Focus on Apple
RE: Mac OS X Security Points for Discussion Jan 30 2007 10:22PM
Todd Woodward (todd_woodward symantec com) (1 replies)
One befuddled list lurker emailed me looking for clarification regarding
virtualization and the variety of virtualization technologies and
techniques on the market right now, and more importantly, how they do or
could relate to Apple hardware. I won't attempt to cover all of the
technologies available, but Wikipedia has plenty of technical,
historical and product-related entries regarding virtualization for you
to consider.

By now you may be familiar with the valuable consumer-level
virtualization technologies currently available for Intel-based Macs
such as Parallels Desktop and VMWare "Fusion" (still in public beta).
These are hosted virtual machine solutions: They require a host
operating system to run, which in this case is Mac OS X.

You may recall that I mentioned "bare metal" virtualization
technologies like VMWare Server ESX and XenEnterprise. "Bare metal"
virtualization technologies (technically known as "Type 1 Hypervisors")
are directly installed on the physical hardware, acting like a host OS.
(Technically speaking they are a host OS, but running only the barest
minimum of services. XenSource markets it as "Minimal software footprint
dedicated to running virtual machines.")

The list lurker expressed some confusion regarding my mention of Xen in
this respect. Prior to Xen version 3.x, Xen only supported
"paravirtualization." For paravirtualization to work, the guest
operating systems need to be ported, which is not likely to be an option
with Darwin/Mac OS X. Two examples of Xen paravirtualization supporting
operating systems are Sun's Solaris 10.x and Novell's SuSE 10.x.

(I've been running openSUSE 10.2 off-and-on for a couple of weeks now in
a test environment.)

Where it regards Intel-based Macs, we have access to "hardware assisted
virtualization" in the form of Intel Virtualization Technology (IVT).
This potentially opens up a whole world of virtualization options in the
form of better hardware support for virtualization, enhanced security,
efficiency and reliability. Parallels Desktop and VMWare Fusion take
advantage of IVT to a varying degree to improve the virtualization
experience and performance.

In the case of "bare metal" virtualization products, and specifically
where it regards Xen 3.x and XenEnterprise, when running on specific IVT
enabled hardware, Xen can now run unmodified guest operating systems.

The drawback with "bare metal" virtualization solutions is the
finite list of hardware they are designed and supported to run on. Both
XenSource and VMWare maintain detailed lists of hardware and other
components they support their "bare metal" virtualization products with.

So now that we have that explanation out of the way, why should we care
about "bare metal" virtualization solutions for Intel-based Apple
hardware? Consider the workstations and servers you administer. What is
their typical and average utilization? 20%? 10%? Less?

Drew Robb of ServerWatch.com gives a great strategic overview:
http://www.serverwatch.com/tutorials/article.php/3634911

"By letting several virtual servers share a single set of hardware, a
much higher average utilization rate is achieved, and hardware and
support costs are lowered...Virtualization also makes it easier to
provision and reallocate servers. Instead of having to manually set up a
server, the virtualization software can set up a server using a
pre-existing template and shift server images from one physical server
to another to balance workloads or improve efficiency. It can also
automatically set up a new virtual server on a different machine when
there is a hardware malfunction. Each application is isolated from the
others, which provides greater security."

From a security research perspective, "bare metal" virtualization
solutions are by several degrees more secure. As Peter Ferrie wrote in
his "Attacks on Virtual Machine Emulators" research paper I mentioned
last week, bare metal virtualization solutions are "almost completely
transparent" and difficult to detect. That's exactly what we want in
honeypot and honeynet environments.

It's an open question as to what it would take for EMC/VMWare
and XenSource to port their "bare metal" solutions to the Mac Pro and
Xserve.

____________

Todd D. Woodward
Technical Support Engineer
Security Response Researcher
Focus-Apple Moderator
Enterprise Macintosh Products

Symantec Corporation
www.symantec.com
Office: 541-335-7441

"Confidence in a Connected World"

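The post says Xen 3.x can only run unmodified guests on IVT-enabled hardware, and that a hosted or bare-metal hypervisor may or may not be visible to the guest. The first thing an administrator wants before planning either deployment is a quick read of what the CPU actually advertises. The following script is an added example, not code from the post or from Symantec, XenSource or VMware: it parses the feature-flag line from a Linux `/proc/cpuinfo` dump or from `sysctl machdep.cpu.features` on an Intel Mac and reports whether VT-x (`vmx`) or AMD-V (`svm`) is present and whether the CPU reports that it is already running as a guest (the Linux `hypervisor` flag; treating a `VMM` flag in the Mac OS X sysctl output the same way is my assumption). All sample inputs below are constructed, with abbreviated flag lists.

```python
"""Classify a host's virtualization capability from CPU feature flags.

Added example (not from the original post). Reads either a Linux
/proc/cpuinfo dump or `sysctl machdep.cpu.features` output from Mac OS X.
"""
import re
import sys

# Linux: "flags\t\t: fpu vme ... vmx ...". Mac OS X: "machdep.cpu.features: FPU VME ... VMX ...".
_LINUX_RE = re.compile(r'^(?:flags|Features)\s*:\s*(.*)$')
_MACOS_RE = re.compile(r'^machdep\.cpu\.(?:features|extfeatures|leaf7_features)\s*:\s*(.*)$')

# Constructed sample inputs (not captured from real machines); flag lists are abbreviated.
LINUX_VT_HOST = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM)2 Duo CPU
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht tm pbe sse3 monitor vmx est tm2 ssse3
"""

LINUX_AMD_HOST = """processor\t: 0
vendor_id\t: AuthenticAMD
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm svm
"""

LINUX_GUEST = """processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht sse3 ssse3 hypervisor
"""

MACOS_VT_HOST = ("machdep.cpu.features: FPU VME DE PSE TSC MSR PAE MCE CX8 APIC SEP MTRR "
                 "PGE MCA CMOV PAT PSE36 CLFSH MMX FXSR SSE SSE2 SS HTT TM PBE SSE3 MON "
                 "VMX EST TM2 SSSE3\n")

MACOS_NO_VT = ("machdep.cpu.features: FPU VME DE PSE TSC MSR PAE MCE CX8 APIC SEP MTRR "
               "PGE MCA CMOV PAT PSE36 CLFSH MMX FXSR SSE SSE2 SS HTT TM PBE SSE3 MON\n")


def extract_flags(text):
    """Return the lower-cased set of feature flags found in a cpuinfo/sysctl dump."""
    flags = set()
    for line in text.splitlines():
        for pattern in (_LINUX_RE, _MACOS_RE):
            match = pattern.match(line)
            if match:
                flags.update(match.group(1).lower().split())
                break
    return flags


def classify(text):
    """Summarise what the CPU advertises about hardware-assisted virtualization."""
    flags = extract_flags(text)
    if 'vmx' in flags:
        hw_assist = 'Intel VT-x'
    elif 'svm' in flags:
        hw_assist = 'AMD-V'
    else:
        hw_assist = None
    # 'hypervisor' is set by Linux from the CPUID hypervisor-present bit; a
    # hypervisor may choose not to expose it, so False is not proof of bare metal.
    # Treating a Mac OS X 'VMM' flag the same way is an assumption of this example.
    running_as_guest = 'hypervisor' in flags or 'vmm' in flags
    return {
        'hw_assisted_virtualization': hw_assist,
        'running_as_guest': running_as_guest,
        # Xen 3.x HVM (unmodified guests) needs VT-x or AMD-V; without it only
        # paravirtualized (ported) guests can be run.
        'unmodified_guests_possible': hw_assist is not None,
    }


def report(text):
    """Human-readable one-line summary of classify()."""
    result = classify(text)
    assist = result['hw_assisted_virtualization'] or 'none advertised'
    guest = 'yes' if result['running_as_guest'] else 'not reported'
    return ('hardware-assisted virtualization: %s; unmodified guests possible: %s; '
            'running as guest: %s' % (assist, result['unmodified_guests_possible'], guest))


if __name__ == '__main__':
    # Usage: python vtcheck.py /proc/cpuinfo   or   sysctl machdep.cpu.features | python vtcheck.py
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    print(report(data))
```

One caveat worth knowing when reading the output: the `vmx` flag reflects what CPUID reports, and on many boards the CPU still reports VMX even when the firmware has disabled VT-x through the feature-control MSR lock bit, so a positive result here means "supported by the processor", not "enabled"; the hypervisor itself (Xen, KVM) will tell you at boot if the firmware has it switched off. Likewise, the absence of the `hypervisor` flag only means no hypervisor chose to announce itself, which is precisely the transparency the post attributes to bare-metal solutions.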
Re: Mac OS X Security Points for Discussion Jan 31 2007 12:31AM
Ben Greisler (bg gdiconsulting com) (2 replies)
Re: Mac OS X Security Points for Discussion Jan 31 2007 05:09AM
David Fedoruk (david fedoruk gmail com) (1 replies)
RE: Mac OS X Security Points for Discussion Jan 31 2007 09:37PM
Todd Woodward (todd_woodward symantec com)
Re: Mac OS X Security Points for Discussion Jan 31 2007 04:42AM
Dave Schroeder (das doit wisc edu)