VMware has just updated their security hardening guide, which provides recommendations for hardening a VI3 environment.
In addition to the updates for virtual machines and the ESX Service Console, they have now added new recommendations for ESXi, VirtualCenter Add-on components (plug-ins) and for Client components.
Here’s a brief overview of the recommendations for VMs and ESX hosts that have been added to the guide. No new recommendations were made for VirtualCenter except for the Plug-in ones.
- Disable copy and paste operations between the guest operating system and remote console
- Do not use nonpersistent disks
- Ensure unauthorized devices are not connected
- Prevent unauthorized removal or connection of devices
- Avoid Denial of Service (DoS) caused by virtual disk modification operations
- Specify the guest operating system correctly
- Verify proper file permissions for virtual machine files
ESX Service Console:
- Secure the SNMP configuration
- Protect against the root file system filling up
- Disable automatic mounting of USB devices
There are some general recommendations when using plug-ins and some specific ones when using Update Manager, Converter and Guided Consolidation. The guide recommends that the Update Manager and Converter plug-ins not be installed on the VirtualCenter server but should instead be installed on a separate server or virtual machine.
Also added is a section on client components. The guide recommends against the use of Linux-based clients when using the RCLI, VI Perl Toolkit scripts, VM console access initiated from a web access browser session and programs written using the VI SDK. The reason for this is that communications with Linux clients are vulnerable to man-in-the-middle attacks because the Linux versions of these components do not perform certificate validation. This risk can be partially mitigated by ensuring that the management interfaces (ESX Service Console and VirtualCenter) are on trusted, isolated networks.
The guide suggests that client components are to verify the VI Client integrity because of the VI Client extensibility framework that was introduced into VirtualCenter 2.5 which provides the ability to extend the VI Client. It also recommends that one monitor the usage of the VI Client instances by inspecting log files on client systems. Both of these tasks can be quite difficult to do because there are no native methods for doing this.
Finally a section was added for securing the host-level management in ESXi. Many of the recommendations for ESXi are the same ones that were made for ESX. Some unique recommendations for ESXi include ensuring secure access to CIM (the hardware management api’s). Also, admins may want to audit or disable the special technical support mode which is designed to be used in case of an emergency but is sometimes used by administrators to access specific functions in ESXi.
You can read the updated guide in its entirety here.
A virtualization package is ready for prime time when it has a full array of device connectivity between the host and the guest virtual machine (VM). Let’s take a quick look at USB device redirection in Sun xVM VirtualBox 1.6.2.
The USB device functionality has a nice feature that allows a selective mapping of USB devices from the host to the guest. This can be beneficial if you want a USB device (such as a license key) to be available only to the guest VM and not the host, or vice versa. Within the VM’s configuration, you have the option to specify all devices or specified devices to be connected to the guest VM through USB device filters in the properties of the guest VM. These changes must be made offline, and for Windows hosts the VirtualBox USB controller needs to be added with the native driver. Likewise, the USB root hub that arrives via plug-and-play needs to be installed with the driver on the guest VM (which is automatic when guest additions is installed.) The figure below shows a specific device being permitted to be passed to the VM:
The filter icons highlighted on the right side allow the VM to be presented with all USB devices, remove a filter and to add a filter that is based on user entered criteria or a selection among the currently installed devices. The filters are incredibly versatile as you could redirect certain devices by many factors to be available to the guest VM.
When a device is designated to go to the guest VM, it becomes unavailable to the host system. So there may be some practice issues to get used to losing a device when the VM is powered on. One note of caution is that the mouse and keyboard devices, if USB, are inherently made available to both the host and guest. However, if you add a device filter to add the USB mouse to the guest VM, the mouse would be only available to the guest VM.
Likewise, when the VM is powered off, the USB device will arrive back to the host and then be available for use. If snapshots are being used on the VM, the hardware inventory and specific configuration is managed in the snapshot, so USB filters will be deleted if you are reverting to a snapshot made before the filter was made.
Overall, this USB functionality is quite granular and a strong offering for desktop installation. More information on VirtualBox’s USB support can be found in the VirtualBox online user manual.
