In my virtual environment recently, I experienced two major failures. The first was with VMware vNetwork Distributed Switch and the second was related to the use of VMware vShield. Both led to catastrophic failures that could easily have been avoided if these two subsystems failed safe instead of failing closed. VMware vSphere is all about availability, but when critical systems like these fail, not even VMware HA can assist in recovery. You have to fix the problems yourself, usually by hand. Now that the problem has been solved and should not recur, I began to wonder how I missed this, which led me to the total lack of information on how these subsystems actually work. So without further ado, here is how they work and what I consider to be the definition of fail-safe. Continue reading Distributed Virtual Switch Failures: Failing-Safe
My conference schedule kept pace with the changes in the virtualization security ecosystem throughout the year. What are those changes?
- Auditors were educated at an ISACA event in Florida about the intrinsic security of most modern Type-1 hypervisors. Throughout the year we saw auditors being educated and becoming more involved in virtualization and cloud security. CloudAudit arrived, and ISACA and other educational events surrounding virtualization increased throughout the year. Continue reading Virtualization Security: Year in Review
Last week, there were several major virtualization security announcements that, taken singly, may apply only to the specific products, but taken together show the growth of the virtualization security ecosystem.
- VMware vSphere has attained CC EAL 4+ certification. To view the certificate and completion letter, visit http://www.vmware.com/security/certifications/
- Trend Micro has shipped Deep Security 7.5 with vShield Endpoint support for Anti-Virus. To download visit http://downloadcenter.trendmicro.com/
- HyTrust released HyTrust Appliance 2.1. For the press release, visit http://www.hytrust.com/news/press-releases/hytrust-releases-hytrust-appliance-update/
The Virtualization Security Podcast on 9/16 was the first in a series of Virtual Desktop Security discussions we will be having. The special guest panelist was Bill McGee from Trend Micro who helped us to understand their implementation of Deep Security 7.5’s Anti-Virus and Anti-Malware (AV collectively) within the virtual desktop.
Trend Micro’s product makes use of enabling technology within vShield Endpoint to provide offloaded AV and Anti-Malware scanning of virtual machines using only one set of rules and one VM to do the actual scanning, removing the per-VM rule set and processing that currently take place within each VM. Continue reading Virtual Desktop Security: Best Practices
Virtualization Security was one of the BIG Deals at VMworld with several announcements:
- VMware vShield Edge, App, and End Point
- Trend Micro will have the first product making use of vShield End Point
- Cisco Virtual Security Gateway (VSG)
- HyTrust and their growing list of technology partners
But the biggest news is that virtualization security is finally on the radar of most, if not all, C-level executives, as it is now seen as the gate to entering the cloud. But before we can solve the cloud security issue, we have to solve the virtualization security issues. VMware’s announcement has the most impact on the virtualization security ecosystem: at once they are competing head-to-head with some vendors while providing a platform for other vendors to use.
I wonder how many of us remember when VMware bought BlueLane and their technology. Good things were promised, and we saw the first part with the release of vSphere, when they introduced vShield Zones. This was a “free” product for those of you who had any version above Advanced vSphere, and to be fair, for a 1.0 release it was a nice weapon to have in your armoury when dealing with security during a design and implementation phase.
At VMworld 2010 San Francisco, VMware announced and released the expanded and improved vShield family of products. It is, however, now a paid product. The good news is that vShield Zones has not been removed from the vSphere suite and is still “free” at the correctly licensed level of vSphere.
A quick synopsis of the products: the technology has been split into three products, these being:
- VMware vShield App – Protect Applications from Network-Based Threats
- VMware vShield Edge – Secure the Edge of the Datacenter
- VMware vShield Endpoint – Endpoint Security for Virtual Datacenters Continue reading VMware vShield 4.1, not for the SMB