Wednesday, 12 May 2010

A straightforward DR configuration

In a virtualised environment DR is always top of the agenda.

One of the pre-sales team put together this simplified network infrastructure overview of a DR config' that he recently installed at one of our customers.
The diagram shows the logical networks in both office and the DR site. IP addressing provided for illustrative purposes and simplicity of understanding only. In practice certain aspects of IP addressing will have to be changed to fit in with the clients pre-existing international office to office VPN.

Failover modes with this config'

In the event of Internet connection failure in the office, the default route for traffic will be via the DR site. Should two shared storage drives fail in one storage device, there is no interruption to service (Raid6). Should one physical Xen server node fail in the office, the other office node can continue running workloads. Should both virtualisation platforms fail or their storage then DR VMs can be accessed at the DR site.

If the entire office fails (both links down because of complete power outage, building on fire or whatever) DR is accessed over the Internet via VPN. Normally, the public Internet Router (or its firewall) provide the default route.

Should the Internet connection fail, the default route is the LAN extension service router. This fail-over routing can be achieved manually or automatically via technologies like HSRP/VRRP.

Hope you find this useful and I'm sure we'll post other snippets and suggestions in future.

Saturday, 1 May 2010

Citrix XenServer & VMware ESX Common Criteria Certification

As some of you already know, Citrix have sponsored XenServer, XenDesktop, XenApp, and Netscaler into the Common Criteria program for Information Technology Security Evaluation (CC). We have had several questions about the announcement and what it means for both VMware and XenServer in particular. Since 1 or 2 of us at VMCo were there way-back when Common Criteria & ITSEC first started seeing mainstream IT products submitted for evaluation, we thought we would take this chance to answer some of your questions in this posting.

What is Common Criteria (CC)?
CC is an attempt to reduce duplication of effort of the IT security evaluation functions of several governments (6 in all). CC is an international standard that describes how product vendors may make claims about their security software or hardware, and have independent laboratories investigate these claims and certify the product has been designed and built in a way that meets the vendors claims and can be relied upon to function as described.

What is EAL?
Within CC, products are examined to an Evaluation Assurance Level (EAL). EALs are numbered currently from 1 to 7, with 7 being the most detailed, most stringent level of scrutiny that a product is put under. VMware ESX and ESXi 3.5 were certified to EAL4+ in February 2010. Citrix have submitted their products for the EAL2 process this month.

So An EAL4 Product Is More Secure Than An EAL2 Product?
No. This is probably the most common misconception about CC. A higher EAL number means only that the product passed a deeper level of scrutiny of the vendor's claims. For example, I might have a simple weak encryption application that passes EAL7, because it was found to meet my claims without fault, and its design and execution was found to be exemplary even when "put under the microscope" of EAL7. A much stronger encryption application, that would protect my data better using a strong algorithm, might only be submitted for EAL2, because I want to get some kind of basic certification quickly so I can sell to my government customers. There are also a number of misconceptions around how vendor claims are tested. In our experience, code review is only done at EAL 6 or 7 for example.

What Claims Might A Vendor Make?
The scheme allows for vendors to tailor their claims based upon their product and the way it is to be used. This means that a Firewall is not subject to the same investigation as an Email system or a Desktop OS. A vendor with a Firewall might claim that in order to administer the device you must pass 2-factor authentication, and can only do so over a strongly encrypted connection, and that there are no other possible way of gaining admin access. Such a claim would be investigated to the required depth as part of the CC certification. Another example of a popular claim might be "the admins can't automatically read everyones Email". CC tests these claims are true to a certain depth. Documentation is a vital part of passing an evaluation.

Does It Matter What Version Gets Certified?
Yes. It matters very much. Just because version 1 of a product received certification, it doesn't mean that v2 or even v1.0.1 is certified. The product must be resubmitted into the evaluation process for it to be re-assessed. This is because CC evaluates vendors claims for a given version and even a given configuration of the product. It is normal for a product to be obsolete by the time it passes certification. You could argue this is made worse by the pace of change in commercial software, with many companies pushed to make 1 major release per year and 2 functionality patches, alongside the 4 critical security related hotfixes, all of which take a product outside its certified condition.

How Long Does It Take?
For product of similar size/complexity, the higher the level of assurance the longer the evaluation takes. Expect to see an XenServer (we presume v5.0 or v5.5) certified within the next 6 months. A CC certification can be an expensive business, in our experience of the process (mainly CheckPoint-FW1 and Harris CyberGuard) the cost is £200K-£400K.

Who Cares If A Product Is Certified?
Mostly it is government buyers or those who have to work closely with government agencies, exchanging information with them, or connecting directly to them. Often such customers are restricted to choosing products from the catalogue of evaluated solutions. However, depending on the sensitivity of the information being handled by the IT, an EAL certified may not even be required.

Where Can I Find Out More?
As ever, Wikipedia is a good start.
Check the Portal for certified products.