A general rule of thumb in virtual environments is to always treat virtual machines the same as you would physical servers. While this rule holds true in many cases, IT administrators should be aware of some exceptions to this rule. Let’s go over some reasons that you would not treat your virtual machines like physical servers:
- Patching – You should apply all the same operating system and application patches to a virtual machine as you would a physical server. However it is best to stagger your patch deployments so you do not patch and restart all of your virtual machines at the same time. If you did this concurrently you can cause excessive resource utilization on your host servers which could impact other virtual machines running on the host.
- Securing – Secure the virtual machine operating system as you would physical servers, in addition you should ensure that you have proper security setup on the host server’s management console that allows access to the VM as well as on the virtual machine files located on the host server’s disk system. It does no good to have tight security inside your VM and have weak security outside.
- System Monitoring – This is one area that can be very different for virtual servers. There is no need to monitor virtual machine hardware, if you have converted physical servers to virtual machines you should make sure you un-install any hardware management agents from them. In addition virtual machines boot much faster then physical servers. Because of this, many monitoring systems will not detect server re-boots because the boot process happens quicker then the monitoring interval. You may find that you need to adjust your polling interval for virtual servers so you can detect the faster re-boots.
- Performance Monitoring – Another area that is very different from physical servers. Traditional operating system performance reporting tools are often inaccurate when used on virtual machines because they are unaware of the virtualization layer and the underlying physical hardware. You should always use virtual server specific reporting tools to accurately measure performance on virtual machines.
- Anti-virus – Make sure you install anti-virus software on all your virtual machines the same as physical servers. Again one thing to be careful of is to stagger any on-demand scans and definition updates as to not overwhelm the host server. Having all your VMs running a full scan at the same time can completely bog down a host server.
- Backups – It’s OK to backup your virtual machines using traditional operating system backup agents. Always make sure you do not backup too many VMs on a single host at the same time. There are more efficient ways to perform backups in a virtual environment that you may look into to either complement or replace traditional backup methods.
- Disk defragging – You should periodically defrag virtual machine disks using traditional operating system tools for maximum performance. However be careful not to defrag a VM that has a snapshot running, doing this can cause the snapshots rapidly grow in size and degrade host performance. As usual do not defrag more then one VM on a host at a single time because of all the excessive disk activity that is causes.
Be careful not to do too many of the same operations concurrently. With physical servers, only a single server is effected, but in virtual environments many other servers running on a host server can be impacted.
So, earlier this week I wrote a blog about Clabby Analytics Analyst Joe Clabby’s report spelling out a handful of reasons why Microsoft’s Hyper-V is going to take the lead in the virtualization market away from VMware Inc. over the next five years.
I received a lot of feedback on this blog from people defending VMware, and thought, why not get some Hyper-V users to talk to me about the product – how it performs, its related management tools, features, etc. I asked Microsoft’s press team to send some users my way for interviews, and about a week later Microsoft’s “Rapid Response” team sent me a couple of links to case studies.
Thanks, but I would like to interview some users myself, outside of Microsoft filters. How about at least sending me the contact info for the users profiled in these case studies?
Microsoft’s response was, “Unfortunately regarding direct contact information for the Hyper-V case studies, we have no further information to share.”
This strikes me as odd because Microsoft’s competition, VMware and even smaller virtualization companies like Virtual Iron refer me to real users to interview about their products.
Does this mean that Microsoft doesn’t have the same level of product confidence as the competition? VMware has offered plenty of customer references, and while those users do complain about the acquisition cost of VMware’s software, I don’t think I’ve heard any serious gripes about the product itself.
So I am interested in hearing from Hyper-V users about its performance, because as users and analysts have said, Microsoft won’t sail past VMware on price alone.
The Sun xVM VirtualBox Guest Additions host and guest driver integration suite optimizes the guest experience in a way similar to the VMware Tools installation. The virtualization suite installs within the guest operating system with a small footprint on most of the supported platforms within VirtualBox. Let’s take a quick look at how the Guest Additions installation considerations on a Windows guest system within VirtualBox.
