Virtualization Security Strategy from VMworld 2010

Virtualization Security was one of the BIG Deals at VMworld with several announcements:

  • VMware vShield Edge, App, and End Point
  • Trend Micro will have the first product making use of vShield End Point
  • Cisco Virtual Security Gateway (VSG)
  • HyTrust and their growing list of technology partners

But the biggest news is that Virtualization Security is finally on the radar of most if not all C-level as it is now seen as the gate to entering the cloud. But before we can solve the cloud security issue we have to solve the virtualization security issues. VMware’s announcement has the most impact on the virtualization security ecosystem. At once they are competing head-to-head with some vendors while providing a platform to use for other vendors.

VMware’s apparent strategy moving forward is to provide a simple to use no ‘driver’ required mechanism to implement virtualization security products. There are currently 3 ways to implement virtualization security within vSphere.

  • As an inline device sitting between two portgroups or virtual switches. The following are examples of these type of appliances: Catbird, vShield Zones v1.0, Smoothwall, IPCop, m0n0wall, etc. In general, these devices could have scaling issues as you need new devices if you exceed 10 virtual switches on a single host for vSphere, 4 for Virtual Infrastructure. The advantage is that your appliance does not share CPU resources within the vmkernel.
  • As a device that requires agents to be installed in every VM such as Trend Micro’s current version of Deep Security and many other agent-full security tools. These have issues with scaling as many fire off at the same time and cause performance problems across the entire host.
  • As a VMsafe driver which requires a virtual appliance to handle the heavy lifting. The use of a driver implies the need for a third-party driver to be installed within your environment which can lead to confusion and possible issues if more than one driver is installed for more than one product. VMsafe tools include Altor Networks, Reflex Systems, IBM VSP, Trend Micro Deep Security, and now Checkpoint. These resources are also shared within the vmkernel as well as live within a virtual appliance. VMsafe improves overall system performance by centralizing all access to network and memory within the VMsafe drivers.

Now VMware has introduces VMware vShield Edge, App, and End Point and each have an entirely new API available to software developers. The idea behind these APIs is to provide a new way to access the VMsafe functionality other products are using now in such a way as to not require a third party driver. This is important:

The new vShield products provide VMsafe-like functionality without the need for a third party driver.

Which in essence opens up the development of security tools to many other developers and not just a select few allowed by VMware. In my post,If the Virtualization Security Products had no Firewall?, I looked at many third party vendors from the view of no longer requiring their own VMsafe driver, in essence if their firewall disappeared. What would be within these products. There are many aspects that would be there, but many would end up disappearing unless they were converted to use the vShield APIs.

Since the vCloud Director makes use of vShield Edge and App, any using vCloud Directory would be stuck with VMware’s firewalls, but how about IDS/IPS, Continual Compliance, Anti-rootkit, Anti-Virus, and Anti-malware tools just to name a few. Well for the Anti- tools there is vShield End Point which is just an enabling layer. For the others you may need to hook directly into the new vShield APIs.

I believe this is where VMware is going with their security products. To become the layer that enables functionality and not a direct competitor with any product that is not just a firewall. The vShield set of APIs removes several issues I mentioned previously:

  • No need for a third party driver within your hypervisor
  • No collisions between third party drivers within your hypervisor
  • The VMsafe bits for vShield App and End Point are for transfer only so have a low CPU and memory overhead
  • vShield Edge provides another VMsafe capability of portgroup isolation instead of just vSwitch isolation.
  • You can grant to your security virtual appliances as much CPU as required. You can do this now unless much of the process runs within the VMsafe kernel driver.

Will the third parties move along this path as well? Only time will tell but Trend Micro has started down this path with at least Anti-Virus. Will Deep Security eventually use the other APIs? Time will tell but the strategy from VMware is pretty clear:

Provide the ability to easily develop security appliances on top of VMware’s vShield suite.


If the Virtualization Security Products had no Firewall?

Posted in SecurityTagged , , , , , , , ,