones on the horizon from Trend Micro and others in the security space, all administrators should have a clear understanding of how they work under the covers. Where does VMsafe appear within the stack? Is VMsafe on the incoming physical NICs, within the vSwitch, portgroups, or before or after the vNIC? Can we expect the other aspects of VMsafe to be the same? While I was discussing VMsafe with the vendors, VMware was also going around and talking to all the VMsafe vendors for VMware TV shots.

Is VMware trying to remake itself? To Compete with Microsoft?

With all the rebranding going on with VMware, I find it interesting that the new logo for VMware is similar to Microsoft’s logo. A single name instead of the cool boxes they used to have. Did VMware’s brand loose its focus while we were not watching? Is this why VMware is rebranding everthing? Is VMware really trying to remake itself to be more like Microsoft?

Google Circle
Join my Circle on Google+

Plugin by Social Author Bio