The Guest Additions installation is launched via the virtual machine (VM) console from the devices menu. During this task, one of the VM’s optical drives will be directed to use the Guest Additions .ISO image kept locally. The install is vary straightforward, and the native drivers are updated with the optimized drivers for the video, fixed disk, audio, optical drive and other system components. The networking drivers will likely remain unchanged after installing the Guest Additions package within the VM. Among the unique features of VirtualBox compared to other products is the option to choose among four device types presented to the VM. The Intel Pro and AMD PCnet device options will have different compatibilities with various guest operating systems. Check out last week’s SearchServerVirtualization blog entry about related networking topics on VirtualBox.
Once Guest Additions is installed, the experience is markedly improved on the guest VM. The easy way to see if it is running is to look in the Windows system tray as shown in the figure below:
Note that hovering over the tray icon also gives you the version running on the guest operating system. That is a nice feature if you are using VMs created in VirtualBox 1.6.0 or another mixed environment. If you want to retrieve the current version of Guest Additions in a scripted fashion, the following command would be run:
This command is located by default in the Program Files\Sun\xVM VirtualBox Guest Additions path. VirtualBox commands are generally the same across platforms, so the same command on a Linux host would retrieve the version running locally.
Guest Additions is available on Windows NT, 2000, Server 2003, Vista and XP. Windows Server 2008 functions correctly in my experience, though it is not explicitly listed as a supported platform in the VirtualBox documentation. It is also is available for Linux and Solaris platorms.
Guest Additions is included with the VirtualBox 1.6.2 product and is available for download from the Sun website.
Speculations are overflowing within the virtualization community following Diane Greene’s resignation from VMware. As a glass-half-full kind of guy, I’d like to offer my reasons why VMware may thrive in the next several years.
First and foremost, I feel that VMware’s technology has the potential to continue to be superior to the competition. While price is among the more important decision points, the superior product will hold its own in the marketplace despite the higher price. The standing example in this arena is enterprise databases. Oracle is a better database platform than Microsoft’s offerings, yet both hold good position in the market place. A certain amount of normalization of market share for VMware is to be expected as other hypervisors and management products enter the market, but more organizations have yet to enter the market as a customer.
Storage integration will continue to drive the richest virtualization platforms. The most underrated technology that VMware has ever produced is the virtual machine file system or VMFS. VMware’s implementation of this technology will improve over time, and the competition is not yet there in this space.
VMware will have a lower host hardware cost per VM for the same performance deliverables. While this is incredibly difficult to precisely quantify, my experience is that VMware can run more virtual machines than Hyper-V on the same hardware. Again, because price is among the most important decision points, this point may help VMware as hardware becomes more capable for virtualization technologies.
VMware can continue to innovate within the virtualization space. VMware has the virtualization expertise to provide new products into the market, and among the major players in the field they would be the most suited to innovate at this point.
It is a given that the other platforms will make gains in market share with the relative flood of products into the space. But considering VMware’s proven ability to innovate in this space, they have the chance to retain their lead and keep going in the correct direction. We will see!
Clabby Analytics analyst Joe Clabby is 100% convinced that Microsoft’s Hyper-V will take over VMware in market share over the next three to five years, and makes some strong points for this in his recent report, Six Reasons Why Microsoft’s Hyper-V will Overtake VMware to Become the Major Player in the x86 Server Virtualization Marketplace.
The report came out prior to the shake-up at VMware on July 8, when the company announced that its Board of Directors replaced VMware co-founder and CEO Diane Greene was being replaced, and then lowered its revenue forecast.
VMware had the vision to see the value of virtualization and took the technology to the top unchallenged due to strategy, innovation and sales execution, but that ride is about to come to an end, Clabby said.
“With the introduction of Hyper-V by Microsoft, VMware is about to experience some very serious competition from a vendor with deep pockets, with a massive worldwide marketing and sales organization, with major market penetration across Fortune 500 and small and medium business markets, and with extensive and complementary infrastructure and management product depth,” Clabby reported.
Among the reasons Clabby believes Microsoft will crush VMware are that Microsoft already has an expansive installed base, a mammoth network of direct sales and indirect business partners, and is offering lower prices alternatives to VMware’s hypervisor and related infrastructure/management software products.
