by Edward L. Haletky

vApps May Ease App Migration, But Require Closer Security Scrutiny

Sep 25, 2008 | 3 mins

Abetted by ThinApps, VMware vApps may make application management and provisioning a lot easier, but will require even more attention to security in depth, real-time monitoring and auditing after an incident.

It’s all about the vApps, baby.

In VMware’s new nomenclature, the new name for virtual machines is, apparently, vApps. In the big announcement of VMware’s new Virtual Data Center Operating System (VDC-OS) the term virtual machine was almost entirely absent. But vApps abound.

There are vApps for security, vApps as a service, and the Open Virtual Machine (OVF) format specification defines a vApp encapsulation. At some point one will be able to buy a vApp in OVF form from vendors.

A vApp could contain one or more virtual machines, according to the descriptions we’ve seen so far.

But I wonder about being able to not only provide VMs via vApp, but to eventually use ThinApps as a part of the vApp delivery. I believe this is where VDC-OS will eventually go.

By packaging a virtual OS, registry, file system plus any DLLs or other components within the same application package, ThinApps bypass traditional Operating System models in favor of encapsulated applications that can run as a vApp.

However, we are a long way from that at the moment.

The interesting thing about the vApp is that it will become the link to various VMware APIs, to which other vendors write. A registered vApp will be able to connect to the vStorage, vNetwork, VMsafe APIs and be able to control them from within a virtual appliance.

Since the vApp is the lever in the process of leveraging the APIs, what is to protect the lever from being broken or discarded in favor of another vApp? Will vApps collide in management functionality?

Several security-related vApps are being worked on today, by antivirus vendors and Cisco. Will the development of these vApps be limited to these rarefied heights, or can the small security company get into the game as well?

Either way, these specialized vApps represent more attack points into the system. If these are also network-aware vApps, upon what OS are they based? Or do you install an application within a Windows vApp?

I have found that treating something as an appliance is not always the best route to take when we are discussing security. Even appliance makers have multiple security layers within their devices, which can make things complex at best and less secure at worst.

I assume the same will be true for a vApp. Defense in depth, auditing, and monitoring of a vApp will now be extremely important. Will this functionality be provided by the vendor or VMware?

Virtualization expert Edward L. Haletky is the author of “VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers,” Pearson Education (2008). He recently left Hewlett-Packard, where he worked in the Virtualization, Linux, and High-Performance Technical Computing teams. Haletky owns AstroArch Consulting, providing virtualization, security, and network consulting and development. Haletky is also a champion and moderator for the VMware discussion forums, providing answers to security and configuration questions.