Which Cloud – so many options!

Cloud Computing, or ‘The Cloud’, has become ubiquitous over the past couple of years. A term that was coined and took off within the IT community has taken hold among the general populace and even your granny will be on about storing information in the cloud. But which cloud is the right one? There are so many different definitions of ‘The Cloud’ that I’d be writing for the next week just to go through them alone. For me, the keys to cloud are scalability, shared resources, automation, software/profile-driven configuration and a self-service function.

For the majority of end-users ‘The Cloud’ is where you store extra backups of the photos or documents on your laptop or smartphone, which allows you both to recover those items if needed and to access them quickly and easily on another device. Creating a seamless user experience between devices is key for these types of solutions. However, for IT professionals it’s not only about these two features.

Cloud technology provides organisations the opportunity to expand their infrastructure and platforms quickly and dynamically while moving the cost model from CAPEX to OPEX, a situation that management are happy to see occur. The use-cases for cloud technology are numerous but generally centre around backup, disaster recovery, test and development, scalable applications and, more recently, virtual desktop infrastructure (VDI). The options for cloud have been defined as Public, Private and Hybrid. Public Cloud has hit the market hard during the past 3 to 4 years and has the backing of IT heavyweights like Microsoft (Azure), IBM (SoftLayer), Google (Google Cloud Platform) and a relative newcomer but absolute beast, Amazon (Amazon Web Services). For web-based applications or even start-up companies public cloud is a great way to go as it’s easy to scale and the infrastructure was designed more specifically for modular applications. The shining example of growth, AWS, has a success story in Netflix. Netflix grew rapidly, and if it had been running on a traditional platform its growth would definitely have been limited. However, thanks to using the public cloud to stream their content to end users it was possible to satisfy the demand, and Netflix is now responsible for 80% of Sunday night internet traffic in the United States, all running from AWS and managed by a minimal support staff.

The majority of companies will have their own Private Cloud or will at least be moving in that direction by having a fully virtualised platform. However, virtualisation is not the same as Cloud; a lot of people make that mistake. Virtualisation provides the mechanisms that allow cloud technology to exist: it pools the physical resources into a shared virtual resource pool that allows greater utilisation of compute, storage and network resources. Where most Private Clouds fall down is in the area of automation and self-service provisioning. There are a large number of infrastructure providers that fit into the Private Cloud space. Cisco and NetApp teamed up to create FlexPod, which has been extremely popular and has helped Cisco become the leading blade infrastructure provider globally in just 5 years. Cisco UCS’s policy-driven platform has helped organisations quickly and easily scale their infrastructure using templates. This has been labelled ‘legacy infrastructure’, a term I don’t necessarily agree with because to me it’s just a marketing term. In just the past 2 years there has been a huge shift in the storage market that has impacted how storage is now delivered. Hyper-converged infrastructure has been growing rapidly, with Nutanix leading the charge. Other similar systems such as the recently announced VMware EVO:RAIL and even SimpliVity, which teamed up with Cisco earlier this year, are creating waves in how infrastructure is delivered. They all bring storage closer to the compute layer and modularise RAM, CPU, networking and storage into one unit so that growth is easily scalable at a low-cost entry point. The hyper-converged platforms are definitely going to change how Private Cloud is deployed and managed in the coming years. And the upside to these new players on the market is that some of the older, larger players in the IT market have had a virtual kick in the arse. So expect lots more innovation in the future.

Hybrid cloud has been on a similar trajectory to hyper-converged platforms in the past 2 years or so, on the up and up in terms of popularity. There are many reasons for organisations to utilise the capacity, scalability and resources of public cloud platforms, but usually security reasons, internal politics, infrastructure complexities or even application restrictions mean that it’s not possible to move the entire production infrastructure. Hybrid cloud, however, offers the opportunity to open up your environment to leverage some public resources in a private capacity, under the control and security of just one IT team. As an engineer at a company that suffers from tombstone applications (applications that have been left in the environment with no owners and no responsible person but cannot be moved or upgraded) and valid security concerns around sensitive data, the only option regarding cloud technology is Hybrid. I’m currently looking into our options around this and some very recent announcements have really piqued my interest. I plan to go into more detail around some of these over the coming weeks, but some worth a look at are VMware’s new vCloud Air announcement and also NetApp Cloud OnTap and Private Storage.

So if you’ve read this far you have the right to ask whether I’ve told you which Cloud you should choose. I haven’t. I can’t tell you that. There are just far too many options. Nowadays IT, and in particular Cloud, is the equivalent of a menu at the Cheesecake Factory: absolutely immense, and when the waiter asks what you want you blindly point at the menu hoping that you get something you wouldn’t mind eating because you couldn’t get past reading the second page. Cloud is just the same: so many options, not enough time. You really have to analyse your environment, your requirements and your desired roadmap so that you can match the type of cloud you need.

Trend Deep Security Manager 9 – Post Installation Issue

DSVA Security Update Failed:

Once I had the full Trend Deep Security Manager environment installed I ran the Download Security Updates command to get the latest updates from the Trend website. When trying to update the DSVA I got the following error:
Error Code: -1073676286 Error Message: IAU_STATUS_NETWORK_CONNECTION_FAILURE https://trendserver1:4122/ 
I ran a PuTTY session on the ESX host (where the DSVA security update fails) and saw an entry in vmkernel.log that shows “DSVA not bound”. When I logged into vShield Manager and checked the ESX host summary, I saw that vShield Endpoint was installed but that there were no items listed under Service Virtual Machines. This should show the name of the protected DSVA on that host.
The issue occurs when the DSVA and the filter driver bind improperly, causing a communication failure between the DSVA and the VM to be protected. To successfully activate the VM:
  1. Ensure that the value 169.254.1.1 is bound to Dvfilter-dsa.
    1. On the vCenter, click the ESXi host.
    2. Go to Configuration tab > Advanced Settings > Net.
    3. Make sure that the value of Net.DVFilterBindIPAddress is “169.254.1.1”.
  2. Make sure that the dvfilter is listening to port 2222.
    1. On the vCenter, click the ESXi host.
    2. Go to Configuration tab > Security Profile.
    3. Under Firewall, click Properties.
    4. Ensure that the dvfilter is selected and listening to port 2222.
  3. Restart the filter driver.
    1. Put the ESXi host in maintenance mode. This requires turning off the VMs or migrating them to another ESXi host.
    2. Connect to the ESXi host via SSH using Putty.
    3. Run the command “esxcfg-module -u dvfilter-dsa” to unload the filter driver.
    4. Run the command “esxcfg-module dvfilter-dsa” to reload the filter driver.
    5. Exit the ESXi from maintenance mode.
  4. Power on the DSVA.
  5. On the Deep Security Manager (DSM) console, make sure that the DSVA status is “Managed-Online” and the vShield Endpoint status is “Registered”.
  6. Activate the VM.
Activation will be successful and the message “Dvfilter-dsa: update_sp_binding: DSVA not bound” will no longer appear in the ESXi log.
Deactivating and re-activating the DSVAs fixed this issue.
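The checks in steps 1 to 3 above can be scripted so they are repeatable across hosts. The script below is an added example, not part of the original post and not Trend Micro or VMware tooling. It assumes an ESXi 5.x host where esxcli and esxcfg-module are available, and it assumes the usual esxcli output layout (the “String Value:” field of an advanced setting, and the two-column ruleset table); the parsing functions take captured text as arguments, so they can be exercised off-box against saved output. The sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post, not Trend Micro/VMware code):
# read-only checks for the "DSVA not bound" symptom, plus an optional
# filter-driver reload that is only performed in maintenance mode.
# Assumed: esxcli/esxcfg-module on an ESXi 5.x host; esxcli output formats
# as matched by the patterns below.

EXPECTED_BIND_IP="169.254.1.1"   # value the post requires for Net.DVFilterBindIPAddress
EXPECTED_PORT="2222"             # port the dvfilter firewall ruleset must listen on
MODULE="dvfilter-dsa"            # filter driver module named in the post

# Check 1 (post step 1): does the advanced-setting output carry the bind address?
# Input: text of `esxcli system settings advanced list -o /Net/DVFilterBindIPAddress`
# (assumed to contain a line such as "   String Value: 169.254.1.1").
bind_ip_ok() {
    printf '%s\n' "$1" | grep -q "String Value: *${EXPECTED_BIND_IP}\$"
}

# Check 2 (post step 2): is the dvfilter ruleset enabled and does it carry TCP/2222?
# Inputs: text of `esxcli network firewall ruleset list --ruleset-id=dvfilter`
#         text of `esxcli network firewall ruleset rule list --ruleset-id=dvfilter`
dvfilter_port_ok() {
    printf '%s\n' "$1" | grep -qi "^dvfilter *true" || return 1
    printf '%s\n' "$2" | grep -q "TCP.*Dst *${EXPECTED_PORT} *${EXPECTED_PORT}"
}

# Check 3: count binding failures in a vmkernel.log excerpt (prints the count,
# always exits 0 so callers can compare the number).
dsva_not_bound_count() {
    printf '%s\n' "$1" | grep -c "update_sp_binding: DSVA not bound" || true
}

# Live run, only where esxcli exists. Pass --reload to perform post steps 3.3
# and 3.4; the reload is refused unless the host is already in maintenance
# mode, because the VMs must be powered off or migrated first.
if command -v esxcli >/dev/null 2>&1; then
    status=0
    if bind_ip_ok "$(esxcli system settings advanced list -o /Net/DVFilterBindIPAddress)"; then
        echo "OK   Net.DVFilterBindIPAddress = ${EXPECTED_BIND_IP}"
    else
        echo "FAIL Net.DVFilterBindIPAddress is not ${EXPECTED_BIND_IP} (Advanced Settings > Net)"
        status=1
    fi
    if dvfilter_port_ok "$(esxcli network firewall ruleset list --ruleset-id=dvfilter)" \
                        "$(esxcli network firewall ruleset rule list --ruleset-id=dvfilter)"; then
        echo "OK   dvfilter ruleset enabled on TCP/${EXPECTED_PORT}"
    else
        echo "FAIL dvfilter ruleset disabled or not on TCP/${EXPECTED_PORT} (Security Profile > Firewall)"
        status=1
    fi
    n=$(dsva_not_bound_count "$(tail -n 2000 /var/log/vmkernel.log)")
    echo "INFO ${n} 'DSVA not bound' line(s) in the last 2000 lines of vmkernel.log"
    if [ "$1" = "--reload" ]; then
        if esxcli system maintenanceMode get | grep -q "Enabled"; then
            esxcfg-module -u "$MODULE" && esxcfg-module "$MODULE" && echo "INFO ${MODULE} reloaded"
        else
            echo "SKIP host is not in maintenance mode; ${MODULE} not reloaded"
        fi
    fi
    exit "$status"
fi
```

Run it over SSH on the affected host as `sh check_dvfilter.sh` for the checks alone; the exit status is non-zero if either setting is wrong. Only after the host is in maintenance mode does `sh check_dvfilter.sh --reload` unload and reload the filter driver, which mirrors the ordering of step 3 in the post.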

Trend Deep Security Manager 9 – Install and Configure (again!)

While working on a recent project for a client utilising Cisco UCS and NetApp for a cloud offering I was tasked with getting Trend Deep Security 9 working for a multi-tenant cloud environment. The primary caveat is that the environment isn’t true end-to-end multi-tenancy, as the virtualisation layer is not fully segregated. vCloud Director or another similar tool has not been used, but rather the vCloud Suite from VMware, and segregation is at the network and storage layers through the use of VDCs on Nexus 7k (network) and SVMs (storage virtual machines) on NetApp Clustered Data OnTap (storage). In the production environment Trend Micro professional services were engaged to deliver the original design. Part of the criteria given to them was not to enable multi-tenant mode within the Shared Resources cluster, as the tenants would not be managing their own anti-virus protection or scanning. In order to satisfy the requirement of multiple VMware clusters protected by one anti-virus package, a DSM was deployed on each cluster and managed from a central console within the Management cluster. I will go into more of a discussion on the ideal architectural design for multi-tenant anti-virus in another posting.

And so to the beginning of the troubles. No anti-virus solution is really ever straightforward. There are a number of policies and exclusions to consider for both operating systems and specific applications, and usually there is a lack of clear information within the installation and admin guides. Trend Micro Deep Security Manager is no different. This however is not a huge criticism of Trend; they have to make their documentation as generic as possible for multiple use cases. It does make installation just that bit more frustrating though. You can find the full Deep Security 9.0 Installation Guide here.

Trend Micro Deep Security consists of a number of components that work together to provide protection against viruses and malware in real time. It can also provide Intrusion Prevention, Web Reputation, Firewalling, File Integrity Monitoring and Log Inspection. It is available in both agent-based and agentless options. The components of Trend Deep Security are:

  • Deep Security Management Console (DSM) – this server (recommended to be virtualised) is the central web-based management console for controlling and managing all Deep Security enforcement components (DSAs and DSVAs). The server is recommended to be Windows Server 2008/2012 R2 64-bit. It is important that it is installed on a different ESXi host from the one hosting the VMs that are protected by the DSM. The DSM should be allocated 8 GB of RAM and 4 vCPUs. This configuration will be capable of serving up to 10,000 agents. The MS SQL database size is relatively small at around 20 GB for 10,000 agents.
  • Deep Security Relay (DSR) – this server is responsible for contacting Trend Micro’s Security Centre for collection of platform and security updates and relaying this consolidated information back to the DSM and to Agents and Virtual Appliances. The DSR will also be virtualised at Interactive with 8 GB of RAM and 4 vCPUs. This configuration will be capable of serving up to 10,000 agents. The Relay has an embedded Agent to provide local protection on the host machine. In the case of multiple relays each will act independently and synchronise its local database with the Trend Security Centre.
  • Deep Security Virtual Appliance (DSVA) – this is a virtual machine appliance that is installed on every ESXi host. The DSVA enables agentless Deep Security control and management within the hypervisor, providing Anti-Malware, Intrusion Prevention, Integrity Monitoring, Firewall, Web Application Protection and Application Control protection to each VM. The agentless control is currently only available for vSphere 5.1 or earlier. Support for VMware 5.5 will be available in 2014 Q2. The DSVA communicates directly with the DSM, and it is recommended to enable affinity rules within VMware to lock each DSVA to its required ESXi host.
  • Deep Security Agent (DSA) – for non-Windows servers (such as Linux), the agent is deployed directly into the VM’s operating system, providing Intrusion Prevention, Firewall, Web Application Protection, Application Control, Integrity Monitoring and Log Inspection protection. This is the traditional client-server deployment model, and the agent can be included within the imaging process or pushed out from the DSM. A DSA will also be necessary on all VMs within a vSphere 5.5 hypervisor until Q2 2014 (after which a DSVA can be used with vSphere 5.5).
  • Smart Protection Server – Web Reputation works by clients contacting Trend Micro’s Smart Protection Service on the Internet. Rather than all clients accessing this service, it is possible to deploy Trend Micro’s Smart Protection Server as a VM. The Smart Protection Server periodically updates its URL list, allowing it to respond locally to client requests for web reputation ratings. This component is normally part of the Trend Micro OfficeScan products and using it may incur an additional licensing fee. Given that the DSVA also caches similar data, this product is not recommended. Hence, the DSVA and DSA will regularly be checking web reputation over the Internet.
  • Deep Security Notifier – a Windows system tray application that communicates the state of the Deep Security Agent and Deep Security Relay on local computers. A DSA and DSR already contain the Notifier, but Windows guests protected by the DSVA will need to install the Notifier as a standalone application.
