In contrast, he says, a "Cisco PIX has 5,000 rules on it, you have to tread very carefully to transfer those rules; it can take two hours." Coza says one of the main problems is knowing where the workloads actually are in a virtualized environment when they can move around rapidly.
Cisco did not want to discuss how useful physical firewall appliances can be in a virtualized environment or any role Cisco might play in the vShield program, but Rajneesh Chopra, Cisco senior product manager, says Cisco has taken steps to design products specifically for vSphere, including the Virtual Security Gateway for Cisco Nexus 1000V Series Switches, intended to provide trusted access, firewalling, filtering and security policies for VMware VMotion events and more. Chopra says Cisco's goal is to "maintain a consistent policy and definitive enforcement" in both virtualized and non-virtualized environments. He adds Cisco's relationship with VMware from an architecture perspective "runs broad and deep."
With vShield Manager, security policy can be applied immediately, and not just for firewalling: decisions can also be made on how to do antivirus scanning, event logging, intrusion prevention, e-discovery, vulnerability management, file-integrity checking and data-loss prevention.
VMware so far has not figured out exactly how to bring encryption into this architecture but is working on it, Coza acknowledges. One goal with vShield is to adhere to the recent guidelines from the National Institute of Standards and Technology for use of virtualization.
Coza notes that VMware also wants to be able to provide an "application discovery manager" that can "sniff traffic" to discover sensitive data "so you can write business context around these containers" and design automated security procedures customized for data restricted under the Payment Card Industry guidelines, for example.
VMware's vShield Manager can act as middleware to accept instructions from management consoles of third-party security vendors, or conversely, send information to them, once integration with third-party security products is completed. But VMware is not interested in working with potentially hundreds of security vendors and making the vShield APIs available to them. Rather, VMware wants to work with a select group in a more controlled way than it did with its earlier security APIs, VMsafe, which will eventually be phased out; vendors expect that to happen by the end of 2013.
The selected vendors today working with VMware include Sourcefire, HP TippingPoint and Trend Micro, Coza says, with more vShield third-party vendors expected to be showcased at the upcoming VM World Conference this summer. He says vShield has been adopted or is under evaluation with several service providers, including Terremark, Savvis and AT&T.
Ty Smallwood, information services security officer at Medical Center of Central Georgia, the second largest hospital in the state with about 4,600 employees, says his hospital is a big VMware shop. The lock-in argument does not take the upper hand for the hospital, especially as one of the main security vendors it has relied on for a long time, Trend Micro, is supporting vShield through its Deep Security product.