Probably we all use virtualization, which in the past few years has become the new holy grail of personal computing, and not only that. We all use VMs; those of us who work as developers, consultants or sysadmins basically can't live without them. So is there only good in virtualization … ? It is cheap, it is handy … what can be wrong?
Probably nothing, and this is probably only a thought going around my head, but some incidents on a network last Friday and Brian Puhl's blog about problems with networking and IP addresses make me think that, for corporate environments, we may be missing one piece of the puzzle – CONTROL.
Maybe it isn't so important if we think about VMware ESX and Hyper-V locked away in data centers and hosting our main business services. Both technologies provide a way to control who can do what on a given instance. However, what we can't control is the hundreds or maybe thousands of VMs running on desktops and laptops here and there in our networks.
As far as I know, none of the current virtualization products available for desktop machines provides an easy way to control simple things like:
- how many virtual machines are running on a host
- how many VMs a user actually CAN run on a host
- whether a user can attach VMs to a physical interface and, as a result, to our network
- how many software licenses are being used in VMs.
This aspect is completely missing from these products, which may be a result of the fact that there is no need for such mechanisms and my thoughts on this are completely incorrect. What I know now is that if we look at the clash of two sides, "Administrator" and "User running VMs", the former is in a losing position.
From my perspective, what I'm thinking of as a solution on the Windows platform is:
- a WMI interface that would allow querying different aspects of virtualization running on a host (I'm not referring here to hypervisor-based virtualization, but Hyper-V has some WMI interfaces built in)
- GPO settings for controlling some aspects of virtualization products, like:
  - whether virtualization may be used on a host
  - whether VMs can be connected to physical network interfaces
Another nice addition would be an easy-to-use interface to tell whether an OS is running inside a VM, preferably a WMI interface on the Windows platform. When I wrote about it on my Polish blog, my friend Pawel, who is a very skilled guy when it comes to security, pointed out that in the security world this isn't something you want to have, as malware checks whether it is running in a VM to make analysis a bit harder. However, I can imagine an interface that can be switched on/off by an administrator as a solution.
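Part of this inventory can be approximated with data an administrator already has. The PowerShell below is an added example, not code from the original post or from any virtualization product: the function name `Get-VmGuestHint`, the record shape and the sample rows are assumptions made for illustration, while the vendor strings and MAC prefixes are the defaults that VMware, Hyper-V and VirtualBox assign to guests.

```powershell
# Hypothetical helper (added example); vendor strings and OUIs are product defaults.
$VmOui = @{
    '000569' = 'VMware'; '000C29' = 'VMware'; '005056' = 'VMware'
    '00155D' = 'Hyper-V'; '080027' = 'VirtualBox'
}

function Get-VmGuestHint {
    [CmdletBinding()]
    param(
        # Expects Name, Manufacturer, Model and MacAddress (string or array)
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record
    )
    process {
        $indicators = @()
        # SMBIOS strings as reported by Win32_ComputerSystem inside the guest
        if ("$($Record.Manufacturer) $($Record.Model)" -match 'VMware|VirtualBox|innotek') {
            $indicators += "SMBIOS: $($Record.Manufacturer) / $($Record.Model)"
        }
        elseif ($Record.Manufacturer -match '^Microsoft' -and $Record.Model -eq 'Virtual Machine') {
            $indicators += 'SMBIOS: Microsoft / Virtual Machine'
        }
        # First three MAC bytes, taken from WMI or from a DHCP lease table
        foreach ($mac in @($Record.MacAddress)) {
            if (-not $mac) { continue }
            $hex = ($mac -replace '[^0-9A-Fa-f]', '').ToUpper()
            if ($hex.Length -ge 6 -and $VmOui.ContainsKey($hex.Substring(0, 6))) {
                $indicators += "MAC $mac has a $($VmOui[$hex.Substring(0, 6)]) OUI"
            }
        }
        [pscustomobject]@{
            Name       = $Record.Name
            Flagged    = $indicators.Count -gt 0
            Indicators = $indicators -join '; '
        }
    }
}

# Constructed inventory rows (names and MACs are made up for the example)
$rows = @(
    [pscustomobject]@{ Name = 'DESK-01'; Manufacturer = 'Dell Inc.'; Model = 'Latitude E6400'; MacAddress = '00:11:22:33:44:55' }
    [pscustomobject]@{ Name = 'DEV-VM-07'; Manufacturer = 'VMware, Inc.'; Model = 'VMware Virtual Platform'; MacAddress = '00:0C:29:12:34:56' }
    [pscustomobject]@{ Name = 'TEST-HV'; Manufacturer = 'Microsoft Corporation'; Model = 'Virtual Machine'; MacAddress = '00-15-5d-0a-0b-0c' }
    [pscustomobject]@{ Name = 'lease-10.0.0.87'; Manufacturer = $null; Model = $null; MacAddress = '08:00:27:ab:cd:ef' }
)
$rows | Get-VmGuestHint | Format-Table -AutoSize
```

Both the SMBIOS strings and the MAC address can be changed by whoever controls the VM, so this is an inventory hint, not an enforcement control. A MAC-only match on a physical machine can also come from a product's host-side virtual adapter.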
So … this is something that was going around my head last Friday, and maybe I'm completely wrong about this whole thing. But … yes, there is a "but", which makes me think that I would be very glad to have a bit more control over virtualization in my network.