VMware seeks security 'manager of managers' role for vShield

VMware says it has an even more ambitious goal: Make the VMware vShield Manager product the ultimate "manager of managers" for security in the VMware vSphere environment

With the popularity of its virtual-machine software soaring, VMware has been focusing on optimizing security for its vSphere platform both through cooperation with third-party security vendors and encouraging a shift to its own software-based security architecture known as vShield.

Now, VMware says it has an even more ambitious goal: Make the VMware vShield Manager product the ultimate "manager of managers" for security in the VMware vSphere environment by having robust reporting, control, configuration and administration of third-party products tied directly to it. While that remains an ongoing project today, Director of Product Marketing Dean Coza says traditional security product approaches do not tend to work well in the enterprise's or service provider's VM-based environment, but often can be adapted to vShield.


"Virtualization and the cloud are breaking traditional security models," Coza says. "Traditional security tools don't scale in this environment" where there could be 50 VMs running on a single physical machine, and antivirus software for them "creates an A/V storm" that affects performance.

For instance, using hardware-based firewalls to carve out VLANs for islands of physical servers running virtual machines is not an optimum way to cordon off VMs, he says, as it just leads to firewall "ACL [access-control list] spaghetti" that ends up being unmanageable. "The Fortune 1000 companies want visibility and better controls and better compliance."

Instead, VMware has been pushing for its VM-based customers to shift toward the vShield architecture for vSphere announced late last year. This offers ways to use built-in application firewalls through what's known as vShield Zones, or to use vShield App, the hypervisor-based application-aware firewall for the virtual data center. Basically, vShield App uses application-aware firewalling installed on the vSphere host to control and monitor all network traffic on the host.
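The "ACL spaghetti" point above comes down to what the firewall keys on: an address-based ACL on a physical firewall has to be expanded per VM pair and rebuilt whenever an address changes, whereas a hypervisor-level policy can match on the VM's identity or group, which the host knows directly. The following simulation is an added example written for this article; it is not VMware code and does not model vShield App's real rule format. The inventory, group names, addresses and the `POLICY` set are constructed for illustration.

```python
from dataclasses import dataclass, replace
from itertools import product


@dataclass(frozen=True)
class VM:
    name: str
    group: str  # security zone the VM belongs to: "web", "app" or "db" (constructed)
    ip: str     # address the VM holds right now


# Intended policy as (source group, destination group, TCP port). Constructed sample.
POLICY = frozenset({("web", "app", 8080), ("app", "db", 5432)})


def build_inventory():
    """Constructed sample inventory: three web, three app and two db VMs."""
    vms = []
    for i in range(1, 4):
        vms.append(VM(f"web{i}", "web", f"10.0.1.{10 + i}"))
        vms.append(VM(f"app{i}", "app", f"10.0.2.{20 + i}"))
    for i in range(1, 3):
        vms.append(VM(f"db{i}", "db", f"10.0.3.{30 + i}"))
    return vms


def vlan_ip_acl(vms, policy):
    """VLAN / hardware-firewall style: each allowed group pair is expanded into
    one (src_ip, dst_ip, port) rule per VM pair, so the rule set grows with
    |src| x |dst| and must be regenerated whenever an address changes."""
    rules = set()
    for src_group, dst_group, port in policy:
        srcs = [v for v in vms if v.group == src_group]
        dsts = [v for v in vms if v.group == dst_group]
        for s, d in product(srcs, dsts):
            rules.add((s.ip, d.ip, port))
    return rules


def ip_acl_allows(rules, src_ip, dst_ip, port):
    """Address-based decision: the ACL knows addresses, not VMs."""
    return (src_ip, dst_ip, port) in rules


def host_policy_allows(policy, src, dst, port):
    """Hypervisor-level, identity-based decision: matched on the VMs' groups,
    so the verdict follows the VM through re-addressing."""
    return (src.group, dst.group, port) in policy


def demo():
    """Compare both approaches on the sample inventory and return the verdicts."""
    vms = build_inventory()
    by_name = {v.name: v for v in vms}
    rules = vlan_ip_acl(vms, POLICY)
    web1, app1 = by_name["web1"], by_name["app1"]

    # app1 is re-addressed, e.g. after a move to another subnet.
    app1_moved = replace(app1, ip="10.0.2.99")
    # Later a new db VM is handed app1's old address.
    db3 = VM("db3", "db", app1.ip)

    return {
        "ip_acl_rules": len(rules),
        "host_policy_rules": len(POLICY),
        # The stale ACL no longer lets web1 reach the moved app1 ...
        "ip_acl_after_move": ip_acl_allows(rules, web1.ip, app1_moved.ip, 8080),
        "host_policy_after_move": host_policy_allows(POLICY, web1, app1_moved, 8080),
        # ... but still lets web1 reach the db VM now sitting on app1's old address.
        "ip_acl_stale_allow": ip_acl_allows(rules, web1.ip, db3.ip, 8080),
        "host_policy_stale_allow": host_policy_allows(POLICY, web1, db3, 8080),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With eight VMs the two-line policy already expands to fifteen address rules, and the address churn that is routine in a virtualized data center leaves the expanded ACL both too strict (the moved VM is cut off) and too loose (its old address keeps its old permissions). The identity-based check needs no regeneration, which is the operational case the article makes for enforcing policy at the hypervisor.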

In this model, the role of third-party security software such as anti-malware also changes: the multiple agents that would otherwise run in each guest operating system are removed, and instead the customer can "have a special kind of guest, a security virtual machine" that third-party software providers support through API libraries supplied by VMware, Coza says.

"This agentless approach is better protection," Coza says.

Antivirus vendors, including McAfee and Trend Micro, have opted for this agentless approach, with Symantec expected out soon as well, according to Coza. He says the next stage of this vShield initiative at VMware will go beyond antivirus to "file-integrity monitoring and sensitive data discovery," with VMware working with vendors specializing in those areas to support the vShield platform.

He also says the vShield approach for vSphere is the successor to the VMsafe APIs for VMware's older ESX platform, which had some success in attracting third-party security products for scanning and intrusion protection in virtualized environments.

LogLogic, which sells a hardware appliance that collects log data so IT administrators have a record for demonstrating compliance with security policies, says it also has a software version of its product for vShield and vCenter that can give administrators reports on data covered by the Payment Card Industry (PCI) guidelines.

"We can get hourly and daily PCI reports related to PCI stats off of virtualized hardware," says Bill Roth, executive vice president at LogLogic.

By working under what Roth says is a joint technology arrangement with VMware, LogLogic ensured it goes down to a "bare-metal VMware" level to log everything possible. Coza says the partnership "allows customers to deploy PCI workloads" and have the ability to use "multi-tenant security capabilities in the hypervisor."

But VMware's aspirations to have vShield Manager become the manager of managers for VMware-based anti-malware, event logging, e-discovery and file integrity, among other security functions and configuration management, are still a work in progress. And they haven't yet won wide applause.

Some are skeptical, having seen many attempts at the manager of managers approach ultimately not prove successful.

"Years ago, HP OpenView was supposed to be the center of the universe for security. It never happened," says Gartner analyst John Pescatore. Among others, Microsoft also tried it with systems management and McAfee with its ePolicy Orchestrator, each with varying success, he points out.

Pescatore says the approach VMware proposes with vShield would probably be more attractive to service providers than to enterprise customers. In any event, centralizing security controls in this manager-of-managers approach raises questions about reliability and about the blast radius of configuration mistakes made at that central point.

VMware's Coza says the vShield approach is finding some traction at hundreds of companies, and at Los Alamos National Lab, as well as some of the cloud-service providers, including Terremark, Savvis and AT&T, which are either evaluating it or have already deployed vShield.


Ellen Messmer

Network World