Monday, 12 May 2008

13:30-14:30 Monday, May 12, 2008 Radically Transforming Security in a Virtualized World

Speaker: Neil MacDonald

I decided to attend this session on the basis that we are embarked on a program of virtualization and, if that means that we need to re-think how we ensure the security of our systems, having a strategic view on how security paradigms are impacted by virtualization would be useful.

"Virtualization will radically change how you secure and manage computing environments."

Two main topics: How can virtualization be used today to improve security; what will we be able to do that radically changes security in the longer term.

Today:

There are multiple layers of virtualization: presentation; applications; operating system/hardware. VMware is 85% of the market. Citrix, Microsoft and VMware are all looking at having offerings at all the different layers of virtualization. Most of today's talk will be around the virtualization layer between the hardware and the operating system.

Moving from having a host operating system to a hypervisor (like ESX or Hyper-V) is a good move from a security perspective, as the attack surface of a hypervisor is much smaller than that of a whole host operating system. Clearly securing the hypervisor is critical: a successful attack on the hypervisor takes down everything above it.

At the guest operating system level, virtual machines can become virtual firewalls and virtual intrusion detection systems. The vendors are different from the hardware appliance vendors, and much less expensive. The hardware vendors are slow to produce virtual versions of their products because the virtual versions sell for so much less (think of them as software-based appliances, as opposed to more expensive hardware-based appliances). [Maybe we should consider looking at virtual IDS and virtual firewall vendors as an alternative to hardware solutions; a proof-of-concept is much less expensive, which is the up-side. The down-side is that we know less about what the software appliance is composed of: whether, for example, it is built on an embedded, older version of Linux that is vulnerable to known attacks.]

OVF (Open Virtualization Format) packages a VM together with XML-based metadata that can be digitally signed. You can't necessarily trust the metadata: the code inside the package might still be low quality, and the package might have been signed after it was tampered with. Signing is not a silver bullet.
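As an added illustration of that last point (my example, not from the talk and not any vendor's tool), the script below checks the per-file digests in an OVF manifest and then shows where the check stops helping. It assumes the OVF 1.x manifest line format `ALGORITHM(filename)= hexdigest` and builds a constructed two-file package in a temporary directory: the clean package verifies, a tampered disk image is caught, and a manifest regenerated after the tampering verifies again. Verifying the signature over the manifest (the .cert file) is left out on purpose; even with it, a valid signature only proves the manifest is what the signer published, not that the disk contents are safe.

```python
"""Check the per-file digests in an OVF manifest and show the limits of that check.

Added example for these notes; not from the talk and not any vendor's tool.
Assumes the OVF 1.x manifest line format  ALGORITHM(filename)= hexdigest
(SHA1 in OVF 1.0, SHA256 allowed in later versions). The package is constructed.
"""
import hashlib
import os
import re
import tempfile

MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+?)\)=\s*([0-9A-Fa-f]+)\s*$")


def parse_manifest(text):
    """Return a list of (algorithm, filename, hexdigest) from manifest text."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = MANIFEST_LINE.match(line)
        if not match:
            raise ValueError("bad manifest line %d: %r" % (lineno, line))
        entries.append((match.group(1).lower(), match.group(2), match.group(3).lower()))
    return entries


def file_digest(path, algorithm):
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_package(package_dir, manifest_name="package.mf"):
    """Map each manifest entry to True (digest matches) or False (mismatch or
    file missing). Files on disk that the manifest never mentions are not
    checked at all, which is itself a gap worth knowing about."""
    with open(os.path.join(package_dir, manifest_name)) as handle:
        entries = parse_manifest(handle.read())
    results = {}
    for algorithm, filename, expected in entries:
        path = os.path.join(package_dir, filename)
        if not os.path.isfile(path):
            results[filename] = False
        else:
            results[filename] = file_digest(path, algorithm) == expected
    return results


def write_manifest(package_dir, filenames, manifest_name="package.mf", algorithm="sha1"):
    """What a packaging tool does; also exactly what anyone who controls the
    package can do after tampering (and then re-sign with their own key)."""
    lines = ["%s(%s)= %s" % (algorithm.upper(), name,
                             file_digest(os.path.join(package_dir, name), algorithm))
             for name in filenames]
    with open(os.path.join(package_dir, manifest_name), "w") as handle:
        handle.write("\n".join(lines) + "\n")


def demo():
    """Constructed package: clean check, tampered check, re-manifested check."""
    files = ["appliance.ovf", "appliance-disk1.vmdk"]
    with tempfile.TemporaryDirectory() as package_dir:
        with open(os.path.join(package_dir, files[0]), "w") as handle:
            handle.write('<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"/>\n')
        with open(os.path.join(package_dir, files[1]), "wb") as handle:
            handle.write(b"KDMV" + b"\x00" * 1024)   # constructed stand-in for a disk image
        write_manifest(package_dir, files)
        clean = verify_package(package_dir)

        with open(os.path.join(package_dir, files[1]), "ab") as handle:
            handle.write(b"appended by someone who tampered with the disk")
        tampered = verify_package(package_dir)

        write_manifest(package_dir, files)       # "signed after it is tampered with"
        resigned = verify_package(package_dir)
    return clean, tampered, resigned


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "re-manifested"), demo()):
        print("%-14s %s" % (label, result))
```

The practical consequence: a digest or signature check tells you the package has not changed since the manifest was produced, so the question to ask of an appliance vendor is who produced the manifest, with which key, and what was in the image at that moment.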

Virtualizing a browser allows the browsing of sites that might have malicious content—but the virtualization layer protects the PC from the mal-ware (GreenBorder, AppSense). Might try to check out "portable personalities" tomorrow where the notion of creating a boundary between trusted and untrusted is turned on its head—making a trustable space in an untrusted environment.

Longer term:

VM state inspection via the hypervisor. Configuration management can be done at the hypervisor level rather than inside the virtualized OS, via a security VM (think of it as a security appliance VM) that inspects state such as processor state, memory pages, network state, disk blocks, process control blocks, threads and processes, services, applications, files, handles and kernel modules. The aim is to control what the virtualized OS does, not what it is. McAfee claim that, in that environment, they could run a single instance of anti-virus software per physical host rather than one per virtualized operating system. Because the protection sits outside the virtualized operating systems, it can also cover out-of-support operating systems, and the security software cannot be turned off by malware: the scope of control available inside the virtualized OS does not extend to the protecting software (like anti-virus).

Security workloads can be applied quickly and dynamically, just as we can start and stop virtual machines dynamically. Applying hot patches; changing policies—and doing so at the VMM/hypervisor layer rather than the individual virtualized workloads.

We need to ensure that security is a mandatory part of evaluation of virtualization solutions: Gartner will help with more specific recommendations.

Thursday, 15 November 2007

Panel Discussion: The Green Datacentre

Just to keep everyone on their toes—especially those who can see my calendar, I have switched session to see an interactive one. I thought it would be good to understand the issues surrounding the green datacenter given that we are just getting started on the new ISS building. Let's see what happens.

AMD, Citi, Dell, HP, Intel, Green M3, Microsoft. An impressive cross-section of people in the panel.

  • Harvey Cobbold, CitiGroup
  • Ed English, Dell
  • Michael Manos, Microsoft
  • Ramon Huesa, AMD
  • Nigel Bridgeman, HP
  • Kevin O'Donovan, Intel
  • Dave Ohara, Green M3 (moderator)

Citigroup are spending $232M on a new datacenter—saving 11000 tonnes of CO2 and cutting energy use by 75%.

$0.5B data center being built by MSFT in Dublin, complete by mid-2009, with tens of thousands of servers.

Interesting that very early on—talking about the roof on the data center, the operational costs might be lower for the green solution, but the initial capital cost is higher. When we looked at value engineering the new ISS building, did we look at capital plus three years, five years, twenty years? Interesting, for a 20 year lifespan, the capital cost of a datacenter is 6%-10%... that's very low.

http://www.techworld.com/opsys/news/index.cfm?NewsID=8110

So it seems that these guys have not developed a set of KPIs—instead they seem to be responding to legislative bodies. Disappointing. It might be worth us looking at what the EU is doing, as, in the lifespan of the new ISS building, we may have to comply…

There seems to be a lot of tap-dancing in this session. No one seems to have KPIs or long-term targets for the efficiency of their computing power—without that, the notion of a green datacentre is really a marketing ploy, not an environmentally responsible initiative…

Next Generation Networking in Windows Server 2008

Rafal Lukawiecki; Strategic Consultant, Project Botticelli Ltd: rafal@projectbotticelli.co.uk

Chris thought this session was about food poisoning, but in fact it's about Italian painters… :-)

  • Introducing Next Generation (NG) TCP/IP (crash course)
  • Teaching us IPv6 assuming good knowledge of IPv4 (crash course)
  • Discuss enhancements to Windows Server 2008 networking environment

We want things faster, higher connectivity, simpler administration—innovative concepts, not just flashy UIs.

Issues with Vista networking: throughput down-throttling during multimedia playback, and the performance of large file copies (including local ones). The MMCSS service is the problem. The faster your network, the more obvious this issue is. Will be fixed in Vista SP1 and Windows Server 2008 RTM.

NG TCP/IP

Entire protocol stack re-written for first time since 1990—for security, performance, and developer support.

Three big scalability enhancements.

  1. TCP window scaling, aids both sending and receiving.
  2. Explicit Congestion Notification – Vista and WS2008 honour the congestion mark (ECN) that a router can set in the IP header of a packet it forwards when its queues are filling. The receiver echoes the mark back, and the sender backs off how much it is trying to send rather than making the problem worse, without waiting for packets to be dropped.
  3. Multiprocessor scalability of NDIS 6.0. NDIS 5.1 did not allow the distribution of packets across processors.
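As an added worked example (mine, not the presenter's), the decoder below parses a TCP header to show what the first two enhancements look like on the wire: the window-scale option, which extends the 16-bit window field, and the ECE/CWR flag bits that an ECN-capable SYN carries so both ends know the mark will be honoured. The two segments are constructed with the helper at the bottom, not captured, and the window and shift values are assumed rather than measured on Vista.

```python
"""Decode a TCP header: flags (including the ECN bits), the window-scale
option and the other options a SYN carries.

Added example for these notes, not from the presenter; the two segments are
constructed with build_segment(), not captured, and the window/shift values
are assumed rather than measured on Vista.
"""
import struct

FLAG_BITS = {"FIN": 0x001, "SYN": 0x002, "RST": 0x004, "PSH": 0x008,
             "ACK": 0x010, "URG": 0x020, "ECE": 0x040, "CWR": 0x080, "NS": 0x100}
MAX_WSCALE = 14      # RFC 1323: a shift count above 14 is treated as 14


def parse_options(raw):
    """Parse TCP options into a dict; unknown kinds are kept by number."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        value = raw[i + 2:i + length]
        if kind == 2 and len(value) == 2:
            opts["mss"] = struct.unpack("!H", value)[0]
        elif kind == 3 and len(value) == 1:
            opts["wscale"] = min(value[0], MAX_WSCALE)
        elif kind == 4 and length == 2:
            opts["sack_ok"] = True
        elif kind == 8 and len(value) == 8:
            opts["timestamps"] = struct.unpack("!II", value)
        else:
            opts.setdefault("unknown", []).append((kind, bytes(value)))
        i += length
    return opts


def parse_tcp_header(data):
    """Return the fields a congestion-control or IDS engineer cares about."""
    if len(data) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(data):
        raise ValueError("bad data offset %d" % data_offset)
    flags = {name for name, bit in FLAG_BITS.items() if off_flags & bit}
    opts = parse_options(data[20:data_offset])
    wscale = opts.get("wscale")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window, "options": opts,
        # The window field is 16 bits; the shift in the SYN says how much this
        # side will scale the windows it later advertises (only in effect if
        # the peer's SYN carried the option too).
        "effective_window": window << wscale if wscale is not None else window,
        # RFC 3168: ECN-setup SYN = SYN+ECE+CWR without ACK;
        # ECN-setup SYN-ACK = SYN+ACK+ECE with CWR clear.
        "ecn_setup_syn": {"SYN", "ECE", "CWR"} <= flags and "ACK" not in flags,
        "ecn_setup_synack": {"SYN", "ACK", "ECE"} <= flags and "CWR" not in flags,
    }


def build_segment(sport, dport, seq, flag_names, window, options=b""):
    """Construct a TCP header (no payload) for the demo; pads options to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4
    flags = 0
    for name in flag_names:
        flags |= FLAG_BITS[name]
    header = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                         (data_offset << 12) | flags, window, 0, 0)
    return header + options


# Constructed: an ECN-capable SYN offering a window-scale shift of 8.
SCALED_ECN_SYN = build_segment(
    49152, 443, 0x12345678, ("SYN", "ECE", "CWR"), window=8192,
    options=b"\x02\x04\x05\xb4"      # MSS 1460
            b"\x01\x03\x03\x08"      # NOP, window scale: shift 8
            b"\x01\x01\x04\x02")     # NOP, NOP, SACK permitted

# Constructed: a legacy SYN with no options; the 16-bit field caps the window at 65535.
LEGACY_SYN = build_segment(40000, 80, 1, ("SYN",), window=65535)

if __name__ == "__main__":
    for name, segment in (("scaled/ECN", SCALED_ECN_SYN), ("legacy", LEGACY_SYN)):
        info = parse_tcp_header(segment)
        print(name, sorted(info["flags"]), info["options"],
              "effective window", info["effective_window"],
              "ECN-setup SYN", info["ecn_setup_syn"])
```

Two things worth noticing when you run it: the scaled SYN's 8192 window becomes a 2 MiB effective window, which is why a firewall or IDS that ignores the option mis-sizes its view of the connection, and a middlebox that clears ECE/CWR on the SYN silently turns ECN off for that connection.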

Performance enhancements, through following a large number of RFCs (couldn't catch all of them) :-)

  • No restart or reboot needed when configuring
  • Policy based QoS
  • Auto-configuring and self-tuning of IPv4
  • Roaming in IPv4 and IPv6 better.

Security

  • Full resistance to TCP/IP DoS attacks
  • Multiple firewalls can be configured, and will not fight each other in the same way they do in XP.

CRASH COURSE IN IPv6

There is a university in the States with more addresses allocated than the whole of Asia. We will run out of IPv4 addresses in 2010 to 2011… (Vint Cerf)

  • IPv4 makes peer-to-peer really hard
  • Security is not built in from the ground-up.

3.4×10^38 (2^128) addresses in the IPv6 address space.

It does look like there are some security advantages to having an environment with both Windows Server 2008 and Windows Vista. We should be looking at how to combine our plans for deploying Vista with our plans for deploying Windows Server 2008—we should be thinking about which Windows Server 2008 deployments will get us the best bang-for-the-buck.

Windows P2P is for IPv6 only. QoS is managed by GP—very cool demo showing how QoS can be used to restrict the bandwidth available to specific applications or specific IP addresses. Perhaps we could allow certain kinds of traffic if we knew that we could limit the bandwidth that was available to particular services, particular address spaces.

Check out http://www.xtseminars.co.uk

Intel vPro and System Center Configuration Manager 2007

Out-of-band management. Imagine that your motherboard draws a small amount of current even when your machine isn't running—rather than just wake-on-LAN (which has been around for years) there are all kinds of other things that you can do to your machine while it is turned off… :-) This is the presentation that will tell us what (and I know both the presenters—one from MSFT, one from Intel).

We were a little surprised (or at least I was) that the presentation was not particularly well attended—I wonder if that is because "vPro" is not actually in the title of the session. I guess I knew as a result of the inside track that AMT (Active Management Technology) is part of vPro and that out-of-band management is what you can do with AMT.

  • Remote Power Control: power a device up or down over the wire (including, of course, Wake-on-LAN)
  • Redirecting IDE—allows a help-desk operator to re-boot your machine from a known good image elsewhere on the network.
  • Serial-over-LAN (seeing the BIOS screen on a remote machine, during boot)

SCCM 2007 provisioning of the AMT technology; Query of AMT enabled devices; Remote console (BIOS). Out-of-Band service point is a new SCCM site role. Certificate based security, with mutual authentication via Active Directory and Kerberos.

Can use in conjunction with Operating System Deployment Task Sequencing (in SCCM 2007) – so the ISO image that performs a task sequence – gets kicked off through IDE redirection. Nice. Though the transport differs between AMT 2 and AMT 3, the admin does not need to know what protocol is being used.

UK Education Session

Two different presentations this afternoon—the dominant one was live@edu which took so much time that there was little time left to see the presentation on infrastructure optimization—the latter is where the real follow-ups are—we can complete a significant survey which will tell us where we are with respect to infrastructure optimization. Brad Anderson (see my previous posting) related Infrastructure Optimization to significant differences in Total Cost of Ownership—significant savings on a per PC basis, and something we should be thinking very carefully about—how much is it worth spending on infrastructure optimization given the ultimate cost savings. The assessment is here: http://www.microsoft.com/business/peopleready/bizinfra/ac/bpio.mspx The UK HE folks at Microsoft will help us to also get the third party survey that allows us to assess total cost of ownership.

The breadth of the live@edu offering is quite significant—though the speaker was very up-front that the offering is not going to provide the best student experience, but may provide the cheapest. Given the other (e-mail) discussions about push-mail during the day, I asked some questions about whether and how the experience could be split, and they do expect that live@edu might be a student offering without it being a faculty and staff offering. It provides e-mail (via hotmail); shared calendar; messenger; document collaboration; shared filestore and sharepoint-like workspace. Their profit model is through the search engine—if you search for something through the site, then the search page will have sponsorship—advertising—but everything else is ad-free and free.

One possibility would be to offer this as e-mail for life to alumni—but they do not expect this to be anyone's primary e-mail address, and they do accept that students do tend to flit from one e-mail address to the next—but hope/pray that their spam filters will solve that problem… I am not convinced. Spam seems to come in waves as the war between spammers and filters continued. You only need one wave to hit while alumni are using live@edu and they switch to another e-mail and we have lost them…

The other problem with offering the service only to alumni is that we don't get them used to the experience while they are at the university, so our confidence in their continued use of the service is low…

My inclination is to skip live@edu, but I am more than willing to continue a green hat discussion if that's what people want to do.

Wednesday, 14 November 2007

Microsoft Application Virtualization 4.5

First Microsoft branded release of Microsoft Application Virtualization 4.5

Focus on:

  • Dynamic Virtualization
  • Extending Scalability
  • Globalization
  • Microsoft Security Standards

Application Isolation: keeping the application separate from Windows so that it is not impacted by differences between different versions of Windows and so on. When there is Middleware that needs to be sequenced with the main application, it is not in the "context" of the application. Today, that is solved by "suiting" the application with the middleware. That is a problem when I want to update the Middleware that is "suited" with many different sequenced applications. With 4.5, we can decide at run-time which other applications or Middleware will run in the same "SystemGuard Environment".

4.1 and 4.2 were not sufficiently scalable, or manageable.

Three different flavours of delivery options:

  • Full infrastructure: AD and SQL Server req'd; desktop configuration service; dynamic delivery; desktop configuration
  • Lightweight infrastructure: dynamic delivery; No desktop configuration
  • Standalone mode: No server req'd—delivered via CD.

Nice that the streaming happens in the background to ensure the maximum amount of streaming has happened by the time you are trying to use the application. Right now, streaming does not happen until you require the next page of memory. It sounds like this is really solved with 4.5.

4.5 will also allow sequenced applications to be run by people that access them across the internet (if we sequenced applications we could provide them to students and staff off campus—even people who never came to campus). Integration with SCCM 2007 R2—the infrastructure from SCCM 2007 R2 can be used by Application Virtualization.

Active Directory Domain Service in Microsoft Windows Server 2008

What a mouthful. Starting with the notion of the Read-Only Domain Controller (RODC). There's a new tool for prepping a machine to be an RODC. If no account passwords are cached on the RODC (which is the default) the machine holds little worth stealing if it is compromised; replication is one-way, so the RODC only receives changes and never replicates back to other DCs. It does not require that a domain admin ever log on to the machine, so it sounds like a great machine to put in a branch location where there is no IT admin staff… hmmmm… wonder if there are applications for us at the University.

Fine-grained password policies can be applied to global security groups or to individual users, so the whole domain no longer has to share one password policy. Where several policies would apply to the same person, a precedence algorithm decides which one wins. They cannot be applied to OUs.
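The precedence algorithm itself, as an added example (mine, not from the talk, and not an AD API): the function below works out the resultant Password Settings Object for a user from constructed directory data, following the rules Microsoft documents for fine-grained password policy, with group nesting resolved. The rules and the GUID comparison are assumptions stated in the code; the names, DNs and GUIDs are made up.

```python
"""Resultant Password Settings Object (PSO) for a user.

Added example for these notes; not from the talk, not an AD API, and the
directory data below is constructed. The precedence rules are the ones
Microsoft documents for fine-grained password policy (assumed here):
  1. PSOs linked directly to the user beat PSOs linked to its groups.
  2. Among candidates, the lowest msDS-PasswordSettingsPrecedence wins.
  3. On a tie, the PSO with the smallest objectGUID wins (compared here as
     a 128-bit integer; AD's exact byte ordering is not reproduced).
  4. If no PSO applies, the domain's default password policy applies.
PSOs link to users and global security groups only, never to OUs.
"""
import uuid
from collections import namedtuple

PSO = namedtuple("PSO", "name precedence guid applies_to")   # applies_to: set of DNs
DEFAULT_POLICY = "Default Domain Policy"

# Constructed directory: group DN -> direct members (users or nested groups)
GROUPS = {
    "CN=Staff,DC=example,DC=ac,DC=uk":  {"CN=alice,DC=example,DC=ac,DC=uk",
                                          "CN=bob,DC=example,DC=ac,DC=uk"},
    "CN=Admins,DC=example,DC=ac,DC=uk": {"CN=bob,DC=example,DC=ac,DC=uk"},
    "CN=IT,DC=example,DC=ac,DC=uk":     {"CN=Admins,DC=example,DC=ac,DC=uk"},  # nested
}

# Constructed PSOs; two share precedence 10 on purpose to show the tie-break
PSOS = [
    PSO("PSO-Admins", 10, uuid.UUID(int=200), {"CN=Admins,DC=example,DC=ac,DC=uk"}),
    PSO("PSO-IT",     10, uuid.UUID(int=100), {"CN=IT,DC=example,DC=ac,DC=uk"}),
    PSO("PSO-Staff",  20, uuid.UUID(int=300), {"CN=Staff,DC=example,DC=ac,DC=uk"}),
    PSO("PSO-Alice-Exception", 50, uuid.UUID(int=400), {"CN=alice,DC=example,DC=ac,DC=uk"}),
]


def effective_groups(user_dn, groups):
    """Transitive closure of the groups containing user_dn (handles nesting)."""
    found, frontier = set(), {user_dn}
    while frontier:
        newly = {g for g, members in groups.items() if g not in found and members & frontier}
        found |= newly
        frontier = newly
    return found


def _best(candidates):
    return min(candidates, key=lambda pso: (pso.precedence, pso.guid.int))


def resultant_pso(user_dn, groups=GROUPS, psos=PSOS):
    """Name of the PSO that applies to user_dn, or DEFAULT_POLICY."""
    direct = [pso for pso in psos if user_dn in pso.applies_to]
    if direct:                       # a direct link wins regardless of precedence
        return _best(direct).name
    member_of = effective_groups(user_dn, groups)
    via_group = [pso for pso in psos if pso.applies_to & member_of]
    if via_group:
        return _best(via_group).name
    return DEFAULT_POLICY


def precedence_conflicts(psos=PSOS):
    """Precedence values shared by more than one PSO: the GUID tie-break is
    deterministic but arbitrary, so duplicates are worth flagging in review."""
    seen, dupes = set(), set()
    for pso in psos:
        if pso.precedence in seen:
            dupes.add(pso.precedence)
        seen.add(pso.precedence)
    return dupes


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        dn = "CN=%s,DC=example,DC=ac,DC=uk" % user
        print(user, "->", resultant_pso(dn))
    print("precedence values used more than once:", precedence_conflicts())
```

Note what the rules imply for the University case: a weak PSO linked directly to a user (alice's "exception" here) overrides any stricter group-linked policy, whatever its precedence value, so direct links deserve the same review as group membership; and giving two PSOs the same precedence hands the decision to a GUID comparison nobody chose.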

Apparently we really ought to regularly back up our DCs…