<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Network Newz</title>
	<atom:link href="http://www.networknewz.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.networknewz.com</link>
	<description>Just another WordPress weblog</description>
	<lastBuildDate>Mon, 30 Aug 2010 12:30:42 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Deltacloud Could Change The Face Of Standard Networks</title>
		<link>http://www.networknewz.com/2010/08/30/deltacloud-could-change-the-face-of-standard-networks/</link>
		<comments>http://www.networknewz.com/2010/08/30/deltacloud-could-change-the-face-of-standard-networks/#comments</comments>
		<pubDate>Mon, 30 Aug 2010 12:30:42 +0000</pubDate>
		<dc:creator>Savio Rodrigues</dc:creator>
				<category><![CDATA[Network]]></category>

		<guid isPermaLink="false">http://www.networknewz.com/?p=168</guid>
		<description><![CDATA[Contrary to popular rumors, Red Hat’s recent webcast was not to announce an imminent acquisition. Red Hat instead laid out an ambitious cloud strategy, going as far as claiming that only Microsoft and Red Hat are positioned to deliver an end-to-end cloud stack. However, the most important announcement from Red Hat may well be overshadowed [...]]]></description>
			<content:encoded><![CDATA[<p>Contrary to popular rumors, Red Hat’s recent webcast was not to announce an  imminent acquisition. Red Hat instead laid out an ambitious cloud strategy,  going as far as claiming that only Microsoft and Red Hat are positioned to  deliver an end-to-end cloud stack. However, the most important announcement from  Red Hat may well be overshadowed by its comparison versus Microsoft Azure or its  PaaS plans.</p>
<p>Here’s why IT decision makers shouldn’t ignore Red Hat’s submission of the  cloud neutral Deltacloud cloud API to the Distributed Management Task Force  (DMTF) and Apache Software Foundation.</p>
<p><strong>Deltacloud sputtered under a single vendor’s control</strong><br />
Deltacloud was announced nearly a year ago at the 2009 Red Hat summit. Brian  Stevens, CTO and VP, Engineering at Red Hat <a href="http://press.redhat.com/2009/09/03/introducing-deltacloud/" target="_blank">described  Deltacloud’s goal</a>:</p>
<blockquote><p>The goal is simple. To enable an ecosystem of developers, tools,  scripts, and applications which can interoperate across the public and private  clouds.</p>
<p>Today each infrastructure-as-a-service cloud presents a unique API that  developers and ISVs need to write to in order to consume the cloud service. The  Deltacloud effort is creating a common, REST-based API, such that developers can  write once and manage anywhere.</p>
<p>A cloud broker if you will, with drivers that map the API to both public  clouds like EC2, and private virtualized clouds based on VMware and Red Hat  Enterprise Linux with integrated KVM.</p>
</blockquote>
<p>Red Hat’s approach was simple and seemingly appealing enough. Write to the Deltacloud APIs and your workloads can be ported across any cloud provider’s infrastructure that Deltacloud is able to interoperate with. However, the prospect of trading cloud provider API lock-in for Red Hat API lock-in wasn’t appealing to potential Deltacloud adopters. Whether “The World’s Open Source Leader”, as Red Hat bills itself, or not, lock-in is lock-in.</p>
<p><strong>Choosing open standards &amp; open source for Deltacloud</strong><br />
Red Hat wisely decided to contribute their Deltacloud API implementation to  an independent third party, the Apache Software Foundation. By moving the  implementation to an Apache Incubator project earlier this summer, the  Deltacloud project is no longer saddled with the chains of a single vendor  controlled open source project. This in turn has made it easier for multiple  vendors to consider adopting and contributing to the Deltacloud project.</p>
<p>Red Hat appears to be following the standardization through implementation <a href="http://twitter.com/monkchips/status/22179376379" target="_blank">approach</a>, and has submitted the Deltacloud API specifications to the DMTF cloud standards body.</p>
<p>Regardless of how successful Red Hat’s cloud and PaaS business results are,  they will likely pale in comparison to the customer value enabled should  Deltacloud become a widely adopted industry standard.&nbsp; By leveling the cloud  workload&nbsp;portability playing field, Red Hat is enabling other vendors to compete  based on the quality and completeness of their PaaS offering rather than  portability itself.</p>
<p>It’s encouraging to see that <a href="http://deltacloud.org/drivers.html" target="_blank">Deltacloud already  allows a high level of portability</a> across six different cloud providers,  with support for two more providers on the way.</p>
<p>Bryan Che, Red Hat cloud product manager, explained the <a href="http://www.infoworld.com/d/applications/red-hat-submits-cloud-apis-potential-industry-standard-271" target="_blank">Deltacloud  announcement</a>:</p>
<blockquote><p>We do not want Deltacloud to be under the control of any one  particular vendor, including Red Hat. If you want true interoperability and true  portability, you need a third-party governance structure.</p>
</blockquote>
<p>On the other end of the spectrum are vendors such as Eucalyptus that have decided to adopt Amazon EC2’s APIs. Marten Mickos, Eucalyptus CEO, <a href="http://www.pcworld.com/businesscenter/article/204092/eucalyptus_strengthens_its_back_end.html" target="_blank">explains</a>:</p>
<blockquote><p>We believe the Amazon API is becoming the industry standard, and  that many companies will follow it.</p>
</blockquote>
<p><strong>Choosing de facto standards vs. open standards</strong><br />
