Archive for the ‘Uncategorized’ Category

It’s really hybrid virtualization security

September 11, 2008

Finally I have some time to write about The Four Horsemen of the Apocalypse, the BlackHat version of Chris Hoff’s work in progress by the same name. Since I have not actually heard the talk, I am only relying on the published presentation, which gives me a lot of creative freedom …

First, this is probably the best overall tour of security in virtualized environments I have seen. Obviously it is not a technical paper but rather a (very necessary) propaganda instrument. The “Guidelines” at the end (pages 159-175 of the version linked above) are a nice hands-on summary of where we should go. That the propaganda is necessary is confirmed on a daily basis by conversations with VMware users. It is not uncommon to operate thousands of VMs in a single LAN without any separation.

Based on my fairly large sample, it basically boils down to whether networking and security specialists are involved in setting up the virtualized environment. More frequently than not, neither specialty is on board.

What I liked best in the technical area is the classification of security approaches (on pages 78-118, my numbering):

  1. No security (the dominant reality, see above)
  2. External security
  3. Virtual security appliances (VSAs)
  4. APIs (basically what will be in VMsafe)

This is mostly a tour that clarifies what can be done, spiced with a heavy dose of VSA-skepticism. Given that I (among other things) build VSAs for a living, it is a bit surprising that I mostly agree with him: VSAs actually have a fairly limited scope – and a number of problems.

My take is that we will run hybrid environments that combine all of the above for quite a while, with (2) the most important for now and (4) catching up (until VMsafe is released there are not many API-based options). (1) is, of course, unsatisfying, but a pretty dominant reality, and (2) is really only completing the picture (but the heavily touted cases such as securing VM-to-VM traffic are mostly of theoretical interest).

No VMotion around virtual or physical firewalls, please

August 12, 2008

Chris Hoff’s BlackHat presentation titled “The Four Horsemen of the Virtualization Apocalypse” was described here by Ellen Messmer, to Chris’ dislike. Her spin may have been slightly too negative, but in any case she reports interesting points, among them Chris’ comment that it just won’t work if you VMotion a virtual firewall (VFW). While Chris is right in general, moving a VFW will in fact work in some simple corner cases, basically when both locations are indistinguishable in networking terms (same subnet, same VLANs, no NAT on the VFW itself, etc.). So you can VMotion a firewall, but just a little bit … if you are not so lucky, all hell breaks loose.

What’s more worrying is that all the same problems will happen if you VMotion any VM in presence of any firewall (virtual or physical): either you VMotion between two locations that are identical in terms of routing, VLANs etc. or you are in trouble. Any relative motion between firewall and VM will create the same troubles.
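The “indistinguishable in networking terms” condition above is exactly what a pre-migration check should test before a VM (or a VFW) is moved. The following is an added example, not code from the original post or from VMware: it models each host’s port groups by VLAN, subnet, gateway and which side of the firewall the segment sits on, and reports every way a move would change the VM’s position relative to the firewall. Host names, VLAN ids, subnets and the `firewall_side` attribute are constructed for the example; a real deployment would populate them from the virtual switch and firewall configuration.

```python
"""Pre-VMotion network-equivalence check (added example, constructed data)."""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PortGroup:
    """One virtual-switch port group as seen on a given host (constructed model)."""
    vlan: int
    subnet: str          # CIDR the segment uses
    gateway: str         # default gateway VMs on the segment use
    firewall_side: str   # "inside", "outside" or "dmz": side of the firewall the segment is on


@dataclass(frozen=True)
class Host:
    name: str
    port_groups: Dict[str, PortGroup]


@dataclass(frozen=True)
class VM:
    name: str
    port_groups: Tuple[str, ...]   # names of the port groups the VM's vNICs attach to
    is_firewall: bool = False      # True for a virtual firewall (VFW)
    does_nat: bool = False         # True if the VFW translates addresses itself


def migration_problems(vm: VM, src: Host, dst: Host) -> List[str]:
    """Return every reason a move of `vm` from `src` to `dst` would change its
    network position relative to the firewall. An empty list means the two
    locations are indistinguishable for this VM, i.e. the 'simple corner case'."""
    problems: List[str] = []
    for pg_name in vm.port_groups:
        a = src.port_groups.get(pg_name)
        b = dst.port_groups.get(pg_name)
        if a is None or b is None:
            missing = src.name if a is None else dst.name
            problems.append(f"{pg_name}: not present on {missing}")
            continue
        if a.vlan != b.vlan:
            problems.append(f"{pg_name}: VLAN {a.vlan} on {src.name} vs {b.vlan} on {dst.name}")
        if ipaddress.ip_network(a.subnet) != ipaddress.ip_network(b.subnet):
            problems.append(f"{pg_name}: subnet {a.subnet} vs {b.subnet}")
        if a.gateway != b.gateway:
            problems.append(f"{pg_name}: gateway {a.gateway} vs {b.gateway}")
        if a.firewall_side != b.firewall_side:
            problems.append(f"{pg_name}: {a.firewall_side} of the firewall on {src.name} "
                            f"vs {b.firewall_side} on {dst.name}")
    # A NAT'ing VFW carries translation state tied to its addresses; moving it
    # is not a corner case the check can approve, even with identical segments.
    if vm.is_firewall and vm.does_nat:
        problems.append(f"{vm.name}: NAT on the virtual firewall binds its state to the location")
    return problems


# Constructed sample inventory: esx-b matches esx-a on the DMZ segment only.
HOST_A = Host("esx-a", {
    "prod-web":   PortGroup(100, "10.1.0.0/24", "10.1.0.1", "dmz"),
    "prod-db":    PortGroup(201, "10.2.0.0/24", "10.2.0.1", "inside"),
    "fw-outside": PortGroup(10, "192.0.2.0/24", "192.0.2.1", "outside"),
})
HOST_B = Host("esx-b", {
    "prod-web":   PortGroup(100, "10.1.0.0/24", "10.1.0.1", "dmz"),
    "prod-db":    PortGroup(200, "10.3.0.0/24", "10.3.0.1", "inside"),  # VLAN, subnet, gateway differ
    # "fw-outside" deliberately absent on esx-b
})

VM_WEB = VM("web01", ("prod-web",))
VM_DB = VM("db01", ("prod-db",))
VFW = VM("vfw01", ("fw-outside", "prod-web"), is_firewall=True, does_nat=True)


if __name__ == "__main__":
    for vm in (VM_WEB, VM_DB, VFW):
        issues = migration_problems(vm, HOST_A, HOST_B)
        verdict = "OK to VMotion" if not issues else "DO NOT VMotion"
        print(f"{vm.name}: {verdict}")
        for line in issues:
            print("   -", line)
```

Run as a script, the web VM passes (both hosts present the identical DMZ segment), the database VM fails on VLAN, subnet and gateway, and the NAT'ing VFW fails both because one of its segments does not exist on the target host and because of the NAT itself. The same function applies unchanged to the case in the next paragraph, a plain VM moving across a physical firewall, because the `firewall_side` comparison is what catches a change in the firewall's position relative to the VM.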

The really revealing bit about Chris’ comment is that most VMware deployments are still so simple that all VMotion happens in the simple corner cases. So don’t get too close to your firewall when you do VMotion.

PS. I have, of course, my own agenda here.

IDC Virtualization Forum, Part III

May 9, 2008

Part I of this post was about the virtualization market, Part II about technical vision, and Part III is about an upcoming product. HP presented Insight Dynamics as their multi-hypervisor virtualization solution. A vendor-specific management solution is not inherently exciting; what makes it interesting is how HP tries to counter the threat that VMware might further commoditize server hardware.

In terms of features, many startups have more to offer, but this is about the fight over control of the data center. Here are the differentiators that I could see.

  1. Multi-hypervisor support: HP-ID manages VMware, Xen and Hyper-V. Today it is only VMware that really matters, but the differentiation vs. VMware is evident. No differentiation vs. most startups.
  2. Hybrid management: HP-ID manages both VMs and physical servers and can handle V2P and P2V migration on the fly. This is actually fairly unique, and has created a huge draw among attendees of the forum.
  3. Deep hardware support: HP-ID supports HP blades and various server models at a level that vendor-neutral products will never reach.

From a technology perspective, it’s nothing too great, but operations people loved it for good reasons. While nobody is actually using Xen or Hyper-V, at least the latter is considered pretty much unavoidable. The HP lunch table on hybrid management was clearly beating all other topics. Next to nobody even dreams of a fully virtualized environment, and there is clearly unmet demand for management software that crosses between virtual and physical. Practitioners uniformly praise the role of blade technology for dynamic data centers. One friendly user spoke about a standard rack that had only 12 cables running to the LAN and SAN switches; using standard 2U rack mounts the equivalent would be 120 cables. A factor of ten is always cool, and cabling is extremely manual and can be error-prone depending on your setup.

The bottom line: while technically a mostly unimpressive, hardware-specific solution, HP-ID addresses the practical pain points.