Last year we renewed our SAN storage and our backup systems. They had been serving us for 5 years and were truly end of life, as both technologies used are functionally obsolete in the current era of virtualization and private clouds. The timing was fortunate as we would have been limited in our Windows 2012, Hyper-V & disaster recovery plans if we had to keep it going for another couple of years.
Now any time you dispose of old hardware it’s a good idea to wipe the data securely to a decent standard such as DoD 5220.22-M. This holds true whether it’s a laptop, a printer or a storage system.
We did the following:
Un-initialize the SAN/VLS
Reinitialize the SAN/VLS
Un-initialize the SAN/VLS
Swap a lot of disks around between SAN/VLS and disk bays in a random fashion
Un-initialize the SAN/VLS
Create new (Mirrored) LUNS, as large as possible.
Mount them to a host or hosts
Run the DoD grade disk wiping software against them.
That process is completely automatic and goes faster than we were led to believe, so it was not really such a pain to do in the end. Just let it run for a week 24/7 and you’ll wipe a whole lot of data. There is no need to sit and watch progress counters.
Un-initialize the SAN/VLS
Have it removed by a certified company that assures proper disposal
We would have loved to take it to a shooting range and blast the hell out of those things but alas, that’s neither practical nor feasible. It would have been very therapeutic for the IT Ops guys who’ve been babysitting the ever faster failing VLS hardware over the last years.
Here are some pictures of the decommissioned systems. Below are the two old VLS backup systems, broken down and removed from the data center, awaiting disposal. It’s cheap commodity hardware with a reliability problem when over 3 years old and way too expensive for what it is. Especially for up and out scaling later in the lifetime cycle, it’s just madness. Not to mention that those things gave us more issues than the physical tape library (those still have a valid and viable role to play when used for the correct purposes). Anyway, I consider this to have been my biggest technology choice mistake ever. If you want to read more about that go to Why I’m No Fan Of Virtual Tape Libraries
The old EVA 8000 SANs are awaiting removal in the junk yard area of the data center. They served us well and we’ve been early customers & loyal ones. But the platform was as dead as a dodo long before HP wanted to even admit to that. It took them quite a while to get the 3Par ready for the same market segment and I expect that cost them some sales. They’re ready today, they were not 24-12 months ago.
The next years the storage wars will rage and the landscape will change a lot. But we’re out of the storm for now. We’ll leverage what we got. One tip for all storage vendors: start listening to your SME customers a lot more than you do now and get the features they need into their hands. There are only so many big enterprises, so until we’re all 100% cloudified, don’t ignore us, as together we buy a lot of stuff too. Many SMEs are interested in more optimal & richer support for their Windows environments; if you can deliver that, you’ll see your sales rise. Keep commodity components, keep building blocks and form factors, but don’t use a cookie cutter to determine our needs or “sell” us needs we don’t have. Time to market & open communication is important here. We really do keep an eye on technologies so it’s bad to come late to the party.
IPsec has been around for a while now. In an ever more security conscious & regulated world you want and/or are required to protect your network communication by authenticating and encrypting the contents of at least some of your network traffic. Think about SOX and HIPAA and you’ll see that trade or government security requirements are not going anywhere but up for us all. This is not just restricted to military or intelligence organizations.
We’ve seen the ability to offload IPsec traffic to the NIC for a while now. This is great as the IPsec processing is a very CPU intensive workload. Unfortunately it didn’t work for virtual machines. Until now IPsec offload was only available to host/parent workloads using Windows Server 2008 R2. The virtualization of high volume network traffic workloads that require encryption means a serious hit on the resources on the host. If you’re willing to pay you might get by by throwing extra host & CPU power at the issue. But what if the load means a single virtual machine with 4 vCPUs can’t hack it? Game over. Sure, Windows Server 2012 Hyper-V allows for 32 vCPUs now, but that is very costly, so this is not a very cost effective solution. So in some cases this led to those workloads being marked as “unsuited for virtualization”.
But with Windows Server 2012 Hyper-V we get a very welcome improvement, that is the fact that a virtual machine can now also offload the IPsec processing to the physical NIC on the host. That frees up a lot of CPU cycles to perform more application-level work, resulting in better virtualization densities, which means less costs etc.
Let’s take a look at where you can set this in the Hyper-V GUI: you’ll find it under the network adapter / Hardware Acceleration.
IPsec offload is also managed by the Hyper-V switch, which controls whether the offloading will be active or not. This is to prevent the IPsec offload from stopping the services if insufficient resources are available. Please do note that IPsec, when required in the guest, will be done anyway, creating an extra CPU burden. So this does not disable IPsec, just the offloading of it. On top of this, and in the gravest extreme, you can guarantee that IPsec servers get the resources they need by sacrificing less important guests if needed, by using virtual machine prioritization. The fact that you can configure the number of security associations helps balance the needs of multiple virtual machines requiring IPsec offload.
To conclude, this wouldn’t be Windows Server 2012 if you couldn’t do all this with PowerShell. Take a look at Set-VMNetworkAdapter and notice the following parameter:
This specifies the maximum number of security associations that can be offloaded to the physical network adapter that is bound to the virtual switch and that supports IPsec Task Offload. The thing to notice here is that specifying a zero value disables the IPsec Offload feature.
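As an added example (not part of the original post), here is how the per-VM security association cap described above can be reviewed and applied from the Hyper-V host. It uses the `-IPsecOffloadMaximumSecurityAssociation` parameter of Set-VMNetworkAdapter; the VM names and SA counts are constructed for illustration.

```powershell
# Added example, not from the original post.
# VM names and SA counts below are constructed; replace them with your own.
# Run in an elevated session on the Hyper-V host (Windows Server 2012 or later).

# Per-VM budget of security associations that may be offloaded to the NIC.
# 0 disables the offload for that VM; IPsec itself still runs in the guest,
# it just costs guest CPU instead of NIC resources.
$saBudget = @{
    'ipsec-gw01' = 1024   # busy IPsec endpoint, gets the largest share
    'app-srv01'  = 512
    'test-vm01'  = 0      # low priority: no offload
}

# 1. Which physical NICs on the host have IPsec task offload enabled?
Get-NetAdapterIPsecOffload | Format-Table Name, Enabled -AutoSize

# 2. Record the current cap on every virtual NIC before changing anything.
Get-VM | Get-VMNetworkAdapter |
    Format-Table VMName, Name, SwitchName, IPsecOffloadMaximumSecurityAssociation -AutoSize

# 3. Apply the budget. Set-VMNetworkAdapter -VMName changes every vNIC of that VM.
foreach ($vmName in $saBudget.Keys) {
    if (-not (Get-VM -Name $vmName -ErrorAction SilentlyContinue)) {
        Write-Warning "VM '$vmName' not found on this host, skipping"
        continue
    }
    Set-VMNetworkAdapter -VMName $vmName `
        -IPsecOffloadMaximumSecurityAssociation $saBudget[$vmName]
}

# 4. Confirm the result.
Get-VM | Get-VMNetworkAdapter |
    Format-Table VMName, Name, IPsecOffloadMaximumSecurityAssociation -AutoSize
```

A VM set to 0 is not left unprotected: traffic that its IPsec policy covers is still authenticated and encrypted, only in software.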
You have to hand it to Microsoft. At the moment a customer is contemplating buying MDOP they announce a sweet added benefit with that package, code named “Malta” or the Microsoft BitLocker Administration and Monitoring (MBAM) Beta. You can sign up for this via the Connect page and the beta is expected in March 2011, yes, this month. Would be nice to see how it holds up in use.
According to the Connect site, Malta is a BitLocker management solution that will enable IT to more easily deploy and manage BitLocker volume encryption technology across the enterprise. Using Malta:
IT can automate the process of encrypting volumes on client machines across enterprise
Helpdesk can reduce the time required for BitLocker PIN and Recovery Key information
Security officers can quickly produce reliable evidence that indicates the compliance state of individual computers or even the enterprise itself.
Security Officers can easily audit access to Recovery Key information.
Windows Enterprise users are empowered to continue working anywhere knowing their corporate data is protected.
Look people, even if you’re just a low profile outfit, don’t become road kill because some bad guys got to your data and published or sold it. Protect your assets and reputation. The technology to do this is available and it’s getting better and better. You do have to use it to be protected, so to paraphrase Nike, just do it. When your CFO forgets his laptop on the commuter train he’ll thank you for it. More info on the Microsoft TechNet page Microsoft BitLocker Administration and Monitoring (MBAM)