Security

This category contains posts with a security focus or security-related content.

Over the last couple of days at VMworld, I’ve had the opportunity to meet up with a couple of vendors to discuss their product initiatives and offerings. I had lined up several more meetings, but due to my hectic schedule I was unable to make those meetings. To those companies that I missed, I apologize. There just aren’t enough hours in the day!

Bluesocket

One company that I met with is Bluesocket, whose link to VMware is through their vWLAN (virtual wireless LAN) product. What is a vWLAN, exactly? Don’t worry, I asked the same question; it sounded like bad marketing, to be honest. vWLAN is the name they use to describe a wireless network architecture that combines wireless APs with a fully virtualized wireless AP controller. Bluesocket has taken their wireless network architecture and built it in such a way that they’ve combined the traits of a “fat AP” and “thin AP” approach together, and leveraged virtualization on vSphere to provide the compute power. It’s an interesting approach, but—as I expressed to Bluesocket—I’m not sure how well it will hold off the bigger, more well-funded competitors in the wireless LAN space. For now, at least, Bluesocket has a first mover’s advantage.

HyTrust

HyTrust is a company I’ve written about before (just do a Google search for “HyTrust site:scottlowe.org”). HyTrust is in a very interesting space and doing some pretty cool things. I learned today, for example, that not only does HyTrust provide support for VMware vSphere and the Cisco Nexus 1000V, but also Cisco UCS. That’s pretty cool! If you are looking for some ways to enhance the security profile of your virtualized environment, it might be worthwhile for you to take a look at HyTrust.

Well, that’s it for now. I’ll have more VMworld 2011 coverage tomorrow.


Today was a big day for VMware. I’m going to provide some summary coverage of the products launched today, but only a quick recap; I’ll have more in-depth analysis and information on the products and their key features and improvements in future blog posts. No doubt there is going to be plenty of other coverage on the launch as well, and I’ll likely produce a special “Short Takes” episode with a summary of some of the related links, so look for that as well.

Now, on to the product announcements!

vSphere 5

As fully expected, VMware today announced VMware vSphere 5, the next generation of their virtualization suite. VMware continues to drive virtualization “higher” in the data center as they target even the most mission critical applications, so vSphere 5 offers support for massive VMs (up to 32 vCPUs and 1 TB of RAM per VM). With vSphere 4, there were only a few instances where a mission critical application couldn’t be supported because of resource constraints. That already-slim window shrinks even more now with vSphere 5.

Also in the vSphere 5 release, VMware has added a lot of features to help simplify and automate the virtualization layer. This is fully expected and a natural part of vSphere’s continued maturation. Some of the features that VMware packed into this release for improved administration and management include:

  • vSphere Auto Deploy: VMware now offers a fully supported PXE boot solution that offers completely stateless ESXi hosts. Need to deploy a new ESXi host? No problem, with Auto Deploy it can be done in minutes. Need to deploy a new ESXi image? Change a few rules in the Auto Deploy engine and reboot your host—and you’re done. It’s pretty powerful stuff, in my opinion.
  • Storage DRS: vSphere DRS is the darling of many data centers, transparently moving VMs around to keep cluster workloads balanced. vSphere 5 introduces the same concept for storage, called Storage DRS. (Just as a side note, I’m not clear if the “DRS” in “Storage DRS” still stands for “Distributed Resource Scheduler,” since that’s not really applicable to storage. Anyone know?) Using information on storage capacity usage and (optionally) I/O response times, Storage DRS can shift virtual disks for VMs from datastore to datastore—using the concept of a datastore cluster—to keep storage utilization balanced. Like vSphere DRS, Storage DRS also performs initial placement, simplifying the VM storage provisioning process. This is something that has been in the works for years (I first heard about it from VMware in 2008), and it’s great to see it finally make its appearance.
  • Profile-Driven Storage: This is another killer feature. Building on the vSphere Storage APIs for Storage Awareness (more popularly known as VASA), profile-driven storage allows administrators to define VM storage profiles that describe the features or attributes that storage must possess in order to satisfy the requirements of the VM (RAID type, disk type, capacity, protection level, replication, snapshots, etc.). Then, based on VM storage profiles, when you create a new VM, perform a Storage vMotion, or clone a VM or template, vSphere will use the VM storage profile to show you which datastores are compatible (compliant with the profile) or incompatible (noncompliant with the profile). This provides a huge benefit to the vSphere administrator in ensuring that VMs are stored on the right storage with the right support.

Of course, that’s not all that vSphere 5 has to offer; there’s also a laundry list of other new features:

  • VAAI v2, which includes hardware offloads for NFS and new thin provisioning awareness
  • All-new framework for vSphere HA, which eliminates the primary/secondary model and provides significant new features
  • A new vSphere Storage Appliance, to turn local (DAS) storage into shared storage in environments where a dedicated SAN isn’t possible and performance is not the key consideration
  • A new version of VMFS that offers datastores up to 64TB in size without the use of extents
  • Significant performance enhancements for Storage vMotion, and the ability to relocate snapshots
  • Improvements in NFS to support scale-out NAS
  • Software FCoE initiator (only supported on Intel X520 NICs at initial release). I have a couple of the Intel X520 NICs that I’ll be doing some additional testing with against vSphere 5, so look for those results on this site soon.

As you can see, it’s quite a significant release. But wait, there’s more…

vCloud Director 1.5

VMware also announced vCloud Director 1.5, which offers a number of new features:

  • New APIs: vCloud Director will offer broadened “southbound” APIs, so that solutions like vCO, UIM, and others can provide further automation in highly virtualized environments
  • Linked Clone support: vCD 1.5 will support linked clones, so that deploying new workloads will happen faster and with less storage consumption.

Site Recovery Manager 5

In addition to vSphere 5 and vCD 1.5, VMware also unveiled SRM 5, with new features like:

  • Built-in automated failback: While vendors such as EMC provided failback plugins, those plugins didn’t provide the full functionality of SRM when performing a failback. SRM 5 now provides full failback support, a key feature that many organizations have been requesting.
  • Workload mobility workflows: SRM starts adding support for workload mobility workflows, to move workloads cold between sites. (Hmmm…think about VPLEX plus SRM workload mobility workflows…give you any ideas?)
  • vSphere host-based replication: vSphere 5 can now offer replication on a host-based level, for environments where array-based replication isn’t possible due to constraints (budgetary or otherwise). Naturally, there’s a trade-off in using host-based replication versus array-based replication, but it’s a nice feature to add for lower-end customers.

vShield 5

Last, but not least, VMware announced vShield 5. vShield 5 brings improved management to the table as well as some new features:

  • Static routing functionality in vShield Edge: This provides vSphere and vCloud Director administrators greater flexibility in modeling network topologies.
  • New product offering in the form of vShield Data Security: This is an integration of technology from RSA DLP (Data Loss Prevention), that offers administrators the ability to discover and report sensitive data in virtual machines.

All in all, VMware unveiled a lot of new functionality today that is targeted at driving the further adoption of virtualization and addressing concerns over virtualizing mission critical applications.

As I mentioned earlier, look for more in-depth articles on some of the new features and functionality in the coming days and weeks. Thanks!


My book reading queue has expanded tremendously over the past few weeks as a flurry of new books—some virtualization-related, some not—have landed in my laptop. I really appreciate the authors and publishers giving me the opportunity to review these books, and I wanted to give you a quick rundown of what I’ve been doing on this front.

NX-OS and Cisco Nexus Switching: Next-Generation Data Center Architectures

This book was a gift from one of the authors, Ron Fuller (aka @ccie5851 on Twitter). Like all the other books in this list, I’m not done reading it yet, but I have skimmed a couple of the chapters. I don’t know why, but networking fascinates me (almost as much as virtualization). So far, this book has been very informative and well-written, and I’m looking forward to finishing the whole book. Check it out here on Amazon.

VMware ESX and ESXi in the Enterprise, 2nd Edition

Author Edward Haletky is a well-known and recognized figure in the VMware virtualization space, and the first edition of this book was very good (read my book review of the first edition from April 2008). This book is now in its second edition and includes content for vSphere 4.1. I haven’t finished reading it yet—my reading backlog is enormous—so I can’t say anything definitively, but I fully expect that it will be as complete and thorough as the first book. As I said in April 2008 about the first edition, readers seeking good reference material for vSphere should consider adding this to their bookshelf (after adding Mastering VMware vSphere 4 first, of course!). Here’s the book’s Amazon listing.

VMware vSphere PowerCLI Reference

This is a much-anticipated title by an all-star collection of PowerCLI experts: Alan Renouf, Luc Dekens, Glenn Sizemore, Arnim van Lieshout, and Jonathan Medd. I expect this book will be a huge best-seller for PowerCLI. Just from the limited reading that I’ve been able to do so far, it’s looking like this book will be the definitive reference guide for using PowerCLI with VMware vSphere. Order the book via Amazon here.

VMware vSphere 4.1 HA and DRS Technical Deep Dive

What more can be said about this book that hasn’t already been said? The authors, Duncan Epping and Frank Denneman, are considered among the top experts on VMware HA and VMware DRS, so having them write a deep dive on these topics is ideal. They definitely deliver a true “deep dive”; there is a wealth of in-depth technical information here. As with all the other titles in this post, I haven’t yet finished reading the whole thing, but this is one to keep on your list of virtualization books. Like most of the other books, VMware vSphere 4.1 HA and DRS Technical Deep Dive is available on Amazon.

OpenVPN 2 Cookbook

I’ve written about OpenVPN, the open source SSL VPN software, a couple of times before (I wrote about a Mac OS X OpenVPN client named Viscosity and about an issue with OpenVPN and mt-daapd). To be perfectly honest, I’m really impressed with OpenVPN and how well it works, and both Viscosity as well as Shimo are good, Mac OS X-native VPN clients (I generally prefer Viscosity, but Shimo is more versatile). So when Packt Publishing contacted me about reviewing a copy of a book titled OpenVPN 2 Cookbook, I was definitely interested. I’m just getting started looking over the book, but it looks like it is a good resource for users interested in getting to know more about OpenVPN. This title is available via Amazon, and the publisher has a sample chapter available online as well.

VMware vSphere Design

I would be remiss if I didn’t at least mention that a book to which I contributed was also recently published. VMware vSphere Design, which I helped author along with Forbes Guthrie and Maish Saidel-Keesing, hit the shelves in mid-March. So far, the reviews have been generally positive, although when the topic is design there are always a few who disagree (and that’s OK). You can pick up VMware vSphere Design via Amazon.

UPDATE: I forgot to add one other book, a networking book, that I’m also working on reading. Sorry Ron, and thanks for the reminder Andy!

Disclaimer: Where applicable, the publishers and/or authors of all of the books listed here provided me with free copies, either physical or electronic.


My son’s Windows 7 laptop was recently infected with some malware (adware/spyware). Mind you, I try to follow the generally-accepted recommendations for trying to prevent this sort of thing:

  • My son uses Mozilla Firefox (not Internet Explorer) with all updates installed.
  • I keep Windows 7 patched with updates from Microsoft.
  • He runs as a non-administrative user, and doesn’t know the administrator credentials.
  • The Windows 7 firewall is enabled and configured with a fairly strict set of rules.
  • The network has an open source proxy server with content filters, so I can be reasonably confident he’s not visiting the really nasty sites. Obviously, content filters are never perfect and always in need of updating, but they’re better than nothing.
  • The network itself is protected by a hardware firewall (not a simple NAT router, but a true stateful firewall), which requires that all web traffic go through the proxy (so he can’t bypass the proxy).
  • I installed Microsoft Security Essentials on his laptop to protect against malware, adware, etc., and I keep it updated.

Yet, despite all these layers of protection, I find that my son’s laptop was still infected with malware.

So I ask, in all seriousness—meaning I’m not trying to start some sort of flame war about how Mac OS X or Linux is better than Windows or vice versa—how does one protect their Windows installations against this sort of thing? I mean, what does it take, anyway? I feel like I am taking some pretty serious steps to protect Windows, and yet it still gets infected. What am I missing here?


I’m not a security expert (I’ll leave that to Ed or the Hoff), but if there’s a security company out there to keep your eyes on it is, in my opinion, HyTrust. Since releasing their security appliance in April of 2009, HyTrust has continued to expand their reach. Last week at VMworld 2010 in San Francisco, HyTrust made a few announcements to note:

  • On August 30, HyTrust announced HyTrust Cloud Control and out-of-the-box integration between the HyTrust Appliance and VMware vCloud Director. This combination brings HyTrust’s strong authentication, role-based access control, and visibility to vCloud Director environments. Other specific capabilities enabled by HyTrust Cloud Control include persistent zoning for multi-tenancy; detailed audit logging for compliance; and hardening and monitoring of the cloud services platform.
  • On August 31, HyTrust announced integration with RSA enVision (disclaimer: I work for EMC, RSA’s parent company). This means that HyTrust’s detailed logging and auditing information is passed to enVision for security information and event management purposes. The HyTrust Appliance offers granular role-based access controls, strong authentication, directory services integration, and command authorization, and with this integration passes all of its detailed logging information over to enVision to be rolled up into a broader set of logs that also include information from the VMware ESX/ESXi hosts, VMware vCenter Server, and VMware View connection servers for a holistic view of the entire virtualized environment. You can read the full press release here.
  • On September 1, HyTrust announced an update to the HyTrust Appliance that added new functionality. Significant new features in the update include support for smart card two-factor authentication; support for complex, multi-domain directories; single sign-on via Windows passthrough authentication; improvements to audit logs and new vCenter event archiving; application-level high availability for the HyTrust Appliance; support for VMware vSphere 4.1; and support for command-line management of the Cisco Nexus 1000V. This last item is particularly important; it enables the HyTrust Appliance to perform authorization of Nexus 1000V command line statements on a very granular basis. This functionality actually extends to the entire Nexus family, although the focus at this point is on the Nexus 1000V.

All in all, it looks to me like a pretty impressive set of updates. Based on a conversation between Eric Chiu (CEO of HyTrust), well-known analyst Chris Wolf, and me, I’d say that HyTrust has other impressive updates on the roadmap. Based on what they’ve delivered so far, I’m of the opinion that this is a company to watch. Keep up the great work, Eric and team!

Disclosure: I have no financial interest in HyTrust nor have I received any compensation from HyTrust. These views and opinions of HyTrust are mine and mine alone.


A flurry of virtualization-related product announcements flew into my Inbox today, thoroughly disrupting the empty Inbox I’d cultivated before the show. Anyway, I thought readers might be interested in some of the announcements, so here they are:

  • Akorri announced they’ve achieved VMware Ready status with their BalancePoint product. If you’re at VMworld and want to talk to Akorri, stop by booth 1331.
  • Similarly, Avere Systems has also been awarded VMware Ready status for its FXT 2700 appliance. Avere is also at VMworld in San Francisco, but I don’t have their booth number available to me.
  • Start-up company DeskStream has launched a product called Dynamic Virtual Desktop (yes, the acronym is DVD). It’s a “Desktop as a Service” product, according to their information. No word on whether DeskStream is at the VMworld conference. Follow this link for the full launch announcement.
  • Yet another company, CompuWare, has gotten VMware Ready status for CompuWare Vantage. As with DeskStream, I don’t have any indication as to whether CompuWare is at the VMworld conference.
  • I continue to be impressed by security startup HyTrust. Their latest announcement, HyTrust Cloud Control, brings strong authentication, role-based access control, and integration between HyTrust Appliance and VMware vCloud Director.
  • BLADE has announced VMready 3.0 with Virtual Vision, which allows physical networks to “see” virtual machines as they migrate (or are migrated) around the data center. At first glance, it kind of sounds like Arista’s VM Tracer, but I have a meeting with BLADE later this week and intend to find out more about the product. I’ll post more after that meeting.
  • EMC’s RSA division is also announcing the RSA Solution for Cloud Security and Compliance. This solution integrates technologies from Archer into a solution that is intended to help customers have greater confidence that their environments are properly secured and audited according to standards and policies. The full press release is also available here.

I think that’s about it for now. More VMworld 2010 coverage to come, so stay tuned!


Welcome to Technology Short Take #2, a collection of links, thoughts, ideas, and items pertaining to data center technologies—virtualization, networking, storage, and security. I hope you find something useful or interesting!

  • The release of FLARE 30 and DART 6 by EMC (formally announced last week) introduces some new concepts and new functionality. Matt Hensley recently did a write-up on some of the new functionality in this post on virtual provisioning, storage pools, and FLARE 30. It’s worth a read if you aren’t already familiar with these technologies and need a primer.
  • If you are looking for the definitive guide on connectivity between various VMware vSphere components and the TCP/UDP ports required, you need only look here. Great information!
  • Here’s a great guide from Cisco on deployment options when deploying 10 Gigabit Ethernet on VMware vSphere 4.0 with the Nexus 1000V or the VMware vNetwork Distributed Switch. I’ve read through it, but I’ve added it to my list of documents to go back and study more carefully; there’s lots of useful information in here.
  • Way back in March Dave Convery posted this article on limitations with VMware vShield Zones. While re-reading that article today, I noted in the comments that the Nexus 1000V has a feature called Virtual Service Domains that help address some of the limitations of vShield Zones (at that time). As pointed out in the comments, this makes vShield Zones usable in two NIC scenarios such as with Cisco UCS. If anyone has any additional links on Virtual Service Domains, please share them in the comments. This is a topic that I think needs some additional attention.
  • This article is a good breakdown of the differences in storage identifiers between ESX 3.x and ESX 4.1.
  • Jeff Woolsey at Microsoft finally wraps up his series of articles on Hyper-V Dynamic Memory with Part 6. I’ve been reading this series pretty faithfully as Jeff systematically lays out the various ways in which memory is handled in a virtualization scenario, and I’ve been consistently struck by the impression that Jeff was working really hard to distinguish what Microsoft was doing with Hyper-V from what VMware does with ESX/ESXi. In the end, though, I can’t help but see all the similarities between the two. Dynamic Memory allocates additional memory to a VM as it needs it (much the same way ESX/ESXi does by allocating memory only as requested by the VM) and reclaims free pages from the VMs (just like ESX/ESXi reclaims idle pages via idle page reclamation). When under memory pressure, Hyper-V might force the guests to page out to disk; ESX/ESXi’s memory balloon driver achieves the same effect. What’s missing, obviously, is that with Hyper-V the hypervisor itself won’t swap pages out to disk (ESX/ESXi will do this under extreme circumstances). Am I missing something, or is Microsoft’s Dynamic Memory a lot more like VMware’s memory management technologies than Microsoft wants to admit? Feel free to enlighten me (courteously and with full disclosure) in the comments if I’m missing something.
  • Via Geert Verbist’s site, I found this article on application consistent quiescing via VMware’s VSS integration in VMware Tools. (For more information on VSS support within VMware Tools, check out my liveblog from Partner Exchange earlier this year.) This is good to hear, but what’s still not clear is whether the application consistent snapshots will truncate transaction logs. If anyone has more information, speak up in the comments.
  • I think I pointed this out a week or two ago on Twitter, but I thought I’d mention it here as well. If you ever need to help decode which WWPNs map to which ports on an EMC CLARiiON array, this article is quite helpful. Anyone have matching articles for EMC Symmetrix, NetApp, HP, HDS, or other arrays?
  • With the formal announcement by VMware that vSphere 4.1 will be the last major release that includes ESX, ESXi is naturally getting much more attention. With that, there’s been a flurry of ESXi-related articles:
    Using vMA As Your ESXi Syslog Server
    The Migration From ESX to ESXi is Happening: Moving Configurations, Part 1
    The Migration from ESX to ESXi is Happening: Moving Configurations, Part II
    My VMware ESXi Installation Checklist
    Virtually Ghetto: ESXi 4.1 – Major Security Issue (also documented here in the VMware KB)
    ESXi 4.1 – Major Security Issue – The Sequel and the Workaround
    ESXi 4.1 Active Directory Integration
  • If you’re into Cisco UCS but like Hyper-V instead of VMware vSphere, Cisco has a white paper on Cisco UCS with Hyper-V for delivery of virtualized Exchange 2010.
  • I’m a command-line junkie, so I liked this article on how to put an ESX host into maintenance mode from the CLI.
  • For those seeking to get up to speed on the Nexus 7000 switches, “Fryguy” posted some training documents on his site. I haven’t read them (yet), but they’re on my list of documents to read (a list that grows ever longer…)

I guess that will do it for this time around. I hope that you’ve found something useful and, as always, feel free to add more useful links or tidbits in the comments. Thanks for reading!


On the recommendation of a number of Twitter users, I decided to install Microsoft Security Essentials (MSE) on a couple of laptops running 64-bit Windows 7. These laptops are used by my kids for their school work (they are home-schooled), and I just wanted to make sure that the laptops don’t get infected with some nasty bug. More than a few Twitter users recommended MSE, so I figured it couldn’t be all bad, right?

The install was quick and painless. And that’s where the fun started. MSE wanted to do an update immediately; OK, that’s fine. The problem is, it won’t connect. I use a Squid proxy server to control outbound web access, so I figured that somewhere was a setting that told MSE to use a proxy server. There’s nothing within MSE itself. Could it be that I had forgotten to configure Internet Explorer? I did make Firefox the default browser, after all. Nope, a quick check shows that the Internet Explorer settings are configured for the right outbound proxy as well. Both Internet Explorer and Firefox are working fine, so I know it’s not the network, the proxy, or the firewall. It must be MSE itself.

Google turns up the first part of the puzzle; even though your proxy support might be configured correctly for Internet Explorer (and thus most of the rest of Windows), MSE won’t take those settings. Instead, you have to use netsh, like this:

netsh winhttp import proxy source=ie

Unfortunately, in its efforts to be “helpful,” Windows 7 won’t allow you to run that command without elevated privileges. All you get when you try is a nondescript error message that vaguely implies that you don’t have permission. However, instead of being able to elevate that one command (a la sudo in the UNIX/Linux/BSD world), you have to run the entire command prompt with administrative privileges, as explained here (and probably countless other places on the ‘Net).

Once you get a command prompt running with administrative credentials, then you can run the netsh command and it will successfully import the IE proxy configuration. Once the IE proxy configuration is successfully imported, then MSE will fetch updates from the Internet and function properly. Wasn’t that fun?
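The steps above, collected into one script as an added example (this is not code from the original post or from Microsoft): it checks that the session is actually elevated before trying anything, shows what Internet Explorer currently has configured so you can compare, runs the same netsh import the post describes, and then prints the WinHTTP store so you can confirm the import took. The registry path and value names are the standard WinINET per-user proxy settings; everything else is the netsh syntax already shown above.

```powershell
# Added example, not from the original post. Imports the current user's IE (WinINET)
# proxy into the machine-wide WinHTTP proxy store that MSE reads, then verifies it.
# Assumes Windows 7 or later with PowerShell and an elevated session.

# netsh winhttp writes to a machine-wide store, so it fails silently-ish without elevation.
# Check first rather than letting the user puzzle over the vague permission error.
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object Security.Principal.WindowsPrincipal($identity)
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isElevated) {
    Write-Error "netsh winhttp requires an elevated prompt; re-run PowerShell as Administrator."
    exit 1
}

# Show the per-user IE/WinINET settings that will be copied, so a mismatch is obvious later.
$ieKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ieSettings = Get-ItemProperty -Path $ieKey
"IE proxy enabled : $($ieSettings.ProxyEnable)"
"IE proxy server  : $($ieSettings.ProxyServer)"
"IE bypass list   : $($ieSettings.ProxyOverride)"

# The actual fix from the post: copy the IE configuration into the WinHTTP store.
netsh winhttp import proxy source=ie

# Verify. If this still prints 'Direct access (no proxy server)', the import did not take effect.
netsh winhttp show proxy
```

Two caveats worth knowing when you use this. The WinHTTP store is machine-wide while the IE settings are per-user, so run the import from the account whose IE configuration is correct, and re-run it if the proxy address ever changes, since WinHTTP does not track IE afterwards. To undo the change later, `netsh winhttp reset proxy` returns the store to direct access.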

This little episode brings up a couple of questions/thoughts:

  1. Why in the world wouldn’t MSE use IE’s proxy configuration? Most of the rest of Windows does.
  2. Even if Microsoft wanted MSE to have its own proxy settings, why force users down a rathole of command prompts and administrative privileges? Why not put it in the GUI?
  3. Windows 7 has made great strides in making Windows more secure, but does this enhanced security posture come at the price of decreased flexibility for the power user?
  4. If so, does Microsoft even care? After all, the default settings are probably fine for most users.

Anyway, there you have it. If you use a proxy server on your network and you also want to use MSE, you’ll need to use netsh (with administrative privileges) to configure your proxy settings properly.


This is a two-hour session on VMware View security architecture and security benefits titled “VMware View Security Benefits, Architecture, and Best Practices”.

So what is VMware’s security strategy? First, start with core platform security. This encompasses all the various features and functions of the hypervisor like memory protection and isolation, kernel module protections, hypervisor attack surface, etc. Next, continue with operational security. This is about integrating VMware’s products into your organization’s existing operational security policies and includes things like the vSphere Security Hardening Guide that was recently released. Using security virtual appliances is another step that enables broad-based security for all VMs in the environment. Finally, VMware is striving for a “better than physical” model where virtual security is better than physical security. Consider VMsafe as an effort in this area.

The presenter next reviewed the VMware View infrastructure and all the various components that are included in this infrastructure. To ensure security, all of these various components need to be reviewed with an eye on security. For example, componentizing the different parts of a View infrastructure—separating access points, user data, applications, data, and operating system—helps to secure each of these different pieces.

A further benefit of this separation is that it allows for the creation of a true “gold master” for VMs. Products like ThinApp and VMware View Composer help to simplify this process and help maintain a true “gold master” image. This means that all the various security guidelines can be more easily incorporated into this master image, the master image can be patched more easily, configuration drift is reduced, and you can recover more easily and more quickly after an attack.

Using virtual desktops also allows organizations to more easily create “desktop security zones” that help isolate higher-risk PCs from lower-risk PCs, thus containing potential security risk to a limited subset of all desktops. This might also help with meeting compliance requirements (the presenter specifically mentioned PCI).

Thin clients are helpful in reducing complexity at the edge, which can (in some cases) help reduce the attack surface and limit the amount of work that IT organizations need to do to help secure the endpoints.

What about backing up data? Using View to centralize desktops allows organizations to more easily implement full data backups for the various types of data that are being created within the virtual desktop environment.

The presenter next moves on to vSphere security. Because VMware View depends upon vCenter and ESX/ESXi, the security of View is dependent upon the security of vCenter and ESX/ESXi. This led into a discussion of the benefits of virtualization vs. the security impact of virtualization. The topics covered here include all the usual suspects: greater impact of misconfiguration or attack; loss of visibility in the network access layer; loss of separation between network admins and server admins; potential VM sprawl without consistent configurations and properly defined procedures; possible security problems resulting from VM mobility; and unauthorized access to VMs because of VM encapsulation (users copying a VM by copying the VM’s files).

So how does one protect the virtual infrastructure? You use existing techniques such as hardening and lockdown; defense in depth; and authorization, authentication, and accounting.

The same goes for protecting virtual machines. Use anti-virus, IDP/IDS systems, firewalls, etc. VMsafe and the functionality enabled by VMsafe will be very helpful here.

Be sure to isolate the management interfaces using physically separate management networks or by using VLANs. You should also control access to the management network using ACLs, jump boxes, VPNs, or other access controls. Only authorized individuals should have access to the management network and “ordinary end-users” should absolutely not have access.

The separation of duties is also important. Use vCenter Server’s built-in roles to enable the principle of least privilege to help enforce separation of duties. Third-party products like HyTrust might also be helpful.

The presenter argues that moving to a vNetwork Distributed Switch is a security benefit. One big plus is the mitigation of the risk associated with misconfiguration. In addition, there is support for private VLANs (PVLANs), inbound traffic shaping, Network VMotion, and (with the Nexus 1000V) ACLs and a natural separation of duties.

At this point the presenter moves on to a discussion of secure access to virtual desktops.

Authentication is one key area; View supports AD authentication as well as RSA SecurID. View Manager does not store any of the authentication information; this is all offloaded to Active Directory or the RSA Authentication Manager. Smart Card authentication is an alternative to standard username and password authentication. The certificate on the Smart Card contains a Subject Alternative Name (SAN); the SAN is matched against the User Principal Name (UPN) in Active Directory. Smart Card authentication is not supported with PCoIP.

View does support a form of single sign-on so that users log on to the View Client and are authenticated all the way down to the virtual desktop.

Future support with regard to authentication will include Kerberos realm authentication; UPN authentication; RADIUS support in the View Connection Server; and improved SSO to virtual desktops.

Moving on to access options, PCoIP requires direct access to the virtual desktop; it won’t work with SSL tunneling. Fortunately, PCoIP is already encrypted (wirespeed encryption using AES 128-bit encryption). For non-PCoIP connections, HTTPS tunneling of RDP is supported by VMware View. This can greatly simplify firewall configuration (only TCP port 443 is required). Secure tunneling also has the benefit of helping to maintain sessions in the event of a dropped connection.

Some advantages of PCoIP are the built-in encryption and support for blocking USB plug events (to control USB device usage).

The View Security Server enables you to create a DMZ infrastructure that prevents end points from having direct access to virtual desktops or the Connection Server. The use of load balancers is supported with both Security Servers and Connection Servers.

VMware does recommend replacing the self-signed certificates that are supplied with VMware View with valid SSL certificates. Note that the SSLv3/TLSv1 cipher suites used for secure connections are configurable, so specific ciphers can be enabled or disabled.

The use of a VPN can also help provide a single point of entry and simplify the firewall configuration.

The next topic is VMware View’s entitlements model. View uses Microsoft ADAM on Windows Server 2003 or Microsoft AD LDS on Windows Server 2008. Back-end Active Directory is still leveraged for authentication. View uses the idea of foreign security principals (FSPs), which means that Active Directory doesn’t have to be synchronized with the local LDAP instance. In addition, user authorizations and entitlements don’t have to be stored in Active Directory (which would require schema extensions).

At this point the presenter moves into a discussion of View security best practices:

  • Harden the base OS within the virtual desktops and enforce refresh intervals and OS patching.
  • Choose the proper authentication model and use a Security Server or VPN for secure remote access.
  • Be sure to understand the firewall requirements and configure the firewall accordingly.
  • Be sure to harden the Connection Server and the underlying Windows Server OS upon which it is installed.
  • Replace the default self-signed certificates.
  • Set appropriate entitlements within the Connection Server. Zone users according to use case and risk.
  • Avoid direct remote access to virtual desktops where possible. Don’t allow users to connect without going through the Connection Server.
  • Control USB access, redirection of clipboard, printers, and drives.
  • Leverage Active Directory Group Policy to help with virtual desktop OS lockdown and some View-specific settings. (You might need to use Loopback Policy Processing in this instance.)
  • Know the different ports and the directions that are required when configuring firewalls. Refer to the View Architecture Planning Guide for full details.
  • Install anti-virus, but use a minimal installation to reduce bloat.
  • Use a staggered or randomized scanning policy to avoid overwhelming the infrastructure. Use policies or corporate configuration tools to enforce staggered scanning and signature updates and to configure exclusion lists (only need to scan the user data disk; the base OS is locked down through the use of linked clones).
  • Consider a VMsafe Ready AV product.
  • Include the Network Access Control (NAC) management agent in the parent VM prior to cloning.
  • Use ThinApp to gain some security benefits (prevents the OS from getting infected through the actions of a ThinApped application). Consider using ThinApp for browsers.
  • Specific to ThinApp and anti-virus, don’t install AV on the capture/build system if at all possible. If AV is installed, exclude the ThinApp project directory from on-demand scanning.

The next topic of the session was a discussion of using VMware vShield Zones. vShield Zones provide virtual firewalls that operate as transparent Layer 2 bridges and allow you to create different security zones. This can provide some technological enforcement of zones for different user environments (different pools for web browsing vs. internal CRM access and these pools cannot communicate with each other because of vShield Zones).

The presenter wrapped up the session with an overview of VMsafe and how VMsafe can help contribute to the security of a VMware View environment. VMsafe enables greater protection of VMs through APIs that allow deeper inspection of CPU/memory, networking, and storage. For example, VMsafe allows knowledge of specific CPU state or inspection of specific memory pages. VMsafe allows networking traffic to be inspected, intercepted, modified, or even replicated (consider vShield Zones integrated with the VMsafe APIs). With regard to storage, VMsafe makes it possible to mount VMDKs and inspect storage I/Os, transparently and inline to the storage stack.

The session wrapped up with a list of VMsafe-integrated solutions from companies like Altor Networks, TrendMicro, McAfee, and Checkpoint.


Numerous other sites and numerous other bloggers have already covered the fact that HyTrust released version 1.5 of the HyTrust Appliance a couple of weeks ago. If you’re attending VMworld 2009 in San Francisco, I believe that HyTrust will be demonstrating the new version and some of its new features at the show, so be sure to stop by.

I actually had the opportunity to sit down with Eric Chiu, President and CEO of HyTrust, when I was in San Jose a few weeks ago. We talked extensively about the features that were coming in version 1.5 of the HyTrust appliance. He’s really excited about the features that have been added and the future plans that HyTrust has in place for the product.

Some of the new features included in version 1.5 include:

  • Full support for VMware vSphere (both ESX and ESXi)
  • Full support for VMware vCenter Server 2.5 and 4.0
  • Support for two-factor authentication using RSA SecurID
  • Label-based policy (akin to Web 2.0-style tagging)
  • VM-to-host control
  • VM-to-network segment control

Those last three features are pretty cool. The label-based policy engine is a new way for virtualization administrators to apply policy to VMs, hosts, and network segments that breaks out of the old tree or container styles of applying policy. For example, you could label (or tag) a VM as “PCI”, and then specify that VMs labeled “PCI” can only be started on ESX/ESXi hosts also labeled as “PCI”, or attached to network segments also labeled “PCI”. This latter functionality—the ability to control network segment attachment based on HyTrust’s labels—was functionality that HyTrust developed in close coordination with Cisco’s Nexus 1000V development team. Further integration between HyTrust and the Nexus 1000V includes the ability to apply policy based on VNtag information.

Taken together, you can see that this new functionality is quite powerful and gives administrators a very flexible yet extensive ability to apply policy throughout the environment in a consistent fashion.
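To make the label-based placement rules described above concrete, here is a small policy check that decides whether a VM may be powered on a given host or attached to a given network segment. This is constructed example code added here, not HyTrust’s own implementation; the rule semantics (every constraint label on the VM must also be present on the target), the CONSTRAINT_LABELS set, and the inventory names are assumptions.

```python
from dataclasses import dataclass, field

# Labels that act as placement constraints. "PCI" is the label used in the
# post above; "HIPAA" is a second constructed example. (Assumption.)
CONSTRAINT_LABELS = frozenset({"PCI", "HIPAA"})


@dataclass(frozen=True)
class Resource:
    """A VM, ESX/ESXi host or network segment together with its labels."""
    name: str
    kind: str                      # "vm", "host" or "network"
    labels: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_placement(vm: Resource, target: Resource) -> Decision:
    """Permit a power-on (target is a host) or a network attach (target is a
    network segment) only if every constraint label on the VM is also present
    on the target. Labels outside CONSTRAINT_LABELS are informational only."""
    if vm.kind != "vm" or target.kind not in ("host", "network"):
        return Decision(False, f"unsupported operation {vm.kind}->{target.kind}")
    missing = sorted((vm.labels & CONSTRAINT_LABELS) - target.labels)
    if missing:
        return Decision(False, f"{target.kind} '{target.name}' lacks {missing}")
    return Decision(True, f"'{vm.name}' may use {target.kind} '{target.name}'")


# Constructed inventory: one PCI host, one general host, one PCI segment.
PCI_HOST = Resource("esx-pci-01", "host", frozenset({"PCI"}))
GEN_HOST = Resource("esx-gen-01", "host", frozenset({"general"}))
PCI_NET = Resource("pg-pci-vlan", "network", frozenset({"PCI"}))
GEN_NET = Resource("pg-corp-lan", "network")
PCI_VM = Resource("cardholder-db", "vm", frozenset({"PCI", "database"}))
WEB_VM = Resource("intranet-web", "vm", frozenset({"web"}))


def evaluate_inventory() -> dict:
    """Check every VM against every host and segment; returns {(vm, target): allowed}."""
    results = {}
    for vm in (PCI_VM, WEB_VM):
        for target in (PCI_HOST, GEN_HOST, PCI_NET, GEN_NET):
            results[(vm.name, target.name)] = check_placement(vm, target).allowed
    return results


if __name__ == "__main__":
    for (vm, target), ok in evaluate_inventory().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {vm} -> {target}")
```

A real deployment would also log every denied decision with its reason, since a VM repeatedly being steered at a non-PCI host or segment is worth an administrator’s attention.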

For more information, please visit the HyTrust site directly, or stop by and see them at VMworld 2009 in San Francisco next week.