Unfortunately, I have to agree. History tends to repeat itself, and this has been Microsoft’s strategy for a very long time: see a great technology, copy it, and outprice the rest of the market.
Vanity Fair‘s July issue had a great article that illustrates this, called “How the Web was Won” that looks at the eveolution of the Internet over the past 50 years, including details of how Microsoft took over Netscape Navigator by developing Internet Explorer.
The computer programmer known for founding Netscape Communications, Lou Montulli, told Vanity Fair, “From a scientific point of view none of us really respected Microsoft. There was definitely a sense of: They’ve put out of business three or four major companies, and they did it simply by copying what they did and outpricing or outmaneuvering them in the market. This is a general feeling of computer scientists everywhere, that Microsoft doesn’t tend to innovate as much and really just enters the market late, takes it over, and then stays at the top.”
Pricing aside, Microsoft already has a massive installed base.
“It will leverage this installed base, and price its products to out-function/undercut VMware’s pricing,” Clabby wrote. “The computing industry saw this same situation arise when Citrix built a leadership base for its terminal server products — only to have Microsoft enter the market and claim significant marketshare after Citrix pioneered the terminal server marke umbrella. Almost the exact same situation is about to happen again — this time between VMware and Microsoft.”
Microsoft also has a packaging advantage with its Hyper-V hypervisor, as it can be delivered with every single version of 64-bit Windows Server 2008, and installing Hyper-V is a cake walk, according to Clabby.
“A box simply needs to be checked during installation and Hyper-V becomes active. By not requiring IT buyers to find/acquire/download additional virtualization software, the job of deploying and testing virtualization within a Windows Server 2008 is greatly simplified. VMware cannot counter this packaging advantage,” Clabby wrote.
The most damning problem for VMware, according to Clabby, is product depth.
Though VMware has the advantage of technologies like VMotion, to move live VMs, and all of the handy add-on management and infrastructure software integrated into VMware, Clabby said Microsoft’s management and infrastructure is far deeper.
Microsoft’s Systems Center product portfolio inlcludes systems management tools like Configuration Manager; Operations Manager; Data Protection Manager; Virtual Machine Manager; System Center Essentials; Capacity Planner, and the list goes on, ad nauseum.
Besides all of those points, Microsoft is a $51 billion dollar software company and VMware’s revenue is just over $1 billion.
In short, given its deep pockets, large installed base and virtualization strategy, it is safe to say Microsoft will, once again, be laughing all the way to the bank.
Given that virtual environments for x86 servers are relatively new, most lack direct experience in performing major in-place upgrades. While there are many ways to approach a key upgrade to a virtual environment, we’ll take a look at one example of a server virtualization upgrade: VMware ESX 3.5 and VirtualCenter 2.5 to the Update 1 release of both products. This release resolved some major issues, putting the spotlight back on the new features of ESX 3.5, namely Storage VMotion.
Maintaining version control on a virtualization platform is in the best interest of ongoing administration. With VMware environments, this situation is illustrated by the sequential upgrade tasks with older versions of ESX and VirtualCenter. The first step in making a successful upgrade is to go through the release notes and scour the Internet for existing resources that can make this task less daunting. One particularly helpful resource is the RTFM Education ESX and VirtualCenter upgrade guide by Mike Laverick which goes through many scenarios with specific, step-by-step guides on almost every topic of the upgrade.
Having all of the resources in the world may still not be enough to ensure a smooth upgrade of the virtual environment. This is where a test environment for the upgrades can prove critical to a successful project. Provisioning an accurate test environment can become increasingly expensive, but can provide a beneficial test ground to ensure there are no surprises during the upgrade. Consider the test environment shown in the figure below:
This test environment is a smaller, yet representative environment of the larger environment in that it may have the same storage system, base drivers on the host systems yet simply providing a smaller workload. This environment can be an adequate test environment for all of the basic functions involved with an upgrade. As for provisioning the environment, there are some tricks available such as using the systems in an unlicensed or evaluation mode, reducing processor inventories or taking resources from the live environment if the loss can be sustained.
Planning and testing are the best defenses against an upgrade failure. Furthermore, because the scope of a virtual environment is so broad, the investment in testing and planning should be a no-brainer.
