The Full Virtualisation Using Binary Translation


02 Nov 2017


University of Greenwich

Discussion

What is Virtualisation

Virtualisation, according to Popek and Goldberg (1974), rests on the virtual machine, which they define as "an efficient, isolated duplicate of the real machine" [1]. Virtualisation has been studied since the early days of computing and, as outlined in the preceding chapters, it can be summarised as a technology that allows multiple operating systems to run simultaneously on a single computer. It emerged as a means to utilise hardware resources more fully and to support time-sharing systems.

Figure Before and after virtualisation. Without virtualisation: a single OS owns all hardware resources. After virtualisation: multiple OSes share the hardware resources.

Because the virtualisation layer sits between the "guest" operating systems and the physical host hardware, it controls each guest's use of CPU, memory and storage, and can even migrate a guest OS from one physical machine to another. Using virtualisation software, an IT administrator can partition one physical machine into several virtual machines, each of which behaves like a distinct physical machine capable of running its own operating system (OS).

The following chapters discuss the different types of virtualisation, the key benefits of this technology and its limitations. The subsequent part of this report presents some of VMware's solutions to the challenges posed by the management of virtualised datacenters.

Types of Virtualisation

Full Virtualisation using Binary Translation

Any x86 operating system can be virtualised using a combination of binary translation and direct execution. This combination provides full virtualisation because the guest OS is completely separated from the underlying hardware by the virtualisation layer, as shown in Figure 4 below.

Figure 4 The binary translation approach to x86 virtualisation (the hypervisor sits between the guest's privilege rings and the hardware)

This is the only type of virtualisation that requires no operating system modification and no hardware assist to virtualise sensitive and privileged instructions, because the work is done in software by the hypervisor. The hypervisor translates the guest kernel's code on the fly, replacing the non-virtualisable instructions with safe sequences, and caches the translated code for reuse, while user-level instructions run unmodified at native speed. Full virtualisation offers the best isolation and security for virtual machines, and simplifies migration and manageability because the same guest OS instance can run either virtualised or on native hardware. VMware's virtualisation products and Microsoft Virtual Server are typical examples of full virtualisation.

Para-Virtualisation

This approach differs from the full virtualisation procedure described above: it relies on communication between the guest OS and the hypervisor, aimed at improving performance and efficiency.

Figure 5 Para-virtualisation

Paravirtualisation, as shown in Figure 5, involves modifying the OS kernel to replace non-virtualisable instructions with hypercalls that communicate directly with the virtualisation layer (the hypervisor).

In this type of virtualisation each guest OS knows that it is running on a hypervisor. The hypervisor needs much less processing power to manage the guest operating systems, because it does not have to trap or translate privileged instructions at run time; the modified guest kernel asks for the hypervisor's services explicitly, and the hypervisor can schedule the load the guests place on the physical machine with that cooperation. The whole system works together as a cohesive unit.
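The two mechanisms described above (binary translation with a translation cache plus direct execution of user code for full virtualisation, and source-level hypercalls for para-virtualisation) as an added illustrative model written for this page; it is not code from the essay or from VMware. The guest "code", the instruction subsets, the hypervisor handler and the block addresses are constructed assumptions, and no real x86 is decoded:

```python
"""Toy model of full virtualisation by binary translation versus para-virtualisation.
Guest 'code' is constructed as lists of mnemonic strings (assumption: no real x86)."""
from dataclasses import dataclass

# Illustrative subsets (assumption). SENSITIVE: x86 instructions that execute without
# trapping outside ring 0 yet read or write privileged state, which is why classic
# trap-and-emulate fails on x86. PRIVILEGED: these would trap, but trapping is slow,
# so a binary translator rewrites both kinds before the guest kernel runs.
SENSITIVE = {"PUSHF", "POPF", "SGDT", "SIDT", "SMSW", "LAR", "LSL"}
PRIVILEGED = {"CLI", "STI", "HLT", "LGDT", "LIDT", "MOV_CR3"}
NEEDS_VMM = SENSITIVE | PRIVILEGED


@dataclass
class VirtualCPU:
    """The guest's view of the machine, kept in software by the hypervisor."""
    interrupts_enabled: bool = True
    cr3: int = 0
    emulated: int = 0

    def emulate(self, insn: str) -> None:
        # Handler for every rewritten instruction or hypercall: it updates the
        # virtual state only; the host's real CR3 and interrupt flag are never touched.
        op, _, arg = insn.partition(" ")
        if op == "CLI":
            self.interrupts_enabled = False
        elif op == "STI":
            self.interrupts_enabled = True
        elif op == "MOV_CR3":
            self.cr3 = int(arg, 0)
        self.emulated += 1


class BinaryTranslator:
    """Rewrites guest kernel code on first use and caches the result, so the
    translation cost is paid once per block rather than once per execution."""

    def __init__(self):
        self.cache = {}                      # guest block address -> translated code
        self.hits = self.misses = self.rewritten = 0

    def translate(self, addr: int, block):
        if addr in self.cache:
            self.hits += 1
            return self.cache[addr]
        self.misses += 1
        out = []
        for insn in block:
            if insn.split()[0] in NEEDS_VMM:
                out.append("HV_EMULATE " + insn)   # replaced by a call into the VMM
                self.rewritten += 1
            else:
                out.append(insn)                   # safe instruction copied through
        self.cache[addr] = out
        return out


def run_block(cpu: VirtualCPU, block, counters) -> None:
    for insn in block:
        if insn.split()[0] in ("HV_EMULATE", "HYPERCALL"):
            cpu.emulate(insn.split(" ", 1)[1])
        else:
            counters["direct"] += 1          # executes unmodified at native speed


def run_full_virtualisation(kernel_blocks, user_code, rounds=3):
    bt, cpu, counters = BinaryTranslator(), VirtualCPU(), {"direct": 0}
    for _ in range(rounds):
        for addr, block in kernel_blocks.items():      # ring-0 code goes through BT
            run_block(cpu, bt.translate(addr, block), counters)
        run_block(cpu, user_code, counters)            # ring-3 code runs directly
    return {"translated_blocks": bt.misses, "cache_hits": bt.hits,
            "rewritten": bt.rewritten, "emulated": cpu.emulated,
            "direct": counters["direct"], "guest_cr3": cpu.cr3}


def run_paravirtualisation(pv_kernel_blocks, user_code, rounds=3):
    cpu, counters = VirtualCPU(), {"direct": 0}
    for block in pv_kernel_blocks.values():
        # A paravirtualised kernel was modified at source: it must contain no raw
        # sensitive instruction, so no run-time translation is needed at all.
        assert not any(i.split()[0] in NEEDS_VMM for i in block), block
    for _ in range(rounds):
        for block in pv_kernel_blocks.values():
            run_block(cpu, block, counters)
        run_block(cpu, user_code, counters)
    return {"translated_blocks": 0, "hypercalls": cpu.emulated,
            "direct": counters["direct"], "guest_cr3": cpu.cr3}


# Constructed guest code (not real x86): an unmodified kernel, the same kernel after
# paravirtualisation, and a user-mode routine.
GUEST_KERNEL = {0x1000: ["PUSHF", "CLI", "MOV EAX, [ESP]", "MOV_CR3 0x2000", "STI", "POPF"],
                0x1040: ["MOV EBX, 1", "ADD EAX, EBX", "HLT"]}
PV_KERNEL = {0x1000: ["HYPERCALL PUSHF", "HYPERCALL CLI", "MOV EAX, [ESP]",
                      "HYPERCALL MOV_CR3 0x2000", "HYPERCALL STI", "HYPERCALL POPF"],
             0x1040: ["MOV EBX, 1", "ADD EAX, EBX", "HYPERCALL HLT"]}
USER_CODE = ["MOV EAX, 5", "ADD EAX, 7", "RET"]

if __name__ == "__main__":
    print("binary translation:", run_full_virtualisation(GUEST_KERNEL, USER_CODE))
    print("paravirtualisation:", run_paravirtualisation(PV_KERNEL, USER_CODE))
```

Running the model three rounds shows the point of the translation cache: the two kernel blocks are translated once and served from the cache four times, while every user-mode instruction runs directly. The paravirtualised guest reaches the same virtual state (guest CR3 set, interrupts re-enabled) with the same number of hypervisor entries but no translator at all, which is the performance argument for hypercalls; the assertion in `run_paravirtualisation` is the property a paravirtualised kernel must satisfy.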

OS-level Virtualisation

Figure OS-level virtualisation implementation: hardware; host operating system with a single kernel; virtual servers running on top of it

OS-level virtualisation is based on the chroot concept of Unix-based operating systems. It does not use a hypervisor; instead the capability is part of the host operating system, which carries out all the functions a hypervisor would perform. The major drawbacks of this method are that all the guests must run the same kernel as the host and that a kernel problem can cripple all the virtual servers at once.

Which method is best?

The choice depends entirely on the network administrator's requirements. If, for example, the administrator's physical servers all run the same operating system, an OS-level approach might be the better choice. If the servers run several different operating systems, full virtualisation (which needs no guest modification) or para-virtualisation might be the better choice. One drawback of para-virtualisation is support: the guest kernel must be modified, so it only works with operating systems for which a paravirtualised kernel exists, and at the time of writing only a few firms offer para-virtualisation software. In general, the majority of companies support full virtualisation, but interest in para-virtualisation is rising and it may possibly replace full virtualisation in the near future.

Limitations of Virtualisation

The benefits of server virtualisation are so desirable that it is easy to overlook its limitations. Research was carried out to discover the drawbacks, and this part of the report lists some of the limitations associated with virtualisation.

For machines configured strictly for applications with high demands on processing power, virtualisation is not an optimum choice. For servers dedicated to such applications, creating too many virtual servers on a single physical machine is unwise, as it will overload the server's CPU.

Access to I/O resources: I/O devices such as printers are shared between all the guests. If one virtual machine is using the device, the other virtual machines are queued or may sometimes be denied access.

Migration is another limitation: at the moment a virtual server can only be moved from one physical machine to another if both physical machines use the same manufacturer's processor family.

Restricted disk space: an excessive number of virtual servers can exhaust a server's capacity to store data.

Reliability is also a concern: if a company's vital data are stored on virtual servers and the physical server goes down, all of them lose access to that data at once, so the host becomes a single point of failure.

Conclusion

Research carried out has shown that the concept of virtual machines is not a new one: it has been around for years and allows several users to share expensive machines safely. Few people knew about or understood the idea, and as computers became cheap the motivation behind virtualisation decreased. The founders of VMware then judged it worth bringing the virtual machine concept back because of the problems IT managers were facing, for example the rapid increase in the number of deployed servers and the need to run multiple applications on separate operating systems. Virtualisation, it is claimed, can help IT managers spend less time on repetitive jobs, enabling them to respond more quickly to business needs, and it helps businesses reduce cost and complexity. Nevertheless, virtualisation in general can be technically challenging and may cause significant operational disruption. Companies considering virtualisation are more likely to succeed with a partner with extensive experience in virtualisation technologies, in order to address the limitations associated with it. There is no doubt that virtualisation can markedly reduce IT costs while significantly improving efficiency, but there are limitations, and further research is needed to derive a full understanding of this technology within the IT environment.

Bibliography

Books and papers

Douglis, F., Bhardwaj, D., Qian, H., Shilane, P. 2011. Content-aware load balancing for distributed backup. Proceedings of the 25th International Conference on Large Installation System Administration (LISA), Boston, MA, December 4-9, 2011.

Krieger, O., McGachey, P., Kanevsky, A. 2010. Enabling a marketplace of clouds: VMware's vCloud Director. ACM SIGOPS Operating Systems Review 44(4).

Popek, G. J., Goldberg, R. P. 1974. Formal requirements for virtualizable third-generation architectures. Communications of the ACM 17(7): 412-421.

VMware Inc. 2006. Virtualization Overview. California: VMware Inc.

VMware Inc. 2007. Understanding Full Virtualization, Paravirtualization, and Hardware Assist. Retrieved March 01, 2009, from www.vmware.com/files/pdf/VMware_paravirtualization.pdf.

Von Hagen, W. 2008. Professional Xen Virtualization. Indianapolis: Wiley Publishing, Inc.

URLs

http://www.scribd.com/doc/28332572/Virtualisation-PPT

http://ezinearticles.com/?Academic-Research-on-New-Challenges-in-IT-Systems-and-Networking&id=5109370

http://www.etcoindia.net/modernitsystemstopics.html

http://www.datadisk.co.uk/html_docs/vmware/introduction.htm

http://networksandservers.blogspot.com/2011/11/full-Virtualisation-explained.html

http://www.articlesbase.com/information-technology-articles/recommendations-on-academic-topics-for-dissertations-and-thesis-projects-pertaining-to-modern-challenges-in-it-infrastructure-and-systems-3353121.html

http://www.yoyoclouds.com/2012/05/how-server-Virtualisation-works.html

http://www.scribd.com/doc/37170624/Understanding-Full-Virtualisation-Para-Virtualisation-and-Hardware-Assist

http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.introduction.doc_50/GUID-7EE617A2-4A10-424F-BAE2-56CA6692A93F.html

http://www.anandtech.com/show/2480/8

http://www.howstuffworks.com/server-Virtualisation.htm

http://networksandservers.blogspot.com/2011/11/para-is-english-affix-of-greek-origin.html

http://pubs.vmware.com/vsphere-4-esx-vcenter/topic/com.vmware.vsphere.intro.doc_41/c_vmware_infrastructure_introduction.html

http://www.dc.uba.ar/events/eci/2008/courses/n2/Virtualisation-Introduction.ppt

http://www.edn.com/design/systems-design/4398677/1/Memory-Hierarchy-Design---Part-4--Virtual-memory-and-virtual-machines

http://www.scribd.com/doc/31339214/2/Packet-Filtering-Example

http://www.gartner.com/technology/topics/cloud-computing.jsp

Introduction: ACLs on Cisco equipment

A firewall is a vital tool for increasing network security. Nevertheless, the security it provides does not rest on the firewall itself but on the rules configured within it. When learning about firewall configuration, it is important to focus on creating accurate and non-conflicting rule sets. A simple firewall such as a Cisco ACL should be the first step before studying more complex firewalls. This report, therefore, deals with Cisco ACLs.

Objectives

The objectives of this part of the report are to:

Define and describe the purpose and operation of ACLs

Describe the process of creating and editing ACLs

Explain the processes involved in testing packets with ACLs

Describe standard and extended ACLs

Approach

A multistep approach was taken while collecting data and compiling this report, including:

Interviews with knowledgeable individuals with relevant experience, to gather data about ACLs.

Sourcing journals, books and articles from online databases (e.g. the Cisco website), to extract relevant information about ACLs.

Carrying out simple networking labs using Packet Tracer, to understand how ACLs work.

Defining and describing the purpose and operation of ACLs

ACL stands for Access Control List. As the name implies, it is used for access control. An ACL is a set of router configuration statements that control whether the router permits or denies packets based on criteria found in the packet header. As each packet arrives at an interface with an associated ACL, the ACL is tested from top to bottom, one line at a time, looking for a pattern that matches the packet. An everyday analogy: suppose the president of the USA is having a birthday party at the White House and does not know everybody coming to the party. The party organiser, who in this case plays the IT administrator, creates a list of invitees; this is the ACL. The list contains the names of those allowed in and those not allowed, and the names can be regarded as IP addresses. Next to the names are further conditions, such as with or without a tie, or wearing black shoes; this corresponds to an extended ACL. The list is then given to the security agents at the front and back gates, who correspond to the routers. They enforce what the list contains, admitting or turning away guests based on it.

ACLs are very versatile tools: they control access both to and from network segments and can be used to implement security policies as described above. With a proper combination of access lists, IT managers have the power to carry out nearly any access policy they can devise.

Deploying ACL statements on a router does not, however, turn it into a full-fledged firewall. Each statement pairs a permit or deny action with a pattern, and the first pattern the packet matches determines whether it goes through. A wildcard mask defines how many bits of the source or destination IP address must match the pattern. The pattern can also include the protocol (IP, TCP, UDP, ICMP) and port numbers, for example Telnet (TCP port 23) or FTP (TCP port 21).

Once an ACL is created, it must be applied to either incoming or outgoing traffic on an interface for it to take effect. When an ACL is applied to an interface, the router analyses every packet passing through that interface in the specified direction and acts accordingly. A packet being matched against an access list follows a few significant rules:

It is always matched against each line of the access list in sequential order, i.e. starting with the first line, then the second, then the third, and so on.

The packet is compared with the lines of the access list only until a match is made. Once the packet matches a line, the action on that line is taken and no further comparisons take place.

There is an implicit "deny" at the end of every access list, which means that a packet that does not match any line is dropped.

Processes involved in testing packets with ACLs

The order in which ACL statements are placed is essential. When a router is determining whether to allow or refuse a packet, the Cisco IOS software tests the packet against each condition statement in the order in which those statements were created. After a match is found, no further condition statements are tested. Consequently, if a condition statement that permits all traffic is created, no statement added after it will ever be checked. To insert additional statements in a classic numbered standard or extended ACL, the ACL must be deleted and re-created with the new condition statements in the desired order.

How ACLs Work

As mentioned above, an ACL is a group of statements that defines what happens to packets as they:

Enter inbound interfaces

Relay through the router

Exit outbound interfaces of the router

Figure ACL Test Matching Process

The preceding flow chart shows that ACL lines are processed in order from top to bottom. When a packet arrives at an interface, the router checks whether an ACL is applied to that interface in the inbound direction (and, on the way out, whether one is applied in the outbound direction). If there is, the router searches for a matching rule from the top to the bottom of the list; if a rule matches, the packet is permitted or denied according to that rule and no further testing occurs. If no ACL entry matches, the packet is denied by default.

Creating ACLs

This part of the document shows some configuration commands: global statements and interface statements. ACL commands are created in global configuration mode. An ACL number from 1 to 99 tells the router to accept standard ACL statements; an ACL number from 100 to 199 tells it to accept extended ACL statements (discussed in the next chapters). It is very important to select the entries of an access control list carefully and to put them in a logical order. Permitted IP protocols must be clearly specified and all other protocols should be denied, although there is an implicit deny even if it is not stated.

This list denies traffic from all addresses in 172.16.1.0/24 and permits everything else. The wildcard mask 0.0.0.255 ignores the last octet, so the entry matches 172.16.1.0 to 172.16.1.255 whatever host bits are typed in the address; IOS stores "172.16.1.2 0.0.0.255" as "172.16.1.0 0.0.0.255". The first step is to enter global configuration mode, the second to create the access list entries, and the third to apply the access list on the correct interface; as the access list being configured is a standard access list, it is best applied as close to the destination as possible.

Of901#configure terminal

Of901(config)#access-list 50 deny 172.16.1.2 0.0.0.255

Of901(config)#access-list 50 permit any

Of901(config)#interface f0/0

Of901(config-if)#ip access-group 50 out

How ACLs can be used to filter traffic and to protect a network from viruses

ACLs filter traffic according to the "3 P's": per protocol, per interface and per direction. Only one ACL per protocol, per interface and per direction can be applied. An ACL can also help protect a network against viruses by identifying packets that meet certain criteria, much as a packet sniffer would: an entry with the log keyword records every packet it matches. For example, if a virus on the network sends traffic out over the IRC port (TCP 194), an extended ACL (e.g. number 103) can be created to identify, log and block that traffic.

Order of operations in which an ACL works

Routers process an ACL from top to bottom. When the router assesses traffic against the ACL, it starts at the beginning of the list and works its way down until an entry matches, then permits or denies the traffic as that entry says and stops processing. Whichever matching rule appears first therefore takes priority: if a line near the top of the ACL denies some traffic that a lower line would permit, the router still denies that traffic.

Other uses of ACLs

ACLs are not just for filtering traffic; as discussed above they can be used for numerous purposes, for example to control debug output and to control route access (as a distribute-list that permits or rejects specific routes into or out of a routing protocol). An AS-path access list can likewise permit or deny BGP routes by their AS path. Finally, ACLs are used to select traffic for encryption: when encrypting traffic between two routers with IPsec, a crypto ACL tells the router which traffic must be encrypted, while traffic the list does not match is forwarded unencrypted rather than dropped.

The process of creating and editing ACLs

In the Cisco implementation, each additional criteria statement added to the configuration is appended to the end of the ACL. Note that once the statements of a classic numbered ACL have been created and applied to a router, it is not possible to remove an individual statement; the whole ACL must be deleted and re-created.

Furthermore, as stated in the previous chapter "Processes involved in testing packets with ACLs": the order of access list statements is important in determining whether to permit or deny a packet, as the IOS software tests the packet against each criteria statement in the exact order the statements were created. After a successful match has been established, no more criteria statements are checked. So if a statement in the ACL explicitly permits all traffic, no statement added after it will ever be checked.

A text editor such as Notepad can be used to make any changes to an access list, which is then pasted into the router via the command line interface (CLI) once all changes have been made. Up to two ACLs per protocol can be applied to each interface of a router: one inbound access list and one outbound access list.

Types of ACL

Since the 1990s network administrators have used two basic kinds of ACL: standard and extended. As discussed in this document, a standard IP ACL filters only on the source IP address in the IP packet header, while an extended IP ACL filters on the source IP address, the destination IP address and the TCP/IP protocol, such as IP (all TCP/IP protocols), ICMP, OSPF, TCP, UDP and others.

Standard ACLs

A standard ACL only allows a statement to permit or deny traffic from a given source IP address or range. The destination of the packet and the ports involved do not affect processing. Standard ACLs can be identified in two ways: by number or by name. To create a numbered standard ACL, the following command is given:

Figure

The example above permits traffic from the 172.16.2.0 and 172.16.1.0 subnets of the class B network 172.16.0.0 and, though not stated, implicitly denies traffic from all other IP addresses.

Standard ACLs should be placed as close to the destination as possible, because they cannot distinguish destinations and would otherwise block traffic the source is allowed to send elsewhere.

Figure

Extended ACLs

Extended IP ACLs are much more flexible than standard ACLs because their conditions can match many more criteria in a packet header. They can permit or drop traffic from specific source IP addresses, source ports, or both, to specific destination IP addresses, destination ports, or both. An extended ACL can specify the protocol, such as ICMP, UDP or TCP, and for TCP and UDP the port of a service such as SMTP (TCP port 25). To create an extended ACL, the following command is used:

Figure

Extended ACLs should be placed as close to the source as possible, so that unwanted traffic is dropped before it crosses the network.

Figure Processes involved in testing packets in an extended ACL

Configuration

Figure ACL configuration example
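The matching rules given earlier (sequential top-to-bottom evaluation, first match wins, implicit deny at the end), the wildcard mask of the standard list in the "Creating ACLs" chapter, and the protocol and port criteria of extended ACLs, as an added simulator written for this page; it is not the essay's own material and not Cisco code. The configuration it parses, the packets, and the ACL numbers 60 and 103 are constructed for the example, and only the numbered standard and extended syntax with the eq port operator is handled (lt, gt and range are assumed away):

```python
"""Simulator of Cisco IOS numbered access-list matching (constructed example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"      # tcp, udp, icmp or ip
    sport: int = 0
    dport: int = 0


@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[str, str]   # (address, wildcard mask)
    sport: Optional[int]
    dst: Tuple[str, str]
    dport: Optional[int]
    log: bool = False


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard: a 0 bit must match, a 1 bit is ignored (the inverse of a subnet
    mask). OR-ing both sides with the wildcard also reproduces how IOS normalises
    '172.16.1.2 0.0.0.255' to '172.16.1.0 0.0.0.255': host bits never matter."""
    w = ip_to_int(wildcard)
    return (ip_to_int(addr) | w) == (ip_to_int(base) | w)


def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' or a bare host address."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    if tokens and tokens[0][0].isdigit():       # a wildcard mask follows
        return (t, tokens.pop(0))
    return (t, "0.0.0.0")                       # standard-ACL shorthand for a host


def parse_port(tokens):
    if tokens and tokens[0] == "eq":            # assumption: only 'eq' is modelled
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_acls(config: str):
    """Return {number: [Entry, ...]} in the order the lines were entered: each new
    statement is appended, and that order decides the outcome."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue                            # '!' comments and blank lines
        num, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if 1 <= num <= 99:                      # standard: source address only
            entry = Entry(action, "ip", parse_addr(rest), None, ANY, None)
        elif 100 <= num <= 199:                 # extended: proto, src[port], dst[port]
            proto = rest.pop(0)
            src, sport = parse_addr(rest), parse_port(rest)
            dst, dport = parse_addr(rest), parse_port(rest)
            entry = Entry(action, proto, src, sport, dst, dport, "log" in rest)
        else:
            raise ValueError("unsupported ACL number %d" % num)
        acls.setdefault(num, []).append(entry)
    return acls


def entry_matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and wildcard_match(p.src, *e.src)
            and wildcard_match(p.dst, *e.dst)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport))


def evaluate(entries, p: Packet):
    """Test entries in order; the first match decides and nothing after it is
    consulted. A packet matching no line hits the implicit deny (index None)."""
    for i, e in enumerate(entries):
        if entry_matches(e, p):
            return e.action, i
    return "deny", None


# Constructed configuration for the example (ACL numbers 60 and 103 are hypothetical).
CONFIG = """
! The essay's standard list: the 0.0.0.255 wildcard ignores the last octet
access-list 50 deny 172.16.1.2 0.0.0.255
access-list 50 permit any
! A permit-any placed first shadows every line after it
access-list 60 permit any
access-list 60 deny host 10.1.1.1
! Extended list: log an infected host talking to IRC (TCP 194), allow web to one server
access-list 103 deny tcp any any eq 194 log
access-list 103 permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 eq 80
access-list 103 permit icmp any any
"""
ACLS = parse_acls(CONFIG)

if __name__ == "__main__":
    for pkt in (Packet("172.16.1.200", "10.9.9.9"),
                Packet("10.0.0.7", "198.51.100.5", "tcp", 40000, 194),
                Packet("10.0.0.7", "192.0.2.10", "tcp", 40000, 443)):
        print(pkt, "->", evaluate(ACLS[50 if pkt.proto == "ip" else 103], pkt))
```

Running the file prints the verdict and the index of the matching line for three constructed packets; an index of None means the packet fell through to the implicit deny, which is what happens to the HTTPS packet even though the list never mentions port 443. Parsing the configuration into the same structure the router evaluates also makes shadowed entries easy to spot before the list is bound to an interface: in list 60 the deny for 10.1.1.1 can never match because the permit any above it wins first.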

Verifying ACLs

With the "show ip access-lists" command it is possible to view the contents of the configured ACLs, together with a match counter for each entry. This command does not, however, show which interface an ACL is applied to; "show ip interface" (or the running configuration) shows the inbound and outbound access lists bound to each interface.

Conclusion

With these considerations in mind, router access lists can be improved. However, there are significant issues related to ACLs that it is important to consider and act upon: they are stateless and inspect only network and transport header fields. Therefore it is common practice to pair filtering routers with other security systems that examine upper-layer information, in order to increase the security, manageability and visibility of the enterprise security policy.
