MTI Secure Hyper-Converged Infrastructure Webinar & Guide

Back end of February I presented a webinar with my colleague, Andrew Tang, around Key Challenges and Considerations for Securing Hyper-Converged Infrastructure.

The webinar has been uploaded for public consumption by the marketing team at MTI Technology.

As I mentioned previously in my blog, I don’t really touch upon product in this webinar as the last thing customers want is to be shoehorned into a certain vendor product… instead I hope the webinar gives enough information about what HCI is in general, why customers should be looking at HCI during their next infrastructure refresh, and more importantly what to consider when evaluating a HCI solution!

You can access the webinar recording here: https://mti.com/secure-hci-webinar-page/ (sorry, you have to fill in your details to gain access….)

Marketing has also finally released the HCI guide that both Andrew and myself put together around HCI, feel free to download that here: https://bit.ly/2qMY6qJ

Finally, if you’re interested in talking more about HCI then feel free to contact me or register for one of MTI’s HCI Discovery Workshops: https://bit.ly/2vQO3Gb

Dell EMC VxRail Software Update – Spectre Guest OS leakage mitigation

I posted earlier in the year that Dell EMC had released a Security Advisory to address Spectre (Meltdown doesn’t really affect VMware and hence VxRail).

One of the items that wasn’t addressed in the original fix was Guest OS leakage mitigation between processes within the VM – this required CPU/BIOS microcode updates which were not yet available from Intel.

Those updates were made available from Intel at the beginning of April and it’s taken a while for it to filter through to vSphere and VxRail – the delay is down to VxRail being a fully turn-key appliance which means all software/firmware updates from Dell EMC are fully tested and validated before release.

Updates 4.0.402 and 4.5.152 are now available to download from Dell EMC’s support portal.

Release notes can be found here:
https://support.emc.com/docu80740_VxRail-Appliance-Software-4.0.x-Release-Notes.pdf?language=en_US
https://support.emc.com/docu86659_VxRail-Appliance-Software-4.5.x-Release-Notes.pdf?language=en_US

The accompanying Dell EMC Security Advisory is available here: DSA-2018-074: Dell EMC VxRail Security Update for Multiprocessor Side-Channel Analysis Attacks (Meltdown and Spectre)

VxRail Appliance software 4.0.402 and 4.5.152 contain the Intel microcode fix to complete the resolution of the speculative execution security issues.
VxRail Appliance software 4.0.402 includes fixes for the following security vulnerabilities:

  1. CVE-2017-5753 (Variant 1: bounds check bypass, also known as Spectre) – Complete fix in 4.0.401 and above.
  2. CVE-2017-5715 (Variant 2: branch target injection, also known as Spectre):
    • Mitigates leakage from the hypervisor or guest VMs into a malicious guest VM – Complete fix in 4.0.401 and above.
    • Guest OS leakage mitigation between processes within the VM requires BIOS or CPU microcode update released by Intel and included in this release – Complete fix with either BIOS or CPU microcode update automatically applied through the VxRail 4.0.402 automated software upgrade. No manual BIOS update required for any supported VxRail hardware platforms.
  3. CVE-2017-5754 (Variant 3: rogue data cache load, also known as Meltdown): Does not affect VxRail Appliance.

NOTE: Manual steps are required after the VxRail Appliance software upgrade to 4.0.402 to power cycle the VMs for the branch target injection mitigation to take effect. More info available within this KB article: https://support.emc.com/kb/519601

Also note that this update does not patch Guest OS!
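
A guest-side check for the two caveats above (the VM power cycle and the unpatched guest OS), as an added example that is not from Dell EMC or the KB article. It assumes a Linux guest using the mainline kernel's `ibrs`/`ibpb` flag names and `spectre_v2` sysfs report; the status words and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes mainline Linux names: "ibrs"/"ibpb" CPU flags and the
# spectre_v2 sysfs report. Distro backports may use different flag names.

# classify_guest CPUINFO_FILE SPECTRE_V2_REPORT -> prints one status word
classify_guest() {
    cpuinfo=$1
    report=$2

    # No report file: the guest kernel predates the Spectre fixes, so the
    # guest OS itself still needs patching (the appliance update does not do it).
    if [ ! -r "$report" ]; then
        echo guest-kernel-unpatched
        return 0
    fi

    # Patched kernel but no ibrs/ibpb flag: the new microcode features are not
    # visible to this VM, which is what a pending power cycle looks like.
    if ! grep -m1 '^flags' "$cpuinfo" | grep -Eqw 'ibrs|ibpb'; then
        echo microcode-not-visible
        return 0
    fi

    # Features visible: trust the kernel's own verdict.
    case "$(cat "$report")" in
        Vulnerable*) echo guest-mitigation-off ;;
        *)           echo mitigated ;;
    esac
}

# Constructed sample: patched guest kernel, VM not yet power cycled.
demo() {
    d=$(mktemp -d)
    printf 'flags\t\t: fpu vme sse2 ssse3\n' > "$d/cpuinfo"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    classify_guest "$d/cpuinfo" "$d/spectre_v2"
    rm -rf "$d"
}

demo
```

Inside a real guest, call `classify_guest /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities/spectre_v2` before and after the power cycle.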

For more information about Spectre/Meltdown, have a meander to my original posts:
Spectre & Meltdown Vulnerabilities
Spectre & Meltdown Update

MTI Secure Hyper-Converged Infrastructure Webinar

So last Thursday I was asked by the marketing peeps at my company, MTI Technology, to run a webinar with my colleague, Andrew Tang, around what Hyper-Converged Infrastructure is all about, why it’s suddenly become so popular within the industry, and how best to secure a HCI solution.

The webinar has now been uploaded for public consumption…. and since it kind of went ok – apart from me suffering from a runny nose throughout (sorry for all the sniffing) – I’ve decided to blog about the webinar for you all to watch.

I don’t really touch upon product in this webinar, as the last thing customers want is to be shoehorned into a certain vendor product… instead I hope the webinar gives enough information about what HCI is in general, why customers should be looking at HCI during their next infrastructure refresh, and more importantly what to consider when evaluating a HCI solution!

Feel free to pop along and access the webinar recording here: https://mti.com/secure-hci-webinar-page/ (sorry, you have to fill in your details to gain access….)

Finally, if you’re interested in talking more about HCI then feel free to contact me or register for one of MTI’s HCI Discovery Workshops: http://bit.ly/2C8vS14

Dell EMC updates VxRail software to address Spectre

So Dell EMC have finally released the patches for their VxRail appliances, I know many of my customers were asking about these patches – in a way it’s good it was slightly delayed given how many normal VMware customers experienced issues when patching and how one patch was pulled by VMware!

The good thing about VxRail is that any software patches or updates released have been tried and tested by the Dell EMC CPSD engineering team, so they should be ready for roll out with minimum disruption!

Updates 4.0.401 and 4.5.150 are now available to download from Dell EMC’s support portal.

Release notes can be found here:
https://support.emc.com/docu80740_VxRail-Appliance-Software-4.0.x-Release-Notes.pdf?language=en_US
https://support.emc.com/docu86659_VxRail-Appliance-Software-4.5.x-Release-Notes.pdf?language=en_US

It’s worth noting that at present this patch only contains 2 of the 3 required fixes for Intel to address the Speculative Execution vulnerability (Spectre – Meltdown doesn’t really affect VMware and hence VxRail). The 3rd fix has not yet been released by Intel and Dell EMC basically decided they couldn’t wait any longer as Intel drag their heels!

VMworld 2017 US General Session Day 2

….. This update is a bit late going up because Tuesday evenings is 5-a-side footie for me…. =)

So what was the General Session on Day 2 all about… well it kicked off with a fireside chat between Pat Gelsinger and Michael Dell, answering a few questions that were submitted the previous evening from attendees. In my opinion there weren’t any major revelations or probing questions asked/answered, what we do know is that Michael Dell likes Peanut Butter & Chocolate… =P

It’s interesting that Dell thinks that we’re in for some exciting times with AI and machine learning…. although he didn’t quite pin his flag like Zuckerberg and Musk recently… =)
The amount of data created from IoT is stupendous, and the possibilities of using that data are endless – however, companies need to start thinking about how to use the vast amounts of data they have to try and improve processes, products and services – if they don’t then they could be left behind (Just like Elastic Sky Pizza were)!

However, one of the more memorable quotes from Pat was that “Today is the slowest day of technological evolution of the rest of your life!” Great quote, and how true it is…. In IT we live in an ever-changing world!

One thing I did pick up on was VMware Skyline – a new and innovative support technology which will offer proactive support for VMware solutions. It will consist of a Collector appliance that end-users deploy; it then sits there securely collecting environmental data from different VMware components (such as configuration, performance, and product usage) whilst performing machine-learning analytics to ensure the overall solution functions correctly. If it detects any changes, events or patterns that will cause a deviation from best practices or validated designs then it will alert the customer. Skyline is aimed at improving support experience through data analytics.

Both Pat and Dell were then joined on stage by Rob Mee (CEO of Pivotal) – it was really interesting to hear that Pivotal Cloud Foundry was being used in over 50% of the Fortune 500 – I wonder what the percentage is in the UK FTSE? Pivotal has been “pivotal” (excuse the pun) in helping enterprises and their digital transformation – how to run legacy production workloads alongside developing new cloud-native applications, yet still providing the availability and security whilst also reducing cost! Pivotal Cloud Foundry addresses all these issues.

The biggest announcement of the day was the unveiling of Pivotal Container Services (PKS) – a partnership between VMware, Pivotal and Google Cloud. Pivotal has been working with Google for a while – Project Kubo – and now with the partnership with VMware, PKS will enable enterprises to deliver production-ready Kubernetes on VMware vSphere and Google Cloud Platform (GCP), with compatibility to Google Container Engine (GKE) – all secured by – yup you guessed it – NSX. Pat went on to say that they’re not stopping there and will start to integrate other VMware products such as vRealize Automation and Operations, along with Wavefront (who VMware acquired in May – it’s a “real-time metrics monitoring and streaming analytics platform designed for developers to optimize their clouds and modern applications that rely on containers and microservices”)

Pat, Dell and Rob were joined on stage by Google’s Sam Ramji (VP of Product Management – Developer Platforms). It’s interesting how Google are pouring in vast amounts of their knowledge on containers into Kubernetes – a way of giving back to the community! Sam also announced that Pivotal and VMware were to become Platinum Members of the Cloud Native Computing Foundation – home of Kubernetes.

The rest of the General Session involved a fictitious company called “Elastic Sky Pizza” which was stuck in the past and needed assistance in transforming their business. Loads of demos and presentations showing how VMware’s suite of Cloud products work – including PKS, AppDefense, NSX, Pulse IoT (Edge LIOTA).

 

PKS looks amazing, but I do still think that containers are an enterprise play – which kind of goes against one of the questions during the fireside chat about looking after the SMB market… this is probably going to be priced above what SMBs can afford!

End of Availability of vSphere Data Protection

Wow…. ok….. so this was an interesting announcement to receive. Whilst I kind of understand that VDP wasn’t really deployed by the masses, it was still nice to be able to have a free backup solution if you were deploying a small VMware environment.

The EoA of vSphere Data Protection pretty much means anyone wanting to back up their VMs will now need to pay for a 3rd party product! That kinda sucks!

VMware vSphere 6.5 is the last release which includes the VDP product!

You can read more about the announcement here: http://www.vmware.com/products/vsphere/data-protection.html

Also worth checking out the VMware KB article for more info: https://kb.vmware.com/kb/2149614

And if you have VDP deployed then don’t worry, any installations where you have an active Support and Subscription (SnS) will continue to be supported until the End of General Support (EOGS) date – the EOGS date can be found on the VMware Lifecycle Product Matrix.

It’s worth noting that this does not affect the vSphere Storage APIs – Data Protection (VADP) which most 3rd party vendors utilise.

It’s also worth noting that Dell EMC are helping those who have VDP deployed by offering them 3 years of free Avamar Virtual Edition (AVE) licensing to protect the first 4TB of protected data – although Maintenance costs will continue to apply during this 3-year period. Offer valid through October 15, 2017.

The offer can be found here: http://dellemc.com/vdpeoa

 

Finally, the FAQ released will assist with any questions you may have: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/vsphere/vmw-vdp-eoa-faqs.pdf