Virtualization.com

News and insights from the vibrant world of virtualization and cloud computing

Search Results for: virtsec

Virtualization Security Startup HyTrust Launches With $5.5 Million In Series A Funding

by Leave a Comment

HyTrust is entering the virtualization arena today with HyTrust Appliance, which serves as a central point of control, management and visibility for virtualized environments. The company also announced it’s launching with venture capital backing to the tune of $5.5 million, a Series A funding round which was led by Trident Capital and joined by Epic Ventures.

VirtSec nowadays is less about those familiar ‘pure’ security functions like FireWalls (FW) or Intrusion Detection (IDS), but much more about the configuration control and compliance of virtualized environments. HyTrust claims to provide such centralized control, compliance,directory integration and security – requirements that become mission critical as virtual infrastructures scale up and production applications get virtualized. Readers of this blog, probably already know that in addition to immediate cost savings, virtualization enables a more flexible and dynamic infrastructure that can quickly morph to meet changing needs of any organization.

The fresh HyTrust single point of control seems to be competing with Reflex Virtualization Management Center (VMC),  Third Brigade Deep Security and an established suite of products from Catbird V-Security such as VMShield, HypervisorShield and VMPolicyCompliance. However during our interview with Eric Chiu (CEO HyTrust), he was confident that HyTrust is different by “really focusing on the underlying virtual infrastructure itself. HyTrust authenticates traffic across 5 VMware application interfaces and centrally enforces policies through role based access control. HyTrust single point of control and hypervisor security really ensures what is allowed to happen and what not.” Questioned on the introduction of a yet another single point of failure or potential security flaw, Chiu was confident that HyTrust “is even more secure than VMware vCenter, since our appliance runs on a hardened Linux OS, without command line interface and its use is strictly limited to the provided User Interface.” It goes without saying that known malicious penetration attempts, scans and probes were tested too. Apart form the current exclusive support for VMware ESX, Chiu confirmed to Simon Crosby they would come up with support for Citrix XenServer and also Microsoft Hyper-V later this year. “Our go-to-market strategy started with the VMWare enterprise datacenter customers, but we are already in talk with 3 leading Vmware cloud providers.” When it comes to cloud computing,  Chiu sees 2 main scenario’s. First the ‘internal cloud’-approach (aka located in-house, owned & internally managed by an organization), where HyTrust can provide a purpose built lasso around such corporate cloud environment. The second approach involves external cloud providers (located off-premise & managed by a third party provider) and could still make customers achieve compliance in an easy way by implementing Hytrust as a virtual appliance into that cloud offering.

Due to significantly higher rate of change in virtual infrastructure, automated controls are necessary to ensure that security and operational readiness is on par with that of physical environments. In addition, given the spread of virtualization, companies are now being faced with meeting regulatory compliance of their virtual infrastructure. HyTrust allows enterprises to meet these needs and answer the demands of auditors and their solution was created to proactively address the new challenges presented.

Rather than retroactively building necessary safeguards while sensitive data is put at risk, HyTrust, which has three patents pending, allows organizations to build a manageable virtual infrastructure foundation from the ground up. Additionally, to comply with regulations or security standards such as HIPAA, SOX and PCI/DSS, HyTrust gives enterprises the ability to demonstrate that adequate processes and enforcement controls are in place, configuration changes are consistent, and confidential information is secure. The HyTrust Appliance is the only product that addresses virtualization infrastructure control, including all four requirements outlined.

Backed by positive reactions from 12 trial customers, Eric Chiu is confident that he has gotten ‘at the right place, at the right time with the right solution’.

Pricing for the HyTrust Appliance (Enterprise Edition) is based on the number of protected VMware ESX hosts (on a per CPU/socket basis) and HyTrust Appliance license. Protection license for a 2 CPU VMware ESX host is $1,000; the HyTrust virtual appliance is $3,000; and the physical appliance is $7,500. Maintenance and support is charged on 25% of the annual license basis. HyTrust will soon make available the new HyTrust Appliance: Community Edition —a free virtual appliance available for download via the Web. Due out at the end of April, Community will allow protection for up to 3 hosts and offers an excellent way for smaller companies to bring automated virtualization best practices into their environments. HyTrust launched with a direct customer approach, but was already contacted by integrators and resellers eager to distribute licenses. Hytrust is expected to develop such hybrid distribution model in the third quarter of 2009.

