Tuesday, December 7, 2021

Carbon Black Cloud Workload Protection

Companies have been dealing with security for decades, but the escalate of incidents and attacks like Ransomware has been proving that we are losing this war. 


There was always this idea of prevent/detect it on upper layers, like border firewalls, IDS/IPS systems which on the actual distributed environment, on-prem/cloud/edge, remote workforces, is becoming more and more challenged, specially with the use of traditional approaches/tools.


Prevent/Detect is as important as is to reduce the attack surface, no doubt if there was no vulnerability to exploit than there's nothing to worry about, right ? of course there's no such thing as 100% guarantee of security, and if someone is telling you that be suspicious (at least).


To reduce the attack surface you can implement a few disciplines like Hardening Guides and Vulnerability Management. That is one of the areas VMware can help with.
 

Carbon Black Cloud Workload Protection is aimed to bring Infrastructure and Security Teams together with a unified view, identifying and prioritizing vulnerabilities in your environment so you can act upon it accordingly, lets see what I'm talking about:
 

*** Integration ***

 
Workload Protection is integrated with vCenter, meaning that Infrastructure teams don't have to learn any new tool, it's already there in the environment they know and love. Also, they will have the same vulnerabilities view the security teams have.

It starts with a nice Overview of your environment. You can immediately see your inventory's status, how many systems are affected, and the categorization of them.









*** Prioritization ***

 
It's not news that everybody is overloaded with activities, there's no way anyone of us could do everything, be on top of vulnerabilities popping up every single day, adding to that constant changes on your environment, workloads being provisioned automatically, it's really hard to keep track of all of it without proper tools. would not be nice if you could focus your efforts on what's really important ?!?
 

Your welcome ; )
 

By default, the Vulnerabilities page point you to the critical systems that need immediate attention. It's by far the greatest way of saving hours of you have to dig on the systems/vulnerabilities to understand what's  critical or not.








You can make your analysis by grouping them by affected systems or by vulnerabilities. Either way, you will see the Risk Score, systems affects, and more..










The way we rank the vulnerabilities is the most innovative way in order  to help you focus on what's critical.

 

Despite the score provided by Common Vulnerability Scoring System (CVSS), you would need more information of the vulnerability, like the method of attack, likelihood of being attacked, that's where VMware in Partnership with Kenna Security come to rescue and master the risk score based on a few extra criteria

 

- Easily Exploitable: Is that a vulnerability easy to be exploited, have the method being recorded

- Malware Exploitable: Has this been productized/weaponized on tools or exploit kits 

- Active Internet Breach: Is it presence on your location or real-time exploitation

 

Based on those criteria we can reassess the risk and provide you with a more realistic risk of each vulnerability, allowing you to focus on the critical ones.

 











*** Agentless - Scanless ***


Because we are integrated with vSphere there's no need to install and lifecycle extra agents on the Virtual Machines, we could collect all required information through VMware tools.
 

On the Inventory tab, you can select the assets that are not being monitored. To enable the collection, simply just select the VMs and hit the button ENABLE













With time is common that you have to update the sensor collecting the data, a simple task with the vSphere integration.


Just select the desired assets and hit the UPDATE button.











As you can see Workload Protection is doing a fantastic job bringing together  Infrastructure Team and Security Team together,  but most important is to give you insights on where to focus your efforts to keep the environment safe.


Please, let me know what measurements you are using to keep the bad guys out.


Wednesday, September 22, 2021

VMworld 2021 - Top Pick


VMworld is only two weeks away, once again this ever the event will be all virtual but even better FREE of charges, so if you did not register yet, dont miss this opportunity to hear from VMware's leaders all the news, the strategy and the direction the company is heading to. Also Michael J. Fox and Will Smith will be joining us for great talks.

So wait no more and do your registration now !!!

There'll be more than 800 technical sessions and even though the Catalog is available it takes time to build your schedule and you might fell buried with all the content available.

So, to give you a good start here's my top pick sessions for your appreciation;

Multi Cloud

 

Deliver the Same Infrastructure to a Multi-Cloud Deployment [MCL1268]

Learn how VMware vRealize Automation Cloud integrates with Azure VMware Solution, Google Cloud VMware Engine, and Oracle Cloud VMware Solution, and their differences and considerations for running VMware deployments.

 

VMware Cloud on AWS: Architecture Deep-Dive [MCL1811]

Expand your technical knowledge of VMware Cloud on AWS and learn more about the underlying elements of a software-defined data center as we focus on the architecture and options for deployment topologies. 

 

Kubernetes

 

Get Started with vSphere with Tanzu [MCL1648]

This session will introduce VMware vSphere admins to vSphere with VMware Tanzu. We will go over the requirements and set up a basic configuration so admins can deploy a VMware Tanzu Kubernetes cluster and application. 

