My Thoughts On IT…

Brian Lewis's Thoughts on all things Information Technology related

The article today in our “VMware or Microsoft?” series is about the Guest Operating System support differences between VMware and Microsoft.

I am a technologist, who happens to work for Microsoft (a leading provider of software, services, and now devices). With that disclaimer out of the way, let me state for the record, I try to make fair apples to apples comparisons of the technology I evaluate. As a matter of fact, I think VMware ESX is a great product. I also think Hyper-v is a great product.

It irks me when any company, including Microsoft, puts out ridiculous marketing about a product. I know that companies are going to put their best spin on things but sometimes marketing goes too far. One of the reasons my group chose to do this blog series on VMware or Microsoft is because of this type of marketing. Here is a perfect example in this PDF that compares vSphere 5 vs. Hyper-V 3 (Beta). Wow, from that marketing it is obvious Hyper-v really sucks! What a misleading piece of “propaganda”. They could have made two more things green so it wasn’t so obvious.

I am not going to address the whole document today, I will just focus in on one of the statements. In my last series article, When it comes to hypervisors does size really matter?, I addressed the claim that ESXi has a smaller attack surface (and is therefore more secure and easier to patch). In this article I will take a look at the guest Operating System support claim that VMware Supports the Largest Number of Guest Operating Systems. This seems like a pretty straightforward fact but the details are a bit more muddy.

What is support? That all depends on how you define “is”

Support at Microsoft:
At Microsoft, when something is supported it means more than just we will take your phone call. Most supported scenarios need to be tested by the product group before the product is even allowed to ship. For unsupported scenarios we still do what we call “best effort support”, which means we will take your call and try to help you get it working even though it isn’t a fully supported scenario. Heck, for a customer with a support agreement where you are paying by the minute, we will put in as much time as you want us to. For Hyper-v Guest OSs, support means that we have tested the OS and there are para-virtualization drivers for the OS. A lot of operating systems, including DOS, will run just fine in Hyper-v but are still considered unsupported.

Support at VMware:
At VMware, supported OSs go into one of six categories. I pulled this from the VMware knowledge base article that you can view here.

Tech Preview

Operating system releases that have a Tech Preview level of support are planned for future support by VMware but are not certified for use as a guest operating system for one or more of these reasons:

  • The operating system vendor has not announced the general availability of the operating system release.
  • Not all blocking issues have been resolved by the operating system vendor.
  • One or more required enabling changes are not available in the form of a VMware product update or patch release.
  • Compatibility testing of a new OS update release is not complete.

Supported

Operating systems with this support level are fully supported by VMware. This includes technical support and engineering fixes.

Legacy

The Legacy support level is between Supported and Deprecated. These guest operating systems are typically no longer supported by the original vendor. As a result, VMware’s ability to support this guest operating system is reduced.

VMware does not implement support for most newer VMware features and functions on operating system releases that are classified under this support level.

Deprecated

Prior to terminating support for operating system releases, VMware announces that the support for selected operating system releases has been deprecated in the product release notes and the VMware Compatibility Guide shows the support level for these releases as Deprecated.

A Deprecated operating system release is still supported by VMware and still receives technical support and engineering fixes (similar to Legacy) until it moves to the Terminated support level.

Terminated

VMware does not provide support for operating system releases with terminated support.

Operating system releases with terminated support do not appear in the search results in the

Unsupported

VMware does not provide support for operating system releases with Unsupported support level. This includes technical support and engineering fixes.

To find out if a guest OS is supported you can use this tool here: VMware Compatibility Guide. I used this tool to look up MSDOS 6.22 which was listed as supported by VMware and not by Microsoft. MSDOS 6.22 is listed in the Deprecated category and not the Supported category. So does that count as supported? I looked up other OSs with the tool and noticed that even OSs in the Supported category often have different things listed as unsupported. Many don’t support paravirtualization and hot add of memory or CPU. Under the fully supported category you have various levels of support. It may not even have VMware tools to install, so is it really supported better than “best effort support”? I guess it is better than best effort support but I don’t know if it is fully supported. Have all the supported OSs been tested before this version of ESXi shipped? I don’t know. Anyone, anyone, Bueller? It would be an impressive test matrix if they did. It would also be hard to ship a product if they required it to ship.

Conclusion:

VMware’s comparison is not an apples to apples comparison. I feel their premise is true – VMware does have more supported OSs for ESXi than Microsoft does for Hyper-v; however, it is not the list that their marketing group put out. Also, just because an OS is in their supported column doesn’t mean that it is a first class citizen in their Hypervisor. Make sure to look up the OS that you want to use to see what things may or may not work.

