As attacks upon software systems become more sophisticated, it is crucial to adapt security measures to emerging threats. Virtualization is presently one of the most exciting technologies in the enterprise, but also among the most vulnerable.
At VMworld, Sourcefire, the security company that brought Snort to the market, has introduced a new product offering through its Sourcefire 3D. Most important, the release improves Real-time Network Awareness (RNA), a feature able to monitor both hardware and virtual environments.
First, RNA enables administrators to tailor the software to their compliance and policy requirements; the VM Detection feature combats the problem of VM sprawl by detecting all virtual machines and making them visible.
RNA is now supported by VMware’s support services, Technology Alliance Partner (TAP) program and VMsafe. VMsafe includes an application program interface (API), which enables other security applications to monitor for and catch intrusions that RNA cannot see.
RNA saves enterprise resources by identifying threats as they occur, continuously collecting information about virtual machine activity at the surface level of a virtual environment. Other security tools collect such data only during the day, allowing intruders greater opportunity to inflict harm on the system.
Novell Inc.’s recent coup of achieving bidirectional virtualization with Microsoft’s Hyper-V — SUSE Linux Enterprise can run as a guest on Hyper-V and Hyper-V on SUSE — is a huge step forward for interoperability.
Novell’s accomplishment begs for a response from Raleigh, N.C.-based Red Hat Inc., the largest open source vendor, which, publicly at least, has remained totally aloof from Microsoft, which, like it or not, has an overwhelming share of the server market.
So what’s Red Hat’s reaction? Is it going to use the Linux Integration Components that Novell and Microsoft created to boost performance between Linux and Microsoft virtualization platforms? These drivers and accessories are freely downloadable from Microsoft’s website.
What about cross-platform certification? Is Red Hat going to pursue certification through the Microsoft Server Virtualization Validation Platform to optimize Windows’ performance as a guest on Red Hat Enterprise Linux?
Finally, what are the implications for interoperability of Red Hat’s focus on the KVM hypervisor while the rest of the computing world (except for Ubuntu) is centered on Xen? Although Red Hat has pledged support for Xen until at least 2014, the thrust of its development efforts will be on KVM. And what happens after 2013? These are reasonable questions to ask of the leading open source vendor. Yet these questions went totally unanswered from mid-afternoon last Thursday until the following Monday morning. The answer: There would be no response. Total stonewalling.
According to a recent ZDNet article, Paul Cormier, Red Hat’s president of products and technologies, told a London press conference that Microsoft’s Hyper-V is targeting VMware. But that’s not the issue! The issue is: Is Red Hat going to become a Linux-only solution or is it going to reach some sort of accommodation with Microsoft?
I would really like to see Red Hat continue to thrive and gain market share on the giant from Redmond, Wash. Kick butt, even. So I hope that the reason for Red Hat’s evasion is not because Red Hat’s avoiding the interoperability issue but because Red Hat is in negotiations with Microsoft and can’t say anything until they’ve reached an agreement.
Only time will tell.
Citrix Systems Inc. is hardly shy about its presence at VMworld 2008, an event hosted by its major competitor, VMware Inc. “Citrix is providing virtualization software customers with a choice where before the options were limited,” said Matt Fairbanks, Citrix VP of product marketing. Citrix will make two releases at the event this week.
The first is XenServer 5, which acts as a platform for the second release, Citrix Cloud Center (C3). XenServer 5, or XenServer Cloud Edition, is an upgrade from previous versions of XenServer and will feature improved storage, disaster recovery, availability, performance and guest operating system support. It includes a feature called metadata tagging, which identifies and categorizes individual virtual machines for easy virtual organization and management. It also expands its application support to allow “hardware agnosticism,” said Fairbanks.
Citrix Cloud Center is a family of products that works together with XenServer 5 to help software service providers deliver applications to end users in a cloudlike infrastructure. “Cloud computing is a new way of thinking about software,” said Fairbanks. “These products provide high-quality management and energy savings in the move to Web 2.0, 3.0, and Software as a Service.” Both products are part of the Citrix Delivery Center line and are designed to help administrators run more servers on the same amount of hardware. Citrix Delivery Center includes as its core products XenServer, XenDesktop, XenApp and NetScaler.
Keeping track of the ever-changing ranks of the Ubuntu mascot menagerie is not for the faint of heart. My debut into LinuxLand was shortly before the introduction of the Hardy Heron and Ubuntu 8.04 LTS last April. Simple enough. Until today.
Today I learned that on Monday, Ubuntu founder Mark Shuttleworth announced the future addition of another mascot, the Jaunty Jackalope. A Jackalope, I learned, thanks to a folklore reference in the Gospel of Wikipedia, is a cross between a jackrabbit and an antelope.
The Jaunty Jackalope is just one in a series of Ubuntu motivational mascots. Intrepid Ibex the mountain goat, Jaunty Jackalope’s immediate predecessor, gets crowned for his work on Oct. 28 with the release of Ubuntu version 8.10. Jaunty Jackalope takes over from Ibex and will lead the team until the release of Ubuntu 9.04 the following April. Then, of course, there’s Hardy Heron 8.04, my first mascot acquaintance, whose reign began last April and lasts three years for desktops, five years for servers.
Shuttleworth must be placing a lot of stock in the Jaunty Jackalope, because his lofty goals for the Ubuntu team over the ensuing seven months include nothing less than catching up to Apple and Microsoft Windows in eye appeal and user-friendliness, and forging ahead of them in merging Web services and applications into “weblications” that straddle online/offline environments.
I suppose if you can keep track of herons, rabbit-antelopes and mountain goats, an ambitious software development track is no problem at all. Perhaps that’s Shuttleworth’s way of weeding out job candidates who aren’t great at multitasking.
Less than a week after Red Hat Inc.’s surprise $107 million purchase of Qumranet Inc., I remain mystified by this acquisition. Qumranet is the Israel-based creator of the KVM open source hypervisor, which is incorporated into the Linux kernel; SolidIce, a virtual desktop product that Qumranet launched earlier this year but that has yet to gain serious traction; and Spice, a super-fast communications protocol for transmitting bandwidth-heavy multimedia content at high speed that other vendors currently can’t match.
The first person to raise questions about this buy to me was George Weiss, executive vice president of Stamford, Conn.-based Gartner Inc., who said this dual hypervisor strategy would make life more difficult for Red Hat customers, who would have to buy a management console to control the two hypervisors, Xen, which is already in Red Hat Enterprise Linux (RHEL) 5, and KVM, which will be added in subsequent versions.
Burton Group analysts Chris Wolf and Richard Jones pointed out that KVM enters a crowded market late in the game. Despite a solid architecture, KVM is still immature and lacks the momentum and multi-vendor support of more-established Xen, Wolf said. To be the No. 2 virtualization vendor based on KVM, Red Hat must end its isolation from the Microsoft camp and attain certification under Microsoft’s Server Virtualization Validation Program so its hypervisor will be optimized for Microsoft guests, he said.
KVM needs the support of another big vendor or two, added Jones. The Qumranet acquisition will pull Red Hat in the direction of desktop virtualization while Xen will continue to dominate the server market, he predicted.
Tech blogger Jason Perlow said Red Hat told him that it plans to open source the Spice protocol and other components of the SolidIce desktop virtualization. If so, Red Hat will have positioned itself as a solid competitor to VMware and Citrix’s desktop and server virtualization, assuming an attractive pricing model, Perlow predicted. “At the end of the day, it’s not about raw technical merit. It’s about how well the vendor markets the solution and how palatable it is to end users,” he said.
Daniel Kusnetzky, principal analyst of Osprey, Fla.-based Kusnetzky Group, who recently counted Qumranet as a client, raised another rationale for Red Hat’s purchase of Qumranet: control over the hypervisor. Red Hat lost leverage over Xen when Xen was bought by Citrix; this acquisition gives Red Hat control over KVM, he said. Good point.
The bottom line: Maybe it’s just that I’m a frugal New England Yankee, but I wouldn’t pay $107 million for a giveaway hypervisor and a promising-but-wannabe desktop virtualization product. Especially since desktop virtualization is not yet ready for mainstream adoption, because it shifts storage to the data center, which is more costly. This acquisition is all the more surprising since Red Hat hasn’t done much with the desktop to date. Kusnetzky may have hit the bull’s eye on Red Hat’s motivation, but Wolf also is correct that it’s time for Red Hat to mend fences with Microsoft if it wants to be relevant to the overwhelming majority of the computing universe, desktop or server.
Some bloggers raised concerns that Microsoft would not release its Linux Integration Components on Sept. 8 as planned, concurrent with the release of its highly anticipated Hyper-V virtualization application. The components, which include special drivers for networking and storage, are expected to make Novell SUSE Linux Enterprise guests run as well on Hyper-V as Microsoft VMs and give SUSE a performance edge over rivals such as Red Hat Inc. and Ubuntu on Microsoft machines. But not to worry. Justin Steinman, Novell’s director of marketing, Open Platform Solutions, promised that the components will be available to download from prior to next Monday. Well, that one’s right down to the wire.
On Friday, Aug. 22, openSUSE announced that its newest version, 11.1, will support Security Enhanced Linux, or SELinux. Novell’s security tools, AppArmor and SELinux, have traditionally been considered intense rivals. In this interview, openSUSE’s Andreas Jaeger, Roman Drahtmüller and Matthias Eckermann discuss openSUSE’s support of SELinux.
OpenSUSE now has basic enablement with SELinux. That’s great for SELinux users now, but will openSUSE be able to integrate new patches for SELinux?
Andreas Jaeger: openSUSE is developed with a community approach; we are proud to have opened the openSUSE build service to the community, with the option to develop and package open source software cross-distribution.
As SELinux is a cross-distribution effort, we encourage members of the SELinux community to participate in the openSUSE build service: to develop, test-drive and integrate new user land patches and tools into openSUSE and other distributions using our cross-distribution service. This way, all distributions running with SELinux enabled in the Linux kernel will benefit.
Is support of SELinux indicative of a larger industry trend toward interoperability?
Roman Drahtmüller: Novell observes a tendency in the industry to increase the security value of a system by introducing additional controls beyond the scope of the application. This means the application is exposed to these controls but cannot change them.
In moving from AppArmor to SELinux, does a company sacrifice compliance benefits?
Drahtmüller: AppArmor profiles for application containment and confinement are comparatively easy to manage throughout an infrastructure. Creating them is a distinct, low-pain checkmark item. The same applies to evaluating log messages that record possible violation attempts against protected system services.
For customers, the transition to SELinux may need a change in thinking and architecture, but also allows for the definition of a complete policy in a system. It helps to disallow actions that are not subject to a defined policy. There are environments that require such a functionality — regardless of the cost associated with it — for compliance reasons.
We anticipate that customers with these requirements will aim for a SUSE Linux Enterprise operating system, as it targets the special needs of customers working in compliance-bound environments.
Security tools have created a tradeoff between capability (SELinux) and usability (AppArmor). Is Novell’s approach to this tradeoff changing with its basic enablement of SELinux?
Matthias Eckermann: As in earlier releases of our product, openSUSE 11.1 reflects our belief in the value of additional security mechanisms in the operating system. The benefit of such mechanisms is maximized if the configuration and administration are as transparent, straightforward and easy as possible for administrators.
Security needs that aim toward mandatory access control, mandatory integrity control or even multi-level security require a suitable architecture. With the basic SELinux enablement, we will allow our partners and customers to use such an architecture to implement solutions that fulfill their specific needs.
Nevertheless, we want our users to be able to choose their own priorities between administrative effort and functional benefit.
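The interview above contrasts AppArmor's per-application confinement, whose denial messages are easy to review, with SELinux's system-wide policy, which denies anything the policy does not cover. The script below is an added example, not code from the article or from Novell or openSUSE: it parses both record shapes an administrator would find in the audit log (AppArmor `apparmor="DENIED"` events and SELinux AVC denials) and counts which confined program was blocked from which object. The log lines are constructed samples in the usual audit layout; real records may carry extra fields, which the parser tolerates.

```python
"""
Summarize mandatory-access-control denial records from an audit log.

Added example (not from the original article or from Novell/openSUSE).
It handles two record shapes: AppArmor "DENIED" events and SELinux AVC
denials. SAMPLE_LOG is constructed test data, not output of a real system.
"""
import re
from collections import Counter

# Constructed sample audit records (not taken from any real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1220000000.101:41): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/shadow" pid=2210 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1220000000.102:42): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/etc/shadow" pid=2210 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1220000000.103:43): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ntpd" name="/etc/ntp.conf" pid=2210 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1220000000.104:44): avc:  denied  { read } for  pid=3120 comm="httpd" name="shadow" dev=sda1 ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1220000000.105:45): avc:  denied  { name_connect } for  pid=3120 comm="httpd" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1220000000.105:45): arch=c000003e syscall=42 success=no exit=-13
"""

# key="value" pairs as AppArmor writes them, or bare key=value as SELinux writes them.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The "avc:  denied  { perm }" prefix of an SELinux AVC record.
_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def _fields(line):
    """Turn the key=value tail of an audit record into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def parse_denial(line):
    """Return a normalized denial record, or None if the line is not a denial.

    Normalized keys: mac (AppArmor/SELinux), subject (profile or source
    domain), object (path, or target context when no path is logged),
    action (operation or requested permission), pid.
    """
    f = _fields(line)
    if f.get('apparmor') == 'DENIED':
        return {'mac': 'AppArmor', 'subject': f.get('profile', '?'),
                'object': f.get('name', '?'), 'action': f.get('operation', '?'),
                'pid': f.get('pid')}
    m = _AVC_RE.search(line)
    if m and m.group(1) == 'denied':
        # Prefer the path name when present; fall back to the target context
        # (network and IPC denials carry no file name).
        obj = f.get('name') or f.get('tcontext', '?')
        return {'mac': 'SELinux', 'subject': f.get('scontext', '?'),
                'object': obj, 'action': m.group(2).strip(), 'pid': f.get('pid')}
    return None


def summarize(log_text):
    """Count denials per (mac, subject, object, action) across a whole log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec:
            counts[(rec['mac'], rec['subject'], rec['object'], rec['action'])] += 1
    return counts


if __name__ == '__main__':
    # Most frequent denials first: repeated hits on the same object usually
    # mean either a profile/policy gap or a program doing something it should not.
    for (mac, subj, obj, act), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {mac:8s} {subj} -> {obj} [{act}]")
```

Feed it the real audit log (`/var/log/audit/audit.log` on systems running auditd, or the kernel log otherwise) and the counts show at a glance which confined services are hitting the policy boundary and where; ALLOWED or granted records and unrelated SYSCALL records are ignored.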
Waltham, Mass.-based Novell Inc. reported solid revenue growth in its third-quarter earnings call yesterday, with net revenues of $245 million, up from $236 million in the second quarter of 2008 and from $237 million in the third quarter of the previous year. Third-quarter operating profit this year was $1 million, compared to a $10 million operating loss the previous year.
Quarterly revenues from SUSE Linux were even stronger, however, with 30% year-over-year growth, climbing from $25 million in the third quarter of 2007 to $32.5 million in the third quarter of 2008. Third-quarter SUSE revenues also were higher than the previous quarter’s revenues of $30.5 million. Despite the revenue gains, Novell racked up third-quarter losses of $15 million in 2008 and $4 million in 2007, due to charges from auction-rate securities and negative currency exchange rates, respectively.
Microsoft sales of SUSE certificates continue to increase throughout 2008, with $176 million, or 73% of the $240 million agreement, invoiced to date, according to Ian Bruce, Novell’s director of public relations. Microsoft is so far ahead of schedule in sales of the SUSE certificates, which it agreed to resell within five years of November 2006, that Microsoft recently agreed to buy up to an additional $100 million in SUSE certificates. Last year, Microsoft certificate sales gave a hefty boost to Novell revenues and boosted SUSE’s market share by 3% to 29%, while Red Hat Inc.’s declined proportionately.
As Al Gillen, research vice president of system software at Framingham, Mass.-based IDC pointed out recently, the certificates give Microsoft an alternative product to offer customers who prefer Linux to Windows. And the paid-support certificates can convince customers to switch from free software to paid-support subscriptions, which “levels the playing field” with proprietary software, he said. Novell CEO Ron Hovsepian said he is “pleased” with the overall results, which he said affirms that the company is on the right strategic path and should achieve further growth and higher profit margins in 2009. Consulting services will continue to decline but product sales will increase, keeping the company on target to earn $940 million to $970 million by the end of the fiscal year, he said. Last year’s net revenues were $932 million.
Red Hat Inc. has declined to provide additional details on last week’s security breach, in which some Fedora servers were illegally accessed. Although Red Hat said it did not believe that the package-signing key used to gain access to Fedora operating systems was compromised, the Raleigh, N.C.-based company issued a new Fedora signing key as a precaution. Fedora is Red Hat’s free operating system, where innovations are introduced and tested before they are incorporated into production-ready Red Hat Enterprise Linux (RHEL).
Related to the Fedora intrusion, Red Hat also announced a breach involving a few OpenSSH (Open Secure Shell) packages for some versions of RHEL 4 and RHEL 5 that are not under the umbrella of Red Hat Network management. As a precaution, Red Hat issued updated versions of the affected RHEL OpenSSH packages.
No big deal?
Reaction to the breach is muted at best.
Joe Clabby, a principal at Falmouth, Maine-based Clabby Analytics, said that a new signing key install “could be a real hassle” for a large install base without an automated deployment system, but he didn’t think it was a huge problem. “It’s good they found it and made it public so people can fix it and life goes on,” he said.
Charles King, a principal analyst at Hayward, Calif.-based Pund-IT Inc., agreed.
A security breach is “always disquieting,” he noted, but this one is probably of lesser impact, because most data centers do not run Red Hat exclusively. In one sense, the breach could be viewed as an indicator of Red Hat’s growing success. Hackers generally target only commercially successful distros, King said.
Well-known tech blogger Jason Perlow said that the breach is “standard stuff” that will be remedied quickly because the entire open source community will become engaged in developing a remedy, versus a breach with a proprietary vendor, which could take months to solve the problem.
I suspect that most large Red Hat installs run RHEL rather than Fedora, thus reducing the probable risk to businesses. Nevertheless, as an admittedly impatient journalist wired to ask questions and expect answers, Red Hat’s failure to be more forthcoming about the extent of the breach and the potential impact is disappointing. Users aren’t well served by a limited statement and a wall of silence.
A recent Business Week article said that Raleigh, N.C.-based Red Hat Inc. is ripe for a takeover bid because its pockets don’t bulge as quickly as those of proprietary vendors and suggested Palo Alto, Calif.-based VMware Inc. as a promising buyer. VMware has a heftier cash flow and doesn’t have an operating system, a gap that Red Hat would fill, the author argues.
But three IT analysts panned the idea for multiple reasons. Richard Jones, the vice president and service director of Burton Group in Midvale, Utah, and Charles King, a principal analyst of Pund-IT Inc. in Hayward, Calif., don’t think Red Hat’s relatively flat stock price makes it vulnerable.
“I don’t think it’s a risk,” King said. “The players within the industry and those in investment live in separate realities. If Red Hat can’t be a success as the clear leader in the market, what could VMware do to make it more successful?”
Jones doesn’t think Red Hat is vulnerable either. Red Hat has only its brand to offer (since open source software is free) and the company would be too expensive to buy, he said. Instead of VMware, Jones thinks that Oracle Corp. would be the more likely buyer.
Joe Clabby, principal at Clabby Analytics in Yarmouth, Maine, said a VMware/Red Hat merger doesn’t make sense because the addition of an operating system would put Hopkinton, Mass.-based EMC Corp., VMware’s parent company, in conflict with the other major hardware vendors who distribute VMware.
“I don’t see Red Hat making a ton of money,” Clabby said. “But I don’t think anybody’s at risk.”
But Clabby admitted that his crystal ball is sometimes a bit cloudy. “I didn’t think EMC Corp. should have bought VMware. But that acquisition has paid off extremely well.”
Ironically, the Red Hat news alert that initially popped up this week linked to a Computerworld column suggesting that IBM buy Red Hat, while admitting the outcome was quite unlikely. But a closer look revealed that Google erred in listing the “recent” article, which was written in 2002. The author, Nicholas Petreley, a computer consultant in Hayward, Calif., said this week that he was one of the first to urge IBM to buy Red Hat in the mid-’90s but said the acquisition now would simply put it in competition with other distros, similar to Clabby’s argument against a VMware/Red Hat merger. And Petreley’s thoughts were the same as mine: somehow the VMware piece resurrected his IBM column out of the depths of time and presented it as something new.
Well, as we all know, technology doesn’t always work 100% of the time. And this is just one more example.
The bottom line: Red Hat appears not to be a takeover candidate for now. And that’s probably a good thing.