
24 | Chapter 1 VMware vSphere 4 Overview
Security
Security services help you secure your virtual infrastructure from vulnerabilities. They also enable applications to enforce an appropriate level of security policies in an operationally efficient way. VMware vSphere includes the following security services:

VMware vShield Zones: VMware vShield Zones is an application-aware firewall that can be integrated with VMware vCenter Server to enforce corporate security policies and ensure regulatory compliance at the application level in vSphere environments. It continuously monitors and controls the network traffic flowing to and from virtual machines in its inventory, while still maintaining trust and network segmentation of users and sensitive data.

VMware VMsafe: VMware VMsafe provides an application programming interface (API) that security vendors can leverage to develop VMware-aware security products. VMsafe enables partners to build virtual appliance-based security solutions that can monitor and protect virtual machine CPU state, memory pages, network traffic, and disk files, and any processes executing inside them.
In the next sections, we will provide more details about each of these security services.
VMware vShield Zones
VMware vShield Zones helps you protect the privacy and confidentiality of virtual machines and their data. vShield Zones builds an inventory of the operating systems, applications, and open ports within your virtual data center. You can then use this information to monitor and enforce network access to sensitive areas of the virtual data center, including the DMZ, or to servers with sensitive data that is subject to regulations such as PCI, SEC 1742a, or SOX compliance. It also allows you to build logical trust or organizational boundaries within existing vCenter Server deployments, while still leveraging the flexibility and availability of shared resource pools. You can then define security policies to bridge, firewall, or isolate traffic across these boundaries.
The components that make up the vShield Zones environment are as follows:

vShield: This is a virtual appliance located on each vSphere host and is used to inspect traffic flow and provide firewall protection.

vShield Manager: This manages all of the distributed vShield instances by providing monitoring, centralized configuration, and software updates.
Once deployed, vShield sits in between your protected virtual machines and the external network interfaces. This allows vShield to intercept each network packet and enforce the policies that have been created for the particular security zone.
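To make the zone model concrete, here is an added illustration (not VMware's code and not how vShield is implemented) of the three ideas the section describes: an inventory of VMs with their zones and open ports, trust boundaries between zones such as a DMZ and a PCI zone, and policies that bridge, firewall, or isolate traffic across those boundaries. The VM names, addresses, zone names, and rules are constructed sample data; the rule format and first-match evaluation are design choices of this example.

```python
"""Zone-based policy evaluation modelled on the vShield Zones description.
Added example with constructed data; it is not VMware's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    zone: str
    open_ports: frozenset  # ports the inventory found listening (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_zone: str      # zone name, or "*" for any zone
    dst_zone: str
    ports: frozenset   # empty set means any destination port
    action: str        # "allow" or "deny"


class ZoneFirewall:
    """Sits between the VMs and the outside: classifies each packet by the
    zone of its endpoints and applies the first matching rule (default deny)."""

    def __init__(self, inventory, rules, external_zone="external"):
        self.by_ip = {ip_address(vm.ip): vm for vm in inventory}
        self.rules = rules
        self.external_zone = external_zone

    def zone_of(self, ip):
        vm = self.by_ip.get(ip_address(ip))
        return vm.zone if vm else self.external_zone

    def evaluate(self, pkt):
        """Return (action, reason) for one packet."""
        src_zone, dst_zone = self.zone_of(pkt.src_ip), self.zone_of(pkt.dst_ip)
        # Traffic that never crosses a zone boundary is bridged untouched.
        if src_zone == dst_zone and src_zone != self.external_zone:
            return "allow", f"bridged inside zone {src_zone}"
        # Isolation choice for this example: a protected VM only accepts ports
        # the inventory knows it exposes, so probes for closed ports are
        # dropped before any rule is consulted.
        dst_vm = self.by_ip.get(ip_address(pkt.dst_ip))
        if dst_vm and pkt.dst_port not in dst_vm.open_ports:
            return "deny", f"port {pkt.dst_port} not in inventory for {dst_vm.name}"
        for r in self.rules:
            if (r.src_zone in ("*", src_zone) and r.dst_zone in ("*", dst_zone)
                    and (not r.ports or pkt.dst_port in r.ports)):
                return r.action, f"rule {r.src_zone}->{r.dst_zone}"
        return "deny", f"default deny {src_zone}->{dst_zone}"


# Constructed inventory: a DMZ web tier, an internal app tier, a PCI database.
INVENTORY = [
    VM("web01", "10.0.1.10", "dmz", frozenset({80, 443})),
    VM("web02", "10.0.1.11", "dmz", frozenset({80})),
    VM("app01", "10.0.2.10", "internal", frozenset({8080})),
    VM("db01", "10.0.3.10", "pci", frozenset({5432})),
]

# Constructed policy: outside reaches only the DMZ web ports, DMZ reaches the
# app tier, only the app tier reaches the PCI database, nothing else does.
RULES = [
    Rule("external", "dmz", frozenset({80, 443}), "allow"),
    Rule("dmz", "internal", frozenset({8080}), "allow"),
    Rule("internal", "pci", frozenset({5432}), "allow"),
    Rule("*", "pci", frozenset(), "deny"),
]

FW = ZoneFirewall(INVENTORY, RULES)


def decide(src_ip, dst_ip, dst_port):
    """Convenience wrapper returning just the action for a flow."""
    return FW.evaluate(Packet(src_ip, dst_ip, dst_port))[0]


if __name__ == "__main__":
    for src, dst, port in [("198.51.100.7", "10.0.1.10", 443),
                           ("198.51.100.7", "10.0.1.10", 22),
                           ("10.0.1.10", "10.0.3.10", 5432),
                           ("10.0.2.10", "10.0.3.10", 5432)]:
        action, reason = FW.evaluate(Packet(src, dst, port))
        print(f"{src} -> {dst}:{port}  {action:5}  ({reason})")
```

Rule order matters: the internal-to-PCI allow is listed before the catch-all PCI deny, so the same first-match evaluation that lets the app tier reach the database blocks the DMZ from doing so.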
VMware VMsafe
VMware VMsafe enables an open security architecture with a set of APIs from VMware that gives security vendors insight into the inherent properties of virtualization, similar to a hypervisor. Using this set of APIs, security partners can develop virtual appliance-based security solutions that can monitor and protect virtual machine CPU state, memory pages, network traffic, and disk files, and the processes executing inside them. Because these products will work in
563601c01.indd 24 6/29/10 4:41:03 PM