The whole idea of choosing your virtualization platform based on how many OSs the vendor claims to support is pretty “silly”. The best way to pick your virtualization platform is to choose what works best for you and your workloads. For example, if you want to run Solaris 11 as a virtual machine in production then ESXi is the right choice because it is supported on ESXi and is not in Hyper-v. If you want to virtualize your Windows Small Business Server then Hyper-v is the way to go.

If you want to run the versions of SUSE, CentOS, Red Hat, Ubuntu, Oracle Linux, or Windows that are supported on both, then take a look at both Hyper-v and ESXi. Do a real comparison and see how well your actual workload performs in Hyper-v vs ESXi. Lab it up and let us know your experience in the comments! The price of Hyper-v sure is right. Hyper-v is included in Windows Server and we have a fully functional version called Hyper-v Server which is completely free.

If you want to try our Free Hyper-v Server 2012 – download it here: http://www.microsoft.com/click/services/Redirect2.ashx?CR_CC=200256658

You can also get the Hyper-v Server 2012R2 preview here:
http://www.microsoft.com/click/services/Redirect2.ashx?CR_CC=200256659

Brian

OMG: Ooma is awesome!

OMG… Ooma is awesome! I just ported my home phone to Ooma three weeks ago and I am extremely happy with it!

History of the Lewis home phone:

Four years ago I switched from a traditional phone company land line to my cable company’s internet phone offering. I was able to lower my bill from over $80 a month to about $30 a month. I was able to port my phone number over and didn’t notice any difference in phone service.

I was very happy with the reduction in price from my traditional phone company for the past four years but, now that my kids all have cell phones, I was wondering if I should pay for a home line at all. I do like having a home phone so I decided to look at my options. I looked at Vonage and Ooma. I ultimately decided on Ooma because it was cheaper. It is almost free.

Ooma – The Costs:

It is not free but it’s close. I purchased the Ooma device from amazon for $119. Then I paid an optional $40 porting fee to have my number transferred to Ooma. Lastly I do have to pay a monthly fee to cover the cost of taxes and fees in Wisconsin. That amounts to about $3.50 a month for me.

So now I have a home phone for $3.50 a month and it works great! Ooma does offer advanced features that cost about $10 a month. The advance / Premier features are very cool but I don’t really need them so for now I am skipping them. For more details on the advanced / premier features see Ooma’s website: http://www.ooma.com/products/premier

What it takes to setup Ooma:

First, I purchased the Ooma device from Amazon. After the device arrived I setup an account and registered the device on the Ooma website. That was it and I had a phone line up and running. After I verified that it worked well I went back to the Ooma website and requested a phone number port. A week later my phone number was ported over. It took a phone call to support to have the number port “fixed” because it had a configuration error. After that was fixed it has been working perfectly since. For the past three weeks I have been using Ooma as my home phone and it has worked flawlessly. I am now a happy Ooma customer.

There are several ways you can hook up the Ooma Telo device to your network. I just plugged it into my switch along with all my other devices. Then I plugged in my phone line into the device. My home phones work just as they did with the traditional phone company.

My Network and Phone Setup:

For more information checkout their website: http://www.ooma.com

If you have a question, negative experience, or better setup leave a comment and let us all know.

-Brian

Great News for IT Pros! If you want to get your hands on the latest and greatest version of Windows all you need is an MSDN or TechNet subscription. It was posted there yesterday, September 9th. That’s right, Windows 8.1 RTM code.

Originally we were not going to release the code until the October 18th launch date, but based on the strong community feedback we have adjusted the release schedule.

Here is an excerpt from the email communication I received:

We’ve listened, we value your partnership, and we are adjusting based on your feedback. As we refine our delivery schedules for a more rapid release cadence, we are working on the best way to support early releases to the various audiences within our ecosystem. That’s why starting today, we will extend availability of our current Windows 8.1, Windows 8.1 Pro and Windows Server 2012 R2 RTM builds to the developer and IT professional communities via MSDN and TechNet subscriptions. The Windows 8.1 Enterprise edition will be available through MSDN and TechNet for businesses later this month. Additionally, today we’re making available the Visual Studio 2013 Release Candidate, which you can download here.

