Controlling the mobile sales force with VMware ACE

One of the most complex things an IT Manager or Security Manager has to face in a corporate environment is keeping the mobile computer population under control.
Laptops, PDAs and smartphones are all critical infection vectors: they are under control behind million-dollar corporate security infrastructures, but totally at risk when connected to home or public networks during their owners' daily travels.

Infection of these devices and the consequent compromise of the corporate network is not the only problem: they usually store sensitive business data and carry configurations able to easily reach the inner parts of the company datacenter. As soon as a laptop is stolen, an IT Manager has to handle something even more painful than a virus infection: an authorized remote access with partial or complete clearance to reserved information.

Today's products can hardly mitigate these kinds of scenarios, and upcoming endpoint security technologies are only partially committed to solving problems like the ones described.

A really effective solution is provided by a virtualization product from VMware called Assured Computing Environment (ACE).
ACE is a special VMware Workstation version featuring a powerful and flexible security wrapper, able to control in a centralized way how a virtual machine interacts with the outside world, at both host and guest level.

In this article we'll describe a real-world scenario where ACE is perfect for handling all the security and privacy issues that arise.

The problem
Today's scenario involves an SMB company working in a small niche of the provisioning market, where competition is very aggressive.

The company bases the majority of its revenue on a territory sales force carrying out direct sales at customers' sites.

Sales agents are required to order material for customers through an online provisioning portal. They also have to access the company intranet over VPN with a custom application to view, modify or cancel ongoing orders and to verify their commissions.

The company develops its own order management application for the Windows operating system but doesn't adopt Microsoft Active Directory.

To lower costs the company staffs its sales force with contractors, who are required to provide their own computer equipment.
On these machines the company IT staff has to install and regularly update the order management application, an Internet browser able to access the online portal without problems, and the VPN client.

The scenario presents many problems for the IT management:

  • Centralized control: sales agents have to move around their territory with laptops, often where no Internet connectivity is available, and the company cannot count on the Group Policy feature offered by Active Directory: laptops are not easily controllable in a centralized way.
  • Heterogeneous environments: sales agents provide their own computer equipment, which means IT staff has no guarantee the operating system will always be secure enough for corporate network remote access and compatible with the company provisioning application.
  • Data disclosure: sales agents have complete control over their laptops and can illegally replicate corporate data to personal storage for different purposes: backup, personal benefit, etc.
    At the same time equipment can get lost or stolen, leaking downloaded data and configuration details for company remote access.

In our particular scenario the computer equipment is also owned by the sales agents, and when they resign they are not obliged to give anything back.

Last but not least, sales agents could sell a copy of their application to competitors, providing them continuous access to corporate data.

The VMware ACE solution
To address the security issues of this scenario with ACE, we'll create a minimally configured, secured and compatible operating system inside a virtual machine, where we'll install and set up the company order management application, a browser working with the online provisioning portal and the VPN client for the corporate network.

Then we'll limit this virtual machine's ability to reach external networks, also preventing it from being moved or copied around. Finally we'll ship it in a 1-click installation package to be deployed on every sales agent's laptop.

Preparing the virtual machine
The first step is creating the desired virtual machine. We can do this by creating a new one from scratch inside the ACE environment, which is practically identical to the Workstation one, or by importing an existing virtual machine created with another VMware product.

In this second case we should act carefully: if we created our VM with Workstation 5.x it will not be usable inside ACE.
This compatibility issue exists because, at the time of writing, VMware is shipping Workstation 5.5.1 and ACE 1.0.2, which only works with virtual hardware coming from the Workstation 4.x family.

Luckily there is a solution: VMware is working on a product called Virtual Machine Importer 2.0, currently available only as a beta, which is able to convert recent virtual machine hardware to the legacy hardware that works with Workstation 4.x products and ACE 1.0.2.


It's a waste of time trying to do the same with the released Virtual Machine Importer 1.5, because that version can't work on VMware virtual machines, only on third-party images.

Defining security policy
After the virtual machine creation or import, it's time to define the security policy to limit network access and availability.

One of the biggest security needs here is to prevent corporate data from being illegally accessed or copied, and to prevent users from manipulating the virtual machine configuration to work around restrictions.
To achieve both objectives we can configure encryption for the virtual machine image and configuration files, and require the creation of a complex password to access it.


Note that, to avoid a management nightmare, we also have to set up an administrative password for recovery purposes, which will generate a recovery key.


Finally, we have to prevent the virtual machine from being copied.


The leak of reserved information can also happen by copying it to a USB memory stick, a floppy or a recordable CD-ROM.

A possible approach could be creating the original virtual machine without these devices at all, but that's impractical for administrative tasks or future needs.
So it's better to configure ACE to block access to the existing virtual devices without removing them.


The last and most critical medium, the network, has to be restricted as well, both against data leaks and against the risk of security compromise: as we already said, a compromise could both ruin the safety of the local environment, preventing business applications from working correctly, and propagate into the corporate network when connected over VPN.

ACE helps with all these problems by offering four kinds of network quarantine. We'll use the version-based dynamic quarantine.


To maintain the tightest control we want our virtual machine to check for the latest available network quarantine policy at every startup and on a regular basis.
In this way we can update the restrictions whenever needed just by updating a single file.


Consider that the quarantine policy check and update is done at the host level, not at the virtual machine level, so we should put our policy file in a location easily reachable from any point on the Internet (like a non-linked, non-indexed directory on the company's website).

At the same time, since sales agents in our scenario are not always connected, we want to permit them to work even without checking the policy, allowing policy caching that expires after a week.


If, for any reason, the virtual machine doesn't update its quarantine policy after the caching period, it goes into a restricted status, limiting access to resources even more.

So while in allowed status it can reach corporate intranet servers for data access, in restricted status it loses this permission, only accessing security servers for antivirus checking and patch management.



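The quarantine behaviour just described (a policy check at startup and on a schedule, a one-week cache, and a fall-back to a restricted status in which only the security servers stay reachable) can be modelled in a few lines. The following is an added example written for this article; it is not ACE code and does not reproduce ACE's policy file format. The Policy structure, the hostnames and the version comparison are assumptions of the model.

```python
"""Model of a version-based dynamic network quarantine with cached policy.

Constructed example: not VMware ACE code and not its policy file format,
only the decision logic described in the article."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, FrozenSet, Optional

CACHE_LIFETIME = timedelta(days=7)  # the one-week cache expiry chosen in the article


@dataclass(frozen=True)
class Policy:
    version: int
    allowed_hosts: FrozenSet[str]     # reachable while the VM is in allowed status
    restricted_hosts: FrozenSet[str]  # the only hosts reachable in restricted status


class QuarantineAgent:
    """Host-side checker: fetches the policy at startup and on a schedule,
    caches it, and derives allowed/restricted status from the cache age."""

    def __init__(self, initial: Policy, fetch: Callable[[], Optional[Policy]],
                 clock: Callable[[], datetime]):
        self._fetch = fetch      # returns None when the policy URL is unreachable
        self._clock = clock
        self._policy = initial   # policy shipped inside the package
        self._fetched_at = clock()

    def check(self) -> str:
        """Run one scheduled policy check; returns the resulting status."""
        fresh = self._fetch()
        # Assumption of this model: a policy older than the cached one is
        # ignored, so a previously published file cannot loosen restrictions.
        if fresh is not None and fresh.version >= self._policy.version:
            self._policy = fresh
            self._fetched_at = self._clock()
        return self.status()

    def status(self) -> str:
        age = self._clock() - self._fetched_at
        return "allowed" if age <= CACHE_LIFETIME else "restricted"

    def can_reach(self, host: str) -> bool:
        hosts = (self._policy.allowed_hosts if self.status() == "allowed"
                 else self._policy.restricted_hosts)
        return host in hosts


# Constructed sample policy; hostnames are placeholders, not from the article.
SECURITY_SERVERS = frozenset({"av.example.com", "patch.example.com"})
SAMPLE_POLICY = Policy(
    version=1,
    allowed_hosts=SECURITY_SERVERS | {"intranet.example.com", "vpn.example.com"},
    restricted_hosts=SECURITY_SERVERS,
)


def simulate(offline_days):
    """Replay a daily check over ten days; the policy server is unreachable on
    the given days. Returns (day, status, intranet reachable, patch server
    reachable) tuples."""
    start = datetime(2006, 7, 1)
    today = [start]  # mutable fake clock

    def fetch():
        day = (today[0] - start).days
        return None if day in offline_days else SAMPLE_POLICY

    agent = QuarantineAgent(SAMPLE_POLICY, fetch, lambda: today[0])
    timeline = []
    for day in range(10):
        today[0] = start + timedelta(days=day)
        status = agent.check()
        timeline.append((day, status,
                         agent.can_reach("intranet.example.com"),
                         agent.can_reach("patch.example.com")))
    return timeline


if __name__ == "__main__":
    # Laptop online on day 0, offline on days 1 to 8, back online on day 9.
    for row in simulate(offline_days=set(range(1, 9))):
        print(row)
```

Running the simulation shows the laptop keeps working from the cached policy through day 7, drops to restricted status on day 8 (intranet unreachable, patch server still reachable), and returns to allowed status as soon as a policy check succeeds again. Because the check runs on the host and the file lives on a publicly reachable web server, the model also refuses to replace the cached policy with a lower version, so an old copy of the file cannot be used to relax the current restrictions.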
Now that we have defined the limitations on the virtual machine's interaction with the real world, we have to handle the case in which sales agents resign and, in our scenario, don't have to give back any equipment.

Let's define an expiration date for the virtual machine, with a warning before the last day, so that renewed contractors can request IT staff intervention.

Distributing the package
Once we have completely defined the virtual machine and ACE environment policies, we can assemble the distribution package.
For the first deployment we'll ask to include every part of the solution, while in subsequent updates, if needed, we'll just package the virtual machine part.


An ACE package can easily become very large and deployment can become pretty complex. To simplify delivery we just have to ask ACE to split the executable package into several CD-sized or DVD-sized images.


Installation is a 1-click operation without further intervention, and the final user interface is almost identical to the one offered by the free VMware Player: the virtual machine can be powered on with a single button, and if the sales agent is in a hurry and cannot shut down the operating system, it will be suspended until the next use.

Bottom line
It's no secret that VMware never pushed ACE as much as other, more popular products like Workstation or ESX Server, but it has turned out to be a great product for managing hard-to-control productivity environments.

At the price of $795 for ACE Manager (which can be used as a standard Workstation installation) and $99 for each ACE virtual machine, this product can easily be a more affordable solution than traditional security alternatives to address the issues of this scenario and others not contemplated here, and customers should seriously consider it when planning their security strategy.

This article originally appeared on SearchServerVirtualization.com.

Review: Macworld reviews Parallels Desktop for Mac

Macworld published a review of the much-acclaimed Parallels Desktop for Mac, including an interesting benchmark comparison and providing this conclusion:

Parallels’ ability to run nearly every version of Windows, along with many versions of Unix and Linux, makes it a valuable tool for anyone using an Intel-based Mac who has a need or desire to work with other operating systems.
If your job requires Windows, but you love your Mac and OS X, Parallels will truly give you the best of both worlds. If you put your Parallels session in full screen mode, anyone walking by won’t even be able to tell that under the Windows façade, you’re actually running the world’s greatest operating system.

Read the whole review at source.

Review: Linux.com reviews SWsoft Virtuozzo for Linux 3.0

Linux.com published a very brief review of SWsoft Virtuozzo for Linux 3.0, providing this conclusion:

Any business or organization that’s looking at virtualization should put Virtuozzo at the top of the list. It’s a really powerful solution that’s relatively simple to administer and use.

Virtuozzo is not the same type of solution as VMware Server or ESX. Since Virtuozzo approaches virtualization differently, you don’t have the same operating system flexibility that you’d have with VMware Server — want to run FreeBSD, Linux, and Windows on the same machines? Then Virtuozzo isn’t the offering for your organization. Want to use a virtualization solution that helps partition servers into multiple Linux VPSes, and makes things much easier to manage? Then I’d recommend checking out Virtuozzo when you evaluate solutions.

If you’re an “open source at all costs” type of person, take a look at SWsoft’s OpenVZ instead. OpenVZ has a subset of the features included with Virtuozzo — you can still run multiple guests on a single host, and it offers much of the same functionality in terms of QoS features, but it lacks the GUI tools and utilities that make it really easy to manage Virtuozzo.

Read the whole review at source.

You may also be interested in reading the virtualization.info review of SWsoft Virtuozzo for Windows 3.5.1.

Whitepaper: VMware Infrastructure 3 Service Console Guide

Mike Laverick published another very useful guide, this time about the command-line environment of VMware Infrastructure 3:

This guide is designed for people who already know ESX 3.x and VC 2.x quite well. Although it starts as a beginners guide initially, it pretty rapidly starts to assume very good knowledge of the system. I would recommend you get to grips with the GUI first, and feel comfortable with Vi-3 before attempting this guide.

It is not a comprehensive guide to ALL the commands – just the primary ones. I hope to make this guide gradually more comprehensive, and cover all new commands that are useful. I've deliberately not covered every single esxcfg command – because not all of them are terrifically useful…

There are some big topics that I have yet to add to this guide – this includes setting NTP and Active Directory authentication for the Service Console…

Read it here.

Apple officially denies virtualization plans for Leopard

Quoting from Macworld:

Needham and Company analyst Charles Wolf recently predicted that Apple’s market share could triple in the home, yet he says that the same thing is not true of the corporate space.

“I am so pleased to see [Apple promoting Parallels],” said Wolf. “I had a talk with Phil Schiller at the opening of the 5th Avenue Apple Store, and I asked him the question, ‘will Apple include a virtualization solution in [the next version of Mac OS X] Leopard.’ He said ‘absolutely not, the R&D would be prohibitive and we’re not going to do it. Our solution is dual boot.’…

Read the whole article at source.

It really seems Apple's fans will be severely disappointed, since Phillip W. Schiller is the Senior Vice President of Worldwide Product Marketing at Apple, and his words, if true, should be considered an official statement.

Review: The Rational Guide to Managing Microsoft Virtual Server 2005

The Rational Guide to Managing Microsoft Virtual Server 2005 is an ideal book for anyone who has to start fast.
It lets the reader explore the large majority of the product's features without being overwhelming.

Chapters 1 and 2 cover the basic concepts of server virtualization and the product itself, listing the benefits of the technology and scenarios where it's useful.
These chapters also mention competing products like VMware solutions and Xen, as well as alternative approaches like application virtualization.
The biggest bonus of Chapter 2 is a comparison between Virtual PC and Virtual Server, something newcomers always ask about, and a clarification on virtual machine compatibility between the two products.

Chapter 3 briefly covers the planning phase, detailing the minimal requirements for the host OS and suggesting how to size it depending on the virtual machines you plan to run.
It also mentions hot topics like licensing and product support inside virtual machines.

Chapter 4 details product installation and configuration steps, clarifying some process issues the reader could encounter with several real-world tips.

Chapters 5 to 8 are dedicated to virtual machine management, with a particular focus on virtual hardware.
Virtual storage (Chapter 7) and virtual networking (Chapter 8) architectures are extensively covered, with comparisons between competing options.

Chapter 9 is all about security and helps readers understand and correctly configure several aspects of the product, from access to virtual machines to access to the web management interface.
File system permissions, the services run by Virtual Server components and web server permissions are covered in an understandable way.

The last chapter, 10, is dedicated to advanced concepts and includes critical tasks like performance monitoring and resource allocation for virtual machines, both critical in the fine-tuning phase.

Three more chapters are available online only for registered readers and are highly recommended to further improve fine-tuning capabilities when using Virtual Server in serious implementations:

  • Bonus Chapter A: Optimizing disk performance
  • Bonus Chapter B: Optimizing network performance
  • Bonus Chapter C: Virtualization best practices

Conclusion
At the time of writing this is the only book entirely focused on Virtual Server 2005, covering the R2 version, with its quality assured by Mike Sterling, Product Manager for Windows Virtualization at Microsoft.

If you are looking for a starting point to become operational in no time and without effort, for a small project or personal use, this book is a good choice.
And since it provides wide coverage of topics, you'll always have starting points to further deepen your knowledge.

If instead you are looking for the definitive guide to virtualization and Microsoft Virtual Server 2005, planning hardcore use in your company, then you should look elsewhere.

Has VMware been afraid of Xen?

Is it possible that VMware launched Player, and now Server, for free to counteract the upcoming menace of Xen, the open source hypervisor?

Bernard Golden thinks so, and wrote it in a CIO India article:

Today, VMWare has completely restructured its product line and its go-to-market strategy. VMWare offers a significant part of its product line available for immediate download at no cost. That’s right: EMC paid Rs 2,700 crore to buy a company that doesn’t charge for its products.

Why the big change in strategy? In one word: Xen. This is an open source virtualization product emanating from Cambridge University, with a commercial arm called Xensource. The entrance of an open source product into the market has caused the effective price of virtualization to head toward zero…

Read the whole article at source.

I would say it's not the case at all.
VMware is giving away a large part of its technology following a precise evangelization strategy. And the objective is to have as solid a position as possible when Microsoft invades the segment.
Even now that Xen can count on AMD and Intel virtualization aid, offering Windows virtual machines (the big missing feature of the project since the beginning), it doesn't represent a real threat.

I already covered VMware's ongoing strategy in The long chess game of VMware.

NetBSD partially supports Xen 3.0

Manuel Bouyer, the current maintainer of Xen on NetBSD, announced on the Xen development mailing list:

I’m proud to announce that, with today’s commit NetBSD has finally usable Xen3 domain0 support.

I added a XEN3_DOM0 kernel config file to i386, which will be built as part of release (the next build should have a netbsd-XEN3_DOM0.gz in pub/NetBSD-daily/HEAD/… on the ftp server).

Installing a Xen3+NetBSD system is much like a Xen2+NetBSD, you just need to install xentools30 instead of xentools20 from pkgsrc 🙂

For now, Xen3+NetBSD won't run (at least it doesn't on my system) on SMP systems, you have to disable SMP on the Xen command line…

What is the meaning of Virtual PC Express?

A lot of interest exists around a special Virtual PC edition, called Express, which will be embedded in the upcoming Microsoft desktop operating system, Windows Vista. But the worldwide press rarely talks about the product. Why?
Because Microsoft decided to offer it only to Enterprise Customers with Software Assurance.
The product will also be severely limited, allowing just 1 virtual machine and lacking support for Linux guest OSes.

In his post Brandon LeBlanc suggests offering this edition to all Microsoft customers at a small add-on price, but I disagree: comparing Microsoft's offering to VMware's, Virtual Server 2005 R2 can address competition with the upcoming VMware Server, but there's nothing to compete against the ubiquitous VMware Player.

I would rather consider it a better move to bundle Virtual PC Express with all Vista editions, as an optional installation package, for free.