In 1995 we worried about users bringing in their own software. In 2010, we’ve got users downloading their own virtual machines. This week at VMworld, Gartner’s Chris Wolf conducted a session on private cloud security that raised a few eyebrows and called into question the security of virtualized environments.

The entire VMworld show has been enlightening, but Wolf’s session was particularly interesting given Likewise’s role in the data center. While he was talking, I couldn’t help but realize I’ve seen this cycle before — like when networking started taking off inside most companies in the mid-90s and the security controls weren’t quite ready for the combination of computers that were suddenly chatty with each other and users bringing in software from home.

Companies have learned their lesson about user-installable software, and you’ll find very few companies that haven’t locked down their desktops and servers to prevent unauthorized software. Instead, companies — according to Wolf — are starting to see a rash of unauthorized virtual machines that pose real threats to internal security.

The gap here is privileged user management. Users are prevented from installing software on their Windows machines by company policy, usually enforced through Active Directory Group Policy. But admin privileges at the hypervisor level mean that people are downloading and running unverified, unauthorized, and occasionally malicious virtual machines. Wolf described one scenario in which a company suffered an internal denial-of-service (DoS) attack from a malicious virtual machine.

In the rush to embrace virtualization, companies haven’t always treated virtual machines as carefully as they have other forms of software. That’s changing now, and policies are reflecting that. The next step, of course, is to enforce that policy at the authentication layer and audit what the users are doing to ensure that the virtual machines that are running in your environment are acquired and deployed properly.

VMware has shown that it’s well aware of the needs that enterprises have to keep control of their network and the machines, both physical and virtual, running within it. This is why we’ve worked closely with the company to integrate Likewise Identity Service into ESXi, to give organizations the ability to set policy and enforce it using Microsoft Active Directory across Windows, Linux, Unix, Mac OS, and ESXi hosts. Technology keeps leaping ahead, but the basic problems remain: companies need to keep tight control over the services, software, and even virtual machines running on their network.

Best Practices with Sudo

Many Linux users are familiar with sudo these days. Ubuntu has done a lot to popularize sudo by making it the default instead of having users su to the root account to install software and perform other administrative tasks. But there’s much more to sudo that users and admins should know.

What many users aren’t aware of is that sudo can be used to execute commands as any user, not just the root user. In the hands of a skilled admin, sudo can be used to set up fine-grained permissions to provide users with access to perform a few administrative tasks without giving away the keys to the kingdom. Let’s look at some of the best practices for controlling system access with sudo while still allowing users to be productive.
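As an added illustration of those two points (an example added here, not taken from the Linux Planet article or from Likewise’s documentation): a sudoers drop-in that hands out a handful of administrative tasks, some run as root and some as a service account. The user names, group names and paths are made up for the example.

```sudoers
# /etc/sudoers.d/ops -- always edit with "visudo -f", and check a file before
# installing it with "visudo -c -f /path/to/file"; a syntax error in sudoers
# can lock every admin out of sudo at once.

# Aliases keep rules short and make the policy easy to audit later.
User_Alias  WEBOPS  = alice, bob
User_Alias  DBA     = carol
Cmnd_Alias  WEBSVC  = /usr/sbin/service apache2 restart, \
                      /usr/sbin/service apache2 reload, \
                      /usr/sbin/service apache2 status
Cmnd_Alias  WEBLOGS = /usr/bin/tail -n 200 /var/log/apache2/error.log

# Only these commands, as root, and nothing else.
WEBOPS  ALL = (root) WEBSVC, WEBLOGS

# The "(postgres)" field is what makes sudo more than a root switch:
# carol runs the backup as the database account, never as root.
DBA     ALL = (postgres) NOPASSWD: /usr/bin/pg_dumpall --clean

# A group-based rule: every member of the deploy group may run the one
# release script as the deploy user.
%deploy ALL = (deploy) /opt/deploy/bin/release

# Things to avoid in such rules:
#  - editors, pagers and anything with a shell escape (vi, less, man, ...),
#    which turn the rule into "root shell";
#  - trailing wildcards such as "/usr/bin/tail /var/log/*": sudo's "*"
#    matches across argument boundaries, so it also allows
#    "tail /var/log/syslog /etc/shadow";
#  - "ALL=(ALL) ALL" for anyone outside a small, audited admin group.
```

With arguments spelled out in the command alias, sudo requires an exact match, so `sudo service apache2 stop` is refused for WEBOPS while the three listed actions work; `sudo -l` shows each user what they have been granted.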

Read the rest on Linux Planet here:
(http://www.linuxplanet.com/linuxplanet/tutorials/7165/1/)

Update from VMworld

If you’re not on the floor at Moscone Center this week, you’re missing out on one of the best virtualization conferences of the year. VMworld 2010 is one of the best-attended industry events I have seen in at least three years. Virtualization, and VMware, are still top of mind today if the turnout at VMworld 2010 is any indication. Attendees are very engaged, and actively looking for solutions to support their virtualization initiatives.

Likewise has a great booth location (#1606) this year, near the show floor entrance. We have a steady stream of people visiting our booth showing strong interest in Likewise Open, Likewise Enterprise, and the tech preview for the Likewise Virtual Storage Appliance. Interest at the booth ranged from enterprises looking to better integrate Unix and Macs with their existing AD infrastructure, to storage vendors asking how they could leverage Likewise to enhance their product offerings.

Likewise support for VMware environments is highlighted on several fronts at the show. The Active Directory support that ships as part of the ESXi 4.1 release, which Likewise provides, was called out as a main feature of the release. In a track session on ESXi 4.1, our support was covered in a detailed demonstration, and the presenter directed attendees to the Likewise booth to find out more about what Likewise can do to integrate Linux, Unix, and Mac OS environments with Windows Active Directory. As a result, we saw a steady stream of attendees at the Likewise booth wanting to learn more.

We also had a chance to talk to attendees and hear the reaction to our directory integration in ESXi 4.1. Reactions ranged from moderate enthusiasm to “this is amazing!” when we confirmed that upgrading their environment from vSphere 3.x to 4.1 would provide directory integration automatically. We’ve been really excited about our announcement since March, but having an opportunity to hear what it means to users has us even more stoked.

Perhaps the best story yet is a Likewise user who stopped by the booth on Tuesday, talked virtualization security with us for a while, and learned what more we can do for them. We gave him a t-shirt, and he went on his way. This morning, he walked by the booth wearing his t-shirt. He came and told us, “I received a bunch of t-shirts from vendors yesterday. But I decided to wear the one from the company that does the most for me.” And that’s us!

If you’re at VMworld this week, stop by the booth and say hi. We’ve got plenty of t-shirts to hand out and are looking to talk to as many VMware and virtualization users as possible, live and in person. We’d like to hear how you’re using virtualization and cloud technologies, and what challenges you’re seeing in integrating all these technologies in a rapidly changing data center.

The show is half over, but this promises to be a great week!

Who’s watching the watchmen? This is one of the top concerns inside IT shops as companies work to protect both their own and their customers’ valuable and confidential information. And this problem is getting worse, not better, with the growth in applications and infrastructure. The current merger and acquisition frenzy causes yet another set of problems around privileged users as companies grow through acquisition and merge disparate IT infrastructure, people, and processes.

Specifically, who’s ensuring that administrative privileges are doled out to the right users, and how do you integrate those controls so that it’s not only possible to provide limited administrative access – but centralize the process as well?

We are at VMworld this week in support of the partnership with VMware announced in March. Likewise’s authentication technology has been licensed by VMware, ships with ESXi, and is exposed in VMware vSphere beginning with 4.1. By integrating Likewise Identity Service into ESXi, we’re able to fill a major gap in privileged user management for enterprises using vSphere.

By tying vSphere users into Microsoft Active Directory (AD), we can reduce the complexity of managing users and ensure that there’s no “identity sprawl” when deploying VMware. In addition, IT can delegate the appropriate level of permissions using AD so that department IT staff are limited in the services they can administer and deploy. Want to make sure a branch office IT staff can administer virtual machines, but not deploy new machines? By integrating ESXi with Microsoft Active Directory, it’s easy to set up fine-grained permissions for administrators across the enterprise – just as we’ve always done with users on Linux, Unix, and Mac OS systems.

Furthermore, by integrating Likewise Identity Service into ESXi, VMware is helping companies improve security right out of the box. When someone leaves a company it is a simple, automated task, using AD, to ensure that person’s email and computer privileges are shut down. That’s not always true for privileged users outside of AD. Often the process is manual and time consuming and leaves “ghost accounts” behind, a big red flag for auditors because such accounts are a standing path back into the environment. By having a single directory in Active Directory for HR provisioning and deprovisioning, we remove the problem of having to manually manage each privileged account. Companies are able to extend privileged user management from Windows desktops to Linux servers and VMware ESXi. The company password policies, syslog configuration, time synchronization, and limits on access to sudo and su all flow from your policies in Active Directory to ESXi.

Now we have one set of credentials, one user, but with fine-grained permissions that ensure that company policies are enforced, and the user has the appropriate permissions – and no more – from their desktop to the VMware infrastructure. One set of credentials encompasses the user’s desktop login, their server login and sudo settings on Linux and Unix, and their role in VMware ESXi. Active Directory’s security settings follow users everywhere – from first hire to retirement, when the account is turned off by HR.

By integrating VMware into the same infrastructure that is now shared by Windows, Linux, Unix, and Mac OS, everybody wins.

It’s been less than a year since we debuted Likewise CIFS, a Linux-based, high-performance, Windows-compatible file server. Ever since our first Likewise CIFS licensing wins, HP and EMC/Data Domain, we’ve had a steady stream of requests to package Likewise CIFS in a way that could be easily provisioned for end users. Frankly I’ve been stunned by the number of requests that we get regarding Likewise CIFS from a range of enterprise, mid-enterprise, and SMB customers.

Initially, our foray into CIFS was purely as a technical piece of our AD-bridge solution. We were unsatisfied with other options and wrote our own CIFS client module to solve file transfer issues for Likewise Open and Likewise Enterprise. Later we were prodded, pushed, and cajoled by several licensees of our authentication technology, Likewise Identity Services, to provide our CIFS solution as a commercial offering.

Next week at VMworld we’re going to debut a technology preview of a Virtual CIFS Storage Appliance that will be shipping later this year. The appliance allows customers to migrate physical legacy file servers and achieve the cost and power savings of virtualization, as well as significant performance advantages for SMB1 and SMB2 file shares on Likewise CIFS.

Likewise CIFS on top of vSphere/vCenter brings a new level of flexibility to file sharing. Our customers have told us that redundancy is king for their data, and they’ll be able to enjoy load balancing and automatic failover with the Likewise CIFS appliance on top of VMware solutions. They’ll also be able to ensure the continuity of business data with snapshotting and simple backup and restore functionality.

The VMware appliance is just part of the Likewise vision of bringing interoperability to mixed networks. Earlier this year we partnered with HP to bring Likewise CIFS and Likewise Identity Service to the StorageWorks platform and, as requested, we’re busy working with other Likewise partners to offer Likewise CIFS and Identity Services as part of other solutions.

Come by the Likewise booth (#1606) next week at VMworld and see why Likewise has the answer to file-sharing woes in large organizations.

LinuxCon Goes East

In 2009, the Linux Foundation started its own Linux conference, dubbed LinuxCon. The event brought together a mix of industry experts and Linux developers to meet and talk about the state of the Linux ecosystem. Last year the foundation hosted the event in Portland, and moved it to Boston for 2010. The move didn’t do anything to diminish the event, though.

One of the highlights of LinuxCon 2010 was the keynote by Jeffrey Hammond of Forrester Research. Hammond looked at open source adoption in the enterprise, a topic near and dear to Likewise. The bad news? Hammond said that the “urgency to adopt” open source has diminished. The good news? That’s because it’s already so pervasive that it’s hard to find an enterprise without significant investment in open source.

Hammond’s overall message was that open source has largely “won” in terms of enterprise mindshare. Few enterprises are without open source deployments, and they’re choosing Linux and open source not just because it’s cheaper, but also because it’s more flexible and the developers working with open source find it easier to deploy and work with once it’s deployed. Hammond also noted the rapid uptake of Linux among developers, and Ubuntu is leading the pack there, with more than 17% of developers working with Eclipse choosing Ubuntu.

Judging by the presentations at LinuxCon the overall health of Linux is excellent, with a lot of interesting work going on in areas of interest to the enterprise. Chris Mason’s presentation on the state of Btrfs was standing room only, as were many talks at the event.

Linux is also getting smaller. That is to say, while about half of the talks at LinuxCon were focused on enterprise issues like scaling or server adoption, databases for cloud services, and so on – a pretty hefty swath of talks focused on Linux on mobile devices. The MeeGo keynote co-presented by Intel and Nokia was very well attended, and Dawn Foster’s “where are we now” community talk was also standing room only.

Linux on the desktop received less attention this year, compared to 2009. The year of the Linux desktop may be a few years away, but Linux in the enterprise and on mobile devices seems extremely healthy.

Next year, LinuxCon will be packing its bags and heading West once again, this time to Vancouver, BC. Since that’s just a car trip away from the Likewise headquarters, we’re already looking forward to attending next year’s LinuxCon and seeing how the industry is faring in 2011.

These days, it’s getting more and more rare to see in-depth reviews of products. The imploding publishing industry means speedier coverage and less time spent on everything, especially product reviews. So we were pleased to see eWeek is continuing its tradition of product reviews with heft by putting Likewise Enterprise through its paces.

Frank Ohlhorst wrote up Likewise Enterprise recently, and we’re happy to see that he mostly gave Likewise a thumbs up. He tested Likewise on Ubuntu, Mac OS X, and openSUSE against Windows Server 2008 R2, and said he was surprised how easy it is to install and work with. We’re glad to hear that, because a lot of work has gone into making Likewise as easy to install and manage as possible. Authentication and user management should just work, whether you’re on Windows, Linux, UNIX, or Mac OS X.

The complaint Frank surfaced in the review about login time is something we’ve been working on for our next release, and have improved dramatically in Likewise Open 6. Those improvements will be rolling up to our enterprise customers this fall, and we think Frank (and our users) will be pleased with the results.

If you haven’t tried Likewise yet, give Frank’s review a read and download Likewise Open 6 for a trial run. We’re sure you’ll be impressed with the results.

It must be something in the summer air that’s making people’s thoughts turn to Linux and Windows interoperability. Likewise was featured twice this week in pieces about authenticating Linux machines against Microsoft Active Directory.

Likewise Enterprise was featured in this round-up of solutions for integrating Linux into Windows networks, as a method of joining non-Windows systems to Active Directory and for providing centralized administration of users. Likewise Open also gets a shout as a great way to try out Likewise.

Want a quick and easy guide to authenticating Ubuntu against AD? Linux.com’s Jack Wallen takes a look at setting up Likewise Open on recent Ubuntu releases – just follow along and you’ll be logging into Windows networks with your Ubuntu machine in no time! Wallen provides a great step-by-step guide, so if you’re setting up Likewise Open for the first time, it’s a great resource.

It’s good to see that some reporters are still filing informative pieces on working with mixed networks, rather than the filler columns you usually see when the heat index rises.

I just finished reading Mike Vizard’s excellent post, “Authentication in the Cloud” and I thought it would be worthwhile to go into more depth about the issues regarding authentication and cloud computing. While the topic seems pretty straightforward (“validate my username/password”), it gets incredibly messy very quickly.

Before I talk about authentication in the cloud, let me review something more mundane: authentication on your private network. What happens when you log in to your machine and then try to access some resource, say a file server or database, on your network? Yes, of course, when you log in to your computer, something needs to assure that your username and password are valid.

If you’re logging into a Windows machine, this authentication is performed by a component called the “Local Security Authority Subsystem Service”. If you run Windows Task Manager and list the running processes for all users, you will see a program called “lsass.exe” – that’s the one. By the way, if you run Likewise on a Linux/UNIX/Mac machine, you will notice that we add a daemon called “lsassd” – guess what that does?

LSASS (Microsoft’s or ours) can authenticate a user one of two ways: using “local” credentials or using Active Directory credentials. If your machine is “joined” to Active Directory, you will typically login to your machine with your AD account (including the appropriate “domain” name). If your machine is not joined to Active Directory (it’s in “workgroup” mode), you will login to the machine using local credentials. In the local case, your username and password are validated against account information stored on your own machine. In the AD case, however, something more significant happens: LSASS authenticates your credentials using the Kerberos protocol to talk to an AD domain controller.

Kerberos is a wonderful thing. It authenticates you without ever sending your password across the network, in either clear or hashed form: the client proves it knows the password by encrypting a fresh timestamp with a key derived from it, and the domain controller checks that the timestamp decrypts. That keeps the password and its hash off the wire, but it does not make offline password cracking impossible. Anyone who captures that encrypted pre-authentication timestamp (or a service ticket, which is encrypted with the service account’s key) can try candidate passwords against it offline until one decrypts correctly, so weak passwords stay weak under Kerberos; what you gain is that a passive sniffer never sees a reusable credential. Kerberos is also great because it supports single sign-on. Once you are logged in to your machine, you hold a special ticket (the ticket-granting ticket) that can be used to acquire additional tickets for other services. If you then go and access a Windows file server, it will not prompt you for credentials if your logon credentials are sufficient. Under the covers, the authentication code automatically acquires a “service” ticket for the file server based on your logon ticket. If you access a SQL Server database or a Microsoft IIS-protected web site, again, you don’t need to enter additional credentials because the necessary service tickets are automatically acquired. Nifty.

If you logged in using local credentials, you don’t get any of this goodness. When you try to access a file server, it will perform older “NTLM” authentication and realize that it doesn’t know anything about your local account – if the files on the server are protected, you will be prompted for credentials in order to access them. With SQL Server and with IIS you’ll need to use more primitive authentication techniques (“SQL authentication” or basic authentication, for example).
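The exchanges described above, as an added example that is not code from the original post, from Likewise or from Microsoft: a toy Kerberos in Python with the AS exchange (interactive logon), the TGS exchange (a service ticket obtained from the TGT) and the AP exchange (the file server checks the ticket using only its own key). The cipher is a stand-in for the real Kerberos encryption types, and the realm EXAMPLE.COM, the principals alice, krbtgt and cifs/files.example.com, and every password are constructed for the demonstration. The last function shows the caveat: the pre-authentication blob captured during logon is enough for an offline dictionary attack on a weak password.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges (added example).
Not Likewise or Microsoft code: the cipher is a stand-in (SHA-256 keystream
plus HMAC tag) and every realm, principal, key and password is constructed."""
import hashlib, hmac, json, os, time


def derive_key(password, salt):
    # string-to-key: the salt is realm + principal, so equal passwords still
    # give different keys (stand-in for the real AES string-to-key function).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)


def _xor_stream(key, nonce, data):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


def encrypt(key, obj):
    """Encrypt-then-MAC a small JSON structure: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor_stream(key, nonce, ct))


class KDC:
    """The domain controller: the only place every long-term key lives."""
    def __init__(self, realm):
        self.realm, self.keys = realm, {}

    def add_principal(self, name, password):
        self.keys[name] = derive_key(password, self.realm + name)

    def as_exchange(self, client, preauth):
        # AS-REQ: the client proves it knows its key by encrypting a fresh
        # timestamp; neither the password nor a hash of it is on the wire.
        if abs(time.time() - decrypt(self.keys[client], preauth)["timestamp"]) > 300:
            raise ValueError("clock skew too large")
        s_tgs = os.urandom(32)
        tgt = encrypt(self.keys["krbtgt"], {"client": client, "key": s_tgs.hex(),
                                            "exp": time.time() + 36000})
        # AS-REP: session key readable by the client, plus a TGT it cannot read.
        return encrypt(self.keys[client], {"key": s_tgs.hex()}), tgt

    def tgs_exchange(self, tgt, authenticator, service):
        t = decrypt(self.keys["krbtgt"], tgt)
        s_tgs = bytes.fromhex(t["key"])
        if decrypt(s_tgs, authenticator)["client"] != t["client"] or time.time() > t["exp"]:
            raise ValueError("bad authenticator or expired TGT")
        s_svc = os.urandom(32)
        ticket = encrypt(self.keys[service], {"client": t["client"], "key": s_svc.hex()})
        return encrypt(s_tgs, {"key": s_svc.hex()}), ticket


class Client:
    def __init__(self, kdc, name, password):
        self.kdc, self.name = kdc, name
        self.key = derive_key(password, kdc.realm + name)  # never leaves the client
        self.tgt = self.s_tgs = None

    def login(self):
        """Interactive logon; returns the pre-auth blob a sniffer would capture."""
        preauth = encrypt(self.key, {"timestamp": time.time()})
        rep, self.tgt = self.kdc.as_exchange(self.name, preauth)
        self.s_tgs = bytes.fromhex(decrypt(self.key, rep)["key"])
        return preauth

    def ap_req(self, service):
        """Single sign-on: turn the TGT into a service ticket, no password asked."""
        auth = encrypt(self.s_tgs, {"client": self.name, "time": time.time()})
        rep, ticket = self.kdc.tgs_exchange(self.tgt, auth, service)
        s_svc = bytes.fromhex(decrypt(self.s_tgs, rep)["key"])
        return ticket, encrypt(s_svc, {"client": self.name, "time": time.time()})


def service_accept(service_key, ticket, authenticator):
    """What the file server does: it needs only its own key, never the KDC."""
    t = decrypt(service_key, ticket)
    if decrypt(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"]


def crack_preauth(realm, client, preauth, wordlist):
    """The caveat: a captured pre-auth blob can be guessed against offline."""
    for guess in wordlist:
        try:
            decrypt(derive_key(guess, realm + client), preauth)
            return guess
        except ValueError:
            pass
    return None


def demo():
    kdc, svc = KDC("EXAMPLE.COM"), "cifs/files.example.com"
    kdc.add_principal("krbtgt", os.urandom(16).hex())
    kdc.add_principal(svc, os.urandom(16).hex())
    kdc.add_principal("alice", "Summer2010")  # weak on purpose
    alice = Client(kdc, "alice", "Summer2010")
    captured = alice.login()                   # what a sniffer sees of the logon
    who = service_accept(kdc.keys[svc], *alice.ap_req(svc))
    guessed = crack_preauth("EXAMPLE.COM", "alice", captured, ["password", "Welcome1", "Summer2010"])
    return who, guessed


if __name__ == "__main__":
    print(demo())  # ('alice', 'Summer2010')
```

`demo()` returns `('alice', 'Summer2010')`: the file server learned who alice is without the KDC being involved at access time and without a password ever crossing the wire, and the sniffer still recovered her weak password from the captured pre-authentication blob alone. The defences are the same ones AD admins already know: long passwords or smart cards for users, long random passwords for service accounts, and AES encryption types rather than RC4.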

Challenges of Authentication in the Cloud

Consider now “the cloud.” Or, rather, clouds, because you’ll find several offerings that fit under the cloud umbrella.

Well, first consider that the initial cloud that any of us will encounter is really “the local VMware datacenter” or as it’s now being called, “the Private Cloud.” No problems with the Private Cloud – it’s connected to our network and can fully participate in the goodness of Active Directory and Kerberos.

The second cloud we’ll encounter is “the Hybrid Cloud”: an external cloud of computing resources that serves as an extension of the internal datacenter, allowing workloads to be offloaded as needed. How authentication takes place in the Hybrid Cloud depends on exactly how it’s implemented. Many in the cloud business, however, suggest that it should be connected to the Private Cloud via a virtual private network (VPN). If this is the case, the external cloud resources are effectively part of the internal network and we’re back to the simple Private Cloud scenario.

So, finally, let’s consider the “Public Cloud.” This is where things get messy.

The Public Cloud is generally defined as being external to the companies that use it. It is where SaaS-type applications (typically web-based) will run. Microsoft’s Azure platform, for example, defines a very compelling set of libraries and software architecture that simplify the creation of massively scalable apps. “Let a hundred [web app] flowers bloom”, to misquote Mao Zedong. How does authentication work in this context? When you login to a web application, how are your credentials validated? The answer is, unfortunately, “all kinds of ways”: LDAP, database lookups, file lookups, even Kerberos, sometimes.

Tower of Babel in the Clouds

The problem with this lack of cohesive authentication strategy is that it makes it difficult to effect things that we take for granted in the Private Cloud. When somebody leaves the company, how do we disable his/her user accounts on outside SaaS apps? How do I keep track of my passwords for all my various applications, since they don’t support single sign-on? How can we enforce password policies when no two systems use the same authentication mechanism?

We are just beginning to solve some of these problems. Identity federation standards such as SAML (Security Assertion Markup Language), and products that implement them such as ADFS (Active Directory Federation Services), enable apps that run in the Public Cloud to authenticate users with their own corporate credentials. Salesforce, for example, lets you log in with your corporate username and password once you set up a federation agreement with them. Unfortunately, identity federation is well defined only for some simple web application use cases. There’s no easy way for me to back up my local disk to a Public Cloud service automatically using my corporate credentials to authenticate me to the service. I can’t write a local application that accesses a SQL database in a Public Cloud and enforces security using my federated corporate identity.

Ultimately, we need to remove the distinction between corporate and web authentication – all authentication should be based on Internet-routable protocols and the nature of identity federation should become simpler (there should be no need for internal/external identity federation servers).

This will take a long time – Microsoft’s version of LSASS knows nothing about web-based authentication protocols. When we do figure this out, however, we should make sure that we do not lose the many benefits of our current mechanisms. Kerberos is a great security protocol, offering the user much convenience. Let’s figure out how to more broadly apply it in the Public Cloud context.

I was reading a blog a couple of days ago about a company’s security manager being left out of the loop when the company reorganized its Active Directory architecture — and a couple of thoughts occurred to me that I thought I’d share. The post recounts how his company made some directory topology decisions without involving him, the Security Manager for the company.

Now, I don’t know the writer and it’s possible that he’s a superb Security Manager and that his company made a serious oversight in not consulting him regarding these decisions. I think it’s also possible, however, that the company deliberately chose to exclude him from these deliberations. Why would they do this? Maybe he doesn’t understand the issues. Maybe he’s so security conscious that he’s obstructive. Maybe he’s too slow at making decisions.

At Likewise, we frequently have to deal with Security Managers or with CSOs (Chief Security Officers), and we’ve run into both good and bad ones. Security is a difficult topic. Understanding it requires familiarity with high-level policy and regulatory issues (e.g. HIPAA, SOX, etc.) and with low-level details (ACLs, roles, etc.). It’s hard to find security personnel who have mastery over the entire gamut of issues. It’s also hard to find people who have the right balance of risk and reward. It’s easy to ensure security simply by preventing everyone from doing anything risky. A good Security Manager has to have both the right technical chops and the right balance of risk and reward.

As to the specific technical issues in the blog post, the Security Manager suggests that his company’s decision to go with a single-forest/single-domain Active Directory design sounds wrong to him and that, perhaps, it would be better to go with a single forest with multiple domains. He doesn’t explain why he thinks this is better. It’s possible that he’s right, but I would make the following observation: our largest customers tend to have the simplest AD topologies. Many ended up with simple topologies after suffering through more complex ones. Although child domains are simpler than inter-forest trusts, they still add complexity to the design and sometimes result in LDAP referrals that trip up applications. He’s certainly right about other issues, however, for example the dangers of centralized vs. distributed domain controllers.

So, my advice to the writer is that when your girlfriend tells you “it’s not about you, it’s about ME”, sometimes it really is about you. But then again, I don’t know him.