I was lucky enough to attend the first official Toronto VMWare Users Group (VMUG) meeting last week. And by "lucky" I mean I was invited via email because I actually register my VMWare Server downloads and had the time, and by "official" I mean it was the first one sponsored by VMWare, I gather there have been "unofficial" ones previously.
Overall it was a pretty good event. The talks were competent, but almost entirely focused on the newest features of the highest end of the latest generation of features in ESX and vSphere, which are cool and powerful products, but I've never used them or worked anywhere that used them. I plan to attend the next meeting (which I think they mentioned would be in September).
However, one thing in the presentations really grabbed my attention. I was lucky enough to catch Chris Hoff's presentation "The Four Horsemen Of the Virtualization Security Apocalypse: My Little Pwnie Edition" at SecTor 2008 (if you followed the first link, the picture Hoff is using on his front page is actually him speaking during a panel keynote at SecTor 2008 - not that you care). In that presentation Hoff's #2 Horseman - Death - was the virtualized switch and OMG OH NOES!!! WHAT IF you vMotion a VM away from the physical network switch on which you have configured ACLs, routes, VLANs, and all that sort of fun stuff. Now don't get me wrong, I'm not downplaying that as a problem, it really sounds like it is one. It just seemed like one of the features presented here was specifically built to address that very situation, the Cisco Nexus 1000v Virtual Switch.
I am not qualified to really assess this product as a complete security solution, and Hoff's objectivity may have been compromised of late. I know he's blogged about the performance and other features of the v1000 a few times, but I'd be interested to hear his take.
Anyways, the downside of the v1000 is to use it, you have to be licensed to the highest level of vSphere... Enterprise Plus or something, which is a pretty high price tag. No Enterprise Plus? Then sorry, your version of vSphere doesn't have the API enabled to allow v1000 to do it's thing. What that means for you and me is that even IF the Cisco Nexus line is the virtual switch John Conner to Hoff's death pwnie, it's only here to save the top tier of enterprise customers and the rest of us are still screwed and had better repent. :/
On another note, the surf was UP at the VMUG and I hung ten off a couple of BB junkies who couldn't stop leaking information the whole morning. To the guy in front of me during the second talk: I'm not sure when your netbook demo is coming in, lucky you for having the Enterprise Plus license already, and I'm sorry that they got doughnuts for you office when you weren't there, maybe they saved you some? I caught your email address and phone number, but I was bored and don't care, so I didn't write them down.
I changed seats between each talk and learned that touch screen devices (iPhones, BB Storm's) are harder to read over someone's shoulder because their fingers are in the way of the screen. Security by accident?
So I spent the better part of 2 years prior to the NX1KV (Nexus 1000v,) service profiles and DVS basically highlighting the fact via the pwnies that we need way of reconciling the fact that the policies associated with a VM were static and did not "travel" with it should it move.
ReplyDeleteIt just so happened that some very smart people also recognized this problem and did something about it. Further, with VN-Link/VN-Tag we get even closer to being able to bind policies in even more interesting ways and have traffic interact with external security controls.
Couple that with the arrival of VM-Safe and the first crop of solutions to take advantage of it, and we're getting closer to having better security in VMware virtualized environments.
...and my objectivity has ALWAYS been suspect. I am never to be trusted. ;)
/Hoff