The virtual winner: VMware's ESX KOs a roughly built Hyper-V package

VMware wins due to manageability, stability that comes with maturity


A loaded machine took seconds for the snapshot to complete. The snapshot feature can be used to roll back or restore a server's state, but there are implications. For example, because the transactional states of applications are frozen, the server becomes unavailable for a short period, and users may find their applications performing badly because they cannot reach the server while the snapshot is being taken. Further, using a snapshot of a system state as an instance on another machine may or may not be permitted by operating system and/or application licensing. Microsoft recently changed its policy to allow VM instances (for various versions of Windows) to be migrated from one host to another, but licensing prohibits spontaneous movements of VM instances, whatever their state. That state may also include application or file states that require maintenance when re-instantiated, and transaction states may have to be verified as well.

VMware's Virtualized Consolidated Backup (VCB), included in the VMware Infrastructure Foundation edition we tested, adds full and incremental backup of guest hosts to disk or tape. The file system is quiesced during backup to keep things synchronized, which may temporarily remove the VM guest operating system and its applications from availability for the duration of the process. VMware says VCB also integrates with CommVault, EMC, HP, Symantec, IBM/Tivoli and other backup applications, but we did not test that level of integration.

VMware's ESX uses one of two capture systems to pull VM images: one develops a VM image from a live, running server, and the other takes a shut-down server's disk and captures the state of that disk. We captured several operating systems (see How we did it) and found that this is a simple process that works well and consistently.

Monitoring capabilities

VMs are allocated shared resources when they’re born, and then must live within the confines of those settings. When VM instances use their maximum allocation or are allowed to constantly plug into shared (oversubscribed) resources, administrators need to know so that the help desk doesn’t light up with complaints of apparent application inadequacy.

We used SC-VMM's instance monitoring capabilities to watch CPU, memory and disk use (how much and how frequently) and gauged them against VIC's ability to monitor VM performance attributes. To make a long discussion short, they're nearly the same: the important VM characteristics are monitored in each. VIC comes out on top when it comes to raising an alarm when a threshold is exceeded. Thresholds aren't monitored inside SC-VMM, as that requires other products in the System Center family. VIC, however, allowed us to set thresholds in areas such as CPU utilization, where zero utilization might mean an application had crashed and hitting a ceiling might mean the application was peaking.

Using the VirtualCenter Infrastructure Client, you can set alarms on the conditions we needed to know about, such as CPU, memory, network or disk usage going above or below a threshold, a change in machine state, or the absence of a VM heartbeat. There are three severity colors: green, yellow and red. Green means everything is fine, yellow is a warning and red is severe. Once an alarm is triggered, it is recorded in a log file. We could set how often it would trigger again, either by frequency (in seconds) or by tolerance (a percentage). We could also set an action to follow when a trigger fires. These actions include sending an e-mail, sending a notification trap, running a script, powering a VM on or off, suspending a VM and resetting a VM.

While there are no alarm or trigger options built into SC-VMM, there is a limited set of options that allowed us to start specific virtual machines as the server boots up. When the server shuts down, Hyper-V can both save the state of and turn off the virtual machines.

Security could use some beef

We had issues with both hypervisors in terms of security in several areas. The first big issue is that the images used to build virtual guests aren't serialized and/or authenticated in either platform. Should the image storage area be accessible, only file system time/date/modification metadata will be able to indicate that a virtual machine image has been used or, worse, tampered with.

As both hypervisors lack a native repository, images must be stored in an area chosen by the administrator and would desirably be authenticated through external methods, such as MD5 hashing, rudimentary checksums, or other ways that can validate image contents. VMware does embed an ID number into the image contents for enumeration purposes, but not for authentication. As both ESX and Hyper-V produce images in formats that are easily mountable file systems, hackers with even rudimentary skills and file system access can tamper with images. This calls for at least a minimal image repository scheme that records authentication hashes or data, and that should be included even in a basic bundle.
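As an added example (not from the review and not part of either product), the following shows the kind of external image manifest the paragraph calls for: it records a hash per image in a store kept apart from the images, and it demonstrates why file timestamps alone cannot be trusted. It uses SHA-256 instead of the MD5 the text mentions, since MD5 collisions are practical; the image names and contents are constructed stand-ins.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-ins for .vmdk/.vhd files; real images are gigabytes, which
# the chunked hash below handles without loading them into memory.
SAMPLE_IMAGES = {"web01.vmdk": b"KDMV" + bytes(range(256)) * 4,
                 "db01.vhd": b"conectix" + b"\x00" * 512}

def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Size, mtime and SHA-256 per image; keep the result outside the image store."""
    return {p.name: {"size": p.stat().st_size, "mtime_ns": p.stat().st_mtime_ns,
                     "sha256": sha256_file(p)}
            for p in sorted(root.iterdir()) if p.is_file()}

def verify(root: Path, manifest: dict) -> dict:
    """Per-image verdict; the hash decides, the timestamp is only a hint."""
    findings = {}
    for name, rec in manifest.items():
        p = root / name
        if not p.exists():
            findings[name] = "missing"
        elif sha256_file(p) != rec["sha256"]:
            findings[name] = "hash-mismatch"
        elif p.stat().st_mtime_ns != rec["mtime_ns"]:
            findings[name] = "mtime-only"   # touched or re-copied, content intact
        else:
            findings[name] = "ok"
    return findings

def demo() -> tuple:
    """Alter one byte of an image and restore its old timestamp; only the hash flags it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, data in SAMPLE_IMAGES.items():
            (root / name).write_bytes(data)
        manifest = build_manifest(root)
        target = root / "web01.vmdk"
        before = target.stat()
        target.write_bytes(SAMPLE_IMAGES["web01.vmdk"][:-1] + b"\x00")  # same size
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        mtime_looks_untouched = target.stat().st_mtime_ns == manifest["web01.vmdk"]["mtime_ns"]
        return verify(root, manifest), mtime_looks_untouched
```

A metadata-only check sees nothing wrong with the modified image; the manifest hash reports it as a mismatch.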

We also found that ESX doesn't police password strength in its strictly Windows-based VirtualCenter. If the passwords are weak, access can be gained through dictionary password attacks.

Hyper-V when managed through SC-VMM is accessed through default or defined Active Directory passwords, which are by default strong and can be made stronger and/or with additional authentication schemes.

Third-party authentication devices are virtually ignored. Controlled access to both hypervisors is lacking, although the Windows Server 2008 that runs underneath Hyper-V has some authentication mechanisms in place. Still, no direct authentication for either Hyper-V or ESX exists.

VMware added a basic firewall to surround itself by default when we installed it. The Windows Firewall components built into Windows Server 2008 ostensibly protect Hyper-V VM guests, but we didn’t assault either product to see if we could crack them. We could fingerprint the VM guests if ports were open to do so, and therein lies an unexplored attack vector.

Summary

VMware's long-standing virtualization history has given the ESX product ample time to mature into a very stable, usable product.

The dribbleware nature of the release of virtualization products from Microsoft -- with Hyper-V, the Linux Interface Connector Kit (LinuxIC) and SC-VMM 2008 arriving six months, eight months and 10 months after Windows 2008 Server editions hit the streets -- certainly won't help with the rapid deployment of Hyper-V into environments where it will earn its chops. Microsoft's development power is obvious, but the devil will be in the technical details as Microsoft plays catch-up in the explosive virtualization marketplace.

Henderson and Allen are researchers for ExtremeLabs, of Indianapolis. Contact them at kitchen-sink@extremelabs.com.

NW Lab Alliance

Henderson is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.


Copyright © 2008 IDG Communications, Inc.
