
Battle looms over securing virtualized systems

VMware's vSphere security works but has risks; Cisco, Check Point, others have their own virtual security plans

By , Network World
June 03, 2011 06:07 AM ET

Network World - There's growing consensus that traditional approaches to network security -- the firewall and intrusion-prevention appliances, the host-based antivirus software -- simply do not work well in virtualized environments for which they were never designed.

With virtualization becoming the foundation for corporate users and cloud service providers, many security vendors, including Check Point, McAfee, Trend Micro and Symantec, are adapting their products to maximize performance for the main virtualization platforms from VMware, Microsoft and Citrix. VMware, as the market leader, carries a lot of clout, and the security architecture now proposed by VMware, called vShield, could radically transform how security services will be delivered in the VMware vSphere environment.


But despite its advantages, some analysts are warning that vSphere carries risk.

VMware is ahead of Microsoft and Citrix in putting forward a security architecture aimed at maximizing functionality and performance for its virtual machine (VM) platform, says Gartner analyst Neil MacDonald. But unlike Citrix, which is pursuing something similar with a more open-source approach under the XenAccess initiative, he says VMware's strategy is totally proprietary and carries the risk of vendor lock-in.

"They don't want to make it easy for people to switch," says MacDonald about VMware and vShield. "It prevents the hypervisor from being commoditized. Any vendor wants you to stay with their platform, and VMware has very large market share."

"With the lock-in, you get these specialized functions," says MacDonald. But anyone adopting vShield, whether service provider or enterprise, for VM-based security "should do it with eyes wide open" by weighing the potential benefits and drawbacks, he advises.

In VMware's vShield, security services are delivered to VM-based applications through a specialized "security virtual machine" capable of introspection into VMs via an agentless approach that can be supported by third-party security vendors. However, Dean Coza, VMware's director of product management in security, acknowledges VMware is hand-picking the select group of vendors allowed to use the vShield APIs. And VMware is taking on the firewalling and management role through vShield products that are already out for vSphere.

Coza says physical firewalls don't work well in a VM environment and VMware is supplanting them with its own software-based firewalls, including vShield App, the hypervisor-based application-aware firewall for the virtual data center, and the built-in application firewalls called vShield Zones.

This is the foundation for what's known as "logical policy management" so it becomes possible to immediately apply firewall rules whenever a new VM drops in or is moved, says Coza, even with three-tier applications logically separated into virtual-machine containers.

In contrast, he says, a "Cisco PIX has 5,000 rules on it, you have to tread very carefully to transfer those rules; it can take two hours." Coza says one of the main problems is knowing where the workloads actually are in a virtualized environment when they can move around rapidly.
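The contrast Coza draws in the two paragraphs above, between rules tied to logical workload groups and a 5,000-line address-keyed rule set that has to be carried over by hand, can be shown in a few dozen lines. The following is an added illustration written for this page; it is not VMware's vShield code and does not model how vShield actually enforces policy. Rules are written against tiers (web, app, db), concrete address rules are derived from the VM inventory, and when a VM is moved and picks up a new address the derived policy follows it while a static snapshot silently stops matching. The VM names, hosts, addresses and the three tier rules are constructed sample data.

```python
"""Tier-keyed ("logical") firewall policy versus address-keyed rules.

Added illustration, not VMware's vShield implementation. Rules are written
against logical tiers; concrete (src_ip, dst_ip, port) rules are derived
from the VM inventory, so a moved VM is covered without editing rules.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    tier: str   # logical label assigned when the workload is provisioned
    host: str   # hypervisor the VM currently runs on
    ip: str     # address the VM currently holds (changes on a move in this model)


@dataclass(frozen=True)
class TierRule:
    src_tier: str
    dst_tier: str
    port: int
    action: str  # "allow" or "deny"; first match wins, default deny


IpRule = Tuple[str, str, int, str]  # (src_ip, dst_ip, port, action)


class LogicalPolicy:
    """Policy keyed on tiers; address rules are derived from inventory, never hand-edited."""

    def __init__(self, rules: List[TierRule]) -> None:
        self.rules = list(rules)
        self.inventory: Dict[str, VM] = {}

    def place(self, vm: VM) -> None:
        """Register a new VM, or re-register a moved one under its new host and address."""
        self.inventory[vm.name] = vm

    def _tier_of(self, ip: str) -> Optional[str]:
        for vm in self.inventory.values():
            if vm.ip == ip:
                return vm.tier
        return None  # address belongs to no known workload

    def decide(self, src_ip: str, dst_ip: str, port: int) -> str:
        src, dst = self._tier_of(src_ip), self._tier_of(dst_ip)
        if src is None or dst is None:
            return "deny"  # unknown workload: no tier, hence no rule
        for r in self.rules:
            if (r.src_tier, r.dst_tier, r.port) == (src, dst, port):
                return r.action
        return "deny"

    def render_ip_rules(self) -> List[IpRule]:
        """Expand tier rules into concrete address rules for the current inventory."""
        out: List[IpRule] = []
        for r in self.rules:
            for s in self.inventory.values():
                if s.tier != r.src_tier:
                    continue
                for d in self.inventory.values():
                    if d.tier == r.dst_tier:
                        out.append((s.ip, d.ip, r.port, r.action))
        return out


class StaticIpRuleset:
    """Address-keyed rules as loaded on a traditional appliance; they do not track moves."""

    def __init__(self, rules: List[IpRule]) -> None:
        self.rules = list(rules)

    def decide(self, src_ip: str, dst_ip: str, port: int) -> str:
        for s, d, p, a in self.rules:
            if (s, d, p) == (src_ip, dst_ip, port):
                return a
        return "deny"


def demo() -> Dict[str, str]:
    """Three-tier application; app1 is then moved to another host with a new address."""
    policy = LogicalPolicy([
        TierRule("web", "app", 8080, "allow"),
        TierRule("app", "db", 5432, "allow"),
        TierRule("web", "db", 5432, "deny"),  # web tier never reaches the database directly
    ])
    for vm in (VM("web1", "web", "esx-a", "10.0.1.10"),   # constructed sample inventory
               VM("app1", "app", "esx-a", "10.0.2.10"),
               VM("db1", "db", "esx-b", "10.0.3.10")):
        policy.place(vm)
    static = StaticIpRuleset(policy.render_ip_rules())  # one-time snapshot of derived rules

    result = {
        "web->app before move (logical)": policy.decide("10.0.1.10", "10.0.2.10", 8080),
        "web->app before move (static)": static.decide("10.0.1.10", "10.0.2.10", 8080),
        "web->db (logical)": policy.decide("10.0.1.10", "10.0.3.10", 5432),
    }
    # app1 is migrated to esx-b and comes up with a different address
    policy.place(VM("app1", "app", "esx-b", "10.0.2.55"))
    result["web->app after move (logical)"] = policy.decide("10.0.1.10", "10.0.2.55", 8080)
    result["web->app after move (static)"] = static.decide("10.0.1.10", "10.0.2.55", 8080)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The static ruleset denies the legitimate web-to-app flow after the move not because anyone changed policy but because the address it was keyed on is gone; an operator would have to find the moved workload and rewrite the rule, which is exactly the "where are the workloads" problem Coza describes. The logical policy needs only the updated inventory entry.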
