Saturday, March 15, 2008

Simple way to make Virtual appliances

The Ubuntu community released Ubuntu JeOS (Just Enough OS) for making virtual appliances. Here is the announcement. I am pasting part of the announcement here.

"

Ubuntu Server Edition JeOS

Just enough OS for your virtual appliance

Ubuntu Server Edition JeOS (pronounced "Juice") is an efficient variant of our server operating system, configured specifically for virtual appliances. Currently available as a CD-Rom ISO for download, JeOS is a specialized installation of Ubuntu Server Edition with a tuned kernel that only contains the base elements needed to run within a virtualized environment.

Users deploying virtual appliances built on top of JeOS will benefit from:

  • better performance on the same hardware compared to a full non-optimized OS,
  • smaller footprint of the virtual appliance on their valuable disk space,
  • fewer updates and therefore less maintenance than a full server installation.

ISVs looking to develop virtual appliances will have a compelling platform in Ubuntu JeOS, an OS optimised for virtualization that greatly reduces the complexity and maintenance overhead normally associated with general purpose operating systems. Ubuntu JeOS Edition has been tuned to take advantage of key performance technologies of the latest virtualization products from VMware. This combination of reduced size and optimized performance ensures that Ubuntu JeOS Edition delivers a highly efficient use of server resources in large virtual deployments.

Without unnecessary drivers, and only the minimal required packages, ISVs can configure their supporting OS exactly as they want. Ubuntu provides only the security and enhancement updates needed for operating in a virtualised environment with no extraneous overhead.

"

The technical specifications of JeOS are given as:

"

Tech Specs:

  • 151M iso image
  • Kernel 2.6.22
  • Optimized for VMWare ESX, VMWare Server
  • Intel or AMD x86 architecture
  • Minimum memory 128Mo
  • No graphical environment preloaded as it is aimed at Server virtual appliance
  • Working knowledge of linux administration, dpkg and aptitude recommended to start building your own appliance

Download

Start testing it right now, download the image today from http://cdimage.ubuntu.com/jeos/

"

Step-by-step instructions for making a virtual appliance from JeOS with your application are given here. A pretty well written article indeed. I have not tried it myself, but it looks very easy. Some extracts from this article:

"

Installation of JeOS

Installation of JeOS is done the same way you would install any other OS in VMware, but you'll need to consider a few things:

  • To reduce the size of JeOS, SCSI drivers have not been included in the kernel shipped with JeOS. Make sure that you instruct VMware to use an IDE drive instead.

  • If you plan on shipping a virtual appliance, do not assume that the end-user will know how to extend disk size to fit their needs. So, either plan for a large virtual disk to allow for your appliance to grow, or provide the user with adequate documentation on allocating more space.

  • Given that it's much easier to change the amount of RAM allocated to your VM, set the RAM to whatever you think is a safe minimum for your appliance. The user can change this if/when necessary.

  • Even though LVM setup is proposed by the installer, it doesn't work at this time, so if you need LVM, it will need to be set up post-install.

"

Install your application. A sample is given in the article.

Once your application is installed, clean it up as per the article.

Then the final step in preparing the virtual appliance, as per the article, is:
"

Now it's time to shut down the system and do the final cleanup. Once it's shut down, go to your virtual machine settings in the VMware management console and select the virtual disk. Defragment it, which should reclaim all of the space you've freed, which will make the appliance smaller. Your virtual appliance is ready to ship! "

Nice work indeed from the Ubuntu community.

Saturday, March 8, 2008

Security among VMs - A thought.

Some physical deployments provide port-based security. In the physical world, it is implemented by replacing the traditional L2 switch with an L2 security switch. Each port is secured in the sense that each port belongs to a security zone. Security switches typically provide firewall, IPS and in some cases antivirus capabilities. Policies can be set up among zones.

In the virtual world, you deploy multiple VMs. If all VMs belong to one particular zone, then an external security switch is good enough. But if VMs belong to multiple security zones, then packets may travel among VMs without ever being seen outside the box hosting them. If one VM is compromised, it gives attackers a chance to snoop the packets on its virtual adapter, and it might even become a launching pad to compromise other machines.

In addition to the security problem, there is no visibility into traffic patterns among VMs.

As in the physical world, there are virtual switches within a virtualized environment. It is logical to replace virtual switches with virtual security switches. Unfortunately, it is not as simple as in the physical world. Virtual switches are part of the hypervisor and there are only two possibilities:

  • Enhance the host OS to add security functions. In Xen this is simple: it uses the Linux bridge to implement virtual switches, and the bridge can be enhanced with security functions.
    • Advantages
      • No additional logical connectivity is required.
      • No additional virtual switches.
    • Disadvantages
      • All security functions run in the context of the hypervisor. Performance is limited by the number of CPUs allocated to the hypervisor machine.
      • Any problem in a security function brings down the entire physical system.
      • Image updates could be a problem.
    • It is recommended that the host OS carry very minimal software to ensure that it is not vulnerable.
  • Make some VMs into security switches. That is, don't replace the virtual switches; work alongside them. VMs connect via these security VMs based on the zone they belong to.
    • Advantages:
      • A security VM can do many functions.
      • A security VM can be restarted at any time if there is any problem.
      • A security VM can be updated like any VM.
    • Disadvantages:
      • Additional connectivity is required to redirect traffic via these security VMs. Hence, more virtual switches may be required.

Security VMs must provide the following functions to provide security services for server VMs:
  • Security VMs must support Layer 2 operation (transparent mode).
  • Security VMs must support multiple zones.
  • Security VMs must provide very good logging and reporting functions.
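The second option above, modelled as an added example (this is my illustration, not code from the original post or from any hypervisor project). It keeps the hypervisor's Linux bridges, gives each security zone its own bridge in dom0, and attaches one interface of a transparent security VM to every zone bridge, so that any cross-zone frame has to pass the security VM while same-zone frames never do. The VM names, zone names, vif names and the zone policy are constructed; the brctl/ip commands are only generated as strings for review, never executed, so the script runs without root.

```python
"""Per-zone virtual switches fronted by a transparent security VM (Xen dom0 model).

Added example, not from the original post. Inventory, zone names, vif names and
the zone policy below are constructed for illustration. Commands are returned
as strings so the plan can be inspected before anyone applies it.
"""

# Constructed inventory: server VM -> security zone
VM_ZONES = {
    "web01": "dmz",
    "web02": "dmz",
    "app01": "app",
    "db01": "db",
}
SECURITY_VM = "secvm"   # constructed name of the transparent security VM


def zone_bridge(zone):
    # One Linux bridge per security zone in dom0 (name scheme is constructed)
    return f"xenbr-{zone}"


def plan_bridges(vm_zones, security_vm=SECURITY_VM):
    """Return the dom0 commands (as strings) that build the per-zone topology.

    Each zone gets its own bridge; every server VM's vif joins its zone's
    bridge; the security VM gets one vif on every zone bridge.
    """
    zones = sorted(set(vm_zones.values()))
    cmds = []
    for z in zones:
        br = zone_bridge(z)
        cmds.append(f"brctl addbr {br}")
        cmds.append(f"ip link set {br} up")
    for vm, z in sorted(vm_zones.items()):
        # vif naming is constructed; real Xen vif names depend on the domain id
        cmds.append(f"brctl addif {zone_bridge(z)} vif-{vm}")
    for i, z in enumerate(zones):
        cmds.append(f"brctl addif {zone_bridge(z)} vif-{security_vm}-{i}")
    return cmds


def path(src, dst, vm_zones=VM_ZONES, security_vm=SECURITY_VM):
    """Hops a frame takes between two server VMs.

    Same zone: stays on the zone bridge and is never seen by the security VM
    (the blind spot the post describes). Different zones: must cross the
    security VM, which is where firewall/IPS policy and logging apply.
    """
    zs, zd = vm_zones[src], vm_zones[dst]
    if zs == zd:
        return [zone_bridge(zs)]
    return [zone_bridge(zs), security_vm, zone_bridge(zd)]


def inspected(src, dst, vm_zones=VM_ZONES):
    """True when the security VM sees traffic between src and dst."""
    return SECURITY_VM in path(src, dst, vm_zones)


# Constructed zone policy, evaluated by the security VM in transparent mode.
# Anything not listed is denied across zones.
ZONE_POLICY = {("dmz", "app"): "allow", ("app", "db"): "allow"}


def verdict(src, dst, vm_zones=VM_ZONES, policy=ZONE_POLICY):
    """Policy decision for src->dst plus a log line as the audit record."""
    zs, zd = vm_zones[src], vm_zones[dst]
    if zs == zd:
        action = "allow"          # intra-zone traffic never reaches the security VM
        seen_by = "none"
    else:
        action = policy.get((zs, zd), "deny")   # default deny across zones
        seen_by = SECURITY_VM
    log = f"{src}({zs}) -> {dst}({zd}) {action} via={seen_by}"
    return action, log


if __name__ == "__main__":
    for c in plan_bridges(VM_ZONES):
        print(c)
    for pair in [("web01", "web02"), ("web01", "app01"), ("web01", "db01")]:
        print(verdict(*pair)[1])
```

The `path` and `verdict` functions make the trade-off visible: traffic inside one zone stays invisible to the security VM (which is acceptable only if you trust the zone), while every cross-zone flow produces a log line, which is the visibility the post says is missing today.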

Thursday, March 6, 2008

LAN Bypass using Xen/Vmware kind of virtualization technology

Many inline security infrastructure products such as IPS, web application firewalls, antivirus and anti-spam gateways make use of a feature called 'LAN bypass'. This feature is implemented in hardware using watchdog timer functionality. If the software fails to reset the watchdog timer, the hardware interconnects the LAN ports, thereby bypassing any software functions running on the device. Basically, if the software running on the device fails due to a hang or crash, connectivity does not suffer. Many businesses prefer bypassing security functions over non-availability of the network.

LAN bypass hardware is expensive and typically works with two Ethernet ports. Xen/Vmware based virtualization technology eliminates the need for this expensive hardware by running the security software as a VM and having some kind of monitor in the host OS (domain 0) which monitors the health of the security VM. When the VM does not respond, the host can create a software bridge among all physical Ethernet ports.

As an appliance vendor, one should follow these steps to make a security appliance. None of these steps need to be done by the end user.
  • Use Xen or Vmware: my preference is Xen as it has paravirtualized Ethernet drivers, which are fast compared to full virtualization.
  • Run the security software as a VM.
  • Have as many virtual switches as there are physical Ethernet ports.
  • Create as many virtual adapters on the VM as there are physical ports.
  • Connect each virtual adapter of the VM and its physical adapter in a separate virtual switch (bridge).
  • The security software anyway creates a bridge among its virtual adapters to work in transparent mode.
  • Have monitor software running in the host operating system and a monitor counterpart in the security VM to monitor the applications in the VM.
  • When the host monitor detects a problem in the security VM, it can try restarting it. If it does not restart, the host monitor can remove all virtual switches and create a bridge connecting all physical Ethernet ports.
With this, we can eliminate the need for LAN bypass hardware.
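The host-side monitor from the steps above, written out as an added example (my illustration, not the post's or any vendor's code). dom0 keeps one bridge per physical port, each holding that port plus one vif of the security VM; an agent inside the VM sends a heartbeat while the security application is healthy. On missed heartbeats the monitor reboots the VM, and if the VM still does not report back it tears the inline bridges down and wires all physical ports into one bypass bridge, so connectivity survives at the cost of inspection. Port and VM names, the timeout and the retry budget are constructed; every command (brctl/ip for the Linux bridge, xm for Xen's toolstack) is returned as a string rather than executed, so the replay runs anywhere.

```python
"""Host-side (dom0) health monitor with software LAN bypass.

Added example, not the post's or any vendor's code. Port names, VM name,
timeouts and timelines are constructed. Commands are collected as strings
so the decision logic can be replayed without root or a hypervisor.
"""

PHYS_PORTS = ["eth0", "eth1"]   # constructed: a two-port inline appliance
SEC_VM = "secvm"                # constructed Xen domain name


def inline_plan(ports=PHYS_PORTS, vm=SEC_VM):
    """Normal operation: one bridge per physical port, security VM in between."""
    cmds = []
    for i, p in enumerate(ports):
        br = f"br{i}"
        cmds += [f"brctl addbr {br}", f"brctl addif {br} {p}",
                 f"brctl addif {br} vif-{vm}-{i}", f"ip link set {br} up"]
    return cmds


def bypass_plan(ports=PHYS_PORTS):
    """Failure mode: collapse all per-port bridges into a single bridge."""
    cmds = [f"brctl delbr br{i}" for i in range(len(ports))]
    cmds.append("brctl addbr br-bypass")
    cmds += [f"brctl addif br-bypass {p}" for p in ports]
    cmds.append("ip link set br-bypass up")
    return cmds


class Monitor:
    """Decides, on each poll, what dom0 should do about the security VM."""

    def __init__(self, now, heartbeat_timeout=5.0, max_restarts=2):
        self.timeout = heartbeat_timeout
        self.max_restarts = max_restarts
        self.restarts = 0
        self.last_beat = now
        self.state = "inline"      # inline | restarting | bypass
        self.issued = []           # commands handed to dom0, kept as the audit trail

    def heartbeat(self, now):
        """The agent inside the VM reports that the security application is alive."""
        self.last_beat = now
        if self.state == "restarting":
            self.state = "inline"  # VM recovered, so reset the restart budget
            self.restarts = 0

    def poll(self, now):
        """Return 'ok', 'restart' or 'bypass' for this tick and record commands."""
        if self.state == "bypass":
            return "bypass"        # latched until an operator re-enables inspection
        if now - self.last_beat < self.timeout:
            return "ok"
        if self.restarts < self.max_restarts:
            self.restarts += 1
            self.state = "restarting"
            self.last_beat = now   # give the rebooted VM a full timeout to come up
            self.issued.append(f"xm reboot {SEC_VM}")
            return "restart"
        self.state = "bypass"      # restarts exhausted: keep the network up, drop inspection
        self.issued += bypass_plan()
        return "bypass"


def run_timeline(events, heartbeat_timeout=5.0, max_restarts=2):
    """Replay (time, 'beat'|'poll') events; return poll decisions and issued commands."""
    mon = Monitor(now=events[0][0] if events else 0.0,
                  heartbeat_timeout=heartbeat_timeout, max_restarts=max_restarts)
    decisions = []
    for t, kind in events:
        if kind == "beat":
            mon.heartbeat(t)
        else:
            decisions.append((t, mon.poll(t)))
    return decisions, mon.issued


# Constructed timeline: healthy, then the VM hangs; two reboots fail, bypass engages.
HANG_AND_BYPASS = [(0, "beat"), (2, "poll"), (8, "poll"), (14, "poll"),
                   (20, "poll"), (26, "poll")]
# Constructed timeline: the VM hangs once, is rebooted, and comes back.
HANG_AND_RECOVER = [(0, "beat"), (8, "poll"), (10, "beat"), (11, "poll")]

if __name__ == "__main__":
    print(inline_plan())
    print(run_timeline(HANG_AND_BYPASS))
    print(run_timeline(HANG_AND_RECOVER))
```

Two design points worth noting: the bypass state is latched, because silently re-inserting a VM that keeps crashing would flap the network, and the heartbeat comes from an agent inside the VM rather than from the hypervisor's view of the domain, since a hung security application in a running VM is exactly the case the post wants to catch. The bypass commands are also the event an operator should alert on, since from that moment traffic is flowing uninspected.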

What are the limitations of the above approach?

  • Performance of a VM is typically 20% less than running the software in a non-virtual environment.
  • Though it solves the problem of software crashes and hangs, this is not a solution for hardware problems.
  • This only works for transparent security appliances.
As I understand from several administrators, in around 70% of cases problems are observed in the software application rather than the hardware. Hence this solution should work fine, and I feel that many security vendors will be doing this in future.

By the way, at Intoto we do this in IntruPro-IPS and UTM products.

Monday, March 3, 2008

Virtualization in Network security - Present and future

Service providers are increasingly providing security services at their edge for their customers. Firewall, IPsec VPN, IPS and P2P rate throttling are some of the security services provided by service providers. SPs provide this functionality using the virtualization capability offered by many security appliance vendors. The virtualization provided is at the level of instantiating configuration and run-time state. That is, for each customer there is a separate routing table, firewall session table, configuration tables, IPsec SA table, etc., but the code and data segments are shared. With role-based management, different customer accounts are handled by different admin personnel of the service provider.
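The traditional, vendor-provided virtualization described above, modelled as an added example (my illustration, not any vendor's implementation). One process runs a single shared classification code path, while each customer owns its own rule set, session table and routing table, and each admin account is bound to the customers it may manage. The customer names, addresses, rules and admin roles are constructed, and the rule matcher is a toy string-prefix match. The point it shows is why the state must be keyed by customer: two customers can legitimately use the same private address space, so a session or rule in one context must never match traffic in another.

```python
"""Traditional security virtualization: shared code, per-customer state.

Added example, not from the original post or any vendor's product. Customers,
addresses, rules and admin roles are constructed; rule matching is a toy
string-prefix comparison standing in for a real prefix/port classifier.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    src: str          # constructed: source address prefix matched as a string
    dport: int
    action: str       # "allow" or "deny"


@dataclass
class VirtualContext:
    """Everything that is instantiated per customer; nothing here is shared."""
    customer: str
    rules: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)   # (src, dst, dport) -> packet count
    routes: dict = field(default_factory=dict)     # prefix -> next hop


def classify(ctx, src, dst, dport):
    """Shared code path. Looks up state only inside the given context."""
    key = (src, dst, dport)
    if key in ctx.sessions:                  # existing session: fast path
        ctx.sessions[key] += 1
        return "allow"
    for r in ctx.rules:                      # first match wins
        if src.startswith(r.src) and r.dport == dport:
            if r.action == "allow":
                ctx.sessions[key] = 1
            return r.action
    return "deny"                            # default deny


class Box:
    """One appliance hosting many customer contexts with role-based management."""

    def __init__(self):
        self.contexts = {}
        self.admins = {}     # admin name -> set of customers they may manage

    def add_customer(self, name):
        self.contexts[name] = VirtualContext(name)
        return self.contexts[name]

    def grant(self, admin, customer):
        self.admins.setdefault(admin, set()).add(customer)

    def add_rule(self, admin, customer, rule):
        """An admin may only change the policy of customers granted to them."""
        if customer not in self.admins.get(admin, set()):
            raise PermissionError(f"{admin} may not manage {customer}")
        self.contexts[customer].rules.append(rule)

    def forward(self, customer, src, dst, dport):
        return classify(self.contexts[customer], src, dst, dport)


def demo():
    """Two customers with overlapping 10.0.0.0/24 space and different policies."""
    box = Box()
    for c in ("acme", "globex"):
        box.add_customer(c)
    box.grant("alice", "acme")
    box.grant("bob", "globex")
    box.add_rule("alice", "acme", Rule("10.0.0.", 22, "allow"))
    box.add_rule("bob", "globex", Rule("10.0.0.", 80, "allow"))
    results = {
        "acme_ssh": box.forward("acme", "10.0.0.5", "192.0.2.10", 22),
        "globex_ssh": box.forward("globex", "10.0.0.5", "192.0.2.10", 22),
        "globex_http": box.forward("globex", "10.0.0.5", "192.0.2.10", 80),
    }
    try:
        box.add_rule("bob", "acme", Rule("10.0.0.", 22, "deny"))
        results["cross_admin"] = "allowed"
    except PermissionError:
        results["cross_admin"] = "blocked"
    # Session isolation: each context sees only the sessions it opened itself.
    results["acme_sessions"] = len(box.contexts["acme"].sessions)
    results["globex_sessions"] = len(box.contexts["globex"].sessions)
    return results


if __name__ == "__main__":
    print(demo())
```

The same source address and port are allowed for acme and denied for globex because the lookup is scoped to the context, and bob's attempt to edit acme's policy is refused by the role check. What this scheme cannot give you is the failure isolation the post goes on to discuss: a crash in `classify` takes every context down with it, since they all share the one process.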

Here is the question. Does Xen/VmWare/KVM based virtualization technology replace current security virtualization? Note that in this virtualization there would be as many VM instances as the number of virtual instances (customers) required. Each virtual instance has its own OS and security application in addition to its configuration and run-time state.

Advantages of Xen/VmWare/KVM based virtualization:
  • It provides isolation: if there is any software problem, only the current instance is affected. In the case of traditional virtualization provided by security vendors, any software problem brings down the entire system.
  • It provides a mechanism to assign CPU to each virtual system.
  • It provides a mechanism to control the memory used by each virtual system.
  • It provides a mechanism to control the bandwidth used by each virtual system.
  • Basically, it is true virtualization.
Disadvantages of this type of virtualization over traditional virtualization:
  • It requires as many virtual machines as there are customers.
  • Memory requirements are too high.
  • CPU utilization is very high.
  • System performance would be way less.
  • High cost.

In summary, if the number of virtual instances needed is more than a few dozen, then traditional security virtualization is the choice for service providers. Traditional virtualization provides better cost and performance than Xen/VmWare based virtualization. I have a feeling that Vmware/Xen based virtualization will become popular in enterprise environments where it can replace multiple security appliances. But in the service provider market, traditional virtualization will be used for some more years to come.