1. Technical Field
This application relates to managing authentication of virtual clients.
2. Description of Related Art
Computer systems may include different resources used by one or more host processors. Resources and processors in a computer system may be interconnected by one or more communication connections. These resources may include, for example, data storage systems, such as the Symmetrix™ or CLARiiON™ (also referred to herein as Clariion) family of data storage systems manufactured by EMC Corporation. These data storage systems may be coupled to one or more host processors and provide storage services to each host processor. An example data storage system may include one or more data storage devices, such as those of the Symmetrix™ family, that are connected together and may be used to provide common data storage for one or more host processors in a computer system.
In a common implementation, a Storage Area Network (SAN) is used to connect computing devices with a large number of storage devices. Management and modeling programs may be used to manage these complex computing environments.
Virtualization is becoming more prevalent in the information technology industry, transforming computational functionality into information that can be stored and managed.
Platforms that support virtualization normally use virtual machine systems (a Virtual Machine Monitor, or VMM) to orchestrate and provision virtual machines (VMs) on the fly. The VMM software system typically co-exists with the operating system (OS) to provide the functionality of resident software on the platform, controlling access to all the resources that belong to that platform. On top of this resident software layer sit the VMs, running their individual applications within their own operating system shells. They either time-share the underlying physical resources or execute simultaneously with dedicated physical resources. This mapping from virtual machines to physical machines is achieved by the VMM either independently or in conjunction with the OS.
In essence, virtualization of computer resources involves abstracting computer hardware, which isolates operating systems and applications from the underlying hardware. Hardware is therefore shared among multiple operating systems and applications, wherein each operating system and its corresponding applications are isolated in a corresponding VM and wherein each VM is a complete execution environment. As a result, hardware can be utilized more efficiently.
A VM executing on a virtualized computer system will typically be limited to hardware resources (such as memory space, CPU cycles, network bandwidth, and so on) provided by that virtualized computer system, i.e., VMs executing on a first virtualized computer system typically share the hardware resources of the first virtualized computer system, and VMs executing on a second virtualized computer system typically share the hardware resources of the second virtualized computer system. As such, the performance of a VM will depend on the hardware resources of the virtualized computer system on which the VM is executing, as well as demands of any other VMs executing on the same virtualized computer system.
Further, uses for the Internet and the World Wide Web are continually increasing, and have expanded into “secure” areas. Different mechanisms for maintaining security in a network such as the Internet have been developed, such as the Secure Sockets Layer (SSL) security protocol. The SSL protocol uses a public key infrastructure to maintain security. In establishing an SSL connection between a client computer and a server computer hosting a web page, the server computer transmits a certificate to the client computer for verification or validation.
Typically in practice, when a user's Web browser first tries to contact a server for a secure transaction, the server sends its digital certificate to the browser. This certificate includes (among other things) the server's public key, the server's identity, the name of the certificate authority (CA) that signed the certificate, and the signature itself (which is a mathematical hash of the certificate encrypted with the CA's private key). To validate the certificate, the browser computes the certificate hash and compares the result with the hash obtained by decrypting the signature using the CA's public key (as well as checking the validity dates and identity included in the certificate against the desired server). To then validate the server, the browser encrypts a message with the public key obtained from the certificate and sends it to the server. If the server can prove it can decrypt that message, then it must have the associated private key and the authentication has succeeded. If desired, the server may likewise validate the browser. Once the browser and (optionally) the server are satisfied that each is the computer it claims to be, the browser and server can exchange session keys (additional keys that are used to encrypt the data transfers between the computers from then on).
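The certificate check and the possession proof described above, as an added illustration that is not part of this application: the CA signs a hash of the certificate body, the browser verifies that signature with the CA's public key and then checks the validity window and the identity, and finally challenges the server to decrypt a value encrypted under the certified public key. The RSA keys are textbook RSA on small, constructed primes with no padding, used only to make the flow visible; the certificate field names are assumptions of this example.

```python
import hashlib
import json

# Toy textbook RSA on small constructed primes (no padding, not secure; illustration only).
def rsa_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent
    return (n, e), (n, d)               # (public key, private key)

def cert_digest(fields, n):
    # Hash of the certificate body, reduced mod n so the toy key can sign it.
    raw = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n

def issue_cert(subject, subject_pub, ca_name, ca_priv, not_before, not_after):
    # CA side: the signature is the certificate hash "encrypted" with the CA private key.
    n, d = ca_priv
    fields = {"subject": subject, "public_key": list(subject_pub), "issuer": ca_name,
              "not_before": not_before, "not_after": not_after}
    return {"fields": fields, "signature": pow(cert_digest(fields, n), d, n)}

def validate_cert(cert, ca_pub, expected_host, today):
    # Browser side: recompute the hash, "decrypt" the signature with the CA public key,
    # then check the validity window and the identity against the server it meant to reach.
    n, e = ca_pub
    f = cert["fields"]
    if pow(cert["signature"], e, n) != cert_digest(f, n):
        return "bad signature"
    if not (f["not_before"] <= today <= f["not_after"]):   # ISO dates compare as strings
        return "expired"
    if f["subject"] != expected_host:
        return "identity mismatch"
    return "ok"

def browser_challenge(cert, nonce):
    # Browser encrypts a challenge with the public key taken from the validated certificate.
    n, e = cert["fields"]["public_key"]
    return pow(nonce, e, n)

def server_response(ciphertext, server_priv):
    # Only the holder of the matching private key recovers the challenge value.
    n, d = server_priv
    return pow(ciphertext, d, n)
```

Note that the signature check runs before the date and identity checks, so a certificate whose subject was altered after signing is rejected as tampered rather than as a mere name mismatch.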
Further, as the size and diversity of the Internet grows, so do the applications that use the network. Originally, network applications such as web browsers, terminal clients, and e-mail readers were the only programs accessing the Internet. Now, almost every application has a networking component, whether it is to obtain updates, manage licensing, or report usage statistics.
Although pervasive network connectivity provides a number of benefits, it also introduces security risks. Many programs that access the network allow users to leak confidential information or expose them to new attack vectors. An example is instant messaging (IM) software. Most IM programs permit direct file transfers. Also, so-called IM viruses are able to circumvent security systems by going through the IM network itself. Peer-to-peer file sharing software presents a risk as well because files often come packaged with Trojan horse malware. These unwanted applications are not outright malicious and therefore not detected by conventional security software, but they can still pose a serious threat to system security.
In addition to unwanted applications, many programs that directly harm their host computers communicate over the network. The resulting malware traffic may contain sensitive information, such as log-in names, passwords, and credit card numbers, which were collected from the host. This traffic may also have command and control information, such as instructions to download other malicious programs or attack other computers.
As the Internet grows and network bandwidth continues to increase, administrators are faced with the task of keeping confidential information from leaving their networks. Today's link speeds and traffic volume are such that manual inspection of all network traffic would be unreasonably expensive. Some security solutions, such as intrusion prevention systems and anti-virus software, focus on protecting the integrity of computers that house sensitive information. Unfortunately, these approaches do not stop insider leaks, which are a serious security threat. In response to the threat of insider leaks, some vendors have provided data loss prevention (DLP) systems that inspect outgoing traffic for known confidential information.
In the computer field it is known to employ authentication techniques to establish trust or confidence as a condition to allowing access to protected operations. One simple but well known authentication technique uses passwords that are handled confidentially and supposedly known to only a user and a computer system to which the user is to be authenticated. During authentication, the user presents the password, and the computer system checks the presented password against a password that is stored in association with an identifier of the user. If the values match, authentication has occurred and access to protected operation(s) is granted. Many other forms of authentication are known, usable in a variety of types of systems and operating circumstances.
One particular type of computer system employs so-called “virtualization” techniques in which physical host computer hardware executes instances of “virtual machines”. A virtual machine is a software construct that presents a machine-like interface to a guest operating system and application program(s) executing in the context of the virtual machine, isolated from similar programs executing in the context of other virtual machines executing on the host computer hardware. One aspect of virtualization technology is the ability to very quickly and flexibly deploy new virtual machines as needed to accommodate changes in a system's workload. As an example, virtual machines can be used to deploy client type machines usable by a set of users in an organization. A new client machine is brought into service by instantiating a new client virtual machine on the existing host computer hardware. The new client virtual machine may be created as a clone of a standardized “template” client virtual machine defined in the system.