For more information see the official announcements on the following Blogs:

Steve “Guggs” Guggenheimer’s blog
http://blogs.msdn.com/b/stevengu/

Blogging Windows
http://blogs.windows.com/windows/b/bloggingwindows/archive/2013/09/09/download-windows-8-1-rtm-visual-studio-2013-rc-and-windows-server-2012-r2-rtm-today.aspx

Somasegar’s blog
http://blogs.msdn.com/b/somasegar/archive/2013/09/09/announcing-the-visual-studio-2013-release-candidate.aspx

In The Cloud blog
http://blogs.technet.com/b/in_the_cloud/

This works on both the Surface RT and Surface Pro machines to take a screen shot.

Simply hold down the capacitive Windows button on the front of your tablet and press the Volume Down button on the volume rocker once. If you see the screen dim for a moment you’ll know it worked. The screenshot will be saved in My Documents > Pictures > Screenshots.

San Francisco here I come!

I have the pleasure of presenting on Windows Azure IAAS next week in San Francisco! On September 5th, YOU are welcome to join me for FREE, as long as seats last!
(Oh, and you have to cover your travel costs)

This event will be held at the Microsoft San Francisco Office starting Thursday, September 05 at 9:00 AM and ending around 4:00PM.

At this ITcamp I will show you that YOU can have the best of both worlds! With Windows Azure, you can easily extend an on-premises network to embrace the power and scale of the cloud – securely and seamlessly. These Hybrid Cloud scenarios present real solutions that you can implement today to solve pressing IT issues such as:

  • Right-sizing Storage Investments
  • Protecting Data with Off-site Backups
  • Business Continuance and Disaster Recovery
  • Cost-effective, On-demand Dev/Test Environments
  • Internet-scale Web Sites… And MORE!

Join me for this FREE full-day hands-on event to experience the power of Hybrid Cloud. I will guide you through the process of jumpstarting your knowledge on Windows Azure Storage, Virtual Machines and Virtual Networking for key IT Pro scenarios. Complete all of the hands-on labs and you’ll walk away with a fully functional Windows Server 2012 cloud-based test lab running in Windows Azure!

Session Requirements:
Be sure to bring a modern laptop that is capable of running the following prerequisites. For more detailed system specs, click on the city nearest you.

  • Modern operating system, including Windows 7, Windows 8, Linux or Mac OS X
  • Modern web browser supporting HTML5 and Javascript, including IE 9, Chrome, Firefox and Safari
  • A remote desktop (RDP) client – included with Windows platforms. Mac and Linux RDP clients can be downloaded for free

All participants registering for the event should have an active Windows Azure subscription. If you have not already done so, sign up for a FREE trial of the Windows Azure platform and services, including access to the Virtual Machines preview.

Register now and reserve your seat for this FREE, full-day event in San Francisco

http://www.microsoft.com/click/services/Redirect2.ashx?CR_CC=200243263&CR_EAC=300102301

*** Update ***  Here is the Link to both the PowerPoint and Hands on Lab Manual for this event…
http://sdrv.ms/1dS7xdy

Windows 8.1 has hit RTM and will be Generally Available on October 18th, 2013.

This release is a little different than the past. In the past releases customers were able to get the finished product from TechNet, MSDN, and the Volume Licensing website a few days after RTM.

This time around is a little different as customers will not be able to get the code until October 18th. The idea is that only OEMs are getting the code to build and test systems, so they can introduce solid systems on release. Many techs are understandably angry that they can’t get their hands on the code this time around. If things change and you can get a copy I will update this site.

Update: Microsoft will release the bits for Windows 8.1 before October 17th on MSDN and the Volume Licensing site. See http://mythoughtsonit.com/2013/09/windows-8-1-and-server-2012-r2-download-available-from-msdn/

For more details see the Windows Team Blog:
http://blogs.windows.com/windows/b/bloggingwindows/archive/2013/08/27/readying-windows-8-1-for-release.aspx

Windows Server 2012 R2 also RTM’ed and has the same availability date of October 18th. You can read the announcement in Brad Anderson’s Blog:
http://blogs.technet.com/b/in_the_cloud/archive/2013/08/27/today-is-the-rtm-for-windows-server-2012-r2.aspx

My Team at Microsoft is writing a series of articles this month looking at Server Virtualization between VMware and Microsoft. You can follow the full series of our articles this month at:

VMware or Microsoft? – The Complete Series
http://blogs.technet.com/b/kevinremde/archive/2013/08/12/vmware-or-microsoft-the-complete-series.aspx

The Hyper-V vs. vSphere Hypervisor Footprint War Continues

When it comes to hypervisors does size really matter? In the ongoing “footprint war” between Hyper-V 2012 and vSphere ESXi 5.1, the key is to be smaller, smaller attack surface that is. However, Microsoft and VMware both claim to have a smaller attack surface. In my evaluation, I argue that when it comes to secure virtualization it doesn’t matter how big your footprint is, it is more how you use it. In order to understand the footprint war and why I believe the battle is moot you have to first assess and compare the architectures of both Hyper-V 2012 and vSphere ESXi 5.1 as I’ve done below. I then conclude with my thoughts on the technical merits of the security argument.