Next to its venture capital investors, HyTrust is launching with an impressive list of technology partners, including VMware, Symantec, Cisco Systems and Citrix Systems.

Video: Interview Simon Crosby, CTO of XenSource – Citrix (VMworld 2008) part 2/2

by 1 Comment

In this second part of our exclusive video interview recorded at VMworld2008 in Las Vegas, the Citrix XenSource CTO denies that there is more than a ‘fabulous partnership’ between Microsoft and Citrix. In his typical outspoken style, Simon Crosby does not see his competitor VMware take of into the clouds with vaporware. He remains an advocate for open standards and shines his light on Virtualization security issues (aka VirtSec by the insiders).

.
A full transcript of the interview is below and the  first part of our interview can be viewed here.

(00:00) Simon, in the blogosphere there are these ever mounting rumors about Microsoft and Citrix. What can you comment on that relationship. Add Cisco, VMware and you’ve got a complicated puzzle.

It is.

(00:10) It’s intriguing though.  Many people see a lot of interesting things going on there, what can you say about that?

So our partnership with Microsoft is great.  I mean fabulous.  Microsoft makes a ton out of everything of what Citrix does and they give us scale and we basically take the platform, extend its features set. We’ve done this for years.  It turned out to what XenSource was doing in Virtualization with Microsoft, very similar to the traditional Citrix model of working closely with Microsoft to extend the platform and deliver a bunch of features.  So we do that today and so we’re partner in Virtualization for XenDesktop and runs great on Hyper-V, runs great on XenServer and you know, that’s a terrific partnership.  We’ve partnered also in the area of Virtualization generally and interoperability is key. But XenServer in the platinum edition, not generally known, has the ability to run VMs on VMware or Hyper-V or Xen or even bare metal. Okay, so once you’ve taken your VMs and centralized them into a central repository, we can boot them and run them on anything, right?  Which allows us to extend the concept of Virtualization beyond just Xen, to other hypervisors and even bare metal.

(01:23) If we go back to the cloud concept, because that has been buzzing this industry for a few months now.  What I find quite intriguing is that there’s no standards.  Every cloud has its own APIs and with VMware launching its newest product line (vCloud).  It’s not very clear what those APIs are going to look like, nor when we’re going to have them.  Xen is also moving in that direction with CCC or C3 (Citrix Cloud Center).

Yeah, though not from an API perspective. I agree with you that the APIs are an important one and the ABI.  That is compatibility between the enterprises that counts a big deal. The VMware announcement yesterday, the demonstration around the clouds, the big bullet point on Paul Maritz slide was compatibility, okay? Which basically says that every cloud is going to have to buy by VMware.  You know what?  It’s just not going to happen, okay?  So compatibility is an important concern.  It’s really important that enterprise that  adopt Virtualization know that their VMs will run great in their enterprise but also in the cloud and if the only way we can achieve that is if everybody buys VMware, I can tell you the industry is sunk.  That’s not going to happen.  So compatibility is an important consideration.  OVF is a great component of that and I think it gives us a good way of migrating that whole process.

(02:43)  Do you think that the DMTF is a good standards body to also look into APIs that the vendors agree upon from Amazon to Citrix?

(02:50) Simon Crosby:  I’m not so sure about the Amazon guys. You should go out and speak to Werner on that. But in general, you know Amazon is very open to moving towards standard based APIs, kind of an innovator out there. But VMware, to give them credit, is doing a great job in the DMTF.  They really are.  So, I got to tell you that I’m not a fan of LibVirt you know in the Linux world, it doesn’t have strong semantics.  It doesn’t have like a well-defined API or ABI but the DMTF world is moving forward terrifically, yeah very good.

(03:24) Virtualization was a way of abstracting. Now clouds are another way of abstracting?

