Security


I’ve written before about adding an extra layer of network security to your Macintosh by leveraging the BSD-level ipfw firewall, in addition to the standard GUI firewall and additional third-party firewalls (like Little Snitch). In OS X Lion and OS X Mountain Lion, though, ipfw was deprecated in favor of pf, the powerful packet filter that I believe originated on OpenBSD. (OS X’s version of pf is ported from FreeBSD.) In this article, I’m going to show you how to use pf on OS X.

Note that this is just one way of leveraging pf, not necessarily the only way of doing it. I tested (and am currently using) this configuration on OS X Mountain Lion 10.8.3.

There are two basic pieces involved in getting pf up and running on OS X Mountain Lion:

  1. Putting pf configuration files in place.
  2. Creating a launchd item for pf.

Let’s look at each of these pieces in a bit more detail. We’ll start with the configuration files.

Putting Configuration Files in Place

OS X Mountain Lion comes with a barebones /etc/pf.conf preinstalled. This barebones configuration file references a single anchor, found in /etc/pf.anchors/com.apple. This anchor, however, does not contain any actual pf rules; instead, it appears to be nothing more than a placeholder.

Since there is a configuration file already in place, you have two options ahead of you:

  1. You can overwrite the existing configuration file. The drawback of this approach is that a) Apple has been known to change this file during system updates, undoing your changes; and b) it could break future OS X functionality.

  2. You can bypass the existing configuration file. This is the approach I took, partly due to the reasons listed above and partly because I found that pfctl (the program used to manage pf) wouldn’t activate the filter rules when the existing configuration file was used. (It complained about improper order of lines in the existing configuration file.)

Note that some tools (like IceFloor) take the first approach and modify the existing configuration file.

I’ll assume you’re going to use option #2. What you’ll need, then, are (at a minimum) two configuration files:

  1. The pf configuration file you want it to parse on startup
  2. At least one anchor file that contains the various options and rules you want to pass to pf when it starts

Since we’re bypassing the existing configuration file, all you really need is an extremely simple configuration file that points to your anchor and loads it, like this:

The other file you need has the actual options and rules that will be passed to pf when it starts. You can get fancy here and use a separate file to define macros and tables, or you can bundle the macros and tables in with the rules. Whatever approach you take, be sure that you have the commands in this file in the right order: options, normalization, queueing, translation, and filtering. Failure to put things in the right order will cause pf not to enable and will leave your system without this additional layer of network protection.

A very simple set of rules in an anchor might look something like this:

Naturally, you’d want to customize these rules to fit your environment. At the end of this article I provide some additional resources that might help with this task.

Once you have the configuration file in place and at least one anchor defined with rules (in the right order!), then you’re ready to move ahead with creating the launchd item for pf so that it starts automatically.

However, there is one additional thing you might want to do first—test your rules to be sure everything is correct. Use this command in a terminal window while running as an administrative user:

sudo pfctl -v -n -f <path to configuration file>

If this command reports errors, go back and fix them before proceeding.

Creating the launchd Item for pf

Creating the launchd item simply involves creating a properly-formatted XML file and placing it in /Library/LaunchDaemons. It must be owned by root, otherwise it won’t be processed at all. If you aren’t clear on how to make sure it’s owned by root, go do a bit of reading on sudo and chown.

Here’s a launchd item you might use for pf:

A few notes about this launchd item:

  • You’ll want to change the last <string> item under the ProgramArguments key to properly reflect the path and filename of the custom configuration file you created earlier. In my case, I’m storing both the configuration file and the anchor in the /etc/pf.anchors directory.
  • As I stated earlier, you must ensure this file is owned by root once you put it into /Library/LaunchDaemons. It won’t work otherwise.
  • If you have additional parameters you want/need to pass to pfctl, add them as separate lines in the ProgramArguments array. Each individual argument on the command line must be a separate item in the array.

Once this file is in place with the right ownership, you can either use launchctl to load it or restart your computer. The robust pf firewall should now be running on your OS X Mountain Lion system. Enjoy!
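The configuration file, anchor, and launchd item described above, written out by a script that stages them in a scratch directory and checks the anchor's rule order before anything is copied into /etc. This is an added example, not the author's own files; it assumes an anchor named com.example.pf, that the files will be installed under /etc/pf.anchors and /Library/LaunchDaemons, and that en0 is the outside interface.

```shell
#!/bin/sh
# Added example, not code from the original article: stage the three files the
# article describes (a minimal pf.conf, an anchor, a launchd plist) in a scratch
# directory and check the anchor's rule order before anything is copied to /etc.
# Assumptions: the anchor is named "com.example.pf", the files will later live in
# /etc/pf.anchors and /Library/LaunchDaemons, and the outside interface is en0.
PF_STAGE="${PF_STAGE:-${TMPDIR:-/tmp}/pf-stage.$$}"
mkdir -p "$PF_STAGE"

write_pf_files() {
  # Minimal configuration file that bypasses Apple's /etc/pf.conf: it only
  # declares the anchor and loads its rules from the anchor file.
  cat > "$PF_STAGE/com.example.pf.conf" <<'EOF'
anchor "com.example.pf"
load anchor "com.example.pf" from "/etc/pf.anchors/com.example.pf"
EOF
  # Anchor file in the order pf requires: options, normalization,
  # (queueing), (translation), filtering. Macros and tables come first.
  cat > "$PF_STAGE/com.example.pf" <<'EOF'
ext_if = "en0"
table <admins> { 192.0.2.10, 192.0.2.11 }   # constructed sample addresses
set block-policy drop
set skip on lo0
scrub in all
block in log all
pass out quick on $ext_if keep state
pass in on $ext_if proto tcp from <admins> to any port 22 keep state
EOF
  # launchd item: one <string> per command-line argument; the last one is
  # the path of the custom configuration file, not Apple's /etc/pf.conf.
  cat > "$PF_STAGE/com.example.pf.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.pf</string>
    <key>ProgramArguments</key>
    <array>
        <string>/sbin/pfctl</string>
        <string>-e</string>
        <string>-f</string>
        <string>/etc/pf.anchors/com.example.pf.conf</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
}

# Return 0 if every rule keyword in the file appears in pf's required section
# order, 1 (with a message) otherwise. Macros, tables and anchor lines are
# ignored because pf does not order them.
pf_rule_order_ok() {
  awk '
    function rank(w) {
      if (w == "set") return 1                                    # options
      if (w == "scrub") return 2                                  # normalization
      if (w == "altq" || w == "queue") return 3                   # queueing
      if (w == "nat" || w == "rdr" || w == "binat") return 4      # translation
      if (w == "block" || w == "pass" || w == "antispoof") return 5  # filtering
      return 0
    }
    /^[ \t]*(#|$)/ { next }
    {
      r = rank($1)
      if (r == 0) next
      if (r < last) { printf("%s:%d: %s rule after a later section\n", FILENAME, NR, $1); bad = 1 }
      if (r > last) last = r
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

stage_and_check() {
  write_pf_files
  pf_rule_order_ok "$PF_STAGE/com.example.pf" || return 1
  # On OS X, also let pfctl parse the anchor without loading it (-n).
  if command -v pfctl >/dev/null 2>&1; then
    sudo pfctl -v -n -f "$PF_STAGE/com.example.pf" || return 1
  fi
  echo "staged in $PF_STAGE; install as root into /etc/pf.anchors and /Library/LaunchDaemons"
}

stage_and_check
```

After copying the staged files into place as root, run sudo pfctl -v -n -f /etc/pf.anchors/com.example.pf.conf once more so that pfctl parses the configuration file together with the anchor it loads, then load the plist with launchctl.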

Some Additional Resources

Finally, it’s important to note that I found a few different web sites helpful during my experimentations with pf on OS X. This write-up was written with Lion in mind, but applies equally well to Mountain Lion, and this site—while clearly focused on OpenBSD and FreeBSD—was nevertheless quite helpful as well.

It should go without saying, but I’ll say it nevertheless: courteous comments are welcome! Feel free to add your thoughts, ideas, questions, or corrections below.


Technology Short Take #30

Welcome to Technology Short Take #30. This Technology Short Take is a bit heavy on the networking side, but I suppose that’s understandable given my recent job change. Enjoy!

Networking

  • Ben Cherian, Chief Strategy Officer for Midokura, helps make a case for network virtualization. (Note: Midokura makes a network virtualization solution.) If you’re wondering about network virtualization and why there is a focus on it, this post might help shed some light. Given that it was written by a network virtualization vendor, it might seem a bit rah-rah, so keep that in mind.
  • Brent Salisbury has a fantastic series on OpenFlow. It’s so good I wish I’d written it. He starts out by discussing proactive vs. reactive flows, in which Brent explains that OpenFlow performance is less about OpenFlow and more about how flows are inserted into the hardware. Next, he tackles the concerns over the scale of flow-based forwarding in his post on coarse vs. fine flows. I love this quote from that article: “The second misnomer is, flow based forwarding does not scale. Bad designs are what do not scale.” Great statement! The third post in the series tackles what Brent calls hybrid SDN deployment strategies, and Brent provides some great design considerations for organizations looking to deploy an SDN solution. I’m looking forward to the fourth and final article in the series!
  • Also, if you’re looking for some additional context to the TCAM considerations that Brent discusses in his OpenFlow series, check out this Packet Pushers blog post on OpenFlow switching performance.
  • Another one from Brent, this time on Provider Bridging and Provider Backbone Bridging. Good explanation—it certainly helped me.
  • This article by Avi Chesla points out a potential security weakness in SDN, in the form of a DoS (Denial of Service) attack where many switching nodes request many flows from the central controller. It appears to me that this would only be an issue for networks using fine-grained, reactive flows. Am I wrong?
  • Scott Hogg has a nice list of 9 common Spanning Tree mistakes you shouldn’t make.
  • Schuberg Philis has a nice write-up of their CloudStack+NVP deployment here.

Servers/Hardware

  • Alex Galbraith recently posted a two-part series on what he calls the “NanoLab,” a home lab built on the Intel NUC (“Next Unit of Computing”). It’s a good read for those of you looking for some very quiet and very small home lab equipment, and Alex does a good job of providing all the details. Check out part 1 here and part 2 here.
  • At first, I thought this article was written from a sarcastic point of view, but it turns out that Kevin Houston’s post on 5 reasons why you may not want blade servers is the real deal. It’s nice to see someone who focuses on blade servers opening up about why they aren’t necessarily the best fit for all situations.

Security

  • Nick Buraglio has a good post on the potential impact of Arista’s new DANZ functionality on tap aggregation solutions in the security market. It will be interesting to see how this shapes up. BTW, Nick’s writing some pretty good content, so if you’re not subscribed to his blog I’d reconsider.

Cloud Computing/Cloud Management

  • Although this post is a bit older (it’s from September of last year), it’s still an interesting comparison of both OpenStack and CloudStack. Note that the author apparently works for Mirantis, which is a company that provides OpenStack consulting services. In spite of that fact, he manages to provide a reasonably balanced approach to comparing the two cloud management platforms. Both of them (I believe) have had releases since this time, so some of the points may not be valid any longer.
  • Are you a CloudStack fan? If so, you should probably check out this collection of links from Aaron Delp. Aaron’s focused a lot more on CloudStack now that he’s at Citrix, so he might be a good resource if that is your cloud management platform of choice.

Operating Systems/Applications

  • If you’re just now getting into the whole configuration management scene where tools like Puppet, Chef, and others play, you might find this article helpful. It walks through the difference between configuring a system imperatively and configuring a system declaratively (hint: Puppet, Chef, and others are declarative). It does presume a small bit of programming knowledge in the examples, but even as a non-programmer I found it useful.
  • Here’s a three-part series on beginning Puppet that you might find helpful as well (Part 1, Part 2, and Part 3).
  • If you’re a developer-type person, I would first ask why you’re reading my site, then I’d point you to this post on the AMQP, MQTT, and STOMP messaging protocols.

Storage

Virtualization

  • Although these posts are storage-related, the real focus is on how the storage stack is implemented in a virtualization solution, which is why I’m putting them in this section. Cormac Hogan has a series going titled “Pluggable Storage Architecture (PSA) Deep Dive” (part 1 here, part 2 here, part 3 here). If you want more PSA information, you’d be hard-pressed to find a better source. Well worth reading for VMware admins and architects.
  • Chris Colotti shares information on a little-known vSwitch advanced setting that helps resolve an issue with multicast traffic and NICs in promiscuous mode in this post.
  • Frank Denneman reminds everyone in this post that the concurrent vMotion limit only goes to 8 concurrent vMotions when vSphere detects the NIC speed at 10Gbps. Anything less causes the concurrent limit to remain at 4. For those of you using solutions like HP VirtualConnect or similar that allow you to slice and dice a 10Gb link into smaller links, this is a design consideration you’ll want to be sure to incorporate. Good post Frank!
  • Interested in some OpenStack inception? See here. How about some oVirt inception? See here. What’s that? Not familiar with oVirt? No problem—see here.
  • Windows Backup has native Hyper-V support in Windows Server 2012. That’s cool, but are you surprised? I’m not.
  • Red Hat and IBM put out a press release today on improved I/O performance with RHEL 6.4 and KVM. The press release claims that a single KVM guest on RHEL 6.4 can support up to 1.5 million IOPS. (Cue timer until next virtualization vendor ups the ante…)

I guess I should wrap things up now, even though I still have more articles that I’d love to share with readers. Perhaps a “mini-TST”…

In any event, courteous comments are always welcome, so feel free to speak up below. Thanks for reading and I hope you’ve found something useful!


Welcome to Technology Short Take #28, the first Technology Short Take for 2013. As always, I hope that you find something useful or informative here. Enjoy!

Networking

  • Ivan Pepelnjak recently wrote a piece titled “Edge and Core OpenFlow (and why MPLS is not NAT)”. It’s an informative piece—Ivan’s stuff is always informative—but what really drew my attention was his mention of a paper by Martin Casado, Teemu Koponen, and others that calls for a combination of MPLS and OpenFlow (and an evolution of OpenFlow into “edge” and “core” versions) to build next-generation networks. I’ve downloaded the paper and intend to review it in more detail. I’d love to hear from any networking experts who’ve read the paper—what are your thoughts?
  • Speaking of Ivan…it also appears that he’s quite pleased with Microsoft’s implementation of NVGRE in Hyper-V. Sounds like some of the other vendors need to get on the ball.
  • Here’s a nice explanation of CloudStack’s physical networking architecture.
  • The first fruits of Brad Hedlund’s decision to join VMware/Nicira have shown up in this joint article by Brad, Bruce Davie, and Martin Casado describing the role of network virtualization in the software-defined data center. (It doesn’t matter how many times I say or write “software-defined data center,” it still feels like a marketing term.) This post is fairly high-level and abstract; I’m looking forward to seeing more detailed and in-depth posts in the future.
  • Art Fewell speculates that the networking industry has “lost our way” and become a “big bag of protocols” in this article. I do agree with one of the final conclusions that Fewell makes in his article: that SDN (a poorly-defined and often over-used term) is the methodology of cloud computing applied to networking. Therefore, SDN is cloud networking. That, in my humble opinion, is a more holistic and useful way of looking at SDN.
  • It appears that the vCloud Connector posts (here and here) that (apparently) incorrectly identify VXLAN as a component/prerequisite of vCloud Connector have yet to be corrected. (Hat tip to Kenneth Hui at VCE.)

Servers/Hardware

Nothing this time around, but I’ll watch for content to include in future posts.

Security

  • Here’s a link to a brief (too brief, in my opinion, but perhaps I’m just being overly critical) post on KVM virtualization security, authored by Dell TechCenter. It provides some good information on securing the libvirt communication channel.

Cloud Computing/Cloud Management

  • Long-time VMware users probably remember Mike DiPetrillo, whose website has now, unfortunately, gone offline. I mention this because I’ve had this article on RabbitMQ AMQP with vCloud Director sitting in my list of “articles to write about” for a while, but some of the images were missing and I couldn’t find a link for the article. I finally found a link to a reprinted version of the article on DZone Enterprise Integration. Perhaps the article will be of some use to someone.
  • Sam Johnston talks about reliability in the cloud with a discussion on the merits of “reliable software” (software designed for failure) vs. “unreliable software” (more traditional software not designed for failure). It’s a good article, but I found the discussion between Sam and Massimo (of VMware) as equally useful.

Operating Systems/Applications

Storage

  • Want some good details on the space-efficient sparse disk format in vSphere 5.1? Andre Leibovici has you covered right here.
  • Read this article for good information from Andre on a potential timeout issue with recomposing desktops and using the View Storage Accelerator (aka context-based read cache, CRBC).
  • Apparently Cormac Hogan, aka @VMwareStorage on Twitter, hasn’t gotten the memo that “best practices” is now outlawed. He should have named this series on NFS with vSphere “NFS Recommended Practices”, but even misnamed as they are, the posts still have useful information. Check out part 1, part 2, and part 3.
  • If you’d like to get a feel for how VMware sees the future of flash storage in vSphere environments, read this.

Virtualization

  • This is a slightly older post, but informative and useful nevertheless. Cormac posted an article on VAAI offloads and KAVG latency when observed in esxtop. The summary of the article is that the commands esxtop is tracking are internal to the ESXi kernel only; therefore, abnormal KAVG values do not represent any sort of problem. (Note there’s also an associated VMware KB article.)
  • More good information from Cormac here on the use of the SunRPC.MaxConnPerIP advanced setting and its impact on NFS mounts and NFS connections.
  • Another slightly older article (from September 2012) is this one from Frank Denneman on how vSphere 5.1 handles parallel Storage vMotion operations.
  • A fellow IT pro contacted me on Twitter to see if I had any idea why some shares on his Windows Server VM weren’t working. As it turns out, the problem is related to hotplug functionality; the OS sees the second drive as “removable” due to hotplug functionality, and therefore shares don’t work. The problem is outlined in a bit more detail here.
  • William Lam outlines how to use new tagging functionality in esxcli in vSphere 5.1 for more comprehensive scripted configurations. The new tagging functionality—if I’m reading William’s write-up correctly—means that you can configure VMkernel interfaces for any of the supported traffic types via esxcli. Neat.
  • Chris Wahl has a nice write-up on the behavior of Network I/O Control with multi-NIC vMotion traffic. It was pointed out in the comments that the behavior Chris describes is documented, but the write-up is still handy, and an important factor to keep in mind in your designs.

I suppose I should end it here, before this “short take” turns into a “long take”! In any case, courteous comments are always welcome, so if you have additional information, clarifications, or corrections to share regarding any of the articles or links in this post, feel free to speak up below.


About a week ago, I published an article showing you how to use EncFS and BoxCryptor to provide client-side encryption of Dropbox data. After working with this configuration for a while, I’ve run across a problem (at least, a problem for me—it might not be a problem for you). The problem lies on the iPad end of things.

If you haven’t read the earlier post, the basic gist of the idea is to use EncFS—an open source encrypting file system—and OSXFUSE to provide file-level encryption of Dropbox data on your OS X system. This is client-side encryption where you are in the control of the encryption keys. To access these encrypted files from your iPad, you’ll use the BoxCryptor iOS client, which is compatible with EncFS and decrypts the files.

Sounds great, right? Well, it is…mostly. The problem arises from the way that the iPad handles files. BoxCryptor uses the built-in document preview functionality of iOS, which in turn allows you to access the iPad’s “Open In…” functionality. The only way to get to the “Open In…” menu is to first preview the document using the iOS document preview feature. Unfortunately, the iOS document preview functionality doesn’t recognize a number of files and file types. Most notably for me, it doesn’t recognize Markdown files (I’ve tried several different file extensions and none of them seem to work). Since the preview feature doesn’t recognize Markdown, then I can’t get to “Open In…” to open the documents in Byword (an iOS Markdown editor), and so I’m essentially unable to access my content.

To see if this was an iOS-wide problem or a problem limited to BoxCryptor, I tested accessing some non-encrypted files using the Dropbox iOS client. The Dropbox client will, at least, render Markdown and OPML files as plain text. The Dropbox iOS client still does not, unfortunately, know how to get the Markdown files into Byword. I even tried a MindManager mind map; the Dropbox client couldn’t preview it (not surprisingly), but it did give me the option to open it in the iOS version of MindManager. The BoxCryptor client also worked with a mind map, but refuses to work with plain text-based files like Markdown and OPML.

Given that I create the vast majority of my content in Markdown, this is a problem. If anyone has any suggestions, I’d love to hear them in the comments. Otherwise, I’ll post more here as soon as I learn more or find a workaround.


Welcome to Technology Short Take #25, my irregularly-published collection of links, articles, thoughts, and rants. It’s been a while since my last Technology Short Take (almost three months!); my apologies for that. This is my first time publishing a Technology Short Take with my new filesystem-based approach of managing resources. We’ll see how well it goes…

In any case, let’s get on with it!

Networking

  • Some folks from Nicira (now part of VMware) recently published a blog post discussing the OVSDB IETF draft (see here). It’s a valid point—people get all worked up over OpenFlow, but OpenFlow doesn’t address the management plane (only the control plane). Unfortunately, the management plane is often the place where vendors choose to “innovate” and “differentiate” their offerings, which—in my humble view—makes any sort of standardization in the management plane extremely difficult. I could be wrong (wouldn’t be the first time).
  • I think this three-part series on new network models for cloud computing (part 1, part 2, and part 3), while almost a year old, is quite good. James Urquhart, the author of the series, does a good job of breaking down some of the commonly-discussed “disruptive” technologies like Quantum (part of OpenStack) and OpenFlow. Worth a read if you are trying to get up to speed on these efforts, in my opinion.
  • There’s some additional information on the Quantum release on Folsom here.
  • Erik Smith, notably known for his outstanding posts on storage and FCoE, takes a stab at describing some of the differences between SDN and network virtualization in this post.
  • I found this series of posts to be helpful when I was working on configuring LACP with Open vSwitch (I hope to have a blog post on that up soon).
  • Reading these early OpenFlow meeting notes (via Brent Salisbury, aka @networkstatic on Twitter) was very fascinating. There’s a lot to digest there (for me, anyway, there is a lot to digest).

Servers/Hardware

Nothing this time around—but I’ll keep my eyes peeled for interesting information to include next time!

Security

  • I came across this post on CloudFoundry’s User Account and Authentication Service (the UAA). If you’re seeking more information on UAA, this looks like a good place to start.

Cloud Computing/Cloud Management

Operating Systems/Applications

  • I haven’t had much time to spend working with Puppet (a shame, I really enjoy the product—hopefully I’ll get back to it soon). When I do get back into working with Puppet again, I’m going to do my best to follow this advice regarding Puppet modules.

Storage

  • Sean Thulin has a nice write-up on configuring VASA for use with a VNX.
  • Is Cisco’s Insieme effort producing a storage product? Some interesting speculation can be found here and here (hat tip to Erik Smith).
  • Speaking of Erik Smith…this post on the impact of bit errors on I/O consolidation is a great post. I learn something from just about every one of Erik’s posts.
  • Another great post by Jason Boche on thin provisioning and VAAI UNMAP support. He does a great job of pulling together resources and explaining how it all works, including some great practical advice for real-world usage.
  • If storage is your thing—especially in VMware environments—I’d recommend having a look at Cormac Hogan’s blog for his series on vSphere 5.1 storage enhancements. It starts here.
  • There’s an interesting write-up here on a globally distributed OpenStack Swift cluster. What wasn’t clear to me—I guess I’m just dense—was whether the functionality SwiftStack was describing in their post was actually in current releases of Swift (and, if so, is it only in their commercial Swift release, or the open source Swift versions) or if this was “pie-in-the-sky” thinking about functionality that should be added at some point in the future. Anyone have any clarification here?

Virtualization

  • Need to add an alias to your vCloud Director cell? Jason Boche shows you how.
  • This is kind of a nice feature in Hyper-V 3: DHCP Guard. According to this article by Rick Vanover, this feature allows you to protect your network against rogue/unauthorized DHCP servers. Anyone actually tried this feature out yet (other than in a lab)?
  • William Lam shows you how to use ovftool to copy VMs directly between ESXi hosts. That’s pretty handy.
  • Only a true geek would be interested in this, but here’s some information on running OpenBSD in KVM on Linux. Given my past interest in OpenBSD and my present interest in KVM on Linux, this might be something I’ll be trying myself soon. Sadly, it looks like that post is the author’s last post in three years…shame.
  • I’m not sure if this should be considered “storage” or “virtualization,” as the lines continue to blur every day. In any case, this article by Frank Denneman on Storage DRS load balancing frequency might be useful to you.
  • This post describes some of the benefits of KVM’s VirtIO driver and how to use VirtIO with OpenStack. You’ll note, by the way, that Nova uses libvirt to manipulate KVM. This is one of the reasons I’ve been spending some time with libvirt—as part of the “glue” between Nova and KVM, I think it’s important to understand how libvirt works. (This is also why I’ve been spending time with Open vSwitch, which is a critical construct in Quantum.)

I suppose I should wrap things up now. Feel free to speak up in the comments if you found something I included here useful, or if there’s additional information that would benefit other readers. All courteous comments are welcome!


This is session SFTS012, titled “Designing a Trusted Cloud with OpenStack.” It is, unfortunately, my last session of the conference; I’m leaving from here to head to the airport to catch my flight home. The speaker for the session is Vin Sharma, who helps lead open source software strategies at Intel. The focus of this session, as you can tell from the title, is on security and trust (presumably talking about how to leverage Intel TXT with OpenStack).

Intel’s “Cloud 2015” vision recognizes there will be more users, more devices, and more data, and is shooting toward an ecosystem of open, interoperable cloud operating environments (OEs) built on open APIs and open standards. (That’s a lot of “open”.)

Based on feedback from ODCA (Open Data Center Alliance) members, security issues are top of mind for cloud implementations. These issues are second only to concerns on how to migrate applications to cloud OEs (or, in Sharma’s terms, “how to cloudify applications”). 20% of ODCA members included security-related issues as top challenges for cloud implementations.

Sharma reviews again some of the ODCA cloud computing usage models. In the security space, there are a number of different usage models available. Sharma will focus on the “Security Provider Assurance” usage model during this presentation.

The challenges in this space include:

  • Proving compliance with an audit record
  • Providing visibility or control over placement of workloads in the cloud

Sharma (and Intel) believes that “trusted compute pools” are the answer to these challenges. Using Intel technologies like TXT (Trusted Execution Technology) along with a policy engine and related components such as TPM, providers can build “trusted compute pools” to help solve security-related issues in a cloud OE.

The problem, according to Sharma, is that the natural evolution of open source projects–which are playing an increasingly influential role in the direction of data centers, cloud OEs, and provider implementations/services–is often at odds with what enterprises need. This means that there must be some sort of “driving force,” such as a vendor or organization, that helps shape and focus open source development in the right direction. Intel believes OpenStack is the right cloud OE, and believes that the support of OpenStack across the industry provides the right “shape and focus” to ensure that OpenStack starts to address enterprise data center needs. For this reason, Sharma states, Intel believes OpenStack is the right vehicle to address the ODCA usage models and the right place to implement trusted compute pools.

While Sharma believes OpenStack is the right vehicle, it still has a way to go. He shows a couple of slides that demonstrate that users expect a certain level of functionality, but OpenStack is (today) only prepared to deliver a subset of that functionality. This gap provides a number of opportunities, not only for Intel but also for other vendors. This is especially true in areas like auditing and security incident event management (SIEM). (RSA, are you listening?)

At the heart of enabling trusted compute pools is the scheduler, and that’s where Intel started. The scheduler needs to be able to make intelligent decisions about where a VM should be provisioned, so that it can provision workloads on the basis of platform characteristics (is this a trusted host or an untrusted host, in this particular instance). While the initial changes to the scheduler are focused on trusted compute pools, there are additional directions to take the scheduler (power consumption, workload characteristics, and performance, for example). In order to be able to determine the trust status of a host, OpenStack needs an attestation service. This allows the scheduler to determine if a host is trusted/untrusted, and therefore be able to make intelligent scheduling decisions based on trust and security policy.

So how does this open attestation service that Intel has created work? It uses something called the TrouSerS stack (I’m not familiar with this one) and a host agent to determine trusted/untrusted status. The attestation server uses HTTPS to communicate with the host agent’s API, and provides an API by which OpenStack can communicate with the attestation server (in order to check status). Sharma indicates that a white paper is under development that will provide more details on exactly how this is implemented. The OpenAttestation code is available on GitHub. The other components required to make this work will either be delivered in Folsom (where changes in the scheduler are available) or are already in the Linux kernel (like the tboot functionality/support).

At this point Sharma wraps up the session.


Welcome to Technology Short Take #24, another instance of my irregularly-published collection of links, thoughts, and rants on various data center technologies like networking, operating systems, security, hardware, virtualization, and cloud computing. This is a slightly shorter version of my Technology Short Takes; I’m trying to pare down since some readers have indicated the previous Short Takes weren’t short enough. Anyway, I hope you find something useful.

Networking

  • This page is a decent reference to the open source software-defined networking (SDN) projects that are out there. While I’m sure it’s not comprehensive—open source projects can be difficult to track sometimes—it’s at least a good starting point.
  • Here’s an older article by Brad Hedlund on building a leaf-spine design with either 40G or 10G. Which is better? As usual, the IT answer is, “It depends.” It’s a good article overall, although it reminds me that I still have so much to learn in networking. It’s a good thing there are smart folks like Brad who are willing to share their knowledge.

Security

  • Bromium finally “opened the kimono” to talk about what they’re doing. I had the chance to chat with Simon Crosby, and I must say that it’s pretty cool stuff. If you haven’t yet read it, check out Simon’s post at BrianMadden.com.
  • While I was in Indianapolis last week for the Indianapolis VMUG, I sat in on a session by Lancope on the use of Netflow to secure your network. The presenter showed a list of open source Netflow tools. I haven’t gotten the specific list that the presenter used, but I did find this list—perhaps it will be useful.

Storage

  • In 2009 I wrote a piece explaining NPIV and NPV. In May Tony Bourke posted a write-up of NPIV and NPV as well, and did a good job of drawing some analogies about these technologies. There’s a great discussion going on in the comments as well, so I recommend reading the comments too.
  • This article is titled “Understanding IO,” but it really seems like more of a write-up on various IO analysis tools. Still quite useful, even though it seems to be a bit focused on Solaris.
  • I finally got around to reading Stephen Foskett's I/O Blender series (part 1, part 2, and part 3), in which he describes the current state of storage and virtualization as an introduction to some of the ideas that VMware described in their "next-generation" storage presentation at VMworld 2011; in particular, the demultiplexer.

Virtualization

  • Maish Saidel-Keesing has a three-part write-up on installing and configuring OpenIndiana in a VM (part 1, part 2, and part 3). This is not something I’ve had the opportunity to work with, although I have worked some with Solaris in the past. (In fact, this weekend I tried to find a Solaris 10 x86 ISO I used to have somewhere because I was going to build a Solaris 10 VM for some Puppet testing and couldn’t find it. Bummer.)
  • Via Vladan Seget, I saw that VMware vSphere 5.0 has achieved Common Criteria EAL4+ certification.
  • This VMware KB article has a great PDF attached that covers vSphere’s various memory management techniques.
  • Working your way toward taking the VCAP-DCD exam? This site, while a bit dated, has some good resources for VDCD410 (the vSphere 4 version of the exam). Of course, there’s also this little video training course that was recently released…
  • Here’s a Citrix Knowledge Center article that provides more information on SR-IOV (Single Root I/O Virtualization) support within XenServer (and, by extension, Xen Cloud Platform/XCP).
  • There’s an interesting note here about interactions between SIOC and SRM 5.

That’s it for this time around; feel free to add your own thoughts in the comments below. Courteous comments are always welcome!


Welcome to Technology Short Take #23, another collection of links and thoughts related to data center technologies like networking, storage, security, cloud computing, and virtualization. As usual, we have a fairly wide-ranging collection of items this time around. Enjoy!

Networking

  • A couple of days ago I learned that there are a couple of open source implementations of LISP (Locator/ID Separation Protocol). There's OpenLISP, which runs on FreeBSD, and there's also a project called LISPmob that brings LISP to Linux. From what I can tell, LISPmob appears to be a bit more focused on the endpoint than OpenLISP.
  • In an earlier post on STT, I mentioned that STT’s re-use of the TCP header structure could cause problems with intermediate devices. It looks like someone has figured out how to allow STT through a Cisco ASA firewall; the configuration is here.
  • Jose Barreto posted a nice breakdown of SMB Multichannel, a bandwidth-enhancing feature of SMB 3.0 that will be included in Windows Server 2012. It is, unexpectedly, only supported between two SMB 3.0-capable endpoints (which, at this time, means two Windows Server 2012 hosts). Hopefully additional vendors will adopt SMB 3.0 as a network storage protocol. Just don’t call it CIFS!
  • Reading this article, you might deduce that Ivan really likes overlay/tunneling protocols. I am, of course, far from a networking expert, but I do have to ask: at what point does it become necessary (if ever) to move some of the intelligence “deeper” into the stack? Networking experts everywhere advocate the “complex edge-simple core” design, but does it ever make sense to move certain parts of the edge’s complexity into the core? Do we hamper innovation by insisting that the core always remain simple? As I said, I’m not an expert, so perhaps these are stupid questions.
  • Massimo Re Ferre posted a good article on a typical VXLAN use case. Read this if you’re looking for a more concrete example of how VXLAN could be used in a typical enterprise data center.
  • Bruce Davie of Nicira helps explain the difference between VPNs and network virtualization; this is a nice companion article to his colleague’s post (which Bruce helped to author) on the difference between network virtualization and software-defined networking (SDN).
  • The folks at Nicira also collaborated on this post regarding software overhead of tunneling. The results clearly favor STT (which was designed to take advantage of NIC offloading) over GRE, but the authors do admit that as “GRE awareness” is added to the cards that protocol’s performance will improve.
  • Oh, and while we're on the topic of SDN…you might have noticed that VMware has taken to using the term "software-defined" to describe many of the services that vSphere (and related products) provide. This includes the use of software-defined networking (SDN) to describe the functionality of vSwitches, distributed vSwitches, vShield, and other features. Personally, I think that the term software-based networking (SBN) is far more applicable than SDN to what VMware does. Is it just me?
  • Brad Hedlund wrote this post a few months ago, but I’m just now getting around to commenting about it. The gist of the article—forgive me if I munge it too much, Brad—is that the use of open source software components might dramatically change the shape/way/means in which networking protocols and standards are created and utilized. If two components are communicating over the network via open source components, is some sort of networking standard needed to avoid being “proprietary”? It’s an interesting thought, and goes to show the power of open source on the IT industry. Great post, Brad.
  • One more mention of OpenFlow/SDN: it’s great technology (and I’m excited about the possibilities that it creates), but it’s not a silver bullet for scalability.

Security

  • I came across this interesting post on a security attack based on VMDKs. It’s quite an interesting read, even if the probability of being able to actually leverage this attack vector is fairly low (as I understand it).

Storage

  • Chris Wahl has a good series on NFS with VMware vSphere. You can catch the start of the series here. One comment on the testing he performs in the “Same Subnet” article: if I’m not mistaken, I believe the VMkernel selection is based upon which VMkernel interface is listed in the first routing table entry for the subnet. This is something about which I wrote back in 2008, but I’m glad to see Chris bringing it to light again.
  • George Crump published this article on using DCB to enhance iSCSI. (Note: The article is quite favorable to Dell, and George discloses an affiliation with Dell at the end of the article.) One thing I did want to point out is that—if I recall correctly—the 802.1Qbb standard for Priority Flow Control only defines a single “no drop” class of service (CoS). Normally that CoS is assigned to FCoE traffic, but in an environment without FCoE you could assign it to iSCSI. In an environment with both, that could be a potential problem, as I see it. Feel free to correct me in the comments if my understanding is incorrect.
  • Microsoft is introducing data deduplication in Windows Server 2012, and here is a good post providing an introduction to Microsoft’s deduplication implementation.
  • SANRAD VXL looks interesting—anyone have any experience with it? Or more detailed technical information?
  • I really enjoyed Scott Drummonds’ recent storage performance analysis post. He goes pretty deep into some storage concepts and provides real-world, relevant information and recommendations. Good stuff.

Cloud Computing/Cloud Management

  • After moving CloudStack to the Apache Software Foundation, Citrix published this discourse on “open washing” and provides a set of questions to determine the “openness” of software projects with which you may become involved. While the article is clearly structured to favor Citrix and CloudStack, the underlying point—to understand exactly what “open source” means to your vendors—is valid and worth consideration.
  • Per the AWS blog, you can now export EC2 instances out of Amazon and into another environment, including VMware, Hyper-V, and Xen environments. I guess this kind of puts a dent in the whole “Hotel California” marketing play that some vendors have been using to describe Amazon.
  • Unless you’ve been hiding under a rock for the past few weeks, you’ve most likely heard about Nick Weaver’s Razor project. (If you haven’t heard about it, here’s Nick’s blog post on it.) To help with the adoption/use of Razor, Nick also recently announced an overview of the Razor API.

Virtualization

  • Frank Denneman continues to do a great job writing solid technical articles. The latest article to catch my eye (and I’m sure that I missed some) was this post on combining affinity rule types.
  • This is an interesting post on a vSphere 5 networking bug affecting iSCSI that was fixed in vSphere 5.0 Update 1.
  • Make a note of this VMware KB article regarding UDP traffic on Linux guests using VMXNET3; the workaround today is using E1000 instead.
  • This post is actually over a year old, but I just came across it: Luc Dekens posted a PowerCLI script that allows a user to find the maximum IOPS values over the last 5 minutes for a number of VMs. That’s handy. (BTW, I have fixed the error that kept me from seeing the post when it was first published—I’ve now subscribed to Luc’s blog.)
  • Want to use a Debian server to provide NFS for your VMware environment? Here is some information that might prove helpful.
  • Jeremy Waldrop of Varrow provides some information on creating a custom installation ISO for ESXi 5, Nexus 1000V, and PowerPath/VE. Cool!
  • Cormac Hogan continues to pump out some very useful storage-focused articles on the official VMware vSphere blog. For example, both the VMFS locking article and the article on extending an EagerZeroedThick disk were great posts. I sincerely hope that Cormac keeps up the great work.
  • Thanks to this Project Kronos page, I’ve been able to successfully set up XCP on Ubuntu Server 12.04 LTS. Here’s hoping it gets easier in future releases.
  • Chris Colotti takes on some vCloud Director “challenges”, mostly surrounding vShield Edge and vCloud Director’s reliance on vShield Edge for specific networking configurations. While I do agree with many of Chris’ points, I personally would disagree that using vSphere HA to protect vShield Edge is an acceptable configuration. I was also unable to find any articles that describe how to use vSphere FT to protect the deployed vShield appliances. Can anyone point out one or more of those articles? (Put them in the comments.)
  • Want to use Puppet to automate the deployment of vCenter Server? See here.

I guess it’s time to wrap up now, lest my “short take” get even longer than it already is! Thanks for reading this far, and I hope that I’ve shared something useful with you. Feel free to speak up in the comments if you have questions, thoughts, or clarifications.


Welcome to Technology Short Take #22! Once again, I find myself without too many articles to share with you this time around. I guess that will make things a bit easier for you, the reader, but it does make me question whether or not I’m “listening” to the right communities. If any readers have suggestions on sources of information to which I should be subscribing or I should be following, I’d love to hear your suggestions.

In any case, let’s get into the meat of it. I hope you find something useful!

Security

  • I have to agree with Tom Hollingsworth that we often create backdoors by design simply out of our own laziness. I’ve heard it said—in fact I may have used the statement myself—that no amount of security can fix stupidity. That might be a bit strong, but it does apply to the “shortcuts” that we create for ourselves or our customers in our designs.

Servers/Hardware

  • Kevin Houston (who works for Dell) posted an article about a recent test report comparing power usage between Dell blades and Cisco UCS blades. If you’re comparing these two solutions, find a comparable report from Cisco and then draw your own conclusions. (Always get multiple views on a topic like this, because every vendor—and I know because I work for a vendor, too—will spin the report in their favor.)

That’s it for this time around. I hope that you have found something useful here. If anyone has any suggestions for sites/forums they’ve found helpful with data center-focused topics, I’d love for you to add that information in the comments.


It's been a while since I published my last Technology Short Take (found here), and in browsing my list of saved links I find that I don't really have that many to share. Which then leads me to ask the question, "Why?" I think it's because I've been sharing lots of stuff via my Twitter account.

In any event, here are some older links that I’ve been saving up to share with you. Many of these posts are a bit older, but I’m including them here just in case someone missed them earlier. As usual, I hope that you find something useful here!

Networking

  • Derick Winkworth describes data center networking as “a messy pile of discombobulated garbage” in his post on the sad state of data center networking. As someone simply observing developments in data center networking from the outside while desperately trying to keep up, now I don’t feel so bad that I don’t necessarily get all of it.

Security

  • Pardon me for the self-promotion, but in order to prevent the ranks of the 600K Macs infected with Flashback from growing, I’d recommend you have a look at this list of 8 things to help secure your Mac. Also, for more details on the latest Flashback variant, see here.
  • Interesting information on a potential VMware security vulnerability is available here. vSphere 5 is not affected.

Storage

  • I posted this article on Twitter, but wanted to share it here as well. This post by Richard Elling on IOPS and latency is, in my opinion, a must-read.

That’s going to do it this time around. Feel free to speak up in the comments below to add your thoughts, other links you’ve found useful, or anything else. Thanks!

