"One significant issue with virtual machine security is
with virtual switch isolation," said Burton Group's Wolf. "The current
all-or-nothing approach to making a virtual switch 'promiscuous' in
order to connect it to an IDS/IPS is not favorable to security." ...
This is an overall decent article but parts are very misleading.
I got in touch with Andrew Lambeth of VMware's Networking team for clarification. This is what he had to say:
... The vswitch-wide setting that probably confused
him is not the only way to enable promiscuous mode. The right way to
configure a vswitch for IDS/IPS is to create a separate portgroup from
those used for normal VMs and configure only that portgroup for
"Promiscuous Allowed". This prevents any normal VMs connected to the
other portgroups on the vswitch from being allowed to sniff traffic not
intended for them while allowing only the IDS/IPS VM to sniff.
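To make Lambeth's point concrete, here is an added example of my own (not VMware code and not anything Lambeth supplied) that models how the vSwitch-wide "Promiscuous Allowed" setting and a per-portgroup override combine, and audits which VMs end up able to sniff. The policy field follows the vSphere API name HostNetworkSecurityPolicy.allowPromiscuous, where an unset portgroup value means "inherit from the vSwitch"; the vSwitch, portgroup and VM names are constructed for the example.

```python
"""Audit of vSwitch / portgroup promiscuous-mode inheritance (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class PortGroup:
    name: str
    # None mirrors an unset portgroup policy: inherit the vSwitch value.
    allow_promiscuous: Optional[bool] = None
    vm_names: List[str] = field(default_factory=list)


@dataclass
class VSwitch:
    name: str
    allow_promiscuous: bool = False          # vSwitch-wide default
    portgroups: List[PortGroup] = field(default_factory=list)


def effective_promiscuous(vswitch: VSwitch, pg: PortGroup) -> bool:
    """A portgroup override wins; otherwise the vSwitch-wide policy applies."""
    if pg.allow_promiscuous is None:
        return vswitch.allow_promiscuous
    return pg.allow_promiscuous


def audit(vswitch: VSwitch, sensor_vms: Set[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Return 'exposed': non-sensor VMs on a portgroup that lets them sniff,
    and 'blind': sensor VMs on a portgroup that does not allow sniffing."""
    exposed: List[Tuple[str, str]] = []
    blind: List[Tuple[str, str]] = []
    for pg in vswitch.portgroups:
        promisc = effective_promiscuous(vswitch, pg)
        for vm in pg.vm_names:
            if vm in sensor_vms and not promisc:
                blind.append((vm, pg.name))
            elif vm not in sensor_vms and promisc:
                exposed.append((vm, pg.name))
    return {"exposed": exposed, "blind": blind}


def all_or_nothing_config() -> VSwitch:
    """The setting Wolf objected to: promiscuous enabled on the whole vSwitch."""
    return VSwitch(
        name="vSwitch0",
        allow_promiscuous=True,
        portgroups=[
            PortGroup("VM Network", vm_names=["web01", "db01"]),
            PortGroup("IDS Span", vm_names=["ids01"]),
        ],
    )


def portgroup_override_config() -> VSwitch:
    """Lambeth's recommendation: vSwitch stays off, only the IDS portgroup allows it."""
    return VSwitch(
        name="vSwitch0",
        allow_promiscuous=False,
        portgroups=[
            PortGroup("VM Network", vm_names=["web01", "db01"]),
            PortGroup("IDS Span", allow_promiscuous=True, vm_names=["ids01"]),
        ],
    )


if __name__ == "__main__":
    for cfg in (all_or_nothing_config(), portgroup_override_config()):
        print(cfg.name, "vSwitch-wide promiscuous =", cfg.allow_promiscuous,
              "->", audit(cfg, {"ids01"}))
```

The audit reports two kinds of misconfiguration: ordinary VMs that have been granted sniffing by a vSwitch-wide setting, and a sensor VM that ended up on a portgroup where promiscuous mode is disabled (for instance by an explicit portgroup override set to false), which would silently blind the IDS.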
Monthly Archives: September 2007
From Warren Ponder: Virtual Desktop Blog: VMware VDI - VDM 2.0 Beta now live.
VDM 2.0 is a new product. Over the last few months the team has been
hard at work so we can deliver on the design goals we set for this
release of the broker. At this stage we are really focused on
simplicity and scalability.
One of the biggest changes for the
initial release from the original Propero technology is we have ported
to Windows. This release is only supported on Windows 2003. ...
In the coming weeks I will be
sharing more on the architecture and available features. Anyone that's
interested in participating in the beta can find the registration page
at this URL - VDM 2.0 Press Release
I was asked to co-present with an engineer from Sun
at an upcoming conference in October. I asked him to do his slides and
then shoot me over the presentation so I could fill in my half. I
noticed that his view of virtualization and mine were very different.
To put it into jargon speak, there is a difference between Redshift
virtualization and Blueshift virtualization. ...
Essentially it says that there are two different classes of business: “blueshift” companies that grow according to GDP
and are essentially over-served by Moore’s Law that computing power
doubles every two years, and “redshift” companies that grow off the
charts, and which are grossly under-served by Moore’s Law.
i.e., blueshift is server consolidation and redshift is dynamically bringing new servers up quickly on your virtual infrastructure. Zen blade master Martin MacLeod says that is the wrong answer -- the value of virtualization is really in transforming your business process in both slow- and fast-growth businesses.
But where virtualization really brings benefits is in the non-technical
arena. The ability to turn it all around, to be a real business
enabler, that the IT infrastructure can grow and adapt in line with the
business need, that we move to a system of service provisioning where
IT handle everything and provide the business with the virtual
instance, a world where I can request a server for a month to test that
.NET framework 3.0 works ok with my application, then give it back,
where I can be allocated more processing power or memory in minutes not
weeks due to the purchasing process needing sign off, processing and
VMware has traditionally restricted access to its hypervisor code and, while the vendor has made no official announcement about the API sharing program tentatively called "Vsafe," VMware founder and chief scientist Mendel Rosenblum said that the company has started sharing some APIs
(application program interfaces) with security vendors.
"We would like at a high level for (VMware's platform) to be a better
place to run," he said. "To try and realize that vision, we have been
partnering with experts in security, like the McAfees and Symantecs,
and asking them about the security issues in a virtual world."
Rosenblum says that some of the traditional tools used to protect a hardware server work just as well in a virtualized environment, while others "break altogether."
"We're trying to fix the things that break, to bring ourselves up to
the level of security where physical machines are," he said. "But we
are also looking to create new types of protection."
Rosenblum said the APIs released as part of the initiative
offer security vendors a way to check the memory of a processor, "so
they can look for viruses or signatures or other bad things."
Others allow a security vendor to check the calls an
application within a virtual machine is making, or at the packets the
machine is sending and receiving, he said.
"I don't want to be reverse engineering our products to find
exploits or figure out signatures," Rosenblum said. "Fundamentally,
that means we have to partner. Fortunately, there is a bunch that are
happy to partner and I encourage that."
We all know you can run ESX Server in a VM (you know that, right?). Thomas Bishop already has the ESX Server 3i beta working in Fusion, and Eric Sloof has it going in Server. Thomas also has an interactive shell running at boot. See this forum thread for all the acrobatics, where pbraren and others are contributing. It's quite a fascinating mix of technical step-by-step investigation and rumination on the significance of 3i and where the hypervisor is going.
Also, the ESX Server 3i session presentation from VMworld is available from us. (hat tip to Mike Laverick, who knew about it before I did. I can tell you that the rest of the VMworld presentation pdfs should be available on the new VMworld.com very soon, and most of the streaming sessions are already available. You must have a conference login to view them for now.)
A bit of commentary as well. J Hicks says in the comments on the last 3i post:
Don't get me wrong, 3i is a great next step. Avoiding the RH based
service console and the associated patching is fantastic. However, what
really matters is not just the hypervisor itself, but the way its
managed. And 3i = 3, same code, different delivery, same management
Its very interesting to see the corner we're turning here. Initially
VMware was touting "repurpose the hardware you have" - but now the
hardware vendors are delivering boxes that may only make sense for
virtualized hosts. (not that that's a bad thing, just something to
And the always-insightful Massimo Re Ferre has an essay on what he sees as the significance of ESX Server 3i -- in short, it's a step forward in the natural evolution of the product, but for now it's still the ESX Server we know and love.
So what does this buy you as an end user? Yes me too I think... not so
much. Sure it has a much smaller attack surface for viruses and
security vulnerability that means less updates so less troubles for
system administrators. Also it finally allows you to get rid of these
legacy 2 hard disk drives in rack servers and more importantly blades,
transforming them into true stateless devices ... as they should be. Yet
not really something you would go through the streets of San Francisco
screaming "oh boy what they managed to invent!?!"
In conclusion, I certainly didn't want to diminish the value that 3i is
bringing into the industry. I am very excited about it because I think
it's a step in the right direction. However I think it is
important to clarify some of the rumors and misinformation that have
been circulating and that I am sure will circulate even after the
details are disclosed.
Massimo is worried that an excited sales force will be overhyping 3i as the ultimate hypervisor. I saw a lot of science fictional speculation before the announcement, but the reporting post-announcement has been pretty sober -- pointing out the clear advantages in deployment and patch reduction and architectural simplicity, but not proclaiming that we've reached the promised land. So don't worry, Massimo, you can be excited about 3i without overhyping it. You know VMware is not a company given to too much hype -- but as kimono says in the discussion thread, 3i is "a seriously hot piece of kit."
Chris Wolf at the Burton Group with some very insightful coverage of VMworld 2007, and I don't say that just because he says "Last week's VMworld conference was arguably the most significant virtualization event to date."
To me, VMworld 2007 marked the coming out party for enterprise
virtualization. x86 virtualization's past, present, and future were
clearly on display. For IT architects, the challenge is clear - hedge
your bets on virtualization's future and align today's technology
decisions based on those assumptions. My future data center has the
- Is managed by system administrators that focus on business value supported by applications - IT as a service
- Utilizes standards-based management
- Supports all virtual machines regardless of the platform which packaged them
- Leverages embedded hypervisors or hypervisors that fully reside in
memory (as with Virtual Iron) to ensure better security and power
- Pools hardware resources (server, storage, network) and uses them
when needed to meet workload demand and dramatically save on power and
- Includes a management layer capable of provisioning server,
storage, and network resources and associated security settings on
- Includes rollback technology that empowers users to recover from system or application failures without IT intervention
VMworld showed me the future of server virtualization and data centers. What did it show you?
More from Chris Wolf:
Eric Sloof has some of the first notes in the wild talking about booting his ESX Server 3i that he got at VMworld. I believe many of the details are under NDA, but here's a peek:
Also Dell has been talking about its forthcoming VESO servers:
- VESO: How Dell Will Simplify Virtualization (at Direct2Dell Blog, this is a nice video of the demo system used at the VMworld 2007 keynote) [via DABCC]
- uberpulse posts a pic inside the box with a quote from a Dell product manager: "this is not your typical 2 sockets server"
Although this is not a hardware blog, I'm happy to pass along tidbits from other OEMs who will be shipping ESX Server 3i -- and I'm talking to you, HP, IBM, Fujitsu, and NEC.
hicksj has taken a look and is already jaded in this thread at the VMTN Community.
Eric Sloof created some video impressions of VMworld as well as doing a few interviews. Check them out if you couldn't make it this year!
- VMworld 2007 the last day
- VMware party at Treasure Island
- Bouke Groenescheij presented at VMworld 2007
- Mike Laverick about the BOOK !!!
- The man behind the virtual MAC tool
- VMworld 2007 Day One Video
Check out professional photographer and Dutch VMUG member Viktor van den Berg's Flickr set for VMworld 2007 as well. And for the full stream of everybody's snapshots from their San Francisco vacations, just search for VMworld 2007 on Flickr.
VMware's Richard Garsthagen: VMware introduces ESX 3i
The real cool thing I like about ESX 3i is that it has support for SATA disks!! meaning it runs on your notebook
Jippie!!!! I have successfully tested ESX 3i on my older Dell laptop
and it works awesome on my IBM x60. The IBM has a really good SATA
controller, that by default is not even supported by Windows XP, but
ESX 3i has no problem whatsoever with it. Also the notebook NICs seem no problem for ESX 3i.
Gordon Haff: Embedding Hypervisors
Expect all this activity to kick off another round of “Where does the hypervisor live?”
Microsoft, in particular, is still determined to own the entire
software stack from the VMM to the application. As a result, they’re
still promoting Viridian—however delayed.
It’s a misdirected quest. Although a VMM intermediates between the
hardware and the operating system—and usurps some low-level
functions—it hardly replaces the OS. The APIs and libraries of the OS
are still the “application contract” that underpins the software that
users actually care about. And Microsoft sells a lot of that
higher-level software as well. In other words, it’s hard to see why
Microsoft really needs to own the VMM any more than it needs to own a
server’s BIOS firmware or hardware. In fact, software that abstracts
messy hardware details from Windows would simplify Microsoft
development in a number of ways by reducing myriad complexifying
hardware dependencies. And, in any case, playing King Canute seems an
increasingly pointless exercise as the tide of embedded hypervisors
starts to wash in.
Write down September 11, 2007 on your calendar as a landmark day for
virtualization. ...By shipping the hypervisor on bootable flash
within the server, it fundamentally changes the way we buy applications,
operating systems and hardware platforms. In this scenario, the hypervisor
becomes the operating system, while traditional operating systems become
application run-time environments. Thus, in the future, we won't buy servers
with traditional OSes pre-installed on the hardware platform. Customers will
buy servers that are virtualization-ready, customizing their purchase with wide
variety of pre-configured VHDs that bundle the application and the operating
system as a solution. You may hear these bundles called "application
blades", "software blades" or "virtual appliances".
Whatever you call them, they represent a new way IHVs will deliver OSV and ISV
Joe Hernick: Honey, I Shrunk the Hypervisor
So be on the lookout for
the new thin hypervisor from your favorite hardware vendor. Saying that
this will change the landscape in an already quickly shifting market is
an understatement. If you haven't started a virtualization project in
your enterprise, an embedded hypervisor that requires no installation
and yields a short order infrastructure deployment should make it
that much harder to stay away.
The Inquirer quoting VMware's Steve Jackson: VMware's ESX Server 3i does support AMD's nested paging tables
To clarify the situation with regards to VMware’s support for AMD’s
Barcelona chipset, I would like to say that I made an error in
describing the level of support that is present for Nested Paging
Tables, or Rapid Virtualisation Indexing as AMD is now calling this
feature, within VMware’s product line-up and particularly within VMware
ESX Server 3i. ESX Server 3i does support the new feature, and
customers will automatically benefit from support for RVI when they buy
any server with the Barcelona chipset and ESX Server 3i installed. ESX
Server 3i is shipping later in the year as part of servers from the
likes of Dell, IBM, HP and Fujitsu Siemens as well as other hardware
Almost my favorite part of the show -- watching the artists build this enormous mural as people arrived down the escalator, stopped, and stared. And then giggling as the images were repeated throughout the show. This picture by Viktor van den Berg gives you just a glimpse -- it was huge (15 x 60 ft?) and close scrutiny was very well rewarded.
Gordon Haff: Art at VMworld
But there’s one other thing that I have to mention. VMware hired a New York artist named Brian Rea
to handle the artwork for the show. His line drawings are omnipresent,
incredibly clever, and add a real sense of style and fun to the show.
Multi-core is a tree growing apple cores. Disembodied hands pat a
Labrador for the “Hands-On Lab” sign. And a huge blackboard has been
sporting an increasingly dense collection of pictorial jokes throughout
the week. Kudos to the artist and to VMware for looking beyond the
often oh-so-serious world of technology!
Some closeups of the banner images from Tony.