
VMworld 2011 Review


My brain hurts!  Maybe it was all the sessions, perhaps even the great party, but the old noggin definitely needs a rest after this one.

But before I get into all of that, let me just say: Wow, have conferences changed in the past few years!  Gone are the lines of people queuing up just to get access to e-mail from a relative handful of kiosks–we can obviously thank all the mobile phones for that–but so too were all the printed guides.  Internet access was even solid and widely available. And while the backpacks were still everywhere, I didn’t even use mine, instead leaving it for hotel housekeeping to do what they will with it.  With the conference guide in PDF form and the great mobile apps that brought up my selected schedule in just seconds, I was able to travel fast and light, switching back and forth between my Android phone and iPad, as they were the only items I carried each day.  Never before have I been to a conference with this level of mobility and efficiency.  Never.

Now on to what I actually learned at VMworld…

As this is my 4th VMworld in a row, it’s always a bit of a challenge to find the gems that I am looking for in helping to fine tune the virtualized product strategy over the next year and beyond.  There is always just soooo much recycled information in the presentations, which, while very important for all the first timers, does me very little good to hear over and over again.  But for the most part, each presentation yields at least one good thought or inspires others as I ponder things through.  For competitive reasons I’m not going to be able to share all my thoughts here in the open, but will share what I can.

Virtual Appliances:

It pains me to say this, but I’m starting to think we made a mistake in calling our SSL VPN appliance the “Service Provider Edition”.  Why?  Well, let’s just look at that, shall we?

The market potential for just about anything virtualized these days is huge, including virtual appliances.  While it is certainly true that we designed the virtual appliance and the subscription licensing use cases primarily around service providers, that implicitly sends a message out that it is for, well, service providers only.

But that’s absolutely NOT the case!

The virtual SA is there for any service provider or customer that operates like a service provider.  That pretty much fits the description of any enterprise IT department, doesn’t it?  After all, doesn’t IT provide services for the entire organization?  The bottom line on this is that, starting here and now, it should be known–and we will continue to do our best to make it known–that the virtual appliances are available for any organization who feels they could benefit from them.

Now that raises another question: Which organizations can benefit, and how?  The answer is actually quite simple, especially if you believe that building virtualized security models is different than the old-school DMZ way of doing things.  Many customers are moving away from vertical security models with the SSL VPN positioned prominently in the DMZ and are instead placing more and more security where it can do the most good, which also helps to address the horizontal security (nosy neighbor) needs.  And thanks to the virtual SA appliances, many SSL VPN instances can be built (they are free, after all) and put right in front of the separate systems and cloud security zones that need to be protected.

To put all of this another way: Do you need to build just one remote access architecture at the edge and separate users by Realms, Roles or Resources (the 3 R’s as many would call them), or does it make more sense to move the VPN right into the heart of the network/cloud and separate the users by simply bringing up a dedicated instance for each unique need?  Why put a partner who just needs access to a single appliance in order to provide support for it on the same edge gateway that everyone else uses when you could just as easily–and more securely–bring up a dedicated SSL VPN instance directly adjacent to the server that is already virtualized?

Worth noting here is that security no longer has to be the protected domain of the network security team.  The vSphere administrators can be a key component in all of this as well, providing key insight into the true business needs of the organization and enabling highly secure access in perhaps a fraction of the time that it would take to provision more systems in the DMZ.  Such virtualization opens up great opportunities for network and application architects to join forces and provide breakthrough levels of security and agility to better enable the business to achieve more.

ESXi 5

I’m not going to rattle off the new features of this latest version of ESXi.  Without a doubt, we will have support for it just as soon as we can.  The upgrade seems simple enough and I think some of our earlier observations around HA/FT and vMotion supportability for high traffic virtual appliances are certainly worth revisiting in much more detail under this version.

Management is really where it is at when it comes to futures though.  While the Juniper DMI interface is well suited for scripted management tasks, a more fully integrated vSphere management is needed as the overlay into vSphere, either with VMware based tools such as REST and/or 3rd party options such as Puppet or Chef (hint, hint to any solution integrators out there who believe they have the right stuff to make our virtual appliances dance all across vSphere and want to reach out to me to see how we might partner to build something spectacular).

Virtual Desktops:

Overall I’m pretty excited to see the potential performance upgrades to PCoIP.  I say “potential” simply because it seems to be very much up in the air whether true production environments will get the “up to 75%” gains that are being touted.  Adding the APEX2800 offload card, tuning things up via some of the new performance configuration options and then tagging the external header so that a WAN accelerator can make more room for it all is definitely something that we will be looking at as we move forward in qualifying the 5.X release.  I definitely welcome any feedback from those who might be testing it out.

There is one thing that I can’t believe still hasn’t been solved, which is the requirement that PCoIP work only on a layer 3 connection.  For Juniper customers running Pulse and/or NC this will hardly be a problem as the tunnel will already be established and PCoIP can send all of its TCP and UDP packets through without any real concerns.  But for all the others out there, they will need to go through the View Security Server.  Not that I mind if the View boxes are put into service for this use case, as there are still plenty of other remote access needs out there that will continue to require the more robust enterprise SSL VPN features, but simply for operational and capital expense management, most would agree that being able to consolidate around the more capable VPN solution serves the organization much better.  But if it has to be this way then that’s fine as well.  At least this way the PCoIP load can be distributed across more boxes, most likely offering an even higher quality of service to the rest of the remote access users.

Miscellaneous:

It was great to see Juniper SSL VPN being shown during the Tuesday keynote address!

And yes I’m aware that another competitor–who shall remain nameless–has popped up saying that they, too, will be supporting their SSL VPN virtual appliance.  But they haven’t announced when, at what price, or even at what possible scale.  Oh yeah, assuming that they won’t be getting it out the door anytime soon, that will put them a few years behind…again.

Finally I just have to highlight the great announcement for the vGW Virtual Gateway product (the former Altor product that Juniper acquired), which makes for an unbeatable story when matched up with the SSL VPN virtual appliances (among many other uses, of course).  A new version was announced and promises to again set the bar very high.

 vGW 5.0 integrates monitoring, firewall, intrusion detection and compliance capabilities with new layers of defenses including antivirus protection, hypervisor compliance monitoring, and large-scale virtualization security management capabilities, making it a universal threat management (UTM) solution for cloud computing.

Additional vGW Virtual Gateway 5.0 enhancements include:

 * VM gold image enforcement provides a sophisticated compliance checking mechanism and continuous monitoring of desired security state with alerting and mitigation options for instances when that state is negatively impacted.

 * Multi-center/ management support that synthesizes security policies for large-scale deployments into a single manageable whole across geographies and data center locations

 * Split-center management capabilities that segment information contained in one VMware vCenter(TM) Server instance into multiple, independently-managed vGW to improve resource isolation for cloud services or multi-tenancy.

 * Tree search features along Smart Group expression builder and the ability to easily quarantine VMs that become non-compliant supporting quick and easy search, classification and mitigation across a large number of tenants.

The post VMworld 2011 Review appeared first on SSL VPN Insider.

