Four areas: continue to enhance the core platform, pulling out the console OS (a vulnerable 32M piece of code) to eliminate attacks on that code; integrate external technologies, using what they already have; protection at the host level instead of inside each VM; and policy-driven security, with clouds and SLAs managed at the environment level rather than individually.

Platform security is a core area of focus, making sure the platform is hardened against attack. VMware takes the primary responsibility for this activity. The second area is to ensure that existing security processes within the enterprise are enabled, so that VI can be operated in a secure fashion in the enterprise. Virtual appliances help customers deploy more security than is possible in physical datacenters, increasing the overall “density” of security in a virtualized datacenter. Lastly, we believe that virtual systems can be more secure than physical ones. This is all built on the foundation of VMsafe-enabled products, but in addition, changes to the way customers can deploy and operate their systems in a virtual environment will make things more secure.
Application vServices, to recap, are services provided by our platform to applications, uniformly, and enabled by simple point and click in most cases. Let’s review the current application vServices provided by VMware and the new vServices in 2009.
Partner solutions that utilize VMsafe have the following advantages over existing security mechanisms:
- They can protect VMs without needing to install agents inside each VM.
- They can perform a multitude of tasks that protect a VM holistically (monitor VM components on the host, network traffic through the distributed switch). AV, firewall and IPS can all be in one appliance.
- They can do all these tasks efficiently in a dynamic environment where the virtual machine moves from host to host. For example, if a VM is being monitored on a particular host, it carries its security state with it to the next host, where another appliance starts monitoring it.
vShield Zones is a new Application vService providing fundamental and critical network security for the VDC-OS.

Expanding virtualization deployments in the datacenter are encompassing multiple areas of trust, such as DMZ (demilitarized zone) buffers to the Internet and sensitive data such as credit card information subject to Payment Card Industry (PCI) compliance or corporate financial data covered by Sarbanes-Oxley. These varying trust zones must be segmented with firewalls and other network security. Existing physical appliances require diverting traffic to external chokepoints, splintering ESX resource pools into small fragments and disrupting the seamless vision of an internal computing cloud.

vShield Zones is a virtual appliance that allows you to monitor and restrict inter-VM traffic within and between ESX hosts to provide security and compliance within shared resource pools. vCenter integration lets you create network zones based on familiar VI containers such as hosts, clusters, vswitches and VLANs. vShield Zones scans VMs for known applications to present network flows and security policies by application protocol rather than as raw network flows. Virtualization awareness and application awareness increase accuracy and reduce the risk of misconfiguration and noncompliance. Consistent security policies can be assured throughout a VM lifecycle, from initial provisioning to VMotion across various hardware to final decommissioning. A complete view of virtual machines, networks and security policies allows you to audit security posture fully within the virtual environment to meet defined security SLAs, irrespective of changes to your external physical network and perimeter.
Here is a screenshot of what you see with the VM Flow monitoring capability. The UI allows you to drill down and see what’s happening in more and more detail:
- Allowed vs. disallowed traffic
- Protocol (UDP, TCP, etc.)
- Incoming vs. outgoing
- Categorized (i.e. traffic which can be attributed to a particular application) vs. uncategorized (other)
- Application (i.e. which protocol is responsible)
- Source and destination
The firewall feature in vShield Zones is called VM Wall. This configuration screen reveals one of the most important aspects of the product: the fact that you can create rules based not simply upon individual IP addresses, but upon logical zones. The zones in this case are the ones mentioned earlier: datacenter, cluster, VLAN.

Because you can create rules based upon zones instead of individual IP addresses, the total number of rules is far fewer than if you simply ported a physical firewall to a virtual appliance. For example, for a typical three-tier app with 4 hosts and 8 VMs per tier, you’d need more than 700 rules if you were using individual IP addresses! By contrast, using logical zones, the number of rules collapses down to a mere 12.

A second important point is the fact that these rules need not simply be based on port number, but can be based on application. Due to the built-in application awareness, you can block traffic even for applications that use a range of ports or ephemeral ports. vShield Zones knows when an application is trying to communicate, and blocks all traffic for that application regardless of which port it tries to use.
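As an added illustration (my own simplified model, not VMware code and not VM Wall’s actual rule format), the Python below shows why rules keyed by zone and application stay compact and remain valid after a VM moves hosts. The inventory is constructed, only allow rules are counted, and the zone is assumed to be the VLAN, so the rule counts are not the ones quoted above.

```python
from dataclasses import dataclass

# Constructed inventory for a three-tier app (added example, not VMware code):
# each VM is tagged with the VI containers it belongs to; here the zone is its VLAN.
@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    host: str
    vlan: str   # zone membership follows the VLAN, not the host or the IP address

def build_inventory(hosts=4, vms_per_tier=8):
    """Spread 8 VMs of each tier (web, app, db) across 4 ESX hosts."""
    vms = []
    for t, tier in enumerate(("web", "app", "db")):
        for i in range(vms_per_tier):
            vms.append(VM(f"{tier}{i}", f"10.{t}.0.{i + 10}", f"esx{i % hosts}", tier))
    return vms

# Zone-level rules keyed by application name, not by port; anything unlisted is denied.
ZONE_RULES = {("web", "app", "http"): "allow", ("app", "db", "sql"): "allow"}

def evaluate(src, dst, app, port, rules=ZONE_RULES):
    """Decision depends on (src zone, dst zone, app). The port is deliberately ignored,
    so an application using ephemeral ports is still matched by its application name."""
    return rules.get((src.vlan, dst.vlan, app), "deny")

def expand_to_ip_rules(vms, rules=ZONE_RULES):
    """The same allow policy written out per IP pair, as an IP-based firewall needs it."""
    return {(s.ip, d.ip, app): action
            for (sz, dz, app), action in rules.items()
            for s in vms if s.vlan == sz
            for d in vms if d.vlan == dz}

def vmotion(vm, new_host):
    """Move a VM to another host; IP and VLAN (hence zone) are unchanged, so rules still apply."""
    return VM(vm.name, vm.ip, new_host, vm.vlan)

if __name__ == "__main__":
    inv = build_inventory()
    web0, app0, db0 = inv[0], inv[8], inv[16]
    print(len(ZONE_RULES), "zone rules vs", len(expand_to_ip_rules(inv)), "IP-pair rules")
    print(evaluate(web0, db0, "sql", 1433))                        # deny: web must go via app tier
    print(evaluate(vmotion(web0, "esx3"), app0, "http", 49152))    # allow survives the move
```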
Compliance and governance managers. This group is interested in the fact that a license has been deployed that requires authorization to use, and that an audit trail exists documenting that usage procedures are established and followed. In this case, there need not be a difference between the virtualized and native applications, as either configuration allows tracking and management of the license through the same tools used today. ThinApp virtualized applications register with WMI (similar to natively installed applications) and can be tracked by the same mechanisms used to inventory and track natively installed applications. Because the virtual package is an .MSI or .EXE, it can also be registered with the Definitive Software Library and tracked through the normal change and configuration management and asset management systems used today for natively installed applications.
Pricing considerations are of paramount interest for some customers, but make sure that they also see the value in what they are buying. VMware View is packaged starting at the level of Citrix’s mid-tier package offerings, but also compare what is purchased with each option. VMware View Premier offers capabilities not available in Citrix’s top offering, and is priced 36% less.
Slide: vSphere - Virtual Datacenter OS from VMware. Make applications more scalable, secure and resilient in a virtual environment than physical. (Diagram labels: Off-premise Cloud, On-premise Infrastructure, vCenter; VMware Infrastructure -> virtual datacenter OS; Application vServices, Infrastructure vServices (vCompute, vStorage, vNetwork; Scalability, Security, Availability), Cloud vServices; workloads: SaaS, Linux, Grid, Windows, J2EE, .Net, Web 2.0.)
vSphere features: DPM, Hot Add, Fault Tolerance, Thin Provisioning, Data Recovery, VMsafe, Distributed Switch, Host Profiles.

- DPM: consolidates workloads onto fewer servers when the cluster needs fewer resources. Distributed Power Management will be fully supported in production; DPM with WoL will still be supported experimentally only.
- Hot Add: dynamically add additional compute, memory or network/storage resources as applications grow. Gives admins the ability to scale VMs without disruption to end users.
- Fault Tolerance: ensures continuous availability for virtual machines against hardware failures. VMware FT creates virtual machine “pairs” that run in lock step, essentially mirroring the execution state of a VM and eliminating data loss or downtime for any application.
- Thin Provisioning: optimizes storage costs through the most efficient use of storage in virtual environments. Use Thin Provisioning to reduce storage costs by up to 50%.
- Data Recovery: quick, simple and complete data protection for your VMs. Data Recovery provides agent-less, disk-based backup and recovery (VM or file level) of your VMs.
- vShield Zones: comply with corporate security policies and regulations on data privacy while still running applications efficiently on shared computing resource pools. vShield Zones makes it easy to centrally manage and enforce compliance with security policies across large pools of servers and virtual machines.
- VMsafe: enables the use of security products that work in conjunction with the virtualization layer to provide higher levels of security to virtual machines. Partners working on VMsafe products: Symantec, Trend Micro, Check Point, Internet Security Systems and McAfee.
- Distributed Switch: simplifies and enhances the provisioning, administration and control of virtual machine networking. The VMware Distributed Switch is a new type of virtual switch which spans the entire Virtual Infrastructure and enables the network to be treated as an aggregated resource.
- Host Profiles: standardize and simplify how customers configure and manage ESX host configurations. This feature in vCenter Server 4.0 allows the creation of a “golden profile” from an existing host and using it as a template to configure other hosts.

vSphere – New & Improved Enterprise OS
Slide: VMware VMsafe Multi-function Security Appliance. (Diagram labels: Security VM, vNetwork Distributed Switch.)
Integrated, more effective, comprehensive security solutions within the virtual infrastructure
Better than physical: automatic protection, right-sized security capacity
Agent-less deployment of partner security services
Single security VM for multiple security services AV, Firewall, IPS
Mobility-awareness: Security policy and state moves with virtual machine
(Diagram: VMware ESX hosts, each running several App/OS virtual machines.)
Bring back previously decentralized applications and data into the corporate data center.
Centrally control and manage all off-site access to these sensitive applications and data.
Extend their corporate network security levels to off-site facilities.
Sensitive applications and data are no longer stored on off-site computers.
Data integrity and business continuity (DR) is more easily maintained.
Applies to most users: not just off-shore users and contractors, but mobile workers and branch office employees, too.
Regulatory compliance requirements are more easily adhered to. (HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley)
Server-based Desktop Virtualization: moving the desktop to a virtualized image in the data center allows the complex components to be protected and managed. (Diagram: profile, user data and apps held on file servers.)
Universal Operating System “Gold” Image: a single encapsulated hardware build for all users allows for better tuning and hardening of the underlying operating system. (Diagram: profile, user data and apps held on file servers.)
Patch Management in the Data Center: patches can be delivered at data center network speeds, or virtual machines can be periodically destroyed and rebuilt cleanly. (Diagram: profile, user data and apps on file servers, with a patch server.)
Access Control: controlling access to the virtualized desktops provides further protection to applications and user data. (Diagram: profile, user data and apps on file servers, with access blocked to one app.)
Elimination of Complex Devices at the Edge: users can be issued tamper-proof thin clients with no moving parts to complete the solution. (Diagram: profile, user data and apps held on file servers.)
Data Security - Backing Up: with a fully virtualized desktop, backups are not only simplified, they’re actually possible. (Diagram: profiles, user data, apps and a VM template held on file servers.)
Applications are encapsulated in their own container
Each application is separated from other applications and the operating system
Application virtualization intercepts file and system calls between the application and the OS
Security Benefits of Application Virtualization
Single App to Patch
No need to “install” software on systems
Can be run as a user-mode application with no admin rights
Can be run from a central location
Integrated Virtualization Solution: users can be issued tamper-proof ACE instances with virtualized apps and network access only through View instances to complete the solution. (Diagram: profile, user data and apps held on file servers.)
Competitive Pricing/Packaging Comparison (* experimental support only)
Columns: XenDesktop Advanced ($195), XenDesktop Enterprise ($295), XenDesktop Platinum ($395); VMware View Enterprise ($150), VMware View Premier ($250).
Rows compared: Virtualization Platform, Connection broker, Secure remote access, Storage Optimization, Multi-backend support, Application Virtualization, Offline Desktop*, High Availability, Dynamic Provisioning, Desktop Monitoring (some items provided via Partner).
Cost Comparison

VMware cost per user:
- Premier Bundle: $250.00 (list price per user, Premier Bundle)
- Support and Maintenance: $62.00
- ESX Server HW: $156.25 (ESX server $10,000, 64 users on 8 core system)
- Provisioning Server HW Cost: $ - (virtual machine on ESX)
- Connection Broker HW Cost: $ - (virtual machine on ESX)
- Storage Costs: $30.00 (space for linked clone)
- Total per user cost: $498.25

Citrix cost per user:
- Xen Desktop Advanced: $295.00 (list price per user, XenDesktop Platinum)
- Support and Maintenance: $48.75
- Xen Desktop Server HW: $312.50 (XEN server $10,000, 32 users on 8 core system)
- Provisioning Server HW Cost: $16.67 (physical server per documentation, 300 users for $5,000)
- Connection Broker HW Cost: $4.17 (physical server per documentation, 1200 users for $5,000)
- Storage Costs: $30.00 (in theory some costs, but will be minimal)
- Total per user cost: $707.09 (+ additional server for XenApp, + TSCAL, +, +)