The Virtual Data Center

A Virtual Team Blog about the VDC and How To Get There

Archive for April, 2008

More on Montego and Software Switch Security (Sorry, John)

April 29, 2008 By: Alan Category: blog, data center, linux, security, virtualization No Comments →

With all the technology we all work with and talk about, it’s the smallest things that remind us that everything is error prone. John Peterson, CEO of Montego Networks and blogger at vmwaresecurity.com, posted a comment on April 1st to my post about their new software switch security VMs and built-in hypervisor security. Well, that comment was lost in the ether until today. So click on through to the original post to read John’s insightful feedback, where he answers a good bit of my questions. And I love his (paraphrased) “it may not be elegant but it’s a great start” response; touché. ;)

Now I’m off to find the virtual gremlin in Wordpress that’s stealing our comments. Makes me wonder how many more there may be…

On The Road Again

April 28, 2008 By: Alan Category: blog, data center, microsoft, virtualization No Comments →

A quick blog status update: Last week was a quiet week on this end (certainly not on the virtualization front; I’ve got my RSS consumption cut out for me) due to a much enjoyed vacation.  This week I’m down in Vegas visiting Interop, talking to a ton of great people, and speaking at the Microsoft Management Summit (MMS).  My session, aptly titled “Virtualized Data Centers – Beyond the Virtual Sum of Virtual Parts,” is on Thursday at 4:00 PM followed by a break-out Q&A session at 5:30 PM.  If you’re here and signed up, swing on by.  More info here.

…and then next week it’s all catching up and back to normal.  Until then…

Does Virtualization Always Save You Money? (Hint: NO)

April 17, 2008 By: Alan Category: data center, management, systems, virtualization 4 Comments →

Eric Siebert’s post on “Saving money by using virtualization” has gotten quite a bit of screen time in my RSS reader this week as it’s passed around from blog to blog. I’m doing the same; however, I think his post may be more of a disservice to people thinking about virtualization. Don’t get me wrong: power conservation is a beautiful thing, and reducing the number of physical devices in a data center will absolutely save you money on raw power consumption as well as environmental/HVAC requirements.

But “going virtual” isn’t free, and unfortunately saving power isn’t the only metric used in data center ROI calculations. Adding virtualization to your data center can actually be extremely expensive. There are so many new considerations that have to be factored in when virtualization is introduced. Here are some cost considerations that Eric, and almost everyone else, glosses over so they can jump right to the huge, blinking $$$ savings:

  • New Hardware Platforms (Virtual Hosts): These are typically more powerful boxes than the ones you’re replacing, have more CPUs and usually many, many additional drives and things like RAID controllers. These cost more up front than your single-purpose boxes and consume more power than individual, single-purpose boxes. It’s not a 1:1 power trade-off; a box that can run 50 OS images doesn’t consume 1/50th of the power that the physical farm consumed.
  • Virtual Platform Licenses: This will obviously vary depending on which vendor you choose, but as an example, VMware ESX/i and Virtual Center ain’t cheap. Even if you’re looking at a less expensive option like Microsoft or Xen, you’re then looking at possible OS costs to run Xen, new expertise to manage it (see below), etc.
  • OS and Application Licenses: The more guest images you add to a virtual host platform the less performance you’ll get out of each image (the law of diminishing returns). While you may have been able to load balance across 200 physical installs before, you might have to increase that install base to 250 or 300 once you virtualize because each one of those installs is able to run fewer processes, apps, etc.
  • Management: You’re going to need to manage this new virtual data center, most likely in a different manner than you do with your physical servers. You now have to monitor performance and events of the virtual infrastructure and each individual hypervisor. So you’ll probably need to buy new management software as part of the migration, and your incident/event processes will probably change as well.
  • Headcount: Saving headcount is almost always one of the top 3 drivers for virtualization: have fewer servers, have fewer people to manage them. And while that’s true, it’s probably also true that most of your existing IT staff aren’t virtualization experts, and have no idea how to troubleshoot ARP floods on a virtual switch, or how to performance tune multiple guest images on a host. You may actually have to hire new staff to manage your virtual infrastructure, or at least re-train your existing staff.