 

Modernize Infrastructure with S3-Compatible Object Storage on VMware HCI [APP1980]

Modern applications create new storage requirements for unstructured and semi-structured data. Join this talk and demo session to learn how you can run S3-compatible object storage from Cloudian and MinIO on VMware Cloud Foundation with VMware.

 

 

Security

 

Ransomware Protection: Unlocking the Power of Security and Resiliency [SEC1177]

Security and resiliency are not the same thing, but they are a perfect combination. Join us for a solutions session where we’ll focus on how VMware Carbon Black Cloud and VMware Cloud Disaster Recovery work together to drive confidence in...

 

Architecting VMware DR Solutions to meet your Recovery Goals [MCL2232]

VMware customers have a variety of options when deciding how to architect their disaster recovery environment. The selection and configuration of products and services such as VMware Cloud Disaster Recovery, VMware Site Recovery, and Site Recovery..

 

Automating Ransomware Remediation with VMware Carbon Black Cloud [CODE2782]

Are you prepared for the next Ransomware attack? With our Next Generation Anti-Virus and Behavioral EDR in the VMware Carbon Black Cloud, you can feel confident that your employees and sensitive infrastructure will be better protected. 

 

 

Networking

 

Understand Hybrid Connectivity for VMware Cloud on AWS [MCL2840S]

Some organizations running VMware vSphere on premises have use cases that require them to extend their data centers to the cloud using VMware Cloud on AWS. Configuring network connectivity between on premises and the AWS Cloud is a crucial.

 

Automated Problem Resolution in Modern Networks [NET2160]

Legacy network operations and management solutions have been primarily reactive. Once an issue is detected (such as packet drops, jitters, congestion), network operators are alerted to resolve them manually. 

 

 

Storage

 

vSAN Technicical Deep Dive [MCL1654]

VMware vSAN is the largest and fastest growing HCI product in the market today. vSAN has always been at the forefront of technology innovation. Are you interested in learning about the latest innovations in vSAN? 

 

VMware’s Vision for Storage and Data in a Multi Cloud world [MCL2505]

VMware continues to innovate storage and availability solutions for use on-premises and in the cloud. The speakers in this session will share VMware's vision and direction for the current and next-generations of products such as vSAN, vVols.

 

Disaggregating Storage and Compute with HCI Mesh: Why, When and How [MCL1683}

There are multiple use cases for disaggregating Hyperconverged Infrastructure (HCI) storage. Common scenarios include environments with disproportionate requirements for compute and storage resources and architectures with limited local storage.

 

Operations

 

A Big Update on vRealize Operations [MCL1277]

Give us 30 minutes and we will give you an update on VMware vRealize Operations you won’t forget. The premier cloud management tool has some great things coming for ease of use, time to value, troubleshooting, capacity and cost efficiency.

 

60 Minutes of Non-Uniform Memory Access (NUMA) 3rd Edition [MCL1853]

Although we enrich the stack with multiple layers of abstraction, obtaining consistent performance boils down to understanding the fundamentals. This requires the admin and the architect to focus on individual host components again. 

 

vRealize Automation – Now and into the future [MCL2448]

In this session, you will see all the great capabilities that have been released this year within vRealize Automation and vRealize Automation Cloud. We will also discuss what's coming in the future with vRealize Automation.

 

 

Workforce

 

Advanced Architecture for Deploying Horizon in the Cloud [EUS1129]

This session will dive into many of the advanced VMware Cloud on AWS design considerations and topologies that impact delivering VMware Horizon on VMware Cloud on AWS. These design considerations and topologies are not limited to Horizon. 

 

Anywhere Worspace Expert (EUS2610]

Anywhere Workspace is an industry-first architecture that enables any employee to work from anywhere. This integrated solution combines Unified Endpoint Management, Desktop and App Virtualization, Endpoint Security and Secure Access Service Edge.

 

Technical Deep Dive on SASE and Horizon – Part II [EUS2467]

The EUC Solution keynote continues with a deep dive into two important topics. First, Shawn Bass will talk about VMware SASE, VMware Secure Access, and what they mean for end-user computing strategies in a world of distributed work. 

 

Designing and Implementing a High Performance Virtual Desktop Solution [EUS3074S]

In this session, we will present the design and implementation of a virtual desktop infrastructure (VDI) solution to support migration of high-performance developer desktops from local workstations to VDI. We will summarize the customer’s key.

 

Empower the future of Work for a 130.000 Distributed Workforce [EUS2276]

Executing a successful distributed workforce strategy requires rethinking where and how team members work. Dell Technologies has built flexibility into their culture for the past decade by removing friction to allow team members to connect and.


