Comments on: Bypassing the Hypervisor For Performance & Network “Simplicity” = Bypassing Security? http://www.rationalsurvivability.com/blog/?p=578 Hoff's Ramblings about Information Survivability, Information Centricity, Risk Management and Disruptive Innovation. Oh, I have a fondness for virtualization and cloud computing security, too... Thu, 09 Sep 2010 02:54:50 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Paul http://www.rationalsurvivability.com/blog/?p=578&cpage=1#comment-5377 Paul Mon, 29 Jun 2009 09:04:57 +0000 http://www.rationalsurvivability.com/blog/?p=578#comment-5377 This is all great in theory, but what about where I have Blade servers running virtual environments which themselves do some level of NIC virtualization (i.e. HP Flex10). Im sure i'm not alone when I say I see a LOT of customers are now just beginning to standardise virtual environments on Blades and I cant see that changing anytime soon (the large data companies we work with anyhow). Will HP/IBM support Palo on Cisco physical switches? Say for HP I guess it would mean updating Virtual Connect and maybe there'll bring out their own ProCurve equivalent and tie the whole lot together (a la UCS) I can see the benefits for sure, in terms of reduced hypervisor cycles, but until we have full cross vendor support for some of these things, it's a long way off Plus VM admins like vSwitches, they like the choices they have there and the ability to dedicate Port Groups to vLANS, seperate vSwitches out for vMotion, management etc. I think they'd want any physical switch representation to do something very similar This is all great in theory, but what about where I have Blade servers running virtual environments which themselves do some level of NIC virtualization (i.e. HP Flex10). Im sure i’m not alone when I say I see a LOT of customers are now just beginning to standardise virtual environments on Blades and I cant see that changing anytime soon (the large data companies we work with anyhow).

Will HP/IBM support Palo on Cisco physical switches? Say for HP I guess it would mean updating Virtual Connect and maybe there’ll bring out their own ProCurve equivalent and tie the whole lot together (a la UCS)

I can see the benefits for sure, in terms of reduced hypervisor cycles, but until we have full cross vendor support for some of these things, it’s a long way off

Plus VM admins like vSwitches, they like the choices they have there and the ability to dedicate Port Groups to vLANS, seperate vSwitches out for vMotion, management etc. I think they’d want any physical switch representation to do something very similar

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: Datacenters (Datacentres)…. « Is there a security mindset? http://www.rationalsurvivability.com/blog/?p=578&cpage=1#comment-2497 Datacenters (Datacentres)…. « Is there a security mindset? Sun, 12 Apr 2009 21:17:14 +0000 http://www.rationalsurvivability.com/blog/?p=578#comment-2497 [...] In the case of net new I can see this happening.  My question is, going forward as a mid range organization what do you do if you need a second datacentre?  I’m really liking the concepts that Cisco, VMware are putting forward with their Network Virtualization strategies.  Of course my paranoid security mind agrees with The Hoff. [...] [...] In the case of net new I can see this happening.  My question is, going forward as a mid range organization what do you do if you need a second datacentre?  I’m really liking the concepts that Cisco, VMware are putting forward with their Network Virtualization strategies.  Of course my paranoid security mind agrees with The Hoff. [...]

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: PhilA http://www.rationalsurvivability.com/blog/?p=578&cpage=1#comment-2080 PhilA Fri, 20 Mar 2009 08:01:36 +0000 http://www.rationalsurvivability.com/blog/?p=578#comment-2080 Personally, I enjoyed the Cisco UCS references to Brock Lesnar a few posts ago. Somehow, MMA and Infosec go well together. Perhaps you may want to bring those references back up to clearly communicate your point to the average reader? Ok, just kidding. And no flexibility for you. You will like what the vendors give you as a solution and that's it. Another solid article. Personally, I enjoyed the Cisco UCS references to Brock Lesnar a few posts ago. Somehow, MMA and Infosec go well together.

Perhaps you may want to bring those references back up to clearly communicate your point to the average reader? Ok, just kidding.

And no flexibility for you. You will like what the vendors give you as a solution and that’s it.

Another solid article.

