by Edward L. Haletky

VMware Answers Virtual Security Questions With VMsafe Details

Sep 22, 20084 mins

While much is still unclear about VMware's vision of the future, the company painted a more complete picture of the VMsafe program at last week's VMworld show, adding detail about how third-party security tools will work with VMware's security APIs.

One of the more interesting developments coming out of the VMworld conference in Las Vegas last week was a richer understanding of how VMsafe works.

VMsafe, announced at VMworld Europe in February, is a set of application programming interfaces designed to allow third-party products to add security to VMware virtual servers without having to run an agent inside each. Here are some key points to keep in mind.

First, to use VMsafe you need Virtual Datacenter OS which includes VMware’s latest evolution of its hypervisor technology for servers. VDC-OS is currently in beta test, so release dates are currently unknown. VDC-OS made APIs out of many of the internal features of VMware ESX, so that third parties could add in new security, networking, and management features.

Second, VMsafe is all about the vApp, VMware’s new term for either a virtual appliance or a Virtual Machine (VM). A vApp can contain multiple applications and objects, either multiple VMs or ThinApps.

A vApp digitally signed by the proper authority will be able to access the VMsafe API, which will give that vApp the ability to peer into a VM, either its memory, disk, or network.

Unfortunately, VMware hasn’t said much about what ‘authorized’ means in that context. It’s not clear who the certifying authority will be, or if the signatures will be used just for installation or for continual use of the vApp.

Personally, I hope a valid signature will be necessary to allow a vApp to continue to function. This would prevent other vApps or tools from modifying the VMsafe vApp after installation and opening security holes after a VM image has already been locked down. VMware and VMsafe partners are currently working out these details.

VMsafe provides antivirus vendors with the ability to deploy a single instance of an antivirus (A/V) application per physical host, rather than requiring one for each virtual server. The theory is that this will decrease overall CPU utilization and increase A/V performance. The demos we saw at VMworld in which one A/V application served all the VMs on single host certainly bore this out. Even with single A/V instances however, I expect there to be some operation issues with respect to I/O performance, and the timing of A/V scans. Currently these issues force full disk A/V scans to be almost serialized on an VMware ESX host.

VMsafe should not be confused with the vNetwork API or vStorage API—a set of interfaces designed to allow simpler integration of VMware virtual infrastructures with third-party products such as the Cisco vSwitch.

Projected designs for VDC-OS describe it as being broken up into one set of infrastructure vServices that interact with a separate set of application vServices. Security (and VMsafe) is clearly in the application vServices layer.

But most VMsafe vApps will most likely be hybrid devices that use VMsafe and the vNetwork APIs to protect and inspect memory, disk as well as the network.

VMware has said very little about how VDC-OS will manage and use the digital signatures for VMsafe vApps. We also don’t know how many APIs a VMsafe vApp can use, and whether VDC-OS can prevent unauthorized use of the API.

Products from Trend, Symantec, and McAfee were demoed at VMworld, so it’s probably safe to expect compatible products from them when VDC-OS ships. Other APIs have third-party products attached to them as well, most notably Cisco’s Nexus 1000V, which uses the vNetwork API to add high-level bandwidth and I/O management..

Chris Hoff of the Rational Survivability security blog and I had an unofficial bet on where we felt the Cisco Nexus 1000V would fit into the overall scheme. Chris thought it was a drop in replacement for the vSwitch, and I thought it would use VMsafe. Well we were both right and wrong. It is not a drop in replacement, but makes use of the vNetwork API and could extend to using VMsafe, but at the moment it may not.

Like so much else about VDC-OS and the security APIs themselves, the answer to that is yet to come.

Edward L. Haletky is a VMware Communities User Moderator and Champion; author of the book ‘VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers’, Copyright 2008 Pearson Education; and runs the Virtualization Wiki at