Most companies have by now virtualized a large percentage of their datacenter infrastructure. One mistake that may be made is to rely only on existing physical security devices to protect your virtual infrastructure. A physical server's traffic normally traverses your physical network devices, but inter-VM traffic may never leave your hypervisor; hence an intruder who gains access to one improperly secured virtual machine may be able to compromise additional virtual machines without being detected by a physical intrusion prevention system or firewall, since inter-VM traffic flows exist within virtual switches. In order to properly protect virtual machines, hypervisor-level firewalls are required. These virtual firewalls are virtual constructs that are managed like a physical device and provide visibility into virtual network traffic flows.
Tag Archives: VMWARE
The Cloud means many things to many different people, but personally I view a cloud as a distinct pool of computing resources that can be managed centrally, provides the ability to scale resources via pre-configured policies and, lastly, provides the ability to automate manual requests such as virtual machine creation and deployment.
Though not recommended by many IT professionals, I am planning on making our IT department an internal service provider. In this vein it is my vision to build out a private cloud that can provide self-service to authorized internal clients such as our developers and application administrators. Currently we utilize a VMware vSphere platform, but in another few months this platform will possess all the attributes of a true cloud. To provide the functions necessary, I have decided that we will look at the open source Eucalyptus platform.
Eucalyptus is open source, so it reduces our initial capital expenditure; it is compatible with VMware, and it has the ability to support Amazon-based workloads, thus providing a hybrid platform management tool.
At stage one, we will roll out a private cloud that will allow authorized internal clients to perform various tasks related to an assigned block of computing resources.
At stage two we will seek to allow the migration of workloads between Amazon and our VMware-based private cloud; this should provide disaster recovery and scalability benefits to our group.
The I/O and CPU requirements of most anti-malware solutions are a serious impediment to the optimal performance of virtual machines and older physical hosts. In a virtual environment consisting of many virtual machines, each executing its own copy of a single malware protection package, the underlying hypervisor spends many I/O and CPU cycles servicing each of its guests, which are constantly scanning various files and memory pages. The memory, I/O and CPU cycles used to process the calls generated by each virtual machine's malware protection software can be greatly reduced by eliminating the practice of installing that software within the guest operating system.
A hypervisor resident program (HRP) can be used to scan VM memory pages, some of which are shared via transparent page sharing (TPS), a technique that allows many virtual machines to share identical memory pages, thus reducing the memory requirements of the host machine.
All writes to and modifications of guest memory pages should be examined by the HRP, which should be developed to use signatures stored on shared solid state storage. The signatures required by the HRP will be transferred from central storage to memory as required; if possible, all signatures should be memory resident. The HRP should also support heuristic detection of malware as a means of reducing the number of signatures needed and thus the storage required for those signatures.
Caching of memory pages that have already been scanned can be achieved by storing a checksum of each scanned memory page in a protected portion of memory; cached pages should only be re-scanned if the page has been modified. I/O requirements are reduced by eliminating on-access scanning of files being written to and read from disk, since it is assumed that all malware needs to be in main memory in order to execute.
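As an added illustration (not code from the original post), the following Python model shows the HRP design described above: pages shared via TPS are scanned once, clean pages are remembered by checksum, and a page is re-scanned only when its contents change. The signature strings, the toy heuristic and the page layout are all constructed for the example.

```python
import hashlib

PAGE_SIZE = 4096

# Constructed signatures standing in for a real signature database.
SIGNATURES = {b"EVIL-PAYLOAD-0001", b"DROPPER-STUB-77"}


def heuristic_hit(page: bytes) -> bool:
    """Toy heuristic (constructed): flag a long run of NOP-style filler bytes."""
    return b"\x90" * 64 in page


class HypervisorResidentScanner:
    """Models the HRP: scans guest pages and caches checksums of clean pages."""

    def __init__(self) -> None:
        # Stands in for the protected memory region holding checksums of clean pages.
        self.clean_checksums: set[bytes] = set()
        self.scans_performed = 0

    @staticmethod
    def checksum(page: bytes) -> bytes:
        return hashlib.sha256(page).digest()

    def scan_page(self, page: bytes) -> bool:
        """Return True if the page is malicious; unmodified clean pages are skipped."""
        digest = self.checksum(page)
        if digest in self.clean_checksums:
            return False  # identical content already scanned (TPS-shared or unmodified)
        self.scans_performed += 1
        malicious = any(sig in page for sig in SIGNATURES) or heuristic_hit(page)
        if not malicious:
            self.clean_checksums.add(digest)  # any write changes the digest, forcing a re-scan
        return malicious

    def scan_guest(self, pages: list[bytes]) -> list[int]:
        """Scan one VM's pages and return the indices of malicious pages."""
        return [i for i, page in enumerate(pages) if self.scan_page(page)]


def make_page(content: bytes) -> bytes:
    return content.ljust(PAGE_SIZE, b"\x00")


if __name__ == "__main__":
    hrp = HypervisorResidentScanner()
    shared_kernel = make_page(b"kernel-text")  # identical in both VMs (TPS)
    vm1 = [shared_kernel, make_page(b"vm1 heap")]
    vm2 = [shared_kernel, make_page(b"EVIL-PAYLOAD-0001")]
    print(hrp.scan_guest(vm1), hrp.scan_guest(vm2), hrp.scans_performed)  # [] [1] 3
```

The shared kernel page is scanned once for both VMs, so three scans cover four pages; writing a signature into that page produces a new checksum and triggers a fresh scan.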
A Type I hypervisor essentially encapsulates our guest operating systems as just another application. The fact that our guest OS is being executed by another layer results in some latency that is unacceptable in some use cases, for example heavily utilized transactional databases. However, with advances in CPU microarchitectures and the inevitable reduction in the price of solid state storage, the execution and I/O latencies currently being experienced can be greatly reduced, thus making more use cases virtualization friendly.
Taking a 30 foot view of future OS architectures, I see a Type I hypervisor such as XenServer or vSphere becoming the physical server's operating system, while current server operating systems evolve into lightweight hypervisor-aware execution containers playing a role similar to the present-day Java Virtual Machine. Future apps written for Windows would be presented by the execution shell's presentation layer (such as WPF), while access to hardware devices is transparently handled by the hypervisor via the execution container's API functions, which are implemented as interfaces that request hardware-related services from the hypervisor.
Current server OSes might evolve into hypervisor-aware apps. This means they are fully aware of their encapsulation within a hypervisor and are constructed to make calls directly to their hosting hypervisor instead of sending commands to virtual devices. Think of how Windows uses direct memory access today, except that all hardware-related calls would be sent directly to the hypervisor / primary operating system.
The Jamaican Government has plans to launch one huge network, called Govnet, that spans all major Government agencies and ministries. The economies of scale that can be created by Govnet are significant, but our government should consider taking things a step further. All agencies of government are responsible for purchasing software and hardware to meet their respective needs. One of the main benefits of virtualization, and by extension multi-tenant cloud infrastructure, is the optimization of hardware resource utilization.
The cost of maintaining various IT infrastructures is significant, so it would be wise to create, on top of the E-Learning Jamaica physical network, an MPLS-based Govnet network which will interconnect all Government agencies. This Govnet can be used as the highway serving information from the government's cloud, called J-Cloud or any suitable identifier. A J-Cloud can provide Desktops as a Service, email, unified communications, and host applications that are peculiar to each government agency. The infrastructure could be deployed using FlexPods or Vblocks available from multiple vendors such as MS, NetApp and VMware.
FlexPods and Vblocks are integrated, vendor-certified solutions consisting of storage, hypervisors, virtualization and network equipment that are used to deploy cloud infrastructures; they prevent the customer from having to build their clouds in a piecemeal manner using equipment and software that is not certified to work together.
The benefits of a J-Cloud are:
1: Optimization of IT hardware utilization
2: Reduced licensing cost, since all agencies can potentially access one set of licenses
3: Effective collaboration and access to data via cloud-hosted virtual desktops, which can be accessed on many mobile devices
4: Increased access to applications by all agencies
5: Ability to scale up by adding infrastructure components as needed
6: A foundation for future government-wide infrastructure projects, such as Internet telephony encompassing all agencies
For those of us who manage networks with Cisco 6500 series switches in the core, I am sure the wide array of high-bandwidth switches from Cisco and their competitors has caught your attention. The 6500 series provides 10 Gigabit Ethernet performance at 80 Gbps per slot when coupled with Supervisor 2T modules. The question you should be asking is: how much throughput do I need in the future? If your bandwidth needs are growing exponentially and you want to have data center traffic traverse your core switches, then upgrading your 6500 switch might not be such a good idea, since a data center's aggregated bandwidth demands can be significant in a medium to large organization.
However, the drawback to acquiring new switches relates to their price: a supervisor upgrade would be much cheaper than acquiring a similarly sized switch. Size, though, does not truly reflect the state of affairs either, since there are now 2U switches that are able to outperform an upgraded 6509; examples of such devices can be found in the Nexus 5000 series switching line. If you run separate data center and user networks (as you should), then a 6509 with a Supervisor 2T module is a relatively inexpensive upgrade that causes only minor disruption and less headache while delivering 3x your current performance. Replacing your switch with a smaller unit will always pose challenges as it relates to re-cabling and re-arrangement of your core network, which is always daunting due to the differences in the number of switch ports. Sometimes we need to stay put until we have a clear need for change, so if you are not oversubscribing your current infrastructure but want to future-proof it, then the Supervisor 2T provides reasonable investment protection.
When designing a virtual desktop solution, IOPS is king. The rate at which data can be written to and read from central storage is usually the main component that determines the acceptability of a Virtual Desktop Infrastructure (VDI) solution. Usually large numbers of fast hard disks are used to provide the IOPS needed to serve data to our virtual machines, but eventually even the best designed systems struggle when confronted with boot storms.
A boot storm occurs when many users power on their virtual desktops during a short time period. The IOPS required to load operating system and application files at boot usually surpass the amount needed to perform daily tasks such as word processing. The entire system may grind to a halt due to inadequate storage performance.
Now, how do we solve this issue? We could throw more spindles (hard disks) at the problem, which will result in a lot of wasted storage capacity, or we could use solid state drives to store the files required by the virtual desktops at boot. A solid state drive, though expensive, can be used to assist in dealing with boot storms, since they are typically 25-30 times faster than the fastest hard disk. While wonderful, solid state drives are not cheap, so you may also take a look at storage area networks that are able to cache frequently requested blocks of data; these systems can also be used to provide greater boot-time performance for your VDI setup and ensure end user acceptance of this solution.
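To make the caching argument concrete, here is an added simulation (not from the original post) of a boot storm against a storage tier fronted by a block cache standing in for an SSD layer or a caching SAN. It assumes every desktop boots from the same master image, so OS blocks are shared and only per-user profile blocks are unique; the block counts, boot window and per-disk IOPS are constructed figures, not measurements.

```python
import math
from collections import OrderedDict


class LruBlockCache:
    """Read cache in front of the spindles (models an SSD tier or SAN block cache)."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.blocks: OrderedDict = OrderedDict()

    def read(self, block) -> bool:
        """Return True on a hit; on a miss, load the block and evict the least recently used."""
        if block in self.blocks:
            self.blocks.move_to_end(block)
            return True
        self.blocks[block] = True
        if len(self.blocks) > self.capacity:
            self.blocks.popitem(last=False)
        return False


def simulate_boot_storm(desktops: int, os_blocks: int, user_blocks: int,
                        cache_capacity: int) -> tuple[int, int]:
    """Each desktop reads the shared OS image blocks plus its own profile blocks at boot.
    Returns (total_reads, disk_reads): only cache misses reach the hard disks."""
    cache = LruBlockCache(cache_capacity)
    total = disk = 0
    for desktop in range(desktops):
        boot_reads = [("os", b) for b in range(os_blocks)]                 # identical for every VM
        boot_reads += [("user", desktop, b) for b in range(user_blocks)]   # unique per VM
        for block in boot_reads:
            total += 1
            if not cache.read(block):
                disk += 1
    return total, disk


def spindles_required(disk_reads: int, window_seconds: int, iops_per_disk: int) -> int:
    """Hard disks needed to absorb the cache misses within the boot window."""
    return math.ceil(disk_reads / window_seconds / iops_per_disk)


if __name__ == "__main__":
    # Constructed scenario: 500 desktops booting within 5 minutes, 150 IOPS per disk.
    for capacity in (100, 2000):
        total, disk = simulate_boot_storm(500, 1000, 50, capacity)
        print(capacity, total, disk, spindles_required(disk, 300, 150))
```

With a cache smaller than the OS image, every read misses and the constructed scenario needs 12 spindles just for the storm; with a cache that holds the image, the shared OS blocks hit disk once and the miss count falls from 525,000 to 26,000, which one spindle absorbs.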