RSA 2008: Securing Virtual Machines (and Olympic Torches) - 09 Apr 2008

Editor’s Note: If you’d like to continue to receive the Virtualization UPDATE newsletter, please click on the hyperlink at the bottom of this newsletter that reads: To continue receiving this newsletter please click here.

I’m typing this commentary from the press room at the RSA 2008 conference in San Francisco, already in the thick of attending my first day of the RSA security conference here. Security has become an increasingly important topic for IT administrators and CIOs over the past few years, and that growth is reflected in this year’s RSA. A wide range of timely security topics is being covered, from endpoint and mobile security to virus protection and spam prevention. Virtualization security will also be a big topic, with a number of vendors announcing new and improved products in the space. Sadly, all the security experts at RSA couldn’t prevent me from getting mugged by the San Francisco Marriott parking garage, which charged me a wallet-crushing $52-a-night fee for the privilege of parking my lowly Kia Optima rental car in the hotel garage.

In a rather unlikely coincidence, another major security story is unfolding on the streets of San Francisco as I write this. The Olympic torch for the 2008 Olympic Games is passing through San Francisco this morning, and local police and other security officials have their work cut out for them. Keeping politics out of the discussion, the security task alone for the torch relay is considerable: How do you simultaneously keep a visible (and very important) symbol of the Olympic Games out in the open, while ensuring that the torch (and its wielders) reach their destination in safety, and can be easily viewed by peaceful onlookers? The security landscape is always filled with unforeseen threats and challenges, a situation that anyone involved in IT security could readily attest to.

IBM Announces PHANTOM Initiative
Managing emerging threats is of vital concern to any IT administrator or information security officer, a challenge made more formidable by the advent of virtualization. Existing security solutions may be optimized for physical devices and traditional software deployment, but how do you install, manage, and secure your burgeoning virtual infrastructure?

IBM thinks it has the answer in the form of a new initiative dubbed "PHANTOM," a security research project that was announced yesterday at RSA and is being worked on by IBM Research and IBM X-Force. According to IBM, PHANTOM relies on some cutting-edge host and network intrusion protection technology to keep security threats at bay. IBM introduced virtualization to their mainframe products more than four decades ago, a history of experience that IBM hopes to leverage when managing virtualized resources at the server level with their PHANTOM initiative.

The PHANTOM approach situates the security functionality in an isolated part of the system and integrates closely with a hypervisor. The PHANTOM news release stresses that the hypervisor in any virtualization solution is "a critical point of vulnerability…once an attacker gains control of the hypervisor, they gain control of all the machines running on the platform." One answer to that potential vulnerability is to lock down the hypervisor, and the PHANTOM initiative will allow IT administrators to do that.

Controlling and monitoring communication between disparate virtual machines (VMs) and monitoring their execution states are also features of PHANTOM, with both features allowing administrators to have a better (and more actionable) view of the current security state of their VMs.

In a statement from the news release announcing PHANTOM, Val Rahmani, general manager IBM Internet Security Systems, urged enterprises to embrace security as a long-term strategic investment. "As sophisticated crime organizations infiltrate business processes and surreptitiously siphon off enterprise data, they are rapidly outpacing the advances of many of today's security offerings," said Rahmani. "In order to withstand and overcome the explosion of tomorrow's threats, enterprises must fundamentally change their security strategies and move to a model of business sustainability--a strategic approach in which security is designed into processes and systems to reduce risk and ensure long-term business enablement."

Virtualization News
By Jeff James

RSA 2008: Third Brigade Announces Licensing Changes
Third Brigade--a security vendor that specializes in intrusion detection systems (IDSs) and intrusion prevention systems (IPSs)--has announced a new licensing model for their products that allows for an unlimited number of VMs to be protected on each physical server. In a news release announcing the licensing model change, Third Brigade President and CEO Wael Mohamed suggested that VM to VM security was the biggest threat facing a virtual infrastructure. "Omitting virtual machine-based security, or relying solely on virtual security appliances, [introduces the possibility that] one compromised virtual machine [could] be used to launch an attack against another virtual machine. An appliance or gateway model can’t see, and prevent, the malicious traffic between the VMs; Third Brigade can," said Mohamed. "We also believe sophisticated security coordination will be required between a security agent on a virtual machine and a security agent leveraging the VMsafe APIs, when they are available. We have created an attractive licensing model that will enable customers to take advantage of these advanced features." Third Brigade’s Deep Security platform is a host-based intrusion defense system that includes IDS and IPS support from the enterprise to individual device level.

