Agenda:
- 3PM: Check-in, Welcome, Facilities
- 3:05: VMUG Video
- 3:15: Fusion-io preso
- 3:50: Break
- 3:55: VMware vShield Security preso – Karl Fultz, VMware SE
- 4:40: Open Discussion
- 4:55: Drawings
- 5:00: Break
- 5:15: Social networking at Buffalo Wild Wings
My Notes:
- VMUG Video
  - VMware: Paul Strong, CTO, Global Customer and Field Initiatives, VMware
  - vCloud Community, 8 certified providers
- Fusion-io: Gus Siefker (sales) and Victor Backman (tech)
  - 4 years in business, 80,000 cards
  - Move a lot of data, fast
  - Hardware and software combo that does a minimum of 100k IOPS
  - Good for DBs, VDI density
  - VDI design: abstracting the layers (HW, OS, App, User Data) helps prep for putting Fusion-io in the mix.
  - Boot images and high-IOPS data go to Fusion-io; user data and low-IOPS data go to SAN storage, lower tiers.
  - Basically a block-level device. Presents to the host as local storage.
  - Storage is persistent and can (if needed) be moved to different servers. Gave example of one client that ships the cards off site rather than doing a file transfer over Internet/WAN.
  - Nutanix Complete Block: 4 Fusion-io ioDrives = 1.3 TB of storage.
  - Card draws about 25 W of power, but replaces lots of HD spindles.
  - Uses NAND flash memory like an SSD, but removes the controller from the mix.
  - 15 microsecond latency.
  - ioTurbine: recently acquired by Fusion-io. Allows vMotion of local storage on a Fusion-io card, which normally couldn’t be vMotioned.
    - There is an ioTurbine guest driver installed on the VMs. Acts as a read cache. Writes still go to SAN.
    - Keeps up to 80% of IO local to the ESXi host, and reduces read load on back-end storage.
    - Lab test with a Fusion-io card and NetApp back-end storage, using IOmeter as the load with 8 VMs. Fusion-io solution averaged around 12,000 IOPS once the cache “warmed up”. NetApp read ops dropped to just about nothing, so its write ops performance increased.
    - When a VM is rebooted, its cache is flushed and it needs time to re-warm.
    - Guests supported are Windows only for now. Need a driver in the guest. Linux support is “coming soon.”
    - There is also a host driver.
- Refreshment Break
- vShield Security Overview: Karl Fultz, VMware SE
  - Enterprise security today is not virtualized, not cloud ready.
  - Most people are still using physical security devices.
  - Moving workloads is challenging when the security doesn’t move with them.
  - vShield moves the firewall/security into virtual appliances on the host.
  - Perimeter, internal, and endpoint security.
  - vShield Zones/vShield App are basically the same. vShield Zones is included with 4.1 Enterprise Plus. Segmentation and data scanning. vShield App is a new stand-alone product.
    - Provides a 5-tuple ruleset firewall.
    - Hypervisor-level firewall. Inbound/outbound connection control at the vNIC level.
    - Groups that can stretch as VMs migrate to other hosts.
    - Flow monitoring, policy management, logging and auditing.
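To show what a vNIC-level 5-tuple firewall with host-independent groups looks like in practice, I added the following Python model. It is not vShield code and does not use any VMware API; the VM names, addresses, group names, rule format and first-match semantics are my own constructions. The point it demonstrates is that group membership is keyed to the VM, so the verdict for a flow does not change when the VM is vMotioned to another host.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One connection as seen at a vNIC: the classic 5-tuple."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass
class Rule:
    """src/dst are a group name, a CIDR, or 'any'; proto and dst_port narrow the match."""
    name: str
    action: str                    # "allow" or "deny"
    src: str
    dst: str
    proto: str = "any"
    dst_port: Optional[int] = None


class Inventory:
    """VM name -> IP and host, plus group membership keyed by VM name (not by host)."""

    def __init__(self):
        self.vm_ip = {}
        self.vm_host = {}
        self.groups = {}           # group name -> set of VM names

    def add_vm(self, name, ip, host, groups=()):
        self.vm_ip[name] = ip
        self.vm_host[name] = host
        for g in groups:
            self.groups.setdefault(g, set()).add(name)

    def migrate(self, name, new_host):
        """vMotion: only the host changes; IP and group membership stay with the VM."""
        self.vm_host[name] = new_host

    def selector_matches(self, selector, ip):
        if selector == "any":
            return True
        if selector in self.groups:
            return any(self.vm_ip[vm] == ip for vm in self.groups[selector])
        return ip_address(ip) in ip_network(selector, strict=False)


class VnicFirewall:
    """First-match rule evaluation with a default verdict and a flow log for auditing."""

    def __init__(self, inventory, rules, default="deny"):
        self.inv = inventory
        self.rules = rules
        self.default = default
        self.log = []              # (flow, rule name, verdict), one entry per decision

    def _matches(self, rule, flow):
        if rule.proto != "any" and rule.proto != flow.proto:
            return False
        if rule.dst_port is not None and rule.dst_port != flow.dst_port:
            return False
        return (self.inv.selector_matches(rule.src, flow.src_ip)
                and self.inv.selector_matches(rule.dst, flow.dst_ip))

    def evaluate(self, flow):
        for rule in self.rules:
            if self._matches(rule, flow):
                self.log.append((flow, rule.name, rule.action))
                return rule.action
        self.log.append((flow, "default", self.default))
        return self.default


def build_demo():
    """Constructed inventory and ruleset (hypothetical names and addresses)."""
    inv = Inventory()
    inv.add_vm("web01", "10.0.1.10", "host-a", groups=("web",))
    inv.add_vm("db01", "10.0.2.20", "host-b", groups=("db",))
    rules = [
        Rule("web-to-db", "allow", src="web", dst="db", proto="tcp", dst_port=3306),
        Rule("block-db", "deny", src="any", dst="db"),
        Rule("public-https", "allow", src="any", dst="web", proto="tcp", dst_port=443),
    ]
    return VnicFirewall(inv, rules), inv


if __name__ == "__main__":
    fw, inv = build_demo()
    print(fw.evaluate(Flow("10.0.1.10", "10.0.2.20", "tcp", 50000, 3306)))   # allow
    inv.migrate("web01", "host-c")
    print(fw.evaluate(Flow("10.0.1.10", "10.0.2.20", "tcp", 50000, 3306)))   # still allow
    for flow, rule, verdict in fw.log:
        print(flow.src_ip, "->", flow.dst_ip, flow.dst_port, rule, verdict)
```

Rule order matters: the specific `web-to-db` allow sits above the broad `block-db` deny, and anything no rule names falls through to the default deny. The `log` list stands in for the flow monitoring and auditing trail mentioned in the talk.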
  - vShield Edge is perimeter security.
    - Provides NAT, DHCP, VPN, some load balancing.
    - VLAN/port group isolation. Port group isolation requires vDS.
    - Detailed network flow stats.
    - Policy management and logging/auditing.
  - vShield Endpoint is AV offload.
    - Offloads scanning to the security VM. No AV agents in the guest VMs.
    - Central management.
    - Enforces remediation within the VM with the driver.
    - Trend Micro (now), McAfee (in beta now), Sophos (coming soon), Symantec (coming soon) provide endpoint appliances.
    - Windows only for guests.
  - vShield Manager is the management plugin in vCenter.
  - vShield App with Data Security has pre-defined templates to scan the environment for data loss (DLP, agentless if you don’t count VM Tools as an “agent”). Can configure trust zones.
  - Security policies follow VMs. Allows for mixed trust zones.
  - vShield Zones is not supported in vShield Manager 5.0; must use an older version of vShield Manager to support Zones. Will need multiple managers if mixing in 5.0 vShield App/Endpoint/Edge products.
- Q/A Time
  - I asked for clarification about vShield Zones/App:
    - Enterprise Plus 5.0 still includes Zones. App is a separate add-on product, but they are almost identical. App adds a little more granularity.
    - Zones rules are stored in the vCenter DB, so a backup of vCenter includes a backup of the rules.
    - Upgrade path from Zones to App? First time anyone has asked him. Since the rules are in the vCenter DB it SHOULD just work.
- Drawing for prizes