That Time Where My Security Paranoia Might Pay Off in a Real-World Personal Scenario

In a recent post I wrote about how I had to wipe my Mac Mini at home due to a potential compromise in my Chrome browser. The ironic thing with that issue was that for months I had already been taking steps to minimize the chance of such an exploit. The problem likely began months earlier and didn’t present itself until recently; however, the damage was already done. It just justifies the extreme measures I am taking in regard to securing my web browsing.

At a high level my approach is isolating some, but not yet all, of my browser traffic to a Linux virtual machine. I know that theoretically a virtual machine is not 100% isolated. I’m willing to chance using the virtual machine over booting into TAILS using a USB key. That level of inconvenience is not something I typically want to be bothered with and I feel that my current solution will be good enough.

Within the virtual machine I installed the Firefox and Chrome browsers as well as the Tor Browser. I also configured OpenVPN to use my VPN provider. I then set up a visual cue, i.e. a distinct background for the virtual machine, to note that when I am using it I am in a semi-isolated system.

To protect the virtual machine from most exploits I take a snapshot about every month that includes the latest patch level for all the applications in the operating system. I do not ever use the virtual machine prior to that snapshot to do anything other than update software or make base OS and application configuration changes I want to be persistent. Once a snapshot is taken I will use the virtual machine, and then when I’m done I will revert back to that clean snapshot. I might not revert back to the clean snapshot after each use; however, I try to do it as often as possible. At minimum, when I go to update the virtual machine I will revert back to the last known good “clean” snapshot and upgrade that. Then I’ll take another snapshot.
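The revert-and-refresh cycle described above can be scripted. The following is an added example, not the author's own script; it assumes VMware Fusion's `vmrun` is on the PATH, uses a placeholder VMX path, and assumes clean snapshots are named `clean-YYYY-MM-DD`.

```shell
#!/usr/bin/env bash
# Added example: keep a browsing VM pinned to a patched "clean" snapshot.
# Assumptions: VMware Fusion's vmrun is on PATH, the VMX path below is a
# placeholder, and clean snapshots are named clean-YYYY-MM-DD.
VMX="${VMX:-$HOME/Virtual Machines/browse.vmwarevm/browse.vmx}"  # hypothetical
vm() { vmrun -T fusion "$@"; }

# Pick the newest clean-YYYY-MM-DD name from `vmrun listSnapshots` output.
latest_clean() {
  grep -E '^clean-[0-9]{4}-[0-9]{2}-[0-9]{2}$' | sort | tail -n 1
}

# YYYY-MM-DD -> YYYYMM, so months compare as plain integers.
ym() { printf '%s' "$1" | tr -d '-' | cut -c1-6; }

# True when the snapshot ($1) predates the month of today's date ($2).
is_stale() { [ "$(ym "${1#clean-}")" -lt "$(ym "$2")" ]; }

# After a browsing session: discard everything since the clean snapshot.
revert_clean() {
  snap=$(vm listSnapshots "$VMX" | latest_clean)
  [ -n "$snap" ] || { echo "no clean snapshot found" >&2; return 1; }
  vm revertToSnapshot "$VMX" "$snap" || return 1
  is_stale "$snap" "$(date +%F)" && echo "note: $snap is from an earlier month; refresh it" >&2
  return 0
}

# Monthly: patch on top of the last clean state only, then re-snapshot.
refresh() {
  revert_clean || return 1
  vm start "$VMX" || return 1
  printf 'Apply OS and application updates only, then press Enter: '
  read -r _
  vm stop "$VMX" soft || return 1
  vm snapshot "$VMX" "clean-$(date +%F)"
}

case "${1:-}" in
  revert)  revert_clean ;;
  refresh) refresh ;;
esac
```

Run it with `revert` after a browsing session and with `refresh` for the monthly update; because `refresh` always reverts first, nothing from normal use ends up in the new snapshot.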

Late last year I implemented this solution using an Ubuntu 14.04 virtual machine. In April I built new ones using Ubuntu 16.04. Because I own a copy of VMware Fusion for personal use and a work copy of Parallels I have both virtual machine flavors of the operating system image. Other than a few minor tweaks with the new image the 16.04 version is mainly an operating system upgrade. I now have a “secured virtual machine” on all the main computers that I use day-to-day.

The solution isn’t perfect; however, as a first pass at this I feel that it gives me the best trade-off between additional security and ease of use. The VPN gives me some anonymity. Tor and VPN give me more. The snapshot of the virtual machine decreases the chance that the system can be infected.

Longer term I want to build a dedicated machine for TAILS or Qubes. That solution would only work at home since I need a dedicated computer setup for it. For now I will settle for the VM solution I have implemented until I am comfortable using it and able to accept the extra effort involved in a dedicated machine configuration.
What’s interesting or disturbing to me is some corporate executives and even government representatives (NSA labels Linux Journal readers and Tor and Tails users as extremists

XP SP-3

I am installing Windows XP SP-3 for the first time tonight. I am putting it on a Virtual Machine running on Fusion on my new iMac. Up until now I haven’t had the chance to give SP-3 a try, and since I have some free time on my hands I am going to tinker. Hopefully it won’t blow anything up, but if it does, who cares! It is a VM after all. If it does work, I should update the Sysprep image I have of a clean install of XP. You never know when you might need it.

Looking Forward

I wanted to write a bit about some of the cool new projects I am working on at my new job. I am not going to go into great detail but it is something.

One of the biggest things I am doing is working on a plan to move an existing self-hosted data center to a Co-Location facility. We just need more space. Thankfully, instead of physically moving all of our gear we are looking at getting an all-new setup built out and retiring most of the old gear. The timing works out perfectly for us so we are giving it a try. We will be moving some stuff, but not a whole lot. Another thing we are trying to do is make this data center site the model (for us at least) for Virtualization. We are going to build out as much as possible, if not everything, with the exception of SQL Server, as Virtual Machines running on VMware’s Virtual Infrastructure 3. If all goes according to plan it will be a really cool setup. The TCO will also be a lot less than doing it physically, it will be quicker to build out and deploy, and it will consume a lot less power! The way I think about it is, if we get a request for new servers to be built we just see how much Virtual capacity we have and just provision a new machine. If we don’t have extra space, we just purchase an additional node and more SAN storage and add to our VI3 cluster. The goal is to stay far enough ahead in available capacity (minus the N+1 for redundancy) that we always can accommodate even the largest provisioning requests. I can’t wait to see how this turns out! It will be interesting.


A VMware Gotcha

A minor gotcha we ran into with our Virtual Center cluster last week and again possibly today. Virtual Center requires a SQL Server (Microsoft, I know) to collect telemetry, I think. Not really sure why, but it does. It is not critical to operations of any VM, but you do need it for VMotion, creating new VMs and other admin work. Well, when we built our ESX cluster we put our Virtual Center DB on the one SQL server we had on the LAN in that office that had any amount of stability. Well, we were wrong. It turns out that the machine we picked (a dev DB) runs out of space because our DBAs don’t pay attention to their backup schedules. I am making an assumption there but it has happened twice in a week and a half. Well, when the server runs out of space, there goes Virtual Center. Jayson has all the details of the issue, but it boiled down to this: we couldn’t use our Virtual Center manager until it was fixed. It is our own fault for putting it on a dev box but it was our only option at the time. We are now just building our own SQL server that the operations group will own, and all it will do is the Virtual Center DB.

This ESX rollout is a learning experience, but I still believe that we are far better off with our current infrastructure than with our past non-VMware setup.


Black Box Project

As I write this I am on my way home from several days in Costa Rica and El Salvador. Three of us have been visiting several sites in both countries for what would be considered a black box project in my company. If this post is ever read it will be after I leave my current job, so I feel I can write about it.

We are researching outsourcing some of our call center operations. I went along to assess the technical operations of each call center site we visited. I also wanted to get an idea of how each company integrates their systems with ours. From what I saw we can send them calls via our provider’s voice cloud and do percentage-based routing to their system. We would allow access to our applications via a Citrix or terminal solution. As of now I am thinking of a VDI solution that we have been toying around with for a while.

The trip was hectic, but very informative. We visited 3 sites from 2 companies in 2 countries in 3 days. I just hope that upper management listens to our recommendation to actually try and send some calls offshore. The venture would be profitable and still keep the same level of service. I was amazed that the majority of people in both countries that worked at the call centers spoke excellent English. I am in no way a fan of offshoring call centers to places like India because of constantly poor experiences I have had. Everyone we spoke to spoke very good English at each site. And it wasn’t like the discussions were staged. Just walking around and grabbing some food or hitting a bathroom and saying hi to someone, they responded with excellent English. That and the technical feasibility of this project make me want to try it out. Hopefully we will be given the chance.

Parallels & VMware Fusion Head to Head

Late last week I finally received the email I was waiting for giving me instructions to download the VMware Fusion Friends & Family Beta. It is the same version I saw a demo of at VMworld. My first impression is that I wish it was faster. To VMware’s credit, the issue is that by design the beta build has debugging on. It is a closed beta after all.

My first use of Fusion was a test for my own personal edification. I cannot get Parallels to sync my Treo 700P with an XP VM. The main reason to use a Windows VM on my Mac at home is to use the Windows version of Quicken. I cannot stand the Mac version. This gets complicated when I want to sync my Quicken with Pocket Quicken on my Treo. I sync everything else with the Mac, so I just need this one Windows program to sync. Up until now I have kept a Windows XP desktop around with an XP VM on it for me to sync my Treo to. I took that VM with Quicken on it, built and run on VMware Workstation 5.5.3, and simply copied it over to my Macbook. I told Fusion where to find the VM, and let it run. After a minute of updating the VM Tools the VM was working perfectly. Within 5 minutes I was able to sync my Treo with the Windows VM. The trick I found was that I disabled the USB sync in The Missing Sync, since I have that software start when the Mac starts. This trick didn’t work with Parallels but was exactly what Fusion needed to see the USB device.

My work requirements are a bit more intensive for what I need in a VM than my home needs. At work, since I use a Macbook Pro, I still need to access some Windows-only tools. From time to time I also need to simulate our users’ working environment, so I need a Windows XP VM with our corporate software build on it. Getting the software build working in Fusion was as simple as copying the XP VM we have ready with sysprep onto my laptop and turning it on. After joining it to our domain and updating the VM Tools I was up and running. This template VM of Windows XP SP-2 was built to work with VMware Workstation as well as Server, so I had no problem getting it running. The drag and drop copy between host and guest worked exactly as advertised. Rob wanted a copy after I showed him how I can move stuff around between my Mac and the VM. The auto resizing of the VM window was also very helpful for day-to-day work. I didn’t have any stability issues with the beta, but I did have a very noticeable performance loss in the VM. Debugging does give you a noticeable speed hit.

If I had to rate the Fusion Beta against the current final build of Parallels I would say Fusion has all the advantages except for the fact that it is beta, and Parallels has been out for months. Fusion beats out Parallels in basic features. Add on top of that the fact that I can use existing VMs we build for Workstation & Server, and it puts Fusion over the top. Of course, if I had to rate the Fusion Beta against the beta of the next update to Parallels that I just downloaded, I am not so sure. The Parallels beta offers a conversion tool from VMware to their format. Helpful, yes, but not as good as having full two-way compatibility between Mac, Windows, & Linux versions of VMware. Then there is the Coherence feature. The few minutes I had to play with it tonight have me wanting to give it a full workout tomorrow at the office. They say a picture is worth a thousand words, so take a look at this photo posted on Flickr by someone to explain what Coherence does. And yes, my friends, it works just as it looks. The video is a bit choppy, but it is beta.

So the jury is out on what features VMware will add to Fusion as it gets closer to release. Parallels also seems to be adding more features as they roll out updates. For me, if VMware can compete with Parallels on features they have the advantage simply because of the interoperability between their other products. For now I look forward to the next versions of both betas. More opinions as I get them.


The Waiting…

At VMworld I signed up to be in the friends and family beta of Fusion, the VMware product for the Mac. I wonder if anyone that went to VMworld and signed up for the beta actually got their email invite to the program? They said to look for the information this week, and it has been over 2. I am not sure if I am being impatient or I got forgotten about :(

I thought about that the other day when Jayson was building some VMs for Parallels to test some new Linux software on his machine. I wanted to try it out also, and thought if I had Fusion I could just use the virtual appliance we were trying to replicate in the first place.


Vista on VMWare Update

Apparently the newly released version of VMware Workstation, 5.5.3, provides experimental support for Windows Vista. I already downloaded both 5.5.3 of Workstation and my MSDN copy of Vista. Now I need to find time to try it out and see if it works. This hopefully solves some of the issues I brought up in my last post.


VMware Fusion

While at VMworld I got to sit through a demo of the new VMware product for the Mac. They are calling it Fusion as a code name now. It looked pretty cool. Is it better than Parallels? I am not sure yet. It has a lot of things going for it. For one, I use VMware products on other platforms and the VMs being compatible is a huge plus. I don’t need to build new VMs when I want to run something on my Mac.

Drag and drop between guest and host was also awesome looking. Parallels has nothing like that. The VMware product also appears to have better USB support. Using the iSight camera in the VM was nifty but with iChat and Skype on the Mac natively I don’t know what I would use it for. Well maybe the Cisco video conferencing software with Call Manager so it might be worth it. If I can get my Treo 700P to sync to the VM on my Mac with Fusion I will be completely sold. I cannot get Parallels to do that even with the latest build.

I will say that I am a bit biased for the VMware product (just because of the interoperability with their other products), so unless Fusion really sucks I will be using it. That doesn’t mean that I won’t be critical of it if I have issues with it! So far I like what I saw in the demo. I hopefully will be getting access to the closed beta they offered people while at VMworld. From what I saw it looked pretty stable. The only issue I saw was that NAT networking was the only network option available in the beta. Bridged networking will come in a later build.


VMworld Update

I had a great time at VMworld. I learned a lot about the topics I went out to the convention for. Now I need to put concept into an actual working system. I also have to convince the powers that be that they should spend the money on some of these projects because they have a great ROI in the long run. More details on some of my ideas later.

I also signed up for the beta of version 2.0 of Ace. They claim that it will work on Linux hosts, so that makes it a viable option for one of the security enhancements we are looking at. More news on that if/when we get the beta.
