VMware Discusses vShield Zones and Secure Multi-Tenancy

The Virtualization Security Podcast on 8/5 was all about VMware vShield Zones and how the current beta version will provide defense in depth, be a lever to achieve Secure Multi-Tenancy, and affect the virtualization security ecosystem. Dean Coza, Director of Product Management for Security Products at VMware, joined us to discuss the vShield Zones Beta, which consists of three named parts plus a fourth, as yet unnamed, part that was hinted at and that we shall see more about at VMworld. vShield Zones consists of

  • vShield Zones Edge
  • vShield Zones Application
  • vShield Zones API
  • Something else without a name…


vShield Zones Edge
vShield Zones Edge improves the current virtual appliance based firewall to provide edge protection. In other words, it is no longer designed just for zone-to-zone protections, but contains the functionality required to use the appliance on the edge of your networks. It includes the following technologies and many more not discussed.

  • Network Address Translation
  • Port Redirection
  • Better integration with vCenter
  • It is a Virtual Appliance non-VMsafe firewall

The reason vShield Edge is not a VMsafe firewall is due to the fact that it does NAT and Port Redirection, two very difficult things to do using VMsafe as we have discussed previously.
vShield Zones App
vShield Zones App provides application-level and zone-to-zone protection from outside the virtual machine. Can we assume this is using VMsafe? I am not sure, as Dean did not mention VMsafe by name, which prompted one of the listeners to mention that he had heard VMsafe was disappearing.
VMware’s stance is that this is a rumor with nothing to do with reality. My thoughts, which I also mentioned in chat, are that VMsafe will be changing and that the new vShield Zones API may play a larger part in the future of VMware’s VMsafe program. This also leads me to believe that vShield Zones App is VMsafe related.
vShield Zones API
Not spoken about much on the podcast is the fact that vShield Zones now has a robust API for controlling the virtual firewalls programmatically. This has been a large issue with VMsafe-based appliances: there was no centralized API that third parties outside the VMsafe program could make use of. Now they seem to have an API they can use. How robust this API is remains up in the air.
Something Else…
Dean hinted that more will be forthcoming at VMworld about vShield Zones functionality and that not everything is currently in public beta. We need to keep this in mind, vShield Zones is growing in functionality.
Secure Multi-Tenancy (SMT)
VMware feels that the new version of vShield Zones will offer the ability to present a secure multi-tenant solution. Questions from our panelists about log files, management, and auditing show that we are still taking baby steps. If you use a different vShield Edge for EACH tenant, then you may achieve SMT for the networking aspect of the problem, but only that aspect. If you do not, then log files are commingled and you need additional code within your log analysis server to split them out by tenant and present them in some coherent way.
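To make the commingled-log problem concrete, here is an added example of the kind of "additional code" a log analysis server would need when a single vShield Edge is shared by several tenants. This is illustrative code written for this post, not VMware's or any vendor's; the log line format, the subnets, and the tenant names are all constructed assumptions, since the real vShield Zones log format was not covered on the podcast. The point it shows is that tenant attribution is a lookup you have to maintain yourself, and that some lines will not attribute cleanly (unparseable lines, traffic that touches no tenant network, and traffic that touches two tenants at once), so the splitter has to account for those buckets rather than silently dropping them.

```python
"""Split a shared firewall log into per-tenant streams.

Added example for this post (not VMware code). The log format and the
tenant-to-subnet mapping below are constructed for illustration; a real
deployment would replace them with the actual vShield Zones log format
and the tenant inventory kept by the cloud provider.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: each tenant's VMs sit in their own address range behind the
# shared edge, so an address tells us which tenant a flow belongs to.
TENANT_NETWORKS = {
    "tenant-a": [ipaddress.ip_network("10.10.0.0/16")],
    "tenant-b": [ipaddress.ip_network("10.20.0.0/16")],
}

# Constructed log format (hypothetical, not the real vShield format):
#   <timestamp> <ALLOW|DROP> src=<ip>:<port> dst=<ip>:<port> proto=<name>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample lines covering the cases a splitter must handle.
SAMPLE_LOG = [
    "2009-08-05T10:00:01Z ALLOW src=10.10.1.5:51000 dst=192.0.2.10:443 proto=tcp",
    "2009-08-05T10:00:02Z DROP src=198.51.100.7:4444 dst=10.20.3.9:22 proto=tcp",
    "2009-08-05T10:00:03Z ALLOW src=10.10.2.8:40000 dst=10.20.0.4:80 proto=tcp",
    "2009-08-05T10:00:04Z DROP src=203.0.113.5:1 dst=192.0.2.1:1 proto=icmp",
    "this line is not in the expected format",
]


def tenant_for(ip):
    """Return the tenant owning this address, or None if no tenant does."""
    addr = ipaddress.ip_address(ip)
    for tenant, nets in TENANT_NETWORKS.items():
        if any(addr in net for net in nets):
            return tenant
    return None


def attribute(line):
    """Classify one log line.

    Returns (bucket, record) where bucket is a tenant name or one of the
    special buckets 'unparsed', 'unattributed' or 'cross-tenant'.
    """
    match = LOG_RE.match(line)
    if not match:
        return "unparsed", None
    rec = match.groupdict()
    tenants = {t for t in (tenant_for(rec["src"]), tenant_for(rec["dst"])) if t}
    if not tenants:
        # Neither endpoint is a tenant address (e.g. management traffic).
        return "unattributed", rec
    if len(tenants) > 1:
        # Traffic between two tenants through a shared edge: in a proper
        # multi-tenant design this should not happen, so it goes to its
        # own bucket for review instead of into either tenant's stream.
        return "cross-tenant", rec
    return tenants.pop(), rec


def split_by_tenant(lines):
    """Group raw log lines into per-tenant (and special) buckets."""
    buckets = defaultdict(list)
    for line in lines:
        bucket, rec = attribute(line)
        buckets[bucket].append(rec if rec is not None else line)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, entries in sorted(split_by_tenant(SAMPLE_LOG).items()):
        print(f"{bucket}: {len(entries)} line(s)")
```

One caveat that follows from the Edge feature list above: because vShield Edge performs NAT, a log line written after translation would show the edge's outside address instead of the tenant VM's address, and the lookup in tenant_for would fail. Whatever the real log format turns out to be, the splitter needs the pre-translation address, or a field identifying the tenant's interface, to attribute the flow correctly.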
As for control of vShield Zones it is either via the API we discussed or via the vCenter Server and at the moment there is no cloud portal that integrates these together. Perhaps one will be announced at VMworld.
Even so, this does not cover the case where the cloud administrator can STILL see and manipulate all the data within the vSphere hosts without the tenant knowing about it. Auditing will tell you when things may have changed, but it leads to a reactive security model where you are closing the barn door after the horse has fled. Is there continuous monitoring capability? That is still to be seen. I imagine enVision from RSA may play a role in this.
What is the impact on the ecosystem?
We also looked at the impact of vShield Zones on the ecosystem, and the answers were varied, but they pointed to there still being a need for education on the benefits of virtual firewalls and all their add-on features.
The competition is based on C-levels believing that there is one product they can buy to achieve all their virtualization security. There is not. vShield Zones is just one of many products that could be purchased to produce End-to-End Virtualization Security. No one product currently can provide every aspect of SMT and virtualization security.