RSA 2008: Reflex Security Unveils VISability
Virtualization security is a hot topic at the RSA 2008 security conference, and VM security vendor Reflex Security hopes that a new security initiative will help IT pros keep their virtual infrastructures secure. The Reflex VSA (virtual security appliance) is the recipient of the VISability (virtual infrastructure security) effort, and will gain improved visual management and access control capabilities. According to the vendor, Reflex VSA provides administrators with a visual view of the virtual infrastructure--and related VM security details--in use across their enterprise. "Visibility and security have always gone hand-in-hand, and in today's regulatory and threat environment, that link is ever more crucial," said Hezi Moore, CTO of Reflex Security. "Reflex VSA's ability to expose the virtual network to the security manager and protect it from threats is a proven asset, and the first of its kind in the industry. Our development is building upon VSA's visibility functionality to add virtual server access control which will invoke permission-based controls for users that can add or remove virtual machines and virtual network components."

Microsoft Clustering and VMware High Availability
By Alan Sugano

Microsoft Clustering and VMware High Availability technologies both have their specific market segments. Both solutions provide high availability. Both solutions typically require a SAN--either iSCSI or Fibre Channel, with a heartbeat connection to the host nodes that resides on a network segregated from end-user traffic.

Microsoft Server Clusters are typically single application clusters. Often they are referred to as the "Exchange Cluster" or "SQL Server Cluster." Microsoft recommends that you set up an Active/Passive cluster where you have one or more active nodes and one or more passive nodes that are waiting to take over for a failed active node. A "heartbeat" connection is set up between all of the nodes (active and passive) to monitor the status of the nodes. If a passive node detects that an active node is down and the passive node is configured as the failover node, it will attempt to take the place of the active node. The failover process is usually completed within five minutes, depending on the node configuration and the services that must be started on the node. On a Microsoft Cluster the nodes are "potential" LUN owners on the SAN, however only one node can have access to a LUN at a time. This means that an active node must "release" the LUN before a passive node has access to it. Microsoft Server Clusters are good solutions when you have a very high load on the nodes, require a lot of memory on each node, and require a lot of CPU performance on the node. To run a Microsoft Cluster you typically have to purchase the Enterprise versions of Windows Server 2003 and the Enterprise version of the application you plan to cluster. However, you can run a two-node cluster with the standard version of SQL Server 2005.

It's possible to run Virtual Server 2005 on a Microsoft Cluster, however there are some limitations. You can run only 32-bit guests, and assuming that you have the virtual server guest files stored on the SAN, you must fail over all of the virtual server guests that reside on the same LUN at the same time. It's not possible to fail over virtual servers that reside on the same LUN to different nodes, because only one node can have access to the LUN at a given time. If you require granular failover, you have to carve out numerous LUNs on the SAN, which often ends up in a lot of wasted space.

VMware's Standard and Enterprise Infrastructure packages both include the High Availability Module. It usually makes more sense to purchase the Infrastructure package than to buy the individual modules separately. In addition to the Infrastructure bundle, you will need at least one copy of VirtualCenter Server to manage the High Availability Feature. VirtualCenter is used to manage the ESX cluster nodes. Unlike Microsoft Server Clusters, all nodes on the cluster have simultaneous access to LUNs on the SAN. This gives you a lot more flexibility for the server cluster. Unlike Microsoft Clusters, which are typically single application clusters, ESX Server Clusters usually host different applications on the same cluster. This allows you to fail over guests to different hosts, even if they reside on the same LUN. If the remaining nodes have enough capacity to carry the load when one of the nodes fails, we don't design the cluster with an additional passive node.

If you purchase the Enterprise Version of the Infrastructure package, it includes VMotion and the Distributed Resource Scheduler (DRS). Using the VirtualCenter Server you can move virtual server guests to different hosts in real time. This allows you to take down an active node in the middle of the day by VMotioning off all of the virtual server guests on that node to different nodes. Then you can add memory, replace a power supply, update the BIOS, or perform other maintenance tasks on the host node without disrupting the users. The DRS package allows you to dynamically allocate host node resources and make sure you are effectively using existing hardware resources. You can create a pool of virtual guest servers and configure them to run on a pool of host nodes. DRS will automatically load balance the server guests based on the allocated resource pool, to ensure that no ESX host node gets overloaded while other hosts go underutilized.

VMware recently increased the memory limitation on a guest server from 16GB to 64GB. With the previous 16GB limit there were still a significant number of servers that required more than 16GB of memory--typically big Exchange and SQL Server clusters. Even with the increased guest memory limit, there are probably still a few nodes that require more than 64GB, but even today 64GB is a lot of memory for a server.
