A major VMware security initiative announced more than six months ago has still not resulted in any new products, but VMware and partners this week are demonstrating several prototypes of technology that will better secure virtual machines.
VMware publicly revealed plans in February for VMsafe, a set of APIs that will give security vendors more direct control over the hypervisor, allowing them to catch viruses, Trojans and keyloggers before they do any real damage.
VMsafe development is far enough along to build some “pretty effective” security products, and the APIs are being built into VMware’s hypervisor, says Nand Mulchandani, VMware senior director of security products and marketing. But VMsafe won’t be publicly available until the shipment of VMware Infrastructure 4.0, the next version of VMware’s virtualization software, and it’s not clear when that will occur, Mulchandani said during an interview at VMworld in Las Vegas Tuesday.
“The APIs are built into the hypervisor and will ship concurrently with the next release,” Mulchandani said.
No third-party security vendor can release VMsafe-related products available until then. But Symantec, Check Point, Trend Micro, and IBM’s Internet Security Systems (ISS) division are among those demonstrating prototypes this week, he said.
Symantec is demonstrating a rootkit detector that utilizes VMsafe. Today’s intelligent malware is able to replace drivers and masquerade as part of the operating system, making them very hard to detect, Mulchandani said. Symantec’s prototype allows a thorough security scan at the moment a virtual machine boots up or restarts, so it’s able to intercept rootkits before they are encrypted and before the malware has been executed.
Check Point, meanwhile, is demonstrating a VMsafe-enabled network firewall, bringing granular firewall capabilities down to the level of individual virtual machines, a capability Mulchandani called “really revolutionary.”
“The integrated firewall protects traffic and provides access control between virtual machines on the same subnet, eliminating the threat of a compromised virtual machine gaining access to other virtual machines on the same subnet,” Check Point states.
VMware’s goal is to provide “infinite flexibility” for deploying firewalls to any virtual machine, and enabling the firewall to move with the virtual machine even when it’s transferred from one physical server to another, Mulchandani said.
Also this week, IBM ISS is demonstrating a firewall, and Trend Micro is demonstrating an offline virus scanning product that could potentially be put on the market even before VMsafe is ready, Mulchandani said. The Trend Micro technology allows customers to do a complete virus scan of virtual machines even when they are powered down, he said. This particular capability can be accomplished without the VMsafe portion of the hypervisor and so could be available before VMsafe itself.
But many security features can’t be implemented without VMsafe, Mulchandani explained. One of the VMsafe APIs allows a third-party security product to see inside virtual machines, and manipulate malicious code before it executes. A second API provides more flexibility in deploying firewalls to virtual machines, and a third allows security products to modify virtual machine disk files on storage devices.
VMware has been working on the APIs for two years, and decided to announce them before they were ready to give security partners time to build products and have them be available when VMsafe is eventually released, Mulchandani said.
“We’re pretty much at the point where we feel the products they’ll be able to build out with these [APIs] are pretty effective,” he said. “We call this better than physical. Stuff they’ll be able to do on VMsafe they won’t be able to do on a physical machine.”