They are just another hypervisor platform for me.

(03:34) What about an OS.  What would be your definition, VMware is calling it an OS? 

Oh, the data center OS?

(03:42) Interviewer:  How do you define such an OS?  Do you consider it an OS, a framework or an API set?

You know what?  I think it’s vaporware, right?  So let’s be real for a bit, there are several key things that people want to achieve.  They want to achieve greater agility, greater dynamism, and greater security. There are a lot of ways to get there. But defining a data center OS based on a product which has got a single point of failure, isn’t the way to get there.  There are very interesting technologies that one can bring to solve that problem. In general, I don’t think they (VMware) have them.  Now, it differs between enterprises and clouds on how you want to do this. Enterprise IT runs in a very different way than the cloud.  So we know today that NetScalers drives automatically very large files, that is we can use NetScalers sitting in the application hard drive to dynamically move traffic between machines whenever machine fails, between data center whenever data center fails and on the fly bring up new VMs and servers on the basis of need. Because we can watch the application response times and drive the data center in that way.  That is in particular like a kind of cloud architecture. There are some enterprise adopting it. But at data center OS which is built in the management domain out of a bunch of stuff which is really just managing software.  I don’t buy the concept.  It’s an important concept that people start to think about, that is agility and dynamism and data center reintroduce a whole bunch of complexities but it isn’t here yet.

(05:14) Maybe to finish off, you mentioned security?

Yeah.

(05:18) How do you see that involve, it’s one of the major concern of these people.  How do you secure Virtual issues?  How do you make absolutely sure that they can’t break out?

There are three things here, one of them is how do you secure the guests?  How do you secure the hypervisor?  And how do you virtualize the security function generally, okay?  So let’s start. How do you secure the guest?  You know, the basic capabilities of inspecting the traffic, block an I/O, everybody can do that.  That’s straightforward.  VMware took a one step further with VMsafe which allows their plug-in security appliances to inspect the memory of running guests.  The black hat folks just don’t like this approach, okay?  We have an equivalent thing in open source that the big scary moment is if you compromise that interface, you can get hold of any memory of any guest.  It’s really, really scary.  So you have to do better than that, you know. 

But in general, virtualizing the security function is thought very open area and Chris Hoff has a perfect take on this, you know it’s very, very early days and has a ton of work to do.  Moreover is I/O starts to go back into hardware so we just get IOV devices coming.  None of those security appliance gets to look at the traffic anymore, so it’s going to be very interesting.  So all has to get down again.  Securing a hypervisor, we’re absolutely concerned about that.  That is one of our key focuses, I guess VMware is concerned about it.  They have a big code base.  I think one of their big things that they do is they went from you know ESX to ESXi was to ditch the console OS which is a major headache for them.  You know we’re down onto tens of megabytes in software now, generally written onto read-only flash and we focus manically on securing our box, right?  That’s absolutely what we have to do.  Now can we make guest more secured?  Absolutely we can do that and that’s the next big one which is how you can use the Virtualization platform itself and Virtualization to provide greater security for the workload while it’s running and through its life cycle.  So once you separated the software from the server, can I take a guest to walk out of the building without a memory stick?  That’s an interesting question.

(07:31) Simon, I’d like to thank you for the time you’ve given us and for the straight talk and your views on Virtualization and everything around it.  See you.

Guest Post: Clouds, Networks and Recessions

by Leave a Comment

This is a cross-post of a blog article written by Gregory Ness, former VP of Marketing for Blue Lane Technologies who is currently working for InfoBlox.

Over the last three decades we’ve watched a meteoric rise in processing power and intelligence in network endpoints and systems drive an incredible series of network innovations; and those innovations have led to the creation of multi-billion dollar network hardware markets.  As we watch the global economy shiver and shake we now see signs of the next technology boom: Infrastructure2.0.