Deltacloud’s success as the standard for controlling cloud operations is far from guaranteed. By the same token, Amazon’s EC2 API remaining the de facto standard is not guaranteed as cloud usage shifts from early adopters to the mainstream enterprise market. Enterprises have been increasingly educated to demand open standards for which multiple implementations exist. IT decision makers must weigh the short term benefit of adopting a cloud specific API, such as Amazon’s EC2 API, versus the long term benefit of a cloud agnostic API such as Deltacloud.</p>
<p><a href="http://saviorodrigues.wordpress.com/2010/08/27/deltacloud-red-hats-most-important-cloud-effort/">Comments</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.networknewz.com/2010/08/30/deltacloud-could-change-the-face-of-standard-networks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Neutrality 101</title>
		<link>http://www.networknewz.com/2010/08/16/network-neutrality-101/</link>
		<comments>http://www.networknewz.com/2010/08/16/network-neutrality-101/#comments</comments>
		<pubDate>Mon, 16 Aug 2010 12:30:39 +0000</pubDate>
		<dc:creator>Michael Marr</dc:creator>
				<category><![CDATA[Google]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Restrictions]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.networknewz.com/?p=165</guid>
		<description><![CDATA[This past week, Google and Verizon introduced a joint legislative proposal. Shortly thereafter, blogs and forums filled with buzz and chatter over this two-page document. Many of those blogs and posts were targeted at Google, claiming that they are proposing things in violation of net neutrality. What exactly is net neutrality, and why is Google [...]]]></description>
			<content:encoded><![CDATA[<p>This past week, Google and Verizon  introduced a joint legislative proposal. Shortly thereafter, blogs  and forums filled with buzz and chatter over <U><A HREF="http://docs.google.com/viewer?url=http://www.google.com/googleblogs/pdfs/verizon_google_legislative_framework_proposal_081010.pdf">this  two-page document</A></U>. Many of those blogs and  posts were targeted at Google, claiming that they are proposing  things in violation of net neutrality. What exactly is net  neutrality, and why is Google and Verizon&#8217;s proposal taking so much  heat?</p>
<p>Network neutrality is the philosophy that all things related to the network of the internet be neutral, i.e. unregulated. In a completely neutral network, there would be no regulations on what can connect to that network and what data can be transferred across that network. This is the environment in which the Internet has grown and thrived, and thus the environment that most Internet purists strive to maintain.</p>
<p>However, the issue with this idea of neutrality is that the Internet is now a vessel of capitalism. Capitalism revolves around the creation and protection of wealth. Therefore, it has become in the best interests of many players in this industry to begin to protect their wealth. An example of where this protection of wealth clashes against net neutrality is the Comcast and BitTorrent issues. As you may recall, Comcast began capping the rates at which their subscribers could use BitTorrent transfers. In Comcast&#8217;s defense, it was a matter of protecting their services for all their subscribers. The bandwidth required to support BitTorrent had never existed previously, and was a strain Comcast was not ready to support. On the net neutral end of things, what gave Comcast the right to dictate what John Q. Public could or could not do on the Internet?</p>
<p>As in many political documents, Google and Verizon attempt to avoid clearly defining their stance on net neutrality. It doesn&#8217;t appear that Google and Verizon intentionally sought any policies to hinder net neutrality, but by omitting language to specifically foster net neutrality, they opened the flood gates of opposition. For example, a specific clause of “Network Management” was introduced, encouraging the right of an ISP to “engage in reasonable network management.” This clause was skillfully crafted in such a manner to ride the fence of net neutrality. If this legal language had existed when Comcast decided to control BitTorrent usage, the outcome of that situation would not have been any more clearly defined than it was without this kind of guideline.</p>
<p>Google&#8217;s position, as shown in this document, is somewhat of an identity crisis. Google&#8217;s lifeline is this free and open Internet. However, Google must work with the other big players in the net to create a framework in which Google&#8217;s capital interests can be protected. It will be interesting to continue to follow how and what legal entities get involved. One thing is for certain: despite any goodwill shown by any of the parties involved, network neutrality is at risk.</p>
<p>See also:</p>
<p><U><A HREF="http://googlepublicpolicy.blogspot.com/2010/08/joint-policy-proposal-for-open-internet.html">http://googlepublicpolicy.blogspot.com/2010/08/joint-policy-proposal-for-open-internet.html</A></U></p>
<p><U><A HREF="http://googleblog.blogspot.com/2010/08/facts-about-our-network-neutrality.html">http://googleblog.blogspot.com/2010/08/facts-about-our-network-neutrality.html</A></U></p>
]]></content:encoded>
			<wfw:commentRss>http://www.networknewz.com/2010/08/16/network-neutrality-101/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Evaluating A Network For VoIP Tech</title>
		<link>http://www.networknewz.com/2010/08/02/evaluating-a-network-for-voip-tech/</link>
		<comments>http://www.networknewz.com/2010/08/02/evaluating-a-network-for-voip-tech/#comments</comments>
		<pubDate>Mon, 02 Aug 2010 16:32:19 +0000</pubDate>
		<dc:creator>Doug Caverly</dc:creator>
				<category><![CDATA[Communication]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Tips]]></category>

