Feb 12
Typically, virtualization starts from the most internal network segments and is later expanded closer to the perimeter that faces partners and/or the public Internet. When only the internal servers are virtualized, it is often assumed that there is no need to deploy any additional security solutions specifically for that environment. Isn’t there already a firewall at the perimeter blocking unauthorized connection attempts coming from the public networks? In addition to the Internet firewall, the organization may even have another set of firewalls separating each organizational unit, and multiple IPS appliances deployed all over the network as an additional layer of protection. Furthermore, the same servers were not segmented from each other in the physical network, nor were there any dedicated IPS systems between the hosts, so why would we bother to do it in the virtual environment?
written by pentti - 3,784 views
\\ tags: layered security, security threat, Virtualization
Feb 12
I like to move it, move it
She likes to move it, move it
He likes to move it, move it
You like to (“move it”)
This is the smash hit of Madagascar, where funny lemurs were singing and dancing… well, given the potential and features of VMware technology this could easily become the catchphrase of Virtual Datacenter managers very soon.
This page contains links to a 5-minute movie showing how smoothly Virtual Appliance Clustering works in a VMware ESX Virtual Infrastructure, offering maximum compatibility with VMotion.
The tested setup is the one reported below:

And for those who want the full 15 MB Flash version, right-click here and choose “Save as…”
Or if you want to see it bigger (opens in a new browser window), click here.
written by RoarinPenguin - 2,149 views
\\ tags: clustering, firewall, Virtualization, vmotion
Feb 11
“Virtualization is both an opportunity and a threat,” says Patrick Lin, senior director of product management for VMware [http://www.darkreading.com/document.asp?doc_id=117908]. Thanks to great and very visible marketing efforts, the opportunities are quite well understood, and more and more organizations are enjoying the benefits that virtualization provides. However, only a minority of those organizations know and understand all the security threats that come with it. And even where some of the threats have been understood, they may have been accepted as such during the risk analysis phase for lack of a known way to solve them, or they have been addressed with an unnecessarily complex security solution that itself introduces new security threats.
written by pentti - 2,567 views
\\ tags: security threat, Virtualization
Feb 05
Here is what happened to me today with a StoneGate Management Center I’m using in a test lab.
The SMC is installed on a CentOS virtual machine in a VMware ESXi virtualized environment, on a machine with several GB of RAM.
The SMC was starting to show some limits in terms of memory, since when I installed it I gave the VM 1 GB and then started working, and working, and WORKING on it.
Easy solution: power off the Linux box, raise the memory assigned to it to 2 GB, and boot it again. The problem is that you then need to reconfigure the underlying Java environment to allow the StoneGate services to use more memory.
Luckily Stonesoft R&D thought of this case too: it was enough to run <StoneGate_install_dir>/bin/install/AutoAssignHeap.sh > /dev/null to have the system automatically reconfigure the services according to how much memory I actually have available.
It runs silently, but you can check the result, for instance by looking at the parameter MANAGEMENT_MAX_MEMORY_IN_MB in <StoneGate_install_dir>/data/SGConfiguration.txt.
Cool, isn’t it?
written by RoarinPenguin - 1,247 views
\\ tags: memory management, SMC, tips, Virtualization
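As an added example (not code from the post, and not Stonesoft’s own tooling), here is a POSIX shell check to run after resizing the VM: it reads MANAGEMENT_MAX_MEMORY_IN_MB from SGConfiguration.txt and compares it with the RAM the guest actually sees in /proc/meminfo, so a heap that was sized for a different amount of memory shows up immediately. It assumes SGConfiguration.txt is a plain KEY=VALUE file (the sample file below is constructed, not copied from a real installation), and the 256 MB headroom figure is a placeholder for the OS and the other SMC services sharing the box.

```shell
#!/bin/sh
# Added example, not code from the post or from Stonesoft. After resizing the
# VM, compare the heap limit in SGConfiguration.txt with the RAM the guest sees.
# ASSUMPTION: SGConfiguration.txt is a KEY=VALUE file; the sample below is
# constructed, not copied from a real installation.

# Print the integer value of <key> from a KEY=VALUE file (empty if absent).
sg_setting() {  # sg_setting <config-file> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# Print the guest's total RAM in MB from a /proc/meminfo-style file.
guest_ram_mb() {  # guest_ram_mb [meminfo-file]   (default: the live one)
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1024 }' "${1:-/proc/meminfo}"
}

# Print the management server heap as a percentage of guest RAM.
# A low figure right after a resize means AutoAssignHeap.sh has not been re-run.
heap_pct() {  # heap_pct <config-file> [meminfo-file]
    heap=$(sg_setting "$1" MANAGEMENT_MAX_MEMORY_IN_MB)
    ram=$(guest_ram_mb "$2")
    [ -n "$heap" ] && [ "$ram" -gt 0 ] || { echo 0; return 1; }
    echo $((heap * 100 / ram))
}

# Return 0 if heap + headroom fits in RAM, 1 if the Java heap alone could push
# the guest into swap. Headroom (MB, placeholder value) is for the OS and the
# other SMC services that share the box.
heap_fits() {  # heap_fits <config-file> [meminfo-file] [headroom-mb]
    heap=$(sg_setting "$1" MANAGEMENT_MAX_MEMORY_IN_MB)
    ram=$(guest_ram_mb "$2")
    headroom=${3:-256}
    if [ -z "$heap" ]; then
        echo "MANAGEMENT_MAX_MEMORY_IN_MB missing from $1" >&2
        return 1
    fi
    if [ "$((heap + headroom))" -le "$ram" ]; then
        echo "OK: heap ${heap} MB is $(heap_pct "$1" "$2")% of ${ram} MB RAM"
        return 0
    fi
    echo "WARNING: heap ${heap} MB + ${headroom} MB headroom exceeds ${ram} MB RAM; re-run AutoAssignHeap.sh" >&2
    return 1
}

# --- constructed sample data standing in for the real files ---
TMP=$(mktemp -d)
cat > "$TMP/SGConfiguration.txt" <<'EOF'
# constructed excerpt; real file format assumed to be KEY=VALUE
MANAGEMENT_MAX_MEMORY_IN_MB=1024
EOF
printf 'MemTotal:        1048576 kB\n' > "$TMP/meminfo_1g"   # a 1 GB guest cannot hold this heap
printf 'MemTotal:        2097152 kB\n' > "$TMP/meminfo_2g"   # the resized 2 GB guest can

heap_fits "$TMP/SGConfiguration.txt" "$TMP/meminfo_1g" || true   # WARNING, exit 1
heap_fits "$TMP/SGConfiguration.txt" "$TMP/meminfo_2g"           # OK: 50% of 2048 MB
rm -rf "$TMP"
```

On the real box, call `heap_fits <StoneGate_install_dir>/data/SGConfiguration.txt` with no second argument and the live /proc/meminfo is used.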
Jan 20
Hello World!
Just want to share with you a test I’ve done with StoneGate on Citrix Xen 5.0.
Not that the platform is listed as compatible or supported by Stonesoft, of course, but I wanted to check to what extent it works out of the box… and the answer is… nicely!
I’ve installed the bare-metal Citrix Xen Hypervisor 5.0 on a 64-bit Intel laptop with the virtualization extensions enabled in the BIOS (otherwise it does not install).
Then I’ve installed the Management software on my Windows Vista box, accessed the server and tried to install the StoneGate FW/VPN Engine software 4.3.1 from the installation ISO.
Installation went nicely, the engine contacted the SMC, and I’ve installed a simple Any-Any-Any-Allow policy, as shown below:
Validation started…
No issues have been detected.
Contacting nodes of Xen-StoneGate
Connection ok on firewall Xen-StoneGate
Preparing configuration for Xen-StoneGate
Policy snapshot started
Policy snapshot created.
Uploading configuration on Xen-StoneGate
New configuration generated for firewall Xen-StoneGate
New configuration uploaded to firewall Xen-StoneGate
Applying configuration on Xen-StoneGate
New configuration activated on firewall Xen-StoneGate
Checking connectivity on Xen-StoneGate
Contact with firewall Xen-StoneGate confirmed
Policy installation successful for Xen-StoneGate
I tried to ping it, to access it over SSH, to ping from it… everything worked out beautifully!
The NICs have been recognized as 8139cp.
I’m sharing this experience to get some comments from you out there:
- to my knowledge, paravirtualization requires a modified kernel in the guest machine: why did it work out of the box like a charm?
- did you test any other security engine on Citrix Xen (or on any virtualization platform other than VMware)?
- what is your opinion of Xen compared with VMware ESX? Plusses, minuses?
- should Stonesoft support it? Why?
written by RoarinPenguin - 1,541 views
\\ tags: stonegate firewall, Virtualization, Xen
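As an added example (not part of the post, and not Stonesoft’s code), here is a POSIX shell heuristic that bears on the first question from inside a Linux guest: it classifies the guest as Xen PV, Xen HVM or not-Xen from the hypervisor type the kernel exposes in /sys/hypervisor/type and from the PCI device list. The reasoning it encodes is that a paravirtualized guest has no emulated PCI bus at all, whereas a fully virtualized (HVM) guest, which is how XenServer runs a kernel that has not been modified for Xen and which needs the VT extensions the post had to enable in the BIOS, sees QEMU’s emulated hardware, including the Realtek RTL-8139 that the 8139cp driver binds to. The lspci listings below are constructed, not captured from the laptop in the post; the device-name patterns are a heuristic rather than a Xen interface, and because a kernel without any Xen support has no /sys/hypervisor entry, the PCI evidence alone decides in that case.

```shell
#!/bin/sh
# Added example, not code from the post or from Stonesoft: tell a Xen PV guest
# from a Xen HVM guest from inside the guest. Heuristic (an assumption, not a
# Xen interface): PV guests have no emulated PCI bus; HVM guests see QEMU's
# emulated devices such as the RTL-8139 NIC (8139cp driver) and the
# "Xen Platform Device".

# Classify from text so it can be exercised offline.
#   $1 = contents of /sys/hypervisor/type ("xen", or empty if absent)
#   $2 = output of lspci (empty if there is no PCI bus or no lspci)
# Prints xen-hvm, xen-pv or not-xen.
xen_guest_type() {
    hv=$(printf '%s' "$1" | tr -d '[:space:]')
    # The platform PCI device is unambiguous even when the kernel knows
    # nothing about Xen and /sys/hypervisor does not exist.
    if printf '%s\n' "$2" | grep -qi 'Xen Platform Device'; then
        echo xen-hvm
        return 0
    fi
    if [ "$hv" != "xen" ]; then
        echo not-xen
        return 0
    fi
    # Xen-aware kernel: emulated chipset/NIC means HVM, none at all means PV.
    if printf '%s\n' "$2" | grep -Eqi 'RTL-?8139|Cirrus Logic|PIIX|440FX'; then
        echo xen-hvm
    else
        echo xen-pv
    fi
}

# Probe the machine this runs on (safe anywhere; prints not-xen on bare metal).
xen_guest_type_live() {
    hv=""
    [ -r /sys/hypervisor/type ] && hv=$(cat /sys/hypervisor/type)
    pci=""
    command -v lspci >/dev/null 2>&1 && pci=$(lspci 2>/dev/null)
    xen_guest_type "$hv" "$pci"
}

# --- constructed sample listings (not captured from the laptop in the post) ---
HVM_LSPCI='00:00.0 Host bridge: Intel Corporation 440FX - 82441FX PMC [Natoma]
00:01.1 IDE interface: Intel Corporation 82371SB PIIX3 IDE [Natoma/Triton II]
00:02.0 VGA compatible controller: Cirrus Logic GD 5446
00:03.0 Class ff80: XenSource, Inc. Xen Platform Device
00:04.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+'
BARE_LSPCI='00:19.0 Ethernet controller: Intel Corporation 82567LM Gigabit Network Connection'

xen_guest_type xen "$HVM_LSPCI"    # xen-hvm  (the situation the post describes)
xen_guest_type xen ""              # xen-pv   (netfront/blkfront only, no PCI bus)
xen_guest_type "" "$BARE_LSPCI"    # not-xen
xen_guest_type_live
```

Run `xen_guest_type_live` on the engine itself: an HVM verdict alongside the 8139cp NIC means the unmodified kernel was never paravirtualized, which is why no kernel changes were needed.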
Dec 03
To set up the portgroups properly in a VMware vSwitching environment, we had to create two portgroups per vSwitch, as depicted below:

The reason for this configuration is that the “operative portgroups” to which servers and machines are connected must not be in promiscuous mode, so that no guest can sniff other machines’ traffic, while the portgroups dedicated to the IPS inline ports must:
- be configured in promiscuous mode, so that the IPS receives all traffic of the vSwitch they are connected to
- be assigned VLAN ID 4095, so that frames from every VLAN are passed to the virtual machine with their tags intact, without any intervention by the vSwitch
Below you can find a sample screenshot showing where to configure these settings:

These settings are made in the portgroup properties in ESX; they are NOT needed if you implement a similar configuration in VMware Workstation or the free VMware Server.
written by RoarinPenguin - 1,691 views
\\ tags: IPS, portgroups, promiscuous mode, Virtualization, vmware