
Yesterday afternoon I was out with a few friends enjoying a nice sunny day away from my computers. After having a few beers at a great pub, my mind was far away from work and I began to live in real life again. My eyes began to readjust and their veiny red lines began to recede. The carpal tunnel in my hands began to wear off. A fresh blush of color began to bleed into my cheeks. In short, I no longer looked like a vampire waiting to strike. All was well… that was, until THEY walked into the pub looking for a fight.
The four douche bags sat next to us and began saying things that really got to me. No, they weren’t talking smack about my Yankees. No, they weren’t bantering under their breath about my hot girlfriend. They were talking about Hyper-V and VMware security… and they wore their lack of knowledge on their sleeves (which, I might add, led up to some seriously popped collars).
At first I thought my friend was trying to punk me. I looked around for cameras or Ashton – no sign of either. So, these dudes started talking about deploying some solution and how they have to provide the highest level of security and all this nonsense. I remained quiet and managed to mind my own business as they had their chat, until the topic hit VMware. My blood began to boil when one of them (the Security Know-It-All Dude – or just The Dude, as I like to call him) started to talk about VMware security flaws. The Dude even mentioned something about a vulnerability with VMotion and how it’s not very secure and all that crap. As the Dude (the main douche bag) mentioned this, I could see myself teaching my next class with a missing tooth, bloodied lip, and black eye a la Fight Club. Believe me, the Dude would look much worse. I fought the instinct to get into their discussion (or jump off my barstool), but I was two Guinness down and incapable of staying quiet about what was going on. So, I jumped in on the conversation in order to school these douche bags about VMware and true security. No fisticuffs. I would just run good old-fashioned geek circles around the Dude and his pals. What I told him was the truth:
VMware has made a great deal of changes to the architecture of their platform in a load of different areas. Those advancements have been happening since Virtual Infrastructure 3 and even more so with vSphere 4. I want to take this moment and inform everyone who follows Punching Clouds about a few major security changes that I laid out for the douche bags regarding the re-architecture of the new ESX/ESXi 4.0:
- The Service Console is now based on the 64-bit version of the Linux 2.6 kernel.
- The VMkernel now runs and owns the device drivers.
- The Service Console (what Microsoft calls the Parent Partition or Management Operating System for Hyper-V on Windows Server 2008) now has Address Space Layout Randomization (ASLR): software is loaded at randomized memory addresses, so an attacker trying to hijack a process can no longer predict where its code and data will be stored in memory.
- Support for Trusted Platform Module (TPM) chips as another way to verify the authenticity of driver signatures.
- All development environments and libraries, GCC included, along with anything else that could be used to compile code and run it on the host, have been removed.
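The three host-side points in that list (64-bit kernel, ASLR on the management OS, no compilers on the box) are things you can verify rather than take on faith. The script below is an added example written for this post, not VMware's own tooling: the sysctl path, the list of build tools and the pass criteria are my assumptions, chosen to match the hardening points above, and each check takes its input as an argument so it can be pointed at a test file or directory instead of the live host.

```sh
#!/bin/sh
# Management-OS hardening audit (added example, not VMware tooling).
# Assumptions: a Linux-style /proc sysctl for ASLR, a PATH-based tool
# lookup, and the tool list below as the set of "can compile and run
# code on the host" binaries that should be absent.

# check_64bit [ARCH]: pass when the kernel architecture string is 64-bit.
check_64bit() {
    arch="${1:-$(uname -m)}"
    case "$arch" in
        x86_64|amd64|aarch64) return 0 ;;
        *) return 1 ;;
    esac
}

# check_aslr [FILE]: pass when randomize_va_space reads 2 (stack, mmap,
# heap and brk all randomized). A value of 1 leaves the heap predictable,
# and a missing or unreadable file counts as a failure, not a pass.
check_aslr() {
    f="${1:-/proc/sys/kernel/randomize_va_space}"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "2" ]
}

# check_no_toolchain DIR...: fail (and list offenders) if any build tool
# that would let an attacker compile and run code on the host is present.
check_no_toolchain() {
    rc=0
    for dir in "$@"; do
        for tool in gcc cc g++ make ld as; do
            if [ -x "$dir/$tool" ]; then
                echo "toolchain binary present: $dir/$tool"
                rc=1
            fi
        done
    done
    return $rc
}

# report NAME CMD...: run one check, print PASS/FAIL, return its status.
report() {
    name="$1"; shift
    if "$@"; then
        echo "PASS $name"; return 0
    else
        echo "FAIL $name"; return 1
    fi
}

# audit_host: run every check against the live host; the exit status is
# the number of failed checks so it can gate a deployment pipeline.
audit_host() {
    failures=0
    report "64-bit kernel" check_64bit || failures=$((failures + 1))
    report "full ASLR" check_aslr || failures=$((failures + 1))
    # shellcheck disable=SC2046  # PATH is split on ':' on purpose
    report "no compilers" check_no_toolchain $(echo "$PATH" | tr ':' ' ') \
        || failures=$((failures + 1))
    echo "$failures check(s) failed"
    return $failures
}

audit_host || echo "host does not meet the baseline"
```

Run it on the box itself for a quick read, or feed `check_aslr` and `check_no_toolchain` a copied sysctl file and an unpacked root filesystem when auditing an image offline.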
The Security Super Douche tried to counter with something about footprint size and all, and I asked him if he’d been living under a rock, because he seemed to have missed the news about ESXi. To address his tirade on VMotion and its security vulnerability, I pointed out that any security issues were resolved and that, in any case, the VMotion network should always be isolated whenever possible, as VMware recommends. I combined that left punch with a quick right when I told him that you can now encrypt the VMotion traffic for added security (the actual configuration is shown in the screenshot below; vCenter Server 4.0 provides the interface where you configure it).

Then I knocked his ass out by firing off some info about vShield Zones, VMsafe and all the good stuff that quelled their security concerns real quick. So, they bowed down to me. Fatality. They turned tail and quickly realized the superior nature of VMware security. Ok, ok – it didn’t turn out quite like that. But I did get two rounds of beers out of those dudes, which to me was a sign that they had started to believe that VMware security was no joke… or at least they had started to see that if they messed with its players, they were messing with the wrong team.
I returned to my barstool. The beer tasted a little sweeter. The sun felt a little warmer. Life was good.
To all you nonbelievers and naysayers, as my boy The Notorious B.I.G. said: so if you don’t know, now you know!

Guess what, folks. It’s not an Intel world after all. AMD, the competitor that comes closest to Intel’s dominance of the CPU market, is about to release new versions of its processors. We all know that when it comes to clock speeds, both companies’ processors are operating at around the same numbers. So how does each company plan on getting a leg up on its competition? The strategy now seems to be about raising the number of cores per CPU, which means changing the architecture of the processor itself. As Intel and AMD continue to push each other with new processor enhancements and features, we have to take stock of the effect that architecture changes have on virtualization environments. In a VMware virtual infrastructure configured with the Distributed Resource Scheduler (DRS) cluster service, CPU feature incompatibility can create some serious challenges. VMware’s VMotion, the technology underlying DRS, is very dependent on CPU features and architecture: a running virtual machine has already been exposed to the feature set of the host it started on, so it can only be moved to a host that offers those same features. Without CPU architecture compatibility between hosts, VMotion and DRS may not work.
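To make the compatibility problem concrete, here is an added example (mine, not VMware's VMotion compatibility check) that compares the CPUID feature flags of two hosts and predicts which migration directions would be blocked. It assumes, hypothetically, that a powered-on guest has seen every flag of the host it booted on minus any flags hidden by a per-VM mask, and that the destination must provide every flag the guest has already seen. The two `flags` lines are constructed in the style of `/proc/cpuinfo`, one Intel-like and one AMD-like host in the same clock class; the function names and the "baseline mask" idea are illustrative assumptions.

```python
"""Predict whether a running VM can be moved between two hosts by comparing
their CPUID feature flags (added example, not VMware's own check).

Assumptions (hypothetical): the guest has been exposed to every flag of the
host it booted on, minus an optional per-VM mask, and the destination must
offer all of those flags. Input is /proc/cpuinfo-style text; the samples
below are constructed, not captured from real hardware.
"""

# Constructed sample data: one Intel-like host (ssse3, sse4_1) and one
# AMD-like host (sse4a) sharing the same base feature set.
HOST_A_CPUINFO = (
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc "
    "pni ssse3 cx16 sse4_1"
)
HOST_B_CPUINFO = (
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc "
    "pni cx16 sse4a"
)


def parse_flags(cpuinfo_text):
    """Return the feature flags from the first 'flags' line as a frozenset."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            return frozenset(value.split())
    raise ValueError("no 'flags' line found in cpuinfo text")


def vmotion_check(source_flags, dest_flags, vm_mask=frozenset()):
    """Decide whether a guest booted on `source` can move to `dest`.

    The guest has seen `source_flags - vm_mask`; the move is safe only if
    the destination provides all of them. Returns (ok, sorted missing flags).
    """
    exposed = frozenset(source_flags) - frozenset(vm_mask)
    missing = exposed - frozenset(dest_flags)
    return (not missing, sorted(missing))


def baseline_mask(*host_flag_sets):
    """Flags to hide from guests so they can move freely among all hosts:
    every flag that is not common to every host in the cluster."""
    sets = [frozenset(s) for s in host_flag_sets]
    union = frozenset().union(*sets)
    common = frozenset.intersection(*sets)
    return union - common


if __name__ == "__main__":
    a, b = parse_flags(HOST_A_CPUINFO), parse_flags(HOST_B_CPUINFO)
    for name, src, dst in (("A->B", a, b), ("B->A", b, a)):
        ok, missing = vmotion_check(src, dst)
        verdict = "ok" if ok else "blocked, destination lacks " + " ".join(missing)
        print(f"{name}: {verdict}")
    mask = baseline_mask(a, b)
    print("mask for two-way mobility:", " ".join(sorted(mask)))
    print("A->B with mask:", vmotion_check(a, b, mask)[0])
    print("B->A with mask:", vmotion_check(b, a, mask)[0])
```

The asymmetry is the point: a guest started on the AMD-like host can be blocked from moving to the Intel-like one by a single vendor-specific flag, and the other direction is blocked by the flags it lacks. The `baseline_mask` helper shows the usual remedy, which is to expose only the feature set common to every host in the cluster before the guest powers on, at the cost of the newer instructions.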
