KEEP IT SIMPLE Even when adding new monitoring tools, it’s best for network administrators to use a small tool set, says GPO’s Byron Blocker.

Feb 17 2009
Data Center

The Real Deal

Federal IT managers find they must deploy new tactics for managing and securing their expanding virtual environments.

The Government Printing Office retired 42 servers over the past two years, replacing them with four VMware ESX servers. It also swapped out 45 desktop systems for virtualized thin clients that it installed in its typesetting operation.

There were clear cost and environmental benefits: The consolidation saves GPO $56,000 in annual electricity costs, which translates into a reduction of 176 tons of carbon dioxide emissions. But the move to a virtualized environment also required the congressional agency’s IT shop to adjust its management focus, says Byron Blocker, director of GPO’s Systems Integration Division.

GPO’s realization that it would need a new monitoring approach for its VMs is an example of what’s transpiring in IT organizations across government and in the private sector as well, says Ronni Colville, a vice president and distinguished analyst at Gartner of Stamford, Conn.

It used to take hours, days, even months to set up physical servers, but because it now takes just minutes to provision VMs, IT shops have to set strict policies to prevent VM sprawl. IT managers also must be sure their configuration management tools can function with the new virtual servers and VMs.

“With 15 discrete servers, we could see the traffic and respond,” says Blocker. “Now, with roughly 15 virtual machines on one host, monitoring the traffic became challenging. If one virtual machine gets compromised, it could be attacking the main server and we might not see it.”

Good Advice

Blocker says GPO sought advice from VMware and also talked to a consultant about how to most effectively manage its virtual machines. VMware pointed out that its solution has built-in tools that let IT shops manage the hypervisor, which is the core software in a virtual environment that lets multiple virtual machines run on a single server. Blocker says if the host goes down for any reason, VMware can detect it and reproduce VMs on other hosts in the virtual environment.

The consultant suggested Tripwire to manage disk space, CPU usage and application files, but Blocker says GPO found that it could use an existing management product from Computer Associates to do many of the same functions. GPO is also testing software to handle patch management.

“We use the Computer Associates product to manage memory usage, disk space and whether our applications are up or down,” says Blocker.

“Our preference is to use the products we have. It saves the taxpayers money and simplifies the management environment,” he says, pointing out that it’s always best for network administrators to use as few tools as possible.

The Defense Information Systems Agency also primarily uses existing tools to manage about 750 virtual environments across 13 data centers. DISA uses Tivoli for basic management functions and the Virtual Center tool in VMware to manage the hypervisor.

DISA has a capacity-on-demand arrangement with Hewlett-Packard. “We add servers as we need them,” says Alfred Rivera, DISA’s director for computing services. “HP manages the ESX layer, and our staff manages the virtual environments.”

53%

IT operations staff who do not ask IT security people to get involved in virtualization evaluation and deployment

SOURCE: Gartner

Whatever course you take, Gartner’s Colville recommends that if your agency doesn’t already have configuration management control for its physical servers, start developing them now in tandem with provisioning virtual servers.

Ideally, development of con­figuration processes and controls should occur before an agency makes significant product implementations of physical or virtual servers, Colville says.

“When implementing virtual servers, develop the same governance and controls for these new assets that you have for your physical environment, making note of where modifications need to be made,” she adds.

Similar Tactics

Given the tough budget climate, other agencies are taking an approach similar to GPO’s, using existing tools where possible to manage their virtual environments while tracking the development of emerging products and tools.

The Pacific Northwest National Laboratory in Richland, Wash., runs 225 VMware VMs on 30 physical servers. PNNL, an Energy Department laboratory with 4,200 employees and an annual budget of $850 million, uses an open-source tool to determine uptime or downtime of its VMs. Microsoft’s System Center Operations Manager tracks alerts for disk space and keeps tabs on any SQL Server database or Microsoft Exchange e-mail issues. For patch management of ESX servers, PNNL uses the tools within VMware.

“We realized when we started that we have to patch ESX servers just like anything else,” says Daryl Anderson, the lab’s hosting portfolio manager. “We also have a process in place to control the provisioning of VMs to prevent server sprawl.”

At NASA, the IT team has ambitious plans to begin developing a virtual infrastructure, kicking off by virtualizing 80 percent of the servers at Ames Research Center in Mountain View, Calif.

