Virtual machine (VM) security still a work in progress
Catbird, Hytrust, TrendMicro and Dome9 all offer interesting approaches, but no one product does it all
Secondary approvals. As in Dome9, when a user wants to do something out of the ordinary, such as modify a VM or move it to a new hypervisor host, earlier Hytrust versions simply blocked the action. The software now incorporates an approval workflow: the user requests the action, and the Hytrust administrator approves or denies it from the control console.
Expanded two-factor authentication support. Hytrust pulls directory and user information directly from vCenter and Active Directory, and in the past worked with RSA's SecurID appliance and tokens. It has now added CA's AuthMinder service as a second two-factor provider.
Monitor-only mode. Earlier versions of Hytrust could either watch access traffic passively, before enforcement was switched on, or enforce their policies, with nothing in between. There is now a monitor mode that reports on traffic matching particular policies without blocking it, which is useful for crafting and debugging policies as your virtual infrastructure becomes more complex.
There are a few other new features, such as no longer requiring a public IP address on each hypervisor host, and the addition of Common Event Format (CEF) to the list of logging formats it supports, which makes its audit trail easier to feed into a SIEM.
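To make the three ideas above concrete, here is an added example (it is not Hytrust's code and is not from the original article) of a toy access-policy engine for virtualization-management operations. It has an enforce/monitor switch, a "require secondary approval" action alongside plain blocking, and it writes every policy hit as a CEF line. The event fields, policy names and the vendor/product strings are constructed assumptions; the CEF escaping follows the published ArcSight rules (backslash and pipe escaped in header fields, backslash, equals sign and line breaks escaped in extension values).

```python
"""Added example, not Hytrust code: a toy access-policy engine for
virtualization-management operations with an enforce/monitor switch that
writes every policy hit as an ArcSight CEF event. Event fields, policy names
and the vendor/product strings below are constructed assumptions."""
import re
from dataclasses import dataclass

CEF_VENDOR, CEF_PRODUCT, CEF_VERSION = "Example", "VMPolicy", "0.1"  # assumed


def _esc_header(s):
    # In CEF header fields, backslash and pipe must be escaped.
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s):
    # In extension values, backslash, '=' and line breaks must be escaped.
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(sig_id, name, severity, ext):
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|k=v ...'."""
    head = [CEF_VENDOR, CEF_PRODUCT, CEF_VERSION, sig_id, name, severity]
    header = "|".join(["CEF:0"] + [_esc_header(str(x)) for x in head])
    extension = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in ext.items())
    return f"{header}|{extension}"


def parse_cef(line):
    """Inverse of to_cef: split the seven header fields on unescaped '|',
    then decode the key=value extension. Returns (header_list, ext_dict)."""
    fields, cur, i = [], [], 0
    while len(fields) < 7 and i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1

    def unesc(v):
        return re.sub(r"\\(.)",
                      lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)

    pairs = re.findall(r"(\w+)=((?:\\.|[^\\])*?)(?= \w+=|$)", line[i:])
    return fields, {k: unesc(v) for k, v in pairs}


@dataclass
class Policy:
    sig_id: str
    name: str
    severity: int      # CEF severity, 0-10
    action: str        # "block", or "approval" for the secondary-approval workflow
    match: dict        # event field -> required value, or a set of accepted values

    def matches(self, event):
        for key, want in self.match.items():
            accepted = want if isinstance(want, (set, frozenset)) else {want}
            if event.get(key) not in accepted:
                return False
        return True


POLICIES = [  # constructed sample policies
    Policy("1001", "Reconfigure of PCI-tagged VM", 7, "approval",
           {"op": "vm.reconfigure", "tag": "pci"}),
    Policy("1002", "Migration to lab host", 9, "block",
           {"op": "vm.migrate", "dst_host": {"esx-lab-01", "esx-lab-02"}}),
]

EVENTS = [  # constructed vCenter-style operations
    {"user": "alice", "op": "vm.reconfigure", "vm": "db01", "tag": "pci"},
    {"user": "bob", "op": "vm.migrate", "vm": "web02", "dst_host": "esx-lab-01"},
    {"user": "carol", "op": "vm.poweron", "vm": "web03"},
]


def evaluate(event, policies, mode="enforce"):
    """Return (decision, cef_line). In 'monitor' mode a hit is still logged,
    with the action the policy *would* have taken, but the decision is 'allow',
    so rules can be debugged against live traffic before they bite."""
    hits = [p for p in policies if p.matches(event)]
    if not hits:
        return "allow", None
    top = max(hits, key=lambda p: p.severity)  # most severe hit wins
    decision = top.action if mode == "enforce" else "allow"
    ext = {"suser": event.get("user", "?"), "act": decision,
           "cs1Label": "mode", "cs1": mode,
           "cs2Label": "policyAction", "cs2": top.action,
           "msg": f"{event.get('op')} {event.get('vm')}"}
    return decision, to_cef(top.sig_id, top.name, top.severity, ext)


def decisions(mode):
    return [evaluate(e, POLICIES, mode)[0] for e in EVENTS]


if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        for e in EVENTS:
            decision, line = evaluate(e, POLICIES, mode)
            print(f"[{mode}] {decision:8s} {line or '(no policy hit)'}")
```

Run it once in monitor mode and once in enforce mode: the same two policy hits appear in the CEF output both times, but only in enforce mode does the decision change from allow to block or approval. The custom-string fields (cs1/cs2 with their labels) are standard CEF extension keys, so a SIEM can filter on "mode=monitor" to see what a new rule would have done before it is switched on.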
Hytrust costs $63,750 for 20 ESX CPU sockets, which the vendor claims should handle up to 250 VMs.
Trend Micro Deep Security
Deep Security comes in two packages, SaaS or on-premises. The latter has a few additional features, such as a demo mode that sends out sample data to demonstrate its protective abilities.
Trend has beefed up its product in several ways. First is support for hybrid clouds: VMs running on VMware's vCloud alongside VMs running on AWS. That means it now works in private and hybrid cloud deployments as well as with a stack of on-premises VMs, as it did before.
Second, it has protective policies in six broad areas: in addition to its existing firewall and anti-malware protection, Deep Security now includes web reputation management, intrusion prevention, file-system integrity monitoring and log inspection. There are hundreds of rules available in each area; you can quickly set up protective policies and apply them to particular VMs with a few mouse clicks, or drill down and get very specific about what you are trying to protect. You can clone policies from the default rule set, which includes rules such as allowing SSH access while denying remote access to MySQL across the firewall.
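The clone-and-specialize workflow described above is worth seeing as code, because rule order is where such policies usually go wrong. The following is an added example, not Trend Micro's code or configuration format: a toy per-VM firewall model in which a base rule set (SSH allowed, remote MySQL denied) is cloned for a database tier and opened to one application subnet. Rule fields, VM names and addresses are constructed for illustration.

```python
"""Added example, not Trend Micro code: a toy per-VM firewall policy model in
which a default rule set is cloned and tightened for one VM, then evaluated
with first-match semantics and an implicit deny. Rule fields, VM names and
addresses are constructed for illustration."""
import copy
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    port: Optional[int] = None  # destination port; None matches any port
    src: str = "0.0.0.0/0"      # source network in CIDR notation

    def matches(self, proto, dport, src_ip):
        return ((self.proto == "any" or self.proto == proto)
                and (self.port is None or self.port == dport)
                and ip_address(src_ip) in ip_network(self.src))


@dataclass
class Policy:
    name: str
    rules: list = field(default_factory=list)

    def clone(self, name):
        """Deep-copy the rule list so per-VM edits never leak into the base."""
        return Policy(name, copy.deepcopy(self.rules))

    def evaluate(self, proto, dport, src_ip):
        """First matching rule wins; traffic no rule matches is denied."""
        for rule in self.rules:
            if rule.matches(proto, dport, src_ip):
                return rule.action, rule.name
        return "deny", "implicit-deny"


# Constructed base rule set of the kind the text describes: SSH in, no
# remote MySQL.
BASE = Policy("Base Policy", [
    Rule("allow-ssh", "allow", "tcp", 22),
    Rule("deny-mysql-remote", "deny", "tcp", 3306),
])


def build_policies():
    """Clone the base for the database tier and open MySQL to the app subnet
    only. The new rule goes *before* the inherited deny: with first-match
    evaluation, appending it after the deny would make it dead."""
    db = BASE.clone("DB Tier")
    db.rules.insert(0, Rule("allow-mysql-from-app", "allow", "tcp", 3306,
                            "10.1.2.0/24"))
    return {"web01": BASE, "db01": db}


def check(vm, proto, dport, src_ip, policies=None):
    """Look up the VM's policy and return (action, matched_rule_name)."""
    policies = policies or build_policies()
    return policies[vm].evaluate(proto, dport, src_ip)


if __name__ == "__main__":
    for args in [("web01", "tcp", 22, "203.0.113.5"),
                 ("web01", "tcp", 3306, "10.1.2.7"),
                 ("db01", "tcp", 3306, "10.1.2.7"),
                 ("db01", "tcp", 3306, "203.0.113.5"),
                 ("db01", "udp", 53, "10.1.2.7")]:
        print(args, "->", check(*args))
```

Two points the model makes explicit: the clone is a deep copy, so tightening the database tier's policy cannot quietly change what the web tier inherits, and the more specific allow must be inserted ahead of the broader deny, since a first-match engine never reaches a rule that sits below one that already matched.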
Deep Security's biggest weakness is that it is oriented around individual VMs and groups of VMs: it lacks the view of the virtual network and hypervisor infrastructure that Catbird and Hytrust have, and treats each VM as an independent entity.
Unlike Catbird, it supports different roles, so the security administrator can have different access from the database services manager, for example. You start by importing your users from Active Directory. This is a fairly substantial part of the product, with screens to set up very granular access policies and restrict Deep Security users on any number of fronts. For example, you can set up firewall admins who have only read-only access to system areas but full access to the firewall rules and policies sections. You can also create custom roles on the fly as you add users.
Deep Security’s dashboard, which was always a thing of beauty, has been significantly expanded and just about every chart or item is hotlinked so you can drill down and get more details. You can arrange the widgets to your liking as well.
Deep Security supports 18 report types, including user reports, per-security-module reports and event reports. Each can be scheduled hourly, daily or weekly with custom filtering options, and delivered by email in PDF or RTF format.
Deep Security costs $150 per VM.
Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at strominator.com and you can follow him on Twitter @dstrom. He lives in St. Louis.
Copyright © 2014 IDG Communications, Inc.