Feb 05

I’m telling you what happened to me today with a StoneGate Management Center I’m using in a test lab.

The SMC is installed on a CentOS virtual machine in a VMware ESXi virtualized environment, on a host with several GB of RAM.

The SMC was starting to show some limits in terms of memory, since when I installed it I gave the VM 1 GB and then started working, and Working, and WORKING on it ;)

Easy solution: power off the Linux box, raise the memory assigned to it to 2 GB, and boot it again. The problem is that you then need to reconfigure the underlying Java environment to allow the StoneGate services to use the extra memory.

Luckily Stonesoft R&D thought of this case too: it was enough to run
<StoneGate_install_dir>/bin/install/AutoAssignHeap.sh > /dev/null
to have the system automatically reconfigure the services according to how much memory is available.

It runs silently, but you can check the result, for instance by looking at the parameter
MANAGEMENT_MAX_MEMORY_IN_MB
in <StoneGate_install_dir>/data/SGConfiguration.txt

Cool, isn’t it?

written by RoarinPenguin - 1,247 views

Jan 20

StoneGate and Xen

Firewall Engine, Virtualization -

Hello World!

Just want to share with you a test I’ve done with StoneGate on Citrix Xen 5.0.

Not that the platform is listed as compatible or supported by Stonesoft, of course, but I wanted to check to what extent it works out of the box… and the answer is… nicely!

I’ve installed the bare-metal Citrix Xen Hypervisor 5.0 on a 64-bit Intel laptop with the virtualization extensions enabled in the BIOS (otherwise it does not install).

Then I’ve installed the Management software on my Windows Vista box, accessed the server and tried to install the StoneGate FW/VPN Engine software 4.3.1 from the installation ISO.

Installation went on nicely, the engine contacted the SMC and I’ve installed a simple Any-Any-Any-Allow policy, as shown below:

Validation started…
No issues have been detected.

Contacting nodes of Xen-StoneGate
Connection ok on firewall Xen-StoneGate
Preparing configuration for Xen-StoneGate
Policy snapshot started
Policy snapshot created.
Uploading configuration on Xen-StoneGate
New configuration generated for firewall Xen-StoneGate
New configuration uploaded to firewall Xen-StoneGate
Applying configuration on Xen-StoneGate
New configuration activated on firewall Xen-StoneGate
Checking connectivity on Xen-StoneGate
Contact with firewall Xen-StoneGate confirmed
Policy installation successful for Xen-StoneGate

Tried to ping it, access it over SSH, ping from it… all worked out beautifully!

The NICs have been recognized as 8139cp.

I’m sharing this experience to get some comments from you out there:

  • to my knowledge, paravirtualization requires a modified kernel in the guest machine: why did it work out of the box like a charm?
  • did you test any other security engine on Citrix Xen (or on any virtualization platform other than VMware)?
  • what is your opinion of Xen compared with VMware ESX? Pluses, minuses?
  • should Stonesoft support it? Why?

written by RoarinPenguin - 1,541 views

Dec 30

Virtualization and Security

Surveys and polls -

In my experience, the virtualization projects I’ve seen so far mainly consolidate multiple servers that previously ran on separate machines onto a cluster of servers forming a hypervisor, mainly for cost/maintenance/power savings.
Those pioneers who went really “into” virtualization are virtualizing network segments as well, taking advantage of rock-solid technologies like VMware VMotion and Distributed Resource Scheduler to implement the so-called Virtual Datacenter in full.
In these interesting technological projects, one should not forget the important role of network security, and many are positive about the Stonesoft approach, since it allows “transposing” a traditional network security model into the virtualized world.
What is your opinion?
Have you already faced virtualization projects in your company?
Which technologies did you consider to secure your virtual information flows?
Any hint/recommendation to share with the community?

Please use the comments to share your thoughts…

written by RoarinPenguin - 1,305 views

Dec 03

IPS in ESX with vSwitches – Config Hint

Hints and Tips, IPS, Virtualization -

To set up the portgroups properly in a VMware vSwitching environment, we had to create two portgroups per vSwitch, as depicted below:

[Figure: schema for connecting two vSwitches with the StoneGate IPS in ESX]

The reason for this configuration is that the “operative portgroups”, where servers and machines are connected, should not be in promiscuous mode, so that a machine cannot sniff other machines’ traffic, while the portgroups dedicated to the IPS inline ports must:

  • be configured in promiscuous mode to receive all the traffic of the vSwitch they are connected to
  • be part of VLAN ID 4095 to “pass” all VLAN IDs to the virtual machine without any intervention

Below you can find sample screenshots showing where to configure these settings:

[Screenshots: portgroup properties for the IPS portgroup, VLAN ID and promiscuous mode settings]

These settings are configured in the portgroups’ properties in ESX, and they are NOT needed if you implement a similar configuration in VMware Workstation or VMware Free Server.
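As an added check (example code, not from the post or from Stonesoft), the audit below encodes the rules above over a constructed portgroup inventory: it flags operative portgroups left promiscuous, IPS portgroups that are not promiscuous or not on VLAN 4095, and, following the two-portgroups-per-vSwitch layout, vSwitches with no IPS portgroup at all. The PortGroup fields and the sample inventory are assumptions; fill them from the host’s real portgroup list.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPS_TRUNK_VLAN = 4095  # on a standard vSwitch portgroup this means "pass every VLAN"


@dataclass(frozen=True)
class PortGroup:
    vswitch: str
    name: str
    vlan_id: int
    promiscuous: bool
    ips_facing: bool  # True only for the portgroups wired to the IPS inline NICs (assumed field)


def audit(portgroups: List[PortGroup]) -> List[Tuple[str, str]]:
    """Return (portgroup or vSwitch, finding) pairs; an empty list means the layout matches the post."""
    findings: List[Tuple[str, str]] = []
    ips_per_vswitch: Dict[str, int] = {}
    for pg in portgroups:
        ips_per_vswitch.setdefault(pg.vswitch, 0)
        if pg.ips_facing:
            ips_per_vswitch[pg.vswitch] += 1
            if not pg.promiscuous:
                findings.append((pg.name, "IPS portgroup is not promiscuous: the sensor only sees its own traffic"))
            if pg.vlan_id != IPS_TRUNK_VLAN:
                findings.append((pg.name, f"IPS portgroup uses VLAN {pg.vlan_id}, expected {IPS_TRUNK_VLAN} (all VLANs)"))
        elif pg.promiscuous:
            # The sniffing risk the post warns about: a guest on this portgroup can read its neighbours' traffic.
            findings.append((pg.name, "operative portgroup is promiscuous: guests can sniff each other's traffic"))
    for vswitch, count in ips_per_vswitch.items():
        if count == 0:
            findings.append((vswitch, "vSwitch has no IPS portgroup, so it has no inline inspection path"))
    return findings


# Constructed sample inventory (not from the post): one correct vSwitch,
# one with two mistakes, and one with no IPS leg at all.
SAMPLE_INVENTORY = [
    PortGroup("vSwitch1", "Servers-Inside", 10, False, False),
    PortGroup("vSwitch1", "IPS-Inside", 4095, True, True),
    PortGroup("vSwitch2", "Servers-Outside", 0, True, False),
    PortGroup("vSwitch2", "IPS-Outside", 0, True, True),
    PortGroup("vSwitch3", "Management", 0, False, False),
]

if __name__ == "__main__":
    for target, finding in audit(SAMPLE_INVENTORY):
        print(f"{target}: {finding}")
```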

written by RoarinPenguin - 1,691 views