These steps will install Matriux into a Hyper-V vm (2008 or 2008 R2) and integrate the network and storage adapters.

Create a Hyper-V vm with the legacy network adapter and a 10 GB vhd.
Download Matriux and install onto the local vhd. 

Configure apt-get to download the Lucid (2.6.32-7) kernel.

 

sudo bash

nano /etc/apt/sources.list

 

# added by -JWG- for Hyper-V integration

# The Lucid repository contains the 2.6.32-7 kernel

deb http://archive.ubuntu.com/ubuntu/ lucid main

 

apt-get update

 

Install the kernel and then comment out the repositories.

 

apt-cache search linux-image-2.6.32

apt-get install linux-image-2.6.32-7-generic linux-headers-2.6.32-7-generic build-essential

 

nano /etc/apt/sources.list

Comment out the #deb line

 

Validate the kernel after rebooting to ensure we are on 2.6.32-7.

 

uname -r

 

Enable the GPL integration components.

 

uname -r

sudo bash

cd /lib/modules/2.6.32-7-generic/kernel/drivers/staging/hv

insmod hv_vmbus.ko

insmod hv_blkvsc.ko

insmod hv_netvsc.ko

insmod hv_storvsc.ko

 

Add the modules to the startup file.

 

nano /etc/initramfs-tools/modules

 

# added by -JWG- for Hyper-V integration

hv_vmbus

hv_blkvscb

hv_netvsc

hv_storvsc

 

update-initramfs -u

reboot

 

 

Confirm that the modules are loaded. You will have full network and disk integration. The mouse integration (Inputvsc) is currently provided by Citrix Project Satori and has not yet been patched to 2.6.32-7.

 

lsmod | grep vsc

 

These steps will install Matriux into a Hyper-V vm (2008 or 2008 R2) and integrate the mouse, network adapter, and storage adapter.

Create a Hyper-V vm with the legacy network adapter and a 10 GB vhd.
Download Matriux and install onto the local vhd. 
Download the Linux Integration components for Windows Server 2008 R2 (LinuxIC v2.iso).
Download the Citrix Project Satori mouse driver (Inputvsc.iso)

Configure apt-get to download the previous version of the kernel, which includes first flushing and renewing the encryption keyring.

 

sudo bash

 

apt-key list

apt-key del 437D05B5

apt-key del FBB75451

 

apt-key list should now return an empty list.

 

Install the keyring

apt-get install debian-archive-keyring

 

Load the key for the ftp.us.debian.org and security.debian.org.

 

cd /home/tiger/.gnupg/

mv gpg.conf gpg.con~

 

gpg --keyserver wwwkeys.eu.pgp.net --recv 9AA38DCD55BE302B

gpg --list-keys 9AA38DCD55BE302B

gpg --export 9AA38DCD55BE302B > 9AA38DCD55BE302B.gpg

apt-key add ./9AA38DCD55BE302B.gpg

apt-key list

 

Add the repositories to the end of the sources list, and update the apt list.

 

nano /etc/apt/sources.list

 

# Repository for older kernel versions

# added by -JWG- for Hyper-V integration

deb http://ftp.us.debian.org/debian etch main

deb http://security.debian.org/debian-security etch/updates main

 

cd /usr/src/

apt-get update

 

Install the kernel and then comment out the repositories.

 

apt-cache search linux-image-2.6.18

apt-get install linux-image-2.6.18-6-amd64 linux-headers-2.6.18-6-amd64 build-essential

 

nano /etc/apt/sources.list

Comment out the two #deb lines.

 

Modify the menu.lst file so it defaults to the 2.6.18-6 and reboot.

 

nano /boot/grub/menu.lst

default 2

reboot

 

Validate the kernel after rebooting to ensure we are on 2.6.18-6.

 

uname -r

Insert the LinuxIC v2.iso disk, copy locally, and install the drivers.

 

sudo bash

 

mkdir /opt/linux_ic

cd /opt/linux_ic

cp -R /media/CDROM/* /opt/linux_ic/

./setup.pl drivers

cat drvinstalls.err

 

The only error should be "make: udevcontrol: command not found" and "make: *** [install] Error 127". These simply indicate that we will need to manually add the services to the init modules file.

 

Insert the Inputsvc.iso disk.

 

mkdir /opt/inputvsc

cd /opt/inputvsc

cp -R /media/CDROM/* /opt/inputvsc/

./setup.pl drivers

cat drvinstall.err

 

Again, the only errors should be related to the modules. Edit that file now.

 

nano /etc/initramfs-tools/modules

 

# added by -JWG- for Hyper-V integration

netvsc

blkvsc

storvsc

inputvsc

 

update-initramfs -u

reboot

 

Confirm that the modules are loaded. Then it is play time.

 

lsmod | grep vsc

Matriux is a vulnerability assessment / penetration testing Linux distribution. The team's beta release was the beginning of this month, and I have been playing around with the distro for the past couple weeks. What can I say? I am a sucker for Latin motto's ("Aut viam inveniam aut faciam" or "I shall find a way or make one") and for cleanly laid out VA/PT toolsets.

