New VMware API allows third parties into the hypervisor

VMware has released the long-awaited VMsafe API, enabling third-party security vendors to apply security within the hypervisor to better secure virtual machines.

This means VMsafe-compatible security products, running as protected virtual machines, will be able to safeguard VMs at the host level. For example, a malware attack could be stopped at the host, protecting multiple guests.

The API will also give security products greater visibility into the virtual environment, granting them the ability to monitor and filter packets both inside the hypervisor and in a virtual security appliance.

Until now, for the most part, security products such as firewalls and IPS were placed in-line to protect the host, with little or no awareness of the VM guests, their roles and attached policies. Alternatively, some products have been offered as virtual appliances, but with little or no awareness of the virtual network in which the protected VM lives.

VMsafe should give enterprises the ability to manage their virtual networks and servers with the same level of control and visibility available for physical systems, while leveraging VMware-specific capabilities, such as VMotion, which dynamically moves VMs between physical devices as needed, and tracks the retirement, reactivation and creation of guest VMs.

A VMware spokesman was not available for comment on deadline.

"What we're seeing right now is the transition to really exploiting the capabilities of virtualization with VMsafe," Steve Herrod, VMware CTO, said in a recent interview with SearchSecurity.

"You'll see a lot of transformation around leveraging VMsafe and moving from just protecting the virtualization layer as if it were a normal machine," Herrod said, "to really exploiting the benefits of introspection and being ready for the mobility that comes with a virtualized data center."

The VMsafe release comes as part of the latest version of VMWare's data center product, vSphere 4 (previously known as VMware Infrastructure), which it bills as the "first cloud operating system for delivering efficient, flexible and reliable IT as a service."

vSphere is designed to help deploy and manage virtualization rapidly and efficiently for large data centers or virtualized private hosted services, for both service providers and large enterprises that want to adopt a "cloud"-style environment within the organization.

To date, VMware has not publicly linked vSphere to VMsafe, although it has discussed other enterprise-scale security capabilities, such as new large-scale management features that facilitate server security, storage and network settings, automate configuration management and reduce errors due to misconfiguration.

vSphere also features vShield Zones, which enforce application security policies based on logical zones.

The VMsafe release should trigger a flurry of virtualization security products from among the more than two dozen VMsafe security partners, which have been working with VMware through the development and beta programs, many since VMware first announced VMsafe in February 2008.

Host intrusion detection/prevention and application security vendor Third Brigade Inc. stole a march on everyone at the 2009 RSA Conference Monday, announcing VMsafe support with the release of its Deep Security Virtual Appliance.

The announcement gives customers the option of using the VMsafe-supported product or Third Brigade's existing agent-based product for individual VMs requiring high performance and/or using VMotion in a cloud environment. In large virtual deployments, that means managing a lot of agents.

"And that's a challenge," said Bill McGee, Third Brigade's vice president of products and technology. "That's why we adapted our technology to use the VMsafe API for virtual machines that don't have an agent."