Infrastructure1.0- The Multi-billion Dollar Static Network

From the expansion of TCP/IP in the 80s/90s, the emergence of network security in the mid/late 90s to the evolution of performance and traffic optimization in the late 90s/early 00s we’ve watched the net effects of ever-changing software and system demands colliding with static infrastructure.  The result has been a renaissance of sorts in the network hardware industry, as enterprises installed successive foundations of specialized gear dedicated to the secure and efficient transport of an ever increasing population of packets, protocols and services.  That was and is Infrastructure1.0.

Infrastructure1.0 made companies like Cisco, Juniper/NetScreen, F5 Networks and more recently Riverbed very successful.  It established and maintained the connectivity between ever increasing global populations of increasingly powerful network-attached devices.  Its impact on productivity and commerce are proportionate to the advent of oceanic shipping, paved roads and railroads, electricity and air travel.  It has shifted wealth and accelerated activities on a level that perhaps has no historical precedent.

I talked about the similar potential economic impacts of cloud computing in June, comparing its future role to the shipment of spices across Asia and the Middle East before the rise of oceanic shipping.  One of the key enables of cloud computing is virtualization.  And our early experiences with data center virtualization have taught us plenty about the potential impact of clouds on static infrastructure.  Some of these impacts will be felt on the network and others within the cloudplexes.

The market caps of Cisco, Juniper, F5, Riverbed and others will be impacted by how well they can adapt to the new dynamic demands challenging the static network.

Virtualization: The Beginning of the End of Static Infrastructure

The biggest threat to the world of multi-billion dollar Infrasructure1.0 players is neither the threat of a protracted global recession nor the emergence of a robust population of hackers threatening increasingly lucrative endpoints.  The biggest threat to the static world of Infrastructure1.0 is the promise of even higher factors of change and complexity on the way as systems and endpoints continue to evolve.

More fluid and powerful systems and endpoints will require either more network intelligence or even higher enterprise spending on network management.

This became especially apparent when VMware, Microsoft, Citrix and others in virtualization announced their plans to move their offerings into production data centers and endpoints.  At that point the static infrastructure world was put on notice that their habitat of static endpoints was on its way into the history books.  I blogged about this, (sort of ) at Always On in February 2007 when making a point about the difficulties inherent with static network security keeping up with mobile VMs.

The sudden emergence of virtualization security marked the beginning of an even greater realization that the static infrastructure built over three decades was unprepared for supporting dynamic systems.  The worlds of systems and networks were colliding again and driving new demands that would enable new solution categories.

The new chasm between static infrastructure and software now disconnected from hardware, is much broader than virtsec, and will ultimately drive the emergence of a more dynamic and resilient network, empowered by continued application layer innovations and the integration of static infrastructure with enhanced management and connectivity intelligence.

As Google, Microsoft, Amazon and others push the envelope with massive virtualization-enabled cloudplexes revitalizing small town economies -and whomever else rides the clouds– they will continue to pressure the world of Infrastructure1.0.  More sophisticated systems will require more intelligent networks.  That simple premise is the biggest threat today to network infrastructure players.

The market capitalizations of Cisco, Juniper, F5 and Riverbed will ultimately be tied to their ability to service more dynamic endpoints, from mobile PCs to virtualized data centers and cloudplexes.  Thus far, the jury is still out about the nature and implications of various partnership announcements between 1.0 players and virtualization players.

As enterprises scale their networks to new heights they are already seeing the evidence of the stresses and strains between static infrastructure and more dynamic endpoint requirements.  A recent Computerworld Research Report on core network services already shows larger networks paying a higher price (per IP address) for management.  Back in grad school we called that a diseconomy of scale; today in the networked world I think it would be one of the four horsemen of infrastructure1.0 obsolescence.  Those who cannot adapt will lose.

Virtsec as Metaphor for the New Age

Earlier this year VMware announced VMsafe at VMworld in Cannes.  Yet at the recent VMworld conference mere months later the virtsec buzz was noticeably absent.  The inability of the VMsafe partners to deliver on the promise of virtualization security was a major buzz killer and I think it may be yet another harbinger of things to come for all network infrastructure players.  This issue is infinitely larger than virtsec.

