Bleeding Heart for the Heartbleed

Thankfully, the supported VNS3 versions 2.7, 3.0, 3.01, 3.03, and 3.04 were not affected by the OpenSSL TLS heartbeat read overrun (CVE-2014-0160), better known now as "Heartbleed."

I feel for all the providers whose products are/were compromised.

I feel for all the users who may have been negatively impacted.

I feel for the OpenSSL Software Foundation (OSF) team members who have contributed to the project.

I feel for all those who will now walk the long road ahead of rebuilding trust, rebuilding systems, and quantifying the potential damage caused by the OpenSSL Heartbleed.

The heartbeat bug and the disclosure timeline will prove to be quite a disruptive event in the consumer technology and enterprise IT markets.  More on that in a minute...

How did we escape this potential blood bath?

We, like most of the sane world, take advantage of open source software in our internal systems as well as in our product offering, VNS3, the cloud network appliance.  CohesiveFT extensively tests and vets all aspects of the VNS3 system before making a new version generally available.  Additionally we, like most responsible ISVs/service providers, take advantage of the downstream Linux distributions' practice of backporting only the fix for a security vulnerability into the version of a library like OpenSSL that they originally shipped.  The result is a feature freeze on what we spent time and energy testing while still benefiting from the ongoing security patches coming out of the open source project.  One side effect worth knowing: because the fix is backported rather than the package being moved to a new upstream release, the output of openssl version on such a host keeps printing the old upstream string (Ubuntu 12.04 reports 1.0.1 before and after the fix), so the distribution's package version and build date, not the upstream version, tell you whether a host is patched.
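VNS3 itself was not affected, but the check below is the one every operator of a backported distro wanted that week, and it follows from the point above: the upstream version string alone cannot tell you whether the fix is in. This is an added example, not CohesiveFT or VNS3 code. It assumes a Debian/Ubuntu host with dpkg, and it takes the first fixed package version from your distribution's own advisory as an input rather than hardcoding one. The affected upstream range (1.0.1 through 1.0.1f and 1.0.2-beta1) is from the OpenSSL advisory for CVE-2014-0160.

```python
"""Heartbleed exposure triage for a Debian/Ubuntu host.

Added example for this post; it is not VNS3 or CohesiveFT code. It assumes a
dpkg-based host and that the caller supplies the first fixed version of the
libssl package from their distribution's own advisory (that value is an input
here, not something the script knows).

Why three checks: after a distro backport, `openssl version` still prints the
old upstream string (Ubuntu 12.04 prints "OpenSSL 1.0.1 14 Mar 2012" before and
after the fix), so the string only tells you whether a host is in the affected
range, the package version tells you whether the fix is installed, and
/proc/<pid>/maps tells you which daemons are still running the old library.
"""
import glob
import os
import re
import subprocess

# Affected upstream releases per the OpenSSL advisory for CVE-2014-0160:
# 1.0.1 through 1.0.1f inclusive and 1.0.2-beta1. 0.9.8 and 1.0.0 never
# contained the heartbeat extension code.
_AFFECTED = re.compile(r"^(1\.0\.1[a-f]?|1\.0\.2-beta1)$")


def classify_upstream(version_output):
    """Classify the text of `openssl version`, e.g. 'OpenSSL 1.0.1e 11 Feb 2013'.

    Returns 'affected-range' or 'outside-affected-range'. 'affected-range'
    means possibly vulnerable: a backported fix does not change this string,
    so it is never sufficient on its own to call a host unpatched.
    """
    parts = version_output.split()
    if len(parts) < 2 or parts[0] != "OpenSSL":
        raise ValueError("not an `openssl version` string: %r" % version_output)
    return "affected-range" if _AFFECTED.match(parts[1]) else "outside-affected-range"


def package_is_fixed(installed, first_fixed):
    """Compare two Debian package versions with dpkg's own ordering rules.

    `first_fixed` comes from the distro advisory for your release (input).
    Returns True when the installed version is at or past the fixed one.
    """
    return subprocess.call(["dpkg", "--compare-versions", installed, "ge", first_fixed]) == 0


def pids_with_deleted_libssl(maps_by_pid):
    """Pure check over {pid: lines of /proc/<pid>/maps}.

    A mapping that names a libssl file marked '(deleted)' means the process
    loaded the library before the package was replaced on disk and is still
    executing the old code. Upgrading the package does not fix such a process;
    restarting it does.
    """
    return sorted(pid for pid, lines in maps_by_pid.items()
                  if any("libssl" in line and "(deleted)" in line for line in lines))


def stale_libssl_pids():
    """Read every readable /proc/<pid>/maps (all of them only as root)."""
    maps = {}
    for path in glob.glob("/proc/[0-9]*/maps"):
        pid = int(os.path.basename(os.path.dirname(path)))
        try:
            with open(path) as f:
                maps[pid] = f.read().splitlines()
        except OSError:
            continue  # process exited, or not ours to read
    return pids_with_deleted_libssl(maps)


def triage(first_fixed, package="libssl1.0.0"):
    """Run all three checks on this host and return a summary dict."""
    version = subprocess.check_output(["openssl", "version"]).decode().strip()
    built = subprocess.check_output(["openssl", "version", "-b"]).decode().strip()
    installed = subprocess.check_output(
        ["dpkg-query", "-W", "-f", "${Version}", package]).decode().strip()
    return {
        "openssl_version": version,
        "upstream": classify_upstream(version),
        "built": built,
        "package": "%s %s" % (package, installed),
        "package_fixed": package_is_fixed(installed, first_fixed),
        "restart_pids": stale_libssl_pids(),
    }


if __name__ == "__main__":
    import json
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: heartbleed_triage.py <first-fixed-libssl1.0.0-version>")
    print(json.dumps(triage(sys.argv[1]), indent=2))
```

Run it as root with the fixed version from your distro's advisory as the only argument; a host is clean only when package_fixed is true and restart_pids is empty. The third check is the one people forgot: the package upgrade swaps the file on disk, but every long-running TLS daemon keeps the old mapping until it is restarted.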

I <3 Open Source and OpenSSL

Many are quick to blame open source or the guys (and possibly girls) behind the OpenSSL Software Foundation (OSF); this is wrong.  If you're one of those people, stop reading this blog, take a deep breath, and go pound sand.

Open source powers the world; it's a fact and we move on.  Moreover, open source projects are great places for security libraries to live.  The openness means vulnerabilities are more easily and quickly patched, and the transparency of the code means the project's provenance is auditable.  If you're worried about big brother peeking into your secure systems, anything proprietary is likely already cracked, and in many cases with the compensated help of the provider/vendor.

I don't defend all the choices of the guys at OSF; there are definitely some issues with their commercial plan (they're no Red Hat).  But they fight the good fight and have provided a serious amount of value over the life of the project across all geographies.  Regardless of the fallout from this bug, we'll still be net positive as a result of their efforts as a whole.

It's ECON 3545-001 Environmental Economics at CU-Boulder all over again (yes, I'm a Buffalo).  The market has failed to assign appropriate value to the OpenSSL project.  There are some ridiculous estimates of OpenSSL market share (see Apache and nginx), yet it's "4 guys and a dog" struggling to keep up with the code base and some commercial projects.  Unfortunately the weeks immediately following a major security hole disclosure aren't the best time to ask for $.  Maybe I'll follow up with a post in a couple months to solicit corporate contributions to OSF.  (I am an OpenSSL contributor.)

NFV can be Lifesaving Nitro*

What will be the nitroglycerin for old man Internet's recent heart attack?  The Heartbleed bug is real, the fallout is and will be real, the NSA is real and has been listening.  Now what?

It's time to apply what we've learned.  Had VNS3 been affected by the bug, we could have built and delivered a new image (for all our supported public cloud and virtual environments) in a matter of hours.  Our customers would have simply swapped in the new image, with total potential downtime limited to minutes, if any.  Wait, what?  Yeah, instance-based NFV is the future for a number of reasons, but let's focus on the fact that it is software, not hardware, given the topic of conversation... bugs.  One caveat that applies to any fix for this particular bug: swapping the image replaces the vulnerable code, but a key or credential that a Heartbleed read may already have pulled out of the old instance's memory is still exposed, so the image swap has to be followed by rotating those secrets.

Do some hardware providers really burn OpenSSL into their chips?  Maybe, but I hope not.  Bruce Schneier, a cybersecurity researcher and cryptographer who was recently quoted in the Wall Street Journal, seemed to think so when he said, "the upgrade path is going to involve a trash can, a credit card, and a trip to Best Buy."  That's a little sensationalist, especially given that Cisco and Juniper are saying software patches will be out soon, as opposed to saying new replacement hardware devices will be shipping in early Q2.  But the fact is customers are still waiting for some patches and the all clear.

Exploring the hypothetical is fun when you're sitting around a table with some whiskey and some buddies, but it's less useful when talking enterprise IT strategy.  Typically a real world event is needed to help us look at our decisions from a different point of view - enter Heartbleed.  I argue that this type of vulnerability makes the case for running a tight, limited, high performance and isolated VMware stack in the corporate DMZ.  Just run a rack of vSphere with its own dedicated set of switches.  Run all your DMZ edge network devices as NFV appliances.  Make your DMZ a micro cloud.  If anything on the DMZ edge is compromised or vulnerable, the fact that it's an instance-based NFV appliance means it's quickly and easily replaced.  Turn on AES-NI support on the Intel chips running your DMZ micro cloud (why public clouds don't do this already is straight silliness) and you'll even have some nice savings on any encryption overhead.

The bottom line is this - as an NFV vendor, I'm incentivized to get my customers new images.  Hardware vendors are "fire and forget."  The major difference is additional unit manufacturing cost (and delivery cost).  I, as a virtual appliance vendor, have a unit and delivery cost of $0, and that means every time I have a new version, I want to get it into my customers' hands ASAP.  Latest and greatest means I'm happy because my customers are happy keeping up with my new hotness.

*Added Bonus - NFV won't kill you if you're using Viagra

Ask a Cloud Networking Expert: Why is multicast disabled in the cloud? How can you re-enable UDP multicast?

Multicast: one to many
In networking, multicast is the delivery of a message or information to a group of computers simultaneously in a single transmission from the source.

IP multicast is a technique for one-to-many communication over IP infrastructure in a network.  Multicast uses network infrastructure efficiently by requiring the source to send a packet only once, even if it needs to be delivered to a large number of receivers.

The most common transport layer protocol to use multicast addressing is User Datagram Protocol (UDP).  UDP multicast is widely deployed in enterprises, commercial stock exchanges, and multimedia content delivery networks.  Multicast is mostly used in enterprises for service discovery.

A common use case of IP multicast is in applications used to build High Performance Computing (HPC) grids.  Another common use case is call centre routing software, used to route a call to the next available agent.
So why is multicast disabled in public clouds?  
Sending one source packet to every host in the network is very "chatty."  Multicast scales to a larger receiver population by not requiring prior knowledge of who or how many receivers there are, and on a shared segment that means the switching fabric floods each multicast frame to every port unless it tracks group membership (IGMP snooping).  If you think about public cloud networks, you're usually on a shared VLAN or LAN in a multi-tenant environment.  Allowing a "chatty" protocol to span the cloud network could have a serious impact on the performance of the cloud as a whole.  For this reason, multicast is usually disabled without an option to re-enable it.

So it’s no wonder our customers and cloud partners such as AWS come to us and ask us for help with moving multicast applications to the cloud.

We solved the problem.
Our customers use VNS3 to create their own network, which is overlaid on top of the cloud native network; this gives them back control, with the added benefit of end to end encryption.  It also allows multicast traffic to pass through the VNS3 network.  Here are the details:

VNS3 re-enables multicast in cloud networks by creating its own sealed network, which is overlaid on top of the existing cloud network.  Think of it this way: you consume a server from AWS and it has an eth0 network interface card (NIC); the IP on this NIC is assigned to you by AWS from either your private VLAN pool (VPC) or from the great unwashed shared VLANs (EC2 Classic).  This IP and NIC are connected to the AWS cloud network.  It is at this point that the AWS network drops multicast leaving the NIC rather than forwarding it to other hosts, so discovery traffic never spans the LAN.

By using a VNS3 overlay network, your instance is configured with a second, virtual, tunneled interface (tun0), and this interface is logically connected to the VNS3 Manager.  In this respect, the VNS3 Manager becomes the host's switch.  This tunneled overlay interface is free from the AWS restriction because the multicast packets travel inside the encrypted tunnel: what AWS sees on eth0 is ordinary unicast between the instance and the VNS3 Manager, while the multicast itself lives inside your control, in the sealed overlay network.

Attaching other servers to the VNS3 Manager means that multicast packets can now flow from your first server through the VNS3 Manager and on to any other servers.  The same logic applies if you create a VPN connection to the VNS3 Manager via IPsec (routed statically or with BGP).
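As an added example (not VNS3's own code and not from this post), here is what an application running on an overlay-attached instance has to do so that its multicast actually goes onto tun0 rather than eth0: the kernel picks the multicast egress from the routing table, which points at eth0, unless the socket names the overlay address explicitly for both sending and joining. The interface name tun0 is from the description above; the overlay address 172.31.1.10, the group 239.1.1.1 and port 5007 are assumed values. For applications you cannot modify, the equivalent host-level fix is a route for 224.0.0.0/4 via the overlay interface, so the kernel's default egress selection lands on tun0 as well.

```python
"""UDP multicast pinned to an overlay interface.

Added example for this post, not VNS3 code. On an instance with two
interfaces (the cloud's eth0 and the overlay's tun0) the kernel picks the
multicast egress from the routing table, which points at eth0, where the
cloud drops the traffic. An application can instead name the overlay
address explicitly for both sending and joining, which is what this shows.
OVERLAY_ADDR, GROUP and PORT are assumed values for illustration.
"""
import socket
import struct

OVERLAY_ADDR = "172.31.1.10"   # assumed: this host's address on tun0
GROUP = "239.1.1.1"            # assumed: an administratively scoped group
PORT = 5007


def mreq(group, iface_addr):
    """Pack struct ip_mreq {imr_multiaddr, imr_interface} for IP_ADD_MEMBERSHIP.

    Passing the interface address instead of INADDR_ANY is what makes the
    join land on tun0 rather than on whatever interface the default route uses.
    """
    return struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(iface_addr))


def make_receiver(group, port, iface_addr, timeout=2.0):
    """Socket bound to the group port and joined to the group on iface_addr."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # several listeners per host
    s.bind(("", port))  # all local addresses; group filtering is done by the join
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq(group, iface_addr))
    s.settimeout(timeout)
    return s


def make_sender(iface_addr, ttl=1):
    """Socket whose multicast egress is forced onto iface_addr's interface.

    TTL 1 keeps the datagrams on one segment, which is enough when the VNS3
    Manager switches the overlay; raise it if a hop in your path routes.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface_addr))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
    return s


def sender_egress_ttl(sock):
    """Read back the TTL the kernel will put on this socket's multicast."""
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL)


def announce(sender, group, port, payload):
    """One discovery-style datagram to the group; returns the byte count sent."""
    return sender.sendto(payload, (group, port))


def wait_for_announcement(receiver):
    """Return (payload, sender address) or None on timeout."""
    try:
        return receiver.recvfrom(2048)
    except socket.timeout:
        return None


if __name__ == "__main__":
    # Run on two overlay-attached instances: one with "recv", the other with "send".
    import sys
    if sys.argv[1:] == ["recv"]:
        print(wait_for_announcement(make_receiver(GROUP, PORT, OVERLAY_ADDR, timeout=30)))
    else:
        announce(make_sender(OVERLAY_ADDR), GROUP, PORT, b"service-discovery hello")
```

Start the receiver on one instance and the sender on another, both with their own tun0 addresses in OVERLAY_ADDR; the sender's datagram leaves on tun0, crosses the VNS3 Manager, and arrives on the receiver's joined socket, while eth0 on both instances carries only the tunnel's unicast. If you set IP_MULTICAST_IF to an address the host does not own, the kernel refuses it (EADDRNOTAVAIL), which is a useful early signal that the overlay interface is not up yet.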

Real customer examples.
So far we have gathered a wide and varied collection of customer use cases where the customer needed to use multicast applications in the cloud.  I think the most interesting use case is HPC grid bursting; here's a quick preview:

(Preview image: HPC grid bursting use case)

Expert Profile

Name: Sam Mitchell
Title: Senior Solution Architect
Favorite Snack: Edamame
Credentials: As Senior Cloud Solutions Architect, Sam leads all technical elements of the sales cycle in the UK and internationally.  Sam runs demos, technical qualification, technical account management of proof of concepts, technical and competitive positioning, RFI/RFP responses and proposals.

Before CohesiveFT, Sam was a Cloud Solution Architect at IBM Platform Computing.  He was also a Lead Architect at SITA, where he headed up OSS/BSS architecture, design and deployment activities on SITA's cloud offerings.

Vote for VNS3 in 2 categories for the 2014 DCS Awards

Please Take a Moment to Vote for VNS3 for Security and Networking Product of the Year
CohesiveFT has been shortlisted for two Datacentre Solutions Awards: Datacentre ICT Security Product of the Year and Datacentre ICT Networking Product of the Year.
The security and networking category nominations highlight our virtual networking product's versatility - see the customer use cases that got us nominated.
VNS3 helps enterprises regain control of security in any virtualized environment, including public clouds.  Control data pathways and data encryption with the VNS3 all-in-one network device.
VNS3 differs from other SDN and NFV solutions by creating customer-controlled overlay networks on top of the underlying network backbones.  Learn more & please vote!
The CohesiveFT Team

Cloud Price Wars

The race to $0 is heating up in the IaaS space

  • March 25th - Google fires the first salvo in the pricing wars at their Google Cloud Platform Live event by reducing GCE by 32% across all sizes, regions, and classes.
  • March 26th - AWS quickly responds by reducing EC2, S3, RDS, ElastiCache, and Elastic MapReduce pricing effective April 1st.
  • March 31st - Microsoft wants to play too and after renaming Windows Azure to Microsoft Azure, they are cutting prices on compute by up to 35% and storage by up to 65%.
Bingo. Bango. Bongo...  Hey Rackspace, where you at?

And this isn't the start of the price wars either.  Things started in 2012 and continued through 2013 (see RightScale's solid cloud price analysis for 2013).  The above is just the most reactive back-and-forth we've seen yet.

Is there margin at $0?

Fiduciary responsibility will govern the cloud providers' behavior over time.  Some might operate at a loss for a period, but if their margin doesn't rebound over time, their stock prices will drop.  Those in management making the negative margin decisions will be replaced.  At least that's the idea...


So where are all these pass-through savings coming from?  What's really reducing providers' cost to provide cloud:

  • economies of scale,
  • maturity in the technology,
  • reduction in human cost to admin/monitor, and
  • energy savings (bulk buy contracts, reduced heat, and advances in data center cooling).

It's interesting to bring Moore's Law into the conversation, as Google does in their pricing announcement.  Our CEO, Patrick Kerpan, and I were recently talking about this over burritos.  At some point the total data center square footage a particular provider has built out will be able to accommodate all future demand.  This assumes, of course, that the provider continues to refresh their data center space with the latest hardware to operate their cloud offering.

I am guessing that the 4 bigs in the market (AWS, Rackspace, Microsoft, and Google) all have an estimate of when that will happen, if it hasn't already passed.  That removes a significant source of cost when providing cloud services.  Couple that with the other reductions in cost and the path to cloud absolute zero starts to take shape.

This race to zero also creates huge benefits for cloud users.  Now someone else is spending their capital to chase Moore's Law for you.  This means cloud users stop spending capital on compute and storage, which restructures what and how they spend on network hardware and bandwidth.

What does it mean for the smaller provider?

Unfortunately as the bigs continue to push the prices down on storage and compute, pressure to follow suit increases on the smaller cloud providers.  Their smaller size often prevents them from following the larger market peers lower and lower.  It's unfortunate because some of the smaller guys are doing the most interesting things in order to differentiate (industry and geographic targeting, application container virtual instances a la Docker, etc.).

So what's the little guy to do?  Try to position as premium targeted providers?  Differentiate from what could be described as the big dumb commodity clouds?  Perhaps.  I would say it's time for the smaller players to start talking about consolidation.  Dimension Data or HP is best positioned to gobble up some littles to solidify themselves as the 5th, and perhaps last, big cloud player.

What does it mean for everyone else?

Party time!... Responsible party time.  It means no one provider has the market power to drive price.  Also no one market leader has the power to regulate an ecosystem (see my AWS Bio-Dome post).  This would translate into lower costs, greater choice, and freedom from lock-in.  Yes, I just used the FUD buzzword lock-in.

That's the good - but let's not get ahead of ourselves.  Price wars do not a commodity make.  There are still massive differences in basic cloud offerings, both in fact and in market perception.
  • Storage - persistent, ephemeral, vs ss
  • Instance sizes - while no human sin is unique, each deployed application seems to need different server specs
  • Geo location - where is the big European cloud with multiple EU regions?
  • API - lets not get into a religious debate here
  • Network - to VLAN or not to VLAN
  • Network - what controls are offered to the user
  • Network - hybrid cloud connectivity options
  • Network - encryption and isolation choices
  • Network - ok I work at a network company...

The point is this is all a good thing.  The other large players in the IaaS market seem ready to finally challenge AWS in real time.  While it's not pure competition, it's a start.  The cloud market is finally catching up to the marketing.

Who you calling a floozy?

In defense of our Floozy Cloud Networking Device - an open letter to cloud gossip news sites

Lately our VNS3 product has been in the spotlight. Here it is, straight from the cloud gossip tabloids:

Perez Cloud recently reported that the VNS3 software "gets around."

It's true. 

VNS3 likes the cloud scene.  It has a number of qualities that make it confident and successful.  It has fans and users around the world.

VNS3 does not deny it has been with Amazon AWS (in both VPC and EC2!), Google GCE, IBM SCE (rest in peace) and Softlayer, GoGrid, Rackspace, CloudSigma, VMware vClouds, Flexiant back in the day when they called it Flexiscale, and even some private cloud action.

Lately VNS3 has been spending a lot of time with Docker. CTO Chris Swan is openly talking about the union and the pair have been working well together.

So is it slutty software?

I won't get into oppositional discourse here, but I'd like to make some points in defense of the older, independent, and quite fit VNS3.

  • VNS3 has been around. Starting in 2009, users first got a look at the virtual network appliance. Early admirers saw some of VNS3 in AWS, Flexiant, GoGrid and CloudSigma.
  • But, being around so long has led to some "maintenance" work lately. The 3.5 version release shows there is still room for growth, with a recent conscious coupling with Docker technology.
  • It's been lean and in good shape all along. It only wears Ubuntu 12.04 and OpenVPN, but always keeps options on hand to do more with Nginx, HAProxy, Snort, or Varnish.
  • It gets along well and is rather social, what can we say? VNS3 has always been known as a good interoperability partner. All VNS3 really wants to do is bring applications together, regardless of location or cloud provider.
  • VNS3 is on the hunt. While already friendly with the likes of HP Cloud, Google GCE, and Abiquo, VNS3 is still looking for new and exciting places to go. Old standbys include AWS, GoGrid, Rackspace, CloudSigma, VMware vClouds, and Flexiant.
  • But, it makes sure to be safe. VNS3 is always a big proponent of safe data transport, and makes sure to provide both IPsec secure connectivity to clouds, and end-to-end encryption within clouds. Double the security always makes for a more comfortable cloud encounter. 

How is VNS3 taking this recent media attention? 
VNS3, that silver fox, is back in action after getting “some work done” recently. She’s always been popular with the users, and now is making her rounds with cloud providers with her new look.

Looking for some cloud guidance? Let the experienced VNS3 guide you to your first cloud encounter. With this level of expertise, VNS3 can help your applications navigate those first, nerve-wracking forays into public cloud. Pretty soon, your applications can be noticing new end points in no time. Get in touch with VNS3 today.

PS - Happy April Fool's Day!