So again, I think that the core message behind Eric’s post is a good thing, but it’s missing the big picture. Thinking that saving on raw power is going to translate dollar-for-dollar into OpEx savings is short-sighted. Please do begin looking into power consumption as one of your data center cost metrics and as part of your overall virtualization strategy, but also factor in everything else that’s going to be required to complete this task. You may find that you save a ton of money within 12 months of converting, or you may find that the savings are much less than you originally anticipated; just make sure you know that beforehand and know what you’re getting into so you don’t promise your CIO $1M in savings only to spend $950k getting there.

Wyse Launches XenDesktop Thin Client Hardware

April 16, 2008 By: Alan Category: data center, systems, virtualization No Comments →

Fresh on the heels of my post yesterday, I read this morning that Wyse has launched a new line of hardware targeted at hosting remote XenDesktop deployments. This is a great, inexpensive solution for enterprise deployments where quantity and supportability are paramount, such as call centers, hospitals, travel, etc. I like this model a lot, and can’t wait to see a full deployment of these devices hosting both XenDesktop streams as well as XenServer apps. Very cool.

I’m normally not a reminiscing kind of guy (we’ve all been places and done things), but this one unexpectedly took me back. My first x86 machine was a Wyse 8088 I used to learn DOS, connect to BBSs over a 300 baud Smartmodem, and play this awesome construction game that was a blatant rip-off of Donkey Kong. Ah, those were innocent, good times. Ok, that’s out of my system (no pun intended), so no more living in the past, I promise. :)

Citrix Previews XenDesktop: Step One, Have Lots of Fun

April 15, 2008 By: Alan Category: data center, management, security, virtualization No Comments →

Citrix has announced that they’re going to start shipping XenDesktop in mid-May at their Citrix Synergy conference. Targeted at pushing full OS virtual images to remote desktops, XenDesktop will definitely address some of the largest virtualization security issues facing more traditional VMs out of the gate: patch management, checking images back in, corrupt and/or infected images in the field, etc. That alone is enough reason to be interested. But I find this announcement interesting in a number of ways beyond security (eee-gats!), each of which could be a glimpse of what dynamic VDI is going to look like in 5 years. Here’s what I’m noodling “out loud”:

  • Application Delivery Networking: During the IDC virtualization summit last week, Citrix came right out and said that Xen is an enabler to delivering a complete end-to-end application delivery infrastructure. Where NetScaler was/is the delivery network and controller portion of that plan, Xen is the content. I’ve long said that at the end of the day Citrix wants to sell more Presentation Server (now XenServer), and this week has basically confirmed this. There’s nothing wrong with this model at all, but it does move them away from the pure ADN/ADC market to a greater degree, creating a “forklift” one-vendor solution. Now what does this mean for Citrix’s business model long term, their NetScaler plans, etc? That remains to be seen.
  • Application Hypervisor Competition?: My first question with this announcement and the comments in the press release was “Why?” Specifically, why focus on streaming an entire OS rather than just jumping straight to streaming a virtual application? Is Citrix taking baby steps, and beginning to blur the lines between traditional VDI and application [delivery] virtualization? When you can push down just the app, why do you need a complete operating system? But then I started to think about their next baby step…and this is where it gets really cool…and about virtualizing and streaming both components. Is this where Citrix is headed?

    • Step 1: Virtualize the OS and push it down to a new user. This virtual machine is nothing beyond a kernel, display and input drivers, and a network stack. Very much a “thin client” from a few years ago. Light on the network, light local footprint, light to support.
    • Step 2: Virtualize all the applications your users need: Office (or Live Communication Server) and Outlook, CRM, and a web browser, and stream those down to the newly streamed virtual OS from step 1.
    • Step 3: Make this a completely portable solution. When I’m at my desk in an office, I run this solution on inexpensive desktop hardware. When I’m on the move, I run this solution sandboxed on my personal laptop. When I’m at home, I also run it sandboxed on my beefy desktop.
    • Step 4: Mix and match. Support legacy OS installs by pushing down just the apps. Support specific business need functions by sending down virtual Ubuntu to Dev and virtual Vista to Marketing. Allow “roaming” installs to follow the user; I’d no longer need to load something on my desktop then RDP from the data center to kick off a remote network test.