“Virtualization will be a key element in NASA’s IT strategy over the next few years,” says Ames CIO Chris C. Kemp. “Virtualization offers NASA increased flexibility as we provision infrastructure to meet the sometimes unpredictable needs of our organizations.”

Kemp says that instead of spending all of the center’s server budget at the beginning of a project, Ames’ ability to rapidly provision VMs means it can use only the servers it needs during the life of a project. If the project is scrapped and the physical boxes are no longer necessary, the servers and the VMs in them can be repurposed for another project.

As dramatic as virtualization’s benefits can be, the virtual environment must be managed. NASA also uses mostly existing tools, much like GPO. Kemp says NASA runs Sun Identity Manager to manage user provisioning and Windows Group Policy to handle security password policies, as well as password expirations and user privileges. Lumension Security automates software patches and runs reports on the status of licenses and on the software installed on the servers. Tools within VMware manage the hypervisor.

“Too often,” Kemp says. “Securing virtual environments is overlooked, but I can tell you that security is a forethought with us.”

Smart Process


MAINTAIN CONTROL

At the IRS, it’s not OK “to spin up new VMs just because
it’s easy to do,” the agency’s Brian Bahlert says.
Photo: Christopher Navin

Security and management are also priorities at the IRS, which has an automated process in place to provision each new VM. The IRS deployed VMware proto-types at 12 locations nationwide, prototypes it intends to phase out this year. Today, it has 550 virtual servers and 200 virtual desktops that reside on 40 physical servers.

In the next year, the agency plans to retire 1,600 physical servers. The IRS estimates it will wind up with around 200 physical VMware hosts.

“We treat the VMs the same way we would the physical servers,” says Brian Bahlert, who handles server standards and configuration at the Enterprise Computing Operations Division of IRS. “We don’t let people spin up new VMs just because it’s easy to do,” he adds.

The IRS also uses existing management tools to manage security for the virtual servers. HP OpenView does systems monitoring, and tools within VMware manage the hypervisor.

“We’re very happy with VMware,” Bahlert says. “It lets us automate the virtual environment and put it in a maintenance mode.”

Emerging Security Market

Although the majority of agencies now use existing management tools to manage their virtual servers, that will likely change as agencies build out their virtual environments.

Ted Ritter, a senior analyst at Nemertes Research of Mokena, Ill., says the problem is that many current systems management tools are blind to what’s happening inside the virtual infrastructure.

“Provisioning happens so rapidly in virtual environments that unless you have the right monitoring going on, it’s really hard for traditional configuration, performance and security management tools to keep up,” Ritter says.

Products from Shavlik Technologies, Tripwire and some other makers of systems management tools are hypervisor-aware and aim to protect all IT assets in a virtual environment. And, according to Ritter, security companies such as Check Point Software Technologies, Symantec and IBM Internet Security Systems intend to release products later this year that focus on securing virtual environments.

Ritter says that, short of a major breach, most organizations will look to make due with existing tools for the near term. His hope is that as IT shops gain more experience with virtualization they will recognize the unique security issues and turn to the new crop of tools specifically honed for VM management.

 

An Energy Lab’s Virtual View

Need to secure your VMware infrastructure? Here are 10 points that the Pacific Northwest National Laboratory suggests:

  1. Restrict access to the service console. This includes least privilege, strong passwords and no third-party software on the console.
  2. Divert service console network traffic onto a separate virtual network. This is a good idea because you don't want hackers sniffing around your administrative network.
  3. Separate VMotion traffic from other network traffic. This is a good idea because the VMotion traffic carries the content of virtual machine memory and is not encrypted.
  4. Restrict administrative privileges on ESX servers and Virtual Center (least privilege). You want the least number of people with those privileges as possible.
  5. Establish separation of duties and privileges for network and SAN settings (least privilege). Only people who know how to configure the network and the SAN should be granted access.
  6. Configure shared storage properly. Whether it's Fibre Channel, NFS or iSCSI, storage needs to be configured securely.
  7. Configure appropriate logging. This will give you early warning of any unusual activity or problems in your infrastructure.
  8. Keep patches current. You want to protect against vulnerabilities in the operating system and hypervisor.
  9. Stay on top of configuration management. If your configuration is documented and managed properly, it will minimize security risks caused by misconfiguration.
  10. Protect the Virtual Center server. All management functions are centralized here, so this is a critical resource that you want to carefully control and monitor.
<p>Photo: Gary Landsman</p>

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now