VMsafe – What is happening?
Since the introduction of VMware vSphere 4.0 a new API has been available to the security world, known as VMsafe. It gives security vendors an interface inside the virtualization stack on which they can build security solutions such as firewalls, virus scanners and intrusion detection systems. Unlike the physical world, this allows a security product to be fully isolated from the environment it is protecting (it runs in the hypervisor or in a separate virtual machine, not inside the guest it inspects, so malware in the guest cannot simply disable it) while still having complete visibility into that environment.
So what is happening with all the VMsafe stuff? I personally was hoping for many releases during VMworld in San Francisco, but this did not happen.

Some background on the VMsafe program: security vendors have several ways to build security solutions on top of VMware. What is new with VMsafe is that a vendor can build a module that sits inside the VMkernel and inspects virtual machines from there; this is called fast-path. Besides fast-path there is a slow-path option, which is a virtual machine approach: the security product runs inside its own virtual machine (a security virtual appliance) and is notified of, or receives copies of, the activity (network traffic, for example) of the other virtual machines. Separate from the fast-path/slow-path concept there is the VMware VDDK (Virtual Disk Development Kit), which is often presented as part of the VMsafe initiative but has been available for longer. The VDDK is a disk API that lets another program access a virtual machine's hard disk in the same way that VMware Consolidated Backup does. It does not matter whether the VM is powered on or off: the disk (or a snapshot of it) can simply be mounted as an extra disk on another virtual machine that, for instance, runs a virus scanner. The clear downside of the VDDK is that nothing is realtime: the scanner sees the disk as it was when the snapshot was taken, and anything that only lives in guest memory is invisible to it.
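To make the VDDK-style offline approach concrete, here is an added example (my own illustration, not VMware's, Trend Micro's or any vendor's code, and not the VDDK API itself). It treats a raw disk image the way an out-of-guest scanner sees a virtual disk it has been handed: it parses the MBR partition table, then reads each partition's sectors in fixed-size chunks and searches them for a byte signature (the EICAR test string), carrying an overlap between reads so a signature that straddles a read boundary is still found exactly once. The disk image, its single partition and the planted signature are all constructed inside the script; real products parse the guest filesystem rather than scanning raw bytes, which this example deliberately skips. The realtime caveat also shows here: whatever the guest writes after the snapshot the scanner was given is simply not in the bytes it reads.

```python
"""Offline disk scan in the VDDK/VCB style: read a virtual disk's sectors from
outside the guest, find partitions from the MBR, and search them for a byte
signature.  Added illustration, not VDDK code; the image is constructed here."""
import struct

SECTOR = 512
# The 68-byte EICAR anti-virus test string, used as a harmless signature.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def parse_mbr(image: bytes):
    """Return (index, type, first_lba, sector_count) for each used MBR entry."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        entry = 446 + 16 * i
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA(4) count(4)
        ptype, lba, count = struct.unpack_from("<4xB3xII", image, entry)
        if ptype != 0 and count != 0:
            parts.append((i, ptype, lba, count))
    return parts


def scan_range(image: bytes, first_lba: int, count: int, sig: bytes,
               chunk_sectors: int = 8):
    """Scan sectors [first_lba, first_lba + count) in fixed-size reads and return
    the absolute byte offsets where sig occurs.  The last len(sig)-1 bytes of each
    read are kept and prepended to the next one, so a signature that straddles a
    read boundary is still matched, and matched only once (the carry is shorter
    than the signature, so it can never contain a complete match by itself)."""
    hits = []
    carry = b""
    pos = first_lba * SECTOR
    end = min(len(image), (first_lba + count) * SECTOR)
    while pos < end:
        chunk = image[pos:min(end, pos + chunk_sectors * SECTOR)]
        data = carry + chunk
        base = pos - len(carry)          # image offset of data[0]
        idx = data.find(sig)
        while idx != -1:
            hits.append(base + idx)
            idx = data.find(sig, idx + 1)
        carry = data[-(len(sig) - 1):] if len(sig) > 1 else b""
        pos += len(chunk)
    return hits


def scan_image(image: bytes, sig: bytes = EICAR):
    """Map partition index -> offsets of sig inside that partition."""
    return {i: scan_range(image, lba, count, sig)
            for i, _ptype, lba, count in parse_mbr(image)}


def build_image(total_sectors: int = 64) -> bytes:
    """Constructed 32 KiB disk: an MBR with one partition (type 0x83) starting at
    LBA 2, and the EICAR string planted so it crosses the boundary between the
    scanner's first and second 8-sector reads."""
    img = bytearray(total_sectors * SECTOR)
    struct.pack_into("<B3xB3xII", img, 446, 0x80, 0x83, 2, total_sectors - 2)
    img[510:512] = b"\x55\xaa"
    boundary = (2 + 8) * SECTOR          # first read from LBA 2 ends here
    off = boundary - 20                  # 20 bytes before it, 48 after
    img[off:off + len(EICAR)] = EICAR
    return bytes(img)


if __name__ == "__main__":
    disk = build_image()
    print("partitions:", parse_mbr(disk))
    print("signature offsets:", scan_image(disk))
```

Running it reports one partition and a single hit at byte offset 5100, the planted position; dropping the carry logic would miss it, because neither 8-sector read contains the whole string.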
So with that in mind, here is a status update of what I know to date (please feel free to correct me and add information).
Altor Networks, almost a neighbor of VMware in California, was founded in 2007 by security and networking experts from Check Point Software, Cisco and Oracle, and released their Altor VF 3.0 product at VMworld. Well, almost: the product is finished and has been submitted to VMware for certification (a requirement of the VMsafe program, intended to ensure the stability of the ESX server, since a fast-path module runs inside the VMkernel and a fault there affects the whole host). Altor uses the VMsafe fast-path API to build their firewall, claiming much higher throughput because of it. Besides being a firewall it will also be able to segment virtual machines without changes to your network layout, and to do intrusion detection. The product will work with the distributed switch and with the Cisco Nexus 1000V virtual switch.
Reflex Systems is, like Altor Networks, a company focused on security for the virtualized datacenter. They have a product called VMC (Virtualization Management Center) that offers security for VMware, Citrix and Microsoft. A new component in this product is vTrust, their VMsafe-based component. vTrust provides dynamic policy enforcement and management, virtual segmentation, virtual quarantine and virtual networking policies. It is unclear whether this is done with fast-path or slow-path, but their website states that it works at the VMkernel level, so I would assume they are using fast-path. I am not clear whether this vTrust component has already been released; the software manual on their site does not mention this component yet, so I guess it still needs to be released (or the manual on their site needs to be updated).
Trend Micro, a broader security company, is developing two solutions based on the VMsafe program. The upcoming product (within two months or so), called Deep Security, will use the VMsafe slow-path (based on a virtual appliance) to do network security such as firewalling and intrusion detection. The product they have on the market today is called 'Core Protection for Virtual Machines', which uses the VDDK API to do offline virus scanning of both powered-on and powered-off virtual machines (offline in the sense described above: it scans the disk from outside the guest, not in realtime).
More security companies to follow in next article…
This entry was posted by Richard Garsthagen on September 14, 2009 at 1:50 pm, and is filed under Security.