October 1, 2007 8:47 AM
Posted by: Joe Foran
Virtualization strategies
The need to hire qualified staff to design, implement and manage virtualized environments is growing, and that means hiring managers are having to shift focus towards this disruptive technology and be ready with good interview questions for their prospective hires.
1. Do you have experience in (VMware/Xen/Virtual Iron/Virtuozzo) implementations?
This is the no-brainer question, and the lead-in to the others. If the prospective hire’s answer is no, stop right here, do not proceed past go, do not collect $200. Even a certified candidate may not have any experience, and an inexperienced candidate isn’t one you want for the job, since you probably have staff who would like to learn on the job or be trained, and already have the internal processes and procedure knowledge to edge out the competition from outside.
2. When implementing a virtualization environment, what do you consider the most important feature of the product to ensure overall success of the implementation?
This question is good for sorting out who sees the strategic value of virtualization and who is focussed on the technical aspects. A good answer will cover either failover functions or the ability to reduce costs, and relate how they will benefit the business in technical terms. Neither a techie nor a managerial answer is right or wrong; rather, each will help you sort the crowd of interviewees into the categories you are looking for.
3. When you were at WidgetMakers, Inc. you list in your resume that you used VirtualBlahBlahBlah to aid your company in meeting the goal of DoingThisOrThat. Can you share with me what challenges you experienced and how you overcame them?
This is a typical interview question surrounding any product, and it needs to be asked for any product you are hiring somebody to work with.
4. How deep is your understanding of storage systems, and can you share an example of how you used this knowledge in a virtualized environment at WidgetMakers, Inc.?
5. How deep is your understanding of network switching, and can you tell me how you would use virtual switches in a broad virtualization implementation?
Cross-disciplinary skills are crucial for virtualization, particularly around storage. Many larger companies have storage administration teams, server administration teams, and network administration teams. Being able to work with these groups doesn’t mean that the candidate can work with the technology, and it’s important that, if the position is technical, they can do both.
6. Tell me about how you would configure a virtual environment to best take advantage of its features in a backup and disaster recovery framework?
Being able to understand how to use DR-friendly features like VMware’s VMotion and backup-friendly features like snapshots can make all the difference in candidate selection. It’s important for a candidate to know how to keep the business running, even if they don’t know the business itself yet.
7. Tell me about VirtualizationProductFeature, and what you think makes it valuable or not valuable.
This gets into the technical understanding of the product, a crucial point in both technical and managerial interviews. If a technical candidate blows this one, they need to go home. If a managerial candidate doesn’t provide a business-oriented answer, they need to go home or consider a technical position.
8. BadThing happens. Tell me how you would troubleshoot the situation and get it resolved.
A typical technical question, and one that should always be asked of both technical and managerial candidates. Managerial candidates may get some leeway in technical minutiae, but absolutely must speak about their role as the manager and how they would deal with their technical staff to get the problem resolved. This is also a rinse-and-repeat question that should be asked a couple of times, using different BadThings.
There are also consultant-specific questions to ask, if that’s what you’re looking for. Things like:
1. How many VCPs do you have on your staff?
Until the other companies start with their own certs, the VCP is where the game is at.
2. How many virtualization projects has your company undertaken in the last year?
The default no-brainer.
3. Do you eat your own dog food? By that I mean does your company use the product internally as well as support it?
Also a no-brainer.
4. What was your company’s most spectacular failure?
Everyone is going to tell you about their company’s great success. Make them squirm a bit and tell you about how they failed, then ask:
5. What did you do to correct the situation?
This will tell you what kind of consulting firm you are dealing with. If they can be upfront with these two questions, if the failure wasn’t a show-stopper for your environment, and if they dealt with it right, they get high kudos.
Obviously there are many, many more questions to be asked of potential staff, managers, and consultants, so many that I’d like to encourage people to comment about questions you like to ask, would like to be asked, or think would be important – I’m looking forward to some audience participation!
September 28, 2007 11:17 AM
Posted by: Bridget Botelho
Virtual machine, Virtualization security
Following the launch of the article “VMware dispels virtualization myths (sort of),” VMware emailed me to correct some issues about virtual machine security.
According to VMware, an “incorrect statement” was made by Burton Group Analyst Chris Wolf, who, like all of the engineers at VMware he’d spoken with, thought it to be correct.
In the article, Wolf said, “one significant issue with virtual machine security is with virtual switch isolation. The current all-or-nothing approach to making a virtual switch ‘promiscuous’ in order to connect it to an IDS/IPS is not favorable to security.”
For example, “if you connect an IDS appliance to a virtual switch in promiscuous mode,” Wolf said, “not only can the IDS capture all of the traffic traversing the switch, but every other VM on the same virtual switch in promiscuous mode could capture each other’s traffic as well.”
This statement ruffled some feathers at VMware, and they quickly emailed me and Burton to “educate us” and the VMware community that, in fact, VMware allows (and encourages) users to configure as promiscuous only the ports that need to be. This is not a per vswitch setting, but rather a per portgroup setting. The way to configure a vswitch for IDS/IPS is to create a separate portgroup from those used for normal VMs and configure it for “Promiscuous Allowed,” a VMware spokesperson said.
After testing this out in his own lab, Wolf said it is really an easy solution, because the architecture is already there.
“At the switch level, promiscuous mode is an all or nothing configuration. VMware doesn’t argue this. However, a way around this issue is by configuring a separate port group on a virtual switch just for the IDS and making the port group promiscuous. That allows the IDS to monitor the vswitch traffic and still keep all other traffic isolated,” Wolf learned from VMware.
“So, with the port group feature it isn’t all or nothing, it can be granular,” Wolf said. That said, “VMware’s own team wasn’t even aware of this,” therefore it’s unlikely many VMware administrators are either, he said.
So the record stands corrected. “The option of making a virtual switch ‘promiscuous’ in order to connect it to an IDS/IPS is not favorable to security and should never be used,” Wolf said. “Instead, administrators should create a dedicated port group on the switch for the IDS and only make the IDS port group promiscuous. This would allow the IDS to monitor all unicast traffic on the switch while preventing all other VMs on the virtual switch from seeing each other’s unicast traffic.”
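A configuration audit for the setup described above, as an added example that is not from the article or from VMware. It models a standard vSwitch whose port groups inherit the switch's promiscuous setting unless they override it, and flags every place other than an approved sensor port group where promiscuous mode ends up enabled. The inventory, the port group and VM names, and the allow-list are constructed for illustration.

```python
# Constructed inventory (not from the article): one standard vSwitch with
# three port groups. "promiscuous" is None when a port group inherits the
# vSwitch setting, True/False when it overrides it.
INVENTORY = {
    "vSwitch1": {
        "promiscuous": False,
        "portgroups": {
            "Production": {"promiscuous": None, "vms": ["web01", "db01"]},
            "IDS-Monitor": {"promiscuous": True, "vms": ["ids01"]},
            "Test": {"promiscuous": True, "vms": ["dev01"]},
        },
    },
}

# Hypothetical allow-list: port groups approved to carry an IDS/IPS sensor.
APPROVED_SENSOR_PORTGROUPS = {("vSwitch1", "IDS-Monitor")}


def effective_promiscuous(vswitch, pg_name):
    """Port group override wins; otherwise the vSwitch value is inherited."""
    override = vswitch["portgroups"][pg_name]["promiscuous"]
    return vswitch["promiscuous"] if override is None else override


def audit(inventory, approved):
    """Return sorted (severity, vswitch, portgroup, vms) findings."""
    findings = []
    for sw_name, sw in inventory.items():
        if sw["promiscuous"]:
            # Switch-level setting: every inheriting port group is exposed.
            findings.append(("HIGH", sw_name, "*", []))
        for pg_name, pg in sw["portgroups"].items():
            if not effective_promiscuous(sw, pg_name):
                continue
            if (sw_name, pg_name) in approved:
                continue  # the dedicated IDS port group is expected
            findings.append(("MEDIUM", sw_name, pg_name, sorted(pg["vms"])))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(INVENTORY, APPROVED_SENSOR_PORTGROUPS):
        print(finding)
```

With the constructed inventory, only the `Test` port group is reported; turning promiscuous mode on at the switch level additionally exposes `Production`, which inherits the setting.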