The Virtualization Practice

Author Archive for Edward Haletky

Edward Haletky
Edward HaletkyEdward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and The Virtualization Practice where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization. [All Papers/Publications...]

As of this writing just a few of the regulatory compliance groups are working to encompass Virtualization. However, they are not close to anything publishable yet. What does this mean for companies that must enforce regulatory compliance? What does this mean to an auditor? The big question many are asking, is if the Compliance documents to which they must adhere do not mention virtualization, are they compliant when they virtualize? Currently whether you get down checked or not during an audit depends entirely on the auditor’s interpretation of the current non-specific guidelines. In most case its negative as there is no guidance from the compliance groups with regards to virtualization. There are also virtualization security products out there that try to enforce and report upon current compliance guides with respect to virtualization.

There is a great debate on which hypervisor vendor works with ISVs and which do not. You have a number of ISVs working with VMware that are just now starting to work with Hyper-V. A number of ISVs that are struggling to catch up in the virtualization space. Hypervisor Vendors that are directly competing with ISVs as well as welcoming ISVs. This story is not about any of this, but about how easy is it to launch a new product for each of the hypervisors available with or without help from the hypervisor vendor. In essence, is there enough documentation, community, and code out there to be interpreted as welcoming ISVs.

While at VMworld I was suddenly hit with a blast of heat generated by the 40,000 VMs running within the VMworld Datacenter of 150 Cisco UCS blades or so. This got me thinking about how would VMsafe fit into this environment and therefore about real virtualization security within the massive virtual machine possible within a multi-tenant cloud environment. If you use VMsafe within this environment there would be at least 40,000 VMsafe firewalls. If it was expanded to the full load of virtual NICs possible per VM there could be upwards of 400,000 virtual firewalls possible! At this point my head started to spin! I asked this same question on the Virtualization Security Podcast, which I host, and the panel was equally impressed with the numbers. So what is the solution?

VMsafe – Vendor Implementations at VMworld

With the advent of existing VMsafe products from Altor Networks, Reflex Systems, and ones on the horizon from Trend Micro and others in the security space, all administrators should have a clear understanding of how they work under the covers. Where does VMsafe appear within the stack? Is VMsafe on the incoming physical NICs, within the vSwitch, portgroups, or before or after the vNIC? Can we expect the other aspects of VMsafe to be the same? While I was discussing VMsafe with the vendors, VMware was also going around and talking to all the VMsafe vendors for VMware TV shots.

Is VMware trying to remake itself? To Compete with Microsoft?

With all the rebranding going on with VMware, I find it interesting that the new logo for VMware is similar to Microsoft’s logo. A single name instead of the cool boxes they used to have. Did VMware’s brand loose its focus while we were not watching? Is this why VMware is rebranding everthing? Is VMware really trying to remake itself to be more like Microsoft?

Veeam, Vizioncore, and PhD Virtual all showed there latest released products as well as the future products that integrate with VMware vSphere at much deeper levels that previously available, ala the VMware vStorage API. Talk was also about expanding their products into Microsoft Hyper-V as well as Citrix XenServer. This space has become so important that even the traditional backup vendors such as Symantec (BackupExec) as well as HP (DataProtector) are getting into the act. This shows ecosystem as well as market maturity not seen at last years VMworld.

There have been several interesting posts in the blogosphere about virtualization security and how to measure it. Specifically, the discussions are really about the size of the hypervisor footprint or about the size of patches. But hypervisor footprints from a security perspective are neither of these. The concern when dealing with hypervisor security is about Risk not about the size of the hypervisor or the size of a patch it is purely about the Risks associated with the hypervisor in terms if confidentiality, availability, and integrity.

Google Circle
Join my Circle on Google+

Plugin by Social Author Bio

Top