VMware seeks security 'manager of managers' role for vShield

VMware says it has an even more ambitious goal: Make the VMware vShield Manager product the ultimate "manager of managers" for security in the VMware vSphere environment

With the popularity of its virtual-machine software soaring, VMware has been focusing on optimizing security for its vSphere platform, both through cooperation with third-party security vendors and by encouraging a shift to its own software-based security architecture, known as vShield.

Now, VMware says it has an even more ambitious goal: Make the VMware vShield Manager product the ultimate "manager of managers" for security in the VMware vSphere environment by having robust reporting, control, configuration and administration of third-party products tied directly to it. While that remains an ongoing project today, Director of Product Marketing Dean Coza says traditional security product approaches do not tend to work well in the enterprise's or service provider's VM-based environment, but often can be adapted to vShield.


"Virtualization and the cloud are breaking traditional security models," Coza says. "Traditional security tools don't scale in this environment" where there could be 50 VMs running on a single physical machine, and antivirus software for them "creates an A/V storm" that affects performance.

For instance, using hardware-based firewalls to carve out VLANs for islands of physical servers running virtual machines is not an optimal way to cordon off VMs, he says, because it leads to firewall "ACL [access-control list] spaghetti" that ends up unmanageable. "The Fortune 1000 companies want visibility and better controls and better compliance."

Instead, VMware has been pushing its vSphere customers toward the vShield architecture announced late last year. It offers the basic firewall bundled with vSphere, known as vShield Zones, or vShield App, the hypervisor-based, application-aware firewall for the virtual data center. vShield App is installed on each vSphere host and controls and monitors all network traffic on that host, including traffic between VMs on the same host, which never reaches a physical firewall.
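The argument in the two paragraphs above, that address-based ACLs on a perimeter firewall turn into "spaghetti" while a hypervisor-level rule keyed on the VM itself does not, is easy to see in a small model. The following is an added illustration written for this page, not VMware or vShield code, and does not use any vShield API; the VM names, addresses, tiers and the tier policy are constructed sample data, and the stale-rule scenario at the end is an assumption about how such a change would play out.

```python
"""Toy model of the two enforcement models the article contrasts: pairwise
IP ACLs on a perimeter firewall versus a hypervisor-level rule keyed on VM
identity. Added illustration only; not VMware or vShield code. Inventory,
addresses and the tier policy are constructed sample data."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    group: str          # tier the VM belongs to, e.g. "web", "app", "db"


# Intended policy, stated once at the group level:
# (src tier, dst tier) -> set of allowed destination ports.
INTENT = {
    ("web", "app"): {8080},
    ("app", "db"): {3306},
}

# Constructed inventory: two VMs per tier, each on its own subnet.
INVENTORY = [
    VM("web1", "10.0.1.11", "web"), VM("web2", "10.0.1.12", "web"),
    VM("app1", "10.0.2.21", "app"), VM("app2", "10.0.2.22", "app"),
    VM("db1", "10.0.3.31", "db"), VM("db2", "10.0.3.32", "db"),
]


def compile_ip_acl(vms):
    """Expand INTENT into the per-address entries an IP-only firewall needs.
    One allow per (src VM, dst VM, port) pair; the list grows with every
    VM added and has to be regenerated whenever an address changes."""
    acl = []
    for src, dst in product(vms, vms):
        for port in sorted(INTENT.get((src.group, dst.group), ())):
            acl.append((src.ip, dst.ip, port, "allow"))
    acl.append(("any", "any", "any", "deny"))   # implicit deny at the end
    return acl


def ip_acl_decision(acl, src_ip, dst_ip, port):
    """First-match evaluation of a flow against the address-based ACL."""
    for s, d, p, action in acl:
        if s in (src_ip, "any") and d in (dst_ip, "any") and p in (port, "any"):
            return action
    return "deny"


def group_decision(src_vm, dst_vm, port):
    """Hypervisor-level evaluation: the rule is keyed on which VM is talking,
    so the VM's current address or VLAN plays no part in the decision."""
    return "allow" if port in INTENT.get((src_vm.group, dst_vm.group), ()) else "deny"


def re_address(vms, name, new_ip):
    """Simulate one VM being moved to another segment and re-addressed."""
    return [VM(v.name, new_ip, v.group) if v.name == name else v for v in vms]


def stale_entries(acl, vms):
    """Allow entries that reference an address no VM in the inventory holds.
    These are the dangerous leftovers: whoever inherits the address inherits
    the access."""
    live = {v.ip for v in vms}
    return [e for e in acl
            if e[3] == "allow" and (e[0] not in live or e[1] not in live)]


if __name__ == "__main__":
    acl = compile_ip_acl(INVENTORY)
    print(len(acl), "ACL entries for", len(INVENTORY), "VMs")

    # app1 moves to a new segment; the ACL was not regenerated.
    moved = re_address(INVENTORY, "app1", "10.0.5.21")
    print(len(stale_entries(acl, moved)), "entries now reference a dead address")
    web1 = INVENTORY[0]
    app1_moved = next(v for v in moved if v.name == "app1")
    print("web1 -> app1 after move, ACL:", ip_acl_decision(acl, web1.ip, app1_moved.ip, 8080))
    print("web1 -> app1 after move, VM-keyed rule:", group_decision(web1, app1_moved, 8080))

    # A VM from another tier is later given app1's old address.
    squatter = VM("scratch1", "10.0.2.21", "test")
    print("web1 -> scratch1, ACL:", ip_acl_decision(acl, web1.ip, squatter.ip, 8080))
    print("web1 -> scratch1, VM-keyed rule:", group_decision(web1, squatter, 8080))
```

Two things fall out of the model. First, the address-based rule set is a compiled artefact that drifts from intent as soon as a VM moves: the flow the operators wanted is now denied, and four entries point at an address nobody owns. Second, the drift is a security problem, not just an operations problem, because a VM of a different tier that picks up the vacated address is allowed through by the stale entry, while the VM-keyed rule still denies it. That gap is what a rule evaluated at the hypervisor, where the VM's identity is known, closes.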

In this model, the role for third-party security software, such as anti-malware, also changes by removing the multiple agents that would run in the guest operating systems and instead "have a special kind of guest, a security virtual machine" that third-party software providers support through API libraries supplied by VMware, Coza says.

"This agentless approach is better protection," Coza says.

Antivirus vendors, including McAfee and Trend Micro, have opted for this agentless approach, with Symantec expected out soon as well, according to Coza. He says the next stage of this vShield initiative at VMware will go beyond antivirus to "file-integrity monitoring and sensitive data discovery," with VMware working with vendors specializing in those areas to support the vShield platform.

He also says the vShield approach for vSphere is the successor to the VMsafe APIs on VMware's older ESX platform, which saw some adoption by third-party security products for scanning and intrusion protection in virtualized environments.

LogLogic, which sells a hardware appliance that collects log data so IT administrators have a record for demonstrating compliance with security policies, says it also has a software version of its product for vShield and vCenter that can give the IT administrator reports on data covered by the Payment Card Industry (PCI) data security standard.

"We can get hourly and daily PCI reports related to PCI stats off of virtualized hardware," says Bill Roth, executive vice president at LogLogic.

By working under what Roth says is a joint technology arrangement with VMware, LogLogic ensured it goes down to a "bare-metal VMware" level to log everything possible. Coza says the partnership "allows customers to deploy PCI workloads" and have the ability to use "multi-tenant security capabilities in the hypervisor."

But VMware's aspirations to have vShield Manager become the manager of managers for VMware-based anti-malware, event logging, e-discovery and file integrity, among other security functions and configuration management, are still a work in progress. And they haven't yet won wide applause.

Some are skeptical, having seen many attempts at the manager of managers approach ultimately not prove successful.

"Years ago, HP OpenView was supposed to be the center of the universe for security. It never happened," says Gartner analyst John Pescatore. Among others, Microsoft also tried it with systems management and McAfee with its ePolicy Orchestrator, each with varying success, he points out.

Pescatore says the approach VMware proposes with vShield would probably be more attractive to service providers than to enterprise customers. In any event, centralizing security controls in this manager-of-managers approach raises questions about reliability and about how far a mistake made at that single control point propagates.

VMware's Coza says the vShield approach is finding some traction at hundreds of companies, and at Los Alamos National Lab, as well as some of the cloud-service providers, including Terremark, Savvis and AT&T, which are either evaluating it or have already deployed vShield.



Ellen Messmer

Network World