From the Editor's Virtual Desk
Security is something we all care about but may take for granted when it comes to our virtual infrastructure. While the security team may have secured the physical environment and the network perimeter, the lack of integration and visibility into the virtual environment often means that this layer carries on as before, without any additional controls. A defence-in-depth approach is generally accepted as the best way to reduce the attack surface exposed to internal or external breaches, and the virtual environment is an excellent place to embrace it: controls enforced at the hypervisor layer add a further line of defence behind the perimeter.
In keeping with our weekly habit of looking at a technology that can help with your virtual infrastructure, this week's featured product is the vShield family. Rather than replacing your existing solutions, vShield works alongside them to make your virtual infrastructure even more secure, and easier to manage, than your physical infrastructure.
From this week onwards we are also featuring a section on standardising on ESXi and how we can help with that process. ESXi is the future of the VMware hypervisor and offers many benefits over the traditional ESX hypervisor, including a much smaller footprint: a code base that requires fewer patches, which in turn reduces downtime and increases reliability.
We hope you find this information useful as we try to bring you as much as possible each week.
Take care until next time
Neil Isserow (Newsletter Editor), Paul James
Secure your Cloud with Virtualization-aware Security
Strengthen your application and data security, improve visibility and control and accelerate IT compliance efforts across the entire organization with virtualization-aware protection for virtual datacenters and cloud environments from the VMware vShield family of security solutions.
Learn more about vShield Security:
VMware vShield App: Application protection against network-based threats
VMware vShield Edge: Network security for the perimeter
VMware vShield Endpoint: Offloaded and streamlined anti-virus
VMware vShield Zones: Basic protection from network-based threats
VMware vShield Manager: Complete security management
Secure the Cloud with VMware vShield
Achieve Better-than-Physical Security: Adaptive security travels with virtual machines as they migrate from host to host providing secure support for virtual machines in dynamic cloud environments. Applications run efficiently while maintaining trust and network segmentation of users and sensitive data.
Improve and Simplify Security Management in a Single Framework: A single comprehensive framework secures virtual datacenters and cloud environments at all levels—host, network, application, data and endpoint, in a management framework that integrates with VMware vCenter™ Server.
Reduce Complexity and Eliminate Bottlenecks: Reduce the complexity of endpoint, application and edge network security by consolidating your security infrastructure and eliminating the “sprawl” associated with software agents, security policies, dedicated security appliances and “air gapped” solutions with VMware vShield.
Improve Visibility and Accelerate Compliance: Leverage the unique introspection capabilities of VMware vShield and the VMware vSphere platform to help identify hard-to-detect problems precisely and efficiently while controlling file integrity monitoring, rootkit protection, and data leak prevention.
Leverage Existing Security Solutions: vShield works seamlessly with existing enterprise IT security measures through REST APIs. Get customized integration of vShield capabilities into third-party security solutions, including existing antivirus and anti-malware solutions.
It is Time to migrate from ESX to ESXi
ESXi is VMware’s next-generation bare-metal hypervisor that delivers industry-leading performance and scalability while setting a new bar for reliability, security and management efficiency.
VMware ESXi is the thinnest, most advanced hypervisor architecture. It is the only hypervisor purpose-built for virtualization that runs independently of a general-purpose operating system such as Linux or Windows.
By migrating existing ESX deployments to ESXi, customers will drastically improve the reliability, security and efficiency of their virtual environments while continuing to take advantage of the full power of vSphere.
Improved Reliability and Security – with fewer lines of code and independence from general purpose OS, ESXi drastically reduces the risk of bugs or security vulnerabilities and makes it easier to secure your hypervisor layer
Streamlined Deployment and Configuration - ESXi has far fewer configuration items than ESX, greatly simplifying deployment and configuration and making it easier to maintain consistency.
Higher Management Efficiency - The API-based partner integration model of ESXi eliminates the need to install and manage third party management agents. You can automate routine tasks by leveraging remote command line scripting environments such as vCLI or PowerCLI.
Simplified Hypervisor Patching and Updating - Due to its smaller size and fewer components, ESXi requires far fewer patches than ESX, shortening service windows and reducing security vulnerabilities.
Complete set of management capabilities – With vSphere 4.1, VMware added significant enhancements to ESXi and the core tools used to manage it. Most notably: AD integration, support for scripted and PXE installations, support for boot from SAN, Tech Support Mode for host troubleshooting and diagnostics, and many others. These features make ESXi an even more complete, robust and powerful foundation for virtual environments and cloud computing.
Latest news and reviews
Today the Support Insider brings you another new Mind Map we expect to be popular— vSphere Troubleshooting Network Issues!
These new, Flash-embedded PDFs are clickable so that you can expand sections and drill down to the problem you may be experiencing. We’re also trying to make them a little easier on the eyes. Let us know what you think of the new look.
If you recall, a Resolution Path is a collection of KB articles sequenced in a specific order to resolve a specific issue. Since many steps are repeated for different problems, we create separate articles for those steps and reuse them as needed.
Today’s Mind Map details our Resolution Paths for vSphere Network issues.
Oracle is supported on VMware– apps and databases, both single instance and RAC. And plenty of customers have been virtualizing their Oracle workloads on VMware with confidence. In case you’ve heard confusing opinions, let’s just review some facts.
While most customers understand these nuances, even those who had lingering concerns have been assured with the new VMware policy for Oracle support. With this policy, VMware is providing an absolute commitment to support customers virtualizing Oracle on VMware vSphere. If required, VMware will take ownership of the support request and ensure rapid resolution, in collaboration with the Oracle support organization as needed. Since VMware’s customers virtualize all types of Tier1 applications, there is no question that providing a seamless support experience is an area of expertise for VMware.
Today it is my pleasure to announce that VMware has hired the team and acquired assets behind EMC’s Mozy cloud-based data protection service. VMware will operate the Mozy service on behalf of EMC without interruption. However, the strategic relevance of today’s news is what this group brings to VMware. Over the past 5 years, Mozy has built one of the best examples of a globally distributed, large-scale cloud offering. We believe that, by being directly engaged with the delivery of such a service, VMware will further ramp our own cloud-related learning and accelerate new IP, scale, and capabilities into the products that we provide to our customers and public cloud partners.
Visit bit.ly - Kit Colbert, lead engineer on vCenter Operations, gives an in-depth overview of the vCenter Operations Standard edition.
VMware would like to announce the availability of the final release of the vSphere 4.1 Security Hardening Guide. The Introduction section describes the scope, structure, recommendation levels, and other aspects of the guide in more detail. Please read this section first before diving into the rest of the guide, as it provides important context.
Although this version of the guide can be considered as "final" and appropriate for use in production environments, we recognize that there is always room for improvement. We will continue to welcome comments and corrections on this guide, and we will publish updated versions of the guide from time to time as feedback is accumulated. This feedback of course will also be incorporated into the hardening guide for future releases of vSphere.
My friends over at the VMware Security Blog posted an article yesterday that the Security Hardening Guide for vSphere 4.1 has been released. Coincidentally, Richard Garsthagen posted an article about all the ESX/ESXi hosts he found directly attached to the internet; I guess you could say that goes against every best practice out there. But that is not entirely the reason for this article. I wanted to point out an excellent script by William Lam that assesses your environment based on the recommendations made in the Security Hardening Guide and produces a nice report with a scoring card.
I had a discussion on the VMTN forums about this last week and the question basically was, what should my das.failuredetection time be set to when the isolation response is set to “Shut down”.
Let's first explain what the das.failuredetectiontime is; I described it in our book as follows:
We had a discussion internally about ESX/ESXi caching I/Os. In particular this discussion was around caching of writes as a customer was concerned about consistency of their data. I fully understand that they are concerned and I know in the past some vendors were doing write caching however VMware does not do this for obvious reasons. Although performance is important it is worthless when your data is corrupt / inconsistent. Of course I looked around for data to back this claim up and bust this myth once and for all. I found a KB article that acknowledges this and have a quote from one of our VMFS engineers.
The posts that are done with integrated demonstrations are quite popular – these are useful for customers, EMC partners, and EMCers themselves.
The vSpecialist and VNX teams (big shout out to vSpecialist Joel Sprouse) worked together to create a tight, 15 minute demonstration that shows the highlights of the current VMware/EMC integration capabilities in the VNX platform which are all provided at no additional cost. It covers:
OpSource Cloud is an enterprise-class Infrastructure-as-a-Service cloud backed by the reliability and performance of VMware vSphere. It’s a bulletproof environment that is suitable for virtually any workload, offering a 100% uptime SLA and guaranteed sub-millisecond network latency. This infrastructure cloud runs on the latest release of vSphere and also offers the ability to import and export ESX virtual machines in OVF format for easy transfer of workloads from your own VMware private cloud.
In the previous post, you saw an overview of the OpSource Cloud, a VMware vSphere-backed public IaaS cloud. Today we take a look at connecting to virtual machine instances for managing and consuming services.
OpSource networking is based on Cisco switches and security; cloud users have various options for configuring access for management or public services. When new virtual machines are instantiated, they are assigned private IP addresses and cannot be accessed from the Internet directly. This is a good thing for security, but how does an administrator manage workloads in the cloud?
So far in this series on the OpSource Cloud, you’ve seen how to get started and how to manage workloads securely over the Internet. Now let’s look at connectivity and performance between the cloud virtual machines.
Layer 2 Networking
If you are a vSphere administrator, it may come as a surprise to find out that some public clouds do not permit layer 2 connectivity between virtual machines. Actually, you may be even more surprised to learn that it is very typical for your VMs to be instantiated on completely different subnets. That means that all data must flow through another device on the network — an Ethernet bridge or IP router, filtering traffic — even if two virtual machines are on the same IP subnet.
It’s the end of my financial year, and in the last couple of months I’ve started writing a new version of the SRM book. So it's with great pleasure that I can now announce that the PDF version of the SRM 4.0 book will be free to download from this date. You can still order a hard copy of the book from LULU at cost price if you so wish. Of course, you are welcome to make your own donation to UNICEF should you wish.
I will start totting up how much money I raised in total for UNICEF, and will make a donation within the next couple of days.
When you are configuring vCO, one of the requisite steps is to configure LDAP. While vCO has some pretty nifty search buttons, you can still get this info and more using DSquery.
Here’s a few examples:
Find a Specific Group
PS C:\> DSquery OU -name "ProVMware Users"
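Note that the command above uses dsquery ou, which returns organizational units rather than groups; for a group the object type is dsquery group. As an added example (not from the original post), the following PowerShell session shows the dsquery and dsget queries that produce the distinguished names vCO's LDAP configuration page asks for: the root (base) DN, the user and group lookup bases, and the DN of the bind/service account. The domain provmware.local, the OU "ProVMware Users", the group "vCO Admins" and the account svc-vco are assumed names.

```powershell
# Added example, not from the original post. Run on a domain-joined Windows
# host with the AD DS tools installed (dsquery/dsget come with them).
# Assumed names: domain provmware.local, OU "ProVMware Users",
# group "vCO Admins", service account svc-vco.

# The object type must match what you are looking for:
#   ou    -> organizational units (what the post's example returns)
#   group -> security / distribution groups
#   user  -> user accounts
dsquery ou    -name "ProVMware Users"
dsquery group -name "vCO Admins"

# Root (base) DN of the domain. vCO uses this as the LDAP search root;
# with no start node dsquery defaults to the current domain, and
# -scope base returns just that object rather than everything under it.
dsquery * -scope base -attr distinguishedName

# Confirm the service account vCO will bind with. The DN is what goes in
# the vCO LDAP page, so check it here rather than guessing the OU path.
dsquery user -samid "svc-vco" | dsget user -dn -upn

# Pipe dsquery into dsget to list the members of the group that will be
# granted vCO admin rights, so you can verify membership before mapping it.
dsquery group -name "vCO Admins" | dsget group -members

# Scope a lookup to one OU (paste the DN returned by the first query).
# dsquery stops at 100 results by default; raise -limit for large OUs,
# or use -limit 0 for no cap.
dsquery user "OU=ProVMware Users,DC=provmware,DC=local" -limit 500
```

Each command prints the matching distinguished names, one per line and quoted, so they can be copied straight into the vCO LDAP settings; if a query returns nothing, the usual cause is the wrong object type (ou vs. group) or a name that differs from the object's CN.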
Update Manager is VMware’s patching product, and is used for updating ESX/ESXi hosts, virtual appliances and guest machines. It is a companion product to vCenter and installed via the vCenter Installer. In smaller deployments VUM would be installed on the vCenter server, but in larger environments could be run as a dedicated server.
The application can run scheduled download of patches from VMware and Shavlik (for Microsoft updates) and store them in a local repository. Patches can also be imported from ZIP files, or via an intermediary machine running Update Manager Download Service (UMDS).
The VMware vSphere 4.1 HA and DRS Technical Deepdive is available as an eBook for the Kindle now. So if you buy it once, you can read it everywhere. The price of the Kindle version is even lower (only $ 7.50) than the paperback which was already a good bargain. In fact it's the cheapest and most cool vSphere book on the market. So hop over to Amazon.com and get your Kindle version of the VMware vSphere 4.1 HA and DRS Technical Deepdive written by the famous authors Frank Denneman and Duncan Epping.
Some of my colleagues over at VMware US, Scott Jobe (Desktop Specialist) and Josh Spencer (Sr. Systems Engineer), teamed up to address the need to automatically assign VMs to a particular VLAN in VMware View during refresh or recompose cycles.
When the Parent VM is configured, administrators need to assign a VLAN or Port Group. This VLAN will follow the cloned (full-clone or linked-clone) virtual desktops whenever they are created, refreshed or recomposed.
Administrators are able to manually move the desktops to various VLANs. It is also possible to automate the VLAN change through PowerShell scripting after the desktop is created. However, none of these methods allow the newly assigned VLAN to survive a refresh or recompose operation.
On day 1 of Hitachi Data Systems Geek Day 2.0, we met with Michael Heffernan, Global Product Manager – Virtualization. You might know him as @virtualheff on Twitter. I was pleased to listen to Heff as he discussed HDS integration with VMware vSphere vStorage API for Array Integration (VAAI for short and most easily pronounced “vee·double-ehh·eye”). For those who aren’t aware, VMware introduced VAAI with the GA release of vSphere 4.1 on July 13th of last year. In short, VAAI allows the burden of certain storage-related tasks to be offloaded from the ESX/ESXi hypervisor to the storage array. Generally speaking, the advantages touted are performance improvement of intrinsic tasks and increased scalability of the storage array. HDS is one of a few storage vendors who supported VAAI integration on the July launch date, and in February of this year they announced VAAI support with their VSP (see also Hu Yoshida’s writing on the announcement).
VMware Capacity Planner