Projected designs for VDC-OS describe it as being broken up into one set of infrastructure vServices that interact with a separate set of application vServices. Security (and VMsafe) is clearly in the application vServices layer.

But most VMsafe vApps will most likely be hybrid devices that use VMsafe and the vNetwork APIs to protect and inspect memory, disk as well as the network.

VMware has said very little about how VDC-OS will manage and use the digital signatures for VMsafe vApps. We also don't know how many APIs a VMsafe vApp can use, and whether VDC-OS can prevent unauthorized use of the API.

Products from Trend, Symantec, and McAfee were demoed at VMworld, so it's probably safe to expect compatible products from them when VDC-OS ships. Other APIs have third-party products attached to them as well, most notably Cisco's Nexus 1000V, which uses the vNetwork API to add high-level bandwidth and I/O management..

Chris Hoff of the Rational Survivability security blog and I had an unofficial bet on where we felt the Cisco Nexus 1000V would fit into the overall scheme. Chris thought it was a drop in replacement for the vSwitch, and I thought it would use VMsafe. Well we were both right and wrong. It is not a drop in replacement, but makes use of the vNetwork API and could extend to using VMsafe, but at the moment it may not.

Like so much else about VDC-OS and the security APIs themselves, the answer to that is yet to come.

Edward L. Haletky is a VMware Communities User Moderator and Champion; author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education; and runs the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization