What happens when there is a disaster and you have to get your infrastructure back up and running as quickly as possible? Let’s assume we are on the same page and talking about VMware, specifically ESX hosts. Most, if not all, organizations already have a Disaster Recovery plan in place, but how many of those plans cover the new hosts running virtualization? Do you have a plan to get them back up and running, EXACTLY HOW THEY WERE, in a matter of minutes? Let me tell you how you can do it with vProfile.
The scenario includes three locations; it could be two, but I like odd numbers, so three it is. Atlanta is our HQ, Dallas is our HQ2, and Denver is our DR site. As we have witnessed in the past, there are a number of man-made and natural disasters that interrupt services. This time Atlanta is hit with another monster storm, and a tornado wipes out our Atlanta HQ site. Using Reflex vProfile we can go back to the VMC, extract the properties and settings recorded for the downed hosts, and apply them to our newly built (or already running standby) ESX hosts at our Denver DR site.
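The capture-and-reapply step described above, as an added example rather than vProfile's own data model or API: host identity (hostname, management IP, MACs, UUID) is kept out of the profile so it can be applied to a different physical host, and verify_profile() lists every portable setting that still differs, so "exactly how it was" is checked rather than assumed. Both host records and all of their values are constructed sample data.

```python
"""Portable ESX host profile: capture from one host, apply to another, verify.

Added example, not vProfile's data model or API. Host identity is excluded
from the profile so it can be applied to a different physical host, and
verify_profile() reports every portable setting that drifted. The host
records below are constructed sample data with made-up values.
"""
import copy
from typing import Any, Dict, Iterator, List, Tuple

# Settings that belong to one physical host and must never be copied to another.
IDENTITY_KEYS = {"hostname", "mgmt_ip", "mac_addresses", "uuid"}
ABSENT = "<absent>"  # marker for a setting present on only one side of a comparison


def capture_profile(host: Dict[str, Any]) -> Dict[str, Any]:
    """Everything except host identity, deep-copied so later edits don't leak in."""
    return copy.deepcopy({k: v for k, v in host.items() if k not in IDENTITY_KEYS})


def apply_profile(target: Dict[str, Any], profile: Dict[str, Any]) -> Dict[str, Any]:
    """Target host with the profile's settings applied; its own identity is kept."""
    new = copy.deepcopy(target)
    for k, v in profile.items():
        if k in IDENTITY_KEYS:
            raise ValueError(f"profile must not carry identity key {k!r}")
        new[k] = copy.deepcopy(v)
    return new


def _flatten(obj: Any, prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Dotted leaf paths; list order is kept because firewall rules are ordered."""
    if isinstance(obj, dict) and obj:
        for k in sorted(obj):
            yield from _flatten(obj[k], f"{prefix}{k}.")
    elif isinstance(obj, list) and obj:
        for i, v in enumerate(obj):
            yield from _flatten(v, f"{prefix}[{i}].")
    else:
        yield prefix.rstrip("."), obj


def verify_profile(host: Dict[str, Any], profile: Dict[str, Any]) -> List[Tuple[str, Any, Any]]:
    """(path, expected, actual) for every portable setting that drifted; [] means identical."""
    want = dict(_flatten(profile))
    have = dict(_flatten(capture_profile(host)))
    return [(p, want.get(p, ABSENT), have.get(p, ABSENT))
            for p in sorted(set(want) | set(have))
            if want.get(p, ABSENT) != have.get(p, ABSENT)]


def sample_hosts() -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """(downed HQ host as last recorded, freshly built standby host at the DR site)."""
    downed = {
        "hostname": "esx01.atl.example", "mgmt_ip": "10.1.0.11", "uuid": "aaaa-1111",
        "mac_addresses": ["00:50:56:00:00:01"],
        "ntp": ["ntp1.example", "ntp2.example"],
        "syslog": "udp://syslog.example:514",
        "firewall": [{"name": "sshServer", "enabled": False},
                     {"name": "vSphereClient", "enabled": True}],
        "vswitches": {"vSwitch0": {"uplinks": ["vmnic0", "vmnic1"],
                                   "portgroups": ["Management", "VM Network"]}},
    }
    standby = {
        "hostname": "esx01.den.example", "mgmt_ip": "10.3.0.11", "uuid": "bbbb-2222",
        "mac_addresses": ["00:50:56:00:00:02"],
        "ntp": ["pool.ntp.org"],
        "syslog": None,
        "firewall": [{"name": "sshServer", "enabled": True},   # SSH left open on the standby
                     {"name": "vSphereClient", "enabled": True}],
        "vswitches": {"vSwitch0": {"uplinks": ["vmnic0"], "portgroups": ["Management"]}},
    }
    return downed, standby


if __name__ == "__main__":
    downed, standby = sample_hosts()
    profile = capture_profile(downed)
    for path, want, have in verify_profile(standby, profile):
        print(f"drift before apply: {path}: expected {want!r}, found {have!r}")
    rebuilt = apply_profile(standby, profile)
    print("drift after apply:", verify_profile(rebuilt, profile))
```

The verify step is the part most DR runbooks skip: run it against the rebuilt host after the profile is applied and treat any non-empty result as a failed restore, not a warning.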

Continue reading »
written by Tommy Speigner
\\ tags: compliance, Configuration management, Policy, VMC management, vmware, vProfile
In my previous post I talked about what PVLANs are and how to create secured PVLANs using the Reflex VMC vTrust technology. After reviewing the post I realized that some might want a more in-depth understanding of how we accomplish this, why it differs from the way it was done in the past, and what other options are available for creating PVLANs. PVLANs come in two major types: isolated and community. In an isolated PVLAN, each VM in the zone can send traffic out of the zone and receive traffic from outside hosts, but the VMs within the zone cannot communicate with one another. A community PVLAN allows both: VMs in the zone can talk to each other (intra-zone) as well as to outside hosts (inter-zone).
Why would you want to have a community zone?
Continue reading »
written by Tommy Speigner
\\ tags: Policy, Reflex VMC, segmentation, VLANs, VQL, vTrust, Zones
Virtualized PVLANs
We have a dilemma… A customer wants to create PVLANs (Private VLANs) in their virtual environment. If you aren’t familiar with PVLANs, read what Cisco says they are: “A PVLAN is a VLAN with configuration for Layer 2 isolation from other ports within the same broadcast domain or subnet. You can assign a specific set of ports within a PVLAN and thereby control access among the ports at Layer 2.” With certain Cisco switches you can set up PVLANs to allow or deny the traffic between two hosts in the same subnet.
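A small model of the Layer 2 rules Cisco describes, added here as an example; it is not code from Reflex VMC or from a Cisco switch. It encodes the standard PVLAN port roles (a promiscuous port such as the gateway reaches everything, an isolated port reaches only promiscuous ports, a community port additionally reaches its own community), which is the isolated-versus-community distinction drawn in the follow-up post above. Port names and VLAN numbers are made up.

```python
"""Layer-2 reachability between private VLAN (PVLAN) ports.

Added example, not code from Reflex VMC or from a Cisco switch: it encodes
the standard PVLAN port roles so the isolated/community distinction can be
checked mechanically. Port names and VLAN numbers are made up.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class PortType(Enum):
    PROMISCUOUS = "promiscuous"  # gateway/uplink: reaches every port in the primary VLAN
    ISOLATED = "isolated"        # reaches promiscuous ports only
    COMMUNITY = "community"      # reaches promiscuous ports and its own community


@dataclass(frozen=True)
class Port:
    name: str
    primary_vlan: int                 # the primary VLAN that scopes the PVLAN
    ptype: PortType
    community: Optional[int] = None   # secondary VLAN ID, community ports only


def can_talk(a: Port, b: Port) -> bool:
    """True if a frame from port a may be delivered to port b at Layer 2."""
    if a.primary_vlan != b.primary_vlan:
        return False                  # different broadcast domains: not a PVLAN question
    if a.name == b.name:
        return True
    if PortType.PROMISCUOUS in (a.ptype, b.ptype):
        return True                   # promiscuous ports reach, and are reached by, everything
    if PortType.ISOLATED in (a.ptype, b.ptype):
        return False                  # isolated ports see only the promiscuous port(s)
    return a.community == b.community # both community: same secondary VLAN only


def reachability_matrix(ports: List[Port]) -> Dict[Tuple[str, str], bool]:
    """Every ordered (src, dst) pair and whether Layer 2 delivery is permitted."""
    return {(a.name, b.name): can_talk(a, b)
            for a in ports for b in ports if a.name != b.name}


def sample_zone() -> List[Port]:
    """Constructed topology: one gateway, a web community, an isolated DB tier."""
    return [
        Port("gateway", 100, PortType.PROMISCUOUS),
        Port("web1", 100, PortType.COMMUNITY, community=101),
        Port("web2", 100, PortType.COMMUNITY, community=101),
        Port("db1", 100, PortType.ISOLATED),
        Port("db2", 100, PortType.ISOLATED),
    ]


if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability_matrix(sample_zone()).items()):
        print(f"{src:>8} -> {dst:<8} {'allowed' if ok else 'blocked'}")
```

Two things worth checking against any real PVLAN setup: the relation is symmetric (if db1 cannot reach db2, db2 cannot reach db1), and isolation is Layer 2 only, so two isolated hosts can still reach each other through a router on the promiscuous port unless that router also filters the traffic.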

Continue reading »
written by Tommy Speigner
\\ tags: Policy, Reflex VMC, segmentation, VLANs, VQL, vTrust, Zones

In mid 2008 our first major venture into virtualization management was a set of features around discovery, visualization, and monitoring of the virtual infrastructure. That set of features is now bundled as vWatch. In mid 2009 we introduced a set of features around securing the virtual infrastructure, called vTrust. Since then we have been busy building the next major component of the end-to-end Reflex VMC management platform; it was announced today and is called vProfile.
vProfile provides a set of user interface and system components on top of a single, tightly integrated virtualization CMDB framework that significantly improves the ability to visualize, manage, and control a virtualization infrastructure. The vProfile product page provides some high-level bullets on the features, so I am instead going to spend a lot of time here on the in-depth functionality, design, and architecture.
Continue reading »
Aaron Bawcom is the Chief Technology Officer for Reflex Systems, a provider of end-to-end virtualization management solutions based out of Atlanta, GA. Contact him at abawcom@reflexsystems.com.
written by Aaron Bawcom
\\ tags: compliance, Configuration management, Virtualization Management, vProfile, VQL
I spent last week at the RSA 2010 show. It was a different experience for me as this time I was a guest of our new partner, TippingPoint. Overall it was a great show and I was very excited to hear multiple people tell me that the work we are doing with TippingPoint is the most interesting and innovative thing they saw at the show. It’s great to get some end-user validation.
Another interesting thing that struck me was how much has changed with regard to thinking about virtual security. Reflex had a virtual security appliance back in 2006. When that product came out and we started talking about the new risks that virtualization was introducing, customers and other established vendors would stare at us like we were the crazy man on the corner predicting the end of the world. Last week as I walked the aisles of RSA, I saw that all of the big security vendors have seen the light and are now preaching the same set of issues. Everyone has their own take on what the solution should be, but it’s great to see that the importance of virtualization security is mainstream. I think everyone now understands that virtualization brings a unique set of challenges and maintains many of the traditional security risks. Things like visibility, configuration management and control, compliance, and network segmentation all need to be considered. Since we started down this path, Reflex has grown from being network centric to offering multiple feature sets that help the virtualization administrators and security teams work together to address these issues.
We also got quite a few questions about the product and partnership and a few of them were common enough to warrant some answers on our blog.
Q: Is TippingPoint vController software that incorporates Reflex technology, or a private-label version of Reflex VMC?
A: Today, vController is a TippingPoint-branded private-label version of the Reflex VMC with some enhancements to allow the redirection of packets to a physical IPS device. This is done via the familiar vTrust policy interface with a new rule that, when matched, forwards that traffic to the IPS. The rule can be very granular, down to port/protocol, so that only the desired traffic gets inspected. vController is limited to the functions Reflex provides under our vTrust feature set (but that does include the ability to use VQL!). This means that other, more virtualization-management-centric functions found in the Reflex VMC are not available in vController. But here is the good news: the product and the business relationship exist to allow customers that see the value in the full Reflex product to upgrade their vController to a FULL version of Reflex VMC and retain the TippingPoint integration. Best of both worlds. We have designed the software so that upgrades are non-invasive and only require a simple license key addition to enable the functionality.
Q: Is there going to be a virtual IPS offering from TippingPoint?
A: The official answer will come from TippingPoint, but based on the following image and the messages that were communicated publicly at the RSA show, I can tell you that the current plan is to virtualize all or some of the TippingPoint IPS technology and provide it as part of a virtual appliance. The same vController software would provide the policy and rules to decide which traffic gets inspected by a virtual or physical TippingPoint IPS. The image from the TippingPoint booth clearly shows both options.

Q: What about network segmentation and firewalling? Can the vController provide those functions?
A: The short answer is Yes. Those functions are present in vController which means that the creation of virtual network zones with granular policy for network segmentation, based on VQL, is also available. And yes, the Reflex vTrust solution is a stateful firewall implementation.
Q: How much does it cost and when will the product be available?
A: This is one that I must defer to TippingPoint. I believe it will be sooner rather than later, but delivery schedules and product pricing questions should be directed at TippingPoint.
Q: What if I’m one of the smart, forward thinking people that has already purchased the Reflex VMC product, can I get the TippingPoint functionality?
A: Yes you can! Once TippingPoint vController is available, it will be possible to purchase the appropriate license keys to enable that functionality and leverage the existing installation of Reflex VMC. (Note: an upgrade to the most recent release of the Reflex VMC will be required.)
Mike Wronski, VP of Product Management
Twitter: @Reflex_Mike
written by Mike Wronski
\\ tags: IDS/IPS, Reflex VMC, RSA, security, virtualization security, vTrust

I wanted to take a moment and add some color from a Reflex perspective on the recent announcement of the partnership between TippingPoint and Reflex. First off, we are thrilled to be in this partnership. Those of you that know Reflex and our history also know that many of us come from the intrusion prevention / network security space. We all feel that our background in security is what led us to develop the Reflex VMC product’s multi-faceted approach to management of virtualization that blends security and management functions. Why? Because our philosophy is that successful security must be tightly coupled with management. So a partnership between what we feel is the best system for managing virtual environments, Reflex VMC, and the most advanced Intrusion Prevention System, TippingPoint N-Platform, makes perfect sense.
As for the partnership details, I can tell you that the technology Reflex uses to deliver our vTrust feature set is at the heart of the engagement. vTrust is part of our VMware VMsafe implementation, which integrates into the hypervisor to surface packet-level introspection and control. What this means to the end user is that they can now leverage Reflex’s patent-pending VQL language, which allows for the definition of virtual network zones and segments. This means that not only can granular segmentation be accomplished, but also granular packet inspection.
vTrust with VQL is unique in that it does not require that segmentation be based on traditional lines (e.g. IP address range, MAC address, or host name). VQL allows the combination of all the properties we know about a virtual object and additional operator-supplied metadata to be used when creating a zone. For example, it’s possible to create a zone of all the Microsoft Windows guests running Apache that are part of a specific web application and apply a segmentation and IPS inspection policy to those guests. Reflex’s policy engine automatically and continuously determines membership in that zone. When new machines that match the criteria are created, they are placed into the zone. This means that, with a correctly written policy, there is no need to alter security configurations or specific policy rules during normal expansion and contraction of the environment. Tasks like orchestration and self-service provisioning can operate independently of, yet in constant sync with, the defined security policies.
This is only the first step. We expect to continue to work with TippingPoint and extend both of our capabilities. It’s going to be exciting! Look for even more cool innovations to come from this partnership in the future.
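The zone-as-predicate model described above, together with the granular "forward to the IPS" rule from the vController Q&A earlier on this page, as an added example. This is not Reflex's VQL syntax or policy engine, just a plain-Python equivalent in which a zone is a predicate over a VM's discovered properties plus operator tags, and rules name zones rather than addresses, so adding a matching VM changes membership without touching the rule set. The VM records, tags, zone definitions and rules are all constructed for the example.

```python
"""Property-based zone membership with policy keyed on zones, not addresses.

Added example, not Reflex's VQL syntax or policy engine. Zones are predicates
over a VM's discovered properties plus operator-supplied tags; rules name
zones, so membership is recomputed from the inventory and the rules never
change when VMs come and go. All VM records, tags and rules are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class VM:
    name: str
    guest_os: str
    services: frozenset                       # e.g. {"apache", "mssql"}, as discovered in the guest
    tags: Dict[str, str] = field(default_factory=dict)   # operator-supplied metadata


# A zone is a name plus a predicate; no IP ranges or host names appear here.
ZONES: Dict[str, Callable[[VM], bool]] = {
    "shop-web": lambda vm: (vm.guest_os.startswith("Windows")
                            and "apache" in vm.services
                            and vm.tags.get("app") == "shop"),
    "shop-db": lambda vm: "mssql" in vm.services and vm.tags.get("app") == "shop",
}


def zone_members(inventory: List[VM]) -> Dict[str, Set[str]]:
    """Recompute every zone's membership; run this on each inventory change."""
    return {zone: {vm.name for vm in inventory if pred(vm)}
            for zone, pred in ZONES.items()}


@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone name or "any"
    dst_zone: str
    proto: str      # "tcp", "udp" or "any"
    dport: int      # 0 means any port
    action: str     # "allow", "deny" or "ips" (hand the flow to the IPS for inspection)


# First match wins; anything unmatched is denied (default-deny).
POLICY: List[Rule] = [
    Rule("any", "shop-web", "tcp", 443, "ips"),         # inspect inbound HTTPS only
    Rule("shop-web", "shop-db", "tcp", 1433, "allow"),  # web tier to SQL Server
    Rule("any", "shop-db", "any", 0, "deny"),           # nothing else reaches the DB tier
]


def zones_of(members: Dict[str, Set[str]], endpoint: str) -> Set[str]:
    """Zones containing the endpoint; "any" always applies, so non-VMs match only "any"."""
    return {z for z, names in members.items() if endpoint in names} | {"any"}


def decide(members: Dict[str, Set[str]], src: str, dst: str,
           proto: str, dport: int) -> str:
    """Evaluate POLICY for one flow; returns the first matching rule's action."""
    src_zones, dst_zones = zones_of(members, src), zones_of(members, dst)
    for r in POLICY:
        if (r.src_zone in src_zones and r.dst_zone in dst_zones
                and r.proto in ("any", proto) and r.dport in (0, dport)):
            return r.action
    return "deny"


def sample_inventory() -> List[VM]:
    """Constructed inventory: web2 runs Apache for the shop but is not Windows."""
    return [
        VM("web1", "Windows Server 2008", frozenset({"apache"}), {"app": "shop"}),
        VM("web2", "Ubuntu 9.10", frozenset({"apache"}), {"app": "shop"}),
        VM("db1", "Windows Server 2008", frozenset({"mssql"}), {"app": "shop"}),
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    members = zone_members(inv)
    print(members)
    print("internet -> web1:443 ", decide(members, "internet", "web1", "tcp", 443))
    # A new web VM is provisioned: POLICY is untouched, only membership changes.
    inv.append(VM("web3", "Windows Server 2008", frozenset({"apache"}), {"app": "shop"}))
    members = zone_members(inv)
    print("web3 -> db1:1433     ", decide(members, "web3", "db1", "tcp", 1433))
```

Note the failure mode this design has to guard against: a VM that matches no zone (web2 above) falls into "any" only, so it can reach nothing that the rules restrict, and the rule order matters, since a later deny would not override an earlier allow.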
Find out more at RSA 2010:
I will be attending RSA 2010 at the Moscone Center in San Francisco from March 1st to 5th. You can stop by the TippingPoint booth (#1825) for one of their theater presentations where I will be jointly presenting the TippingPoint vController product. If you’re lucky you might even get a peek at the demo of the combined solution. The current theater schedule for vController is Monday 7pm, Tuesday & Wednesday 1:30 & 5:30, and Thursday 2:30. Stop by and say hello.
If you have an interest in the cloud, our CTO, Hezi Moore, will be presenting with Savvis’s Technical VP, Ken Owens, in STAR-203: Extending Security Policies into the Cloud With Dynamic Policy Enforcement on Wednesday, March 3 @ 10:40AM. Stop by and hear how organizations can leverage virtualization management technologies to seamlessly and securely move VMs that run business-critical applications and their operational policies between private and public cloud environments.
Mike Wronski, VP of Product Management
Twitter: @Reflex_Mike
written by Mike Wronski
Extending Security Policies into the Cloud with Dynamic Policy Enforcement
Enterprise organizations are looking to the Cloud as a way to improve operational efficiency and reduce fixed infrastructure costs. However, most enterprises are reluctant to leverage cloud infrastructure in any meaningful way due to the inherent security risks. Hezi Moore, founder and CTO of Reflex Systems, along with Ken Owens, Technical VP of Servers and Security for SAVVIS, will look at how organizations can leverage virtualization management technologies to seamlessly and securely move VMs that run business-critical applications and their operational policies between private and public cloud environments.
WHEN: Wednesday, March 3rd at 10:40AM PST
WHERE: RSA Conference 2010
Moscone Center, San Francisco
Orange Room 309
WHO: Hezi Moore, Founder and CTO, Reflex Systems
Ken Owens, Technical VP of Servers & Security, SAVVIS
written by Laura Armistead
\\ tags: Cloud, Cloud Security, policy enforcement, Reflex VMC, RSA, security
Navigating the virtual environment quickly can be a challenge, particularly if you only want to locate specific information about a certain virtual machine (VM) in a relatively large environment. When I say large environment I mean 100+ VMs. On a scale of 1 to Large, 100 might not be so large for you, but that is about the point where the increasing number of virtual machines makes it a challenge to find that one specific needle in the proverbial VM haystack.
Using the Reflex VMC, there are a number of ways to quickly and easily navigate the virtual environment and find that particular VM— actually, three specific ways that I’m about to show you.
Quick Navigator
The first and easiest way to get to our target VM, let’s call it WebSrvr1, is to use the “Quick Navigator”.
- Select “Quick Navigator” from the Topology menu.
- Once the Quick Navigator is open, type in the name of the VM you are searching for.
- When you find your VM, select it from the list and the GUI will automatically navigate to the VM’s location.


Continue reading »
written by Tommy Speigner
\\ tags: virtual infrastructure navigation, VMC management, VQL
Reflex vTrust was awarded SearchServerVirtualization’s Silver Award for Virtualization Security Product of the Year for 2009. According to the TechTarget write up:
“Reflex’s vTrust technology provides a robust network security solution for virtual environments. It is the company’s next-generation security product that takes advantage of VMware Inc.’s VMsafe application programming interfaces (API) to provide simpler and better integration with vSphere. vTrust’s compelling user interface provides an easy-to-use and effective means of displaying the data collected from security tools. And vTrust does more than define firewall policies; it integrates with the operational aspects of the virtual environment.”
written by Laura Armistead
\\ tags: security, segmentation, vmsafe, vTrust