VMware vSphere ESXi 5.1 Architecture


VMware vSphere 5.1 uses a Monolithic Hypervisor design that is about 144 Megabytes in size. As you can see in the picture above the drivers are in the hypervisor layer which leads to some good and some not as good points.

The Good

  • You have an API set in here that vendors can program against
  • Antivirus can run in this level and you can use that to scan all virtual machines.
  • You can run on CPUs that don’t have virtualization extensions
  • Only 144 Meg of code vs the competition’s 5 Gig*

The Not as Good

  • You have an API set in there that hackers can program against
  • Antivirus has access to all VMs – so would an exploited AV
  • You have 144 Meg of stuff running at Ring –1
  • Drivers must be written for this Hypervisor so supported hardware is limited

Microsoft Hyper-V 2012 Architecture


Microsoft Hyper-V uses a Microkernelized Hypervisor Design which means the hypervisor itself is very small. In Server 2012 it is about 600 kilobytes in size. As you can see in the diagram above it doesn’t have drivers in the hypervisor because it relies on a “special” virtual machine that has the hardware drivers in it. This means vendors don’t have to write drivers for Microsoft Hyper-V in addition to Windows drivers. You can just use the Windows drivers. This architecture, just as with VMware, has some good and some not as good points.

The Good

  • No 3rd party APIs for hackers to code against in Hypervisor
  • No global AV option that could compromise all VMs
  • Lots of hardware choices because it relies on the Windows drivers.
  • 600k Hypervisor running in Ring –1 vs. 144 Meg in vSphere 5.1

The Not as Good

  • No APIs for third parties to add value in hypervisor
  • No option to run Antivirus in the Hypervisor
  • Requires hardware with CPU virtualization Extensions
  • Requires Windows Management Partition for the drivers

If you are interested in reading a more in-depth article on the architectures, I really like the article at ServerWatch.com. You can find it here:

Hyper-V and VMware vSphere Architectures: Pros and Cons
http://www.serverwatch.com/server-tutorials/microsoft-hyper-v-and-vmware-vsphere-architectures-advantages-and-disadvantages.html

So How do we Measure Size?

VMware will claim that the attack surface of Hyper-V includes the management partition and is therefore 5 gig of disk space. Microsoft will claim that one component that is often overlooked in VMware’s footprint size argument is the management tools machine. Do you measure Hyper-V at 600k or 5 Gig in size? Do you measure ESXi at 144 Meg or do you add the Management tools Machine to this? When considering the architecture both sides have valid arguments as to who is smaller. However, I frankly don’t think it matters who is bigger.

The Security Discussion (and why the whole discussion above is silly)

Sometimes things in computer security can be complex to comprehend and sometimes they’re easy. This one is easy…

It is true that in general, one tenet in security is that a smaller attack surface reduces the areas for vulnerabilities. However, that general principle isn’t a law. When it comes to securing your virtualization environment size doesn’t matter. It just is not true that a smaller disk footprint always equals a more secure product. If that were true then Windows 95, at 80 Megabytes, would be more secure than both ESXi and Windows Server 2012. We all know that just isn’t the case. Oh, if it could be that easy.

Even if a software company built software without a single vulnerability it still wouldn’t be secure on its own because hackers often enter the same way other users and administrators get in. It is the security practices that keep a system secure. It’s your people and processes that keep you secure. Do your people know how to secure Windows?

There is a great post by Edward Haletky way back in August of 2009. He talks about virtualization security where he concludes:

For each company using virtualization products it is about assessing the Risk to the environment. If you have the proper compensating controls then the risk will be mitigated.

