The second challenge is the required compatibility of CPUs within a given cluster of hosts. For a running machine to transfer effectively between hosts with near-zero interruption to service, the supported instruction sets of the CPUs on each host must be fully compatible. While many hardware manufacturers are building interoperability into their processors, and virtualization tools are evolving so that the hypervisor can abstract and normalize disparate hardware, this support is not yet mature enough to prove itself effective. Although complete hardware abstraction is one of the marketed benefits of virtualization, the practical result has been that most enterprises have been forced to standardize on a given hardware platform for each cluster in order to work within this limitation.
Limited Availability of Workload/Capacity-planning/Provisioning Tools
In the traditional world of appliance solutions, the full resources of a given hardware server are made available to the given OS and application, making performance, behavior and availability very predictable, even when handling peak and sustained loads. Increasing server utilization by running multiple machines on a given host significantly changes this model, and highlights the obvious demand for tools that measure resource usage, capacity planning and workload efficiency. Where the goal for administrators is to balance these virtual machines between physical hosts to maximize utilization, the reality is that the tools and individual features required to manage this effectively do not yet exist. In fact, most environments today allocate resources and map virtual machines to physical hosts based on projected usage, without much ongoing monitoring and migration to other hosts. This is a result of administrators lacking the tools to measure each machine's workload and thereby better plan their overall architecture and machine distribution. The net result is that, without these virtual machines being continuously redistributed based on workload, many organizations' virtualization infrastructures contain far more physical servers than necessary, with far lower utilization rates than expected. Without discounting that overall utilization rates are significantly higher when compared against the traditional appliance-based solution model, there remains much room for improvement once such tools become available.
Performance Constraints for Resource Intensive Applications
Message processing is, in general, both a CPU and I/O intensive application, and is subject to high sustained traffic rates as well as varying peak traffic rates. One of the most common performance limitations of virtualization, further exacerbated by the use of non-local centralized storage, is disk I/O, making any application requiring frequent disk usage an unlikely candidate for virtualization. Further, considering the CPU overhead of the hypervisor along with sustained messaging rates that would already fully utilize a server's resources, messaging infrastructure is currently not the primary target for virtualization.
Security Standards for DMZ Applications
Applications exposed to the external world, residing in the de-militarized zone (DMZ), are highly susceptible to attacks, and thus are logically, and in many cases physically, segregated from internal systems. With at the very least a firewall separating a solution in the DMZ from the internal network, organizations are extremely reluctant (if not explicitly opposed) to deploy both of these networks within the same virtualization infrastructure. Past security exploits of virtual switching have only reaffirmed the increased risk of intermixing both zones on the same infrastructure.
Even if organizations address this threat through separate silos for DMZ and internal network applications, there is still the risk, or at least the perception, that any successful attack on a single virtual machine may affect or grant access to the host server and other virtual machines in the same cluster. This significantly increases the risk and impact of an attack. Because such security vulnerabilities exist, and because of the general lack of maturity of virtualization in the DMZ, few critical external-facing applications have been migrated from the traditional hardware appliance model.
Conclusion
The implementation and rollout of an enterprise-scale virtualization environment expectedly includes several defined phases that can span several years. The success of such an implementation is as much dependent on the capabilities of the solution and its associated tools and features as it is on the internal processes, procedures and people managing it. With solutions to the above-mentioned challenges still evolving and developing, I'm noticing that most enterprises are taking a conservative, phased approach to migrating their messaging infrastructure. Typically, the hybrid strategy that customers are implementing retains appliance-based systems at the perimeter, or DMZ, while migrating internal systems based on function, location or other logical grouping.
Despite this relatively slow move toward virtualization, messaging administrators that are in the migration phase, or even in the evaluation/planning phase, are at a significant advantage over those that have yet to think about such an architectural shift. The long-term benefits of being at the forefront in defining, testing and implementing solutions to the above challenges provide a much higher chance of success in both a hybrid and a full-scale deployment of an email solution in a virtualization environment.
Nicholas Filippi, Director of Product Development
Nicholas Filippi is currently responsible for Sendmail’s email security product line, setting product strategy for the Sentrion core messaging platform as well as all add-on applications to provide a comprehensive messaging solution. He joined Sendmail in 2007 from Reconnex (acquired by McAfee), where he was responsible for the data leak protection (DLP) product line, providing solutions to detect and protect confidential and otherwise sensitive information from unauthorized distribution. He holds a Bachelor of Science degree in Computer Engineering from the University of Notre Dame.