Category: VMware

Baby, what time is it? The importance of time with VMware SSO

For the past week or so, in my copious spare time, I’ve been re-building my vLab at work. It’s a cobbled together menagerie of hardware that makes me wish I had a healthier budget so I could spend more time on learning and less on reconfiguring, scrounging and breaking out the baling wire and chewing gum. Dealing with old hardware is distracting and takes your mind off the things that are critical for success. This happened to me. I know plenty of friends in the vCommunity that have also dealt with this. (I hear your heads nodding)

One of the things I’m playing with in the lab is configuring VMware vCloud Director 5.1 with vCenter 5.1’s SSO functionality. I’m finding that this is one of those times when you really should RTFM and plan ahead more. But that’s ok, I like diving in without docs because then I get to learn more by breaking things, and then I have something to share.

Single Sign On

In vSphere 5.1 there is a new feature called Single Sign On. With the new vCenter client now being web based, SSO allows VMware to leverage industry standards like SAML so that an admin can log in once to vCenter and be automatically signed on to other resources like vShield Manager and vCloud Director. There’s a great overview of VMware SSO from Justin King here. You can read more about troubleshooting SSO here.

Not Kirk’s Federation

With vCenter and the SSO components up and running I installed the vCloud virtual appliance OVA and proceeded to set up federation between vCenter and vCloud. You can read more about federation in the Wikipedia article, but in a nutshell, it’s a way of linking identities. So, mike@foo.com and mike@bar.com can be linked. A trust relationship is set up so that if I log in from foo.com and hit a web page that needs my bar.com identity I get logged in using my bar.com account without having to provide the credentials.

Back to my lab, when I tried to do this, I ran into some trouble. I kept getting the following error.

[Screenshot of the federation error, 11-7-12 at 4.05 PM]
Long story short, I had screwed up. I hadn’t been as diligent as I should have been with setting up my systems. The distractions I mentioned earlier had come back to bite me. Having recently added a couple of disk-less ESXi servers, I didn’t finish configuring them. I hadn’t been leveraging NTP as much as I should. What I now had was a number of systems trying to talk to each other but not agreeing on the time. And with SAML, time is critical. You are issued a token and part of that token is a timestamp (a validity window with a start and an end). If vCloud thinks it is 9pm and vCenter thinks it is 8pm, a token with a short lifetime will come back as already expired. Just what happened to me.
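To make the failure concrete, here is a small added example (mine, not code from the post or from VMware) that builds a minimal SAML 2.0 Conditions element with a NotBefore/NotOnOrAfter window and validates it against the consuming system’s clock. The issuer clock, consumer clock, 30 minute lifetime and 3 minute skew tolerance are all constructed values for the illustration; they are not vCenter SSO’s actual settings.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_TIME = "%Y-%m-%dT%H:%M:%SZ"   # SAML timestamps are UTC, "Z" suffixed


def build_conditions(issued_at, lifetime):
    """Render a <saml:Conditions> element the way an issuer (vCenter SSO in the
    post) would: the window opens at the issuer's clock and closes `lifetime`
    later. Constructed for this example; a real assertion carries much more."""
    not_before = issued_at.strftime(SAML_TIME)
    not_on_or_after = (issued_at + lifetime).strftime(SAML_TIME)
    return (f'<saml:Conditions xmlns:saml="{SAML_NS}" '
            f'NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>')


def check_conditions(xml_text, now, skew=timedelta(minutes=3)):
    """Validate the window against the consumer's clock `now` (vCloud in the
    post). `skew` is the tolerance the consumer allows for clock drift.
    Returns (ok, reason) so the caller can log why a token was rejected."""
    root = ET.fromstring(xml_text)
    parse = lambda s: datetime.strptime(s, SAML_TIME).replace(tzinfo=timezone.utc)
    not_before = parse(root.attrib["NotBefore"])
    not_on_or_after = parse(root.attrib["NotOnOrAfter"])
    if now + skew < not_before:
        return False, (f"not yet valid: NotBefore={not_before.isoformat()} "
                       f"consumer_now={now.isoformat()}")
    if now - skew >= not_on_or_after:
        return False, (f"expired: NotOnOrAfter={not_on_or_after.isoformat()} "
                       f"consumer_now={now.isoformat()}")
    return True, "within validity window"


LIFETIME = timedelta(minutes=30)
ISSUER_CLOCK = datetime(2012, 11, 7, 20, 0, tzinfo=timezone.utc)   # vCenter thinks it is 8pm


def skewed_clocks_example():
    """Consumer is one hour ahead of the issuer: the 30 minute token is
    already 'expired' the moment it arrives. This is the post's failure."""
    consumer_clock = datetime(2012, 11, 7, 21, 0, tzinfo=timezone.utc)  # vCloud thinks it is 9pm
    return check_conditions(build_conditions(ISSUER_CLOCK, LIFETIME), consumer_clock)


def synced_clocks_example():
    """Both sides on NTP: a few minutes of transit is well inside the window."""
    consumer_clock = ISSUER_CLOCK + timedelta(minutes=5)
    return check_conditions(build_conditions(ISSUER_CLOCK, LIFETIME), consumer_clock)


if __name__ == "__main__":
    for name, fn in (("skewed", skewed_clocks_example), ("synced", synced_clocks_example)):
        ok, reason = fn()
        print(f"{name:7} -> {'accepted' if ok else 'rejected'}: {reason}")
```

The rejection message carries both the assertion’s boundary and the consumer’s own clock, which is exactly the pair you want in a log when hunting a drift problem: if the two differ by a suspiciously round number of minutes or hours, look at NTP before you look at SSO.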

The Time/Space Continuum is restored

I fixed the problem by setting all the ESXi servers to pull from an NTP server. In addition I also set up my vCenter, SQL server and domain controller to pull from NTP. Just like DNS has become a critical infrastructure component that just needs to be there, NTP has now jumped to the “required” list. Valid, consistent time stamps across your datacenter are needed for the operation of your infrastructure. They are also critical for security in things like authentication and log analysis, especially when you are trying to correlate lots of information!

NTP is critical to other vCloud operations as well. My friend Chris Colotti called this out in this blog article.

If you haven’t set up your datacenter with NTP, now’s the time. Oh, and DNS too. It’s time to ditch the hosts files. (yes, there are still plenty of people using them!!) Going forward, more and more of your datacenter is going to rely on these key components. Ensuring that you use them consistently will help a LOT in troubleshooting large and complex installations.

Thanks for reading!

mike

Checkbox Security


Is security something that you feel you HAVE to do? Are you doing the bare minimum required by your auditor? Are you “Checking the box”?

In my role as Virtualization Evangelist, I seem to talk to mostly IT people. I endeavor to educate them on using VMware infrastructure as a layer (or multiple layers) of defense in depth. I spend a LOT of time trying to connect the dots between security and IT. I keep running into the same issues over and over. The attitude of “I’ve got a firewall and AV so I’m ok” is pervasive.

Newsflash: You’re not OK. Just ask your security guy.

There are a lot of really nasty people out there who are trying hard to get at your stuff. Firewalls are porous and AV, well, it’s not going to help you with a zero day attack. I’m not knocking firewalls and AV. They most definitely have their place as part of the “Defense in Depth” story. Just pointing out that they can’t be your ONLY solution.

Checking the Box

Sure, you can implement all the stuff that you HAVE to do to check the box. You may even get the thumbs up from your auditor that you’re “Compliant”! But are you SECURE? Are you protecting the assets of the business or just covering the assets? (Read into that what you will :))

What’s needed is a sea-change in approaching security. Using every asset at your disposal is critical. With the changes coming in VMware vSphere V5.1, you’ll now have more security tools at your disposal. For example, all editions of vSphere V5.1 include vShield Zones and Endpoint, giving you the ability to manage your firewalls at the vNIC level and providing increased isolation between VMs. This is a great first step in being able to use firewalls and AV at scale.

Also, and here I go again, you need to leverage automation. Measurement of critical assets and those measurements feeding into a GRC solution like RSA Archer can help you wrap a workflow around things that need to be fixed and track if/when they do get fixed. It’s critical that the IT organization work with security by providing them the data they need to provide better security with minimal impact to the business.

What I present to customers

As I call out in my recent presentation, “Understanding the Measured Risks of Cloud Security”, this attitude of securing with just a firewall isn’t good enough. Also read the blog post “The Palace of Harmonious Virtualization” as well.

I want to hear from you!

What I’d love to hear from is customers that ARE using the virtual infrastructure to provide new ways of securing their environments. Reply here or send me an email. I’d love to showcase some of your thoughts as well.

Thanks,
mike

EMCworld Wrap Up Part 1–Automation, Security and a Razor

Wow, what an amazing week! While it’s still fresh in my head, I thought I’d write about something that I witnessed at EMCworld. I’ll do another post on the sessions I gave later.

Automation and Security?

“Ok, what’s this “auto-mation” thing of which you speak Mike? And why, as a security guy, should I care?”

Razor

Well, the coolest thing was a project known as “Razor”. It was done by EMC’s Nick Weaver. Nick, also known as @lynxbat on Twitter, works in the EMC Office of the CTO. Nick is one of those guys that you show a new programming language to and after the weekend, he’s written something in it that blows your mind. All us geeks aspire to having those kinds of chops.

So, Nick worked with Puppet Labs on a project called Razor. The one sentence/paragraph description is “A tool that can, from bare metal, provision an OS.” Honestly, that’s about the lamest description ever of what it can do! You NEED to read up on it here then come back to finish what I wrote… I’ll wait……

Ok, you’re back. Now why is this important to security? Well, Chuck Hollis (@chuckhollis), the EMC CTO of Marketing, hit the nail on the head in his blog on the Puppet and Razor stuff when he said

It doesn’t take too long to realize that there are some interesting areas where this could potentially go over time. Obviously, what’s been done for server resources could also be applied to storage and perhaps network. And, of course, EMC has some nice upper level IT governance management framework tools (e.g. Archer, Ionix) where policy can be specified and reported on.

Archer? RSA Archer? Yea, that Archer. Imagine, if you will, the ability to attest (there’s a big security word) to the validity of a server from the point of powering on to the system running and serving up what it serves up. You know how it was built, what was installed on it, who did what, when, where and how. Now, feed all that information into an eGRC solution like Archer and when the auditors come calling, you have a record and that record lines up with the security policies that are in effect. Need to build a server to handle PCI stuff? Here’s the record of how it was built and it’s mapped to all the PCI compliance regs. All in an automated fashion.

Combine that with a SIEM solution that can take in events that change the configuration and now you’re cooking with gas. You can attest to every change from creation to destruction. And map it all to policy.

It was a VERY insightful post Chuck made. When I saw Razor in action, that’s exactly what I thought. I ran into Chuck one evening at EMCworld and told him so.

Security at Scale

THIS is part of the “security at scale” issue that we as an industry are facing. The old ways of managing security just won’t scale to the levels of “cloud” (there I go, saying that word. For me, cloud = scale. ‘nuff said). You NEED to leverage automation. There are just too many moving parts to keep track of manually. (more on that one in a later post!)

So for you IT guys who are wondering about security in a virtual environment, run over and start playing with Razor (did I mention it’s Open Sourced??????!!!!) and think about how you can help the security guy by giving him measurable results in a consistent fashion.

For you security folks, guess what, it’s time you look at all the cool tools that are available to the IT folks that can help you measure compliance. The depth of these tools is amazing. And the ability to pump it all into Archer to map it to the compliance policies makes your job infinitely easier.

I’m heading into Boston in a couple of weeks to learn more about Puppet and about Razor. Hopefully I’ll have more to talk about then!

Let me know what you think!

thanks for reading,

mike