More reactions about the VMsafe program introduced at Wednesday’s VMworld Europe keynote. The reactions are good, especially considering most people haven’t seen the actual technology yet. I think everyone is very conscious that opening up access to the hypervisor layer must be done very, very carefully — but at the same time everyone seems to be hoping that this opens the door to innovative new functionality only possible through virtualization. Who will deliver the "VMotion" of virtual security?

Alessandro Perilli gives a good introduction. Link: virtualization.info: VMware announces VMsafe APIs.

While security products like antivirus will still have to install
inside a dedicated VM, they will be able to monitor what’s happening
inside other virtual machines from a completely new perspective: the
hypervisor level.

This will allow checking which traffic is entering or leaving a VM,
or even which data is being executed inside it (looking at CPU states,
memory pages and OS processes list). All done in a transparent way.

The revolutionary approach has two remarkable benefits: first of all
it saves precious physical resources and management efforts without
duplicating the same security agent inside each guest OS, secondarily
it prevents the security agents from being directly attacked and
possibly disabled.

Christofer Hoff likes what he sees so far.  Link: Rational Survivability: VMware’s VMsafe: The Good, the Bad, the Bubbly….

…it’s a little early to opine on the extensibility of VMsafe, but I
am encouraged by the fact that we will have some more tools in the
arsenal, even if they are, in essence, re-branded versions of many that
we already have.

However, engineering better isolation combined with brokered
visibility and specific authorized/controlled access to the VMM is both
a worthy endeavor that yields all sorts of opportunities, but given my
original ramblings, makes me a bit nervous. …

I am sure we will see more claims surface soon suggesting that
technology such as this will produce virtualized environments that are
"more secure" than their non-virtualized counterparts.  The proof is in
the pudding, as they say.  At this point, what we have is a very
tantalizing recipe.

John Peterson has seen the APIs, and he does like what he’s seen. Link: Security In The Virtual World: VMSafe = A Safer More Secure VMWare Environment.

My educated guess though, is that most security vendors will just be
offering their existing security products that are in many cases
physical firewalls, anti-virus, UTM, etc. The real value will be from
solutions that bring unique value to the virtual environment vs.
network designs that dictate routing traffic out of the Virtual
Environment to a physical security appliance and back in.  The other
question is: will the software vendors just be installing their
software on the operating systems of Virtual Machines vs. Physical
Machines? …

I’ve had the privilege of reading the API documents as the CTO of
Montego Networks which is also part of the VMSafe program that was just
announced and am very excited about the future possibilities of the
program.

Pete Lindstrom compares VMsafe to the history of kernel access in Windows. Link: Spire Security Viewpoint: VMware vs. Vista – Hooking the Kernel.

This is a timely announcement that should serve its purpose of
allowing some "authorized" access to kernel operations of the
hypervisor.

I say "authorized" because this approach stands in stark contrast to the challenges Microsoft had when it implemented Kernel Patch Protection,
which had an API to allow security products access to kernel
operations, also in an "authorized" manner. (I would enjoy hearing
about specific functional differences between Vista’s KPP API and
VMsafe).

Of course, the big difference is that it was essentially a time-honored custom to hook Microsoft’s kernel
in all sorts of unauthorized ways …

So VMware is doing what is widely seen as "the right thing" out of the gate.

And let’s give Alessandro the last word:

With VMsafe VMware has the unique chance to improve the efficiency and effectiveness of security products like never before. If the company will release the interface soon enough and its partners
will execute properly, VMsafe alone will be a reason valid enough to
adopt VMware Infrastructure.