Is virtualization stupid? It forces guest VMs sharing a host to do the same things over and over, without sharing. It takes up countless hours of otherwise useful – and expensive – server time. Sure, it’s better to consolidate servers using virtualization than to leave them on separate hardware, but it’s still just plain wasteful when dozens of VMs on a single server suck CPU cycles to do the same things their neighbors are doing.
Why do we allow this? For security and flexibility reasons. The predecessor of desktop virtualization was the Citrix Presentation Server, which sacrificed the flexibility of full virtualization for much higher user density – about 10x as many users per hardware server as you could get with early virtual desktop (VDI) efforts based on full hypervisors. Parallels (formerly SWsoft) Virtuozzo is another example of this.
Technology runs in cycles. In the past 40 years, we moved from centralized (mainframe) to distributed (PC) to hybrid (client/server), then back to centralized (cloud) and hybrid (cloud + AJAX), always in the name of seeking efficiency and new capabilities.
Virtualization is on a similar cycle. We started with shared mainframes, then moved to paravirtualization in the form of Citrix Presentation Server, then to the peak of the cycle – full virtualization in the form of VMware and to some extent Xen.
Along the way, we added cloud to the mix, so demand shot up. The result? The relentless quest for better performance in virtual environments is driving us in the direction of paravirtualization again. Here’s an example from Trend Micro, my employer, and VMware. VMware knows about the performance problems caused by having every guest on a host do the same thing simultaneously, like malware scanning. It takes forever if all guests start a scheduled scan at the same time, and it adds to the cost of setting up a VDI infrastructure. Trend Micro knows about efficiently deploying and managing our software in shared environments.
As a result, we created our Deep Security product using VMware’s VMsafe API to move malware detection to a single virtual appliance that provides agentless scans for all guests on a host. That change meant we were able to get 3x more guests per host (see the test results from Tolly Group here).
Architecturally, this looks a lot like paravirtualization, as we move shared functions off each VM guest onto a single virtual appliance guest that services all other guests. It actually mirrors the way Windows and other operating systems service multiple applications installed on them.
We’re moving towards a computing model where you install an “application” (really a VM) on an “OS” (a hypervisor with a set of common shared features for guests), and the “applications” communicate via API calls to the hypervisor, which acts as a system bus. In fact, I predict that the hypervisor will eventually include all the features of Microsoft’s Azure AppFabric (formerly .NET), but apply them on single hosts and across clouds. That’s just plain cool. Wikipedia and Microsoft both do a good job of describing AppFabric.
The more things change, the more they stay the same. But faster and better too.
[Ed. note: Trend Micro would like to know what you think about this. We enthusiastically invite your comments and we will read every one of them. For very detailed information about Trend Micro and Security Built for Enterprise Virtualization and Cloud Environments, please visit our website: http://bit.ly/dEmlhv ]