Data Centers

How to deploy SkySecure hyperconverged infrastructure

Hyperconverged infrastructure is all the rage these days. This post talks about how to set up a secure, on-premises HCI for critical assets and why it's a good idea to do so.

Is a cloud-managed infrastructure for critical applications a good idea? Good question right? I mean, what could go wrong? I suppose it depends on what one considers a secure infrastructure to be. While many folks are moving as much as possible to the cloud, there are still critical systems that should remain on premises such as your AD servers for example. When you want to deploy these systems remotely, it's likely that you want the focus to be on the application rather than building out the entire infrastructure that it sits on. You just want it to work and be secured every time. This is one of the benefits of migrating to a cloud solution.

But not everything should go to the cloud. That's just a hard fact. So how do we get this plug-and-play type of experience and still make sure everything is secure without investing tons of hours, tons of equipment, and ending up with a headache by the time the solution is in place? One option is to deploy a solution like SkySecure hyperconverged infrastructure.

This is an inherently secure, hyperconverged platform that rolls compute, virtualization, networking, and storage onto a single platform without sacrificing security or performance. How so? Let's take a brief look at the solution, starting with that hyperconverged hardware that you would deploy in your rack and get a sense of how security has been at the fore from the ground up. Then we'll look at how to deploy an AD server, step-by-step, in just a few minutes which will highlight the cloud experience.

SEE: Research: Cloud vs. data center adoption rates, usage, and migration plans (Tech Pro Research)

The hardware

There is no management interface built into the Skyport appliance. That means no IPMI, no additional avenue that may be open to attack, no inherent security hole. No, instead, this x86 system is delivered in a tamper-resistant state. By design, it is entirely hands-off. The x86 uses a TPM during the boot cycle (many servers include the TPM but don't make use of it) to generate signatures that the cloud-managed SkySecure Center can validate in the attestation phase of the measured boot sequence. From a customer perspective, all you need to look for is the flag that identifies the status as valid. You can see this in the image below.

2017-10-0911-07-47-d8a4974cd1c14d2b96b9145a5914ae65.jpg

The hardware appliance has a secure connection back to the cloud management service. This is used to establish the identity of the platform and validate its integrity. This sets Skyport apart from agent-based solutions, which would be another way of getting on-premises equipment registered into a cloud-based management system. The problem with the agent-based solution is that it needs to be installed on top of the operating system and it's likely that the OS hasn't been validated, nor has the hardware itself been validated. While I'm glossing over several other key components that make the Skyport solution secure from the ground up, the point is that it's been designed from the ground up to be secure as they control the entire experience.

The cloud-managed software and how to deploy a secure compartment

From the end user perspective, we want to get a compartment deployed because this is where our VM will run. The hypervisor technology that is used by Skyport is KVM. Fortunately, we don't have to mess with any of that configuration.

To begin, we create a compartment right from the home page. During the creation of the compartment, there are a few values we will need to provide. In the image below we have defined a name for our VM, in this case, MyNewDC, and we've set the security posture to whitelist everything even before the VM is created. This is because a compartment starts out completely isolated.

2017-10-0911-11-47-7a4ddd19f0844bb380cc04d4805b444c.jpg

Now in the previous image, we have the source type set to use an existing image, but we want to do a clean install from an ISO. We need to change to source type to reflect that. You can see this in the following screenshot.

2017-10-0911-15-12-e2ff624aa01c44ffb723c703fc0861f7.jpg

Next, we will define the VM information. This includes the OS type, Windows Server 2012 R2, compute, and RAM values.

2017-10-0911-16-39-1641c039ba114f3d85a5973f4cc590e6.jpg

Now here's another area where security is at the fore and ease of use is paramount to the solution. Skyport hosts the install media for you. When you deploy a VM, it downloads a valid boot ISO image from Skyports CDN and then validates the SHA-256 checksum to guarantee the integrity of the install media. You can see this in the following screenshot.

