Introduction to virtualisation

When thinking of IT security, there are a few names which immediately come to mind. One of these is Bruce Schneier, another is Rafal Lukawiecki and another is Steve Gibson. I recently began to listen to Steve Gibson’s Security Now podcast with Leo Laporte and originally I thought a security podcast would be dull – although it does seem to me that this one is as often about new hardware and software technologies as it is about security – but I was pleased to discover that it’s enjoyable listening as Steve does a very good job of describing security issues in basic terms (he can be very outspoken though and does sometimes let himself down on his broader knowledge of the non-security elements).

I’ve written a lot on this blog about virtualisation technologies but never really covered the basics of what virtualisation is. I had thought of writing a blog post on the topic but, as there are a number of Security Now podcasts that do a better job, I recommend listening to (or reading the transcript for):

Security Now episode 50: Introduction to virtualisation (transcript).

I found this particularly interesting, describing the history of virtualisation technology, from 1960s IBM mainframes right up to the present day. If that whetted your appetite then the following episodes may also be interesting:

Security Now episode 53: Virtualisation part 2 (transcript).
Security Now episode 54: Blue pill (transcript).
Security Now episode 55: Application sandboxes (transcript).
Security Now episode 57: Virtual PC (transcript).
Security Now episode 59: Parallels (transcript).

I should point out though that I did notice a few errors:

It’s a shame that these errors crept in as it would have a huge effect on the overall positioning of Microsoft’s virtualisation products in the Virtual PC podcast (episode 57). Having said that, Virtual Server does have a number of issues when it comes to managing it in a cross-platform environment – it may have a web interface but it relies on ActiveX (so, requires Internet Explorer on Windows) and the Virtual Machine Remote Control (VMRC) client is not available for non-Windows platforms (despite using port 5900, suggesting it may be related to VNC, I can’t seem to get it working using a VNC client).

VMware may well have a more advanced product set (with Workstation, Virtual Infrastructure 3 and VirtualCenter 2) but from my experiences of dealing with the company it seems that they are going through some growing pains and I am sure that Microsoft will catch up over time. What seems to be certain is that virtualisation is more than just the buzzword of 2006.

Ripping analogue recordings using GarageBand and iTunes

In common with many people, I’m in the process of digitising my music collection – and my collection is not small. At last count I had something like 250 compact discs (CDs), 500 CD singles and a couple of hundred compact cassettes and MiniDiscs as well as some vinyl, a few VHS cassettes and digital versatile discs (DVDs).

Of course, ripping CDs is no big deal – iTunes takes the pain out of that for me (I rip as 192kbps MP3s – maybe not the ultimate quality, although good enough for most people’s ears) but the analogue content is not so easy. Over the last week or so I’ve worked out a method to rip from analogue sources, using standard software on my Mac… this is how it works:

  1. Firstly, open GarageBand. I’d never used this package before but it’s amazing – only a few years back this sort of application would have cost thousands (and I’d have been mixing using a standard mixing desk and recording to MiniDisc, not a computer). GarageBand looks scary at first, indeed I originally used iMovie to record my analogue feed and then transferred that to GarageBand but that step is unnecessary – simply create a new real instrument track and set it to record as you play the analogue source through the line in jack on the computer.
  2. Using GarageBand, edit the recording to cut out unwanted sections, adjust volume levels, etc., then view the Podcast track and add episode artwork and other information. You can also add markers for chapters within the recording.
  3. Set the audio podcast settings to Higher Quality in the export preferences. Optionally choose a Composer Name and Album Name in the general preferences (these can be changed later in iTunes).
  4. Once the recording is complete, save it, and then either select Export Podcast to Disk… or Send Podcast to iTunes from the Share menu in GarageBand (the result is the same – an MPEG 4/AAC file with an .M4A extension – but depending on the menu item selected it will either be in the chosen folder on the disk or within the iTunes Library).
  5. Open the recording in iTunes and edit the ID3 tags using Get Info option on the File menu.

That’s all that’s required for an AAC recording, but if you want to convert to MP3 (unfortunately this means double compression, leading to further clipping and a slight loss of quality), check that the advanced preferences in iTunes are set to import (yes, import – even though the conversion is an export process) using the MP3 Encoder at Higher Quality (192kbps). Finally, select Convert Selection to MP3 from the Advanced menu in iTunes. You can also use a similar method for Apple Lossless, AIFF or WAV conversion.

There are a couple of extra points to note: whilst AAC supports markers for the chapters added on the Podcast track these will be lost as part of a conversion to MP3; and GarageBand recordings are limited to 1999 measures (1 hour, 6 minutes and 16 seconds at 120 beats per minute) – to capture longer recordings it is necessary to adjust the tempo (beware of the Follow Tempo & Pitch checkbox on each track/region).

Will Vista’s 3D effects work in a virtual machine?

As a Windows Vista beta tester who filed at least one bug report, I was recently given a complementary copy of Windows Vista Ultimate Edition (thanks Microsoft); however as I’ve been rationalising my PC infrastructure of late I only have a couple of PCs that could make full use of the visual effects in Vista – my Mac (which runs Mac OS X most of the time) and a 2.4GHz Pentium 4-based PC (which runs Windows Server 2003 and Virtual Server 2005 R2). Consequently I’ve been wondering if the best way to make use of my new Vista license (bearing in mind the restrictions of product activation should I later try to move it between PCs) would be in a virtual machine.

It seems not, as I checked with John Howard, who is a Microsoft Program Manager for Windows virtualisation (and was formerly an IT Pro Evangelist here in the UK) as to the likelihood of ever receiving suitable VM Additions or 3D device drivers within a Windows virtualisation product.

John kindly replied, pointing out that the S3Trio video adapter which is emulated within the Microsoft virtualisation products is nowhere near the level required to support Vista’s 3D graphics. He went on to add that there are no plans to change this within Virtual PC 2007 or Virtual Server 2005 R2 SP1, nor in Windows Server Virtualization (which is seen as a server solution and therefore unlikely to require client-focused features such as 3D graphics).

John’s reply doesn’t fill me with hope and despite VMware’s current push into enterprise desktop virtualisation I’m not sure that their position would be any different. In the meantime, it looks as though 2D graphics will be the limit to those of us who are heavy users of virtualisation on the desktop.

RDP backslash fix for an Apple UK keyboard

A few days back, in my post about typing # on an Apple UK keyboard, I commented that I can’t type a backslash (\) on an RDP session to a Windows server from my Mac.

An anonymous contact very kindly tipped me off about Ira Rainey’s backslasher system tray application which Carl Slater has mirrored on his site (alongside a very nice VW Camper and motocrossing Honda C90s!). It works fantastically on my Windows Server 2003 SP1 system using the Microsoft Remote Desktop Connection Client for Mac v1.0.3 and Mac OS X 10.4.8.

The quick and easy way to create an SSL VPN

A few weeks back, I mentioned to one of my colleagues that I was looking to find a secure method of getting into my home network from wherever I happen to be and he recommended his friend’s SSL VPN product – SSL-Explorer.

I should also add that the aforementioned colleague has since taken a position with 3SP, the creators of SSL-Explorer (good luck Chris), but I have no such conflicts of interest – I’m simply writing about a product that I’ve found to be very useful.

According to 3SP:

“SSL-Explorer is the world’s first open-source, browser-based SSL VPN solution. This unique remote access solution provides users and businesses alike with a means of securely accessing network resources from outside the network perimeter using only a standard web browser.”

The community edition of SSL-Explorer is an open source product licensed under the GNU general public license (GPL) and the enterprise edition builds on this to provide additional functionality for organisations who require enhanced features and dedicated commercial support.

I used a (remarkably) similar product from Neoteris a few years back; however that required a dedicated appliance server and was a commercial product. There’s also the OpenSSL project but, despite earlier versions of SSL-Explorer requiring compilation using Apache Ant, the installer I used (v0.2.8_01) required no such effort and I was amazed at how quickly I was able to install SSL-Explorer onto a standard Windows server (I could also have used a Linux box). Furthermore, despite not yet being a version 1 product (and using Java, which I’m not a fan of), SSL-Explorer seems to be remarkably stable.

Through SSL-Explorer, I can provide users with access to file shares (read-only or read-write – and the product only enumerates those folders for which the user has access), reverse proxy to internal web servers (including single sign-on to Outlook Web Access) and access internal servers (using RDP or VNC – other modules are also available). Some features require an agent to be loaded on the fly but the SSL-Explorer product is still a clientless VPN (all interaction is within a web browser). Management is via a web interface and self-signed certificates can be used (for those of us who don’t have the budget to buy third party certificates).

I still have some issues with the remote desktop functionality from behind my employer’s proxy server; however I suspect that is related to the ISA Server configuration in use – SSL-Explorer is working perfectly from other networks. I also operate using a single NATted IP address, so if I want to forward all HTTPS traffic from my firewall to the SSL-Explorer server then I can’t do the same for any other web servers that I might like to expose to the Internet directly (at least not on the same port).

Of course, there are other solutions that may better suit an organisation’s network or security policies; however for many smaller companies and private individuals, SSL-Explorer could be the perfect solution to remote access – it’s definitely worth a look.

Using RIS as a TFTP server

Earlier tonight I needed to upgrade the software on an Ethernet switch. Most network administrators will be aware that this generally requires access to a trivial file transfer protocol (TFTP) server and it’s widely believed that to set up TFTP on a Windows server requires third party software. Not so – Microsoft remote installation services (RIS) includes a built-in TFTP daemon and I found that this can be used to serve files to any TFTP client (I’ve written before about using RIS to PXE boot non-Windows images and this was effectively a variation on the same theme).

All that was required was to copy the binary that I needed to run on my Ethernet switch to the RIS server’s remote installation share (\\servername\RemInst). Once the file had been copied to the RIS server it was simply a case of following the switch upgrade process and supplying the appropriate TFTP server address (i.e. the IP address for the RIS server) and filename.

More blog spam

A few months back I had to enable comment moderation on this site to deal with the blog spam I was getting. Unfortunately, over the last few days I’ve had to delete hundreds of spam comments sent to my e-mail for moderation so, with regret, I’ve had to turn on word verification to make sure that comments are only left by humans.

Please continue to leave comments on the blog – it’s always nice to hear when something was useful, or when someone has some additional information relating to one of my posts. I’m just sorry that I have to put these blocks in to make it harder for the ‘bots – unfortunately it also makes it harder for people to leave genuine comments too.

Office Groove 2007 overview

At the risk of annoying yet more people at Microsoft after my comments in this week’s Computer Weekly, last night I attended what was probably the worst Microsoft event I’ve ever been to. To be fair to Microsoft, they are kind of pre-occupied this week… some sort of big launch happening today… something called Windows Vista and Office 2007… but this was Bad (note the capital B).

I’m not sure if I should name the presenters – I’ll just say that there was an IT Pro Evangelist who is normally both a good presenter and who generally gives the impression of possessing detailed product knowledge (something which was sadly lacking at this event) supporting someone from the marketing side of the organisation as she gave a very superficial run through a slide deck with which she was clearly unfamiliar.

The topic was Office Groove 2007 and this was supposed to be a technical overview. To me, it felt like an unrehearsed dry run of a presentation about a product that has been bought into the company and which, based on last night’s presentation, very few Microsoft people understand. Luckily, Ray Jordan from D2i Solutions – the UK distribution partner for the original Groove Networks product line – was extremely knowledgeable and stepped in to rescue the event (although he seemed to disappear at the refreshment break – presumably embarrassed at having to answer questions from the audience to pick up on the Microsoft presenters’ shortcomings).

For those who are not familiar, Groove Networks was a company founded in 1997 by Ray Ozzie (originally of Lotus Notes fame and now Microsoft Chief Software Architect) which specialised in collaboration products and was purchased by Microsoft in 2005. There’s some speculation as to whether Microsoft wanted the company’s products or were really after Ray Ozzie himself, but whatever the politics, Groove Virtual Office is now being absorbed into Microsoft Office.

I used Groove Virtual Office 3.1 for a recent project and found it both useful and impressive. With the launch of Office Groove 2007, I was interested to see what Microsoft has done to the product. It seems that the product bundling has changed and there are some minor changes but on the whole it’s very similar.

Office Groove 2007 is a team workspace application that provides for greater collaboration between customers, partners and colleagues, with each user having access to a number of collaborative workspaces across a range of projects. These workspaces may be customised with a range of tools and templates to allow people to use their time effectively through offline working, yet remaining synchronised.

Whereas users in a corporate environment are used to sharing information using file servers and intranets, once a project or other collaboration requirement crosses organisational boundaries it gets more difficult. Groove overcomes this using a highly secure yet distributed architecture whereby each workspace member synchronises changes with others and a relay server acts as a broker when workspace members are offline.

The process of sharing a workspace involves either synchronising a local folder via Groove or creating a new XML datastore, protected using an internal PKI mechanism (with 192-bit AES encryption), then inviting others to join the workspace and sharing encryption keys between members. Each workspace member is allocated one of three roles – manager, participant or guest – and has an exact copy of the workspace. These roles can be amended within the workspace properties and the permissions assigned to each role can also be adjusted. When synchronising changes only the changed portions of the database are transmitted (a hash is calculated on the whole file and on each portion of the file – by comparing hashes it is possible to work out which portions have been modified) and because each change and the whole workspace is signed using the internal PKI (as well as all network traffic) it is impossible to inject any malicious changes.
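An illustrative model of that synchronisation check, added here and not Groove’s own code: per-portion hashes locate the changed part of a file, and a keyed MAC (assumed here in place of Groove’s PKI signature) over the hash manifest lets a member reject a change that was not produced with the workspace key.

```python
"""Model of the chunk-hash delta detection and signed-change check described above.

Not Groove's code. Per-portion SHA-256 hashes find which parts of a workspace
file changed; an HMAC (an assumed stand-in for Groove's PKI signature) over the
hash manifest lets a member reject changes not produced with the workspace key.
"""
import hashlib
import hmac

CHUNK_SIZE = 16  # tiny for the demo; real systems use kilobyte-sized portions


def chunk_hashes(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[str]:
    """Hash each fixed-size portion of the file separately."""
    return [hashlib.sha256(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


def whole_hash(data: bytes) -> str:
    """Hash of the whole file, checked first so unchanged files cost nothing."""
    return hashlib.sha256(data).hexdigest()


def changed_chunks(old: bytes, new: bytes) -> list[int]:
    """Indices of portions whose hash differs, or which exist in only one version."""
    if whole_hash(old) == whole_hash(new):
        return []  # whole-file hash matches: nothing to transmit
    old_h, new_h = chunk_hashes(old), chunk_hashes(new)
    n = max(len(old_h), len(new_h))
    return [i for i in range(n)
            if i >= len(old_h) or i >= len(new_h) or old_h[i] != new_h[i]]


def _manifest_bytes(manifest: dict) -> bytes:
    return (manifest["whole"] + "|" + ",".join(manifest["chunks"])).encode()


def sign_manifest(data: bytes, key: bytes) -> dict:
    """Manifest of a change: whole hash, portion hashes and a MAC over both."""
    manifest = {"whole": whole_hash(data), "chunks": chunk_hashes(data)}
    manifest["sig"] = hmac.new(key, _manifest_bytes(manifest), hashlib.sha256).hexdigest()
    return manifest


def verify_manifest(manifest: dict, data: bytes, key: bytes) -> bool:
    """Accept the change only if the MAC is valid and the data matches the hashes."""
    expected = hmac.new(key, _manifest_bytes(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return False  # not produced by a holder of the workspace key
    return (whole_hash(data) == manifest["whole"]
            and chunk_hashes(data) == manifest["chunks"])


# Constructed sample workspace file: three 16-byte portions, second one edited.
ORIGINAL = b"portion-one-----portion-two-----portion-three---"
EDITED = b"portion-one-----PORTION-TWO-----portion-three---"
MEMBER_KEY = b"constructed-workspace-key"  # assumed shared workspace key


if __name__ == "__main__":
    print("changed portions:", changed_chunks(ORIGINAL, EDITED))
    signed = sign_manifest(EDITED, MEMBER_KEY)
    print("change from member accepted:", verify_manifest(signed, EDITED, MEMBER_KEY))
    outsider = sign_manifest(EDITED, b"not-the-workspace-key")
    print("change from outsider accepted:", verify_manifest(outsider, EDITED, MEMBER_KEY))
```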

If a workspace member does not access the workspace for 21 days then they are uninvited – a process which involves all other members having new keys issued – effectively locking the absent member out of the workspace. If a member cannot sign in they can still work offline and access data but no changes will be synchronised. When I suggested that this was a security loophole it was pointed out to me that it is really no worse than traditional methods of sharing data (e.g. transferring files via e-mail) and that digital rights management can be applied to further protect the data (although that would remove many of the advantages of offline access to the workspace).

In addition to controlling workspace members, Groove is able to synchronise data between devices (e.g. a home PC and a work PC) by inviting other devices into the workspace. If a conflict does occur during synchronisation, then two copies are created and the duplicate is suffixed with the username.

Within Groove, it’s easy to identify new content as it gains an additional red flash on the icon. There’s also a communications manager which can be used to monitor the status of synchronisation.

By default, Groove communicates using its native simple symmetrical transfer protocol (SSTP) over TCP port 2492. If this port is unavailable (e.g. blocked by a firewall) then the client and/or relay servers will encapsulate messages within standard HTTP and drop back to using HTTPS over port 443 or, as a last resort, HTTP on port 80, as described in Microsoft knowledge base article 917165.

Each workspace can be based on a standard template or can include additional collaboration tools, including file sharing, discussion tool, calendar, forms, SharePoint files, meeting tool, notepad, pictures and a sketchpad. It’s also possible to build custom forms (or to import them from InfoPath). In addition to workspaces, Groove provides an instant messaging and presence awareness capability for workspace members. I found it strange that Microsoft should continue the use of the Groove instant messaging feature (in addition to its other IM clients) but in reality this is the lowest common denominator – it will read contact lists for both Windows Live Messenger and Office Communicator but because there are no guarantees that all workspace members will be using the same instant messaging client, building the capability into Groove neatly circumvents any connectivity issues.

One of the main changes with Microsoft Office Groove is the product packaging – whereas the Groove Networks incarnation of the product was based around a distributed network of users and Groove’s own public (but highly secure) servers, corporate customers need to see that their data is stored on servers under their own control, with tight controls over account creation. Consequently, Microsoft have made it easier for corporate clients to run the Groove server product internally.

In addition to the Office Groove client application, there are a number of server roles – manager, relay (store and forward synchronisation and messages between workspace members as they come online but others are offline), data bridge (to allow the extension of data to other teams) and an enterprise auditing management server.

Centralised administration is made possible using policies to apply identity and device controls (e.g. throttling bandwidth). The Groove server maintains its own account database (which can be synchronised with other directory servers) for provisioning and revoking access and this is where Groove’s heritage is obvious – it would seem reasonable to expect future versions of the product to feature tighter Active Directory integration and possibly the use of ADAM where a connection to a non-Microsoft directory is required.

One potential issue for organisations looking at using Groove in a centralised manner is that of backing up the distributed data within Groove, because there is no central storage location and backups of local copies of the workspace can be invalidated by subsequent PKI key changes. Microsoft’s answer is that the synchronisation mechanism provides built-in protection – certainly more than is generally afforded to user data held on individual PCs.

There is still a hosted version of the product – Office Live Groove. This allows workspace members to use the Groove client with a public relay server; however they do not lose any of the security within the product. All communications are still signed and all data on the relay server is transient. For many organisations that do not want to maintain their own Groove server infrastructure, this is an ideal solution.

In all, Office Groove 2007 looks to be a great product. The only problem I can see is persuading an IT Manager from a blue-chip corporate to look at a product called “Groove” (it’s probably not such an issue in a creative organisation). Maybe the usual bland Microsoft product names are not so bad after all…

To find out more, read the Microsoft Office Groove 2007 product guide or download a trial version of Office Groove 2007 – both are available from the Microsoft website.

VMware ESX Server and HP MSA1500 – Active/Active or Active/Passive?

Recently, I’ve been working on a design for a virtual infrastructure, based on VMware Virtual Infrastructure 3 with HP ProLiant servers and a small SAN – an HP MSA1500cs with MSA30 (Ultra320 SCSI) and MSA20 (SATA) disk shelves.

The MSA is intended as a stopgap solution until we have an enterprise SAN in place but it’s an inexpensive workgroup solution which will allow us to get the virtual infrastructure up and running, providing a mixture of SATA LUNs (for VCB, disk images, templates, etc.) and SCSI LUNs (for production virtual machines). The MSA’s Achilles’ heel is the controller, which only provides a single 2Gbps fibre channel connection – a serious bottleneck. Whilst two MSA1500 controllers can be used, the default configuration is active-passive; however HP now has firmware for active-active configurations when used with certain operating systems – what was unclear to me was how VMware ESX Server would see this.

I asked the question in the VMTN community forums thread entitled Active-Active MSA controller config. with VI3 and MSA1500 and got some helpful responses indicating that an active-active configuration was possible; however as another user pointed out, the recommended most recently used (MRU) path policy seemed to be at odds with VMware’s fixed path advice for active-active controller configurations.

Thanks to the instructor on my VMware training course this week, I learned that, although the MSA controllers are active-active (i.e. they are both up and running – rather than one of them remaining in standby mode), they are not active-active from a VMware perspective – i.e. each controller can present a different set of LUNs to the ESX server but there is only one path to a LUN at any one time. Therefore, to ESX Server they are still active-passive. I also found the following on another post which seems to have been removed from the VMTN site (at least, I couldn’t get the link from Google to work) but Google had a cached copy of it:

“The active/active description”… “seems to imply that they are active/active in the sense that both are doing work but perhaps driving different LUN’s? i.e. if you have 10 volumes defined you might have 5 driven by controller A and 5 driven by controller B. Should either A or B fail all ten are going to be driven by the surviving controller. This is active/active yes [but] this is also the definition of active/passive in ESX words (i.e. only one controller have access to one LUN at any given time).”

Based on the above quote, it seems that MSA1500 solutions can be used with VMware products in an active-active configuration (which should, theoretically, double the throughput) but the MRU recommended path policy must be used as only one controller can access a LUN at any given time.

Typing # on an Apple UK keyboard

One thing that’s really annoying for UK-based Mac users is the lack of a # symbol on the Apple keyboard. In the US this is known as a “pound” but in UK English (or “English”, as I prefer to call it!), a pound symbol is £ for pounds sterling (our unit of currency) or lb for the imperial unit of weight and we call # “hash”.

Anyway, it turns out that UK keyboard users can type alt+3 to generate a # character.

Now all I need to do is work out how to get a backslash (\) when I’m working in Windows from a remote console (RDP) session on my Mac…