		<guid isPermaLink="false">http://www.networknewz.com/?p=163</guid>
		<description><![CDATA[The average company would probably prefer not to equip all of its employees with cell phones. Landlines can represent a nuisance, too, since long distance calls cost a fair amount. Fortunately, VoIP tech can act as a solution, so long as a company&#8217;s network can handle it. Being able to call anyone, anywhere for almost [...]]]></description>
			<content:encoded><![CDATA[<p>The average company would probably prefer not to equip all of its employees with cell phones.  Landlines can represent a nuisance, too, since long distance calls cost a fair amount.  Fortunately, VoIP tech can act as a solution, so long as a company&#8217;s network can handle it.<br />
Being able to call anyone, anywhere for almost no money sounds great, but after all, it would have a serious cost of a different sort if everyone lost the ability to do research online &#8211; or even access their email &#8211; each time a single employee picked up a phone.</p>
<p>A reverse situation is possible, too, where someone watching YouTube videos or playing online games on his lunch break would cause callers to have a bad experience.  And it would be a real pain if it were necessary to make a company-wide announcement every time the phone rang.</p>
<p>So <a href="http://www.tmcnet.com/channels/voip-equipment/articles/93756-your-network-handle-voip-calls-now.htm" class="bluelink">David Sims</a> talked to officials at VoIP Insider about how to take VoIP calls into account, and they told him, &#8220;[Y]ou should calculate the total bandwidth needed to send and receive your calls.  You can do this by multiplying the number of anticipated simultaneous calls times the packet size of the voice codec you will be using (like G.722 or G.729).&#8221;</p>
<p>Then, depending on how things look, the officials said, &#8220;[Y]ou may want to prioritize or even segment your voice traffic.&#8221;  (This can also serve as a good precaution against unforeseen Internet problems even if the situation seems under control.)</p>
<p>If problems still exist after all this, it may be time to rework the VoIP cost analysis.  Specifically, the cost of more bandwidth will have to be weighed against the cost of using traditional phones.  It&#8217;s possible VoIP won&#8217;t represent such a great deal once the added expense is factored in.</p>
<p>The good news is that most organizations with decent Internet connections shouldn&#8217;t encounter a lot of problems when using VoIP tech.  It&#8217;s just best to think about this sort of stuff before going through with any transitions; no one will win if all of a company&#8217;s phones are accidentally transformed into little more than paperweights.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networknewz.com/2010/08/02/evaluating-a-network-for-voip-tech/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IEEE Approves 40Gb/s and 100Gb/s Standards</title>
		<link>http://www.networknewz.com/2010/07/19/ieee-approves-40gbs-and-100gbs-standards/</link>
		<comments>http://www.networknewz.com/2010/07/19/ieee-approves-40gbs-and-100gbs-standards/#comments</comments>
		<pubDate>Mon, 19 Jul 2010 12:30:50 +0000</pubDate>
		<dc:creator>Michael Marr</dc:creator>
				<category><![CDATA[Network]]></category>

		<guid isPermaLink="false">http://www.networknewz.com/?p=160</guid>
		<description><![CDATA[Back in June, the IEEE finally approved the 802.3ba standard. The standard began to be investigated back in mid-2006, and has finally culminated in the new 802.3 standard. This is the first time two connection speeds have been specified in one standard. The previously fastest IEEE standard was 802.3av for 10 Gb/s. What does this [...]]]></description>
			<content:encoded><![CDATA[<p>Back in June, the IEEE finally approved  the 802.3ba standard. The standard began to be investigated back in  mid-2006, and has finally culminated in the new 802.3 standard. This  is the first time two connection speeds have been specified in one  standard. The previously fastest IEEE standard was 802.3av for 10  Gb/s. </p>
<p>What does this new standard mean for  the IT industry? The intent of this standard was to support faster  connection speeds for server-to-server operations, so don&#8217;t expect to  be purchasing a 40 Gb/s router and NIC from your local electronics  retailer anytime soon. In fact, the IEEE 802.3ba task force  specifically recognized that the current 10/100/1000 Mb/s was  appropriate for most implementations of LANs, but that the current  10,000 Mb/s standard was lacking for larger server and network  implementations, including the backbone of the Internet.</p>
<p>This new standard doesn&#8217;t call for or  utilize any new media technologies, but rather simply outlines the  necessary procedures and protocols to follow when utilizing these  connection speeds over existing optical and copper line technologies.  The new standard also works with the existing IEEE 802.3 standards,  and thus will not require a major overhaul of equipment or  infrastructure to implement.</p>
<p>This standard will surely help the US  government&#8217;s Broadband Plan (http://www.broadband.gov),  which aims  to provide broadband to all US homes. In particular, a large section  of US homes are targeted to reach 100 Mb/s connections and all  libraries, schools, and hospitals should reach speeds of 1 Gb/s.</p>
<p>With the continuing push and market  trend to cloud services and large scale web applications, expect to  see a fast availability and adoption of products and services  utilizing these much needed connection standards. </p>
<p>For more detailed information, you can check out the IEEE 802.3ba Task Force&#8217;s page here: <SPAN LANG="zxx"><U><A HREF="http://grouper.ieee.org/groups/802/3/ba/index.html">http://grouper.ieee.org/groups/802/3/ba/index.html</A></U></SPAN>. However, the actual standard itself is only available for purchase. You&#8217;ll have to wait six months after release to obtain any of IEEE&#8217;s standards for free.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networknewz.com/2010/07/19/ieee-approves-40gbs-and-100gbs-standards/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>HP Improves Network Security For Virtual Environments</title>
		<link>http://www.networknewz.com/2010/07/07/hp-improves-network-security-for-virtual-environments/</link>
		<comments>http://www.networknewz.com/2010/07/07/hp-improves-network-security-for-virtual-environments/#comments</comments>
		<pubDate>Wed, 07 Jul 2010 12:30:11 +0000</pubDate>
		<dc:creator>Mike Sachoff</dc:creator>
				<category><![CDATA[Network]]></category>

		<guid isPermaLink="false">http://www.networknewz.com/?p=158</guid>
		<description><![CDATA[HP has introduced new high-performance security solutions aimed at preventing network breaches in a converged infrastructure by offering comprehensive data protection across both physical and virtual environments. The new offerings bring improved security to HP FlexFabric, the company’s flexible and secure data center networking fabric for converged infrastructure. HP says as organizations move to a [...]]]></description>
			<content:encoded><![CDATA[<p>HP has introduced new high-performance security solutions aimed at preventing network breaches in a converged infrastructure by offering comprehensive data protection across both physical and virtual environments.<br />
The new offerings bring improved security to HP FlexFabric, the company’s flexible and secure data center networking fabric for converged infrastructure. </p>
<p><a href="http://www.hp.com/hpinfo/newsroom/press_kits/2010/NewHPNetworkingSolutions/index.html">HP</a> says that as organizations move to more virtualized and converged infrastructures, the importance of security is increased. Virtualized environments and their applications are subject to the same threats that impact traditional data centers.</p>
<p>The HP TippingPoint Secure Virtualization Framework (SVF) is a suite of products designed to help prevent network threats from impacting virtualized environments. The TippingPoint Virtual Controller (vController), the first product introduced under the SVF, extends TippingPoint security protection from physical to virtual networks by routing it through an HP TippingPoint N-Platform Intrusion Prevention System (IPS) appliance. The vController prevents security attacks by inspecting all VM traffic as it moves through the network &#8212; either between VMs or from VMs to traditional servers.</p>
<p>Additional vController features include:</p>
<p>*Increased network security by extending HP’s automated threat-prevention capabilities to virtual environments.</p>
<p>*Reduced deployment complexity by enabling customers to extend the same processes and tools used in securing their physical environments to their virtual infrastructures.</p>
<p>*Simplified management of network security by providing single-pane-of-glass management, visibility and control across both physical and virtual networks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networknewz.com/2010/07/07/hp-improves-network-security-for-virtual-environments/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Remotely Connecting To Coldfusion CFCs Through Flex</title>
		<link>http://www.networknewz.com/2010/06/21/remotely-connecting-to-coldfusion-cfcs-through-flex/</link>
		<comments>http://www.networknewz.com/2010/06/21/remotely-connecting-to-coldfusion-cfcs-through-flex/#comments</comments>
		<pubDate>Mon, 21 Jun 2010 13:40:17 +0000</pubDate>
		<dc:creator>Stefan Richter</dc:creator>
				<category><![CDATA[Network]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.networknewz.com/?p=152</guid>
		<description><![CDATA[Today I was working on a Flex application which uses a lot of Remoting calls to a bunch of ColdFusion CFC methods. I wondered what the most efficient way of securing these methods would be since they are effectively wide open to the world as they all (have to) specify access=&#8221;remote&#8221;. This means that anyone [...]]]></description>
			<content:encoded><![CDATA[<p>Today I was working on a Flex application which uses a lot of Remoting calls to a bunch of ColdFusion CFC methods. I wondered what the most efficient way of securing these methods would be since they are effectively wide open to the world as they all (have to) specify access=&#8221;remote&#8221;. This means that anyone with a web browser can invoke the methods and they will even return nice error messages when certain parameters are missing.<br />  One way of restricting access would be to run all Remoting calls through an intermediate page or CFC which handles authentication and access control and which in turn invokes the (now private) CFC methods. I found this a bit cumbersome and I also knew that there was a better way &#8211; I remembered the setCredentials method back from the AS2 days. You can see this described in greater detail by <a href="http://www.bpurcell.org/blog/index.cfm?mode=entry&amp;entry=978" target="_blank"> Brandon Purcell</a> in his MAX session <a href="http://www.bpurcell.org/blog/index.cfm?mode=entry&amp;entry=978">Securing  Applications</a> from 2003(!), but unfortunately it is not directly usabel in today&#8217;s Flex world.</p>
<p>While Brandon&#8217;s example is great, and <a href="http://www.coldfusionjedi.com/index.cfm/2006/11/25/Last-build-of-my-Flex-2ColdFusion-Security-Homework" target="_blank">Ray Camden</a> also has <a href="http://www.coldfusionjedi.com/index.cfm/2006/11/25/Last-build-of-my-Flex-2ColdFusion-Security-Homework" target="_blank">some details</a> to add, neither example had all the pieces I needed, particularly an example of not just authenticating a Flex application properly with a CFC but also how to log out again (and to jump ahead, simply running a cflogout tag did not work&#8230;).</p>
<p>I ended up using a combination of what Ray did, plus roughly the logic Brandon deployed, and added a Flex example to show (like Ray) how to call a secured and an unsecured CFC method. In addition I added a separate, explicit call to Flex&#8217;s setRemoteCredentials() on the RemoteObject class in order to trigger the cflogin logic in ColdFusion&#8217;s Application.cfc. </p>
<p>    Unfortunately I cannot show you a working example, but I am providing the <a href="/downloads/FlexCredentials.fxp" target="_blank">sources for the Flash Builder project and CF files</a>. Note that my example is set up to run on localhost, and I also specified a compiler flag of -locale en_US -services "services-config.xml" in Flash Builder.     My services-config file is also included. </p>
<p>  Here&#8217;s how I structured my <a href="/downloads/FlexCredentials.fxp" target="_blank">example</a>:</p>
<p> 1) Application.cfc: this file contains an onRequestStart which gets invoked on every request to this application, including cfm pages as well as cfcs. It contains a cflogin tag which executes only if the user making the request has *not* yet been authenticated. Inside the cflogin tag is a cfif tag which logs the current user in as long as the necessary credentials are passed in &#8211; this happens by using setRemoteCredentials() on RemoteObject in Flex/ActionScript.  </p>
<div class="code"><pre>&lt;cfcomponent&gt;

    &lt;cfset This.name = "FlexCredentials"&gt;

    &lt;cffunction name="onRequestStart" returnType="boolean" output="false"&gt;
        &lt;cfargument name="thePage" type="string" required="true"&gt;

        &lt;cflogin&gt;
            &lt;cfif isDefined("cflogin.name") and isDefined("cflogin.password")&gt;
                &lt;!--- normally you would add authentication logic here, verify the username and password before running the next line - I do it the simple way ---&gt;
                &lt;cfif cflogin.name eq "stefan"&gt;
                    &lt;cfloginuser name="#cflogin.name#" password="#cflogin.password#" roles="Client"&gt;
                &lt;/cfif&gt;
            &lt;/cfif&gt;
        &lt;/cflogin&gt;

        &lt;cfreturn true&gt;
    &lt;/cffunction&gt;

    &lt;cffunction name="onApplicationStart"&gt;
        &lt;cfreturn True&gt;
    &lt;/cffunction&gt;

&lt;/cfcomponent&gt;</pre></div>
<p>2) MyComponent.cfc: This file contains all the remote methods we call from Flex. One method (called &#8216;normalMethod&#8217;) can be called by any user (unauthenticated), another can only be called once logged in, and a third is used to log out (more details on that below).<br />    Access control is provided by using the CFC&#8217;s built-in roles attribute. An authenticated user is assigned a role of &#8216;Client&#8217;  and the &#8216;secureMethod&#8217; in the CFC is locked down by specifying that role.   </p>
<div class="code"><pre>&lt;cfcomponent hint="A test for CFLOGIN from Flex using RemoteObject and setRemoteCredentials"&gt;

    &lt;cffunction name="normalMethod" access="remote" returntype="String"&gt;
        &lt;cfreturn "Unsecured CFC method called successfully."&gt;
    &lt;/cffunction&gt;

    &lt;cffunction name="secureMethod" access="remote" roles="Client"&gt;
        &lt;cfset response = "Success. Secure method called by " &amp; getAuthUser()&gt;
        &lt;cfreturn response&gt;
    &lt;/cffunction&gt;

    &lt;cffunction name="logoutMethod" access="remote"&gt;
        &lt;cflogout&gt;
        &lt;cfset response="Logged Out Succesfully"&gt;
        &lt;cfreturn response&gt;
    &lt;/cffunction&gt;

