Virtualization, Cloud, Infrastructure and all that stuff in-between

cool.. http://www.hpcsystems.com/blog/?p=24

Hyper V apparently only supports 16 cores , but here’s some info on hyper V running on an 4 x 4 CPU core system.

Won’t be long before the price point for these really drops; imagine how many VM’s you can cram on one of these at the recommendation of 3vCPu:1pCPU-Core.

(8 sockets x 4 core) x 3 vCPU = 96 single CPU VM’s per server Nice.

Yeah, one for the real geeks to appreciate (myself included!) I’ve been guilty of some not so nice installs in the past where time allocated supercedes art by a significant margin… but these are ace!

Shame we can’t really stack cabs with 42 x 1U servers anymore without someone coming to shout at me about power allocations.. ah those were the halcyon days of providers selling rack space by the U.. no power limits 🙂

I’ve looked at this topic a number of times as we often have requirements to send sensitive files around – lots of customers send them to me via email/FTP or on CD within encrypted WinZip files as this is what they find easiest as it’s pretty ubiquitous rather than having to agree a compatible encryption app/protocol and have it “blessed” by a security dept/PC build team – Dave Whitelegg has posted a useful article here outlining the practical limits of this approach and suggested password lengths.

Obviously if you have information that is worth an attacker spending several weeks brute-forcing then I would suggest maybe you shouldn’t be sending it electronically or even holding it at all; as I’m sure there would be quicker ways for an attacker to find this information once its in it’s unencrypted form at either end, social engineering/bribery etc.

And of course – if you do have to persist in the encrypted WinZip approach maybe rename the files held within for a bit of security by obscurity – “Board of directors – salary review.xls” is probably a lot more tantalizing to an attacker than “Photocopier Toner Audit.xls” or “AACD12323.DAT” or place a .zip file within another .zip file as you can see the table of contents with in the .zip regardless of its encryption state.

Our very own marvelous HMRC could do with reading this article being as it seems to be data breach disclosure month!

keep up the good work Dave!

Interesting article here

What if you could breach the hypervisor? best practice would dictate firewalling off the management traffic to the service console to a management network but what if you could exploit the VM Tools or other enlightenments/paravirtualizations to compromise the hypervisor – if you could you own every VM it’s running.

Does this compare to VLAN jumping on a Cisco switch? As far as I understand it show me a practical exploit to do this and the mitigation steps are quite well documented.

This is (and will) always a big issue with Multi-tennant systems but it’s the same issue that we currently face in most service providers, shared SANs, LAN, WAN, even physical buildings/suites etc. – virtualization is just a marketing tag, the same principals have been applied in the physical world for ages and mitigated against – I don’t think this is any different.

A session with the US Marine Corps at VMWorld 2007 mentioned that the US DoD had audited the code of ESX for this issue and found it to be satisfactory – but I’ve not seen this documented anywhere, if it’s safe for the US .mil isn’t it safe enough for you?

Compare risk vs cost saving, patch, mitigate, move on but keep your eyes open.

This is a bit underhanded; preventing debugging tools from tracing your applications especially when the underlying OS is derived from Open Source technology where one would expect to have such access.

Although you can obviously patch it yourself as you can have the source and recompile the associated binaries; bit of a waste of time?