Tool: EZP2V

A new tool for free physical-to-virtual (P2V) migrations has been born: EZP2V.

Like Mike Laverick’s well-known Ultimate-P2V, this one is also based on the BartPE Windows live CD.

In my opinion, while free P2V is highly desirable to accelerate virtualization adoption, these tools are still too complex to assemble initially to gain mass popularity.
Abandoning BartPE (which is a great tool) in favor of Linux live CD solutions would work around the Windows redistribution limitations, permitting a ready-to-go solution to be offered.

Today the market still leaves room for a P2V tool that performs offline migrations for free and requires a commercial license for live migrations (as PlateSpin PowerConvert and Leostream P > V Direct do now).
Why is nobody seizing the opportunity?

Yankee Group reports 76% of corporations to deploy server virtualization

Quoting from the official press release:

The poll of 1,700 managers and executives worldwide revealed that three out of four businesses, regardless of size, already have or plan to deploy server virtualisation over the next 12 months.

Of the 76% of organisations that affirmed they will deploy virtualisation, nearly two-thirds, 62%, already have a virtualisation solution in place or are in the process of migrating, while another 21% indicated they will install server virtualisation within the next 12 months. Only 4% of respondents, ranging from the smallest SMBs with under 50 users to the largest multinational enterprises with 100,000+ end users, said they had no plans to install a virtualisation solution.

VMWare is the clear and convincing market leader. 45% are deploying or plan to use VMWare’s ESX, while another 10% will install VMWare’s GSX. According to the survey results, VMWare has a total market share of 55%, which it should easily maintain over the next 12 to 15 months.

Microsoft’s Virtual Server is second with 29% market share.

All of the other server virtualisation solution providers including the open source XenSource, XenOptimizer built into Red Hat Enterprise Linux and Novell SuSE are very small niche market solutions which each have only about 1% market share…

The whole press release is interesting and worth reading.

Webcast: Improving Business Continuity Using Virtual Infrastructure

Altiris, Dell, Intel, VMware, EMC and ZiffDavis are sponsoring a joint webcast on Jul 13, the second of a three-episode series:

As IT systems support key business operations, the need for increased availability of those systems is a priority of nearly every organization. Challenges from patch management to IT resource constraints to variability in business demands can make it difficult for IT to manage for maximum uptime.

Implementing a virtual infrastructure can reduce planned and unplanned downtime while lowering the cost of ensuring business continuity. To help streamline the implementation of this technology, Dell, Intel, VMware, Altiris and EMC are joining forces to offer an integrated virtualization solution, including highly reliable servers, storage, virtualization infrastructure software, management and services.

Attend this eSeminar and gain real-world insight from these industry leaders on implementing virtualization to enhance business continuity that results in higher availability and streamlined recovery processes. Find out how their integrated approach of virtualizing servers, storage and networks provides a robust, virtualized IT infrastructure that reduces planned and unplanned downtime by:

  • Transforming IT infrastructures into self-healing, highly available resource pools
  • Reducing complexity of fail-over facilities through virtualizing shared storage and implementing consolidated backup tools
  • Providing proven methodologies to simplify and facilitate rapid recovery processes
  • Empowering IT staffs to address system maintenance with zero-downtime windows

Register here.

Security by virtualization

Modern server virtualization was relaunched in the early ’80s to lower the maintenance costs caused by server sprawl: hardware and software purchases, power, IT management staff time, etc.

But almost immediately customers, and virtualization vendors themselves, re-evaluated virtualization for many more purposes.

Security is one of the biggest fields where virtualization can serve: isolating unstable or compromised applications, providing fast disaster recovery solutions, offering powerful forensic analysis capabilities, and creating cheap intrusion detection tools.

Below we’ll explore all of these applications, also looking at how the evolution of virtualization will help security even more in the near future.

Virtualization for Sandboxing

The first and easiest application of virtualization for security purposes is application isolation.

Moving a set of applications, or a single one, into a virtual machine helps IT managers control two kinds of problems: application instability, which could lead to significant resource waste or, in the worst cases, to a complete system crash, and application compromise, which could lead to local privilege escalation and unauthorized ownership of the system.

The best example of avoiding this second scenario comes from VMware, pioneer of modern virtualization, which promoted the concept of so-called Virtual Appliances by launching a Browser Appliance: an operating system in a virtual machine used just for Internet-related tasks, like surfing, reading email, chatting, or downloading from P2P networks.

All these actions are risky today, and in case of compromise the attacker cannot interact with the underlying host operating system, where the important user data are stored and from which he could obtain access to the corporate network.

Recovering compromised systems is even easier: a user without technical skills, once he recognizes that something is not working well, can revert to the starting point just by restarting the virtual machine, getting a completely intact, brand-new system in a matter of seconds, any time he wants.

It’s important to mention that, regarding the use of virtualization for sandboxing, over the years many security analysts have raised doubts about the real capability of virtualization layers to securely isolate virtual machines from each other and from the host operating system.

It’s a reasonable doubt, since the Virtual Machine Monitor (VMM) processes the virtual machines’ I/O requests all the time, and a malformed one could lead to buffer overruns and further compromise of the host operating system where the VMM resides.

But to date we have no public news of successful attacks against VMMs, and we’ll have to wait some more time before the underground community seriously starts looking at this.

Virtualization for Disaster Recovery and High Availability

The biggest need in any corporate environment is data preservation and availability of service.

The first is achievable today with backup solutions acting at file level inside the protected server. This approach has two big downsides: restoring data requires a large amount of time, and it requires the original hardware (or an exact copy) to get back in business without further manipulation.

Virtualization greatly helps reduce the time and costs of disaster recovery operations.

Instead of saving files, backup solutions working at host level can copy the whole virtual machine (in some environments even while it is running), which appears as a single big file and takes much less time to restore than re-installing the operating system and restoring data.

If this seems good but not revolutionary, you should also consider that the saved virtual machine can be restored on any host operating system, on any sufficiently powerful hardware, permitting you to recover even from a physical failure without expensive downtime.

When downtime is not affordable at all we have to turn to high availability configurations, where cluster nodes share and balance the traffic load, or to less expensive hot-standby configurations, where one or more secondary nodes are ready to take over if the primary fails.

Both solutions rely on the availability of two or more physical servers, which you have to multiply by all the services you intend to protect, but virtualization can help provide some of these capabilities at a cheaper price.

Every day more and more companies are deploying in production mixed clustered services where the secondary node is virtual: while the primary node is installed on physical hardware, a second node is available in a virtual machine, ready to take over on any failure.

Since the standby node actually consumes no resources, a single physical host machine can store several of them, dynamically providing enough physical resources to the demanding virtual node at failover time.

A frequent show-stopper in this second scenario is the problem of replicating data from the physical node to the virtual standby node.

Companies like vizioncore are filling this gap by offering affordable replication services for the most common virtualization platforms.

Virtualization for Forensic Analysis

Another, even older, application of virtualization for security purposes is certainly forensic analysis.

VMware executives love to recall how law enforcement agencies like the FBI, approaching their products at the company’s beginning, immediately asked how to copy a criminal’s hard disk contents into a virtual machine for offsite analysis.

This kind of approach, today largely automated, is called physical-to-virtual (P2V) migration, and permits having an exact working copy of a physical computer, including hidden or encrypted partitions, without altering data.

The process is quite simple in most cases and can transfer the whole hard disk contents over the wire in a few minutes (depending on size).

The downside is that today we still have to shut down the original machine, which for a security professional means losing the volatile memory contents.

Today the big P2V solution providers are PlateSpin, Leostream and VMware itself, with some emerging start-ups offering free migration tools to carve out a space in this segment.

Also traditional imaging solutions like Symantec LiveState now do the trick, since the newest virtualization products provide the capability of importing these proprietary formats into empty virtual machines.

P2V migration is not the only way to do forensic analysis with virtualization.

The best tool for simplifying testing in virtual machines, called snapshots, happens to be also the best tool for forensic analysis.

Snapshots are the way virtualization products freeze the operating system image, to permit recovery of messed-up environments when we work with betas or unstable products.

Snapshots can be taken when the virtual machine is powered off or on: in the first case only what is in the virtual hard disk is marked as a restore point; in the second case the whole volatile memory is also saved in the image file.

Considering an ongoing compromise, we have to deal with so-called 0day tools, able to exploit new vulnerabilities without being recognized by up-to-date malware engines, and with the ability of hackers to cover their tracks, clearing logs and deleting the tools they used.

To mitigate this loss of precious information, today we have to rely on so-called host intrusion detection systems (HIDS), able to track changes to files and memory and send them over the network to dedicated logging facilities.

But these tools are not only often very expensive but also waste a large amount of the protected servers’ resources, are not necessarily deployed on every server we want to protect, and can be compromised as well.

Virtualization is a cheap and effective alternative in this case: a live snapshot taken at the right moment can freeze 0day tools in RAM or on disk, and the attacker’s tracks in the system logs, before he can delete both.

At a convenient time, even on a different host operating system inside the laboratory, the virtual machine can be restarted at the snapshot point, providing an unprecedented capability in forensic analysis.

Virtualization for Honeypotting

A research field in which the security community is investing a lot is honeypotting.

A honeypot is a system that looks and acts like a production environment, deployed at specific points of the corporate network, with enough interesting data to attract attackers, but full of logging sensors. Its mission is to discover as much as possible about new hacking tools and techniques and to fool the attacker long enough to give security managers time to patch real systems against these new kinds of attacks.

Before virtualization spread, setting up a machine or a whole network (called a honeynet) just for security research purposes could be prohibitive in cost and management effort.

Today we can rely on free virtualization platforms, free traffic generator tools and rising virtual lab automation solutions (like the ones offered by Akimbi or Dunes).

Building a virtual honeynet in a box is finally possible and affordable, and companies should evaluate deploying such systems to mimic their production servers, considering them as enhanced monitoring sensors, precious in critical environments where the standard security effort is not enough.

Virtual honeypotting is also effective for simulating a desktop population, catching internal threats that antivirus agents can no longer handle and endpoint security solutions have still to handle.

Similar applications have been launched by Microsoft, with its project codenamed Honeymonkey, and by IBM with the codename Billy Goat, automating virtual desktops to surf the Net and get infected, just to discover new viruses.

A big objection to using virtualization for honeypotting is that virtual machines are immediately recognizable by simple checks an attacker can run at network level, or at system level once compromised. Once he discovers he is in a virtual machine, the attacker would stay away from it, or leave it immediately if already inside, considering the environment a trap.

We can answer this objection in two ways.

First of all, many attacks are automated, like worms, and malicious code is not yet so evolved as to avoid virtual machines.

Secondly, today more and more companies, from enterprises to SMBs, are moving their production servers into virtual infrastructures: being inside a virtual machine is no longer so suspicious for attackers, who could well decide to stay, evaluating the target as a real one.

A more blended future

Virtualization is still at an early stage, and technologies in this segment are evolving fast, as are their applications, which will take advantage of more computing power and smarter programmable interfaces.

In the immediate future the very first security benefit of virtualization will be freeing the resources in virtualized servers that are currently wasted by security agents.

In fact, as soon as VMware and Microsoft granted open access to their virtual hard disk formats, vendors like Symantec and Trend Micro applied for access, eventually followed by the whole security industry.

Knowing how a virtual disk is structured means, for these companies, being able to act on the files inside the virtual file system from the host level.

In other words antivirus, patching and backup software will no longer need to access data from inside the virtualized operating system, but from the layer below, achieving their security tasks in a transparent way.

And, as a side benefit, it will no longer be possible to compromise their agents, which today drops the systems’ defences at their origin.

The concept of using virtualization for sandboxing is also going to become much more common very soon.

Intel announced the new vPro technology, enhancing the virtualization capabilities of its processors to provide two fully isolated environments out of the box: one hosting the traditional operating system meant for usual computing purposes, and another hosting an independent and safe environment meant for any kind of purpose, from rescue to intrusion detection.

An immediate use of this second isolated environment has been announced by Symantec, which will host on it a monitoring product able to detect when the standard operating system is compromised and act accordingly to prevent its access to network resources.

It’s likely this trend will grow over time, and several hardware vendors, including network interface and memory manufacturers, will offer this kind of partitioning capability in tomorrow’s servers and desktops.

But there is much more to the future of virtualization-aided security than inline antivirus and patching capabilities or hardware partitioning.

Today’s virtualization can be employed in many security tasks, but it still requires a lot of customization and manual intervention.

Within a few years it could become responsive enough to permit real self-defending datacenters.

VMware was the first to talk about integrating an intrusion detection system (IDS) at the host operating system level, providing transparent traffic analysis and threat interception.

But once a security monitor sits at the host level and can programmatically interact with the virtual infrastructure, it can do much more than just alerting about an ongoing attack, like an IDS, or terminating open malicious sessions, like an IPS.

The intrusion detection sensor, for example, could request running snapshots of virtual machines as soon as a port scan is recognized.

Depending on the time of the snapshot, it could provide a safe restore point for compromised virtual machines or a freeze of the attacked memory, to be sent to the security department for forensic analysis.

And to avoid an identical attack, the sensor could invoke transparent virtual machine patching starting at the host level.

In another scenario the intrusion detection sensor, recognizing an ongoing attack, could redirect traffic into another virtual network where a dedicated virtual machine, what today we call a honeypot, appears as the designated target, ready to be compromised and to log any 0day tools and hacking techniques the attackers will use.

While highly anticipated, this evolutionary path will not be easy to walk, since the whole picture relies on two factors: the whole datacenter has to move into a virtual infrastructure, and the time required to perform operations on virtual machines has to be much shorter than it is now.
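The two snapshot scenarios above, the forensic live snapshot that freezes memory and logs before the attacker can clean up, and the host-level sensor that requests a snapshot as soon as a port scan is recognized, can be tied together in a small piece of detection logic. The following is an added example written for this page; it is not code from the article, from VMware or from any vendor named here. The connection log lines are constructed, the guest-IP-to-VM mapping is hypothetical, and `SimulatedHypervisor` is a stand-in that only records the snapshot requests a real programmable virtual infrastructure interface would execute.

```python
"""Port-scan detection over connection logs that triggers a memory-inclusive
snapshot of the targeted virtual machine.  Constructed example: the log lines,
the VM mapping and the hypervisor interface are all stand-ins, not a real API."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (firewall-style): time, source, destination, dport, action.
SAMPLE_LOG = """\
2006-07-10T10:00:01 src=10.0.0.77 dst=192.168.1.10 dport=22 action=deny
2006-07-10T10:00:01 src=10.0.0.77 dst=192.168.1.10 dport=23 action=deny
2006-07-10T10:00:02 src=10.0.0.77 dst=192.168.1.10 dport=25 action=deny
2006-07-10T10:00:02 src=10.0.0.77 dst=192.168.1.10 dport=80 action=allow
2006-07-10T10:00:03 src=10.0.0.77 dst=192.168.1.10 dport=110 action=deny
2006-07-10T10:00:03 src=10.0.0.77 dst=192.168.1.10 dport=143 action=deny
2006-07-10T10:00:04 src=10.0.0.77 dst=192.168.1.10 dport=443 action=allow
2006-07-10T10:00:04 src=10.0.0.77 dst=192.168.1.10 dport=445 action=deny
2006-07-10T10:00:05 src=10.0.0.77 dst=192.168.1.10 dport=3389 action=deny
2006-07-10T10:00:05 src=10.0.0.77 dst=192.168.1.10 dport=8080 action=deny
2006-07-10T10:00:09 src=10.0.0.5 dst=192.168.1.10 dport=80 action=allow
2006-07-10T10:00:10 src=10.0.0.5 dst=192.168.1.10 dport=80 action=allow
2006-07-10T10:05:00 src=10.0.0.77 dst=192.168.1.20 dport=80 action=allow
"""

# Hypothetical mapping from guest IP address to virtual machine name.
VM_BY_IP = {"192.168.1.10": "web01", "192.168.1.20": "mail01"}


@dataclass
class Snapshot:
    vm: str
    name: str
    taken_at: datetime
    include_memory: bool  # a live snapshot keeps RAM, the forensic payload


class SimulatedHypervisor:
    """Stand-in for the programmable host-level interface the article anticipates.
    It only records the snapshot requests it receives."""

    def __init__(self):
        self.snapshots = []

    def snapshot(self, vm, name, taken_at, include_memory):
        snap = Snapshot(vm, name, taken_at, include_memory)
        self.snapshots.append(snap)
        return snap


def parse_line(line):
    """Split one 'ts key=value ...' log line into (timestamp, src, dst, dport)."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), fields["src"], fields["dst"], int(fields["dport"])


class PortScanDetector:
    """Flags a source that touches at least `threshold` distinct destination ports
    on one destination within a sliding window of `window` seconds."""

    def __init__(self, hypervisor, threshold=8, window=10):
        self.hv = hypervisor
        self.threshold = threshold
        self.window = timedelta(seconds=window)
        self.seen = defaultdict(deque)  # (src, dst) -> deque of (timestamp, port)
        self.alerted = set()            # one snapshot per (src, dst), no snapshot storms
        self.alerts = []

    def feed(self, line):
        ts, src, dst, port = parse_line(line)
        q = self.seen[(src, dst)]
        q.append((ts, port))
        while q and ts - q[0][0] > self.window:  # evict events outside the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= self.threshold and (src, dst) not in self.alerted:
            self.alerted.add((src, dst))
            self.alerts.append((src, dst, sorted(ports)))
            vm = VM_BY_IP.get(dst)
            if vm:  # snapshot the scanned guest with its memory, before any cleanup
                self.hv.snapshot(vm, f"portscan-{src}-{ts:%Y%m%dT%H%M%S}", ts, True)
            return True
        return False


def run(log_text, threshold=8, window=10):
    """Feed every log line through the detector; return (alerts, snapshots taken)."""
    hv = SimulatedHypervisor()
    det = PortScanDetector(hv, threshold, window)
    for line in log_text.splitlines():
        if line.strip():
            det.feed(line)
    return det.alerts, hv.snapshots


if __name__ == "__main__":
    alerts, snaps = run(SAMPLE_LOG)
    for src, dst, ports in alerts:
        print(f"port scan from {src} against {dst}: {len(ports)} ports")
    for s in snaps:
        print(f"snapshot {s.name} of {s.vm} (memory={s.include_memory}) at {s.taken_at}")
```

The `alerted` set is the caveat worth noticing: a scanner that keeps probing would otherwise request a new snapshot on every additional port, and each running snapshot costs disk space and guest pause time, which is exactly the operation-latency factor the section ends on. In the constructed log, source 10.0.0.77 reaches the eighth distinct port at 10:00:04, so one alert and one memory-inclusive snapshot of `web01` are produced; the two later probes by the same source and the legitimate repeated port-80 traffic from 10.0.0.5 trigger nothing further.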

Bottom line

Server virtualization is not just a compelling need for server consolidation: it is becoming, and will eventually be, the most important ally of security managers, simplifying a wide range of tasks from disaster recovery to forensic analysis, up to intrusion detection and prevention.

Companies approaching security by virtualization today will see noticeable results, even if a big effort in tool automation could be required for the most complex scenarios, knowing that tomorrow, when virtual infrastructures will be self-defending and self-healing datacenters, they’ll have to move their effort to the rules of engagement.

This article originally appeared on SearchServerVirtualization.

Review: InfoWorld reviews PlateSpin PowerConvert, PowerRecon and Leostream P > V Direct

InfoWorld published a brief review of two competing P2V products, PowerConvert from PlateSpin and P > V Direct from Leostream, and threw in PlateSpin PowerRecon as well.

PowerRecon is not directly involved in the P2V process but fills the need for candidate recognition, which comes much earlier than the actual migration.
The fact that InfoWorld put PowerRecon and the P2V tools on the same level is not a good thing, and the assigned scores should not be considered valuable.

Apart from this big mistake, the review is not completely reliable, stating that PlateSpin’s live migration feature produced a malfunctioning virtual machine, with broken Active Directory services.
I find it hard to understand how a specific part of a migrated machine doesn’t work while the rest of it does (unless the specific part is on a dedicated partition which has not been migrated).
A migrated machine either works or it doesn’t, simply (unless you mess with the network, having powered on both the physical and the virtual copy of the same server…).

Read the review here (at this time pages 2 and 3 are not reachable), but with care.

VMware working on VirtualCenter 1.4

An incautious press release from PCS LabMentors revealed that VMware is still working on the VirtualCenter 1.x branch, despite the availability of VirtualCenter 2.0, and is going to release version 1.4:


Joe Khoury, President of PCS LabMentors, LTD., described the expansion of the relationship indicating that “PCS LabMentors had been selected to participate in VMware’s private VirtualCenter 1.4 beta program.”…

It’s sensible to think VMware could continue developing ESX 2.x as well.

Review: InfoWorld reviews Softricity SoftGrid 4.0

InfoWorld published a brief review of Softricity SoftGrid 4.0, just acquired by Microsoft, comparing it to Altiris SVS on several occasions. It received a score of 7.5/10 (Good) and the following bottom line:

SoftGrid’s compatibility quirks mar an otherwise innovative solution to the Windows app management puzzle. The underlying sequencing and streaming technology shows promise, but a reliance on user actions to trigger the virtual environment makes it unsuitable for “headless” agents and services. IT shops considering SoftGrid should also evaluate Altiris’ SVS.
Finally, Microsoft’s decision to acquire Softricity ensures that elements of SoftGrid’s deployment model will eventually become an integral part of the larger Microsoft Server System.