
How To Wield the New vShield (Edge, App & Endpoint)


Today at VMworld I spent my day in and out of sessions focused on the security of virtualized and cloud environments.

Many of these security sessions hinged on the release of VMware's new and improved suite of vShield products, which can be summarized by a deceptively simple set of descriptions:

  • vShield Edge – Think perimeter firewalling for the virtual datacenter (L3 and above)
  • vShield App – Think internal segmentation and zoning (L2)
  • vShield Endpoint – Anti-malware service offload

The promised capabilities of these solutions offer quite a well-rounded set of features from a network and security perspective, but there are many interesting things to consider as one looks at the melding of the VMsafe API, vShield Zones and the nepotistic relationship enjoyed between the vCloud (née VMware vCloud Director) and vSphere platforms.

There is a series of capabilities emerging which seek to solve many of the constraints associated with the multi-tenancy and scale challenges of heavily virtualized enterprise and service provider virtual data center environments. However, many of the issues I raised in the Four Horsemen of the Virtualization Security Apocalypse still stand (performance, resilience/scale, management and cost) — especially since many of these features are delivered in the form of a virtual appliance.

Many of the issues I raise above (and asked about again today in session) don't have satisfactory answers, which just shows you how immature our solution portfolios still are.

I'll be diving deeper into each of the components as the week proceeds (and as more details around vCloud Director are made available), but one thing is certain — there's a very interesting amplification of the existing tug-of-war between the security capabilities/functionality provided by the virtualization/cloud platform providers and the network/security ecosystem trying to find relevance and alignment with them.

There is going to be a wringing out of the last few smaller virtualization/cloud security players who have not yet been consolidated via M&A or attrition (Altor Networks, Catbird, HyTrust, Reflex, etc.) as the three technologies above either further highlight an identified gap or demonstrate irrelevance in the face of capabilities "built in" (even if you have to pay for them) by VMware themselves.

Further, the uneasy tension between the classical physical networking vendors and the virtualization/cloud platform providers is going to come to a boil, especially when it comes to configuration management, compliance, and reporting, as the differentiators between simple integration at the API level of control and data plane capabilities and things like virtual firewalling (and AV, and overlay VPNs and policy zoning) begin to commoditize.

As I've mentioned before, it's not where the network *is* in a virtualized environment, it's where it *isn't* — the definition of where the network starts and stops is getting more and more abstracted. This in turn drives the same conversation as it relates to security. How we're going to define, provision, orchestrate, and govern these virtual data centers concerns me greatly, as there are so many touchpoints.

Hopefully this starts to get a little clearer as more and more of the infrastructure (virtual and physical) becomes manageable via API, such that ultimately you won't care WHAT tool is used to manage networking/security, or even HOW, so long as policy can be defined consistently and implemented/instantiated via API across all levels transparently, regardless of what's powering the moving parts.

This goes back to the discussions (video) I had with Simon Crosby on who should own security in virtualized environments and why (blog).

Now, all this near-term confusion and mess isn't necessarily a bad thing, because it's going to force further investment, innovation and focus on problem solving that has simply been stalled in the absence of technology readiness, customer appetite and compliance alignment.

More later this week. [Ed: You can find the follow-on to this post here: "VMware's (New) vShield: The (Almost) Bottom Line"]


  1. Anon
    September 4th, 2010 at 06:19 | #1

    So, now VMware charges you 4500$+ (25 VMs) for what was included in vShield Zones shipped with vSphere 4.0.

  2. Anon
    September 4th, 2010 at 06:21 | #2

    To clarify, vShield Zones 1.0 included vShield App functionality.

    vSphere Advanced, Enterprise and Enterprise Plus included vShield Zones.

    Now VMware wants its customers to pay again for such functionality.

  3. Sean
    September 4th, 2010 at 09:43 | #3

    Anyone who has used vShield 1.0 would be glad to pay more for the new vShield, as it is so much better.

  4. donote
    January 14th, 2012 at 03:13 | #4

    Hi, vShield Endpoint and VMsafe are two different products, but from the official website introduction their functions look the same. Can you help to explain their difference? Thanks; email is the best comm.