You can read his full post here:
Measuring Hypervisor Footprints
http://www.virtualizationpractice.com/measuring-hypervisor-footprints-1133/

My Conclusion

The reality is that both products are solid offerings. Understanding which one is right for you is going to take more analysis than trying to understand which one is more secure via its hypervisor size. Not just because you can argue that either way but because it is irrelevant. The true analysis of the security between the two virtualization products is to look at your tools, knowledge, and processes. This is where a secure environment will come from. So can we stop the whole silly footprint thing?

The analysis I recommend is to treat it like car shopping. You see they both have horsepower and shiny wheels. So take them for a test drive. Both have trial versions that you can get from the links below.

Download Links

Windows Server 2012 Download

http://www.microsoft.com/click/services/Redirect2.ashx?CR_CC=200256656

Windows Server 2012 R2 Preview Download

http://www.microsoft.com/click/services/Redirect2.ashx?CR_CC=200256657

VMware Trials http://www.vmware.com/try-vmware/

Yesterday the Windows team announced that Windows 8.1 will be generally available on October 18th, 2013.

It will be available at retail stores for purchase on new machines. It will also be available as a free upgrade to Windows 8 from the online Windows store.

You can read their full announcement at the link below:

Blogging Windows – Mark your calendars for Windows 8.1!
http://blogs.windows.com/windows/b/bloggingwindows/archive/2013/08/14/mark-your-calendars-for-windows-8-1.aspx

***Update***
You may be asking “What about Windows Server 2012R2 and System Center 2012R2?”

Answer: I am glad you asked. They are releasing on the same day! October 18th.

For details on that see Brad Anderson’s announcement here:

Mark Your Calendars for Oct. 18: The R2 Wave is Coming!
http://blogs.technet.com/b/in_the_cloud/archive/2013/08/14/mark-your-calendars-for-oct-18-the-r2-wave-is-coming.aspx

Yesterday we released 8 security bulletins fixing 23 vulnerabilities. Three of the bulletins are rated critical, which means evil hackers have the potential to take over your machine through them. As far as we know, they are not being actively exploited in the wild today. However, the clock is now ticking. Hackers are going to reverse engineer our patches and figure out how to exploit the holes they patch. You want to test and implement these patches in a timely fashion before the vulnerabilities they patch start to be used to exploit machines.

The main products affected are Windows, Internet Explorer, and Exchange Server.

I have seen articles refer to one of the bugs as “the Ping of Death for IPV6”. It seems that this vulnerability, in the IPV6 stack, will cause a denial of service from a specially crafted packet. Could be a fun tool just like the old days where you could bring down your friend’s unpatched machine.

Back in the 90’s I called up a coworker (a sales guy) and asked him how his machine was working. As he told me fine, I sent a “ping of death” packet to his machine which halted his Windows 95 machine. It now showed the famous blue screen of death and he started to yell at me. – Now that was fun!

Microsoft Security Bulletin Summary for August 2013
https://technet.microsoft.com/en-us/security/bulletin/ms13-aug

I found that Symantec does a great job of explaining each of the 23 vulnerabilities and which patch they are contained in. I recommend reading this.
Symantec – Microsoft Patch Tuesday – August 2013
http://www.symantec.com/connect/blogs/microsoft-patch-tuesday-august-2013

Injecting Malware into iOS Devices via Malicious Chargers

Have you ever been out, and your phone is low on power, so you ask someone if you can borrow their charger? I bet you have! I have all the time and I never gave it a second thought – until now.

It is possible for hackers to build a charger that cracks your phone when you plug it in to recharge. Wow – it seems so obvious now! I would never have thought about it if I hadn’t read about the Security researchers at the Georgia Institute of Technology.

They built a malicious USB charger that can inject malware onto an iPhone, iPad, or other current-gen iOS device. This USB charger, called Mactans, takes less than a minute to compromise a device once it has been plugged in. A lot less time than it takes to charge your phone.

This current exploit attacks Apple iOS devices but that is not why I am writing about it. I am sure that every smartphone on the market today is vulnerable to a similar attack.

So, next time you’re going to borrow some juice for your phone – make sure you trust the source or your phone may get rooted.

For more information on this specific hack:

Description of presentation at the Black Hat conference
http://www.blackhat.com/us-13/briefings.html#Lau

Fake iPhone charger can hack iOS in under 60 seconds
http://www.welivesecurity.com/2013/06/03/fake-iphone-charger-can-hack-ios-in-under-60-seconds/

Black Hat hackers break into any iPhone in under a minute, using a malicious charger
http://www.extremetech.com/extreme/157207-black-hat-hackers-break-into-any-iphone-in-under-a-minute-using-a-malicious-charger?print