Does VMware's VMsafe fully protect your datacentre?

Back in the bad old days when you deployed one app per server, you might have been a bit peevish about the idea that malware could start spraying itself around your data centre.Now we're all going virtual (or at least - let's get real - we will be at some point), for a hosting company or an enterprise, malware poses an even greater challenge.

Back in the bad old days when you deployed one app per server, you might have been a bit peevish about the idea that malware could start spraying itself around your data centre.

Now we're all going virtual (or at least - let's get real - we will be at some point), for a hosting company or an enterprise, malware poses an even greater challenge. There's not that much around these days that can make the leap between VMs inside a host computer, but you can bet that malware will, eventually, be developed that can do just that; the potential rewards are just too great. The worst that seems to have occurred is a vulnerability that could lead to denial of service attack.

That's why VMware reckons it included VMsafe APIs inside its latest rev of the data centre operating system vSphere 4.0.

The aim is to allow security vendors to develop products that detect and remove malware that tries to insinuate itself into the hypervisor. Trend Micro's just launched one such product, Core Protection for Virtual Machines, which it claims "leverages the VMsafe APIs from VMware to offer layered protection through the use of dedicated scanning VMs coordinated with real-time agents within the VM".

I haven't tested it and so can't tell you how effective it might be but it's symptomatic of further products from other vendors you can expect to see arriving in coming months.

But is it all it's cracked up to be?

This is by no means a finger-pointing exercise at Trend - it is only one of many companies currently offering or about to offer security product based around VMsafe, a concept which remains, in my view, a seriously good idea. But there are limits to what VMsafe-capable software packages can achieve, according to long-time VMware watcher Alessandro Perilli points out in his blog.

VMware concurs, as the company's technology evangelist Richard Garsthagen says: "It is true to say that the VMsafe API on its own does not allow files to be changed or deleted within VMs, but VMware does provide other APIs for this, so vendors can make complete solutions....Ultimately it will be up to security vendors how they architect their security products."

Trend claims that it does indeed delve into virtual machines - both running and dormant. "The Trend product offers full scanning and importantly remediation of virtual machines," says Trend Micro solutions architect Rik Ferguson.

The key here is to be aware that VMsafe on its own doesn't offer protection inside your VMs, only access to them from outside. Gartshagen again: "The VMsafe API will allow vendors to monitor and control the behaviour of virtual machines by blocking executions and/or filtering network traffic. The API on its own will prevent malicious code from reaching the VMs and bad code being executed."

Looks like you still have to run agents inside your VMs.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All