20120119 VMware Users Group (VMUG) Meeting

Agenda:

  • 3PM: Check-in, Welcome, Facilities
  • 3:05: VMUG Video
  • 3:15: Fusion-io preso
  • 3:50: Break
  • 3:55 VMware vShield Security preso – Karl Fultz, VMware SE
  • 4:40: Open Discussion
  • 4:55: Drawings
  • 5:00: Break
  • 5:15: Social networking at Buffalo Wild Wings

My Notes:

  • VMUG Video
    • VMware Paul Strong, CTO, Global Customer and Field Initiatives, VMware
    • vCloud Community, 8 Certified providers
  • Fusion IO: Gus Siefker (sales) and Victor Backman (tech)
    • 4 years in business, 80,000 cards
    • Move a lot of data, fast
    • Hardware and software combo that does a minimum of 100k IOPS
    • Good for DBs, VDI density
    • VDI Design: abstracting the layers (HW, OS, App, User Data) helps prep for putting Fusion-IO in the mix.
    • Boot images and high-IOPS data go to FIO, User Data and low IOPS go to SAN storage, lower tiers.
    • Basically a block level device. Presents to host as local storage.
    • Storage is persistent, can be (if needed) moved to different servers. Gave example of one client that ships them off site rather than file transfer over Internet/WAN.
    • Nutanix Complete Block: 4 Fusion-io ioDrives = 1.3 TB fo storage.
    • Card draws about 25 W of power, but replaces lots of HD spindles.
    • Uses NAND Flash memory like an SSD, but removes the controller from the mix.
    • 15 micro second latency.
    • ioTurbine: recently acquired by Fusion-io. Allows vMotion of local storage on a Fusion-io card which normally couldn’t be vMotioned.
    • There is an ioTurbine guest driver installed on the VMs. Acts as a read cache. Writes still go to SAN.
    • Keeping up to 80% of IO local to ESXi host, and reduces read load on back end storage.
    • Lab test with F-io card and NetApp back end storage using IOmeter as the load with 8 VMs. F-io solution averaged around 12,000 IOPS once the cache “warmed” up. NetApp read ops just about nothing, so its write ops performance increased.
    • When a VM is rebooted, its cache is flushed and it needs time to re-warm.
    • Guests supported are Windows only for now. Need a driver in the guest. Linux support is “coming soon.”
    • There is also a host driver.
  • Refreshment Break
  • vShield Security Overview: Karl Fultz, VMware SE
    • Enterprise Security today is not virtualized, not cloud ready.
    • Most people are still using physical security devices.
    • Moving workloads is challenging when the security doesn’t move with it.
    • vShield moves the firewall/security into virtual appliances on the host.
    • Perimiter, Internal, and End Point security.
    • vShield Zones/vShield App are basically the same. vShield Zones included with 4.1 Enterprise Plus. Segmentation and data scanning. vShield App new stand-alone product.
      • Provides 5-tuple ruleset firewall
      • Hypervisor-level fw. Inbound, outbound connection control at vNIC level
      • Groups that can stretch as VMs migrate to other hosts.
      • Flow monitoring, policy management, logging and auditing.
    • vShield Edge is perimiter security.
      • Provides NAT, DHCP, VPN, some load balancing.
      • VLAN /Port Group isolation. PG isolation requires vDS.
      • Detailed network flow stats.
      • Policy management and logging/auditing.
    • vShield Endpoint is AV offload.
      • Offloading scanning to the Security VM. No AV agents in the guest VMs.
      • Central management.
      • Enforce remediation within the VM with the driver.
      • Trend Micro (now), McAffee (in beta now), Sophos (coming soon), Symantec (coming soon) provide endpoint appliances.
      • Windows only for guests.
    • vShiled Manager is the management plugin in vCenter.
    • vShield App with Data Security had pre-defined templates to scan environment for data loss. (DLP, agentless if you don’t count VM Tools as an “agent”). Can configure trust zones.
    • Security policies follow VMs. Allows for mixed trust zones.
    • vShield Zones is not supported in vShield Manager 5.0, must use older verson of vShield Manager to support Zones. Will need multiple managers if mixing in 5.0 vShield App/Endpoint/Edge products.
  • Q/A Time
    • I asked for clarification about vShield Zones/App:
      • Enterprise Plus 5.0 still includes Zones. App is a separate add-on product, but they are almost identical. App adds a little more granularity.
      • Zones rules are stored in vCenter db, so backup of vCenter includes backup of the rules.
      • Upgrade path from Zones to App? First time anyone has asked him. Since the rules are in vCenter db it SHOULD just work.
  • Drawing for prizes