Total Internet Security Software




Intel Makes Exascale Bet on InfiniBand-Based Supercomputing

Intel, which played a key role in the creation of the InfiniBand high-speed networking standard a decade ago, has come full circle and bought the IB assets of Qlogic, one of the two remaining companies still actively pushing this technology. While $125 million is chump change for a company that netted $3.4 billion in profits last quarter, Intel says the acquisition will enhance its networking portfolio and provide scalable high-performance computing (HPC) fabric technology as well as support the company's vision of innovating on fabric architectures to achieve ExaFLOP/s performance by 2018. At a hundred times faster than today's fastest supercomputers, it's an aggressive move, seeking to accelerate performance to a quintillion computer operations per second.

The InfiniBand specification defines a low-latency, high-bandwidth input/output architecture used to interconnect servers, communications infrastructure equipment, storage and embedded systems. It is a true fabric architecture that leverages switched, point-to-point channels with data transfers today at up to 120 gigabits per second, both in chassis backplane applications as well as through external copper and optical fiber connections.

Last year the InfiniBand Trade Association reported the technology is seeing continued growth on the TOP500 list of supercomputing sites. InfiniBand connects the majority of the top 100 with 61 percent, the top 200 with 58 percent and the top 300 with 51 percent. The total number of InfiniBand-connected CPU cores on the TOP500 list has grown 65 percent, from 1.4 million in Nov. 2009 to 2.3 million in Nov. 2010.

IDC says the HPC market was worth $19 billion in 2010, up 10 percent, and expected to see 7 percent growth through 2015. While Ethernet remains the leader, the research company predicts InfiniBand will continue to take market share from proprietary interconnects.

Supercomputing is the key to the deal, says Intel. While the percentage of HPC CPU shipments will drop from 15 percent to 12 percent between 2010 and 2015, it still represents a sizable chunk of the total market. However, next year the top 100 supercomputing CPU (total addressable market) will reach 1 million units, double in 2015, and reach 8 million units by 2019.

Intel says InfiniBand was seen as the missing piece to developing a scalable fabric by 2018. The acquisition also rounds out the company's Ethernet portfolio, it says. HPC is one of the two key pillars of growth within Intel's data center business, along with cloud.

The other company remaining in the IB market is Mellanox Technologies, which, along with Qlogic, has been an Intel partner. Oracle uses InfiniBand technology in its database appliances and bought a 10.2 percent share of Mellanox in late 2010.

The Qlogic deal, which is expected to close this quarter, involves the product lines of and certain assets related to its InfiniBand business. A significant number of the employees associated with this business are expected to join Intel's network and communications unit.


F5 Networks ‘Fixes’ Data Center Security

Arguing that multiple point appliances intended to secure a network only add to complexity without providing the intended protection, F5 Networks is introducing what it calls a Data Center Firewall to combine multiple security solutions into one appliance. The appliance, called BIG-IP model 11050 and carrying a starting price of $129,995, delivers such security features as dynamic threat defense, DDoS protection, protocol security, SSL termination and a network firewall.

"The current environment just doesn't scale, it doesn't extend and it doesn't respond. We think this model is broken and it's very, very real in our customer base today," said Mark Vondemkamp, director of product management for F5.

ICSA Labs, an industry accreditation body for network firewall solutions, certified the F5 BIG-IP product family as a secure socket layer (SSL), transport layer security (TLS) and virtual private network (VPN) compliant appliance line.

The appliance is designed to respond to some of the latest types of attacks on networks, Vondemkamp said, such as distributed denial of service (DDoS) attacks where web sites are pinged millions of times to bring them down. Lately this has been done for political reasons such as the attacks on sites targeted in the wake of the WikiLeaks document dumps of U.S. State Department cables in 2011.

F5 has also seen a rise in the number of blended threats on the Internet, combining a DDoS attack with an application-level attack. Lastly, the BIG-IP appliance protects against zero day attacks, in which a vulnerability in a software program, such as Microsoft or Adobe, is discovered before a patch for it can be developed and deployed.

The array of point solutions to address these threats -- network firewalls, DDoS appliances, domain name server (DNS) appliances, web application firewalls and load balancers -- is difficult to manage, can be a drag on network performance, and can result in multiple points of failure, said Vondemkamp.

"The traditional approach needs to be replaced by a unified security architecture," he said.

F5, in the leaders quadrant in the Gartner research "Magic Quadrant" analysis of SSL and VPN security vendors, released in December 2011, shares top spot with Cisco Systems and Juniper Networks, while competitor Citrix Systems is identified as a viable "challenger."

However, in its analysis of vendors, Gartner faults F5 for lacking an Internet Protocol Security (IPsec) capability in its products. IPsec is a protocol for securing IP communications by authenticating and encrypting each IP packet in a communications session. "F5 faces an uphill contest with vendors that offer both SSL and IPsec, and should reconsider whether to build or acquire client-based IPsec support," Gartner reported.

That aside, the F5 approach of combining different point solutions into one powerful data center firewall is a viable approach, said Jeff Wilson, a principal security analyst at Infonetics Research.

Even though the typical enterprise data center may not be as much of a target of a malicious DDoS attack as would a financial institution or a government agency, data centers are still high-value assets that need enhanced protection for today's threats, Wilson said.

"Since data centers typically process a lot of traffic, have high bandwidth connections and have a lot of high-capacity gear, when attacks are aimed at them they tend to be very fast attacks, but the typical firewall isn't designed to handle a DDoS attack," he said. "The scale of the attacks is really what's at issue in a data center."

F5 compared its BIG-IP 11050 to the Juniper SRX 3400 on throughput, connections per second and the number of concurrent connections it can support. Wilson says that's because Juniper has a significant foothold in the data center and, like F5 and other network security vendors, is trying to expand its presence in those data centers. He identified HP's TippingPoint and Check Point as among other vendors going up against F5.


Research Finds Outstanding Issues Could Derail Win 8 Migration

Migration to Windows 8 won't be a shoo-in, with a number of issues remaining to be addressed before Microsoft can expect the majority of its users to migrate to the new version of the operating system. A new survey from Information Week Analytics, Research: Windows 8, finds that the migration strategy appears to be predicated upon people migrating from Windows 7 to Windows 8, when it has already been clear that a significant minority of existing users are still running Windows XP – which demonstrates the sort of problem that Microsoft is facing. The new OS is scheduled to come out in beta in February and for final shipment in the second half of the year.

According to the survey of 973 business technology professionals, 90 percent of them still have Windows XP, and 81 percent of them have Windows 7. Just over half, 52 percent, plan to upgrade, while 48 percent will not. Of those planning to upgrade, 82 percent will be upgrading from Windows 7 and 54 percent will be upgrading from Windows XP. Half plan to stay with Windows XP, while 30 percent plan to stick with Windows XP. And even among those who do plan to upgrade, 28 percent, the largest percentage, have not yet established a timetable for when they will be upgrading. Moreover, 21 percent said they do not plan to deploy Windows 8 on mobile devices.

Issues cited by the survey respondents included having to redesign applications in order to support the new Metro tile-based touch user interface, the requirement for touch devices and monitors to take advantage of the new interface, Windows 8 compatibility among different browsers, and the requirement to develop back-end systems that can service a variety of devices.

Barriers to upgrades cited by respondents include other IT projects with higher priorities, compatibility issues, testing requirements, a lack of business drivers or ROI, training requirements, lack of staff, lack of money, and the fact that they're still in the process of migrating to Windows 7.

Another survey, Information Week's 2012 forecast, found the prospects are good for Windows 8 Server, and not so bright for Win Mobile. At the end of 2011, 63 percent of respondents said they'll run Windows 8 on at least 50 percent of their servers. Only 30 percent of respondents say they'll run the phone/tablet version on that fraction of these devices, which was considered surprisingly high.

Migrating from Windows 7 to Windows 8 is supposed to be seamless, but migrating from Windows XP to Windows 8 will be another issue, since like the migration to Windows 7, it will require a clean install. "Essentially, you have to save your data, do the install, and migrate your data in," says analyst Roger Kay, owner of Endpoint Technologies Associates Inc. Moreover, Windows XP users may find they need more memory or processing power to support Windows 8.

"If a system is more than two or three years old, it might not have the processing power to make Windows 8 work correctly," says Charles King, principal analyst for Pund-IT Inc.

However, users who migrate from Windows 7 may see improvements, says Rob Enderle, principal analyst for the Enderle Group. While Windows 8 has the same memory requirements as Windows 7, it is less resource intensive. "The cheapest systems that run Windows 7 or Vista should be as fast or faster with Windows 8," he says. Systems should have at least 2 gigabytes of memory, though Kay suggests that 4 gigabytes would be better.


IBM And NEC Leverage OpenFlow For High-Performance Networking

IBM and NEC are collaborating on high-performance OpenFlow deployments. OpenFlow, developed at Stanford University, has enjoyed acceptance in university networks because an OpenFlow network can run alongside the campus production network without impacting it. In 2011, OpenFlow broke out of its education niche into the mainstream with announcements from Big Switch, Fulcrum and NEC. IBM's and NEC's announcement is a proof point that OpenFlow has a role in enterprise IT and can be used in high-performance applications.

There are a number of myths surrounding OpenFlow, including that there is a delay on the first packet of a flow to perform a lookup and that the controller is a single point of failure. Both are easily addressed through sound management practices. In fact, the upsides of using OpenFlow--such as simplified traffic management, policy-based networking that creates paths through the network based on higher-level decisions than the destination address, and software-defined networking where there is tight integration between applications and network configuration--can far outweigh any downsides. The IBM and NEC announcement describes how enterprises are overcoming these obstacles in OpenFlow on their production networks.

One customer of the combined IBM and NEC products is Selerity, which provides financial information from primary sources to its subscribers. Its service-level commitments are on the order of microseconds, required so that all subscribers receive the same information at the same time. In addition, Selerity has to manage subscription entitlements to its customers to ensure they are getting what they paid for. Selerity's entitlement application needs to make those decisions and dispatch the data in near real time. The challenge Selerity faces in meeting all of those competing goals is in maintaining low latency and traffic separation.

Selerity satisfied those requirements using a convoluted set of VLANs and high-end firewalls to forward traffic to the proper locations, or by using an application-level process to make the forwarding decisions. In either case, the solution was complex, inflexible and expensive. Adding a new subscription to a customer meant making a number of changes to networking equipment, which took time and was error-prone.

Using OpenFlow on NEC's Programmable Flow Controller, Selerity was able to move the forwarding decision off the servers and firewall/switch layer into an OpenFlow-controlled network. Using flow rules defined once on the Programmable Flow Controller, the UDP packets coming from Selerity's servers are rewritten, added to a multicast group and forwarded to the destination ports corresponding with individual customers in a few microseconds. Selerity ensures that the correct data goes only to intended customers and that all of the customers receive the data at the same time. Selerity was also able to easily add more redundancy to its delivery network since an OpenFlow network isn't hobbled by Ethernet constraints like having a loop-free network.

Selerity's application and SLA requirements are unique to the financial industry, but many enterprises have similar demands that could be addressed using an OpenFlow-managed network.

IBM and NEC also described unnamed customers using OpenFlow to solve common issues such as forwarding network traffic to multiple analysis devices and forwarding traffic to load balancers. Companies like Anue Systems, Gigamon and NetOptics offer in-line network taps that can combine many network connections into a single output or split a single input into many outputs, either replicating all frames across all output ports or slicing the output stream based on data in the frame like addresses and port numbers. These taps work well but are expensive and require that they sit in-line with the monitored link. The security customer connected taps and switch span ports to an IBM G8264 OpenFlow switch, ran the traffic through a deep packet inspection engine and then forwarded the flows to one or more analysis tools. The monitoring is much more flexible than a fixed tap.

More vendors are hopping on the OpenFlow bandwagon, including networking giants Cisco and HP. Juniper Networks added OpenFlow to its Junos SDK in 2011, while OpenFlow controller vendor Big Switch introduced an open source OpenFlow controller early this year. We will continue to see interesting use cases of OpenFlow in production environments.


Rise Of HTML5 Brings With It Security Risks

HTML5 is the new "it" protocol on the Internet. Among other things, it is an alternative to Adobe's Flash for displaying content through a Web browser. No less an industry authority than the late Steve Jobs declared in 2010 that browsers on Apple devices such as the iPad would support HTML5 and not Flash. But as HTML5 gains wider adoption some of its security flaws are beginning to get noticed, including the WebSocket specification that renders Web pages more quickly than does Flash.

"Anything new comes with some new security concerns," said Joe Bulman, systems architect for Wedge Networks, a network security company specializing in what it calls "deep content inspection" of traffic on Web networks.

HTML5 security issues have drawn the attention of the European Network and Information Security Agency (ENISA), which studied thirteen HTML5 specifications, defined by the World Wide Web Consortium (W3C), and identified fifty-one security threats.

A recent alert from security vendor Sophos stated HTML5 provides far more access to the computer's resources than its predecessor, offering capabilities like location awareness, local data storage, graphics rendering and system information queries, which are built in and quite powerful. However, the alert cautions that while the enhancements are great, "they radically change the attack model for the browser. We always hope new technologies can close old avenues of attack. Unfortunately, they can also present new opportunities for cybercriminals."

Bulman identified four main concerns. First is the problem of cross-origin resource sharing (CORS), in which a web server can allow its resources to be accessed by a web page from a different domain. While useful in aggregating content from several sites, he said there is a risk that some content may be shared that shouldn't be. Second is the problem of click-jacking, in which malicious code is surreptitiously placed on a web page image behind a digital mask that makes an item appear to be safe and invites the user to click on it. Third, HTML5 has unique geolocation and privacy issues that need to be addressed, although he added that HTML5 standards bodies as well as browser vendors are addressing them.

In fact, to its credit, the HTML5 community is responsive and "transparent" in how it operates, he said. Also, HTML5 applications have more restricted access to system resources than with Flash while HTML5 protocol updates are delivered through browser updates, so they're more likely to be applied. All the major browser vendors are working on HTML5 security issues and the HTML5 community enjoys the support of the Internet's biggest brands, including Facebook, Google, PayPal and Bing, which means that use of HTML5 should be on a strong growth curve.

The fourth potential flaw relates to one of the HTML5's best features. The WebSocket API enables two-way communication over one transmission control protocol (TCP) socket. The Websocket.org web site uses the example of a stock ticker Web application to explain how WebSocket works. In a traditional HTTP-designed browser, in order to display the most current price for a stock, the browser constantly pings the web server for new information, a process called "polling." Because that wastes time and compute resources, WebSocket allows the web server to push the information out to the browser only when it has new information to share.

The feature, called asynchronous full duplex communication, drastically reduces the amount of unnecessary traffic between server and browser, said Bulman. In the example of the stock ticker app accessed by 10,000 end users in the experiment, the data traffic reduction ratio was 500:1.

The downside is that WebSocket disables a number of important network security tools. It takes over key network ports such as Port 80 that screen packets for any maladies and, in a WebSocket port, the packets lack the traditional headers that would be seen by a web application firewall to block suspicious packets. Reputation-based defenses also fail with WebSocket deployed.
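The inspection gap described above, as an added example (not code from the article or from any vendor it names): after the HTTP upgrade, traffic on the socket is RFC 6455 frames rather than HTTP requests, client-to-server payloads are XOR-masked and a message may be split across frames, so a content filter has to decode and reassemble before it can match anything. The sample frames, the masking key and the `<script` pattern are constructed for illustration.

```javascript
// Added example. Sample frames, masking key and signature are constructed.
const MAX_PAYLOAD = 1 << 20; // assumed inspection limit: refuse frames over 1 MiB
const SAMPLE_KEY = Buffer.from([0x37, 0xfa, 0x21, 0x3d]); // constructed masking key

// Build one masked client-to-server frame (short payloads only; sample input).
function buildFrame(text, { fin = true, opcode = 0x1, key = SAMPLE_KEY } = {}) {
  const payload = Buffer.from(text, 'utf8');
  if (payload.length > 125) throw new Error('sample builder only emits short frames');
  const frame = Buffer.alloc(6 + payload.length);
  frame[0] = (fin ? 0x80 : 0x00) | opcode; // FIN bit + opcode
  frame[1] = 0x80 | payload.length;        // MASK bit + 7-bit length
  key.copy(frame, 2);
  for (let i = 0; i < payload.length; i++) frame[6 + i] = payload[i] ^ key[i % 4];
  return frame;
}

// Decode one RFC 6455 frame at `offset`; returns null if the buffer is truncated.
function parseFrame(buf, offset = 0) {
  if (buf.length - offset < 2) return null;
  const b0 = buf[offset];
  const b1 = buf[offset + 1];
  const masked = (b1 & 0x80) !== 0;
  let len = b1 & 0x7f;
  let pos = offset + 2;
  if (len === 126) {                       // 16-bit extended length
    if (buf.length - pos < 2) return null;
    len = buf.readUInt16BE(pos);
    pos += 2;
  } else if (len === 127) {                // 64-bit extended length
    if (buf.length - pos < 8) return null;
    const big = buf.readBigUInt64BE(pos);
    pos += 8;
    if (big > BigInt(MAX_PAYLOAD)) throw new Error('frame exceeds inspection limit');
    len = Number(big);
  }
  let key = null;
  if (masked) {
    if (buf.length - pos < 4) return null;
    key = buf.subarray(pos, pos + 4);
    pos += 4;
  }
  if (buf.length - pos < len) return null;
  const payload = Buffer.from(buf.subarray(pos, pos + len)); // copy before unmasking
  if (key) for (let i = 0; i < len; i++) payload[i] ^= key[i % 4];
  return { fin: (b0 & 0x80) !== 0, opcode: b0 & 0x0f, masked, payload, next: pos + len };
}

// Walk every frame, reassemble fragmented messages, then match each whole message.
function inspectStream(buf, signature) {
  const messages = [];
  let parts = [];
  let offset = 0;
  while (offset < buf.length) {
    const f = parseFrame(buf, offset);
    if (f === null) break;          // incomplete trailing frame: wait for more bytes
    offset = f.next;
    if (f.opcode >= 0x8) continue;  // control frames may sit between fragments
    parts.push(f.payload);
    if (f.fin) {
      const text = Buffer.concat(parts).toString('utf8');
      messages.push({ text, flagged: signature.test(text) });
      parts = [];
    }
  }
  return messages;
}

// What a byte-pattern filter sees when it scans the TCP payload without decoding.
function rawScan(buf, signature) {
  return signature.test(buf.toString('latin1'));
}

function demo() {
  const signature = /<script\b/i; // constructed detection pattern
  const stream = Buffer.concat([
    buildFrame('price=42.10'),
    buildFrame('<scr', { fin: false }),            // first fragment of a text message
    buildFrame('', { opcode: 0x9 }),               // ping between the fragments
    buildFrame('ipt>x</script>', { opcode: 0x0 }), // continuation frame, FIN set
  ]);
  return { raw: rawScan(stream, signature), messages: inspectStream(stream, signature) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Connections that negotiate the permessage-deflate extension also need their payloads inflated before matching, which this example does not handle.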

Wedge Networks' solution to this dilemma is an approach it calls "deep content inspection," a feature, introduced in November 2011, of its WedgeOS operating system that powers its security appliances.

"We judge the content, the structure and the intent of the data in motion," said Hongwen Zhang, CEO of Wedge Networks.

Wedge offers a "unique architecture" to deliver high performance deep packet inspection, wrote Chenxi Wang, a Forrester analyst, in a report providing a market overview for the content security space for the third quarter of 2011.

"Using this deep content inspection engine, customers can conduct in-depth malware detection, DLP processing, and content classification at line speed," Wang noted.

But Wedge competes with a number of well known players in this space, including Cisco, Google, McAfee, Microsoft, Sophos and Symantec, among others, she said.


Meraki Ups The Cloud-Based Networking Ante

Mainstream network players and those chasing them are all out to erase the lines between wireless and wired networking. As the network edge gets redefined and the cloud makes its presence felt in LAN and WLAN spaces, announcements like Meraki's latest update are getting to be more commonplace, and exciting. With a number of interesting product updates to share, Meraki is starting 2012 with a bang.

As mentioned before in this blog, I am a single-site Meraki customer. Though my main wired and wireless networks are built on Cisco gear, last year I opted to run with Meraki in one of my overseas locations for a campus deployment that features site-to-site VPN back to our main campus, routing, and thirty-five access points in a framework that is all-Meraki except for the handful of Cisco edge switches that handle Layer 2 duties. The Meraki deployment has been rock-solid and reliable, but soon will be even better.

Meraki has just announced new hardware and features that bode well for existing and prospective customers, and for the industry in general as a sign of things to come. In my own little corner of the Meraki cloud-managed world, I manage wired and wireless networks via a common dashboard on the web. Though effective, I have found areas where Meraki could do better by their customers. One of these minor pain points is in managing my site-to-site VPN, as the current UI is pretty sparse on relevant information for this important function. Thankfully, the latest incarnation of the Meraki cloud-based management system rectifies this with two-click site-to-site VPN configuration and welcome details on each tunnel's latency and status.

Even bigger to me, no-extra-cost WAN acceleration has come to the Meraki MX series. Legacy customers like me who use the MX 50 or 70 will see modest gains in WAN acceleration after our free and automatic code upgrade, but customers who get in on the latest MX hardware series also get the benefit of increased processing, memory, and a 1 TB hard disk cache for what Meraki estimates to be "up to 197x improved" WAN transfer times. As enterprises like mine continue to globalize, squeezing the most from site-connecting over-the-Internet WAN links is of paramount importance. That you get WAN optimization as part of the MX purchase without additional licensing is huge.

Also part of the latest release, Meraki is introducing their new cloud-managed Layer 2/3 switches with Power over Ethernet. In my own current deployment, I can manage my Meraki MX appliances (routing, security, DHCP, traffic classification and control, guest access, etc.) and wireless APs, but not my Cisco switches through my cloud-based dashboard. When I rolled out my environment, Meraki did not offer an edge switch. The new MS series switch comes in branch and campus network flavors, and other than not having redundant and field-replaceable fans and power supplies (hint to Meraki), seems to have good feature parity with the big expensive competitors and some nice trouble-shooting value adds not typically found in other switching products. The beauty here is that wired and wireless users alike are identified, classified, controlled, and supported through the same administrative dashboard, regardless of whether they use a patch cable or wireless adapter to connect.

Given that wireless networking is fast coming to equal or even surpass Ethernet in terms of criticality for user access across different business networks, it's not surprising that vendors are moving into even deeper "whole solution managed under single pane of glass" waters. Meraki may not be the biggest fish in the networking pond, but I can speak first hand on their effectiveness at providing a turn-key, cloud-managed solution that makes managing a network easy (and in my case, it's a network on another continent that tightly integrates with my main network). I'm tickled that a good thing is getting even better with Meraki's latest announcements, and am hopeful that others in the networking space are working on similar strategies.

Gone should be the days of thinking of wired and wireless networking as unique spaces, and needing racks full of appliances to gain VPN and enterprise-class security capabilities. Meraki has proven that for the right environments, a tremendous amount can be done with minimal box requirements and that installation and management don't need a team of IT pros to accomplish. Here's hoping we see more of the same from the competition.

Disclaimer: I am a single-site Meraki customer.


Thought Experiment - Forget ROI

Boys and girls, today's homework assignment is a thought experiment. I want you all to put yourselves in the shoes of the CxO team making a decision to move to private cloud. There is of course one catch; you may not factor in ROI. We're dropping ROI because it clouds the subject (bad pun intended.) Let's skip the why should I do this experiment; I'd of course default to 'Because I told you so.'

Let's work through this together; it may be a tough one. Many of us have been trained to make all IT-related decisions based on ROI. Some of this is self-induced, some may come from vendors with ROI spreadsheets utilizing amazing formulas, industry data and handfuls of pixie dust to show how much money you'll save over the next 3 years with widget X.15. For whatever reason, ROI is a big part of most IT-related decisions.

IT decisions weren't originally made this way; instead they were made based on the business value that would be gained from an IT system. IT was purchased based on how it would enable the business to increase profits, build better products, or better service its customers. That's really what the technology should be about.

The decision to move to private cloud should be based on the competitive advantage it can provide. If we can justify that private cloud can give us the ability to do something better, faster, or at lower cost than the competition we're halfway there. Let's take a look at gaining competitive advantage with private cloud.

Let's start with some example numbers for the time it takes to bring a new service online:

1 week - Design and validate a BOM (bill of materials)

1 week - Receive approvals and submit PO

2 weeks - Wait on required gear

1 week - Rack, stack, cable and configure

3 weeks - Build service, test and validate

2 months - Total time

This is just an example; some of these times may be laughably short or long depending on your organization. Using these example numbers you have a 2-month period between identifying a new service that will enable your business and having that service online. This doesn't take into account the rollout and training of the service once online. If you could cut that time in half would that provide competitive advantage?

By using a private cloud model for delivery of IT services, this process can be trimmed to 3 weeks (using the same example numbers.) The infrastructure would be in place, carved into flexible pools and the tools to automate deployment of the required subset would be available to IT staff, developers, or both. Through a self-service portal the first 4 steps above can take place in minutes.

Additionally, scale is simplified through standardized infrastructure components. Rather than deciding on which server, storage, or switch is required per project, pre-defined components are purchased and plugged into the resource pools as capacity is required. Is your network at capacity? Add a switch to the mesh. The hardware itself becomes nothing more than CPU, RAM, storage and I/O capacity for the delivery model you've built.

The flip side of the above model is removing old or under-performing services. When an application or service is removed from the cloud the resources are returned to the pools. In a legacy data center build, it is difficult to repurpose hardware when a service is no longer needed, and as such often doesn't happen. Scaling down occurs, and services are eventually retired. This model allows for seamless return of the underlying hardware resources to the cloud.

The last piece of competitive advantage is of course cost. Any reduction in cost without a reduction in revenue will inherently increase profits. This is why the ROI model persists so strongly. Private cloud can, and does in many cases, reduce costs but this depends on how mature your IT organization is at the onset. Much of private cloud's cost reduction comes from the virtualization of the underlying hardware; automation and orchestration are not required for that, but help provide the business value shown here.

While cost is always a factor, and quite important, it should not be the first or most important criterion. Cost is more easily modeled and budgeted for once the end goal has been defined. If you begin with an attempt to show ROI you end up with models of very subjective soft costs showing savings over time. These are not solid foundations for such a large change. Define the advantages private cloud can provide your organization, decide whether they provide enough value to embark on the journey, and then model the costs into your budget.


Freeware Increases RJ Lee’s Management Efficiency

Faced with rapid growth and increases in the amount and complexity of data and its IT operations, RJ Lee Group went looking for a way to simplify its computing infrastructure. The company ended up selecting Spiceworks as an alternative to adding staff or spending a lot of money on network and system management software.

"By moving to Spiceworks, we were able to manage our infrastructure more effectively without increasing our expenses," says Justin Davison, senior systems engineer at RJ Lee Group. In business since 1980, the company is an industrial forensics laboratory offering specialized materials characterization, forensic engineering, and information management services. For instance, it helped the United States Environmental Protection Agency (EPA) develop a method to analyze asbestos.

The company's research-based services chew up a lot of IT resources: they have 30 Terabytes of data stored on a Storage Area Network (SAN), and servers primarily running Microsoft's Windows operating system. The 300-person operation works mainly in Monroeville, PA, but has spread its wings to more than half a dozen satellite locations, including New York City and Quebec City.

The small IT staff oversees the dispersed computing infrastructure. Traditionally, this group relied on each component's (server, router) inherent management functions to ensure that its applications were up, and its network connections were functioning well.

By 2008 that approach was proving to be inadequate. "Our applications and IT infrastructure were growing and becoming more dispersed," says Davison. Consequently, tasks such as determining what might be causing a slowdown on a network link were taking more time to complete. "We needed a tool that would automate some of our routine administrative tasks," he says.

There was no shortage of options available, but the company wanted to keep its expenses as low as possible. So Davison started searching on the Web for free management tools and Spiceworks emerged as an intriguing option because of its all-encompassing nature. Although it began life in 2006 as a basic network inventory and scan tool, the offering has grown into a full-fledged help desk and IT support community with more than 1.5 million users. To stand out from the competition, it uses an advertising-based model: customers do not pay for the product but are exposed to Google-like advertisements.

"Spiceworks is like a 'Swiss Army knife' for system and network management," notes Davison. The product includes a series of modules that can be used autonomously or in conjunction with one another.

After making the decision to go with Spiceworks in the spring of 2008, RJ Lee had the product up and running in a few weeks. "Spiceworks includes an intuitive user interface, so the initial configuration was straightforward," he says.

Once the tool was installed, the company streamlined a few of its management functions. The product's core management features automatically track configurations and report any changes, so technicians no longer had to manually enter that information. A network monitoring feature correlated network activity so the staff had more insight into any performance issues.

While some companies may view the ads as annoying, Davison has found them helpful. His company has purchased more than half a dozen products after seeing various ads.

Another benefit from the freeware is its substantial use of social networking to encourage users to interact with one another. "The Spiceworks community gives me a million people I can reach out to and ask for and share advice," says Davison. The community has become an ad hoc extension to the firm's IT department, offering advice that has remedied a handful of problems that the staff could not figure out on its own.

In the spring of 2010, RJ Lee augmented its use of the system through Spiceworks' Reach program, which enables cloud services vendors to create custom plug-ins so customers can add, manage, and monitor cloud services within its software. Hundreds of management plug-ins are available from vendors such as HP, LogMeIn, Rackspace, and Symantec. "With Spiceworks, we don't have to work with different Web-based portals to monitor and provision any of our cloud resources," he says.

Next on the agenda is to create a portal so employees can submit trouble requests. Spiceworks IT Help Desk Portal's trouble ticket module organizes and prioritizes tickets based on customized criteria, such as due dates. A project management function will enable RJ Lee to delegate, prioritize, and track time spent on various initiatives.

To date, the management tool has been a good fit for the company. One potential concern is the possible lack of the scalability and features mid-size and large companies desire from their management tool. Also, as a relatively new player in the management space, Spiceworks may encounter skepticism about its long term viability, especially since it has a non-traditional business model.

However, RJ Lee has no qualms about the vendor or its product. "Companies do not need to be scared off from free software," concludes Davison. "We have found one that meets our needs."


Atlantis VDI Ups IOPs Performance 10-20X

Atlantis Computing has announced Atlantis ILIO Diskless VDI, a virtual desktop infrastructure product that makes use of server-based blade storage that it claims eliminates storage for Citrix and VMware virtual desktop operating system images. This means that users can reduce the capital expenses associated with VDI to less than $200 per desktop while providing boot times of 12 seconds. The company has particularly tested the product with Cisco UCS blade servers, which can deploy up to 6,400 virtual desktops in one rack, and is promoting it with Cisco, but it is server-agnostic.

"So far it's really interesting, really good," says Steven Bell, infrastructure systems architect for PAETEC Communications Inc., now a part of Windstream Communications, a telecommunications company based in Fairport, NY. "It's definitely a paradigm shift compared to traditional storage. We have yet to deploy it on a larger scale, but we're hoping it'll be able to fulfill those needs."

The company was looking for alternatives to big-box vendor storage arrays, because it wanted to treat its storage in the same non-persistent way it treats its virtual desktop – that is, information is destroyed once a user logs off. "We didn't want to buy a huge expensive frame for something that's here one second and gone the next," he says. It expects to save both operational and capital expenses but does not yet know the amount.

The Mountain View, Calif.-based Atlantis has been selling the ILIO product for some time; what is new is the ability for it to run only on server-based memory, says Seth Knox, director of marketing.

The Atlantis implementation reviewed both with the company and the user is the highest-performing real-world VDI installation seen to date, says James Bagley, senior analyst and business development consultant for Storage Strategies NOW. In particular, the combination of Atlantis' input/output reduction with the Cisco blades creates phenomenal performance, especially since the end-user already used Cisco for switching fabric across its network.

While other VDI implementations have used flash memory appliances, Atlantis is the first to demonstrate such an implementation on blade servers without using a storage appliance or disk array, he says. This is unique and is responsible for the high performance which is 10 to 20 times the speed of other implementations in terms of IOPs, he says.

However, the "diskless" aspect is a bit misleading, says Henry Baltazar, senior analyst of storage and systems for 451 Research. While the technology is good for storing the operating system and applications, it does not account for user-generated data, such as spreadsheets, presentations, videos, pictures, PDFs, and so on, which ultimately need to be stored on some sort of disk storage system, he says.

VDI has been very popular with vendors and industry pundits, but the market traction has not met expectations. Gartner estimated that there will be as many as 20 million virtual desktops in place by 2014 and last year CDW found that 90 percent of businesses were considering or implementing client virtualization projects. CDW also found that companies were having a number of problems with VDI, from far more than expected complexity, to hard-to-calculate ROI and the challenge of training end users. According to IDC, U.S. thin-client sales will amount to less than 2 million units by 2013.

The product is shipping now. It is priced per named user, in the same way as Citrix and VMware, at $100 per desktop for the first user and at varying prices per user after that, depending on how many users there are, says Bernard Harguindeguy, president and CEO. It is delivered through Atlantis' 60 resellers and partners.


Microsoft System Center 2012 Revealed

System Center 2012 can do bare metal provisioning using IPMI. It relies heavily on templates: you define skeleton options such as MAC address, networking and storage, which are either resolved at runtime (an IP address via DHCP, for example) or taken from a template (a host name, for example). What is interesting is that System Center can discover server hardware and make it available.

Inside Virtual Machine Manager, we defined our new hardware host and applied it to a server. You can readily track the progress of the deployment.

In this lab, the hardware wasn't actually available, so it failed. However, you can drill into the task and see exactly which step failed and which steps remain. In our case, PXE boot failed, so we couldn't talk to the server. Note that VMM used the BMC to power on the host.

Creating a cloud is performed after you define the templates for the underlying hardware. A cloud is just a set of resources that are grouped into a unit. You can then assign them to users and roles. In our case, PrivateCloud20 is using a logical network called Contoso and the lb01.contoso.com load balancer.

We set the capacity for this cloud offering at 12 GB of RAM total, unlimited storage, and a maximum of 10 virtual machines. All the VMs for this cloud service are based on Hyper-V but could have included Citrix XEN or VMware.

Microsoft's private cloud offering is multi-tenant by its very nature. IT defines the capacity of a cloud service and then users and roles are assigned capacity and rights within that cloud. You can define many cloud services that are ultimately shared across the physical infrastructure.

Using quotas, you can control how cloud resources are consumed. In this case, this particular role is allowed to use as many virtual CPUs and as much RAM or storage as needed, but the role is limited to five VMs total. That means that the role can only run five VMs regardless of how many users are in the role.

Quotas can be further restricted on a per-user basis. In our case, each member of the role can use 1024 bytes of RAM and may only use a single VM. This leaves room for other role members to use VMs and allows us to add additional roles that can use the same cloud service.
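The layered limits in this walkthrough (cloud capacity, role quota, per-member quota) can be modeled as a single admission check. The sketch below is an added example, not System Center code: the class and function names are hypothetical, one role is assumed to be the cloud's only tenant, and the per-member figure of 1024 is assumed to mean megabytes.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class Quota:
    max_vms: Optional[int] = None     # None = unlimited
    max_ram_mb: Optional[int] = None  # None = unlimited

    def exceeded_by(self, vms: int, ram_mb: int) -> bool:
        return ((self.max_vms is not None and vms > self.max_vms) or
                (self.max_ram_mb is not None and ram_mb > self.max_ram_mb))


@dataclass
class Cloud:
    capacity: Quota      # ceiling for the whole cloud
    role_quota: Quota    # shared by every member of the role
    member_quota: Quota  # applied to each member separately
    vms: Counter = field(default_factory=Counter)     # VMs per member
    ram_mb: Counter = field(default_factory=Counter)  # RAM (MB) per member

    def request_vm(self, member: str, ram_mb: int) -> Tuple[bool, str]:
        """Admit the VM only if no quota layer would be exceeded."""
        all_vms = sum(self.vms.values()) + 1
        all_ram = sum(self.ram_mb.values()) + ram_mb
        layers = [
            ("member quota", self.member_quota,
             self.vms[member] + 1, self.ram_mb[member] + ram_mb),
            ("role quota", self.role_quota, all_vms, all_ram),
            ("cloud capacity", self.capacity, all_vms, all_ram),
        ]
        for name, quota, vms, ram in layers:
            if quota.exceeded_by(vms, ram):
                return False, name  # deny and report the layer that refused
        self.vms[member] += 1
        self.ram_mb[member] += ram_mb
        return True, "admitted"


def demo():
    # Values from the walkthrough; member RAM unit (MB) is an assumption.
    cloud = Cloud(Quota(10, 12 * 1024), Quota(max_vms=5), Quota(1, 1024))
    out = [cloud.request_vm(f"user{i}", 1024) for i in range(1, 6)]
    out.append(cloud.request_vm("user1", 512))  # member already has one VM
    out.append(cloud.request_vm("user6", 512))  # role already runs five VMs
    return out
```

The role quota refuses the sixth VM even though the cloud itself has capacity for ten, which is the property that lets other roles share the same cloud.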

Quota management is very dynamic, and administrators with the right access privileges can change these quotas at any time. You will have to think about your quota strategy so that you are managing your resources effectively.

Users can also be restricted in the actions they can take with the cloud service. Consumers of your cloud service should only be allowed limited access to start and stop their VMs and deploy software. Different administrative roles can be defined. Access controls like these mean IT can delegate cloud management to distributed staff and offload workflows.

Once we define the hardware templates, we configure the OS images that we will deploy. If you have ever installed Windows Server 2008, or any Windows server for that matter, these options will be familiar to you. Tick off what you want. Fill in the server name (which itself can be pre-defined via a template), and you have a stock golden image ready to deploy. What is interesting is that you can patch and reconfigure the image and, when it is active, deploy it to your cloud automatically if you desire.

This is where we begin to see the dynamism of System Center. We define the underlying OS and assign an application template, defined elsewhere, to the host. The application template can also have user-submitted fields, which are filled out when requesting a new service or can be defined for the application.

Much of the output from System Center 2012 is, behind the scenes, PowerShell scripts that get executed. From what I saw, there is no need to ever look at a script, which is great for those who don't know PowerShell. If you do, however, you can customize the scripts to suit your needs. In fact, anything you can do in the GUI you can do in a PowerShell script, giving IT the potential for deep integration with existing IT systems without relying on third parties. Writing your own PowerShell scripts isn't for everyone, however.

In the VMM Service Template, you can visually arrange the various services and customize the options for them quickly and easily. This is one of the final steps before publishing the service in the service catalog and self-service portal. All of the components are already built; here we are just putting them together. You can easily add more applications as needed.

Bear in mind that we are simply arranging systems together and we are not affecting application code in any way. The application code has to be written to talk amongst the various services. The best practice is to use names for systems and services and never to hard code dependencies. The templates should be able to build and resolve service names and locations dynamically.

While we don't show it, when we publish this application to the self-service portal, users can come to the portal, request an application and fill in just a few relevant bits of information such as the application name. The technical bits should all be buried out of sight. When they request the service, their permissions are validated and the request kicks off a workflow. That workflow could be fully automated or, at any point, you could interject a person to take actions. It's entirely up to you.
