That’s my View and I’m sticking to it

Minimizing the clicks & Better Performance

As some of you may know, I’m a user (and fan) of virtual desktops. I’ve been using a VMware View-based virtual desktop now at EMC for about 2+ years. This works well for me because I use my personal MacBook rather than a company issued laptop. I like to keep that separation between what’s mine and what’s EMC’s. I do all my “EMC” work on the virtual desktop. Email, timecard, etc…

So, when new VMware View clients came out, I jumped over to see what’s new. I’m happy to report that a couple of things caught my eye.

URI Support

The first is the new URI support for the VMware View client. You can now launch the VMware View client from your browser, passing certain characteristics to the client. The URI scheme is vmware-view://. That was interesting to me as I wanted the ability to launch a URL with the vmware-view URI for specific use cases. Primarily, I wanted to launch the View client with different sizes: one that fits well on my MacBook Air screen and another for when I’m using an external monitor. I looked into the documentation and found this was trivial to set up.

vmware-view://mike@my.view.server.com/MikeF%20Desktop?desktopProtocol=PCoIP&desktopLayout=1280x854

Obviously, I’ve changed the username, server name and desktop name in the above URL. But, as you can see, I can specify the protocol (PCoIP or RDP) and the size of the screen, in this case 1280×854. According to the docs and a blog article by Kristina De Nike at VMware, you can change all sorts of things. Here’s a list from the blog.

  • View Connection Server address
  • Port number for View Connection Server
  • Active Directory user name
  • Radius or RSA SecurID user name
  • Domain name
  • Desktop display name
  • Window size
  • Desktop actions including reset, log off and roll back
  • Display protocol
  • Options for redirecting USB devices

How do I get this so I can just click on a desktop icon, add my password and go? By creating a .URL file using a text editor. This .URL file is understood by both PC and Mac browsers and will do the right thing. Here’s the format:

[sourcecode language="text" padlinenumbers="true"]
[InternetShortcut]
URL=vmware-view://mike@my.view.server.com/MikeF%20Desktop?desktopProtocol=PCoIP&desktopLayout=1280x854
[/sourcecode]

Copy that into your text editor and save it as a .URL file on your Windows or Mac desktop.
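As an added example (not code from the original post or from VMware), here is a small Python helper that builds the vmware-view:// URI described above, validates the desktopProtocol and desktopLayout values, writes the .URL shortcut text, and refuses a layout whose “x” has been turned into the “×” character that blog editors and word processors like to substitute. The user, server and desktop names are constructed placeholders, and no password is ever placed in the URI; the client still prompts for SecurID and Active Directory credentials.

```python
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

ALLOWED_PROTOCOLS = {"PCoIP", "RDP"}
# desktopLayout must use an ASCII 'x'; editors often swap in '×' (U+00D7),
# which the View client does not understand.
LAYOUT_RE = re.compile(r"^\d{3,4}x\d{3,4}$")


def build_view_uri(user, server, desktop, protocol="PCoIP", layout=None):
    """Build a vmware-view:// URI. Credentials are deliberately not embedded;
    the client still prompts for SecurID and/or Active Directory passwords."""
    if protocol not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unsupported desktopProtocol: {protocol!r}")
    if layout is not None and not LAYOUT_RE.match(layout):
        raise ValueError(f"desktopLayout must look like 1280x854, got {layout!r}")
    query = f"desktopProtocol={protocol}"
    if layout:
        query += f"&desktopLayout={layout}"
    # Desktop display names may contain spaces, so percent-encode the path.
    return f"vmware-view://{user}@{server}/{quote(desktop, safe='')}?{query}"


def parse_view_uri(uri):
    """Split a vmware-view:// URI into its parts and validate the layout,
    useful for checking a hand-written .URL file before using it."""
    parts = urlsplit(uri)
    if parts.scheme != "vmware-view" or not parts.hostname:
        raise ValueError("not a vmware-view:// URI with a server")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "desktopLayout" in query and not LAYOUT_RE.match(query["desktopLayout"]):
        raise ValueError(f"bad desktopLayout {query['desktopLayout']!r}")
    return {"user": parts.username, "server": parts.hostname,
            "desktop": unquote(parts.path.lstrip("/")), **query}


def internet_shortcut(uri):
    """Text of the .URL file from the post (INI-style, CRLF line endings)."""
    parse_view_uri(uri)  # refuse to write a shortcut we cannot parse
    return f"[InternetShortcut]\r\nURL={uri}\r\n"
```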

How does this work with things like SecurID? <shameless plug for my employer> It works just fine. When I’m at home and I double-click the icon, I’m prompted for my SecurID credentials and then my Active Directory credentials. When I’m in the office on the corporate LAN, I’m just prompted for my Active Directory credentials. Someday, I would LOVE it if 1Password could fill in the login info, but…

Performance

This now leads me to the second thing I found out with the new VMware View clients. I was originally going to have two .URL files on the desktop: one for RDP and one for PCoIP. The reason is that I use a USB 2.0 to DVI DisplayLink adapter from Monoprice.

As you can imagine, it doesn’t really have a lot of horsepower for graphics. Earlier VMware View clients for the Mac running PCoIP would choke horribly on this device. I used RDP for the past year when I wanted my virtual desktop on the monitor connected to the USB/DVI adapter. But lo and behold, I started up the new View client using PCoIP on the 2nd monitor and it works beautifully! I don’t know what VMware changed, but I sure am glad it’s working. I can now resize at will and as I write this, I have a View session going at 1440×1024 with great performance!

So, to wrap up, the new VMware View clients make it easier to launch the client just the way you like it, and if you’re using DisplayLink devices like the Monoprice adapter and the DisplayLink 1.8 drivers, you’ll get decent performance to boot.

I hope this was helpful. Please share your comments!

thanks,

mike

Software Defined Security

Got you with that title, huh? :)

Every couple of weeks, I join a number of other folks in the security business on Edward “Texiwill” Haletky’s Virtualization Security Podcast. Today’s episode, Sept 6th 2012, was a bit of a round-up of VMworld 2012 with a pretty good discussion on Big Data and Software Defined X, where X could be Datacenter, Network or Security.

Near the end of the podcast we were talking about what Software Defined Security would actually be. I chimed in with my thoughts. No surprise if you follow this blog, but for me it started with infrastructure.

SDx

First, for the purposes of this blog post, let me share my definition of Software Defined X. SDx is where everything (and I mean EVERYTHING) is programmatically accessible. Basically, everything is available and manipulated via APIs.

At VMworld, VMware talked about “Software Defined Security” as vShield/vCNS (vCloud Networking and Security). Allwyn Sequeira from VMware had a great presentation on this here. They are doing an excellent job around the network portion of what one could call Software Defined Security and I’m sure they’ll knock it out of the park moving forward. But, as usual, I want more. Let me explain.

Here’s what I’d like to see from VMware

Today, the objects in vCenter (VM’s, network, storage, etc.) can be controlled using the RBAC capabilities of vCenter. But I think it’s time to start thinking about more. What I’d like is an enabling technology: one that enables a new and better way of managing, securing and reporting on objects in vCenter. I’d like to see the ability to add digitally signed metadata to an object such as a VM, network or storage. Because it is signed, it provides verification that it hasn’t been tampered with. This should work hand in hand with a root of trust that starts from the hardware on up.

Why digitally sign? Why not just put stuff in the .VMX file? Because any admin with enough privileges can manipulate that data. Signing the metadata would mean that the metadata is invalidated (or at least detectably changed) if, for example, the VM is copied. All this has to happen at the hypervisor and control plane (vCenter) level.

For VMware vSphere 5.1, VMware has added Tagging, which, while useful, isn’t signed so it can’t be fully trusted. It’s a handy thing for IT guys but not good enough for security.

So, if we could digitally sign information it means we can now start to do interesting things like apply and enforce policy, generate reports and orchestrate actions. Here’s an example of what I’m thinking of.

  1. Create new VM
     1. VM meta-data added. I create a digitally signed tag of “PCI” using a “PCI” key.
     2. VM is also digitally signed to only run in a specific cluster
  2. Upon creation, I choose to try and put the VM on a non-PCI network.
     1. The policy enforcement engine says only non-PCI VM’s are allowed on the non-PCI network and blocks that action.
     2. And sends a log to my SIEM and into my GRC solution!
  3. Ok, I change the network to be PCI and the VM is ready to be powered up.
  4. A disgruntled admin logs in but he doesn’t have PCI rights so he can’t change the VM. He also can’t copy the VM.
  5. And because I’ve created a policy that PCI VM’s can only be managed via a VMware Orchestrator workflow that’s been signed with the PCI key, even *I* can’t delete the VM without going thru an approved PCI workflow in Orchestrator.

As you can see, this type of ability would go a long way to managing LOTS of VM’s that fall under different regulatory compliance umbrellas. Working in concert with logging solutions and GRC solutions, you can be assured that only the right people are touching the right things and that workflows can be enforced at the infrastructure layer, ensuring compliance. Also, because everything is programmatically addressable, it becomes VERY easy to measure and report on all those actions and workflows, sending that information into a Governance, Risk and Compliance solution.
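To make the scenario above concrete, here is an added toy example (not VMware code and not part of the original post) of signed VM metadata plus the policy enforcement engine the steps describe. It uses HMAC-SHA256 as a stand-in for the “PCI key” signature, so that a copied VM (new UUID), an edited tag, or a tag produced without the key all fail verification, and every decision is appended to a list that stands in for the SIEM/GRC feed. The key, VM UUIDs, network and cluster names are all constructed placeholders; a real design would use an asymmetric key anchored in the hardware root of trust rather than a shared secret.

```python
import hashlib
import hmac
import json

# Constructed placeholder; the real "PCI key" would be an asymmetric key held
# in a hardware-backed root of trust, not a secret shared with the checker.
PCI_KEY = b"constructed-pci-key-placeholder"


def _payload(vm_uuid, tags):
    # Canonical bytes so signer and verifier hash exactly the same thing.
    return json.dumps({"vm": vm_uuid, "tags": tags}, sort_keys=True).encode()


def sign_tags(vm_uuid, tags, key):
    """Bind tags to a VM's identity. Because the MAC covers the UUID, a copied
    VM (new UUID) or an edited tag no longer verifies."""
    sig = hmac.new(key, _payload(vm_uuid, tags), hashlib.sha256).hexdigest()
    return {"vm": vm_uuid, "tags": tags, "sig": sig}


def verify_tags(meta, key):
    expected = hmac.new(key, _payload(meta["vm"], meta["tags"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, meta["sig"])


def place_vm(meta, network, cluster, key, siem_log):
    """Policy enforcement engine for the post's scenario: a PCI-tagged VM may
    only land on a PCI network and in the cluster it was signed for.
    Every decision is appended to siem_log (stand-in for the SIEM/GRC feed)."""
    vm = meta["vm"]
    if not verify_tags(meta, key):
        siem_log.append(f"DENY vm={vm} reason=invalid-signature")
        return False
    tags = meta["tags"]
    if "PCI" in tags.get("labels", []) and not network.startswith("PCI-"):
        siem_log.append(f"DENY vm={vm} network={network} reason=pci-vm-on-non-pci-network")
        return False
    if tags.get("cluster") != cluster:
        siem_log.append(f"DENY vm={vm} cluster={cluster} reason=wrong-cluster")
        return False
    siem_log.append(f"ALLOW vm={vm} network={network} cluster={cluster}")
    return True
```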

So what’s the downside?

The big downside is that you really, really need to architect the security of the control plane. With it all being in software, you need to be even more paranoid…er…diligent about securing all the logins, network, etc that these API’s will be running over. For example, you may want to run all the control plane parts in a separate, non-routable network to minimize exposure to the bad guys.

I want to hear from you!

I’d love to hear your thoughts on this line of thinking. As you can tell from the podcast, I got a number of the other participants to agree. What I’d really like to see is someone picking this apart. It’s how we’ll all learn. This blog entry is by no means complete. More of a stream of consciousness like most of my blog posts.

Disclaimer

This blog was written with NO advanced information from VMware, purely from my brain. VMware, if you are doing something like this then I can’t wait to see it! :)

Thanks,

mike

Checkbox Security

Is security something that you feel you HAVE to do? Are you doing the bare minimum required by your auditor? Are you “Checking the box”?

In my role as Virtualization Evangelist, I seem to talk to mostly IT people. I endeavor to educate them on using VMware infrastructure as a layer (or multiple layers) of defense in depth. I spend a LOT of time trying to connect the dots between security and IT. I keep running into the same issues over and over. The attitude of “I’ve got a firewall and AV so I’m ok” is pervasive.

Newsflash: You’re not OK. Just ask your security guy.

There are a lot of really nasty people out there who are trying hard to get at your stuff. Firewalls are porous and AV, well, it’s not going to help you with a zero day attack. I’m not knocking firewalls and AV. They most definitely have their place as part of the “Defense in Depth” story. Just pointing out that they can’t be your ONLY solution.

Checking the Box

Sure, you can implement all the stuff that you HAVE to to check the box. You may even get the thumbs up from your auditor that you’re “Compliant”! But are you SECURE? Are you protecting the assets of the business or just covering the assets? (Read into that what you will :))

What’s needed is a sea change in approaching security. Using every asset at your disposal is critical. With the changes coming in VMware vSphere V5.1, you’ll now have more security tools at your disposal. For example, all editions of vSphere V5.1 include vShield Zones and Endpoint, giving you the ability to manage your firewalls at the vNIC level and providing increased isolation between VM’s. This is a great first step in being able to use firewalls and AV at scale.

Also, and here I go again, you need to leverage automation. Measurement of critical assets and those measurements feeding into a GRC solution like RSA Archer can help you wrap a workflow around things that need to be fixed and track if/when they do get fixed. It’s critical that the IT organization work with security by providing them the data they need to provide better security with minimal impact to the business.

What I present to customers

As I call out in my recent presentation, “Understanding the Measured Risks of Cloud Security”, the attitude of securing with just a firewall isn’t good enough. Also read the blog post “The Palace of Harmonious Virtualization”.

I want to hear from you!

What I’d love to hear from is customers that ARE using the virtual infrastructure to provide new ways of securing their environments. Reply here or send me an email. I’d love to showcase some of your thoughts as well.

Thanks,
mike