Tuesday, Jun 03, 2008

Kudos to Vanity Fair. Nice job!

Thanks to a tweet from Paul Kedrosky, I got to end the evening reading (and listening to) a really fun oral history. They had me at the lead-in picture of Len Kleinrock, Paul Baran and Larry Roberts.

How the Web Was Won: Entertainment & Culture: vanityfair.com

To observe this year’s twin anniversaries, Vanity Fair set out to do something that has never been done: to compile an oral history, speaking with scores of people involved in every stage of the Internet’s development, from the 1950s onward. From more than 100 hours of interviews we have distilled and edited their words into a concise narrative of the past half-century—a history of the Internet in the words of the people who made it. ...

Paul Baran: At the beginning there was a different attitude than today. Now everyone is concerned about making money, or reputation. It was different then. We all wanted to help one another. There was no competition, really, on most things. It was a total open flow of information. There were no games. There are so many others who did equally good work, and their names are just forgotten. We were all a bunch of young whippersnappers.


Bob Metcalfe: It was nerd city.

Tuesday, Jun 03, 2008

Critically Under-damped Oscillations

Chris Hoff has a great, common-sense post on security and where in the data center it will eventually end up residing.  (If you don't want me to give away the plot, go directly to the post.  Don't read the snippet I've enclosed.)

Along with the "dampened oscillation" graphic that he alludes to (but doesn't actually draw), I'd like to add my two cents about where security resides when dealing with server virtualization, and the network.  Server virtualization, and particularly hot migration (like VMware's VMotion), has definitely changed the relative workload and tsuris (a technical term of art) experienced within the data center by the persons responsible for, respectively, server administration, storage administration, and network administration.

In the days before widespread adoption of server virtualization, making a new application "production ready" was a PITA (another term of art) for the server admin, who had to specify servers, install the apps, move the appropriate data for use by the apps, test, stage, re-test, etc. 

The storage admin had a modest workload, requiring attention to allocation of storage space, setting quotas, setting policies, ... but once done at the planning stage, required modest tweaking thereafter. 

The network admin had it easiest (IMHO).  Over the course of the weeks (if not months) it took to arrange for a new application to be put into production, the network admin might have to allocate ports, set VLANs, set policies, and be present when doing the lash up with the network equipment.

Fast forward to the day when a new application goes through development, test, staging and cut-over into production ... ALL using server virtualization.  Besides the fact that the time horizon for the production deployment has likely been compressed from weeks to days, the relative workloads as this cut-over approaches are radically different from those described above.

  • The server admin has a relative cakewalk: extend VME cluster, copy the image, or use a hot migration to herd the app into the new spot. 
  • The storage admin has pretty much the same level of work in allocating space, setting quotas, etc.,  and will soon be using SAN "hot migration" (e.g. VMware's Storage VMotion).
  • The network admin, however, just got a rude awakening.  If he's got SLAs to which his organization must commit, the network admin must allocate ports, set VLANs and VLAN policies, set up NIC teaming in both the virtual switches and physical server access switch, and set up trunking on the vSwitch and pSwitch.   Oh, and by the way... it has to be "right" for every physical server in the data center to which a virtualized application MIGHT migrate in the future.

Holy smoke, Chris!  It's not a single, oscillating signal.  It's (at least) three of 'em.  (... and if I were a better graphics hack, I'd drop in a jpg right about now.)

Rational Survivability: Security Will Not End Up In the Network...

... Here's the reality we actually already know and should not come to you as a surprise if you've been reading my blog: we will always need a blended investment in technology, people and process in order to manage our risk effectively.  From a technology perspective, some of this will take the form of controls embedded in the information itself, some will come from the OS and applications and some will come from the network.

Anyone who tells you differently has something to sell you or simply needs a towel for the back of his or her ears...

Tuesday, Jun 03, 2008

Is Co-Administration the Answer?

Rick Vanover, blogging at TechRepublic's Network Administrator site, suggests a solution to the problem of overlap between the span of administrative control normally provided to the network admin and that required of a VM server admin.  It's a solution that might appeal to a network administrator, but I'm dubious.  I'd very much like to hear from the network crowd as to how this might work in practice.

Here's my take.  In our investigations at Replicate, we've noted that VM admins are often unwilling to dig into the network management systems. (There are a number of reasons, which we won't go into here.)  So, how would a network admin view this solution?  These seem to be the implications of Vanover's approach:

  • the network admin must be cross-trained in the use of the VME's management system (e.g. VMware's Virtual Center or Citrix' XenCenter)
  • the network admin is required, at installation setup, to establish consistent configurations on the virtual switches and (in a separate management system) the physical switches.
  • the configuration settings on the vSwitches are supposed to remain inviolate and untouched by the VM admin in order to prevent configuration problems.
  • the network admin thereafter is relegated to a passive, read-only audience for the VM management system reports, unless ...
  • when there is a physical network issue (a problem or need to reconfigure), the network admin is reinstated with the necessary privileges to make those changes.

This sounds workable, at most, for a short period of time, an installation that changes almost never, or a very small installation.
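
The requirement behind both lists above, that vSwitch and pSwitch settings be consistent on every physical server a VM might migrate to, is the kind of thing a read-only audit can check mechanically. The sketch below is an added example, not code from Vanover's post or from any vendor's management system; the inventory, host names, VLAN IDs and field names are constructed assumptions.

```python
# Constructed inventory for illustration; host names, VLAN IDs and the
# field layout are assumptions, not an export from any real product.
BASELINE = {"web": 10, "db": 20}        # port group -> VLAN ID it must carry
HOSTS = {
    "esx01": {"portgroups": {"web": 10, "db": 20},
              "vswitch_uplink_vlans": {10, 20},
              "pswitch_trunk_vlans": {10, 20}},
    "esx02": {"portgroups": {"web": 10, "db": 20},
              "vswitch_uplink_vlans": {10, 20},
              "pswitch_trunk_vlans": {10}},          # trunk never extended
    "esx03": {"portgroups": {"web": 10, "db": 30},   # VLAN ID drifted
              "vswitch_uplink_vlans": {10, 30},
              "pswitch_trunk_vlans": {10, 20, 30}},
    "esx04": {"portgroups": {"web": 10},             # port group absent
              "vswitch_uplink_vlans": {10},
              "pswitch_trunk_vlans": {10, 20}},
}
VMS = {"app1": ["web"], "sql1": ["db"]}  # VM -> port groups its vNICs use


def check_host(cfg, portgroup):
    """Return None if a VM using `portgroup` would keep connectivity on this
    host, otherwise a short reason string."""
    want = BASELINE[portgroup]
    have = cfg["portgroups"].get(portgroup)
    if have is None:
        return "port group missing on vSwitch"
    if have != want:
        return f"vSwitch tags VLAN {have}, baseline is {want}"
    if want not in cfg["vswitch_uplink_vlans"]:
        return f"VLAN {want} not carried on vSwitch uplink"
    if want not in cfg["pswitch_trunk_vlans"]:
        return f"VLAN {want} not allowed on pSwitch trunk"
    return None


def migration_findings(hosts, vms):
    """List (vm, host, reason) for every host a VM could not safely land on."""
    findings = []
    for vm, portgroups in sorted(vms.items()):
        for host, cfg in sorted(hosts.items()):
            for pg in portgroups:
                reason = check_host(cfg, pg)
                if reason:
                    findings.append((vm, host, reason))
    return findings


if __name__ == "__main__":
    for vm, host, reason in migration_findings(HOSTS, VMS):
        print(f"{vm} -> {host}: {reason}")
```

Each finding names a host where a hot migration would silently strand the VM, which is the drift a read-only network admin would otherwise discover only after the move.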


Co-Administration is the new virtualization endpoint | Network Administrator | TechRepublic.com

Almost every organization has embraced some amount of virtualization, and the network has surely been a hot topic as a virtual environment scales upward. Most virtual host systems (VMware ESX, Citrix XenServer, etc.) offer host-based switches that implement 802.1Q tagging on the ports to the virtual machines. This poses a unique question: Who administers the virtual switch when the network and server administration are handled by different groups?

...
One creative way to solve this dilemma is with a co-administration approach. This would give the network engineers access to the virtual environment for configuration during a change and read-only access for ongoing checks of configuration and for assurance that a virtual machine is not breaking any network rules, such as having a virtual network adapter on two interfaces where one is a secured or external network. In most situations, the network administrator has no visibility into the configuration of the network within virtualization installations, and the co-administered approach can change that.   ...

Monday, Jun 02, 2008

VMware Server Virtualization, Compliance & Data Security

This is Catbird's announcement of the new assessment "service." It seems couched primarily in the context of "making you safe" when doing P2V.

While a number of the "virtsec" vendors address compliance, I've noticed a particular increase in the use of this theme with new product announcements over the past weeks. The compliance boogeyman is being hauled out by a number of vendors to make sure potential customers remember that they may need special assessments with respect to HIPAA, PCI DSS, et al. when using VMware server virtualization.


This theme was apparent in EMC's announcement of the new Application Discovery Manager 6.0 offering, which works in concert with other EMC SMARTS offers ... particularly their newly announced IT Compliance Analyzer -- Application Edition.

Catbird Offers Industry's First-Ever Comprehensive Virtual Security Assessment

SCOTTS VALLEY, Calif.--(BUSINESS WIRE)--Catbird, the pioneer in comprehensive security for virtual and physical networks and developer of the V-Agent™ virtual appliance, announced today the industry’s first and only state-of-the-art Virtual Infrastructure Security Assessment (VSA). Catbird’s VSA helps IT administrators identify and close the potential gaps in security and compliance created in the move from “P to V”. The 30-day assessment includes a thorough security analysis, detailed reports with actionable intelligence and a comprehensive plan to mitigate risk and protect critical virtual systems, networks, desktops and processes.

Catbird’s VSA combines traditional security assessment methodologies with unique virtual infrastructure telemetry gathered through Catbird’s stateless, non-invasive V-Agents to deliver robust scrutiny previously unachievable with existing mechanisms. The VSA identifies the scope and magnitude of the virtualization compliance gap through qualitative and quantitative analysis of the new architecture’s impact on change control, separation of duties, network visibility and segmentation, and secondary validation.

Friday, May 30, 2008

VirtSec ... the real issue is Management (... maybe.)

Jon Oltsik at the CNET News blog may be oversimplifying the issue of virtsec.  Nope.  Take that back.  He's DEFINITELY oversimplifying the issues of virtual server security.  It's not that he isn't correct in laying the issue squarely at the feet of management and security controls, but it's just too facile to make that the one and only issue of virtualization security.  I'm rather certain that I'm not the only other person in the industry with this point of view.  (... and I'm not referring only to the vendors of v12n security technologies like Blue Lane or Catbird Networks.)

Update:  Guess I was right about the reaction.  Here's one.

The real issue around server virtualization security | Tech news blog - CNET News.com

... So what is it about server virtualization that should really keep chief information security officers up at night? A more pedestrian worry--lack of control. In a virtual server world, IT administrators can clone virtual hosts, move them around, or turn them on and off by accident or with malicious intent. What happens when an IT administrator moves a critical database server instance without re-configuring application servers or the network? How about when someone mistakenly adds a test server to the production network? The security "uh-oh" possibilities are endless.

The real threat here is that server virtualization takes on a life of its own without proper management and security controls. This is why VMware is investing in its virtual infrastructure, Citrix is keen on its Citrix Delivery Center, and Microsoft is pushing its System Center Virtual Machine Manager (SCVMM) architecture. Systems and operations management vendors like BMC Software, CA, Hewlett-Packard, and IBM are also paying close attention and adding virtualization capabilities to tools, processes, and services. Given its 30-plus years with mainframe virtualization, IBM for one has seen this movie before.  ...