If you have not noticed, I have been on a Sun xVM VirtualBox kick recently. I think it is beneficial to virtualization administrators and managers to be familiar with at least two hypervisors — so why not learn more about xVM?
VirtualBox has a smooth interface for a version 1 release, but the one area that would require the most adjustment is the virtual networking. Let’s take a closer look at network functionality in VirtualBox.
Virtual networking on VirtualBox has a few key differences that VMware users would need to develop an understanding about before fully utilizing the potential of the product. The first difference is the concept of the virtual networking hardware. VirtualBox allows a virtual machine (VM) to have one of four network interface cards virtually assigned. These are the AMD PCNet PCI II, AMD PCNet FAST III, Intel Pro/1000 T and the Intel Pro/1000 MT. This array of virtual adapters allows a VM to have broad support for multiple operating systems, but the corresponding bridging functionality may make network administrators a little uneasy.
For Windows systems, VirtualBox uses a spanning tree algorithm from the native operating system bridging that may cause issues on systems with multiple interfaces in managed network environments. The bridged network functionality puts the VMs on the same physical network as the VirtualBox host system. In this fashion, a VM would be able to retrieve a DHCP network from the physical network and interact as if it were placed on the network parallel to the host. Windows XP and Server 2003 products’ bridging functionality is explained on the TechNet website.
Another key difference is that in order for a VM to use the bridged network is the addition of a bridging interface. Adding an interface is fairly straight forward with the use of the VBoxManage command. The following command would add a bridging interface named “VM-Bridge”:
VBoxManage createhostif "VM-Bridge"
Once this command is completed, the VM-Bridge interface is now present in the network connections inventory of the Windows control panel. Then a VM can be configured to use bridged networking with the newly created interface as shown in the figure below:
At this point, the VM-Bridge interface can transparently place the VM on the same network as the host when the Windows bridged connections are correctly configured. Note also that in the network configuration you can fully edit the MAC address of the VM. While exceptionally convenient, this can introduce risk for some environments and situations.
Now that we have gone through a quick look at VirtualBox’s implementation of bridging network connections for VMs, I would have to nudge the VMware products to be a little more seamless in the category of bridged networking. By having the VMware bridge protocol binding used instead of a separate series of adapters for the same purpose, VMware’s bridging fits better for most environments.
Make no mistake, the comprehensive VirtualBox networking implementation is fully competitive with VMware. There is much more to the VirtualBox networking implementation available for download in the online user guide in section 6.
Sun xVM VirtualBox for Windows offers the capability to import VMware-based VMDK files into a virtual machine (VM), making a migration or cross-platform deployment quite enticing. VirtualBox 1.6.2 does not yet support the Open Virtual Machine Format (OVF) implementation; however, native handling of the VMDK files will suffice for most situations. Let’s go through importing a VMDK file for use in VirtualBox.
The critical tool in VirtualBox is the Virtual Disk Manager (VDM) for disk access. For most of us with a VMware-centric background, this will be a new concept. The VDM is a single tool where all virtual disks are inventoried. This can span multiple locations as well as multiple disk types – such as floppy, CD-ROM, and hard drives. Further, for the hard drive inventory, it is ubiquitous as to whether the disk is a VMware VMDK file or a VirtualBox VDI file. The figure below shows the VDM with an inventory of both VMDK and VDI files:
When a VM is created (or when modifying and existing VM), the drive inventory can be specified to create a new virtual disk or use a disk that is listed in the VDM inventory. By managing the virtual disks within the VDM, the VMs can pull directly from this inventory based on your configuration. The VDM can provide disks of all types from remote locations, such as a UNC path or a mapped drive.
There are a few important notes on the use of VMDK files within VirtualBox. First is that the snapshot functionality is not yet supported for VMDK files within VirtualBox. Second, if you intend to boot from the VMDK file, the VM may need boot device modifications. And lastly, the VMDK is modified when used by VirtualBox, so if you go back to using it with a VMware product, depending on what you have done to it – it may not be accessible. For non-boot drives, this should be a transparent exchange.
More information on the use of VMDK files within VirtualBox can be found in the online user guide for VirtualBox in section 5.4.