When working with VMware ESX there are some tips that I can share that can help you manage your environment. This tips are not anything really new or exciting but rather a reinforcement of some best practices to live by in order to improve auditing for compliance and troubleshooting. Use of the following in conjunction with remote logging functionality will improve your compliance stance and improve your ability to troubleshoot over a period of time.
How you may ask? By using a tool that logs all local administrator actions to a remote logging host. There are two ways to do this today for ESX (SUDO and the HyTrust Appliance) and only one mechanism for ESXi and vCenter (the HyTrust Appliance).
When using virtualization technology system administrators have a lot of tools available to make our day-to-day operation and administration of our environments easier to work with and speeds up the time it takes to do a lot of administration tasks. Take for example, the ability we have to add resources to a virtual machine. You can add processors, memory and or increase disk space within a matter of minutes and very little downtime. On a physical host you would need to purchase the hardware first and wait for it to arrive and then schedule the downtime to add the resources to the machine. This speed and power can be both a blessing and a curse. Once application owners understand how easy it is to add resources to the virtual machines then comes the requests for additional resources any time the application owners think there is the slightest bit of need for any additional resources.
I recently spoke at the InfoSec World 2010 Summit on Virtualization and Cloud Security and also attended the main conference sitting in on many Virtualization discussions. Perhaps it was the crowd, which was roughly 30-40% auditors. Perhaps it was the timing as SourceBoston was also going on, as well as CloudExpo in NY. But I was surprised to find that people are still ‘just starting’ to think about Virtualization Security. Since I think about this subject nearly every day, this was disappointing to me at best. I found ideas around virtualization security ranging from:
- Virtualization Security is not part of an architecture/design, what do I bolt on?
- My Physical Security will work
- Virtual Environments NEED More security than physical environments
- There are no new threats, so why have something more
- Security is a hindrance
I participated in GestaltIT‘s TechFieldDay which is a sort of inverse conference, where the bloggers and independent analysts go to the vendors and then discuss the information they have received. We visited the following virtualization vendors:
- vKernel where we were introduced to their Predictive Capacity Planning tools
- EMC where we discussed integration of storage into the virtualization management tools as well as other hypervisor integrations
- Cisco where CVN and CVE were discussed in detail.
At the reception at Fenway Park we also had a chance to further our discussion with all these vendors as well as Akorri with their BalancePoint software.Of these vendors what I found interesting is that all have noticed that Hyper-V is now of interest to their customer base so all either have products ready for Hyper-V or are working on products for Hyper-V. Akorri and vKernel have Hyper-V ready products. Cisco and EMC are working with Hyper-V at some level I suspect.
One thing I have learned in the time I have spent working in IT is that no software product, out of the box, will do everything that you want it to do. This especially goes for VMware’s vCenter Server. This is a great product but yet still has its shortcoming. vCenter will perform a lot of the tasks that we need to do and has the ability to report on a information we need to know about in our virtual environments but unfortunately not everything we need to know about can be easily found in bulk about multiple servers.
Security baselines and security health checks are an important part of any modern day infrastructure. These checks are done periodically throughout the year, usually ever quarter. In my opinion this is a good thing to check and make sure your security settings are following the guidelines that the company has set out to achieve. Here is where I do have a problem. When setting up the guidelines for the different technologies in your infrastructure it would make the most sense that the people establishing the guidelines need to fully understand the technology they are working with. After all, would you really want the midrange or mainframe group to write the policies and guidelines for the Microsoft Windows Servers in your environment?