    Now when you rope this in with my comments above, Citrix may be setting themselves up to deliver a complete Virtual Application Delivery Network, literally.

VMware addressed these same ideas with their Thinstall post a few days ago by suggesting that we start separating the applications from the desktops. Couldn’t agree more, and maybe Citrix agrees as well, they’re just planning on creating a “support everyone” model by virtualizing the entire infrastructure, including the network (oh the network, why does everyone in the virtualization game ignore you?).

Personally, I’m thinking this may be a precursor to finally changing the way people think about and use virtualization. Or maybe I’m just so flippin’ excited to see a company focus on more than just hypervisor OS virtualization, and possibly creating a real solution that incorporates OS, application, server, and network virtualization, that I’m reading too much into this. Only time will tell…

Stacks o’ Management Cards!

April 14, 2008 By: Alan Category: data center, management, virtualization No Comments →

I’m back from RSA and SAP; it was a great week, and boy is my brain tired. :) But despite the lack of super-compelling new technologies at RSA this year, there was one interesting point I brought home. The company I work for usually has a booth at the shows that I attend. I spend my days at the shows in analyst and customer meetings and walking the floor during breaks looking at other technologies. It’s a good time, albeit an exhausting one that starts very early for breakfast and usually extends each night into the wee hours of the morning with customers and partners…but I can’t complain.

Anyway, back to a day in the life of Alan’s conference-going adventures! Throughout the day I will make my way back to our booth to check in, see how things are going, and pick up a stack of business cards that have been left by others with my name on them (we all know these shows are about meeting people as much as scouting tech ;). I drop the stack of the hour in my pocket and repeat this process a few times each day. Then I go through them, catalog and sort them by technology and responsibility back in the hotel room that evening, creating a clean slate for the business card exchange round the next day. I always come out of these shows having found cool companies and met great people through this process.

This past week there was one huge trend in my card stacks that I wasn’t expecting, especially at a security show: they were almost all associated with management. Management can be broken down into sub-categories, like log harvesting and analysis, outbound document management, virtual firewall management, complete data center management, etc. But all of my cards this year trended towards awareness rather than remediation and mitigation, which has been the trend in the past. I’ve long said that the #1 barrier to virtualization adoption in the data center will be management of these disparate virtualization technologies, and if RSA’s security trend is any indication, we may very well be on our way to climbing the management mountain. I was both surprised and extremely pleased to see these technologies as the face of RSA ‘08. Granted, I’m sure most of these solutions were drawn from compliance necessity vs. addressing the core management of the virtual data center world, but I’ll definitely take what I can get. Remember, it’s all about baby steps and making do with what we have today in order to advance a step forward towards tomorrow.

If management of the virtual data center is near, does that mean that we’ll be able to focus all of our time on software switching in the hypervisor? Is it my birthday? :)

Virtualization Security: Back to Definitions

April 09, 2008 By: Alan Category: data center, security, virtualization No Comments →

Well I’ve been at RSA for exactly one day now and I’ve literally already discussed the concepts of virtualization security in every meeting and impromptu conversation I’ve had, which is awesome. I love it that people are thinking about virtualization in their data center as a platform or framework and starting to look at the security implications of this new technology they now have to manage.

