VMware announces Ultimate Virtual Appliance Challenge winners

After more than 4 months of work and a lot of hype about the company and the new concept of virtual appliances, VMware can finally declare its Ultimate Challenge closed:

VMware, Inc., the global leader in software for industry–standard virtualized desktops and servers, today announced the winners of the Ultimate Virtual Appliance Challenge at LinuxWorld 2006. The Ultimate Virtual Appliance Challenge began February 27, 2006 and was designed to foster continued innovation in developing virtual appliances, which are pre-built, pre-configured and ready-to-run software applications packaged with the operating system into virtual machines….

The winners are:

1# ($100,000) HowNetWorks
The appliance features an Ubuntu distribution tailored around the open source network sniffer Ethereal (now Wireshark) and a special application, HowNetWorks, created for the challenge.

This application acts as an analysis console for the traffic Ethereal collects, simplifying some basic troubleshooting operations, like identifying the so-called top talkers (the machines generating and receiving the most traffic) or detailing the most used protocols at a given time.
For more complex work it can invoke Ethereal itself, feeding it the packets you want to investigate.

HowNetWorks aims to provide a few neat capabilities behind an easy interface, and it succeeds in the effort with its pretty effective sequencer.
The only concern is the packet buffer, which is limited to 300MB (oldest-out approach): a selling point for the development team but a notable limitation for me.

2# (50,000) Trellis NAS Bridge Appliance
The appliance features a minimal Linux distribution, the winning PHP web interface launched by m0n0wall and subsequently adopted by other great liveCDs like pfSense and FreeNAS, and a Samba server.
The objective is simple: connect remote disks on several storage servers, reachable through different protocols, and present them in a consolidated way.

Trellis NAS Bridge Appliance is different from a traditional storage server because it only acts as a mapper for remote storage and does not offer local or remote disk management capabilities.

It only supports storage mapping and connection over SMB/CIFS and SSH, but I hope the project will grow and implement iSCSI and Fibre Channel support as well.
I also hope to see a joint effort between this project, FreeNAS and OpenFiler to create a reliable liveCD solution able to act as a storage server or a storage bridge on demand.

Trellis NAS Bridge Appliance is a concrete example of storage virtualization over server virtualization. Pretty effective.

3# (25,000) Sieve Firewall
This submission is pretty original, featuring a Windows application which creates a minimal Linux liveCD distribution.
The resulting ISO has to be mapped to the virtual appliance's CD-ROM drive, transforming it into a read-only, transparent firewall.

I’m quite concerned about this third-place assignment.

The Sieve team did a great job developing a new product and is surely much more appreciated than many other submissions where you just see the usual software packed inside a virtual machine.

Sieve Firewall also has the big merit of having made the most of its virtual environment, cutting away all unneeded drivers except those needed to drive the virtual hardware and reaching a record size.
Still, the solution has serious problems on several points:

  • While a read-only firewall could appear to be a great security solution, recreating the ISO and replacing it inside the virtual machine (which means you have to shut it down, interrupting service) every time you change a setting is simply impractical.
  • Rules are created sequentially and there is no way to check them all together (as in any other firewall rulebase) and understand what you are doing, or whether and where there are errors (such as putting a more permissive rule above a more restrictive one).
  • Rules are still defined with TCP/UDP ports, which implies a deep knowledge of security and application behaviour.
    It has also been a deprecated approach in desktop firewalling for years: application proxies have proven to be much simpler and more effective at mitigating already installed malware.
  • The whole configuration with rules, pipes (to be intersected with rules for QoS), zones and blacklists (which are to be considered exceptions to allow rules) requires notable knowledge.
  • The whole product is very raw and misses several basic and mandatory features, like network address translation (NAT).
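
The whole-rulebase check described in the second point above can be sketched as follows. This is an added example, not code from Sieve or from the original post: the `Rule` shape, the sample rulebase and the first-match, top-down evaluation order are all assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:               # hypothetical rule shape, not Sieve's format
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network in CIDR notation
    port_lo: int          # destination port range, inclusive
    port_hi: int

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet that matches b also matches a."""
    return ((a.proto == "any" or a.proto == b.proto)
            and ip_network(b.src).subnet_of(ip_network(a.src))
            and a.port_lo <= b.port_lo and b.port_hi <= a.port_hi)

def find_shadowed(rules):
    """Return (earlier_no, later_no, kind) for each rule that can never fire.

    Assumes first-match, top-down evaluation. Only full shadowing by a
    single earlier rule is reported; partial overlaps are not.
    """
    findings = []
    for i, later in enumerate(rules):
        for j, earlier in enumerate(rules[:i]):
            if covers(earlier, later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                findings.append((j + 1, i + 1, kind))
                break  # the first covering rule is the one that wins
    return findings

# Constructed sample rulebase, in evaluation order.
RULEBASE = [
    Rule("allow", "tcp", "10.0.0.0/8", 1, 1024),
    Rule("deny", "tcp", "10.1.2.0/24", 23, 23),      # meant to block telnet
    Rule("allow", "udp", "0.0.0.0/0", 53, 53),
    Rule("allow", "udp", "192.168.0.0/16", 53, 53),
    Rule("deny", "any", "0.0.0.0/0", 1, 65535),      # default deny
]

if __name__ == "__main__":
    for earlier, later, kind in find_shadowed(RULEBASE):
        print(f"rule {later} is shadowed by rule {earlier} ({kind})")
```

A "conflict" finding is the dangerous case: the restrictive rule was written but never takes effect because a broader rule above it matches first.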

Nothing personal against Michael Jett and Kennieth Goodwin, but in my opinion at the moment Sieve doesn’t reflect the canons of simplicity and innovation (which, at this point, I could have completely misunderstood) that this challenge aimed to enforce.

Check all other mentions here.