Author Archives: Warren Wu

VMware vShield Zones 1.0 is generally available

With the general availability of VMware vSphere 4 a few weeks ago, I just wanted to highlight for the security community that VMware vShield Zones is also part of that release and now generally available!

Zones is a new product for VMware and one of the newest members of the vSphere 4 product family, based on technology from our acquisition of Blue Lane Technologies. We had a lot of interest from customers around vShield Zones and had over 200 customers around the world registered for our recent private beta. It is part of the vSphere package starting with the Advanced Edition and above.

VMware vShield Zones 1.0 offers the following key features and benefits for vSphere 4 environments:

Central Management of Logical Zone Boundaries and Segmentation

  • Leverage existing virtual infrastructure containers – hosts, virtual switches, VLANs – as logical trust or organizational zones
  • Define policies to bridge, firewall, or isolate network traffic between zone boundaries
  • Manage and deploy policies across an entire VMware vCenter Server deployment
  • Integrate with VMware vCenter Server and automatically deploy on existing virtual networks
  • Scan and discover existing applications running on virtual machines to identify application

Network Enforcement and Flow Monitoring

  • Classify traffic by network or application protocol (e.g. HTTP, RDP, SNMP)
  • Performantly filter traffic with stateful packet inspection (SPI)
  • Track dynamic port connections for protocols such as FTP
  • Track network connections across VMware VMotion migration events
  • Easily convert observed network flows into precise network enforcement rules
  • Monitor both allowed and disallowed activity

Management and

  • Access the Web-based vShield Manager interface remotely from any Web browser
  • Configure administrators to be common with VMware vCenter Server or distinct for separation of duties and
  • View activity hierarchically at individual virtual machine or aggregate levels and generate graphical or tabular reports
  • Retain log data for archival and compliance purposes
  • Export events and data using syslog format

More information about vShield Zones can be found at the product page

vShield Zones 1.0 is downloadable as part of
the VMware vSphere evaluation at:

Documentation and release notes about vShield
Zones 1.0 can be found at:


VMware vShield Zones in private beta

Just in case anyone missed the news from VMworld Europe 2009 last month, VMware launched a new security offering called VMware vShield Zones for our vSphere (formerly VI) platform.  We think this is pretty exciting, as it's the first datacenter security product from VMware, and highlights Security's elevation to one of the six key pillars of our Virtual Datacenter OS architecture.  (For those keeping score, I don't count vCenter Update Manager as a security product only because the patch management vendors themselves tend to more self-identify with system and configuration management….)

vShield Zones is based on our acquisition of Blue Lane Technologies last October. It is built on Blue Lane's mature application-aware network stack, but instead of offering virtual patching, it has all-new modules providing network flow monitoring/auditing as well as network firewalling. Of course these are packaged as a virtual appliance and provide inter-VM visibility and enforcement specifically for logically partitioning the interior of the virtual datacenter. This is great for meeting security and compliance policies around virtualizing DMZs, meeting PCI network segmentation requirements, or isolating multiple tenants in the cloud. For more information about vShield Zones, visit the product page at

vShield Zones will be shipping in the vSphere 4 timeframe. We just entered a private beta that is open to all vSphere 4 beta community members; look for a forum post in the vSphere 4 beta community on how to sign up to download the software and documentation. We appreciate your time and feedback!

Virtualization in and around the RSA Expo

I posted a few weeks ago about VMware’s booth at RSA next week and Steve Herrod’s panel session next Friday.  However, virtualization and security is not just a VMware thing, it’s an entire security community thing, so expect to hear a lot of security vendors at the RSA Expo this year discussing their plans around virtualization.

Many vendors have recently announced or are announcing virtual appliance editions of their products and will be showing them off at RSA.  For example, Symantec will be demonstrating their Mail Security 8300 gateway security product for messaging threats as a virtual appliance.

Some notable booths and events to check out with VMware partners at the RSA Expo:

  • Tuesday, 1:15 pm, at the Tripwire booth – Dwayne Melancon and Gene Kim of Tripwire will be discussing "Controlling Risk in Virtual Environments"
  • Wednesday, 1 pm, and Thursday, 2 pm, at the Shavlik booth – Shavlik CTO Eric Shultze and VMware product management will be speaking about virtualization security and product roadmaps
  • Ongoing, at the McAfee booth – McAfee will be doing demos in their booth of potential new anti-malware capabilities using the VMware VMsafe API
  • Ongoing, at the RSA Partner Pavilion – RSA and VMware will have a full Virtual Desktop Infrastructure (VDI) deployment showing the out-of-box integration of the Virtual Desktop Manager with RSA Authentication for secure two-factor end-user authentication

In addition, we plan on having several partners at the VMware booth to discuss their roadmap for VMware integration or the VMsafe API. So far we have McAfee coming by at noon on Tuesday and Wednesday and Tripwire at 3:30 pm on Tuesday. Look for additional announcements onsite at our booth #339.

Finally, to unwind after a full day of conference activities, we’ve heard from some folks active on our Security and Compliance Communities forum that they’re planning to meet up informally for drinks Wednesday from 5-8 pm, at the Thirsty Bear Brewing Co. at 661 Howard (just past the W Hotel).  The VMware security team will be dropping in for a drink as well, several of us right after the Expo closes at 6 pm.  We look forward to chatting with customers and other security community folks there – look for us in light blue VMware polo shirts.

Check out the VMware Communities post here: RSA 2008 Conference in San Francisco

See you at RSA!

VMware at RSA Conference 2008

Just a headsup to the infosecurity community – drop by our booth at this year’s RSA Conference, April 7-11, 2008, to learn more about the recent VMsafe technology announcement, the new Update Manager product for online and offline VM patching, or just to talk about VMware’s security initiatives in general.  We’ll be in booth #339 on the Expo floor.

Steve Herrod, VMware’s CTO and VP of R&D, will also be speaking on a panel on future trends in virtualization and security on Friday, April 11, at 10 am (session EXP-402).  Don’t miss it!

Keeping Your VMotion Traffic Secure

Recently a researcher published a proof-of-concept called Xensploit which allows an attacker to view or manipulate a VM undergoing live migration (i.e. VMware’s VMotion) from one server to another. This was shown to work with both VMware’s and Xen’s version of live migration. Although impressive, this work by no means represents any new security risk in the datacenter. It should be emphasized that this proof-of-concept does NOT “take over the hypervisor” nor present unencrypted traffic as a vulnerability needing patching, as some news reports incorrectly assert. Rather, it is a reminder of how an already-compromised network, if left unchecked, could be used to stage additional severe attacks in any environment, virtual or

On an insecure network, man-in-the-middle attacks can target both virtual and physical machines. The techniques published are novel in that they go after the contents of migrating VM memory to target credentials and data, rather than going after similar information flowing across internal network transactions. Putting aside the question of whether it’s even worthwhile to target memory instead of network traffic directly, the sensitivity of VM memory was never the question.

Encryption of all data-in-transit is certainly one well-understood mitigation for man-in-the-middle attacks. But the fact that plenty of data flows unencrypted within the enterprise – indeed perhaps the majority of data – suggests that there are other adequate mitigations. Unencrypted VMotion traffic is not a flaw, but allowing VMotion to occur on a compromised network can be. So this is a good time to re-emphasize hardening best practices for VMware Infrastructure and what benefit they serve in this scenario.

  1. The most important VMotion best practice is to isolate your VMotion activity from all production network traffic. The current design of VMotion assumes that the VMotion network is secure within a data center, certainly within a rack or set of adjacent racks. In a typical situation, servers in one or more co-located racks would each have one or two network cards dedicated for VMotion; these would be connected to a switch or VLAN that has no other endpoints connected.

     Isolating VMotion takes away the most common staging point for man-in-the-middle: some unpatched box anywhere on the production network that has already been taken over by malware. Indeed, why any non-ESX box, compromised or not, would be on this network at all would immediately be in question. The researcher’s assumption is that long-haul VMotion over wide area networks might become popular in the future. However, most companies today already use encrypted links for inter-datacenter traffic.

  2. Tightly restrict access to VI administrative accounts and roles. With VMotion isolated, a virtual rogue presence is more plausible than a physical one, but even a compromised guest VM does not have a virtual NIC on the VMotion network, only on the production network. Therefore the rogue VM must be configured in VI to have a vNIC on the VMotion network.

  3. Don’t enable promiscuous mode on vswitches. Unlike with a physical network card, someone who has taken over a guest VM cannot configure a vNIC to be promiscuous. Another VI admin setting, promiscuous mode (off by default) is configured on the virtual switch port separately from a VM. Also, to manipulate rather than snoop, the proof-of-concept technique requires traffic to actually route through the rogue VM, which would not occur naturally on the vswitch.
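As an added illustration (not VMware's code and not the VI API), the script below audits a constructed, simplified model of an ESX host's vswitch layout against the three practices above: a production VM port group sharing the VMotion VLAN and uplinks, a VM vNIC attached to the VMotion port group, or promiscuous mode enabled on a vswitch or port group each produce a finding. The `PortGroup` and `VSwitch` classes and the sample hosts are hypothetical.

```python
# Added example: audit a constructed ESX host network layout against the
# three VMotion hardening practices. The data model is a simplification.
from dataclasses import dataclass, field

@dataclass
class PortGroup:
    name: str
    vlan: int
    vmotion: bool = False                 # VMkernel port with VMotion enabled
    promiscuous: bool = False             # port-group security policy override
    vm_vnics: list = field(default_factory=list)  # VMs with a vNIC here

@dataclass
class VSwitch:
    name: str
    portgroups: list
    uplinks: list                         # physical NICs behind this vswitch
    promiscuous: bool = False             # vswitch-level security policy

def audit(vswitches):
    """Return findings; an empty list means all three practices hold."""
    findings = []
    vmotion_pgs = [(vs, pg) for vs in vswitches for pg in vs.portgroups if pg.vmotion]
    vmotion_keys = {(tuple(vs.uplinks), pg.vlan) for vs, pg in vmotion_pgs}
    for vs in vswitches:
        if vs.promiscuous:                # practice 3: vswitch-wide promiscuous
            findings.append(f"{vs.name}: promiscuous mode enabled on vswitch")
        for pg in vs.portgroups:
            if pg.promiscuous:            # practice 3: per-port-group override
                findings.append(f"{vs.name}/{pg.name}: promiscuous mode enabled")
            if pg.vmotion and pg.vm_vnics:  # practice 2: a VM was given a VMotion vNIC
                findings.append(f"{vs.name}/{pg.name}: VM vNICs on VMotion port group: "
                                + ", ".join(pg.vm_vnics))
            shares = (tuple(vs.uplinks), pg.vlan) in vmotion_keys
            if not pg.vmotion and pg.vm_vnics and shares:  # practice 1: not isolated
                findings.append(f"{vs.name}/{pg.name}: production VMs share the VMotion "
                                f"VLAN {pg.vlan} on uplinks {vs.uplinks}")
    return findings

# Constructed sample host: VMotion shares VLAN 0 and vmnic0 with the VM network
RISKY = [VSwitch("vSwitch0", [
    PortGroup("VM Network", 0, vm_vnics=["web01", "db01"]),
    PortGroup("VMotion", 0, vmotion=True)], uplinks=["vmnic0"], promiscuous=True)]
# Same host after hardening: dedicated uplink and VLAN, promiscuous mode off
HARDENED = [
    VSwitch("vSwitch0", [PortGroup("VM Network", 0, vm_vnics=["web01", "db01"])], ["vmnic0"]),
    VSwitch("vSwitch1", [PortGroup("VMotion", 10, vmotion=True)], ["vmnic1"])]
```

Calling `audit(RISKY)` reports the shared VLAN and the promiscuous vswitch; `audit(HARDENED)` returns no findings.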

Warren Wu
Security Product Management