How virtualising applications can protect computers from their installed software

Installing some applications that run under Windows is like wiping a toffee apple on a suede jacket: try as you might, you can never get rid of the sticky mess.

Dynamic link library (DLL) files used by these applications can sometimes be left on the machine; uninstalling the software sometimes fails to automatically delete Windows registry entries, forcing administrators to live with a polluted registry or waste time manually cleaning it. Redundant folders can also litter the file system as the uninstaller shrugs and tells you that some things could not be removed.

Combine these problems with incompatibilities between different applications on the same machine, and it is no wonder savvy IT managers try to standardise hard drive images as much as they can. The problem is that it is not always possible.

But application virtualisation could help to solve that problem. A relatively new development, virtualisation usually describes the separation of logical assets from physical resources.

Companies such as VMware and Microsoft offer machine virtualisation. VMware's Assured Computing Environment and Microsoft's Virtual PC products provide virtual operating systems that run on top of native Windows, providing what is essentially an operating system within an operating system.

Although such software offers a type of virtualisation, Gartner vice-president Brian Gammage advises users to wait for the technology built into Intel and AMD chips to move virtualisation into the hardware.

The difference between machine and application virtualisation is that instead of virtualising the operating system, the latter virtualises only the file system and registry. Applications think they are being installed on the native file system but are actually stored on a virtual file system.

The benefits of virtualising applications are varied. Because applications never directly see real Windows resources, the native file system and registry will not be polluted.

When implemented properly, virtualisation can lead to very fast installation, and applications with DLLs saved in their own virtual space do not conflict with one another and crash the system.

It also enables multiple versions of an application to be run on the same PC. This is useful because it allows IT departments to test applications in the field, for example, and to wipe all traces from end-users' machines when they have finished.

Applications can be switched on and off very quickly, making them available or unavailable as required. Richard Bentley, product segment manager at software services firm Altiris, said, "There is also the ability to fix an application very quickly so that if I have a problem, it is a case of flicking a switch so that it's back to its original state."

Altiris will soon be launching Software Virtualisation System (SVS), which uses technology acquired when it bought out FSLogic in 2004.

Administrators use a tool to capture a conventional software installation and create a virtual package to be distributed over the network. The package can be sent to a PC and "installs" instantly into a virtual file system. But it will introduce about a 3% increase in application start-up times, said Steve Morton, Altiris vice-president of product management and marketing.

Altiris' approach is to provide enterprise service management, tying inventory, helpdesk systems, patch management and security configuration into a back-end configuration management database. Administrators will be able to remotely administer, remove, and roll back virtualised applications from a central point. The system will be priced per user mode.

Altiris also wants to move nearer to the operating system kernel with its technology. Its next release of SVS will include the ability to virtualise operating system patches as well as applications. This will please IT administrators who have spent years agonising over operating system patch deployments, worrying that they will cause more system problems than they solve.

Theoretically, an application virtualisation product supporting operating system patches could remove some of that pain, although it remains to be seen how well the company tackles this task.

That raises interesting questions about the security ramifications of such software. If the virtualisation layer is intercepting communications between the application and Windows resources, it becomes possible to watch for suspicious behaviour, such as putting a DLL file with a known signature in a certain place, or writing suspicious keys to the registry.

Given that more advanced anti-malware tools already monitor application behaviour, it does not take much imagination to envisage an application virtualisation system with inbuilt anti-malware features.
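A simplified model of the interception described above, added here as an illustration and not taken from any product named in this article. In-memory dictionaries stand in for the native file system and registry; the class name, the watched System32 directory and the watched Run key are assumptions chosen for the sketch, and the "known signature" is a constructed SHA-256 value.

```python
import hashlib

# Constructed sample data: one "known bad" DLL hash and the watched locations.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed-known-bad-dll").hexdigest()}
WATCHED_DLL_DIR = "c:\\windows\\system32\\"
WATCHED_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\run"


class VirtualLayer:
    """Toy per-application layer: writes are redirected, reads fall through."""

    def __init__(self, base_files, base_registry):
        self.base_files = base_files        # "native" file system, never written
        self.base_registry = base_registry  # "native" registry, never written
        self.files, self.registry = {}, {}  # the application's private layer
        self.alerts = []                    # findings raised by the layer
        self.enabled = True                 # the on/off switch for the package

    def write_file(self, path, data):
        key = path.lower()
        digest = hashlib.sha256(data).hexdigest()
        in_watched_dir = key.startswith(WATCHED_DLL_DIR) and key.endswith(".dll")
        if in_watched_dir and digest in KNOWN_BAD_SHA256:
            self.alerts.append(("known-bad DLL", key))
        self.files[key] = data  # redirected into the layer, base is untouched

    def read_file(self, path):
        key = path.lower()
        if self.enabled and key in self.files:
            return self.files[key]
        return self.base_files.get(key)

    def set_value(self, key, name, value):
        if key.lower().startswith(WATCHED_KEY):
            self.alerts.append(("autorun key write", f"{key.lower()}\\{name}"))
        self.registry[(key.lower(), name.lower())] = value

    def get_value(self, key, name):
        entry = (key.lower(), name.lower())
        if self.enabled and entry in self.registry:
            return self.registry[entry]
        return self.base_registry.get(entry)

    def reset(self):
        """Discard everything the application wrote since capture."""
        self.files.clear()
        self.registry.clear()
```

Because every write passes through `write_file` or `set_value`, the same choke point that keeps the native system clean is where the behavioural checks run.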

It is far too early in the game for that to happen, and we are likely to see more players flock to the market before feature sets mature. In the meantime, though, Altiris will be complementing SVS with more functions.

When it bought FSLogic it acquired Protect, a software tool that saves a baseline operating system configuration, which can be restored after someone has used a PC. This would be useful, for instance, for public computers in hotel lobbies that need to restore themselves to a standard configuration after guest use.

Protect and SVS were developed using different code bases, and currently cannot run on the same machine. But by the summer, the company said it would merge the code paths of the two products.

Bentley said this would give administrators total state management. "That means being able to virtualise an entire user session," he said. "When I log on, if I download a virus that is not supposed to be there [the administrator] can just wipe that away when the user logs off because everything they are doing is virtualised."

Another approach is to mix software virtualisation with application streaming. This is what Softricity does: the application sits on the server, but executes on the client. Chunks of code are sent across the network to run locally as required.

On the desktop, the application uses Systemguard (a file virtualisation layer similar to the Altiris technology) but it forms part of a wider software caching product. When a user logs on to a machine and starts to use an application, segments of code begin streaming from the server and installing themselves in the local virtual file system. They stay there so that they can be used the next time that person logs on.

This all happens on the Softgrid Universal Desktop Client, which forms one part of Altiris' Softgrid application streaming system. The Softgrid Sequencer converts Windows applications into packages that stream from the Virtual Application Server. Streaming is administered using the Softgrid Management Web Service, which hooks into Active Directory and third-party systems management tools to handle details such as user permissions.

Softricity recently signed a strategic deal with Microsoft to deliver application streaming via Systems Management Server.

The system includes a back-end licence-compliant component to help manage end-user licences for streamed applications. It also supports mobile users with cached virtualised applications, enabling systems administrators to set time limits after which they must reconnect to the network to authenticate their applications. For £4,250 you can buy 25 end-user licences, with unlimited sequencers and application servers.

Citrix, the company known primarily for running applications on the server and streaming user interfaces to thin clients, is also getting into the application virtualisation business.

According to Brian Nason, product line executive for emerging products, its traditional server-side processing products are already virtualising applications. Tarpon, a project that the company began talking about late last year, will provide full application virtualisation space by essentially mimicking Softricity's streaming/isolation concept.

The technology behind Tarpon originally appeared in Presentation Server 4.0 as a way of isolating centralised applications in a protected environment to address software compatibility problems. Expect to see Tarpon this year.

The availability of this new Citrix product should increase the visibility of application virtualisation considerably. With its £513m revenue, Citrix has more sales and marketing muscle than £96m Altiris. Softricity is still privately owned.

With application virtualisation at the start of the growth curve, it is not surprising that few firms are involved at present, but one surprising omission is Microsoft.

It is clear that virtualisation is set to become a dominant part of future datacentre architectures as users see the benefits. It improves IT management and simplifies infrastructure by allowing servers to be consolidated.

Other benefits include the ability to distribute sets of applications on a USB key and having them run when you plug the key into the client. The applications would run on the PC's processor, but would write to a virtualised file system on the USB key.

Altiris is already pushing this model and Nason said Citrix has been discussing this concept with portable storage companies such as SanDisk.

"A lot of people are looking at that from a data protection perspective," he said. "You can take your sensitive applications, encrypt them and put authentication on them."

Why server virtualisation works

Server virtualisation, unlike many other emerging transformative IT infrastructure technologies, offers companies practical benefits today, in addition to long-term transformational potential.

It works with many or most existing applications. Because server virtualisation mimics server hardware, only software that requires direct control of hardware is incompatible.

It is supported by many leading software, hardware, and services suppliers. VMware has been successful, in part, because it recruited Dell, HP, and IBM as partners for reselling its software.

Virtualisation lends itself to incremental deployments and graduated use of its features. Initially, many firms used server virtualisation to simulate server environments for test and development purposes.

But as firms have gained experience with the technology - and as support from suppliers has improved - they have gradually expanded their use.

Virtualisation helps companies to cut hardware costs. Once firms gained confidence with virtualised servers, they realised they could consolidate many infrastructure servers, such as back-up domain controllers, DNS servers and print servers.

It increases server management flexibility. Virtual servers can be moved easily from one server to another by simply hibernating or shutting down the server and then restarting it on a new box.

Source: Forrester Research
