
VMWare’s VirtSec Vision…Virtual Validation?

September 20th, 2008

Rich Miller from one of my favorite blogs, Telematique, wrapped up his VMworld 2008 coverage in a post titled "What Happens In Vegas…"

Rich made a number of very interesting observations, one of which caught my eye:

The theme I noted most at VMworld 2007 a year ago was "security." This year, it seemed noticeably absent. My sense is that the industry has yet to catch up and capitalize on VMsafe. Because all of the "next generation" of offerings from VMware and the independent providers are still in development, no one made too much of security issues.

I'd agree with Rich up to a point, except for the part about how "no one made too much of security issues…"
There was at least one schmuck waving his arms, and I'm wearing his underwear 😉

As I alluded to in my post titled "VMWorld 2008: Forecast For VMware? Cloudy…Weep For Security?", the messaging associated with this year's re-branding certainly had the word "security" front and center under the Application vServices pillar:


…but as Rich alluded to and my post mentioned, the bulk of VMware's security efforts would appear to focus primarily on what's coming from VMsafe and the ecosystem partners supporting it:


I think, however, this would be a rather short-sighted perspective.

While the tremendous amount of re-branding and messaging certainly "clouded" the horizon in some cases, it was clear that the underlying technology roadmap that was shown (and demonstrated as being real in the labs I participated in) lays down some pretty significant clues as to what's in store from VMware in regards to security. More on that in a minute…

You might recall my debate with Citrix's CTO, Simon Crosby, on what, where and how virtualization platform providers should invest in terms of security. Our divergent views were quite passionate, but I maintain that my perspective is the one echoed by the majority of the folks I've spoken to over the last 3 years.

My position, presented in this post, is best summarized thusly:

"…that it is the responsibility of virtualization platform providers to ensure that their [virtualized] data center operating system platforms of the future" don't become the next generation of insecure infrastructure.

It's important to understand that I'm not suggesting that virtualization platform providers should secure the actual guest operating systems, but they should enable an easier and more effective way of doing so when virtualized.

I mean that the virtualization platform providers should ensure the security of the instantiation of those guests as "hosted" by the virtualization platform. In some cases this means leveraging technology present in the virtualization platform to do things that non-virtualized instances cannot. That's more than just securing the hypervisor."

What did I mean by that?

Obviously since I was using VMware as the model for my position, I was referring to VMsafe as the ecosystem enabler, but I was also referring to VMware's prior security acquisition in 2007 of Determina as a fundamental building block for the virtualization platform's security efforts.

Pair that with the root of VM/VMM introspection that Mendel and Tal Garfinkel envisioned back in the day, and things start to make sense…

So back to the original point of this post, which is where VMware's efforts are focused in terms of security. I think that this year's show cemented two definites in my book:

  1. VMware will make additional acquisitions in the security space. Yes, I know this sounds heretical given the delicate balance most "platform" providers keep with their ecosystem partners, but VMware has already shown that it is ready to buy as well as build and ally with prior acquisitions, and security will continue to be a key differentiator for them. They've done it once already with Determina; they'll do it again.
  2. The level of commitment and investment shown by both Cisco and VMware shows there will be a continuing, deeply cemented technology integration between the two beyond the Nexus 1000v. The software instantiation of the Nexus functionality is a fantastic story when combined with the larger vNetwork/distributed virtual switch approach, but I maintain it's a stop-gap.

    The real picture (for Cisco) is clearly a thinner software layer within ESX and a further dependence upon switching hardware external to the host (the Nexus 5000/7000) with of course more security capabilities being provided by the external iron.  Why?  Read my Four Horsemen presentation: virtual switching and virtual security appliances — both in software — ultimately don't scale, don't perform and don't play well with the rest of the stack.

    What does that have to do with VMware's strategy? Well, to me it's an indication that while virtual appliances are great for many things, security isn't necessarily one of them, and that the platform has to be bolstered with as much security huevos as makes sense, allowing the commodity functionality to be shipped off to ISVs' software. I mean, that's why the stuff demo'd by the ISVs looks just like existing solutions, with VirtualCenter integration. A firewall's still a firewall, AV's still AV…the model changes a bit, so back we go to the network.

    Remember this post?: Security Will Not End Up In the Network… It sounds a little contradictory to the point I just made, but read the post. For the sake of this one, it simply illustrates that, cyclically, we're swinging the pendulum back to the "network." However, where the "network" is becomes a little nebulous.

    More on this concept in a separate post soon.

What this ultimately means to me is that within the next 24 months, with the delivery of VI4, a mature VMsafe API and shipping ISV code, we'll see some of the natural market consolidation activity occur, and VMware will lock and load, snap up one or more of the emerging security players in the VirtSec space and bolster its platform's security capabilities.

Meanwhile, Cisco will help secure VMware further in the enterprise with its integrated play, and the remaining security ecosystem players will begrudgingly fight to stay on the good side of the fence…while they hedge their bets by supporting Microsoft and Hyper-V.

I think we've just seen the beginning of what VMware has to offer from a security perspective. They (and we) have a tremendously long way to go, but every cloud's got a silver lining…


Categories: Virtualization, VMware

  1. Bob Albers
    September 23rd, 2008 at 09:49

    "The real picture (for Cisco) is clearly a thinner software layer within ESX and a further dependence upon switching hardware external to the host (the Nexus 5000/7000) with of course more security capabilities being provided by the external iron. Why? Read my Four Horsemen presentation: virtual switching and virtual security appliances — both in software — ultimately don't scale, don't perform and don't play well with the rest of the stack."
    What else would you expect from the dominant provider of network iron? This has everything to do with protecting that position & perhaps less to do with how well s/w net/sec functions ultimately could scale, perform & play. If folks like Cisco don't try to make it work, then there will be a huge opportunity for new players.
    VMware's vision is clearly different than Cisco's; VMware seems to believe that s/w net/sec can be made to scale, perform & play to acceptable levels over time.

  2. Bob Albers
    September 23rd, 2008 at 09:51

    Cisco's Nexus 1000V "thinner software layer" is 8-10M of code per Cisco booth staff at VMworld. Compared to 32M starting point for ESX3i, this doesn't sound very thin to me. How much does adding 30% more unproven 3rd-party code add to the attack surface of ESX3i?

  3. September 23rd, 2008 at 11:03

    I believe we're saying the same thing, Bob?
    Read my other posts regarding "big iron" and the slides from my Four Horsemen; it's pretty clear to me what's going on, and yet it's being danced around by both Cisco and VMware…but then, as you mention, what would you expect?
    The thinner code I'm referring to is *NOT* the 1000v, it's the next iteration which is basically an "initiator" which combines with tagging to redirect flows to the external 5000/7000 series.
    You bet the visions are different; perhaps I haven't made that clear in the first batch of posts, but I certainly will be in my 1000v/VN-Link/vNetworking follow-ons.
    Great insight.
