
Baby, what time is it? The importance of time with VMware SSO

For the past week or so, in my copious spare time, I’ve been re-building my vLab at work. It’s a cobbled-together menagerie of hardware that makes me wish I had a healthier budget so I could spend more time on learning and less on reconfiguring, scrounging and breaking out the baling wire and chewing gum. Dealing with old hardware is distracting and takes your mind off the things that are critical for success. This happened to me. I know plenty of friends in the vCommunity who have also dealt with this. (I hear your heads nodding)

One of the things I’m playing with in the lab is configuring VMware vCloud Director 5.1 with vCenter 5.1’s SSO functionality. I’m finding that this is one of those times when you really should RTFM and plan ahead more. But that’s OK; I like diving in without docs because then I get to learn more by breaking things, and then I have something to share.

Single Sign On

In vSphere 5.1 there is a new feature called Single Sign On. With the new vCenter client now being web based, SSO allows VMware to leverage industry standards like SAML so that an admin can log in once to vCenter and be automatically signed on to other resources like vShield Manager and vCloud Director. There’s a great overview of VMware SSO from Justin King here. You can read more about troubleshooting SSO here.

Not Kirk’s Federation

With vCenter and the SSO components up and running, I installed the vCloud virtual appliance OVA and proceeded to set up federation between vCenter and vCloud. You can read more about federation in the Wikipedia article, but in a nutshell, it’s a way of linking identities. So mike@foo.com and mike@bar.com can be linked. A trust relationship is set up so that if I log in from foo.com and hit a web page that needs my bar.com identity, I get logged in using my bar.com account without having to provide the credentials.

Back to my lab: when I tried to do this, I ran into some trouble. I kept getting the following error.

[Image: error screenshot, 11-7-12 at 4:05 PM]

Long story short, I had screwed up. I hadn’t been as diligent as I should have been with setting up my systems. The distractions I mentioned earlier had come back to bite me. Having recently added a couple of disk-less ESXi servers, I didn’t finish configuring them. I hadn’t been leveraging NTP as much as I should. What I now had was a number of systems trying to talk to each other but not agreeing on the time. And with SAML, time is critical. You are issued a token, and part of that token is a timestamp. If vCloud thinks it is 9pm and vCenter thinks it is 8pm, a token with a short lifetime will come back as already expired. That is just what happened to me.
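To make the timestamp problem concrete, here is an added example (my own illustration, not code from the post or from VMware): a toy model of a SAML-style validity window, where the issuer stamps NotBefore/NotOnOrAfter from its clock and the relying party checks them against its own. The token layout, the five-minute lifetime and the `skew_seconds` tolerance are assumptions for the demonstration.

```python
"""Toy model of SAML <Conditions> checking under clock skew (constructed example)."""
from datetime import datetime, timedelta, timezone

# Constructed: the issuer (think vCenter SSO) believes it is 8pm UTC when it issues the token.
ISSUED_AT = datetime(2012, 11, 7, 20, 0, tzinfo=timezone.utc)
LIFETIME = timedelta(minutes=5)  # assumed short token lifetime


def issue_token(issuer_clock, subject, lifetime=LIFETIME):
    """Issuer side: the validity window is taken entirely from the issuer's clock."""
    return {
        "subject": subject,
        "not_before": issuer_clock,
        "not_on_or_after": issuer_clock + lifetime,
    }


def check_conditions(token, verifier_clock, skew=timedelta(0)):
    """Relying-party side (think vCloud Director): compare the window against
    the verifier's own clock, allowing `skew` either way. Returns (ok, reason)."""
    if verifier_clock + skew < token["not_before"]:
        return False, "not yet valid: verifier clock is behind the issuer"
    if verifier_clock - skew >= token["not_on_or_after"]:
        return False, "expired: verifier clock is ahead of the issuer, or token too old"
    return True, "ok"


def sso_attempt(verifier_offset_seconds, skew_seconds=0):
    """Issue a token at ISSUED_AT and validate it immediately on a relying party
    whose clock is off by `verifier_offset_seconds` (network delay ignored)."""
    token = issue_token(ISSUED_AT, "mike@foo.com")
    verifier_clock = ISSUED_AT + timedelta(seconds=verifier_offset_seconds)
    return check_conditions(token, verifier_clock, timedelta(seconds=skew_seconds))


if __name__ == "__main__":
    cases = [
        ("clocks agree (1 s off)", 1),
        ("vCloud thinks it is 9pm", 3600),
        ("vCloud thinks it is 7pm", -3600),
        ("30 s of drift", 30),
    ]
    for label, offset in cases:
        ok, reason = sso_attempt(offset, skew_seconds=180)
        print(f"{label:26} -> {'accepted' if ok else 'rejected'} ({reason})")
```

Even a generous three-minute skew allowance does not rescue an hour-off clock, which is why the fix is NTP everywhere rather than a bigger tolerance.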

The Time/Space Continuum is restored

I fixed the problem by setting all the ESXi servers to pull from an NTP server. In addition, I also set up my vCenter, SQL server and domain controller to pull from NTP. Just like DNS has become a critical infrastructure component that just needs to be there, NTP has now jumped to the “required” list. Valid, consistent timestamps across your datacenter are needed for the operation of your infrastructure. They are also critical for security in things like authentication and log analysis, especially when you are trying to correlate lots of information!

NTP is critical to other vCloud operations as well. My friend Chris Colotti called this out in this blog article.

If you haven’t set up your datacenter with NTP, now’s the time. Oh, and DNS too. It’s time to ditch the hosts files. (Yes, there are still plenty of people using them!!) Going forward, more and more of your datacenter is going to rely on these key components. Ensuring that you use them consistently will help a LOT in troubleshooting large and complex installations.

Thanks for reading!

mike

Would you pay for the TruCoat?

“I’m saying, that TruCoat, you don’t get it you get oxidation problems it’ll cost you a heck of a lot more than $500…”

For those of you playing along, you probably remember this line from the movie “Fargo”. William H. Macy, playing car salesman Jerry Lundgaard, is arguing with a couple about tacking on an unwanted option called “TruCoat” for $500. It’s one of those things that car dealers use to increase their margins. Watch the video here but be warned, there’s a part at the end that’s NSFW.

[Video: Jerry Lundgaard selling the TruCoat]

So what’s all this got to do with virtualization and cloud security?

Well, in my talks with customers and cloud service providers, the topic of tiered offerings always comes up. You know, the “Gold, Silver & Bronze”. I’ve asked Cloud Service Providers about including security in those tiers and have been met with “Well, maybe, but it would have to recoup the investment.” (It IS all about the Benjamins, isn’t it?)

That got me thinking about TruCoat: a product that Jerry Lundgaard is selling not because it adds value but because it’s got a GREAT profit margin. Not unlike doing the least amount of “security” (Checkbox Security) and charging the most for it. Not really bringing value, but charging like you do. I’m not accusing anyone of doing that, but I wonder if maybe some less-than-reputable vendors (Joey’s Transmission and Cloud?) would head in that direction?

You see, this goes back to security being bolted on vs. built in. If, in the Gold tier, you add in network packet monitoring and two-factor authentication, you as the cloud service provider are making a significant investment. You need to get that investment back and start to make a profit. How do you explain the TRUE value of the service you offer? Or, like Joey, do you just upsell a little anti-virus and firewalling that you’d do anyway because, at scale, it’s not a big hit on the bottom line? Just like the TruCoat.

Clarification: AV and Firewalls are absolutely part of a good defense in depth story. But they are now, especially with the capabilities of vShield, a “commodity” item that is easy to set up and doesn’t impact the bottom line like other security products would.

Buying Value

Customers will pay money for something of value. I haven’t met many people who buy junk intentionally, after all! That said, trying to meld security and value together in a cloud environment will be an interesting journey. Today I think it’s a bit of a chicken-and-egg problem. Many customers SAY they want secure clouds, but how many are willing to pay for it? Cloud Service Providers would like to offer security but, let’s face it, it’s not cheap and, as I said, how many are willing to pay for it?

What are your thoughts? Will customers start to demand things like GRC, packet inspection, two-factor authentication? Or will firewalls and anti-virus “check the box” for them?

For some, the response will be “Ya! You betcha!”