VDI Oh My!

This is a post originally written for the company blog — posted here for posterity.

Have you seen the cost analysis sheets from various entities over the years pointing out how much money you can save with Virtual Desktop Infrastructure (VDI)? In most cases, they’re wrong. But like most things, there are outliers. Today I want to look at VDI and break it down and tell you why you might want to use it – and why you might not. Then we’ll take a look at a few options for VDI, along with their specific advantages and maybe even a few disadvantages thrown in.

Why VDI?

  • Security: I believe that the number one benefit to any organization that VDI brings to the table is security. Security advantages to VDI include:
    • When you abstract the desktop away from the end-user environment, you also have the ability to abstract the data away and into the data center where you can better manage, backup and protect that data.
    • When you use VDI, you create a smaller attack surface. It also makes the attack surface easier to patch, update, monitor and audit.
    • Through proper policies, a VDI environment can be centrally controlled and harder to subvert – basically you have the ability to restrict data transfers, unauthorized access, and even revoke unwanted access from miles away. In the simplest terms, you can better control the number one cause of data breaches: people (Source: Baker & Hostetler, LLP. “BakerHostetler 2016 Data Security Incident Response Report”).
  • Application Management: This one may get me in trouble from VDI purists. I tend to look at VDI today as more than just delivering a desktop, and I suspect most consumers do as well. Most major VDI products have the capability to handle application package management, provisioning and access controls. What this allows you to do is maintain a stranglehold on software access and subsequently licensing usage. Licensing costs are HUGE in enterprises, and true-up and/or violation costs can be surprisingly daunting. Avoid them (or get really close) with VDI. It can make a real difference in cost. I won’t tell anyone if you don’t.
  • Availability: When you put your VDI in your data center, you are inherently gaining redundant power, UPS backup, dual connectivity and typically a better hardware class for your VDI infrastructure than you would have with haphazard desktops. Need I say more?
  • Management: Management becomes much easier. While I hinted at it above in the security section, it is necessary to point out that you make things easier to manage when you can update a single shared image, application or host server and have that roll out to all your users with the click of a button (or two).

Why Not VDI?

  • Security: If you are looking to invest in VDI and you do not take the time to properly secure the solution, it can be a disadvantage too. Security disadvantages to VDI include:
    • You just allowed all of your users to access their desktops from anywhere…maybe. If you have not properly locked down remote access to the right groups, secured peripheral access, and/or set up security policies, you could be opening some additional risks while eliminating others.
    • When you implement VDI using best practices, your VDI environment will become isolated from your server platforms. If you just throw VDI in without working through proper segregation, you can end up with users in the same network space as the server farms. This is generally not a good thing.
  • Management: It may be easier to manage those desktop images and you won’t need to manually go to desktops as much anymore, but the trade-off is that you’ll likely need a more skilled engineering staff to manage the underlying VDI infrastructure. With the proper staff, training, and/or the right partner (like Sentinel), you can head this off at the pass fairly well.
  • Cost: I don’t deal in money much, but I can tell you that you would be sorely mistaken to think that you will save money with VDI. You may lower either capital or operational expenditures, while increasing the other. The reality is, you are gaining features (security, application management, central management and even controlled costs) while spending the same if not more in some cases. Your mileage will vary.

Which VDI Is Best?

There are two major players in the VDI and published application world: Citrix (XenApp & XenDesktop) and VMware (Horizon/View). Both are fully capable application and desktop delivery platforms. Citrix has the historical install base and decades of experience, but VMware has been making leaps and bounds with their very solid product offering. VMware owns the hypervisor space that most deployments will be installed on, yet there are some bells and whistles in Citrix that the advanced VDI deployments may need. The truth is, without sitting down and having a discussion to review your specific needs, no one can tell you which is best. I won’t try here.

Outside of the vendor platform, there is always Desktop-as-a-Service, which is available through Sentinel CloudSelect®.

Bottom Line

The bottom line is this: If you plan it well, implement it on solid technology (check out my previous article on HyperFlex as an example) with the right policies, procedures, and partner, your business and customers will be very happy. Just don’t expect to fill up a piggy bank with the extra savings.


The article here is my opinion, I wrote it.  I work for/with the companies/technologies mentioned here — if you don’t like that, tough.  If you want to learn more about Virtual Desktop Infrastructure (VDI) and determine the best solution for your business, please contact Sentinel; they pay me and that allows me to keep working on technologies like these and writing these blogs.  If you ask really nice, you might even be able to work with me.  Never know.  If you really want to help me out, contact me directly — I will get you all set up with the right people to help you out.

A Data Center Engineer’s Look At Ransomware Protection

Your worst nightmare just happened.  You have just been presented with a screen popup telling you that your data is being encrypted and that you have so many days to pay.  It gets worse.  Every day you delay, chunks of your data are deleted.   It happens.  I have been on the outside – helping restore data, remove the threats, and salvage business operations and prevent further damage.  I have a unique perspective on ransomware.

We have things like Cisco AMP, a truly robust and state of the art anti-malware system that integrates at every level from the firewall to the endpoint with telemetry systems and response rates beyond anything else in the industry at a crazy fast 13 hours!  However, even Cisco will tell you that it is not possible to rely on prevention alone.  That is why they embed their AMP endpoints into everything – they keep watch for malware that may have slipped through that 13-hour window.  If you don’t have Cisco AMP, you could have a much larger “window”, an industry average of 100 days.

So, how do you as a data center engineer protect your data when something gets through?  How do you guarantee the ability to recover and restore?  Will you be ready when that popup box shows up?

Backups

This may seem obvious, but backups are critical to a recovery.  When your data is encrypted, there is a very strong chance you will not be able to recover it using decrypting tools, so having proper backups will help.  So, what is a proper backup?  I like Veeam Backup & Replication as it has some really handy features that can make it, and its backups, a little more resilient to malware.

  • Out of the box, it will back up its own configuration and repository data. If the Veeam Controller is infected, you have the ability to restore the Veeam system quickly.
  • It can replicate itself. In fact, it should if you can.  Having a secondary copy in another location can be handy – especially if you have non-real-time replication scheduled for the Controller.
  • It can back up to a variety of locations, including the cloud to protect your data from afar.
  • You can back up to deduplication appliances like Dell EMC Data Domain appliances that use protocols that are not typically prone to malware attacks.

If you don’t have Veeam, you can still achieve some of this, or all of it.  It just may not be as easy.  Either way, multi-location and multi-type backup and/or replication strategies are critical to protecting data.

SAN Snapshots

How can snapshots help?  If you are using a snapshot-capable EMC Unity or Nimble Storage array, you can configure snapshots with retention schedules to allow you to quickly roll back to a point in time – BEFORE the malware got into the system.  You might lose a few minutes or an hour of data, but it is much better than the alternative.  If your SAN supports snapshots and you are not using them, set them up as soon as you can.

Patching

Patching is crucial.  Without patching you are more vulnerable to ransomware and malware attacks.  Typically, security patches for software are free.  They are a no-cost or low-cost measure to protect your systems, yet they are so often overlooked.  Why?  Usually it is a lack of a management system or personnel to perform the patching.  This can be addressed with things like WSUS, Microsoft System Center, or VMware Update Manager.  Use them.

Control System Access

This is more than making sure you have passwords for employees – it is often protecting employees from themselves.  You can invest in, or make use of, several of the following options to restrict access to data, which is how ransomware propagates in general: through data access.

  1. Grant read-only access. If ransomware can’t write – it can’t encrypt.  Write access should be only as necessary.  This applies to databases, file systems, servers, Active Directory, etc.  You can use things like Microsoft Identity Manager to help control and automate that access.
  2. Use VDI to your advantage. Create an air-gap of sorts between your end user’s local systems and the critical systems.  Lock down folder redirection and USB redirection.  Both Citrix XenDesktop and VMware Horizon with View apply here.
  3. Use Group Policies to lock systems down. Is allowing users to set a screen background worth losing all your data?
  4. Use things like Cisco ISE with posturing to ensure that only secure systems connect to the network.
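To make item 1 checkable, here is an added example (my own, not part of the original post) that audits a file share for write-capable NTFS permissions granted to broad principals; the share path and the principal list are placeholders you would adjust for your environment. Anything it reports is a place where ransomware running as an ordinary user could write, and therefore encrypt.

```powershell
# Added example, not from the original post. Lists folders under a share where a
# broad principal (Everyone, Users, Authenticated Users, or a domain-wide group you
# add) holds an Allow ACE with write-capable rights. Read-only access never shows up.
function Get-BroadWriteAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Placeholder list; add e.g. 'CONTOSO\Domain Users' for your own domain.
        [string[]]$Principals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )

    # WriteData/AppendData are what in-place encryption needs; Delete covers the
    # "write encrypted copy, delete the original" pattern. Modify, Write and
    # FullControl are composite rights that include these bits, so they match too.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete'

    # Audit the share root plus every subfolder (explicit and inherited ACEs).
    $targets = @(Get-Item -Path $Path) +
               @(Get-ChildItem -Path $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $targets) {
        $acl = Get-Acl -Path $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Placeholder share path; run from a host that can read the share's ACLs.
Get-BroadWriteAccess -Path 'D:\Shares\Finance' | Format-Table -AutoSize
```

An empty result means no broad group can write anywhere under the share; each row that does appear is a candidate for dropping to ReadAndExecute, or for a dedicated group that only the people who really need write access belong to.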

You will be attacked.  That attack may not breach your systems – or it might.  Don’t say I did not warn you.  Protect your data.  Thank me later.


For the record, I work a lot with Microsoft, EMC Unity, VMware, Cisco, VCE, EMC Data Domain, Veeam, and the other technologies here.  They are what I know best, so if you feel I am biased — well, I am.  They are what I know best!

HyperFlex: An Enhanced Look

This is a post originally written for the company blog — posted here for posterity.

In the IT industry, the phrase “we are pretty much a 100% physical shop” is one that you dread to hear – especially from a fast-growing company. Such was the case with a leader in the financial services industry recently when they asked Sentinel to install a Virtual Desktop Infrastructure (VDI) solution for a new call center rollout of around 250 desktops as well as fully re-deploy their physical desktop and server infrastructures. They were pretty set on a hyper-converged solution and were looking for something scalable and easy to manage. To be successful, in the eyes of the business, the solution had to:

  1. Be solid. With internal hesitation to virtualization from the business, there had to be reliability.
  2. Be fast to deploy. To meet the aggressive deadlines, there could be zero delay on delivery or deployment.
  3. Be lightning fast. To aid in business buy-in and adoption, the solution had to deliver a better end-user experience than the current desktops. Performance was critical to that.

After reviewing the vendor options, the customer ultimately chose Cisco HyperFlex and VMware Horizon for their hyper-converged VDI solution. Aggressive deployment timelines were set and equipment was on the way. From there we moved onto the fun stuff.

The HyperFlex cluster was delivered quickly. Really quickly. Once the gear was on-site it was time to deploy. Before we go there, I want to touch on one particular aspect of the solution. Sentinel knows that maintaining data integrity and availability is essential to our customers as they adopt and adapt to new technology. How the Cisco HyperFlex solution delivers that can be summed up pretty easily:

  • The Cisco HyperFlex product line is a variant of the Unified Computing System (UCS) product line, and with that you have the full redundant design of dual fabric interconnects, full multi-pathing, and server hardware that is designed with zero single point of failure. In this particular deployment, we had four nodes (N+1) with dual fabric interconnects, and two 10GB paths from each of the HX240c nodes. Everything also ran on fully redundant power. It was a strong platform to begin from.
  • The SpringPath HALO Architecture is a file system – I am simplifying things here a bit – that allows for distribution of writes onto multiple solid-state drives (SSDs) across multiple nodes BEFORE acknowledging the writes. This maintains the data integrity by ensuring that there are multiple copies of the data on separate nodes in the cluster to prevent potential data loss.
  • The HALO Architecture enhances the data integrity by using a Log Structured Distributed Object Store to allocate the data as small objects across multiple servers in a sequential pattern, which are in turn replicated to other pool members to achieve data redundancy. By doing so, they increase not only performance, but the life of the flash layer disk in the servers as well as redundancy overall.

Back to the deployment. In a post on my personal blog, I mentioned that the HyperFlex deployment was pretty fast. Once you rack and cable the cluster, the HX installer is a breeze. What I love about the HX installer is the fact that it really does build the entire UCS deployment and makes adding a node to an existing cluster just as easy. Click. Click. Done. Overall, the deployment of the HX system after rack and cable took less time than installing the vCenter server that was required for the deployment (Note: The vCenter must be on separate hardware but can be moved into the HyperFlex cluster for ongoing operations).

After meeting the first two objectives, we needed to look at the speed. Since this was a VDI cluster, we made one small change (one line in a configuration file) to optimize the cluster’s L3 Cache for a read-heavy environment. Once that small change was made, it was time to run some tests. Since Sentinel doesn’t own the environment I will only include the following observations:

  • During testing of the 4-Node cluster with 4xVMs pushing I/O, the cluster achieved well over 125,000 I/Ops. Even in the worst-case boot storm of 250 users logging in within a one-minute period you would only really require 117,500 I/Ops, leaving plenty of room to spare. Keep in mind, this was not done in a controlled lab under ideal circumstances.
  • I was able to clone a 100GB (65 Used Thin) VM from template in less than three seconds. Seriously.
  • I deployed 250 linked clone desktops including two boots, customization, and domain join in under seven minutes. The bottleneck was the VDI limit on the maximum concurrent operations sent to vCenter (which I tweaked to 25) and probably the Active Directory domain join tasks as part of the customization. It was fun watching the vCenter task pane roll by so fast I couldn’t keep up with it.

The customer was extremely happy with the performance, scalability and easy management of their new infrastructure. The Cisco HyperFlex and VMware Horizon solution met the requirements so well that I better understand the hype around Cisco HyperFlex and the SpringPath HALO Architecture.

Of further interest in terms of scalability comes confirmation from Cisco that node capacity expansion beyond the current self-imposed limitation is in the works and will not be limited to hardware. External storage is also fully supported. This means you will have the capability to hyper-converge your core systems and still make use of external storage area networks (SAN) where business needs dictate.

All in all, HyperFlex is a rock solid platform with a fantastic and robust architecture that you would be wise to evaluate. Couple it with VMware Horizon for desktop deployment, and you have an infrastructure built to help your business achieve unprecedented levels of success. If you would like to learn more about HyperFlex or other converged/hyper-converged infrastructure solutions, please contact Sentinel for more information.

FIGHT! The VMware vs. Hyper-V Debate Continues

Year over year, the debate continues.  Even after I write this blog post, the debate will continue.  VMware vs. Hyper-V.  The truth is that both hypervisors have their advantages and disadvantages.  To start with, let’s take a look at the prominent ones.

VMware Advantages

  • Thin hypervisor with a tiny install that can be run on a SD card.
  • FAST live migration (vMotion). This allows you to perform maintenance operations faster, without downtime.
  • Memory isolation. This is critical to prevent VM memory errors from crashing the hypervisor and vice versa.
  • Streamlined automatic dynamic memory management and transparent page sharing allowing for better consolidation ratios – to the tune of 25-50% more VMs per host. It is important to note that Hyper-V does support dynamic memory management with manual configuration when all the VMs and hypervisor are on the same patch level.
  • No downtime needed to clone a VM.
  • Storage IO Control (SIOC) which is necessary to optimize storage access to VMs!
  • Dynamic serial and parallel ports.
  • Virtual Volumes & VSAN!
  • Direct driver capabilities which allow for a shorter IO path and better overall VM performance.
  • Overall better Linux, Unix, and Mac guest level support.
  • Anti-Virus offload. This is critical for VDI based deployments and helps to reduce/eliminate AV impacts to underlying disk; though we will see how this shakes out with NSX.
  • Overall Hot Add/Remove support for memory, NICs, CPUs, and disks.
  • Unified web based management through vCenter.

Hyper-V Advantages

  • Native storage support for ODX at the hypervisor level by default.
  • Network bandwidth, capping, and reservations are more flexible than Network IO Control.
  • Native clustering without central management system like vCenter.
  • Native HA without central management system like vCenter.
  • Native live migration without central management system like vCenter.


Really, what we have are two hypervisors that are fairly equal in basic day to day feature sets if you don’t care about consolidation ratios, high performance, and can suffer downtime to perform a large majority of management tasks – with Hyper-V.  So, if you can survive that…  Cost.

  • Hyper-V is free!  This is the one major thing that I ALWAYS hear from Hyper-V fans.  But is it really?  Hyper-V is included as part of the Windows OS – great.  Let’s not forget that VMware provides ESXi for free as well.  Granted, with the free ESXi hypervisor, you won’t have the native cluster, HA, or Live Migration.  Also, with VMware, you do get better consolidation ratios, so you will save on the overall hardware costs since you can potentially fit more VMs on a single host.  This may not be a great thing on a single server, but if you can fit 5 Hyper-V servers’ worth of VMs on a three node cluster of ESXi servers – the low cost that you pay for a base vSphere Essentials license is more than covered by the hardware savings alone.
  • The Hyper-V management interface for a Hyper-V cluster consists of a disparate set of tools.  You need to use Failover Cluster Manager, Hyper-V Manager, and other tools just to perform basic administration tasks.  Even with SCVMM – which you will pay $10K+ for, you still can’t do full centralized management.  In a VMware environment, if I want to clone a template and spin up a VM – I am talking less than 5 minutes by clicking a wizard and assigning the customization template.  With Hyper-V I have to go through a myriad of steps that waste 20 minutes of time.  If I have to deploy 10 machines, that is no longer 50 minutes as it might be with VMware – but a total of 200 minutes with Hyper-V.  Take that across all the disconnected management tasks required and you are talking an operational cost increase of around 300% in man hours PLUS a 300% increase in maintenance windows potentially which will impact mission critical business functions.


I suppose if all you care about is the CAPEX cost and don’t really care about on-going OPEX costs, extended outage windows, and really feel like adding additional servers to handle your VM load while increasing power and cooling costs – well then Hyper-V is free.  VMware is not cheap, and admittedly you do have to pay for add-ons, up to a point.  Also, with VMware, the cost is upfront and renewed for support w/upgrade rights yearly (same for Hyper-V on the support if you want it).  If all you need is the basics, they both work.  If you know Hyper-V and feel like scripting PowerShell for automation, then it is quite capable.  But don’t ever tell me it is free.  Remember, your mother probably told you that there is nothing in this world for free – so why should you think Hyper-V is?


Now, I am not saying Hyper-V is bad.  But I would not use it for mission critical applications where my job depended on it.  Not yet anyway.  There may come a day.  For now, it is relegated to the lab.

Cisco HyperFlex: A Zero Day Review

Cisco HyperFlex.  A converged solution from Cisco.  Scary words, right?  Wrong!

Today I had the privilege of working with Cisco on a deployment of HyperFlex.  I was expecting to run into issues and bugs galore with this being a new to market product, and I can say that I was surprised.  Everything, and I mean everything, went as smoothly as can be expected.  Not a single error.  Not one bug.  Not a single problem with the HyperFlex solution.  Out of the box, it just worked.  To keep this straight and to the point, some quick thoughts are:

  1. The HX installer is clean.  It is straightforward, easy to understand, and makes the install a nearly click…click…done scenario.  Almost.
  2. There is some planning to do upfront, and if you don’t think about the VLAN/Network structure upfront — you could be in for a bit of a setback.  While not really a big deal, proper planning for a minimum of four VLANs/Networks is needed.  Still, if you are not doing this, you are not doing it right anyway.
  3. Did I mention that their deployment tool builds all the UCS based configuration for you?  Swing and a hit!  Again, you need a little planning, but it is really a nice tool.
  4. Provisioning storage is as simple as clicking a button.
  5. I can see the design that went into this solution has taken every possible failure point into consideration, and isolated this solution from failure everywhere it can.  Of course, you have to monitor it just like any other system, but solid design is there.
  6. Cisco claims 1 hour to deploy HyperFlex.  Yes…and…No.  If you have the prerequisites in place and have the planning done ahead of time, I can see that being done in under an hour (rack/stack aside).  You could probably even do the rack/stack in that time as well, if you are a tough guy — I can’t.  🙂

I can’t say this will fit every need and every environment and SANs are not dead (oh, by the way — I am pretty sure we can add a SAN to this solution if desired — though I am not sure it is needed, but don’t quote me on that).  It is currently limited in node capacity — but unlike some naysayers out there believe, I am pretty certain this is a limitation for the initial releases.  Better to err on the side of caution than to promise more than you can deliver.  I really like that.

Good job Cisco & Springpath!

For more on HyperFlex: http://www.cisco.com/c/en/us/products/hyperconverged-infrastructure/index.html
Springpath HALO Architecture: https://vimeo.com/122110510

Interested in getting one?  Let me know, I am sure I can find someone to help you out. 😉