VMware seeks security 'manager of managers' role for vShield

VMware says it has an even more ambitious goal: Make the VMware vShield Manager product the ultimate "manager of managers" for security in the VMware vSphere environment.

With the popularity of its virtual-machine software soaring, VMware has been focusing on optimizing security for its vSphere platform, both by cooperating with third-party security vendors and by encouraging a shift to its own software-based security architecture known as vShield.

Now, VMware says it has an even more ambitious goal: Make the VMware vShield Manager product the ultimate "manager of managers" for security in the VMware vSphere environment by having robust reporting, control, configuration and administration of third-party products tied directly to it. While that remains an ongoing project today, Director of Product Marketing Dean Coza says traditional security product approaches do not tend to work well in the enterprise's or service provider's VM-based environment, but often can be adapted to vShield.


"Virtualization and the cloud are breaking traditional security models," Coza says. "Traditional security tools don't scale in this environment" where there could be 50 VMs running on a single physical machine, and antivirus software for them "creates an A/V storm" that affects performance.

For instance, using hardware-based firewalls to carve out VLANs for islands of physical servers running virtual machines is not an optimum way to cordon off VMs, he says, as it just leads to firewall "ACL [access-control list] spaghetti" that ends up being unmanageable. "The Fortune 1000 companies want visibility and better controls and better compliance."

Instead, VMware has been pushing for its VM-based customers to shift toward the vShield architecture for vSphere announced late last year. This offers ways to use built-in application firewalls through what's known as vShield Zones, or to use vShield App, the hypervisor-based application-aware firewall for the virtual data center. Basically, vShield App uses application-aware firewalling installed on the vSphere host to control and monitor all network traffic on the host.

In this model, the role for third-party security software, such as anti-malware, also changes by removing the multiple agents that would run in the guest operating systems and instead "have a special kind of guest, a security virtual machine" that third-party software providers support through API libraries supplied by VMware, Coza says.

"This agentless approach is better protection," Coza says.

Antivirus vendors, including McAfee and Trend Micro, have opted for this agentless approach, with Symantec expected out soon as well, according to Coza. He says the next stage of this vShield initiative at VMware will go beyond antivirus to "file-integrity monitoring and sensitive data discovery," with VMware working with vendors specializing in those areas to support the vShield platform.

He also says the vShield approach for vSphere is the successor to what has been the VMsafe APIs for VMware's older ESX platform, which has achieved some success in adopting third-party security products for scanning and intrusion protection in virtualization.

LogLogic, which provides a hardware appliance for collecting log data in order to help IT administrators gain a record to ensure compliance with security policies, says it also has a software version of its product for vShield and vCenter that can provide the IT administrator with reports related to data covered under the Payment Card Industry (PCI) guidelines.

"We can get hourly and daily PCI reports related to PCI stats off of virtualized hardware," says Bill Roth, executive vice president at LogLogic.

By working under what Roth says is a joint technology arrangement with VMware, LogLogic ensured it goes down to a "bare-metal VMware" level to log everything possible. Coza says the partnership "allows customers to deploy PCI workloads" and have the ability to use "multi-tenant security capabilities in the hypervisor."

But VMware's aspiration to have vShield Manager become the manager of managers for VMware-based anti-malware, event logging, e-discovery and file integrity, among other security functions and configuration management, is still a work in progress. And it hasn't yet won wide applause.

Some are skeptical, having seen many attempts at the manager of managers approach ultimately not prove successful.

"Years ago, HP OpenView was supposed to be the center of the universe for security. It never happened," says Gartner analyst John Pescatore. Among others, Microsoft also tried it with systems management and McAfee with its ePolicy Orchestrator, each with varying success, he points out.

Pescatore says the approach VMware proposes with vShield would probably be more attractive to service providers than to enterprise customers. In any event, centralizing security controls in this manager of managers approach raises questions about reliability and about the impact of any mistakes that are made.

VMware's Coza says the vShield approach is finding some traction at hundreds of companies, and at Los Alamos National Lab, as well as some of the cloud-service providers, including Terremark, Savvis and AT&T, which are either evaluating it or have already deployed vShield.


Ellen Messmer

Network World