2017-10-0911-19-19-26932c5c9d824eaf897a71395696344e.jpg

Next, we want to assign the server where this should be deployed and the network information that we want to connect to. Then you click the Save and Deploy button and wait for your compartment to be created. You can see this below.

skyport-deploy-compartment-96-dragged-fbe8b357ee7745b2af9083203ae153ad.jpg

A status message at the bottom lets us know where we are in the creation process.

skyport-deploy-compartment-112-dragged-f9ef641d91404f46a33724544c07f200.jpg

Once your VM is up and running

Once the compartment is deployed, and the VM is running we can view it by navigating to Home>Libraries and selecting your compartment. As you can see below we have the device status, in this case, it's pending because we just created it and it's not finished. You can also see additional details about the VM.

skyport-up-and-running-1-dragged-5b9e4a0b027445c189b6f79cafe772e9.jpg

If we scroll down the page, we can see the following.

  1. We can view the network adapter and can view the routing table if we'd like to.
  2. We can see the Security posture and note that all inbound and outbound connections are blocked unless they are permitted by a whitelist entry.
  3. We can see the server and client roles.
skyport-up-and-running-15-dragged-169896ba978c434a8f420cdcc023d2af.jpg

What's the significance of the server and client role? Taking a look at the image below you can see that we are adding the Active Directory Controller or Client.

skyport-up-and-running-63-dragged-c0e28c70a80b4e5ba3c533d22a59b365.jpg

This is followed by the domain information.

skyport-up-and-running-98-dragged-3660b611cbb4411bb86080d3a6394ee2.jpg

And then the entitlements that will be created for me.

skyport-up-and-running-111-dragged-5260074f8a5a4b0db1548ba352a360cd.jpg

These entitlements are like access-control entries that permit necessary AD traffic. Recall that when we selected the security posture option of Whitelist, we were blocking all traffic in and out of the compartment. With this entitlement, we have just allowed AD traffic while keeping everything else nice and secure.In the image below we have created another entitlement for Windows update.

And after adding our entitlements, we can scroll back up to the top of the page and see that our compartment is now working properly.

skyport-up-and-running-346-dragged-c995d336e2b24eaaa9e36ebb8fe16720.jpg

SEE: Special report: How to choose and manage great tech partners (free PDF) (TechRepublic)

Managing the VM

Managing the VM is very easy to do. From the same page, we are viewing our compartment on we can select the Show Console link.

skyport-secureconsole-21-dragged-dbf3cb3a17cc476cbca1a564fd631e60.jpg

This brings up our console the the VM.

skyport-secureconsole-27-dragged-228d9dccacb6404085fe08fdf204b232.jpg

What's notable here is that it's all done in a web browser. There is no need to install or open any additional tools to gain access to the VM. Additionally, this session is TLS encrypted and strongly authenticated and audited by the SkySecure Center service. Another important security feature of this console connection is that also there is no file transfer here, so this guarantees that there is no binary code transferred via the console. This is unlike RDP, where you can expose VMs to file or device sharing over additional streams within the RDP protocol. One last item of note here is that you can paste local commands into the console through the paste option in the web console interface. I can't tell you how many times I've needed to paste into an ESXi console and couldn't.

skyport-secureconsole-97-dragged-614a6dd8567141cca077db20a2fde7fe.jpg

Final notes

In the very beginning of this article I asked the question; is a cloud-managed infrastructure for critical applications a good idea? To answer that question I would say yes, provided it is done the right way. The focus needs to be on securing the solution while providing ease of use. I think that this solution provides that cloud-like experience that you would expect in deploying a VM to AWS or Google Cloud and with the depth of security controls. I'd feel pretty safe using it to deploy an on-premises application. Comparing this to what one would have to go through up front with other vendors solutions makes me cringe when I think of all the hoops I would have to jump through just to piece together something that's even close. Saving time, but not sacrificing security, is a win in my book.

Also see:

istock-638041564.jpg
Image: iStock/spainter_vfx

About Brandon Carroll

Brandon Carroll has been in the industry since the late 90s specializing in data networking and network security in the enterprise and data center. Brandon holds the CCIE in security and is a published author in network security.

Editor's Picks

Free Newsletters, In your Inbox