> > VMsafe


Posted on Thursday, June 18, 2009 | No Comments

Is VMsafe the same as vShield?

I have been getting this question a bit since my last post on VMware vShield Zones . It is a question that people really should be asking because there is confusion between the two technologies that needs to be cleared up.

vShield Zones is a product that is released and uses the existing network switching techniques in vSwitches to intercept, monitor and control Layer 2/3 networking traffic. It only does networking. It happens to be part of vSphere licensing wise and it was released after vSphere was released.

VMsafe is a new technology or function inside vShere. It allows a 3rd part to build a solution, based on a virtual machine, which can inspect the memory, CPU, Networking, Storage and process execution of a virtual machine.

Here is how VMware explain the different elements.

  • Memory and CPU. VMsafe provides introspection of virtual machine memory pages and CPU states.
  • Networking. VMsafe enables filtering of network packets inside hypervisors,,as well as within the security virtual machine itself.
  • Process execution. VMsafe provided in-guest, in-process APIs that enable complete monitoring and control of process execution.
  • Storage. Guest virtual machine disk files can be mounted, manipulated and modified as they persist on storage devices.
Here is a picture that trys to represent what its doing.

I think Aaron Bawcom, VP of Engineering at Reflex Systems sums up VMsafe nicely when he writes
VMsafe is a low level enforcement API that allows developers to intercept and inspect memory, CPU, and network traffic for a virtual machine without requiring an agent to run inside the virtual machine itself. VMsafe allows a small kernel module to run inside the ESX hypervisor which intercepts traffic between the virtual
network interface of a VM and the virtual switch. This capability offers an entirely new dimension to enterprise security. VMsafe will enable a whole new type of enterprise security that has been impractical to achieve until now. VMsafe will also allow an entire class of new security applications for the virtual environment by allowing organizations to specify granular security policy down to the virtual network interface of a virtual machine.
Whitepaper : New Directions in Virtualization Security: How Segmentation Can Strengthen Your Security Posture

VMsafe enables a lot and I don't think we will see one vendor do the whole stack, although some may try. A network security vendor may just use VMsafe as a better way to get at the networking flow of a VM (compared to the hoopes that vShield has to go through). Another vendor may simply use it to scan the disks of VMs regardless of their power state to search for viruses or do data mining. An anti-virus vendor may use VMsafe to watch the CPU execution, outside of the VM.

So things to remember.
  • VMshield does not equal VMsafe
  • VMshield could one day use VMsafe to do its functions a different way
  • VMsafe as a technology is not released yet
  • A 3rd party product will be required that uses the VMsafe technology to actually do something
Hope that helps.


Leave a Reply

Powered by Blogger.