Jun 29

In my previous post I talked about what PVLANs are and how to create secured PVLANs utilizing the Reflex VMC vTrust technology.  After reviewing the post I realized that some might ask for a more in-depth understanding of how we accomplish this, why this is different from how it was done in the past, and what other options are available for creating these PVLANs.  PVLANs have two major type classifications: isolated and community.  In an isolated PVLAN, each VM can talk out to, and receive communication directly from, hosts outside the zone, but the VMs that are part of the defined zone have no intra-zone communication with one another.  Community PVLANs, by contrast, allow both intra-zone communication and communication between outside hosts and the VMs inside the zone.

Why would you want to have a community zone?

A community zone provides intra zone communication between VMs, thus allowing Load Balanced application VMs to talk to each other.  Or another example would be to allow all intra-zone VMs to connect to each other for possible collaborative applications, but still grouping them all together.  In the latter example, think of SETI or any other Grid based computing platform where all systems can interact with  a central directive server but can also work together as one application. 

  • To create a promiscuous, community zone in vTrust simply use the default policy called “Zone Isolation”.  Or, you can create your own policy with an Allow rule utilizing this VQL query, vnic.exists = true  as the Source and Destination.

 

  • Ensure that the Rule is set to “Allow” and the Source and Destination are using the VQL specification of type=vnic.

Note: You can even make this community zone promiscuous for a single application service, by specifying the application port in the service box.  This allows you to create a pseudo promiscuous zone without having to use a promiscuous port on a vSwitch. 

Why would you want an isolated zone?

One example of why you might want an isolated zone is for patching or updating purposes.  In this example we will use all Windows OS based systems and an update server.  Just because all the Microsoft based VMs are in one zone doesn’t mean you want them to talk to one another, so you will create a zone for the Microsoft VMs but allow them to talk to a WSUS server outside of that environment.

  • Here you will configure a Zone for ALL Windows based VMs, using this VQL Statement for your Zone Definition: vm.os_name contains Microsoft or vm.os_name contains windows (you can also define the version of Windows by using vm.os_name contains “Microsoft Windows Server 2008”, vm.os_name contains “Microsoft Windows Server 2003”, etc.)

  • Now tag your Windows Update Server with a “WSUS” tag.  If you have forgotten about vmTagging already, go here for a recap.  In essence, you will create a WSUS vmTag and assign it to each Windows Update Server.

 

  • After creating your Windows, MS, Microsoft, MS_OS, etc. zone you will then create a policy that allows this zone to communicate to your tagged Windows Update Server(s).
  • To create this policy follow these steps:
    • Create New Policy (WSUS_Policy_Name)
    • Add New Rules to WSUS_Policy_Name

  • To accomplish denying traffic between all of the VMs in the Windows Zone you will then use a Zone Isolation Deny Policy.  This policy denies all traffic between each VM by using rules to deny traffic between VNICs attached to VMs.  If the VM has a VNIC then it cannot talk to any other VM with a VNIC, in THIS zone only.

  • Pretty sweet, huh?
  • You’ve now created an Isolated PVLAN using vTrust.
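The isolated Windows zone with its WSUS exception can be modeled in a few lines. This is an added example, not Reflex code: the first-match rule evaluation and the sample inventory are assumptions made for illustration, and the default-allow fallback mirrors the statement that all other network communications are allowed. It shows one thing the steps leave implicit: a WSUS server runs Windows, so it matches the zone definition too, and the WSUS allow rule only takes effect if it is evaluated before the zone isolation deny.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VM:
    name: str
    os_name: str
    tags: frozenset = frozenset()


def in_windows_zone(vm):
    """Zone membership, mirroring the zone definition in the post:
    vm.os_name contains Microsoft or vm.os_name contains windows."""
    os_name = vm.os_name.lower()
    return "microsoft" in os_name or "windows" in os_name


def is_wsus(vm):
    """True for VMs carrying the WSUS vmTag."""
    return "WSUS" in vm.tags


def allow_zone_to_wsus(src, dst):
    # WSUS policy: zone members may open connections to tagged update servers.
    return in_windows_zone(src) and is_wsus(dst)


def zone_isolation_deny(src, dst):
    # Isolation policy: no traffic between two VMs that are both in the zone.
    return in_windows_zone(src) and in_windows_zone(dst)


# Two orderings of the same two rules (ordering semantics are assumed).
WSUS_FIRST = [("allow", allow_zone_to_wsus), ("deny", zone_isolation_deny)]
DENY_FIRST = [("deny", zone_isolation_deny), ("allow", allow_zone_to_wsus)]


def evaluate(rules, src, dst):
    """First matching rule wins; unmatched traffic is allowed."""
    for action, matches in rules:
        if matches(src, dst):
            return action
    return "allow"


def decisions(rules, inventory):
    """Decision for every ordered (source, destination) pair of VMs."""
    return {(s.name, d.name): evaluate(rules, s, d)
            for s in inventory for d in inventory if s is not d}


# Constructed sample inventory.
INVENTORY = [
    VM("web01", "Microsoft Windows Server 2008"),
    VM("db01", "Microsoft Windows Server 2003"),
    VM("wsus01", "Microsoft Windows Server 2008", frozenset({"WSUS"})),
    VM("lin01", "Red Hat Enterprise Linux 5"),
]

if __name__ == "__main__":
    for label, rules in (("WSUS allow first", WSUS_FIRST),
                         ("isolation deny first", DENY_FIRST)):
        print(label)
        for (src, dst), action in sorted(decisions(rules, INVENTORY).items()):
            print(f"  {src:>7} -> {dst:<7} {action}")
```

Because membership is a predicate over VM attributes, a newly created Windows VM is isolated from its peers and can reach the update server without any rule being edited.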

written by Tommy Speigner

May 11

Virtualized PVLANs

We have a dilemma…  A customer wants to create PVLANs (Private Virtual LANs) in their virtual environment.  If you aren’t familiar with PVLANs, read what Cisco says they are: “A PVLAN is a VLAN with configuration for Layer 2 isolation from other ports within the same broadcast domain or subnet. You can assign a specific set of ports within a PVLAN and thereby control access among the ports at Layer 2.”  With certain Cisco switches you can set up PVLANs to allow or deny the traffic between hosts in the same subnet.

  

So the question becomes, how can we do the same thing in the virtual environment while leveraging virtualization to do it?  Using the Reflex VMC and vTrust technologies you can define these PVLANs much more easily in the virtual environment and apply policy to individual Virtual Machine (VM) hosts or even a set of VM hosts by creating zones.  By utilizing VQL and vTrust to segment and set policy, the rules will only apply to the hosts you specify and allow all other network communications.  vTrust also provides the option to prevent all internal zone VM-to-VM communication.  Reflex VMC setup and configuration can be done quickly and with very few errors.

 

With Reflex VMC you can create PVLANs (Private Virtual LANs) by following these directions:

1.  Create a New Zone – Label it properly, based on business entity, use case, organizational unit, or application function.  In this example,  I used the Applications zone.

2.  Assign VMs to Zone – Determine which virtual machines should be a part of this zone based on specific attributes of the VMs.  Alternatively, you can utilize vmTags to classify VMs, as this can be easier and more efficient in large environments.

               a. Example VQL, vm.name = Source1 or vm.name = Source2

               b. Example use of vmTags, tag: Applications or you can click on the  and select the desired tags.

               c. Other VM attributes such as PNIC, Memory, Tags, etc. can be used when assigning VM’s to a  zone. 

 

3.  Create Additional Zones – As needed, additional zones can be added.  An example zone could be something like “Backups” with your backup server in the zone where you can specify the vmTag associated with your Backup VM’s.  A similar association would be tag: Backup_Srvr.

4.  Create a New Policy – When creating a new policy, name the policy according to its purpose (Retention, Backup, Archive, Corp, etc.).

5.  Add Rules to the New Policy

  • An example of such a rule is Source (zone:Applications) and Destination (vm.name contains “Backup”) (or whatever your target server is), or more specifically Destination (zone:Backup_Srvr), which is the defined zone for your Backup Servers.

  • Create specific Rules, which prevent the VMs inside the Applications zone from talking to each other.

                      a.  Deny > Source (vm.name = Source1) > Check “In Zone” > Destination (vm.name = Source2) > Check “In Zone” – Remove Ethernet Protocols to block all traffic

                       b.  Deny > Source (vm.name = Source1) > Check “In Zone” > Destination (vm.name = Source1) > Check “In Zone” – Remove Ethernet Protocols to block all traffic

 

Save these rules and they will apply to the associated VM/Servers.  You have just created your first PVLAN in the Virtual Environment.  Now you can accomplish even more granular network segmentation by using Reflex’s VMC and vTrust technologies.  Go forth and segregate…

written by Tommy Speigner

Mar 24


In mid-2008 our first major venture into Virtualization Management was a set of features around discovery, visualization, and monitoring of the virtual infrastructure. That set of features has now been packaged into a bundle called vWatch. In mid-2009, we introduced a set of features around securing the virtual infrastructure called vTrust. Since then we’ve been busy building the next major component of the End-to-End Reflex VMC Management platform, which was announced today and is called vProfile.

vProfile provides a set of User Interface and System components on top of a single tightly integrated Virtualization CMDB framework that significantly improves the ability to visualize, manage, and control a Virtualization Infrastructure. The vProfile product page provides some high level bullets of the features so I’m instead going to spend a lot of time on the in-depth functionality, design, and architecture here.

Design

vProfile is built entirely on top of the VQL language developed by Reflex. VQL provides a layer of abstraction from the database and the virtual infrastructure which makes it very simple to provide configuration management capabilities for anything that VQL can represent. For example, if tomorrow we provide VQL objects/properties for networking infrastructure we could then re-use all of our Configuration Management capabilities with those new VQL objects. This ensures a consistent look & feel as well as a tightly integrated enterprise framework to build upon.

In the initial release of vProfile we support three major types of targets:

  1. VMS – A Virtualization Management Server such as the VMware vCenter product.
  2. Host – A physical Host running a hypervisor such as the VMware vSphere ESX or ESXi product.
  3. VM – A guest virtual machine running in a hypervisor

    Overview

    For any target (vCenter, Host, or VM) of configuration, some common capabilities are supported. The user Interface provides the ability to:

    1. Compare and visualize differences between targets, profiles, or both
    2. Manage Profiles for those targets
    3. Edit Masks for visualizing configuration differences
    4. Schedule changes to the configuration

      Heatmap Visualization

      For each of these major target types we support configuration visualization, baselines/profiles, scheduled & ad-hoc remediation, and extensive enterprise reporting. The image below shows the visualization of configuration differences. In this image all of the Hosts in a Cluster are being compared to each other. In the Heatmap each cell of the map represents an individual unique property of the targets being compared against. The Hotter an area is in the heatmap the more differences there are between the targets of comparison. By clicking an individual cell in the Heatmap you can see what that property is and how it is different from other targets. From the Heatmap you can also quickly remediate the configuration among the targets. This capability makes managing complex configurations across multiple targets much simpler as you can just click hot-spots until everything is the same.


      Heatmap Search

      The visual Heat Map can also be searched using the Property Name search as shown in the following Figure. As you type in the Property Name search field, any properties that match the string you have typed within the Heatmap are outlined with a border to visually indicate their location.


      Pivot Table

      If a graphical Heatmap does not suit your style of analyzing data, the vProfile UI also offers an advanced pivot table to offer sophisticated grouping analysis of properties as well. Specific properties can be dragged from the Field List on the right-hand-side into the Pivot Grid. Properties can be dropped into Pivot Rows, Pivot Columns, or the Data Filter field. Once you choose pivot points the resulting cells of the Pivot Grid represent the number of hosts that match the matrix of property values. Clicking within a given cell will produce a ToolTip that lists the hosts that match that combination of properties. You can also export the pivot table to a native Excel file for further analysis.
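The comparison behind the heatmap, the mask, and the pivot grid can be sketched as follows. This is an added example, not vProfile code: the property names and host data are constructed, and the heat metric (number of hosts deviating from the most common value of a property) is an assumption, since the post only says hotter cells mean more differences.

```python
from collections import Counter

MISSING = "<missing>"

# Constructed sample: flattened configuration of three hosts in one cluster.
# Property names are illustrative, not vProfile's own identifiers.
HOSTS = {
    "esx01": {"dns.server": "10.0.0.2", "ntp.server": "10.0.0.5",
              "vswitch0.mtu": 1500, "vswitch0.promiscuous": False,
              "vmk0.ip": "10.0.1.11"},
    "esx02": {"dns.server": "10.0.0.2", "ntp.server": "10.0.0.5",
              "vswitch0.mtu": 9000, "vswitch0.promiscuous": False,
              "vmk0.ip": "10.0.1.12"},
    "esx03": {"dns.server": "10.0.0.2", "ntp.server": "10.0.0.9",
              "vswitch0.mtu": 1500, "vswitch0.promiscuous": True,
              "vmk0.ip": "10.0.1.13"},
}

# Mask: properties expected to differ per host, hidden from the comparison.
MASK = {"vmk0.ip"}


def _value_counts(hosts, prop):
    # repr() keeps unhashable values (lists, dicts) comparable.
    return Counter(repr(cfg.get(prop, MISSING)) for cfg in hosts.values())


def heat(hosts, mask=frozenset()):
    """Map each unmasked property to the number of hosts that deviate
    from its most common value (0 means every host agrees)."""
    props = set().union(*hosts.values()) - set(mask)
    result = {}
    for prop in sorted(props):
        majority = _value_counts(hosts, prop).most_common(1)[0][1]
        result[prop] = len(hosts) - majority
    return result


def outliers(hosts, prop):
    """Hosts whose value for prop differs from the most common value."""
    baseline = _value_counts(hosts, prop).most_common(1)[0][0]
    return {name: cfg.get(prop, MISSING) for name, cfg in hosts.items()
            if repr(cfg.get(prop, MISSING)) != baseline}


def pivot(hosts, row_prop, col_prop):
    """Pivot cell (row value, column value) -> sorted list of matching hosts."""
    cells = {}
    for name, cfg in sorted(hosts.items()):
        key = (cfg.get(row_prop, MISSING), cfg.get(col_prop, MISSING))
        cells.setdefault(key, []).append(name)
    return cells


if __name__ == "__main__":
    for prop, score in heat(HOSTS, MASK).items():
        print(f"{prop:<22} heat={score} outliers={outliers(HOSTS, prop)}")
    print(pivot(HOSTS, "vswitch0.mtu", "vswitch0.promiscuous"))
```

Without the mask, the per-host VMkernel address dominates the map, which is why host-specific properties are masked before looking for drift in settings such as vSwitch promiscuous mode.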


      Profiles

      The baseline for a target can be either created from a blank slate or can be imported from an existing target as shown in the following Figure.


      Multiple Profiles

      As shown in the previous Figure, multiple profiles can be bound to a given Host. This allows certain properties to be configured in a matrix between different types of Hosts, as shown in the following example table.

                              | North America Time Profile | EMEA Time Profile
      VDI Cluster Profile     | Host 1                     | Host 2
      Server Cluster Profile  | Host 3                     | Host 4

      Profile Editing

      Choosing the Edit button (Left of the Red X button) displays the Profile Editor dialog as shown in the following Figure.


      Profile Contents

      A baseline profile is organized as a tree of configuration components. A configuration component represents a major type of Virtualization Infrastructure such as a vSwitch, a Port Group, or a pNIC. Each one of these components can include certain properties. Some properties of a component are required while others are optional.

      Editing a Profile consists of the following tasks:

      • Creating components using the + button
      • Removing components and properties using the x button
      • Adding/Removing properties using the Profile Property editor
      • Adding a list element to a collection using the + button

      Property Inclusion

      The figure below shows an example of selecting the properties you want in the profile for a selected Port Group.


      IP Pools

      Some properties of a Host include IP setting for VMKernel Port Group types. IP settings are specific for every Host in the infrastructure and present a challenge for unifying the configuration of a set of Hosts. To address this problem Reflex provides a capability to manage pools of IP Addresses that can be used for these network interfaces. In the configuration of a VMKernel Port Group the name of an IP Pool can be specified instead of an actual IP Address. Since the core Reflex technology tracks all of the properties of a Host the Virtualization management Center knows all of the IP addresses that are currently in use and thus knows which IP addresses can and can not be used. The figure below shows the configuration of IP Pools as well as visualizing the capacity of the IP space.


      VMS Profiles

      In addition to Hosts the vProfile technology can also profile the configuration of a Virtualization Management Server (vCenter) as well. The types of data that can be configured on a vCenter server includes:

      • Datacenters
      • Roles
      • Permissions
      • Privileges
      • High Availability properties such as HA & DRS
      • Folders

      Reporting

      The vProfile module also includes extensive reporting capabilities such as scheduled reports in PDF & HTML. The reports provide two different modes of data: Exception based reporting and Audit based reporting. Exception reports are generally empty if things are normal, and if they include data, the data is prioritized so that you can immediately address only the top problems that may exist. Unlike the exception-based reporting, the Audit based reports provide exhaustive information for tracking purposes. In addition, the reports dynamically include new targets as they become available so there is no need to maintain the reporting configuration. Report Date/Time filters can also use relative time lengths so it is possible to run a report every Sunday for the last 7 days. Some of the included reports are:

      • Remediation Events
      • Targets not associated with a Profile
      • Profiles not associated with a Target
      • Target-to-Target Compliance
      • Target-to-Profile Compliance

      VM Profiles

      One of the most useful types of configuration management is for Virtual Machines. The ability to visualize & make vast changes to the virtual machines in your infrastructure can save lots of time and again eliminates the need to build custom scripting logic to perform these functions. The Figure below shows how to matrix the memory, CPU, and OS settings for a set of virtual machines just by dragging a few fields onto the Pivot Table.


      Visualizing these differences is one thing but being able to effect changes on the virtual machines is another. By creating a Profile that has a single property which is a target Datastore, then binding that Profile to a set of Virtual Machines using the VQL language, and then setting that profile to apply at 2AM on Sunday night, you can instrument the svMotion of those virtual machines without writing a single line of scripting code.

      Migrations

      DRS does a great job of load balancing the execution of virtual machines in a Cluster but often times virtualization administrators must load balance resources on a macro scale. The vProfile module also includes the ability to automate full migrations within the environment of a Host, a Cluster, or an entire vCenter preserving the configuration of the target objects during the migration. These migrations are simply small snippets of code that layer on top of the vProfile module further automating the fundamental capabilities of the framework.

      Summary

      The new vProfile module further extends the Reflex VMC’s ability to provide end-to-end management of the virtual infrastructure. vWatch, vTrust, and now vProfile all work as a single integrated system to provide a holistic management solution for the entire virtual infrastructure.

      Aaron Bawcom is Vice President of Engineering for Reflex Systems, a provider of end-to-end virtualization management solutions based out of Atlanta, GA. Contact him at abawcom@reflexsystems.com.

      written by Aaron Bawcom

      Mar 10

      I spent last week at the RSA 2010 show.  It was a different experience for me as this time I was a guest of our new partner, TippingPoint.  Overall it was a great show and I was very excited to hear multiple people tell me that the work we are doing with TippingPoint is the most interesting and innovative thing they saw at the show.   It’s great to get some end-user validation.

      Another interesting thing that struck me was how much has changed with regard to thinking about virtual security.  Reflex had a virtual security appliance back in 2006. When that product came out and we started talking about the new risks that virtualization was introducing, customers and other established vendors would stare at us like we were the crazy man on the corner predicting the end of the world.  Last week as I walked the aisles of RSA, I now see that all of the big security vendors have seen the light and are now preaching the same set of issues.  Everyone has their own take on what the solution should be, but it’s great to see that the importance of virtualization security is mainstream.   I think everyone now understands that virtualization brings a unique set of challenges and maintains many of the traditional security risks.  Things like visibility, configuration management and control, compliance, and network segmentation all need to be considered.  Since we started down this path, Reflex has grown from being network centric to offering multiple feature sets that help the virtualization administrators and security teams work together to address these issues.

      We also got quite a few questions about the product and partnership and a few of them were common enough to warrant some answers on our blog.

      Q: Is the TippingPoint vController software that incorporates Reflex technology or an OEM of Reflex VMC?
      A: Today, vController is a TippingPoint branded OEM of the Reflex VMC with some changes to allow the redirection of packets to a physical IPS device. This is done via the familiar vTrust policy interface with a new rule that when matched will forward that traffic to the IPS. The rule can be very granular, down to port/protocol, so that only the desired traffic gets inspected. vController is limited to the functions Reflex provides under our vTrust feature set (but that does include the ability to use VQL!) This means that other, more virtualization management centric functions found in the Reflex VMC are not available in vController. But here is the good news, the product and the business relationship exist to allow customers that see the value in the full Reflex product to upgrade their vController to a FULL version of Reflex VMC and retain the TippingPoint integration….Best of both worlds.  We have designed the software so that upgrades will be non-invasive and only require a simple license key addition to enable the functionality.

      Q: Is there going to be a virtual IPS offering from TippingPoint?
      A: The official answer will come from TippingPoint, but based on the following image and the messages that were communicated publicly at the RSA show, I can tell you that the current plan is to virtualize all or some of the TippingPoint IPS technology and provide it as part of a virtual appliance. The same vController software would provide the policy and rules to decide which traffic would get inspected by a virtual or physical TippingPoint IPS. The image from the TippingPoint booth clearly shows both options.


      Q: What about network segmentation and firewalling? Can the vController provide those functions?
      A: The short answer is Yes. Those functions are present in vController which means that the creation of virtual network zones with granular policy for network segmentation, based on VQL, is also available. And yes, the Reflex vTrust solution is a stateful firewall implementation.

      Q: How much does it cost and when will the product be available?
      A: This is one that I must defer to TippingPoint. I believe it will be sooner rather than later, but delivery schedules and product pricing questions should be directed at TippingPoint.

      Q: What if I’m one of the smart, forward thinking people that has already purchased the Reflex VMC product, can I get the TippingPoint functionality?
      A: Yes you can! Once TippingPoint vController is available, it will be possible to purchase the appropriate license keys to enable that functionality and leverage the existing installation of Reflex VMC. (Note: An upgrade to the most recent release of the Reflex VMC will be required).

      Mike Wronski, VP of Product Management
      Twitter: http://twitter.com/reflex_mike

      written by Mike Wronski


      Feb 25


      I wanted to take a moment and add some color from a Reflex perspective on the recent announcement of the partnership between TippingPoint and Reflex. First off, we are thrilled to be in this partnership. Those of you that know Reflex and our history also know that many of us come from the intrusion protection / network security space.  We all feel that our background in security is what led us to develop the Reflex VMC product’s multi-faceted approach to management of virtualization that blends security and management functions. Why? Because our philosophy is that successful security must be tightly coupled with management. So a partnership between what we feel is the best system for managing virtual environments, Reflex VMC, and the most advanced Intrusion Prevention System, TippingPoint N-Platform, makes perfect sense.

      As for the partnership details, I can tell you that the technology that Reflex uses to deliver our vTrust feature set is at the heart of the engagement.  vTrust is part of our VMware VMsafe implementation which integrates into the hypervisor to surface packet level introspection and control. What this means to the end user is that they can now leverage Reflex’s, patent pending, VQL language which allows for the definition of virtual network zones and segments.  This means that not only can granular segmentation be accomplished but granular packet inspection.

      vTrust with VQL is unique in that it does not require that segmentation be based on traditional lines (e.g. IP address range, MAC address, or host name). VQL allows the combination of all the properties we know about a virtual object and additional operator supplied meta-data to be used when creating a zone.   For example, it’s possible to create a zone of all the Microsoft Windows guests running Apache that are part of a specific web application and apply a segmentation and IPS inspection policy to those guests.  Reflex’s policy engine automatically and continuously determines membership in that zone. When new machines that match the criteria are created, they are placed into the zone.  This means that, with a correctly written policy, there is no need to alter security configurations or specific policy rules during normal expansion and contraction of the environment.  Tasks like orchestration and self service provisioning can operate independently of, yet in constant sync with, the defined security policies.

      This is only the first step. We expect to continue to work with TippingPoint and extend both of our capabilities. It’s going to be exciting! Look for even more cool innovations to come from this partnership in the future.

      Find out more at RSA 2010:

      I will be attending RSA 2010 at the Moscone Center in San Francisco from March 1st –5th.  You can stop by the TippingPoint booth (#1825) for one of their theater presentations where I will be jointly presenting the TippingPoint vController product. If you’re lucky you might even get a peek at the demo of the combined solution. The current theater schedule for vController is (Monday 7pm, Tuesday & Wednesday 1:30 & 5:30, and Thursday 2:30)  Stop by and say hello.

      If you have interest in the cloud, our CTO, Hezi Moore, will be presenting with Savvis’s Technical VP, Ken Owens, in STAR-203:  Extending Security Policies into the Cloud With Dynamic Policy Enforcement on Wednesday, March 3 @ 10:40AM.  Stop by and hear how organizations can leverage virtualization management technologies to seamlessly and securely move VMs that run business-critical applications and their operational policies between private and public cloud environments.

      Mike Wronski, VP of Product Management
      Twitter: http://twitter.com/reflex_mike

      written by Mike Wronski

      Feb 25

      Extending Security Policies into the Cloud with Dynamic Policy Enforcement

      Enterprise organizations are looking to the Cloud as a way to improve operational efficiency and reduce fixed infrastructure costs. However, most enterprises are reluctant to leverage cloud infrastructure in any meaningful way due to the inherent security risks. Hezi Moore, founder and CTO of Reflex Systems, along with Ken Owens, Technical VP of Servers and Security for SAVVIS, will look at how organizations can leverage virtualization management technologies to seamlessly and securely move VMs that run business-critical applications and their operational policies between private and public cloud environments.

      WHEN: Wednesday, March 3rd at 10:40AM PDT

      WHERE: RSA Conference 2010
      Moscone Center, San Francisco
      Orange Room 309

      WHO: Hezi Moore, Founder and CTO, Reflex Systems
      Ken Owens, Technical VP of Servers & Security, SAVVIS

      written by Laura Armistead

      Feb 16

      Navigating the virtual environment quickly can be a challenge— particularly if you only want to locate specific information about a certain virtual machine (VM) in a relatively large environment.  When I say large environment I mean 100+ VM’s.  On a scale of 1 to Large, 100 might not be so large for you, but that is about the point where the increasing number of virtual machines can provide a challenge when trying to find that one specific needle in the proverbial VM haystack.

      Using the Reflex VMC, there are a number of ways to quickly and easily navigate the virtual environment and find that particular VM— actually, three specific ways that I’m about to show you.

      Quick Navigator

      The first and easiest way to get to our target VM- let’s call it WebSrvr1- is to use the “Quick Navigator”.

      1. Select “Quick Navigator” from the Topology Menu.
      2. Once the Quick Navigator is opened, type in the name of the VM you are searching for.
      3. (When you find your VM,) select it from the list and the GUI will automatically navigate you to the VM location.


      Quick Click

      The second way to navigate to the WebSrvr1 VM is to use the “quick click” method.  The VMC offers multiple visual representations of your virtual environment through the inventory and logical topology maps.  From either topology map, simply double-click the Icons that represent the Virtual Center, Cluster/Host, VM Folder, and Virtual Machine (WebSrvr1).  Once you have identified where the VM is, you can see how it is connected within the virtual network.  Again, you can double click on the WebSrvr1 VM and see the details of what is running on that virtual machine, how it is performing and other vital information about the virtual machine.


      Virtualization Query Language (VQL)

      Finally, the third way to find the same VM host is to utilize Reflex’s Patent Pending technology, VQL, to query the virtual infrastructure.  This powerful virtualization query language (VQL) enables administrators to quickly search all objects in the virtual infrastructure by way of natural search (like Google) or a structured search (like SQL).  VQL is also used to classify data, write policy and define zones within the virtual environment.

      To use the VQL method:

      1. Open the VQL Query Editor.
      2. Enter the VQL Query vm.name- “WebSrvr1”- and run the query F5 or .
      3. Select the VM name from the “Query results” window and the GUI will redraw to show your VM in the environment.


      Now you have the power to navigate your entire environment exactly the way YOU want to, with quick, easy steps.

      written by Tommy Speigner

      Jan 21

      Reflex vTrust was awarded SearchServerVirtualization’s Silver Award for Virtualization Security Product of the Year for 2009. According to the TechTarget write up:

      “Reflex’s vTrust technology provides a robust network security solution for virtual environments. It is the company’s next-generation security product that takes advantage of VMware Inc.’s VMsafe application programming interfaces (API) to provide simpler and better integration with vSphere. VTrust’s compelling user interface provides an easy-to-use and effective means of displaying the data collected from security tools. And vTrust does more than define firewall policies; it integrates with the operational aspect of virtual environment.”


      written by Laura Armistead

      Dec 01

      The Solvay Group uses Reflex VMC to manage server consolidation, reduce costs and centrally control more than 500 virtual machines worldwide

      The Solvay Group has implemented Reflex VMC (Virtualization Management Center) to manage more than 50 servers with 500 VMware-based virtual machines running in nine datacenters throughout Europe and the U.S. Solvay has significantly consolidated its physical servers, reduced costs, and gained complete visibility into all global virtual machines and hosts across multiple sites from a single console.

      “The number of VMs we had implemented began to outgrow our tools’ ability to manage them efficiently. We needed a cutting-edge solution to centrally manage our entire virtual environment from a single pane of glass,” said Bruce McMillan, Manager of Emerging Technologies at Solvay, an international chemical, plastics and pharmaceutical organization with 2008 sales approaching 14 billion USD. “Reflex VMC has become the cornerstone of our virtual infrastructure management. Not only does it enable one-stop-shop management, it allows us to put in place the corporate-wide standards that are critical to our success.”

      “Solvay is a technology savvy organization that clearly recognizes the importance of using a comprehensive management and security solution to enhance its virtual infrastructure,” said Pete Privateer, president and CEO of Reflex Systems. “We’re extremely pleased that Solvay selected Reflex and is realizing such great benefits.”

      The award-winning Reflex VMC solution enables next-generation datacenters to enforce IT policies, ensure compliance with government mandates, and manage and protect virtual servers, desktops, and networks across multiple platforms. The benefits Solvay has gained from using Reflex VMC include:

      • Total visibility across multiple, distributed sites: Using Reflex VMC, all of Solvay’s 50 physical server hosts and 500 virtual machines can be viewed, monitored and managed at one time. This enables Solvay to assess the current implementation and plan for expansion so that new virtual machines can be logically added without impacting datacenter service levels.
      • Consolidated servers and reduced costs: Leveraging Reflex, Solvay has reduced the physical host servers in each office. For example, its Atlanta office cut the number of physical servers from ten to 5, which run approximately 150 virtual machines. Other offices have realized a 12-to-1 consolidation. These high consolidation ratios have also helped to lower datacenter cooling and electrical costs.
      • Improved security: According to McMillan, “The Reflex VMC security features are robust and enable us to monitor network activity within our virtual infrastructure that you normally don’t see. The IPS lets us see a lot of traffic that we did not know was there before. It gives us the opportunity to know what is going on. If you are running VMs without Reflex VMC you are blind to this activity.”

      McMillan added, “With the management, security and compliance that Reflex VMC offers, combined with the stability of today’s virtualization platform from VMware, there is nothing I wouldn’t virtualize.”

      About Solvay Group

      Solvay is an international chemical and pharmaceutical Group with headquarters in Brussels. Its companies employ more than 29,000 people in 50 countries. In 2008, its consolidated sales amounted to EUR 9.5 billion, generated by its three sectors of activity: Chemicals, Plastics and Pharmaceuticals. Solvay is listed on the NYSE Euronext stock exchange in Brussels (NYSE Euronext: SOLB.BE – Bloomberg: SOL.BB – Reuters: SOLBt.BR). Details are available at www.solvay.com.

      written by Laura Armistead