&lt;/cfcomponent&gt;</pre></div>
<p>3) The Flex Application: this is slightly more complex than it needed to be for the purposes of this example, but hopefully it&#8217;s not too confusing. Rather than trying to explain the classes in detail please feel free to post any questions you may have in the comments below. </p>
<p>    <strong>Log Out Issues</strong><br />    In detail, what I was seeing was that I could still invoke the secure method from Flex after I had run the CFC&#8217;s logout method and the included cflogout tag. Switching directly to the browser &#8211; keeping the Flex app open in another tab &#8211; did NOT allow me to invoke the secure CFC method, so from that angle the cflogout tag appeared to have done its job. <br />    To really &#8216;kill&#8217; the user&#8217;s session inside the Flex app itself I had to explicitly call setRemoteCredentials again from Flex passing invalid login credentials. I have a theory on what is happening: the logout method does do its job as described and the user is actually logged out, but only until he tries to invoke another CFC method via the Flex app. As soon as that happens, Flex will re-send the previously set credentials (username, password) and re-authenticate the user using the cflogin tag in Application.cfc. This can apparently be confirmed by invoking the CFC method directly using a web browser both after the logout method has been called and then again after another CFC method has been invoked via Flex. Calling it via the browser after invoking logout in Flex results in a failed request, but after the next call from Flex it succeeds in the browser. For that reason I recommend sending a setRemoteCredentials(null, null) if you don&#8217;t want the Flex user to be able to call any further methods unless he re-authenticates (basically logs in again via some sort of login form which re-runs setRemoteCredentials() using valid credentials).   </p>
<p>I tried to find other ways for logging the user out and looking through some of the AS sources in Flex, it appeared that ro.channelSet.authenticated  may be a good flag for deciding if a user is logged in or not, however it always returned false for me regardless of whether or not the user was logged on&#8230; I tried logging the user out via ro.channelSet.logout() as well as ro.logout() but neither function seemed to actually do anything. If you have any idea if and how this is used with Remoting please let me know.    </p>
<p>So all in all, keeping the slight caveats above in mind, the combination of CFCs with role-based security applied and the setRemoteCredentials() method on the RemoteObject class in ActionScript work well and are easy to implement. Unfortunately the documentation in Flash Builder only covers part of the process, and the CF docs cover another part &#8211; the CF side. It takes some work to string both parts together, but once implemented the process works pretty well. Now that I got my head around it I am ready to hook this into my control panel application. </p>
<p><a href="http://www.flashcomguru.com/index.cfm/2010/6/21/securing-cfc-access-from-flex">Comments</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.networknewz.com/2010/06/21/remotely-connecting-to-coldfusion-cfcs-through-flex/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Cirrus Clouds</title>
		<link>http://www.networknewz.com/2010/06/07/cirrus-clouds/</link>
		<comments>http://www.networknewz.com/2010/06/07/cirrus-clouds/#comments</comments>
		<pubDate>Mon, 07 Jun 2010 14:14:48 +0000</pubDate>
		<dc:creator>Michael Marr</dc:creator>
				<category><![CDATA[Network]]></category>

		<guid isPermaLink="false">http://www.networknewz.com/?p=150</guid>
		<description><![CDATA[Cloud computing has become the standard form of deploying large-scale web applications. Recently, I was asked about servicing a start-up web service that projects itself as having the type of user base and bandwidth that only a Cloud could properly serve. The issue at hand is scalability: should the site start with a minimal Cloud [...]]]></description>
			<content:encoded><![CDATA[<p>Cloud computing has become the standard form of deploying large-scale web applications. Recently, I was asked about servicing a start-up web service that projects itself as having the type of user base and bandwidth that only a Cloud could properly serve. The issue at hand is scalability: should the site start with a minimal Cloud configuration so that it is easily scalable as growth occurs, or should it stick with/start with a virtual dedicated or regular dedicated server and move to the cloud when needed?<br />
<span id="more-150"></span><br />
Assuming the characteristics of your project require that you have complete control of the configuration and deployment of your server, you can easily rule out extremely cheap standard web hosting solutions. Thus, we end up in the virtual dedicated or dedicated server realm. When pricing these options, the standard price range is around $50 per month for a virtual server (VPS). Dedicated servers can be found for around $50 per month, but usually you are going to want to upgrade to a decent package, and thus these servers average around $75 per month for the type of server you&#8217;ll want to start with. These estimates were obtained from the prices available on over ten hosting companies.</p>
<p>When creating an Amazon EC2 cloud instance, we can utilize the reduced pricing of a reserved instance. A reserved instance is an instance that you intend to keep up for a high percentage of the time. Since this will be our only web server, we will want it up 100% of the time, and thus should take advantage of the reduced pricing of a reserved instance. On a small scale server (comparable to the VPS and dedicated servers priced above), we end up paying a $227.50 setup fee and $21.96 per month for our server. This averages out to $40.92 per month, and is clearly cheaper than the VPS and dedicated server options. What we gain with this option, however, is instant and easy scalability. Realistically, we won&#8217;t be switching our configuration from this minimal server to a fully scaled cloud overnight. However, we will be able to scale up our server as needed. We can also do something that we cannot do with a VPS or dedicated server: on-demand load balancing. We can easily configure our EC2 cloud to add instances as needed, only getting charged when those instances are in use. When they aren&#8217;t needed, they shut down and the meter stops running.</p>
<p>If you&#8217;re looking to deploy a project that has the potential of getting very large in the foreseeable future, deploying your environment in a cloud from the start seems like a viable and fiscally responsible option.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networknewz.com/2010/06/07/cirrus-clouds/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Got xsploitin&#8217; skillz? Heres how to get rich!</title>
		<link>http://www.networknewz.com/2010/05/24/got-xsploitin-skillz-heres-how-to-get-rich/</link>
		<comments>http://www.networknewz.com/2010/05/24/got-xsploitin-skillz-heres-how-to-get-rich/#comments</comments>
		<pubDate>Mon, 24 May 2010 14:21:02 +0000</pubDate>
		<dc:creator>Alex Trent</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Network]]></category>

