VMsafe reactions: revolutionary, tantalizing, exciting, the right thing
More reactions about the VMsafe program introduced at Wednesday's VMworld Europe keynote. The reactions are good, especially considering most people haven't seen the actual technology yet. I think everyone is very conscious that opening up access to the hypervisor layer must be done very, very carefully -- but at the same time everyone seems to be hoping that this opens the door to innovative new functionality only possible through virtualization. Who will deliver the "VMotion" of virtual security?
Alessandro Perilli gives a good introduction. Link: virtualization.info: VMware announces VMsafe APIs.
While security products like antivirus will still have to install inside a dedicated VM, they will be able to monitor what's happening inside other virtual machines from a completely new perspective: the hypervisor level.
This will allow checking which traffic is entering or leaving a VM, or even which data is being executed inside it (looking at CPU states, memory pages and OS processes list). All done in a transparent way.
The revolutionary approach has two remarkable benefits: first of all, it saves precious physical resources and management efforts without duplicating the same security agent inside each guest OS; secondarily, it prevents the security agents from being directly attacked and possibly disabled.
Christofer Hoff likes what he sees so far. Link: Rational Survivability: VMware's VMsafe: The Good, the Bad, the Bubbly....
...it's a little early to opine on the extensibility of VMsafe, but I am encouraged by the fact that we will have some more tools in the arsenal, even if they are, in essence, re-branded versions of many that we already have.
However, engineering better isolation combined with brokered visibility and specific authorized/controlled access to the VMM is both a worthy endeavor that yields all sorts of opportunities, but given my original ramblings, makes me a bit nervous. ...
I am sure we will see more claims surface soon suggesting that technology such as this will produce virtualized environments that are "more secure" than their non-virtualized counterparts. The proof is in the pudding, as they say. At this point, what we have is a very tantalizing recipe.
John Peterson has seen the APIs, and he does like what he's seen. Link: Security In The Virtual World: VMSafe = A Safer More Secure VMWare Environment.
My educated guess, though, is that most security vendors will just be offering their existing security products that are in many cases physical firewalls, anti-virus, UTM, etc. The real value will be from solutions that bring unique value to the virtual environment vs. network designs that dictate routing traffic out of the Virtual Environment to a physical security appliance and back in. The other question is: will the software vendors just be installing their software on the operating systems of Virtual Machines vs. Physical Machines? ...
I've had the privilege of reading the API documents as the CTO of Montego Networks, which is also part of the VMSafe program that was just announced, and am very excited about the future possibilities of the program.
Pete Lindstrom compares VMsafe to the history of kernel access in Windows. Link: Spire Security Viewpoint: VMware vs. Vista - Hooking the Kernel.
This is a timely announcement that should serve its purpose of allowing some "authorized" access to kernel operations of the hypervisor.
I say "authorized" because this approach stands in stark contrast to the challenges Microsoft had when it implemented Kernel Patch Protection, which had an API to allow security products access to kernel operations, also in an "authorized" manner. (I would enjoy hearing about specific functional differences between Vista's KPP API and VMsafe).
Of course, the big difference is that it was essentially a time-honored custom to hook Microsoft's kernel in all sorts of unauthorized ways ...
So VMware is doing what is widely seen as "the right thing" out of the gate.
And let's give Alessandro the last word:
With VMsafe VMware has the unique chance to improve the efficiency and effectiveness of security products like never before. If the company will release the interface soon enough and its partners will execute properly, VMsafe alone will be a reason valid enough to adopt VMware Infrastructure.