I suspect that the VMsafe gap between expectations and reality drove production virtualization into small hypervisor VLAN pockets, limiting the payoff of production virtualization and I think impacting VMware’s data center growth expectations.  That gap was based on the technical limitations of Infrastructure1.0, more than any other factor.  It also didn’t help the 1.0 players grow their markets by addressing these new demands.  The result was as slowdown in production virtualization, a huge potential catalyst for IT, with new economies of scale and potential.

The appliances that have been deployed across the last thirty years simply were not architected to look inside servers (for other servers) or dynamically keep up with fluid meshes of hypervisors powering servers on and off on demand and moving them around with mouse clicks.

Enterprises already incurring diseconomies of scale today will face sheer terror when trying to manage and secure the dynamic environments of tomorrow.  Rising management costs will further compromise the economics of static network infrastructure.

The virtsec dilemma was clearly a case of static netsec meeting dynamic software capable of moving across security zones or changing states.  There are more dilemmas on the way.  Take the following chart and simply add cloud and virtualization in the upper right and kink the demands line up even higher:

If you take a step back and look at the last thirty years you’ll see a series of big bang effects from TCP/IP and application demand collisions.  As we look forward five years into a haze of economic uncertainty, maybe it’s a proper time to take heed that the new demands of movement and change posed by virtualization and cloud computing need to be addressed sooner rather than later.

If these demands are not addressed, more enterprise networks will face diseconomies of scale as TCP/IP proliferates.  They’ll experience additional availability and security challenges and will emerge when the haze clears at a competitive disadvantage after years of overpaying for fundamental things like IP address management (or IPAM).  Most enterprises today are still managing IP addresses with manual updates and spreadsheets and paying the price, according to Computerworld research.  How will that support increasing rates of change?

The Emergence of Connectivity Intelligence

As I mentioned one of the biggest challenges of virtsec was the inability of network appliances to see VMs and keep track of them as they move around inside a virtualized blade server environment (racks and stacks of powerful commodity servers deployed in a fluid pool that can add or remove servers/VMs on short notice and therefore operate with less power than the conventional data center with each server running a unique application or OS and therefore having to be powered 24/7).

The static infrastructure was not architected to keep up with these new levels of change and complexity without a new layer of connectivity intelligence, delivering dynamic information between endpoint instances and everything from Ethernet switches and firewalls to application front ends.  Empowered with dynamic feedback, the existing deployed infrastructure can evolve into an even more responsive, resilient and flexible network and deliver new economies of scale.

A dynamic infrastructure would empower a new level of synergy between new endpoint and system initiatives (consolidation, compliance, mobility, virtualization, cloud) and open new markets for existing and emerging infrastructure players.  Cisco, Juniper, F5 Networks, Riverbed and others who benefited from the evolving collisions between TCP/IP and applications could then benefit from the rise of virtualization and enterprise and service provider versions of cloud, versus watching it from the sidelines.

The Rise of Core Net Service Automation

That connectivity intelligence requirement will make core network service automation (DNS, DHCP, and IPAM, for example) strategic to infrastructure2.0.  Most of these services are today manually managed.  That means that network and system are connected and adjusted manually.  More changes will mean more costs and more downtime and less budget for static infrastructure.

These networks need dynamic reachability (addressing and naming) and visibility (status and location) capabilities.  In essence, I’m advocating the evolution of a central nervous system for the network capable of delivering commands and feedback between endpoints, systems and infrastructure; at the core it would be a kind of digital positioning system (DPS) that would enable access, policy, enforcement and flexibility without the need for ongoing and tedious manual intervention.

In between recent emails with Rick Kagan and Stuart Bailey (both also at Infoblox) Stuart recommended Morville’s “Ambient Findability”.  I soon found out why.  The following is from the online Amazon review:

“The book’s central thesis is that information literacy, information architecture, and usability are all critical components of this new world order. Hand in hand with that is the contention that only by planning and designing the best possible software, devices, and Internet, will we be able to maintain this connectivity in the future.”