But as with the rest of my virtualization path that brought me here today, the second sentence in each one of these conversations has been “Well, what exactly do you mean by virtualization security, and what specific problem are you trying to address?” Virtualization security means one (or any) of 3 things:

  1. Security risks introduced to the data center when new virtualization technologies are introduced, i.e., my paper on Security Implications of the Virtual Data Center. What new risks and attack vectors are the hypervisor and software switching going to cause?
  2. Security of virtual machine images running in a VDI and/or on a hypervisor. So the security risks we deal with every day in our bare metal OS installs, transported to a virtual environment, where they can (and most likely will) go through long stages of rest and then an immediate need. Things like patch management of images that haven’t been used for some time, outdated user credentials, virus control, etc.
  3. Virtual instances of previously physical security devices. Going from a physical firewall and IPS to a virtual image running iptables and Snort. There’s the first issue of doing this outright, and then there are new developing technologies designed to offer this level of security specifically for virtual environments.

I think we are well on our way to having viable solutions for #2 and #3, and this is where most of those virtualization security conversations are ending up once we’re past the “which one” phase of the conversations, but I still don’t see many public solutions on #1 (which is where I spend almost all of my research time). People are seeing these new solutions come out that address patch management and virtual firewalls, so that’s what they’re thinking about and what they’re asking about. Don’t get me wrong: these are excellent questions. But I really have to play the terminology card again and suggest that when you’re thinking about virtualization security, you define which problem you’re trying to solve with a particular solution. If you’re looking at virtualizing your data center infrastructure, and specifically for a full VDC, you’ll be concerned about each one of these and you will eventually have solutions for each of them (hopefully from single vendors that provide kernel-level coverage). So make sure you’re targeting the correct solution for the correct problem. The above is step one in the 4Ds: Define, Design, Develop, Deploy. You can’t run until you walk. :)

On a related note, I haven’t had the chance to do anything at RSA beyond walk the expo floor (no sessions due to work commitments), and I don’t think I’ve found one vendor specifically talking about any form of virtualization security. Last year at Interop there were quite a few, so we’ll have to see if they hit Interop over RSA (which sounds strange to me) or if I’m just missing them all. I did take a peek at the Secure Vantage station in the Microsoft booth; looks like they may be doing some cool stuff along the lines of applying Group Policies to systems via Operations Manager 2007. I’ll try to swing by their station later today and dig a bit deeper on their technology and see if there’s any virtualization overlap.

Back to the meetings…

On The Road: SAP Virtualization Week, RSA

April 04, 2008 By: Alan Category: administration, blog No Comments →

Just a quick note: I’ll be going dark next week as I head down to the Bay area for a few days for RSA, and then even farther south to Palo Alto to present the Virtual Data Center at SAP Virtualization Week.  It’s going to be a fun week… :)

Embrace The Hypervisor: Part 3 (Make It So)

April 03, 2008 By: Alan Category: data center, management, microsoft, security, virtualization No Comments →

A few days ago, I started writing about why we need to make sure that the thing that started all of us on our virtual data center paths, the hypervisor, should retain its glory as king of all things virtual and should drop that terrible title: Commodity (aside: calling some technology in the data center a “commodity” is the new black; everyone is rushing to be the first to call something a commodity. OSes aren’t pork bellies.). Then yesterday I talked about what could be gained from looking at the hypervisor as more than just a virtual machine platform manager and hardware proxy. What began as me writing one post has now turned into a 3-part series (well, I’m relatively certain I’ll be off my soapbox about this topic after this post, but who knows). Now let’s talk about who’s in the best place to make this happen today, and ultimately be responsible for bringing the hypervisor out of the mines.

Let’s start with Xen. Xen is/was in an excellent place to push a lot of this technology into the hypervisor. Not only is XenSource open, but it’s also a paravirtualized technology. It’s kind of the best of both worlds, sitting between a completely obfuscated hypervisor (like VMware and Microsoft) and full kernel virtualization (à la Parallels). In other words, they still have a hypervisor and it’s wide open; anyone could build solutions directly into it. This could be powerful since many of the solutions that are being turned into virtual machines, like firewalls, IPSes, etc., are also open source. However, since the Citrix acquisition, Xen has begun its migration to supporting the Citrix application delivery message. A good thing for the ADC market, but it doesn’t do anything for the hypervisor or software switching. So to me, they’re rapidly moving out of the business of worrying about virtual infrastructure.