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: beaker http://www.rationalsurvivability.com/blog/?p=578&cpage=1#comment-2074 beaker Thu, 19 Mar 2009 21:49:58 +0000 http://www.rationalsurvivability.com/blog/?p=578#comment-2074 <a href="#comment-2073" rel="nofollow">@Wes Felter</a> So, one of two things has occurred, and I'm happy to accept either as the answer: 1) I've done a bad job communicating my concerns, or 2) You've done a bad job understanding them. Firstly, I've not "complained" that virt breaks hardware security, I've simply pointed that out and its attendant issues. Secondly, Cisco/VMware hasn't "unbroken" anything, they've squeezed the balloon and shifted where and how networking and some security functionality gets done. What do I want? I want the flexibility to be able to provide the level of protection commensurate with the profiles of the assets I'm protecting and ensure I understand the risks inherent with that flexibility. There will be a meet in the middle strategy (as there always is,) but I'll be honest...name one other person prior to my Four Horsemen presentation and VirtSec "...end of Network Security as we know it" talks from two years ago that highlighted the deficiencies of virtual appliances as a "solution" to this problem... Feel free to complain that I'm not happy with either solution because you're right, I'm not. However, I'm pretty sure given the feedback I've received that I've done more good than harm. To your last point, it's going to take a while for UCS to mature and since VN-Link and the 1000v is hitched to vNetworking (of which VMsafe is a component) the reality is that "pragmatically" UCS and no vSwitches ain't gonna happen overnight, either. /Hoff @Wes Felter

So, one of two things has occurred, and I’m happy to accept either as the answer:

1) I’ve done a bad job communicating my concerns, or
2) You’ve done a bad job understanding them.

Firstly, I’ve not “complained” that virt breaks hardware security, I’ve simply pointed that out and its attendant issues.

Secondly, Cisco/VMware hasn’t “unbroken” anything, they’ve squeezed the balloon and shifted where and how networking and some security functionality gets done.

What do I want? I want the flexibility to be able to provide the level of protection commensurate with the profiles of the assets I’m protecting and ensure I understand the risks inherent with that flexibility.

There will be a meet in the middle strategy (as there always is,) but I’ll be honest…name one other person prior to my Four Horsemen presentation and VirtSec “…end of Network Security as we know it” talks from two years ago that highlighted the deficiencies of virtual appliances as a “solution” to this problem…

Feel free to complain that I’m not happy with either solution because you’re right, I’m not.

However, I’m pretty sure given the feedback I’ve received that I’ve done more good than harm.

To your last point, it’s going to take a while for UCS to mature and since VN-Link and the 1000v is hitched to vNetworking (of which VMsafe is a component) the reality is that “pragmatically” UCS and no vSwitches ain’t gonna happen overnight, either.

/Hoff

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: Wes Felter http://www.rationalsurvivability.com/blog/?p=578&cpage=1#comment-2073 Wes Felter Thu, 19 Mar 2009 21:08:22 +0000 http://www.rationalsurvivability.com/blog/?p=578#comment-2073 It seems like you used to complain that virtualization breaks hardware security appliances; now that Cisco/VMware has unbroken them you're complaining that it breaks VMsafe. What do you want? Pragmatically, it will take a while for VMsafe to mature after it comes out, so the enterprisey enterprises are probably better off with UCS, no vSwitches, and their beloved hardware security appliances for a few more years. It seems like you used to complain that virtualization breaks hardware security appliances; now that Cisco/VMware has unbroken them you’re complaining that it breaks VMsafe. What do you want?

Pragmatically, it will take a while for VMsafe to mature after it comes out, so the enterprisey enterprises are probably better off with UCS, no vSwitches, and their beloved hardware security appliances for a few more years.

Like or Dislike: Thumb up 0 Thumb down 0

]]> By: Prestaties verbeterd ten koste van veiligheid? « EarlyBert http://www.rationalsurvivability.com/blog/?p=578&cpage=1#comment-2071 Prestaties verbeterd ten koste van veiligheid? « EarlyBert Wed, 18 Mar 2009 19:20:06 +0000 http://www.rationalsurvivability.com/blog/?p=578#comment-2071 [...] Chris Hoff zet er echter wat vraagtekens bij het bypassen van de virtuele switch. Je omzeilt namelijk ook de lang verwachte VMSafe ondersteuning op netwerkgebied. Hij vraagt zich dus af of we niet opnieuw de fout dreigen te maken om veiligheid in te wisselen voor een (klein?) stukje prestatieverbetering. [...] [...] Chris Hoff zet er echter wat vraagtekens bij het bypassen van de virtuele switch. Je omzeilt namelijk ook de lang verwachte VMSafe ondersteuning op netwerkgebied. Hij vraagt zich dus af of we niet opnieuw de fout dreigen te maken om veiligheid in te wisselen voor een (klein?) stukje prestatieverbetering. [...]

Like or Dislike: Thumb up 0 Thumb down 0

]]>