On the 8/9 Virtualization Security podcast, we continued our discussions on defense in depth with a look at end-user computing devices, specifically laptops and endpoint desktops, with Simon Crosby, CTO of Bromium. While we also discussed phones and tablets, we focused more on the technology preview that has now become Bromium vSentry. Bromium vSentry looks to protect laptops (and other machines) from unknown and zero-day attacks in a unique hardware-assisted way. There is now a new tool in our defense-in-depth toolbox that meets an ever-growing need. But what is the need, and what is the tool?
Desktop security start-up Bromium announced the general availability of vSentry at the Gartner Security and Risk Management Summit in London today. vSentry is their first product based on the Bromium Microvisor, which is designed to protect against advanced malware that attacks the enterprise through poisoned attachments, documents and websites.
On the 7/29 Virtualization Security podcast we continued our discussions on defense in depth. We discussed authentication and authorization with IdentityLogix. IdentityLogix provides a unique solution that correlates users and groups against VMware vSphere's own role-based access control stores. In other words, IdentityLogix can identify whether a user or group within Active Directory has more access to VMware vSphere's management tools than was intended, based not only on the user's username but also on the groups to which the user belongs. Why is this important to know?
As I walked the VMworld 2012 show floor, I was looking for innovation or something new and interesting. I found it in several unexpected locations. There were quite a few of the expected vendors at VMworld, but there were gems here and there. There was innovation from HotLink to VMware. All in all, a great show.
VMware has listened to its community – which hated the vTax when it was introduced, and never warmed up to the whole idea over time. VMware has killed the vTax, removing the price on density which it represented.
More importantly, VMware has also gotten rid of the per-VM pricing for its management solutions – a pricing model which exacted another tax upon success, as the cost of these solutions grew as the number of VMs grew.
The New VMware Pricing Model
VMware has now standardized upon per-CPU-socket pricing for its key new product, the vCloud Suite. So now the product that combines vSphere 5.1, vCloud 5.1, vCenter Operations, and vShield is available in one simple packaging and licensing model. There are no more virtual memory entitlements, no more core entitlements, and no more need to purchase licenses for management products as VM density increases.
There are several improvements in virtual networking and security within the latest vSphere and vCloud products. vCloud Networking and Security lowers the overall cost of implementing endpoint security within a vSphere environment. VMware has accomplished this by including vShield Endpoint in vSphere, thereby reducing the cost of offloaded antivirus and antimalware to just the price of the product chosen to implement it.
By far the biggest change is the implementation of VXLAN within vSphere. VXLAN makes it possible to create a software-defined network.
- VXLAN will span vSphere clusters, virtual switches, and layer-3 physical networks. How does this work? VXLAN is a layer-2 overlay network that uses MAC-in-UDP tunneling, so tenant Ethernet frames are carried across routed networks inside UDP packets.
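The MAC-in-UDP encapsulation that lets VXLAN cross layer-3 boundaries is simple enough to show end to end. The following Python is an added example, not VMware's or the vCNS code: it builds and parses the 8-byte VXLAN header from RFC 7348 (I flag, 24-bit VNI, UDP port 4789) around a constructed Ethernet frame, and models a hypothetical VTEP forwarding table keyed by (VNI, MAC) to show why two tenants can reuse the same MAC address without ever seeing each other's frames. The VNIs, MAC addresses and VTEP IPs are constructed sample values.

```python
import struct
from dataclasses import dataclass

# Constants from RFC 7348 (the VXLAN specification).
VXLAN_UDP_PORT = 4789        # IANA-assigned UDP destination port for VXLAN
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field carries a valid network identifier
VXLAN_HEADER_LEN = 8         # flags(8) | reserved(24) | VNI(24) | reserved(8)
ETH_HEADER_LEN = 14          # dst MAC(6) | src MAC(6) | EtherType(2)


@dataclass
class VxlanFrame:
    vni: int            # 24-bit VXLAN Network Identifier (the tenant segment)
    inner_frame: bytes  # the original Ethernet frame, MAC header onward


def ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet frame (no FCS) for the inner, tenant-side packet."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header; the sending VTEP's IP stack adds the outer UDP/IP headers."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # The VNI occupies the upper 24 bits of the second 32-bit word; the low byte is reserved (zero).
    header = struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)
    return header + inner_frame


def decapsulate(udp_payload: bytes) -> VxlanFrame:
    """Parse the VXLAN header off a received UDP payload and return the inner frame with its VNI."""
    if len(udp_payload) < VXLAN_HEADER_LEN + ETH_HEADER_LEN:
        raise ValueError("payload too short for a VXLAN header plus an Ethernet header")
    flags, second_word = struct.unpack("!B3xI", udp_payload[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_I:
        # Without the I flag there is no valid VNI, so the frame cannot be placed in a segment.
        raise ValueError("VXLAN I flag not set; frame dropped")
    # Reserved bits are ignored on receipt; only the 24-bit VNI is extracted.
    return VxlanFrame(vni=second_word >> 8, inner_frame=udp_payload[VXLAN_HEADER_LEN:])


def inner_macs(frame: bytes) -> tuple:
    """Return (dst_mac, src_mac) of the inner Ethernet frame."""
    return frame[0:6], frame[6:12]


def learn(table: dict, vni: int, src_mac: bytes, remote_vtep: str) -> None:
    """Hypothetical VTEP forwarding table: MAC learning is keyed by (VNI, MAC), never by MAC alone."""
    table[(vni, src_mac)] = remote_vtep


def lookup(table: dict, vni: int, dst_mac: bytes):
    """Resolve the remote VTEP for a destination MAC within one VNI only."""
    return table.get((vni, dst_mac))


def demo_two_tenants() -> dict:
    """Constructed scenario: two tenants reuse the same MAC address on different VNIs."""
    shared_mac = bytes.fromhex("02aabbcc0001")          # constructed locally administered MAC
    bcast = b"\xff" * 6
    frame_a = ethernet_frame(bcast, shared_mac, 0x0800, b"constructed payload, tenant A")
    frame_b = ethernet_frame(bcast, shared_mac, 0x0800, b"constructed payload, tenant B")
    wire_a = encapsulate(5001, frame_a)                  # tenant A on VNI 5001
    wire_b = encapsulate(5002, frame_b)                  # tenant B on VNI 5002

    table: dict = {}
    for wire, vtep in ((wire_a, "10.0.0.11"), (wire_b, "10.0.0.12")):   # constructed VTEP IPs
        rx = decapsulate(wire)
        _, src = inner_macs(rx.inner_frame)
        learn(table, rx.vni, src, vtep)
    return {
        "vni_a": decapsulate(wire_a).vni,
        "vni_b": decapsulate(wire_b).vni,
        "vtep_for_mac_in_a": lookup(table, 5001, shared_mac),
        "vtep_for_mac_in_b": lookup(table, 5002, shared_mac),
        "mac_visible_in_other_vni": lookup(table, 5003, shared_mac),
    }


if __name__ == "__main__":
    print(demo_two_tenants())
```

The point for a defender is the last lookup: the same MAC learned in VNI 5001 resolves to nothing in VNI 5003, because the VNI, not the MAC, is the isolation boundary. Anything that can inject frames with an arbitrary VNI into the VTEP's UDP port bypasses that boundary, which is why the physical transport between VTEPs should itself be firewalled to the VTEP addresses and port 4789.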
vCloud Networking and Security
VMware has also renamed vShield Edge to vCloud Networking and Security (vCNS) Edge Gateway and vShield App to vCNS App. But other than renamed products what has been added?
- Highly available vCNS Edge Gateway with 10 user-defined network interfaces. While vShield Edge provided a single internal and a single external interface, vCNS Edge 5.1 allows you to define up to 10 internal or external interfaces, as well as logical groupings for internal vs. external, making use of the 10 vNICs that have been available on virtual machines since vSphere 4.x.
vCNS Edge Gateway also provides an active/standby high-availability pair with stateful session failover and automatic configuration syncing. If one firewall dies, the standby firewall takes over in less than 10 seconds, with minimal loss of firewall functionality.
- Advanced load balancing features are now part of vCNS Edge Gateway. Where in the past there was only simple load balancing, vCNS Edge Gateway now includes round-robin load balancing that verifies the health of the target VMs, sends no traffic to a VM whose health check fails, and supports session persistence. In other words, once a session starts on a target VM, continued traffic for that session stays on the same VM. The vCNS Edge Gateway load balancer natively handles HTTP and HTTPS, and provides a pass-through mechanism for other protocols.
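To make the interaction between round robin, health checks and session persistence concrete, here is an added Python model of that behaviour; it is an illustration of the policy described above, not vCNS Edge Gateway's own code, and the backend names and health-check results are constructed. It shows the two decisions a practitioner cares about: a failed health check removes a VM from rotation for new sessions, and an existing session is re-balanced only when the VM it is pinned to fails.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Backend:
    name: str
    healthy: bool = True


class RoundRobinBalancer:
    """Round-robin selection that skips backends failing their health check
    and pins an established session to the backend that first served it."""

    def __init__(self, backends: List[Backend], health_check: Callable[[Backend], bool]):
        self._backends = backends
        self._by_name: Dict[str, Backend] = {b.name: b for b in backends}
        self._health_check = health_check
        self._cursor = 0                       # round-robin position
        self._sessions: Dict[str, str] = {}    # session id -> backend name

    def run_health_checks(self) -> Dict[str, bool]:
        """Probe every backend and record the result; unhealthy backends receive no new traffic."""
        for b in self._backends:
            b.healthy = self._health_check(b)
        return {b.name: b.healthy for b in self._backends}

    def pick(self, session_id: str) -> Optional[str]:
        """Return the backend name for this session, or None if no backend is healthy."""
        # Session persistence: an existing session stays on its backend as long as it is healthy.
        pinned = self._sessions.get(session_id)
        if pinned is not None:
            if self._by_name[pinned].healthy:
                return pinned
            del self._sessions[session_id]     # its backend failed: re-balance this session
        # Round robin over the pool, skipping backends whose last health check failed.
        n = len(self._backends)
        for _ in range(n):
            candidate = self._backends[self._cursor % n]
            self._cursor += 1
            if candidate.healthy:
                self._sessions[session_id] = candidate.name
                return candidate.name
        return None                            # nothing healthy; the caller should fail closed


def demo() -> list:
    """Constructed scenario: three web VMs, web2 fails its check, later web1 and web3 fail too."""
    status = {"web1": True, "web2": False, "web3": True}   # simulated probe results
    lb = RoundRobinBalancer([Backend("web1"), Backend("web2"), Backend("web3")],
                            health_check=lambda b: status[b.name])
    lb.run_health_checks()
    log = [lb.pick("s1"), lb.pick("s2"), lb.pick("s3"), lb.pick("s1")]
    status["web1"] = False        # web1 now fails its health check
    lb.run_health_checks()
    log.append(lb.pick("s1"))     # s1 is moved off the failed VM
    status["web3"] = False
    lb.run_health_checks()
    log.append(lb.pick("s4"))     # nothing healthy left
    return log


if __name__ == "__main__":
    print(demo())
```

Note that `pick` returns `None` rather than falling back to an unhealthy VM: a load balancer that quietly forwards to a failed target turns a detectable outage into silent errors, so failing closed and alerting is the safer design.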
- SSL VPN is now a supported VPN mode alongside the existing IPsec tunneling protocols. An SSL VPN through the vCNS Edge Gateway could be used for management traffic in a hybrid cloud, to access your individual vCloud tenant, or to reach the management features of your virtual environment.
- The vCloud Service Automation framework allows the integration of third-party security applications within the virtual environment. This framework provides a set of APIs for integration at three points:
  - Inside the VM, via the vCNS endpoint security version 2 (EPsec v2) APIs
  - At the edge of the VM, via the vCNS App APIs
  - At the edge of the virtual network, via the vCNS Edge Gateway APIs
- NetX 10-tuple-based data redirection between physical and virtual, or virtual and virtual, security appliances.
- vCNS also includes a few updates to the vNetwork distributed switch, such as:
  - NetFlow v9
  - Network health checks, a limited set of checks to ensure the network is healthy and that all hosts in a cluster have the same network constructs.
But what do all these improvements mean?
In a nutshell, they enable the software-defined data center.
Simply put, VXLAN widens the capabilities of a single vCloud virtual data center to span multiple clusters instead of being limited to just 32 hosts in a cluster. This will improve cloud implementations for service providers and larger private clouds. VXLAN may eventually allow for software-defined networks that span hybrid clouds. On the security side, the improvements and implementation of vCloud Service Automation framework allows for the creation of a software-defined security layer.
Both of these technologies are necessary if there is to be a software-defined data center.