VMware derives vShield Zones
For security purposes, most organizations establish network zones with different levels of trust, such as the Internet-facing "DMZ" (or demilitarized zone) and other areas that are "behind the firewall," Balkansky said. "But when you overlay virtualization on top of that model, it breaks," Balkansky said, "and you lose many of the efficiencies of virtualization, such as consolidation, better utilization and dynamic mobility."
"It's a classic problem of overprovisioning," Balkansky said, adding that "it's not so much a technical problem as a compliance problem." Now, with vShield Zones, virtual machines can be spread around on different physical ESX hosts while still preserving the network security policies of their associated zones.
According to Tom Becchetti, senior infrastructure engineer at a Fortune 1000 company, enterprise shops' practice of segmenting virtual machines onto physical hosts is very real. The security risks of mixing VMs with different network policies are probably minimal, but "is it really worth the argument with your security team? Sometimes it's easier to take the path of separate physical hosts so that everyone involved can have their level of comfort."
On Wednesday, VMware Senior Director of Engineering and former Blue Lane CEO Allwyn Sequeira will speak in depth about vShield Zones. According to the preview, he will provide an overview of the technology and discuss use cases, such as how to collapse an Internet-facing virtualized DMZ to meet Payment Card Industry (PCI) firewall standards for cardholder privacy and isolate multiple tenants in the cloud.
vShield Zones will be administered from the vCenter management console. Pricing and packaging have not been announced, and availability is set broadly for the 2009 calendar year.