The bonus, for those running Hyper-V, is that Matriux is a Kubuntu based and comes with the Jaunty kernel (2.6.28-13-generic). Setting up a Hyper-V security appliance is as simple as creating a vm, using the legacy network adapter, skipping the hard drive, and booting off the downloadable ISO. Matriux works right out of the box within Hyper-V.

You can compare this to the Slax VA/PT distros, which do not support the network adapter. Often times, these distros do not even support the mouse. Using the Matriux Live CD in Hyper-V is a breeze. For an environment to support a demo or an occassional vulnerability assessment, you cannot ask for more.

If you are doing regular assessments, there are a couple limitations with Hyper-V. The legacy network adapter performs at 100 Mbps (significantly slower than the 10 Gbps speed of the standard network adapter.) The Live ISO is read-only, too. The mouse integration is present, but it is not the seamless integration one is used with Windows vms. Oh, and the mouse integration does not work when connected to Hyper-V over RDP. To get full functionality, you will need to install Matriux into a vhd and install the Hyper-V integration components.

The Jaunty kernel does not support integration. You have two options: (1) downgrade Matriux's kernel to 2.6.18 and install Hyper-V's integration components; or (2) upgrade Matriux to the Lucid kernel (2.6.32-7) and enable the Hyper-V GPL code. Option (2) provides faster performance and is in-line with the Matriux planned Beta 2, but it does not support the full mouse integration.

Detailed steps for both options are in the links above. For those who want to skip to the chase and simply try out Matriux under Hyper-V, I have done the steps for you. You can download the security appliance from SimWitty's website. Enjoy!

Matriux beta (0.9.4) with 2.6.18-6 kernel
Matriux beta (0.9.4) with 2-6-32-7 kernel

Thank you to the Matriux team for a smooth, well done security distribution beta. Thanks goes, too, to Tom Houghtby for providing the Linux knowledge and guidance that made the integration possible.

jwg

There are several laws of information security. Ask ten InfoSec pros and you will likely get ten different lists of laws, but I wager every one of them will agree on a couple fundamentals. If an attacker can gain physical access to the computer, or if an attacker can modify the operating system, then the attacker can compromise the computer. The reason is physical access allows an attacker to bypass the OS and directly access the data, and bypass the security controls.

 

Now, switch gears and picture a virtual environment. The physical analog is the hypervisor. If an attacker can gain access to the hypervisor, he has the same abilities as if he had access to the physical computer. If an attacker can exploit the Windows or Linux server hosting Hyper-V or XenServer, then the attacker can compromise all virtual computers on the host.

 

It is a subtle shift in the way of thinking. In the past, only one server ran on one piece of hardware, and the security boundary was the server itself. Thus you would place a physical web server in the DMZ and physically wire it to the firewalls. Computers with different security postures (e.g., domain controllers) would be on separate physical hardware and wired into separate physical networks.

 

Thus the hypervisor should host servers that have relatively the same security posture. One should not, for instance, host domain controllers and public-facing web servers on the same hypervisor. Even if the public-facing web server is on a separate virtual network, you still run the risk of its compromise affecting the domain controllers.

 

The security boundary is the physical hardware, not the computer itself.

Hyper-V Core, or the Hyper-V role running on a Server Core installation of Windows Server 2008, provides only a command line interface. This makes installing management apps a bit tricky.

 

Take CA ARCserve Backup agent, for example. You cannot simply logon and run the installer. Rather, you need to use the management console that comes with ARCserve (r12.5). Use the management console to push out the agent to the Server Core.

 

The normal caveats apply to push installations. Both the management console and the Server Core computers should be on the same network. Both computers should be in the same Windows domain (or have a domain trust relationship setup.) Ensure the Windows firewall on the Hyper-V Core is accepting inbound file (CIFS) and procedure (RPC) requests. Once those are accomplished, pushing the agent is straightforward.

 

Similar procedures apply to Diskeeper and anti-virus software.

One project in my portfolio at the moment is building what I call a disposable end-point model. It is a low priority project, but an ongoing one. The goal is to deliver the best user experience at the lowest price-point.

Portability is a must. Think about the concerns over swine flu and the like. What is your pandemic plan? My pandemic plan, at least from a technology standpoint, is straightforward. People work from home over the vpn and run apps from Citrix. So the end-point devices must be portable and dual-use.

Yet traditional notebooks are expensive. My firm, like most, has an inventory of aging notebooks. These older computers are costly to maintain (studies show ~$1K per device per 2 years) and replace if lost or stolen (studies show ~$50K per incident).

The sweet spot are computers that are cheaper than supporting aging devices and disposable if lost or stolen. No local data means no security incident, which erases the risk exposure of stolen devices. These inexpensive computers should be light-weight and easily ported from office to home. So I am looking at netbooks, which run around $500.

I spoke with Jeff Vance, Datamation, about these ideas. He recently wrote an excellent article that summarizes the netbook market and how data center managers are looking to use the devices: Will Desktop Virtualization and the Rise of Netbooks Kill the PC?

