With the popularity of its virtual-machine software soaring, VMware has been focusing on optimizing security for its vSphere platform both through cooperation with third-party security vendors and encouraging a shift to its own software-based security architecture known as vShield.
Now, VMware says it has an even more ambitious goal: Make the VMware vShield Manager product the ultimate “manager of managers” for security in the VMware vSphere environment by having robust reporting, control, configuration and administration of third-party products tied directly to it. While that remains an ongoing project today, Director of Product Marketing Dean Coza says traditional security product approaches do not tend to work well in the enterprise’s or service provider’s VM-based environment, but often can be adapted to vShield.
“Virtualization and the cloud are breaking traditional security models,” Coza says. “Traditional security tools don’t scale in this environment” where there could be 50 VMs running on a single physical machine, and antivirus software for them “creates an A/V storm” that affects performance.
For instance, the use of hardware-based firewalls to carve out VLANs for islands of physical servers running virtual-machines is not an optimum approach to try to cordon off VMs, he says, as it just leads to firewall “ACL [access-control list] spaghetti” that ends up being unmanageable. “The Fortune 1000 companies want visibility and better controls and better compliance.”
Instead, VMware has been pushing for its VM-based customers to shift toward the vShield architecture for vSphere announced late last year. This offers ways to use built-in application firewalls through what’s known as vShield Zones, or to use vShield App, the hypervisor-based application-aware firewall for the virtual data center. Basically, vShield App uses application-aware firewalling installed on the vSphere host to control and monitor all network traffic on the host.
In this model, the role for third-party security software, such as anti-malware, also changes by removing the multiple agents that would run in the guest operating systems and instead “have a special kind of guest, a security virtual machine” that third-party software providers support through API libraries supplied by VMware, Coza says.
“This agentless approach is better protection,” Coza says.
Antivirus vendors, including McAfee and Trend Micro, have opted for this agentless approach, with Symantec expected out soon as well, according to Coza. He says the next stage of this vShield initiative at VMware will go beyond antivirus to “file-integrity monitoring and sensitive data discovery,” with VMware working with vendors specializing in those areas to support the vShield platform.
He also says the vShield approach for vSphere is the successor to what has been the VMsafe APIs for VMware’s older ESX platform, which has achieved some success in adopting third-party security products for scanning and intrusion protection in virtualization.
LogLogic, which provides a hardware appliance for collecting log data in order to help IT administrators gain a record to ensure compliance with security policies, says it also has a software version of its product for vShield and vCenter that can provide the IT administrator with reports related to data covered under the Payment Card Industry (PCI) guidelines.
“We can get hourly and daily PCI reports related to PCI stats off of virtualized hardware,” says Bill Roth, executive vice president at LogLogic.
By working under what Roth says is a joint technology arrangement with VMware, LogLogic ensured it goes down to a “bare-metal VMware” level to log everything possible. Coza says the partnership “allows customers to deploy PCI workloads” and have the ability to use “multi-tenant security capabilities in the hypervisor.”
But VMware’s aspirations to have vShield Manager become the manager of managers for VMware-based anti-malware, event logging, e-discovery and file integrity, among other security functions and configuration management, is still a work in progress. And it hasn’t yet won wide applause.
Some are skeptical, having seen many attempts at the manager of managers approach ultimately not prove successful.
“Years ago, HP OpenView was supposed to be the center of the universe for security. It never happened,” says Gartner analyst John Pescatore. Among others, Microsoft also tried it with systems management and McAfee with its ePolicy Orchestrator, each with varying success, he points out.
Pescatore says the approach VMware proposes with vShield would probably be more attractive with service providers than with enterprise customers. In any event, centralizing security controls in this manager of manager approach raises questions about the impact of mistakes that are made and reliability.
VMware’s Coza says the vShield approach is finding some traction at hundreds of companies, and at Los Alamos National Lab, as well as some of the cloud-service providers, including Terremark, Savvis and AT&T, which are either evaluating it or have already deployed vShield.