Security professionals need more clarity and education -- not just technology and hyperbole

You’ve got to hand it to VMware — it clearly understands the strengths and weaknesses of the ESX environment and is focused on improving the platform. Case in point: at this week’s VMworld, the company announced the VMware vShield family of security products. From the early announcement, it seems that vShield is composed of:

* vShield Edge. To enable secure multi-tenancy, vShield Edge virtualizes data center perimeters and offers firewall, VPN, Web load balancer, NAT, and DHCP services.
* vShield App. VMware calls this a hypervisor-based, application-aware firewall that creates application boundaries based upon policies. It’s a bit confusing but I believe it manages and secures VM-to-VM traffic in a logical virtual application. VMware needs to clarify this as the term “application firewall” has a completely different meaning.
* vShield Endpoint. This one’s much easier to understand. Rather than run endpoint security software on each virtual endpoint, vShield Endpoint virtualizes security components like signature databases, scanning engines, and schedulers. Much more efficient than pretending that virtual endpoints are physical devices.
* vShield Zones. Again, a bit confusing but it seems like basic ACL capability built into vSphere.

Now I’m not at VMworld so I’m reading between the lines. Nevertheless, I like the direction VMware is taking. ESG Research indicates that security is a big issue with server/desktop virtualization. This is true from virtualization newbies to sophisticated shops.

The vShield products are a great foundation for VMware but I believe there is still a lot of work to do beyond clearing up the messaging. I suggest that VMware:

1. Dedicate ample resources for user education. ESG Research points to a general lack of virtualization knowledge and skills, especially with security professionals.
Note to VMware: If security professionals don’t understand the ESX environment, they won’t buy your products.
2. Clarify your partnering strategy. I can’t really tell if VMware intends to partner or compete with companies like F5, Juniper Networks, Check Point Software, etc. I’m sure I’m not the only one.
3. Work on standards. If my standard firewall is a Juniper SRX, I really don’t want a one-off VMware product in my virtual infrastructure. If vShield can’t “talk” to other products through some new security standards, no one will want it.
4. Stop talking about “better than physical security.” I get the concept but the vast majority of users don’t have the baseline knowledge about server virtualization to believe this so it sounds like nothing more than vendor hyperbole (note: Anyone else remember “unbreakable Oracle?”). Improved security should be a destination/vision and not an overly bold tag line.