Next, VMware: the obvious choice because they pioneered the x86 obfuscated hypervisor. But…that was then, this is now. They seem to be spending all of their time lately split between building virtual data center infrastructures (networking, image distribution, etc.) and virtual machines (what they term appliances). They’re splitting the ocean, so to speak, and the hypervisor is merely the path they’re walking on. They’re pushing out development and innovation on the hypervisor to others with VMsafe. I’ve talked in depth about the pros and cons of this model previously, so I’ll leave it at “could be good, could be bad.”

Which leads us to Microsoft. I truly do believe that Microsoft is going to be the company that changes the way we think about OS and network virtualization. Don’t get me wrong: this isn’t Kool-Aid, and I believe in a competitive marketplace where different technologies ultimately benefit us users. But after researching this for so long, I think I’m comfortable in saying that if Microsoft can deliver on this idea of collapsing these full-blown single-point virtual machine images into the hypervisor, there’s no question they will ultimately own the majority of the VDC hypervisor market.

Why am I saying this so soon, well before Hyper-V, VMM, and 2008 are fully available? Two primary reasons:

  • As I’ve talked about numerous times, Microsoft has all the components necessary to build on the hypervisor to turn it into a platform. They’ve got all parts of the client (OS, network, environment options), the network to some degree with NAP and just because they own each end of the transport stack, the back-end servers and systems to manage application delivery and access, and most importantly, complete policy management in place with Group Policy, AD, and Forefront.
  • Time and time again, they have shown as a company that starting late doesn’t mean you’re out of the race. I want to specifically avoid religious wars here and issues concerning browsers, or lawsuits, or GUIs. This ain’t the place. And despite any misgivings that you may have about them as a company, we all use their stuff extensively in our data centers. And truthfully: how many enterprise desktop systems aren’t running a Windows platform? In short, they have the momentum and necessity to get this done more than the other two players. I’m sure someone in Microsoft cringes every time an engineer builds a SharePoint farm on ESX and manages it with Virtual Center. ;) They need to own this space, and hypervisor innovation is the ticket.

And #2 is really what pushes them ahead. Their predominance in the end-to-end data market, from client desktop OS and browser to back-end IIS server and SharePoint/Exchange, is what will allow them to move virtualization outside of the data center racks and, more specifically, move the hypervisor out of the relegated role of CPU/address translator.

VMware is relying on an external market to bring value to their own hypervisor, creating this symbiotic relationship which is good in many ways, but not so good in many, many others. They do have market share today, but my money is on MS right now simply because they control everything, end-to-end, in-house. I think one of the key test points will be their software switching infrastructure within Hyper-V, and its feature set beyond 2008. Only time will tell.

So ultimately, I think that we will see the hypervisor continue to be a huge portion of virtualization solutions, and eventually it will morph into something that resembles a CPU: it will become the compute resource for virtual environments, rather than a brand or just a required part of the overall system. And I think there may be a winner, or probably more likely, two major hypervisor players. That winner will be determined based on who brings the most “solution ready” features to the virtual party. But the hypervisor is here to stay, so let’s put it to its full potential and use it accordingly, instead of rushing to name it our virtual lame duck.

All the cards on the table.

April 02, 2008 By: Keith Category: data center, systems No Comments →

I spent a bit of time looking at Cisco’s reference designs for the data center, which is a collection of Flash demos with links to lots and lots of their products. One of the things that really stood out for me in all the designs was that Cisco truly is the networking company they say they are. And that’s just the point: they’re a networking company. They continue to promote their switches and routers as the cure to everything, but when new technologies come along that could really benefit companies and reduce power and management costs, they get a back seat. Take a look at the design that includes their VFrame technology, roll over the outlines for each section of the network, i.e., data network, storage network, application network, and so on. What do you see? The VFrame server is never included in the architectures! Does that mean it’s a standalone solution? I don’t think so. If vendors really want to promote reduction in management and infrastructure costs, they need to talk about their whole ecosystem.