I just spent a couple of hours happily deploying VMware vShield Zones, less happily poring over the manuals, and then unhappily thinking I’d wasted my time.
I think our ESX platform is fairly typical. We have multiple ESX servers, running guest VMs for multiple customers (or departments), many of which are tagged to isolated VLANs, and most of which ultimately communicate with the outside world via our firewall clusters. To achieve security in this scenario means understanding your VLANs, dropping the right vNIC on the right VM, and managing a typical firewall appliance (Cisco in my environment).
VMware vShield Zones has been introduced (actually bought from Blue Lane Technologies) supposedly to simplify network security by implementing a firewall within your ESX farm. Sounds cool, right? It would be too, if it were done right.
I won’t go into the detail of how it works and how to configure it, as you can read up on that by following the links on Rodos’ blog.
There are loads of gotchas, and strange concepts at first, but they’re all well documented in the manual. The install process was flawless too, so what’s not to like?
- It requires a vShield agent VM per vSwitch with a physical NIC attached. That means lots of additional VMs for us.
- It does not offer anywhere near enough reporting detail. No real time bandwidth monitors, just per hour statistics.
- It does not offer any bandwidth controls like rate limiting or QoS.
- But mostly IT DOES NOT SIMPLIFY ANYTHING.
On the contrary, as I doubt anybody will be throwing out their perimeter firewalls just yet, vShield adds a further layer to manage. Perhaps I’m missing something.
I found this fairly technical article addressing the exciting potential of Infrastructure 2.0 (anyone? no? first I’d heard about it too.)
It does look like a big change is on the way, and I for one can’t wait. If you are providing Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) solutions, this article gives much food for thought.
This was originally posted by Gregory Ness over at seekingalpha.com, but I found it on another blog, so to give credit, that’s the one I’m linking to 🙂
Here’s an excerpt:
“Dynamic infrastructure will unleash new potentials in the network, from connectivity intelligence (dynamic links and reporting between networks, endpoints and applications) to the rise of IT automation on a scale that few have anticipated. It will unleash new consolidation potentials for virtualized data centres and various forms of cloud computing. It will enable networks to ultimately keep up with increasing change velocities and complexity without a concomitant rise in network management expenses and manual labour risks.
Further down the road there will be even more capabilities emerging from Infrastructure 2.0 as virtualization and cloud payoffs put more pressure on brittle Infrastructure 1.0 networks. The evolution of cloud (James Urquhart calls it a maturity model in his recent CNET piece) will drive new demands on the network for automation.
Cisco is looking to address end-to-end IT automation and virtualization with a combination of partner technologies from the likes of VMware (VMW), and our own successes in the Catalyst and Nexus lines (e.g. the Nexus 1000v). Stay tuned on that front for some eye raising announcements.
– James Urquhart, Cisco, December 7, 2008
Without dynamic infrastructure enabled by automation, the payoff of virtualization and cloud initiatives will be muted in the same way that static security muted the virtualization payoff into a multitude of hypervisor VLANs. Think static pools of dynamic processing power that will eventually be consolidated into ever larger pools, enabling greater consolidation, greater efficiency and bigger payoffs free of the churn and risk of on-going manual intervention. This is the vision of Infrastructure 2.0.”