In a recessionary scenario these labor-intensive strains will get worse as budgets and resources are trimmed.  Rising TCO for infrastructure will impact the success of the infrastructure players as well as VMware, Microsoft and others, as virtsec friction has already impacted VMware.  The virtualization players will be forced to build or acquire application layer and connectivity intelligence as a means of survival.  They may not wait for the static team to convert to a more fluid vision.

That is why the fates of the static infrastructure players (and IT) will be increasingly tied to their ability to make their solutions more intelligent, dynamic and resilient.  Without added intelligence today’s network players will benefit less and less from ongoing innovations that show no sign of slowing; the impacts of a recession would be made even more severe.

VMware Buys Blue Lane (Updated)

by 3 Comments

VMware went shopping and came back home with Cupertino-based Blue Lane Technologies. Despite the lack of press releases, this transaction was confirmed by Mary Ann Gallo, VMware’s head of Global Public Relations. Unfortunately she could not disclose the financial details.

Update: according to Brenon Daly from The 451 Group, the price was around $15 million, and Blue Lane was in search for a buyer since last Summer because of lack of sufficient capital. He also mentions Blue Lane raised “some $18.4m in two rounds of funding”, but our information keeps it at $13.4m.

The acquired company provides solutions that secure virtual and physical data centers. Its solution secures servers and VMs by controlled code execution in the network and taking appropriate countermeasures against traffic aimed at known software vulnerabilities (without signatures).

Blue Lane was quite silent after releasing VirtualShield 4.2 last April. We interviewed Greg Ness, former VP of Marketing with Blue Lane (and avid blogger) and Thierry Evangelista, Technical Director Europe for the company at VMworld Europe earlier this year.

This acquisition confirms VMware’s commitment to virtualization security or VirtSec in short.

Blue Lane was founded in 2002 and has raised $13.4 million to date in two financing rounds from Benchmark Capital, DAG Ventures and Matrix Partners. According to Greg Ness, who left the company last July to join Infoblox, Blue Lane has around 40 employees.

Below, you can find 3 embedded videos encompassing a long interview we did with Ness last June when he was still with the company.


Interview BlueLane Greg Ness 1/3 from Toon Vanagt on Vimeo.


Interview BlueLane Greg Ness part 2/3 from Toon Vanagt on Vimeo.


Interview BlueLane Greg Ness 3/3 from Toon Vanagt on Vimeo.

Thanks to Virtualization.info for the news.

Blue Lane Technologies

Embotics Releases White Paper on Virtualization Security

by Leave a Comment

Embotics today announced “Understanding VirtSec,” a new study that focuses on virtual server security issues inherent in IT environments. The research addresses threats posed by virtualization deployments and the technology that is available to tackle these emerging issues. Authored by David M. Lynch, vice president of marketing of Embotics, the white paper identifies immediate and potential security threats so organizations can plan accordingly.

Virtualization security is a wide concern for IT executives and Embotics’ “Understanding VirSec” summarizes the new threats and issues associated with server virtualization. The research, containing a wide range of user feedback, helps IT executives differentiate the potential future security issues from those that are present today, and offers recommendations and best practices to minimize these risks.

As virtualization deployments expand and become more complex, organizations are facing increased risk of data center security threats. Embotics’ “Understanding VirtSec” provides an overview of why IT administrators cannot rely on IT policies and processes that existed pre-virtualization, and how the impact of an uncontrolled environment in the data center is detrimental.

0wning Xen?

by 1 Comment

InvisibleThings.org posted some more details on their Xen Owning Trilogy session at last weeks Black Hat conference in Las Vegas.

Joanna Rutkowska and her crew gave a series of 3 talks discussing different potential security issues with Xen. With the VirtSec awareness growing this obviously is an important topic .

When quickly skimming trough the presentations the big question that arise is , how relevant is this all for a day to day production environment. Given the fact that some exploits assume you already root before you can install a stealth backdoor and others rely on specific hardware features that might or might not be available in your setup things might be that critical yet.

All 3 talks can be found on the Invisiblethingslab.com site

Virtualization.com will have a closer look at the discussed issues and we’ll be back with more detail later.