Hidden Possibilities
Storage-centric solution providers who add server virtualization to their practices are finding they need new ways to implement and deploy storage infrastructures to virtual server environments. Those environments can, in turn, enhance such areas as data replication and disaster recovery with server virtualization.
Other solution providers with strong security backgrounds are finding that security issues related to virtual servers are as similar as they are different in regards to physical servers. In either case, they are benefiting from a whole new set of service opportunities.
Storage and virtual server technologies are starting to feed each other, said Greg Knieriemen, vice president of marketing at Chi, a Cleveland-based solution provider.
"As customers add server virtualization, their storage needs ramp up quick," Knieriemen said. "So storage consolidation is becoming an issue. Before, a midrange company might have had 20 to 40 physical servers in a non-SAN environment. But many companies that don't have a SAN today who are implementing server virtualization are finding they require a SAN to do it."
Kevin Houston, business development manager and virtualization practice manager at Optimus Solutions, a Norcross, Ga.-based solution provider, said having a good storage network in place is a prerequisite to server virtualization.
"Oftentimes, the customer doesn't have a storage network," Houston said. "Or they have older technology, in which case we can then help them move to a more robust platform or add new features."
Houston said that the opposite, that storage complexity drives server virtualization, is also true. "As we help them consolidate their storage, we can also show them how their servers are only being used at 3 percent to 5 percent utilization," he said.
While much has been made about the negative impact server virtualization has had on physical server sales, less noticed is the negative impact it is starting to have on the building of SAN fabrics.
Chris Mierzwa, vice president of product management and alliances at Sirius Computer Solutions, a San Antonio-based solution provider, said that he's already starting to see a cut in the number of storage ports that are connected to customers' servers, thanks to a fall in the number of physical servers being installed.
"Now everybody has all the ports they need," Mierzwa said. "The main exceptions are companies that never had a SAN installed before."
Knieriemen agreed that the number of SAN ports is starting to fall, thanks to server virtualization. However, he said that SANs are not always needed by midsize companies implementing server virtualization, and that the technology can actually lead to increased adoption of direct-attached storage.
Bryan Champagne, director of storage engineering at The Only System Solution (TOSS), a Framingham, Mass.-based solution provider, also sees increased server virtualization resulting in a smaller SAN port count.
However, Champagne said the increase by no means lessens the need for SANs, or at least for looking for ways to tie multiple SANs together. "People think SANs are widely accepted," he said. "But they are often very vertical. For instance, a hospital may have a couple of SANs, but they are focused on specific functions, such as PACS or radiology."
Regardless of whether Fibre Channel or iSCSI SANs are used, much SAN-based storage capacity is required for such functions as data snapshots and virtual server migration, said Keith Baskin, storage practice manager at Optimus Solutions.
Server virtualization is also changing the staffing requirements of customers, as much of an IT infrastructure's routine tasks become more automated, Mierzwa said.
Customers will need more highly skilled people with server migration and related storage expertise, and fewer people to handle routine tasks, Mierzwa said. "There will be increased pressure on people who can handle these solutions," he said. "We are seeing that from customers who expect our people to have expertise in server virtualization, storage and network management."
Implementing server virtualization means several new challenges for solution providers, Baskin said. For instance, because virtual servers are running during the backup process, they have to be dealt with as if they are open files in the same way that open databases are handled.
"You need to quiesce the virtual machine in order to work with the VMDK [VMware's Virtual Machine Disk Format] file," he said. "For disaster recovery, if you can get the VMDK file to another system, you can recover a virtual server as long as that other system has a copy of VMware ESX Server."
The problem is getting the VMDK file into a quiesced state. "In the past, you could suspend it, take a snapshot and then bring it back up," Baskin said. "But that leads to downtime. You have to put the server in the suspend mode. Today, we're seeing a lot of R&D in being able to quiesce the VMDK file and take the snapshot."
When it comes to security, virtualized servers are in many ways similar to physical servers, with each individual virtual or physical server requiring processor time, memory, I/O and an operating system to run an application that does not care on which type of server it is found.
Yet the differences are broad enough to spur a debate between those who say that virtual servers primarily need the same type of protection tools—antivirus, antispam, firewall—as any physical server, and those who say that server virtualization brings its own potential areas for malware exploits and requires a new set of tools.
While security is an important issue in any part of the data center, customers have yet to express concern about the security of their virtual servers. "A lot of people don't think virtual environments need protection," Houston said. "They have perimeter security to protect against external attacks, and an inside perimeter to protect against internal threats."
Within the host servers, virtual servers are often not protected, Houston said. "But no customers say they are worried," he said. "But remember, this is still new. Just a year ago, customers were still looking at whether they wanted to virtualize servers or not."
Paul Adamonis, director of security solutions at Forsythe Solutions Group, a Skokie, Ill.-based solution provider, said it will take a major breach to bring security to the forefront. "That will happen when you see the first rootkit at the hypervisor level," Adamonis said. "Then you'll see everybody scrambling."
For now, Adamonis said his company has discussed security in virtual environments and has concluded that the issues are similar to those of physical servers. "If you are going to do antivirus or e-mail lockdown, you'll have to do it on the virtual server as well as on the physical server," he said.
In many ways, securing virtual servers is not very different from securing physical servers, said Patrick Lin, senior director of product management at VMware.
"At the end of the day, they are just Windows machines," Lin said. "When you turn a physical server into a virtual server, it's no more vulnerable than it was before. There are not new avenues of attack all of a sudden."
Virtual machines need to be treated the same in terms of protection and management as physical servers, said Michael Berman, CTO of Catbird Networks, a Scotts Valley, Calif.-based developer of virtual security appliances that feature the company's software stack optimized for deployment on virtual servers.
"You can't assume virtual servers are any more secure," Berman said. "They're still affected by the same issues: spyware, viruses, patches. Even people with good security and who have deployed defense in-depth in corporate environments have not extended it to their hypervisor environment."
Tracking active and dormant virtual machines is a specialty of ConfigureSoft, a Colorado Springs, Colo.-based developer of software, to ensure that changes to a company's IT infrastructure do not affect any compliance issues that company is facing. Andrew Bird, vice president of marketing at ConfigureSoft, said it's increasingly common for users to build virtual servers and add them to the network without ensuring they are compliant with corporate policies. Many of those virtual machines are put in a dormant stage when not in use, and when they are awakened do not have the required updates and patches.
It's also becoming common to build virtual servers for disaster-recovery purposes, and then let them go dormant until required in an emergency, Bird said.
Server virtualization vendors also look at ways to ensure that one virtual server does not, and cannot, interfere with another.
The Solaris operating system, which runs an application inside its own container on a common operating system instead of giving each virtual server its own OS, lets users create multiple name space environments within the same kernel, said Joost Pronk van Hoogeveen, product line manager for Solaris virtualization at Sun Microsystems, Santa Clara, Calif.
Users can specify which of up to 52 distinct privileges each application's container has, such as the ability to plumb IP addresses, snoop on network traffic and change process priority, van Hoogeveen said. Many of those privileges are turned off by default, he said.
Because of its flexibility, server virtualization can be a helpful tool for implementing a company's overall security infrastructure. For instance, Lin said, customers can use virtualization to simplify certain operations, such as updating security patches.
"It's easy to test patches with different server platforms using virtual servers before applying the patches to production servers," Lin said. "And you can take a snapshot of a server using virtualization before updating it to make it easy to revert to an earlier version."