CANNES – On the first full day of VMworld Europe, VMware announced vShield Zones, designed to help VMware administrators comply with network security policies without having to resort to physical segmentation of their virtual machines.
VMware derives vShield Zones from its hush-hush acquisition of Blue Lane Technologies last year. Prior to the acquisition, Blue Lane sold the product as VirtualShield, an inline intrusion detection product.

The problem vShield Zones attempts to fix is the seeming disconnect between network security policies and virtualization, explained Bogomil Balkansky, VMware's vice president of product marketing.
For security purposes, most organizations establish network zones with different levels of trust, such as the Internet-facing "DMZ" (or demilitarized zone) and other areas that are "behind the firewall," Balkansky said. "But when you overlay virtualization on top of that model, it breaks," Balkansky said, "and you lose many of the efficiencies of virtualization, such as consolidation, better utilization and dynamic mobility." "It's a classic problem of overprovisioning," Balkansky said, adding that "it's not so much a technical problem as a compliance problem."

Now, with vShield Zones, virtual machines can be spread around on different physical ESX hosts while still preserving the network security policies of their associated zones.

According to Tom Becchetti, senior infrastructure engineer at a Fortune 1000 company, enterprise shops' practice of segmenting virtual machines onto physical hosts is very real. The security risks of mixing VMs with different network policies are probably minimal, but "is it really worth the argument with your security team? Sometimes it's easier to take the path of separate physical hosts so that everyone involved can have their level of comfort."
On Wednesday, VMware Senior Director of Engineering and former Blue Lane CEO Allwyn Sequeira will speak in depth about vShield Zones. According to the preview, he will provide an overview of the technology and discuss use cases, such as how to collapse an Internet-facing virtualized DMZ to meet Payment Card Industry (PCI) firewall standards for cardholder privacy and isolate multiple tenants in the cloud.
The vShield Zones administration will occur from the vCenter management console. Pricing and packaging have not been announced, and availability is set broadly for the 2009 calendar year.