I know there are hundreands of good sessions out there, if you have any good suggestion please, leave on the comments bellow.



Thursday, September 9, 2021

Customizing VMs with Cloud-Init

 Last post was all about creating Virtual Machines through VM Services operator provided by vSphere with Tanzu, which would give immediately freedom of choice to Developers when it comes to choose how their application might be made of; Containers, Pods, VMs, a mix of all of them .... in fact it does not matter anymore, they can build and run any of them just the same way.

Honestly, my previous post just shows how to create VMs, All the fun comes now when we can customize it during provisioning.

Guest customization is performed by the use of Cloud-Init, mainly because it became one of the most popular customization tools out there, meaning that you can leverage all that beauty you already have created.

Cloud-Init also provides dozens of modules since basic things like creating Users and Groups, Repo configuration, Packages installation, but also more advanced functions like integration with Puppet and Chef. As a start I suggest going through the examples available on their portal.

Back to my initial ConfigMap, it just had basic customization


Let's see how we can pimp this code:

First create your cloud-init file with the customization you want to make. I made a basic one, just user's creation, set it's password, install some package and run a command.



Although it's available on my git, it's far from being considered best practices, use it at your own risk !!

Once it's done, you will add it to ConfigMap under user-data section, which by the way need to be base64

just run: cat "cloud-init-file" | base64

Now just copy the code and past under the user-data... make sure it's a single line of code.




It's all set now, you can create your VMs just as I showed on the previous post.

 

Good customization !!!


Wednesday, September 1, 2021

Creating Virtual Machines with Tanzu 2/2

A few weeks ago, I started blogging about VM service, a new feature of vSphere with Tanzu update 2 which allows developers to created virtual machines with descriptor files, just the same way they do with Pods and Containers.

 

By that time, I wrote through the eyes of an Operator, which will setup the environment to Developers consume in a secure and control manner.

 

Today, let’s see how a Developer benefits from a self-service Virtual Machines consumption, enhancing their agility, delivering solutions faster to the marketing.

 

To start with login to supervisor cluster and make sure your context is configured to the Namespace where VM service has been configured

 

Documentation page provides a basic template to start with, but if you wanna test my use case, I also published it on my git.

 

 

I highlighted some points on the yaml file, those are the critical information you need to provide as follow:

 

imageName: it’s the template’s name which was made available to your Namespace as part of the Content Library selection:

to list all templates available run: kubectl get vmimage

Along with the templates available for VM Service it also lists templates for Tanzu Kubernetes Cluster (if it has been configured to your Namespace);

 

 

className: is that kind of t-shirt size profile which dictates the resources your VM will get.

To list the classes available run: kubectl get virtualmachineclassbindings

 


The name might not be the most intuitive thing in the world, describe the class to get detailed information about the resources allocated, running kubectl describe virtualmachineclassbindings “class_name”

 

 

storageClass: That’s the name of the storage policy where the disks of your VM will be created at:

To list the storage policies available to you run: kubectl get resourcequotas

The first part is your storage policy name



networkName: that’s the network name attached to your VM, but it’s ONLY REQUIRED if you are using vSphere Distributed Switch, otherwise you can remove this specification.

To get the networks available to you run: kubectl get network

 

 

In case you get a message like: Error from server (Forbidden): networks.netoperator.vmware.com is forbidden: User "sso:user@domain" cannot list resource "networks" in API group "netoperator.vmware.com" in the namespace "name" it means your Namespace is configured with NSX-T (see topic bellow)

   

networkType: it’s the solution providing network services to  your Supervisor Cluster; it can be vsphere-distributed or nsx-t

For a developer it’s not something they would know or care about to be honest, to make sure the result you got querying the network is valid you can just describe the network, running kubectl describe network "net_name"


 

 

That’s all you need to create your VM.

 

Well, there’s nothing fancy about creating VMs if we cannot customize it right ? 

 

Customization of VMs like installing packages, creating files, adjusting settings is done through the use of ConfigMaps, but this topic deserves its own blog post. (check it out)

 

For now, as part of my deployment I also create a ConfigMap which just configures hostname and set up the default password (which will be required to change upon first login). 

Just create the VM as you would normally do with any Kubernetes object

 

 

In a few minutes the VM will be available, run kubectl get vm

 


Also, the VM will be on vCenter inventory under the Developer's Namespace, just as any other VM.

 



 

That's what I call Developers freedom !!

 

 

 

Monday, August 23, 2021

Tanzu Self-Service Namespace

Giving developers freedom and autonomy to do what they do best, delivering meaninful business vaule through faster and faster cycles has been a VMware's obssession with Tanzu portfolio.

