March 2011 archive

Five VMware security breaches that should never happen

VMware security breaches should not be taken lightly, especially now that there’s a spotlight on regulatory compliance and the shift toward cloud computing.

Virtual hosts house many workloads, and if an unscrupulous individual gains unauthorized access to a host, that person can potentially compromise all of its virtual machines (VMs). That means virtualization administrators should pay special attention to preventable VMware security breaches. There are several potential weak points where VMware security breaches can occur.

Making VMware security less like Swiss cheese

Out-of-the-box, VMware vSphere is fairly secure, but you can make it more susceptible to security breaches if you’re not careful with its configuration and remote-access settings.

By default, VMware disables many features that would make administration easier, and enabling these features weakens security. In ESX, for example, administrators typically enable the Web user interface. And in ESXi, many IT pros allow access to the remote console through Secure Shell (SSH) connections. These actions may make your job easier, but they open up attack vectors for unauthorized individuals.

An even bigger vulnerability is the host’s management console. It’s the door to your entire virtual infrastructure, so don’t pass out many keys. Lock up the management console tightly and use it only when absolutely needed — which typically isn’t often. Other areas of concern are VM data stores, management and storage network traffic, virtual networking, application programming interfaces, VM-host interconnects, vCenter Server roles and permissions and third-party add-ons.

The bottom line: Know your weak points and make them secure.

Read the full article at searchvmware.com…


Managing storage for virtual desktops

Implementing a virtual desktop infrastructure (VDI) involves many critical considerations, but storage may be the most vital. User experience can often determine the success of a VDI implementation, and storage is perhaps the one area that has the most impact on the user experience. If you don’t design, implement and manage your VDI storage properly, you’re asking for trouble.

VDI’s impact on storage

The biggest challenge for storage in VDI environments is accommodating the periods of peak usage when storage I/O is at its highest. The most common event that can cause an I/O spike is the “boot storm” that occurs when a large group of users boots up and loads applications simultaneously. Initial startup of a desktop is a very resource-intensive activity with the operating system and applications doing a lot of reading from disk. Multiplied by hundreds of desktops, the amount of storage I/O generated can easily bring a storage array to its knees. Boot storms aren’t just momentary occurrences — they can last from 30 minutes to two hours and can have significant impact.

After users boot up, log in and load applications, storage I/O typically settles down; however, events like patching desktops, antivirus updates/scans and the end-of-day user log off can also cause high I/O. Having a data storage infrastructure that can handle these peak periods is therefore critical.

Cost is another concern. The ROI with VDI isn’t the same as server virtualization, so getting adequate funding can be a challenge. A proper storage infrastructure for VDI can be very costly, and to get the required I/O operations per second (IOPS) you may have to purchase more data storage capacity than you’ll need.

Expect to spend more time on administration, too. Hundreds or thousands of virtual disks for the virtual desktops will have to be created and maintained, which can be a difficult and time-consuming task.

Read the full article in the March 2011 issue of Storage Magazine…


Tips for using the iPad vSphere Client

A few tips and tricks for using the new iPad vSphere Client:

1. The vCenter Mobile Access (vCMA) appliance is required; the iPad vSphere Client cannot connect directly to hosts and vCenter Servers. The vCMA is needed as a proxy: the iPad vSphere Client connects to the vCMA, and the vCMA then connects to the destination host/vCenter Server. I ran netstat on the vCMA and also on the vCenter Server, and it looks like all connections between the iPad/mobile devices and the vCMA are on port 443; additionally, it looks like the only port used between the vCMA and the vCenter Server is port 443 as well. So if you need to configure firewalls, the only port you should need to open is port 443.


2. You MUST use the latest version (1.0.0.42) of the vCMA, which was released on 3/14/11; if you use an older version you will get an error message that the connection has failed. This is because the iPad vSphere Client connects to the vCMA using SSL, and prior versions of the vCMA did not support SSL. If you have an older version (1.0.0.41 or earlier) of the vCMA already deployed, delete it and re-deploy the new one.


3. You MUST set the Web Server field in the Settings app of the iPad before you can use the vSphere Client app. This field is for setting the IP address of the vCMA so the app knows where to connect. The field name is confusing; it should say vCMA hostname/IP address. Make sure you do not put https:// in this field, just the host name or IP address.


4. You will get a certificate error when logging in every time the app is freshly opened (not running in the background). This occurs because a self-signed certificate is used for SSL; this is common with any self-signed certificate, and the same behavior happens in web browsers.


I’ve tried installing the certificate onto the iPad by extracting it into a DER file using a web browser, emailing it to myself, opening it on the iPad and installing it as a profile, and the error still occurs. I also tried installing it with the iPhone Configuration Utility, with the same results. Therefore it looks like the only way to eliminate the error is to create and install a trusted certificate from a vendor like GeoTrust or Verisign. This process is not documented and is fairly complex, so it might be difficult to do.


5. While you can connect to either a vCenter Server or directly to ESX/ESXi hosts, it looks like there is a bug that occurs when you connect directly to hosts. After you connect, if you click on a VM you will get a “NullPointerException: Operation Failed” error message. This issue has also been reported to happen on some hosts even when connecting to a vCenter Server. VMware is currently investigating this issue; you can help by adding your feedback here if you experience the problem.


6. As soon as you deploy the vCMA, change the root password right away; the default login for the vCMA is root/vmware. To do this, open a console window on the vCMA, select Login from the CLI console window and log in using the username root and password vmware. Once logged in, type the command passwd and enter the new root password. You can then type logout to end the session.


7. The Set Time Zone option on the CLI console main screen does not work; to set the time and time zone you can use standard Linux commands (all commands are case sensitive). The vCMA is running CentOS; follow the procedure below to update the time zone and time:

  1. Open a console window on the vCMA and select Login from the CLI console window.
  2. In the CLI console change to the timezone directory: cd /usr/share/zoneinfo
  3. Find the file for your time zone; you can type ls to see the directory contents (blue items are sub-directories). There are both general (i.e. Mountain) and specific (i.e. Denver) time zones for areas; either will work. Note the path to the file you plan on using.
  4. Back up and get rid of the current time zone file by moving it: mv /etc/localtime /etc/localtime-old
  5. Create a new symbolic link to point to the time zone file that you chose in step 3: ln -sf /usr/share/zoneinfo/US/Mountain /etc/localtime
  6. To change the time, type date -s "20 MAR 2011 10:30:00"
  7. Log out, and the proper time zone should show on the vCMA main blue screen.

8. While you can successfully connect to vCenter Server 2.x and ESX 3.x hosts with the app, you will not be able to do anything and will not see any host/VM objects listed. However, ESX 3.x hosts appear and work OK if they are managed by a vCenter Server 4.x and you connect to it with the app.

9. There is currently a bug that prevents you from scrolling through the list of hosts if they exceed the number that can be displayed on the screen. Typically this means more than 12 hosts; this will most likely be fixed in the next version.

10. Bear in mind that the iPad vSphere Client and vCMA are “Flings”, which means they are technology previews; essentially, a Fling is a live beta version that is still being developed. It will get better quickly as new versions are released; the development schedule for this will be much quicker than the usual VMware update schedule for vSphere software. VMware wants customer input to guide its development efforts and determine which features to include in the app, so be sure to let them know by posting in the vCMA forums. Features like vMotion and remote VM consoles have been frequently requested already. VMware plans to integrate the vCMA functionality natively into vCenter Server in a future release.

11. Being a Fling also means there is currently no official support for the app. VMware is watching the vCMA and iPad app forums, though, and will respond to any issues that are posted there.

12. You can also use the vCMA with any mobile device with a web browser by connecting to the following URL: https://<IP address or hostname of vCMA>/vim, i.e. https://192.168.1.133/vim. Note that you must use https; there is no http running on the vCMA and no automatic redirection from http to https. VMotion is supported on the vCMA web UI by using the Migrate feature.


13. Don’t forget to RTFM; here are some helpful links for the iPad vSphere Client app and vCMA:


VSphere Client for iPad: VMware management on the go

The new VMware vSphere Client for iPad, a native iOS application that performs basic host and virtual machine (VM) administration and monitoring tasks, hit Apple’s App Store today.

The initial release of the VSphere Client for iPad doesn’t have the complete functionality of the vSphere Client. It’s designed to perform approximately 80% of the most common vSphere administration tasks, but this first release can perform roughly 50% of the most common tasks.

It’s also worth noting that VMware doesn’t officially support the vSphere Client for iPad. It’s part of VMware Labs, which issues experimental tools and applications.

Currently, the vSphere Client for iPad can execute the following tasks:

* monitor host and VM performance;
* manage VM power states;
* manage VM snapshots;
* place hosts in maintenance mode and restart them; and
* perform basic network troubleshooting using ping and traceroute.

A big feature that’s missing is performing a vMotion, which will be added later.

The VMware vSphere Client for iPad is not a standalone app. It requires the vCenter Mobile Access (vCMA) appliance, which is a free, pre-built virtual appliance that can be imported directly into vCenter Server. Before you can take advantage of the vSphere Client for iPad, you have to download and install vCMA, then connect it to the iPad app.

Read the full article at searchvmware.com along with part 2


Top 10 virtualization management tools

Virtualization vendors such as Citrix Systems, Microsoft and VMware deliver great hypervisors, but they don’t often provide the most robust virtualization management tools.

Until recently, vendors such as VMware have traditionally focused their development efforts on the core of their products. This left the door open for third-party vendors to develop virtualization management tools that addressed some of the shortcomings in management and usability that existed.

Third-party virtualization management tools

Today there are many third-party vendors that pick up the slack by delivering feature-rich applications. These apps go beyond the basic tools supplied by virtualization vendors and include security, monitoring, reporting, backups and automation. Although many of the best virtualization management tools are expensive, there are also many lower-cost and free tools available that can help make virtualization management easier.

One big enabler for third-party vendors is the application programming interfaces (APIs) and software development kits (SDKs) that virtualization vendors develop. Third-party vendors can use them to directly integrate with the virtual hosts, virtual machines (VMs) and other components of the virtual environment.

VMware, in particular, has lots of APIs, SDKs and toolkits in many areas that vendors can use to develop applications. They include storage and backup integration with its vStorage APIs and security and networking integration with its VMsafe APIs. Vendors such as Microsoft have more limited API support, including WMI APIs, but they all are continually adding more APIs as products mature.

But although virtualization vendors have always provided the tools and support for third-party vendors to develop applications, they are now starting to compete with them by adding to their core products some of the virtualization management features that vendors have traditionally addressed.

Read the full article at searchservervirtualization.com…


VSphere Enterprise Plus: Persuading your boss to upgrade your VMware licenses

VSphere Enterprise Plus is the only tier of VMware licenses that provides Host Profiles, which streamline host provisioning and configuration, and Distributed vSwitches, which are advanced virtual switches that span multiple hosts. Enterprise Plus also includes other new features and increased resource limits.

As a result, many companies that have Enterprise licenses might consider upgrading to Enterprise Plus. But these VMware licenses can be expensive, and organizations usually require you to prove the business case and justify the cost. This sample letter should help make a convincing argument for upgrading to vSphere Enterprise Plus.

Read the full article at searchvmware.com…


vCenter Mobile Access – now with https support

The vCMA is considered a “Fling”, which means it is an experimental app that is not officially supported and is more of a technology preview. The vCMA has been out for over a year and can be used by mobile devices to provide web-based basic administration of vSphere. I first downloaded the vCenter Mobile Access (vCMA) virtual appliance from VMware’s website a few weeks ago in preparation for the iPad vSphere Client application that is due to be released soon; VMware released an updated version of the vCMA in February that added support for the vSphere Client iPad application.

After installing the vCMA I found a really big security hole with it: by default all client connections to it are made over http, and there is no support for enabling https. This means all the traffic between your mobile devices and the vCMA is in plain text, including your login credentials to hosts and vCenter Server. I ran a sniffer on my PC to prove this and saw my login information clear as day. I looked around in the vCMA forum and found a post from someone at VMware that gave general instructions for enabling https. It was not an easy process at all and involved creating your own certificates and modifying files inside the vCMA operating system. Most users would not be able to do this on their own.

I brought this to VMware’s attention; I couldn’t believe that they did not have https support for the vCMA. This should have been the highest priority above everything else. Well, VMware agreed; they quickly responded and turned around a new version of the vCMA inside of 2 weeks’ time. The new version now has https enabled by default, using a certificate that VMware installed on the appliance, so all network traffic is safe and sound.

So if you already have the vCMA installed, make sure you download and install the new version of it, as you run a great risk using it unsecured.
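The iPad tips post above notes that the iPad client and the vCMA talk only on port 443 and that the appliance's self-signed certificate triggers a warning on every launch, and this post describes the plaintext-http exposure the updated appliance fixes. The Python audit below is an added example, not VMware's code or the author's; it assumes a reachable appliance address (the value you put in the iPad's Web Server field) and uses this machine's trust store to decide whether the certificate is trusted.

```python
import socket
import ssl

HTTP_PORT, VCMA_PORT = 80, 443  # 443 is the only port the iPad client and vCMA use


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_verify_status(host, port=VCMA_PORT, timeout=3.0):
    """(trusted, reason): trusted is True when the appliance certificate chain
    validates against this machine's trust store; otherwise reason carries
    OpenSSL's verify message, e.g. 'self signed certificate' for the stock cert."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, "chain validates"
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except ssl.SSLError as exc:  # e.g. handshake refused for an old TLS version
        return False, str(exc)
    except OSError as exc:
        return False, "connect failed: %s" % exc


def classify(http_open, https_open, trusted, reason=""):
    """Turn probe results into the findings a vCMA admin acts on."""
    findings = []
    if http_open:
        findings.append("port 80 answers: plaintext http, credentials exposed (pre-https vCMA)")
    if not https_open:
        findings.append("port 443 closed: the iPad client cannot connect")
    elif not trusted:
        findings.append("port 443 certificate not trusted (%s): client warns each launch" % reason)
    return findings


def audit_vcma(host):
    """Probe a live appliance; host is what you put in the iPad's Web Server field."""
    http_open, https_open = tcp_open(host, HTTP_PORT), tcp_open(host, VCMA_PORT)
    trusted, reason = tls_verify_status(host) if https_open else (False, "")
    return classify(http_open, https_open, trusted, reason)
```

Run `audit_vcma("192.168.1.133")` (the address from tip 12) after upgrading the appliance: an empty list means only https is answering and the certificate chain validates; the self-signed finding goes away once a vendor-issued certificate is installed as described in tip 4.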

