VMware recently previewed three new security features that may prove especially compelling for large shops with complex security requirements.
Two of the features, vShield Edge and vShield App, strive to reduce "firewall choke points" and "VLAN sprawl" and to identify mobile virtual machines' level of security, according to Rob Randell, a VMware security specialist systems engineer. The goal of these features is to eliminate the burdens associated with identifying and addressing security concerns in a dispersed virtual environment.
The first two features went into public beta on July 15 and were previewed at the New England regional VMware User Group (VMUG) meeting in Brunswick, Maine last week. A third feature, the concept for "near-agentless antivirus" protection of virtual machines, was also demoed. (More information
The new vShield Edge feature is designed to augment the existing capabilities of VMware's vShield Zones, which introduced the concept of a virtual firewall.
But vShield Zones are intended to serve as firewalls on internal networks rather than at the "edge" of a virtual data center. While not intended to replace firewall hardware at the physical edge, vShield Edge 1.0 -- by supporting routing and leveraging VMsafe's application programming interfaces (APIs) -- will introduce the routing virtual firewall, Randell said.
This means vShield Edge could be used to more securely containerize virtual data centers among business units in a large enterprise, or among customers of a cloud service provider. The changes in vShield Edge are also part of ongoing work to extend the Layer 2 domain for workload federation and portability to the cloud. Meanwhile, the support for VMsafe APIs will allow logical zoning down to the virtual network interface card (vNIC) level, according to Randell's presentation.
The vShield Edge approach could help avoid "VLAN sprawl" while retaining isolation of applications, and VMUG attendees said that they could envision eliminating physically separate clusters for apps that fall under regulatory audits using this feature. But that remains a possibility rather than a certainty. When questioned by attendees about how such an approach would go over with auditors, Randell said VMware should have "more specific guidance" later this year.
vShield App offers cross-host isolation and container-based rules at the application level according to user-defined security zones (e.g., applications contained in the group "Web Servers"). It could then be specified that Web Servers can't communicate with certain other machines, such as those regulated by PCI, or that they must go through a certain port to reach more sensitive applications.
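As an added illustration (not VMware's own code or API), the following Python model shows what group-keyed rules of the kind the article describes look like when evaluated: a constructed policy denies "Web Servers" any traffic to "PCI" systems, allows them to reach "Sensitive Apps" only on port 443, and, because the rules are keyed to group membership rather than to a host or VLAN, yields the same decision after the VM moves to another host.

```python
"""Toy model of zone-based inter-VM rules (illustrative; not the vShield API)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class VM:
    name: str
    host: str                       # hypervisor host the VM currently runs on
    groups: Set[str] = field(default_factory=set)  # security-zone membership


@dataclass
class Rule:
    src_group: str
    dst_group: str
    action: str                     # "allow" or "deny"
    ports: Optional[frozenset] = None  # None means any destination port


# Constructed sample policy mirroring the article's example.
# Ordering matters: the first matching rule wins.
POLICY: List[Rule] = [
    Rule("Web Servers", "PCI", "deny"),
    Rule("Web Servers", "Sensitive Apps", "allow", frozenset({443})),
    Rule("Web Servers", "Sensitive Apps", "deny"),
]


def evaluate(src: VM, dst: VM, port: int, policy: List[Rule] = POLICY) -> str:
    """Return 'allow' or 'deny' for a flow src -> dst:port; default deny."""
    for rule in policy:
        if rule.src_group in src.groups and rule.dst_group in dst.groups:
            if rule.ports is None or port in rule.ports:
                return rule.action
    return "deny"


def migrate(vm: VM, new_host: str) -> VM:
    """A live migration changes only the host; group membership travels with the VM."""
    return VM(vm.name, new_host, set(vm.groups))


def decision_before_and_after_migration(src: VM, dst: VM, port: int, new_host: str):
    """Show that the policy decision does not depend on where the VM runs."""
    before = evaluate(src, dst, port)
    after = evaluate(migrate(src, new_host), dst, port)
    return before, after
```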
This would also be an alternative to creating a separate "Web Server" VLAN, further alleviating VLAN sprawl. REST-based client APIs will also be available for third-party enforcement tools. Rules follow migrating virtual machines, through the use of flow monitoring that analyzes inter-VM traffic, according to the beta website.
Near-agentless antivirus
Another feature that drew attendees' attention was a preview of a "near-agentless antivirus" feature, which is also due out in the second half of this year. Randell said that VMware partner Trend Micro had already demoed its version of the approach to antivirus scanning at the RSA Security conference this year, and that more demos will be available at VMworld 2010.
Currently, many antivirus programs running on virtual machines require an application agent within each guest, a holdover from the physical world. The presence of these agents can slow performance, particularly when scheduled activities kick off on several guests simultaneously, which is known as an "AV storm."
With the near-agentless approach, VMware would introduce a VMware Consolidated Backup-like proxy virtual appliance to centralize antivirus services, including on-access and on-demand file scanning, away from production clusters. Antivirus programs also typically scan only portions of files for virus activity, and VMware has developed a method for sending only portions of these files over the wire to the virtual appliance to cut down on network bottlenecks. What had been a separate software agent running in each guest will now become a lighter-weight driver within the VMware kernel.
Currently, Trend Micro is the only partner that supports the near-agentless approach. Several attendees asked Randell whether McAfee had a near-agentless integration in the works. Randell indicated that VMware is in talks with both McAfee Inc. and Symantec Corp. but advised users, "If you're a McAfee or Symantec customer, hammer them [to support this]."
Users ponder vShield App, vShield Edge
For some users, the most exciting security feature is this approach to antivirus. "Not to have to pay for a license for every single one of my servers and to get rid of the additional overhead would be pretty impressive," said Brad Blake, Boston Medical Center's CTO.
Blake said he hadn't yet looked into the new vShield products but was intrigued, given the large number of security policies and regulations his organization has to follow, and the difficulty of balancing ease of access with security requirements. "We don't have the ability today, for example, to really segment off systems because our users need access to our data center VLANs in order to run some applications. It seems like this would potentially allow us to put up those security gates, but not doing it in the traditional manner of having to separate out VLANs and firewalls and all of the overhead that has to be managed with that."
VMUG attendee Eric Wallace, systems administrator at a 75-employee financial services firm in the Northeast, noted that the features require an Enterprise Plus license, which is too rich for his organization's blood. But Wallace said that previously he'd worked for larger organizations, including L.L. Bean, where "it was a real challenge figuring out how to tear up the network. I can see how in a big environment it would be very helpful to look at all the security settings in one place."
Beth Pariseau is a Senior News Writer for SearchServerVirtualization.com. Write to her at firstname.lastname@example.org.