VMware seeks security 'manager of managers' role for vShield

VMware says it has an even more ambitious goal: Make the VMware vShield Manager product the ultimate "manager of managers" for security in the VMware vSphere environment.

With the popularity of its virtual-machine software soaring, VMware has been focusing on optimizing security for its vSphere platform both through cooperation with third-party security vendors and encouraging a shift to its own software-based security architecture known as vShield.

Now, VMware says it has an even more ambitious goal: Make the VMware vShield Manager product the ultimate "manager of managers" for security in the VMware vSphere environment by having robust reporting, control, configuration and administration of third-party products tied directly to it. While that remains an ongoing project today, Director of Product Marketing Dean Coza says traditional security product approaches do not tend to work well in the enterprise's or service provider's VM-based environment, but often can be adapted to vShield.

"Virtualization and the cloud are breaking traditional security models," Coza says. "Traditional security tools don't scale in this environment" where there could be 50 VMs running on a single physical machine, and antivirus software for them "creates an A/V storm" that affects performance.

For instance, using hardware-based firewalls to carve out VLANs for islands of physical servers running virtual machines is not an optimal way to cordon off VMs, he says, as it just leads to firewall "ACL [access-control list] spaghetti" that ends up being unmanageable. "The Fortune 1000 companies want visibility and better controls and better compliance."

Instead, VMware has been pushing for its VM-based customers to shift toward the vShield architecture for vSphere announced late last year. This offers ways to use built-in application firewalls through what's known as vShield Zones, or to use vShield App, the hypervisor-based application-aware firewall for the virtual data center. Basically, vShield App uses application-aware firewalling installed on the vSphere host to control and monitor all network traffic on the host.

In this model, the role for third-party security software, such as anti-malware, also changes by removing the multiple agents that would run in the guest operating systems and instead "have a special kind of guest, a security virtual machine" that third-party software providers support through API libraries supplied by VMware, Coza says.

"This agentless approach is better protection," Coza says.

Antivirus vendors, including McAfee and Trend Micro, have opted for this agentless approach, with Symantec expected out soon as well, according to Coza. He says the next stage of this vShield initiative at VMware will go beyond antivirus to "file-integrity monitoring and sensitive data discovery," with VMware working with vendors specializing in those areas to support the vShield platform.

He also says the vShield approach for vSphere is the successor to what has been the VMsafe APIs for VMware's older ESX platform, which has achieved some success in adopting third-party security products for scanning and intrusion protection in virtualization.

LogLogic, which provides a hardware appliance for collecting log data in order to help IT administrators gain a record to ensure compliance with security policies, says it also has a software version of its product for vShield and vCenter that can provide the IT administrator with reports related to data covered under the Payment Card Industry (PCI) guidelines.

"We can get hourly and daily PCI reports related to PCI stats off of virtualized hardware," says Bill Roth, executive vice president at LogLogic.

By working under what Roth says is a joint technology arrangement with VMware, LogLogic ensured it goes down to a "bare-metal VMware" level to log everything possible. Coza says the partnership "allows customers to deploy PCI workloads" and have the ability to use "multi-tenant security capabilities in the hypervisor."

But VMware's aspiration to have vShield Manager become the manager of managers for VMware-based anti-malware, event logging, e-discovery and file integrity, among other security functions and configuration management, is still a work in progress. And it hasn't yet won wide applause.

Some are skeptical, having seen many attempts at the manager of managers approach ultimately not prove successful.

"Years ago, HP OpenView was supposed to be the center of the universe for security. It never happened," says Gartner analyst John Pescatore. Among others, Microsoft also tried it with systems management and McAfee with its ePolicy Orchestrator, each with varying success, he points out.

Pescatore says the approach VMware proposes with vShield would probably be more attractive to service providers than to enterprise customers. In any event, centralizing security controls in this manager-of-managers approach raises questions about reliability and about the impact of any mistakes that are made.

VMware's Coza says the vShield approach is finding some traction at hundreds of companies, and at Los Alamos National Lab, as well as some of the cloud-service providers, including Terremark, Savvis and AT&T, which are either evaluating it or have already deployed vShield.

Ellen Messmer

Network World