Friday, October 26, 2007

Monday, October 22, 2007

A Day of VMware Seminars

I recently spent a day at VMware seminars on server and desktop virtualization. I knew going in that it would be mostly a sales pitch, but I hoped to learn a few things from the events.

It turned out that there were a couple of hours of good content.  Unfortunately, it took all day to get it out.

A few highlights-

One thing I am really tired of hearing is that you can "deploy servers in minutes instead of days or weeks". Although that gem was trotted out repeatedly during the day, it was effectively rebutted by their own "customer success story" presenter. An IT manager from LL Bean shared his experience with their multi-year VMware migration and deployment. He stated clearly that deploying servers takes a minimum of a few hours, even if an appropriate VM is available for the task. It turns out that he actually patches, updates, and optimizes the VMs for the specific task before deployment- and also considers network configuration and other related issues. At least some of VMware's customers have a clue.

One of the desktop deployment scenarios mentioned was letting developers and QAs deploy their own systems, which will be safe because of some sort of "fencing".  That might be true if the virtual machine library is always up to date and developers never need to add weird software you've never heard of or vetted.  And Unicorns will prance around the development lab, too.

At one point, while touting the new, lightweight 3i devices, it was mentioned that reducing the footprint between the guest and the hardware would contribute to a more secure virtual environment because [truth alert] the Service Console exposes over half of the known vulnerabilities in VMware deployments and a lighter virtual environment would expose a smaller attack target. That was refreshing.

A couple of cool things are on the horizon-

VMware is going to integrate a patch management system into Virtual Center. Initially it will only patch the host and hypervisor, but eventually it will also be able to patch Windows guest OSes, maybe even others.

Also, distributed power management is being developed which will allow servers to be redistributed and put into and out of standby to minimize power consumption.  I don't think I'll be seeing the benefits of this feature in small business, but it is still pretty slick.

As always, I think virtualization can be a great asset- if deployed properly.

Jack

Sunday, October 21, 2007

A different kind of Zombie Server lurks ahead.


I'm not sure how I missed this, but I have finally realized that server virtualization is going to be a security nightmare, creating a class of zombie servers that will be hard to kill. Now that it is fairly easy to get old software off of old hardware and onto modern, reliable hardware, we may (will) end up with vast fleets of obsolete software living well beyond its normal life. The pain of hardware upgrades is often a driving factor in forcing software upgrades; "do it once, and do it right" may be out the window with simplified hardware upgrades. We can keep the old (obsolete, unpatched, and insecure) software running indefinitely, occasionally providing it with a fresh body to inhabit. Virtualization will become a form of life-support, creating vast armies of undead servers.

As insecure as they will be, thanks to the wonders of virtualization-enhanced Disaster Recovery, these zombies will be hard to kill, too- they'll just keep coming back to life.

Far-fetched? Wait 'til the bean counters figure out that they can force software to live longer (and perform better) by simply doing sporadic hardware refreshes.


Jack

Saturday, October 13, 2007

Concern for Customers- gone wrong



I signed up for email updates from a small craft brewer and vintner a couple of years ago. The messages are infrequent and unobtrusive (as they should be), just updates on latest releases and special events- until this week. The list received a message from the vintner explaining that their webhost's servers had been hacked and that we should not visit their site until the system was cleaned up. Unfortunately, they included a live link to their website in the message.

I'm sure it wasn't intentional; their email client probably just converts anything that looks like a URL into a link, but the result was sending their entire list a link to a compromised site.

Of course I fired up VMware, launched a Windows guest OS and headed over to the site to see what I could find- but they had already restored the webserver- no sign of malware. It is good that the webhost did the cleanup so quickly, but I was a little disappointed that I couldn't infect a machine to poke at later.

We still haven't received a "sorry folks, everything's back to normal" message from the vintner, either. I think there might have been better ways to handle the situation...

Jack

Friday, October 12, 2007

Only XKCD...

...can make database security funny.


Monday, October 8, 2007

I want one!

I discovered a cool little toy today. Well, it looks cool, but we can't play with them yet.

I'm talking about the Bug Labs' BUG platform.

"BUG is a collection of easy-to-use, open source hardware modules, each capable of producing one or more Web services. These modules snap together physically and the services connect together logically to enable users to easily build, program and share innovative devices and applications."

"BUGbase is the foundation of your BUG device. It's a fully programmable and "hackable" Linux computer, equipped with a fast CPU, 128MB RAM, built-in WiFi, rechargeable battery, USB, Ethernet, and a small LCD with button controls. It also has a tripod mount because, well, why not? Each BUGbase houses four connectors for users to combine any assortment of BUGmodules to create their ultimate gadget."

Promised extension modules include GPS, a camera/videocam, touch screens, a mini QWERTY keyboard and a teleporter. I'm not holding my breath for the last one, though.

What kind of monitoring, scanning, sniffing, attacking, whatever- device could you build with this rig?

I wonder if I can get my hands on one before Shmoocon?

Jack

Monday, October 1, 2007

Virtually impossible

I'm trying to virtualize some old legacy app servers for a client- NT4 boxes. I have used VMware's Converter for Physical-to-Virtual migrations with great success on Windows 2000 and up, but it just doesn't like the NT machine's network settings- so I decided to try Microsoft's own physical-to-virtual migration tools and see if the outcome was better.

Short version:
Do not try this; not at home, not at work, not anywhere, not ever.

A few details of the Microsoft P2V "solution"-
First, start with a Windows 2003 Enterprise Server
Install and configure ADS (Automated Deployment Services)
(ADS requires either MS SQL Server or the MS SQL Desktop Engine- MSDE)
(ADS also requires IIS, the web server, to be installed!)
Install MS Virtual Server 2005
Install MS VSMT (Virtual Server Migration Toolkit)
Now you can start to think about configurations...
As an added bonus- MS VSMT only converts "server" OSes, not desktops.
And, VSMT only does live migration- the source server is shut down at the end of the migration and the VM is booted. That is a great testing scenario...
What is wrong with these people?

By comparison, VMware's free Converter installs on (and converts) NT4 and up server and desktop OSes, can be "pointed at" a machine to convert or run locally on the machine (or even converted cold with a boot CD if you buy the management suite). Tweaking the networks doesn't look so bad anymore.

The security angle, you ask? There are a few obvious ones- such as building a complex system to convert the machines and then hosting them on the same complicated (and bloated) box, going live and dropping the old machine without testing the VM, and configuration fatigue. Configuration fatigue is when you are so tired of wrestling a system that you give up as soon as it works, telling yourself "I'll secure it later"- of course this thing is already live by that time, and "later" is too late for production system security.

Sorry to sound like an ad for VMware, but the Microsoft answer is just plain wrong. Besides, you can use VMware's Player, Server, and Converter for free.

Jack