Self-services for Kubernetes cluster creation, scale-out, update and even the creation of virtual machines is already a reality . But for vigilant eyes, there's one step back before all this beauty can happen, access to a Namespace !!!

How do you give Developers access to an environment ? Ticket systems ?!?! Shame on you !!!

vSphere with Tanzu Update 2 brought another great feature, Self-Service Namespace, now your developers can create it's own Namepace, let's dig into it.

First of all, you need to enable Namespace service on your supervisor cluster; that will create a kind of template that will be reproduced over an over every time a developer request a new Namespace.



 

It then starts asking about the quota you wanna set up for the Namespace template, click Next when you are done;


On the Permissions page, you assign the developer's accounts with the capability to create Namespaces, just add the users from the identity sources of your choice and click Next;

If everything is fine with your Template, just click Finish;

Now it's time to create some Namespaces.

Depending on the developers, you might have several others contexts,  make sure you are on the context of your supervisor cluster.


To create a Namespace just run: kubectl create namespace "namespace_name"


A new Namespace will be created, the developer will be the owner of it and all the configuration will be inhered from the Namespace template we just setup before.


Tanzu Update 2 had so many great features that Self-Service Namespace runs under the radar, have you notice this feature before ?



Friday, July 16, 2021

Creating Virtual Machines with Tanzu 1/2

We have seen the increase of containers adoption at companies of all sizes, driving innovation and conquering new markets by the release of new apps or features faster and faster. It would not be possible without the use of modern applications, mostly running on top of Kubernetes, but it’s also unliked to think that those applications will be 100% based on microservices, in fact those new Apps are hybrid, part microservices, part running on virtual machines, like databases or applications that demand a more traditional runtime and even functions, so what's better than having a single platform that can run them all, integrated, self-service and transparent to the developer ?!?

 

That’s what VM Service is all about, to allow developers to create VMs using K8s manifests on top of vSphere with Tanzu just the same way they are used to deploy all others K8s constructs, eliminating manual or ticketing requests, improving their autonomy and delivering value faster to business.

 

I’ll cover this subject under two different angles:

- The Operator, which is responsible for the infrastructure, concerning about it’s availability, security and compliance.

- The Developer, which is concern about delivering value through the deployment of applications and features as fast as possible without need to worry so much about the infrastructure.

 

Let’s start with the Operator.

First of all VM Service has been released to vSphere 7 update 2, so make sure you update your vCenter and Supervisor Cluster to at least this version.

 

Once available you will notice a new tab on Workload Management called Services.

 


VM Service has two main components, VM Class and Content Library 

 


You can think of VM Class as a profile for VMs, like T-shirt sizes on public clouds, where you define the VM resources in terms of amount of CPU and memory which will be allocated, also you can specify how much of those resources are guarantee (reservation). 

 

 By default vSphere with Tanzu offers a few classes, but you can also create your own, it’s very intuitive, just give it a name and set the values you desire, please avoid to change the default ones, if you need different parameters create your own instead.

 

 

Content Library is where the VM images or templates are stored, so developers can pick one desired OS flavor during provisioning.

 


 The creation of Content Library is straight forward, and you probably have been doing this for years, so I don’t want to bother you here with the steps.

 

Once the library is created you just need to add the images you want.

VMware is gradualy releasing supported and curated images on Marketplace, just search for VM Service and download the template and add it to the Library.

 

 

I created a Library called Tanzu-VMs and added two templates, CentOs and Ubuntu, I used a prefix to help find it easier and distinguish them from the images to Tanzu Kubernetes Cluster.


 

Now that the requirements are ready it’s time to allow developers to consume those resources. 

 

That’s when the governance comes in place, allowing the operator to adjust the guardrails on a Namespace basis, like specifying which VM Class to each Namespace to avoid the creation of bigger VMs not suitable for the environment or the use of only approved OS images.

 

Select the desired Namespace, you will see a new widget, VM Service;

 

Click on Manage VM Classes to select what classes you want developers to have access to.

 

Now click on Add Content Library, and select the Library with the Tanzu images you want developers to have access to.

 

 

At this point developers are ready to create Virtual Machines as part of their deployments, stay tuned next post I’ll show you how developers can consume this new service.

 

See you soon.

Who am I

My photo
I’m an IT specialist with over 15 years of experience, working from IT infrastructure to management products, troubleshooting and project management skills from medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers to embrace the Cloud Era and make them successfully on their journey. Despite the fact I'm a VMware employee these postings reflect my own opinion and do not represents VMware's position, strategies or opinions. Reach me at @dumeirell

Most Viewed Posts

Blog Archive