VMware vSphere brings new security features but does it really bring more security? This is the question the latest Virtualization Security Round Table podcast tried to answer. Unfortunately, the answer was not conclusive. I will try to explain the features and why things are so inconclusive.
The four items that were added with VMware vSphere follow:
- VMware VMsafe works with the other VMware APIs (vStorage, vNetwork, vCompute) to give a security tool running within a virtual appliance introspection into the hypervisor. Each of these APIs allows new drivers and virtual appliances to see hypervisor data structures.
- VMware host profiles and distributed virtual switch functionality adds the ability to have a more uniform configuration across all your VMware vSphere 4 hosts. This is the start of unified configuration management across all the hosts within a VMware Cluster.
- VMware vShield Zones, which does not use VMsafe, provides a virtual firewall with intrusion detection functionality that currently exists from third party vendors within the virtualization security space. VMware vShield Zones is what became of the Bluelane product that VMware purchased.
- There is also a subtle change when you run VMware vSphere 4 ESX version. This subtle change is that the service console now runs within a virtual machine disk file (VMDK) and not from partitions on the installation media as it has in the past.
The reality is that when you place a VM on any virtualization host you do not magically gain security; you gain availability, but not true security. This has not changed with VMware vSphere 4. You still need to harden your guest operating systems, your virtualization hosts, and your virtual networks. What VMware vSphere brings with these features is better efficiencies that virtualization security tools can make use of.
Why were these evolutionary ideas included in the realm of virtualization security?
- VMsafe exposes to the virtual machines critical data structures used by the hypervisor. It allows special VMs to inspect these data structures and, in some limited sense, to make changes. Because of this, the hypervisor footprint has grown drastically and now extends into a realm that is considered hostile to the hypervisor: the realm of the virtual machines. So special consideration must be given when placing VMsafe-aware vApps into your virtual infrastructure. These vApps must be secured the same way you secure your service console or management appliance when using VMware ESXi 4. VMware leaves the security of these vApps to the implementer.
- Host profiles and the distributed virtual switch are only available to Enterprise Plus customers, which limits their availability to the rest of the users of VMware vSphere. In addition, while these tools are extremely useful for ensuring the configurations of the ESX and ESXi hosts are the same, they do not go deep enough into the security configuration: you still need a third party tool or a script to ensure the security settings of your ESX and ESXi hosts are in sync with your security policy and standards.
- VMware vShield Zones does not provide any new functionality that does not already exist within the current virtualization environment. First, it does not use VMsafe, which implies it suffers from all the inefficiencies currently involved in using similar tools within VMware Virtual Infrastructure 3. There are other tools already available that provide similar functionality and more, such as Altors, Catbird V-Security and Reflex Systems VMC.
- The last item is the subtle difference in how the service console is created within VMware ESX 4. This difference appears to be more secure as the service console is now a fully contained VM. But is it more secure? Does this mean that access to your storage network would now give you access to the service console at a disk level where before this was not the case?
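The host profiles item above says that keeping ESX and ESXi hosts in sync with a security policy still needs a script or third party tool. The following is an added example of such a drift check, not code from the article or from VMware: every setting name, host name and value is constructed for illustration and is not a real ESX configuration key.

```python
# Added example: compare each host's security settings against a policy baseline
# and report drift. Setting names, host names and values are constructed, not
# real ESX/ESXi configuration keys.

# Security baseline every host in the cluster must match (constructed).
POLICY = {
    "ssh_enabled": False,
    "firewall_default_incoming": "deny",
    "syslog_target": "syslog.example.internal",
    "required_ntp_servers": {"ntp1.example.internal"},
}

# Snapshots of each host's current settings (constructed sample input).
HOSTS = {
    "esx01": {"ssh_enabled": False, "firewall_default_incoming": "deny",
              "syslog_target": "syslog.example.internal",
              "required_ntp_servers": {"ntp1.example.internal", "ntp2.example.internal"}},
    "esx02": {"ssh_enabled": True, "firewall_default_incoming": "deny",
              "syslog_target": "syslog.example.internal",
              "required_ntp_servers": {"ntp1.example.internal"}},
    "esx03": {"ssh_enabled": False, "firewall_default_incoming": "allow",
              "required_ntp_servers": set()},
}


def check_host(settings, policy=POLICY):
    """Return a list of (setting, actual, expected) deviations for one host."""
    findings = []
    for key, expected in policy.items():
        if key not in settings:
            findings.append((key, None, expected))      # absent setting counts as drift
        elif isinstance(expected, set):
            if expected - settings[key]:                 # set policy: members must all be present
                findings.append((key, settings[key], expected))
        elif settings[key] != expected:
            findings.append((key, settings[key], expected))
    return findings


def check_cluster(hosts, policy=POLICY):
    """Map host name -> deviations, listing only hosts that drift from policy."""
    report = {}
    for name, settings in hosts.items():
        findings = check_host(settings, policy)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for host, findings in check_cluster(HOSTS).items():
        for key, actual, expected in findings:
            print(f"{host}: {key} is {actual!r}, policy requires {expected!r}")
```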
Each of the new VMware vSphere security features adds more questions to the already long list that makes up virtualization security. While these new features and tools WILL help with virtualization security, each of them has its own concerns and considerations. Vendors are already integrating with VMware VMsafe and I expect others to use the new APIs to provide more efficient security tools. The following is a list of announced security and other products that make use of the new VMware APIs.
- Cisco Nexus 1000V virtual Switch which uses the vNetwork and VMsafe APIs to implement their features, and also has an associated vApp that requires protection.
- Reflex Systems vTrust, a component of their VMC product, which uses the vNetwork and VMsafe APIs to implement its features and also has an associated vApp that requires protection. vTrust will be more efficient as you only need one vApp per ESX host and not one for every 3 virtual switches.
- Trend Micro's offline disk introspection which uses the vStorage APIs to implement its features and allows for efficient offline scanning of virtual disk contents.
I fully expect many other tools to shortly be available as many of the security vendors are working on VMsafe and vSphere API based products.
The new VMware vSphere features got scant recognition within the VMware announcement but they are not revolutionary. They are evolutionary as there had to be a more efficient way to implement security within a virtualization host and cluster. The new APIs provide these efficiencies, but they also add more configuration management requirements to the virtualization host in order to have a safe and secure virtual environment.
There are now many more doors to your virtual data center to protect.