		<guid isPermaLink="false">http://www.networknewz.com/?p=148</guid>
		<description><![CDATA[Software crackers who make money breaking other people&#8217;s software don&#8217;t usually get rich from their skills. With the release of iDefense Labs report on Emerging Economic Models for Vulnerability Research, this may be changing. While quite stealthy, or maybe not so stealthily, this paper is clearly an advertisement, a 20 page advertisement at that, aimed [...]]]></description>
			<content:encoded><![CDATA[<p>Software crackers who make money breaking other people&#8217;s software don&#8217;t   usually get rich from their skills. With the release of iDefense Labs   report on <a href="http://weis2006.econinfosec.org/docs/17.pdf">Emerging Economic Models for Vulnerability Research</a>, this may be changing.<br />
<span id="more-148"></span></p>
<p>While quite stealthy, or maybe not so stealthily, this paper is clearly an advertisement, a 20 page advertisement at that, aimed at crackers (or &#8220;security researchers&#8221; or whatever they want to call themselves) who want to make money cracking software, asking them to contribute their skills for monetary rewards to iDefense and TippingPoint (owned by 3com). For proof, just look at page four, there is a chart right in the middle of the page detailing how the best hack in a quarter can pull in 10 grand! While the lamest hack, of the top five, only earns $2000. So, technically, having the most leet hack for every quarter for four quarters would earn you $40,000 a year, better than a manager at Burger King!</p>
<p>So, you got your xsploitn&#8217; skillz and you&#8217;re ready to go, but who are these companies you&#8217;ll be working for? iDefense specializes in reselling the information provided to them via their exclusive subscriber service. They also provide their paranoid readership with special workarounds to use until a vendor releases a patch. Mainly only government agencies and financial institutions with money to blow sign up for this type of service. TippingPoint sells Intrusion Detection System (IDS) products that use the information provided to them to supply their IDS systems with signatures that will block the offending exploit. Corporate behemoths on the Fortune 500 list are some of their customers. These two companies don&#8217;t rely on paid 0day exploits for their only fear tactic. They publish vulnerability reports and even IDS signatures for &#8220;public&#8221; vulnerabilities.</p>
<p>The report goes on to tell us how crackers, who normally shroud themselves in anonymity, are sometimes hard to work with because they, not surprisingly, don&#8217;t trust the companies. Ironically, this 20 page advertisement tells us that most security researchers working with these companies are recruited by word of mouth. They also tell us that they advertise at cool shows like BlackHat and DEFCON. Then they bemoan how hard it is to work with companies and &#8220;ethical issues.&#8221; Apparently vendors seem to have a problem with them paying for hacks from people who could be &#8220;malicious.&#8221; Also, the industry cries about how they are encouraging people to find vulnerabilities.</p>
<p>Near the end of their report they acknowledge the truth that everyone already knows. Why would a person with a profitable 0day exploit just submit it to them for a mere chance at $10,000 when they could just sell it to 5 people on IRC somewhere in China or Russia for $4000 each and be guaranteed to make twice as much? They also seem to poke fun at Microsoft and their Trustworthy Computing Initiative with this amusing swipe, &#8220;If clients lose confidence in a vendor’s ability to produce secure technology, the damage done to a vendor’s corporate reputation can be translated into lost sales. It is for this very reason that Microsoft has spent billions of dollars to launch their Trustworthy Computing Initiative.&#8221; Everyone knows how worthless the resulting <a href="http://www.schneier.com/blog/archives/2008/05/tpm_to_end_pira.html">Trusted Platform Module (TPM)</a> is.</p>
<p>While I do see some benefit from these products, I can&#8217;t shake the   feeling that this is just another form of blackmail or extortion. The   problem is, that these services create a group of companies that are   privy to this information while everyone else has to wait. This creates   two worlds in which &#8220;private&#8221; vulnerability information sold by these   companies is made available to their clients, while companies relying on   &#8220;public&#8221; vulnerabilities could conceivably be attacked and exploited by   the companies with access to the &#8220;private&#8221; vulnerability information.   Maybe a non-profit that did the same while contributing the exploit   information to normal vulnerability channels like <a href="http://www.kb.cert.org/vuls">cert</a> would be something I could believe in. If   these products end the world of closed source hardware and software then   I&#8217;m all for it, otherwise I hope they sink to the depths never to   return. For that matter is what these companies are doing even legal?!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networknewz.com/2010/05/24/got-xsploitin-skillz-heres-how-to-get-rich/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Penetration testing with Metasploit</title>
		<link>http://www.networknewz.com/2010/05/10/penetration-testing-with-metasploit/</link>
		<comments>http://www.networknewz.com/2010/05/10/penetration-testing-with-metasploit/#comments</comments>
		<pubDate>Mon, 10 May 2010 15:08:04 +0000</pubDate>
		<dc:creator>Alex Trent</dc:creator>
				<category><![CDATA[Network]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tips]]></category>