How My Firm Reduced Costs and Delivers Agile IT Infrastructure through Virtualization

Virtualization has become an important part of many organizations’ IT strategy for 2009 and beyond.

The availability of both data and IT systems are at risk not only from natural disasters but also power outages, human error and hardware failures. To ensure that your company can quickly recover systems and data in the event of such an incident, it needs a reliable and cost-effective disaster recovery plan. The use of virtualization and data protection technology combined helps you control costs as your company grows, which is essential in any economic climate.

My firm has deployed CA ARCserve Backup and Microsoft Hyper-V server 2008 to create a simple and scalable disaster recovery environment. The combined solution is responsible for backing up around 36 terabytes of data every week.

Join this webcast to find out how CA ARCserve Backup, combined with Microsoft Hyper-V 2008, can work in tandem to protect many terabytes of data, and deliver an agile, cost-effective IT infrastructure.

In this webcast, you’ll also hear:

• How to utilize CA ARCserve Backup to restore single files 
• How CA ARCserve can backup your physical environment and also restore virtual instance 
• Microsoft’s Virtualization Strategy 
• The role Microsoft’s Hyper-V plays today and what you can expect in the upcoming release of Windows Server 2008 R2 
• How in the event of a disaster, my firm is able to recover 86 physical servers to 12 standby servers in just two hours 
• How my firm has been able to minimize not only downtime but also its spend on disaster recovery utilizing this combined solution 

Eric G. Pitcher
Eric Pitcher is vice president of technology strategy at CA, responsible for setting and communicating CA’s Recovery Management plans across the business unit, throughout CA and to partners and customers. Previously, Eric served as vice president of product management at CA, responsible for defining the process, requirements and product specifications for CA’s Recovery Management product lines. Prior to that, Eric worked as assistant vice president of CA’s research and development global SWAT team—a specialized task force designed to maximize the quality, customer satisfaction, and market competitiveness of CA’s storage management solutions.

Before joining CA, Eric was network and systems administrator at Universal Studios Florida and was responsible for server and network design, installation, administration and support on a network of more than 1,000 users. Eric earned a bachelor of science degree in business administration from the University of Central Florida.

Wolfgang Goerlich
J Wolfgang Goerlich, CISSP, CISA, is an information security professional who focuses on performance and availability. Mr. Goerlich is currently ... the network operations and security manager. With ten years of experience, Mr. Goerlich has a solid understanding of both the IT infrastructure and the business it enables.

Isaac Roybal
Isaac Roybal is a Product Manager in Windows Server managing the Server Virtualization, including Microsoft’s Hyper-V, and has been involved with IT for over twelve years. Seven of those years have been with Microsoft. Isaac’s career started in Systems and Network Engineering working with VMS, Windows Server since NT 3.51 and IIS 4 in various capacities.

As I mentioned before, I have played around a bit with Hyper-V and virtualized my production and recovery systems. CA did a case study on the project.  This coming Monday, April 20 at 12:00 pm Eastern, I am doing a joint webcast with CA and Microsoft. The topic is still virtualization with the focus on disaster recovery. I doubt I will say anything new during the talk, excepting the talk will be much briefer than some others I have given on DR. CA’s going to talk a bit about their CDP, however, which is pretty cool stuff.

http://www.windowsitpro.com/go/seminars/CA/infrastructure_through_virtualization

http://www.networkworld.com/news/2008/120508-virtual-server.html?netht=rn_120508&nladname=120508

Good article. I go back to the ending sentence: “but assuming you control sprawl, virtualization is typically worth it from an ROI perspective."

Sprawl is much the same, whether physical or virtual. We have finite resources and definite deadlines. The bottom line is that we need effective capacity planning, configuration management, and change management. The better capacity meets requirements, the closer our foot print will reflect business demand. The faster we can affect change, thru configuration and change management, the better we can meet changing demands.

Personally, I am more focused on improving our capacity and flexibility. Sprawl I can manage.

J Wolfgang Goerlich

VDI is great in theory but doesn't price out right. Say we convert 25 desktops to VDI. That means we need 25 processors and 100 GB of memory (assuming each desktop has 4 GB). That figures out to be six servers, quadcore, with 18 GB of memory (assuming 1 GB for the OS). The servers would cost around $7K, so figure $42K plus licensing. Say $54K. That means I end up spending $2,160 per desktop (excluding the thin client) to have hardware that I could by at Dell for $1K.

But wait, I think, there are storage savings. Figure 100 GB per machine. A desktop hard drive runs about $50, or $2/GB. A server hard drive on the San runs $1,500 or $15/GB. The best case scenario would have  the provisioning gold-copy/stub model sharing one image across 25 machines. Desktop cost: $1,000. VDI cost: $1,500. Nope, storage is more expensive even assuming a best case.

The bottom line is I want to take a long, hard look at Citrix's ROI calculator. It does not make sense in terms of hardware. TCO is where the case will be made. Knowing our desktop demands would help us to know if we need 6 servers or could get away with fewer. I can enable perf counters and do a study on the desktops to determine typical utilization. It could be done with WMI, scripting, and a little elbow grease.