Automotive Digital Response Management

Catherine Edwards

Subscribe to Catherine Edwards: eMailAlertsEmail Alerts
Get Catherine Edwards via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Related Topics: Virtualization Magazine, Security Journal

Blog Post

How Does VMsafe Work?

VMsafe security solutions are not “one size fits all”

VMsafe is a set of security-oriented APIs created by VMware and introduced with the launch of vSphere 4. These APIs are not available in older versions of VMware. VMsafe enables 3rd-party ISVs to develop products that closely integrate with vSphere to deliver new capabilities for securing the virtual environment. (Watch: "What VMware Says About Security" [Flash] » )

The three main areas covered by VMsafe are Memory, Disk and Network. In general, these APIs enable a security product to inspect and control certain aspects of VM access to memory, disk and the network from “outside” the VM, leveraging the hypervisor to look inside a VM without actually loading any host agents.

There are several key advantages offered by the VMsafe approach:

  1. Central processing of security functions is more efficient than distributing security controls and related overhead to each VM
  2. No host agents required – guaranteeing security for all VMs regardless of operating system type and patch level, and with no impact to applications running inside the VMs.
  3. Tamper-proof security. Host-agents are subject to getting compromised by the very malware they aim to thwart (e.g., Conficker turning off A/V). By contrast, hypervisor-based security resides outside the guest-VM, and is thus tamper-proof to any malware infections inside a VM.

When it comes to performance (see #1 above), VMsafe implementations can vary widely. The ultimate performance is delivered by integrating security controls directly into the hypervisor kernel, via “kernel-mode” VMsafe (i.e., processing security controls in the vKernel). Latency and throughput speeds for “kernel-mode” VMsafe can be 5-10x faster than “VM-mode” VMsafe (i.e., processing all security controls inside a VM), benefiting from faster processing and fewer context switching in the VMware kernel.

In summary, VMsafe security solutions are not “one size fits all”. When selecting or evaluating vendors, it is important to understand their performance impact on the virtual server, as well as their roadmap for leveraging the full suite of VMsafe APIs (Memory, Disk and Network) to deliver innovative solutions. (Read more: "Some Criteria To Consider When Evaluating VMsafe Solutions" »)

When done right, virtual security can make the virtual data-center more secure than its physical counterpart, a truly exciting prospect for the entire industry.

Read more:
"Why Do We Need Virtual Security?"

More Stories By Catherine Edwards

Catherine Edwards is a marketing consultant.