		<guid isPermaLink="false">http://www.networknewz.com/?p=146</guid>
		<description><![CDATA[When recommending penetration testing for a corporate network the first question is usually, &#8220;Why would we need penetration testing?&#8221; The first answer is, if you don’t, they will. Every day, malicious and sometimes just overly curious people use their computers to run automated testing scripts that look for system vulnerabilities to record and potentially later exploit. Sometimes the [...]]]></description>
			<content:encoded><![CDATA[<p>When recommending penetration testing for a corporate network the first question is usually, &#8220;Why would we need penetration testing?&#8221;</p>
<p>The first answer is, if you don’t, they will. Every day, malicious and sometimes just overly curious people use their computers to run automated testing scripts that look for system vulnerabilities to record and potentially later exploit. Sometimes the people running the scripts just want to find problems and notify the administrators that they need to be fixed. However, not all administrators are so lucky. If businesses do not take a proactive stance and run penetration tests on their own network to find and fix problems, it is likely that they will be the recipient of an attack that could have been prevented.</p>
<p><span id="more-146"></span></p>
<p>Today, it&#8217;s easy to run penetration tests: the Metasploit Framework provides fully automated network penetration testing. Some time ago, to test exploits on your own machines you’d have to go find them from obscure websites, download them, and sometimes even compile them. Today the Metasploit Framework can replace these time-consuming tasks with a single tool.</p>
<p>Using Metasploit to find security holes may sound dangerous, but as long as you have your data backed up and are properly monitoring your systems there is little chance it will have any noticeable impact on your network. Metasploit is designed to find vulnerabilities, exploit them, and open a remote shell on the affected machine(s) if possible. It is possible that in doing this a service may be shut down and have to be restarted, but that is usually the worst of it. Also any printers on the network may print out some random data as Metasploit looks for vulnerabilities. As long as users are aware that the test is being run and it has the potential to cause minor annoyances for a short time, your testing should go smoothly.</p>
<p>Another question often asked is, &#8220;I keep my servers and desktop systems up to date, why would I need to?&#8221; This is a perfectly reasonable question, but the proper response is, &#8220;Why assume, when you can test and know?&#8221; Why not run a simple automated test to check for vulnerabilities so that they can be found and fixed before they are exploited by malicious tools? Nothing will ever prevent attackers 100%, but by using the Metasploit Framework, you can get one step closer.</p>
<p>Download the Metasploit Framework <a href="http://www.metasploit.com/framework/download/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networknewz.com/2010/05/10/penetration-testing-with-metasploit/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Optimizing Network-Attached Storage</title>
		<link>http://www.networknewz.com/2010/05/03/optimizing-network-attached-storage/</link>
		<comments>http://www.networknewz.com/2010/05/03/optimizing-network-attached-storage/#comments</comments>
		<pubDate>Mon, 03 May 2010 15:56:57 +0000</pubDate>
		<dc:creator>Doug Caverly</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.networknewz.com/?p=143</guid>
		<description><![CDATA[The fact that Sony will stop selling floppy disks in Japan has generated a lot of headlines recently, and it&#8217;s easy to realize after seeing them that storage solutions have become quite cheap.  They&#8217;ve become more complicated, too, however, and so a guide titled &#8220;How To Get The Most Out Of Your NAS&#8221; may prove [...]]]></description>
			<content:encoded><![CDATA[<p>The fact that Sony will stop selling floppy disks in Japan has generated a lot of headlines recently, and it&#8217;s easy to realize after seeing them that storage solutions have become quite cheap.  They&#8217;ve become more complicated, too, however, and so a guide titled &#8220;How To Get The Most Out Of Your NAS&#8221; may prove useful.</p>
<p><span id="more-143"></span>Network-attached storage devices can often perform all sorts of nifty functions, and in an article for Gizmodo, <a href="http://gizmodo.com/5528815/how-to-get-the-most-out-of-your-nas">John Mahoney</a> started by writing about remote access.  His key point: &#8220;The easiest way to access your NAS from outside of your home network is to set up an FTP server.&#8221;</p>
<p>Next, Mahoney addressed the idea of using any device in conjunction with Apple&#8217;s Time Machine utility, which is important since Apple&#8217;s Time Capsule is all it&#8217;s really supposed to work with.  And on a related note, he later talked about Windows and Mac compatibility, as well.</p>
<p>What&#8217;s more, Mahoney covered the concept of RAID (&#8220;go RAID 1 or don&#8217;t worry about it&#8221;), and if you have any videos that someone would like to watch on a regular television, he even wrote about NAS devices as they apply to console video streaming.</p>
<p>Since network-attached storage still isn&#8217;t free &#8211; and since quite a lot can go wrong if data doesn&#8217;t travel and/or get stored as intended &#8211; it&#8217;s probably worth your while to follow these tips and get the most out of your NAS devices.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networknewz.com/2010/05/03/optimizing-network-attached-storage/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
