The hospital is moving forward with its desktop virtualization project based on VMware's View as a migration path from stand-alone Windows-based desktop computers. Tests are showing that running antivirus scans and other services in the VMware environment does cause so-called "A/V storms" that can severely impact performance.
So far, the tests with Trend's vShield-based Deep Security, which does A/V scanning, show that the agentless approach eliminates that problem, although some compatibility issues have had to be resolved. For instance, VMware just issued some new endpoint drivers for vShield, which seem to have affected how Trend Micro's software behaves, says Smallwood.
Deep Security also provides a virtual-patch capability, which the hospital wants so that it can scan for and mitigate vulnerability risks without rebooting, helping it avoid service disruptions. The vShield approach has "huge appeal," says Smallwood.
But even some vendors eyeing support for vShield have reservations.
Kim Singletary, McAfee's director of solutions marketing for virtualization, says McAfee's approach so far in creating antivirus scanning products specialized for virtualized environments has been "hypervisor-agnostic." McAfee's antivirus scanning software, called McAfee Management for Optimized Virtualized Environments (MOVE), for example, is intended for use on Citrix Xen, ESX, vSphere or Microsoft Hyper-V. While MOVE has seen steady adoption among customers, McAfee is aware that many of them are waiting to see how McAfee and its ePolicy Orchestrator management console will integrate with vShield.
While McAfee couldn't provide complete details yet, Tyler Carter, product marketing senior group manager for network security at McAfee, says the security firm is working with VMware and seeking to determine how this integration could be done.
VMware's vShield elicits some scorn from arch-rival Microsoft.
"VMware is taking some technologies and trying to wrap it around virtualization," says Jeff Woolsey, principal program manager, lead for Windows Server virtualization at Microsoft. "It makes sense if you're a virtualization vendor. Virtualization is hot." But he adds Microsoft's view is broader because it's looking at security and management that will support both virtualized and non-virtualized environments -- at least those of Microsoft.
He says Microsoft doesn't have the kind of over-arching security framework like vShield, nor are there plans at present to introduce one, but it has already made technologies for integrating with Hyper-V, such as its virtual hard-disk format, openly available to vendors without royalties. He said it's being used by firms like McAfee that want to be hypervisor-agnostic. "Customers don't want to buy a technology that only works with one virtualization vendor," Woolsey says. He says Microsoft is offering free tools and configuration advice for Hyper-V.
He says the VMsafe APIs, which are being phased out, have been a failure with few vendors using them, and he predicts vShield may well suffer the same fate. Microsoft also argues against VMware's idea that the agentless approach is the best way to go for security in virtualization.
"Their whole point is you don't need agents anymore. That's a pipe dream," Woolsey says. Without the agent, you sacrifice getting a lot of information from the VM guest, he says.
Not surprisingly, VMware's push to be the software-based firewall for vSphere is disconcerting to traditional firewall vendors that have spent years building up product expertise, such as deep-packet inspection.
Check Point Software Technologies last fall introduced Security Gateway Virtual Edition, which includes a firewall, VPN, and intrusion prevention for use with VMware's ESX, ESXi and vSphere. But it's based on the older VMsafe APIs, not vShield. VMware's vShield firewalling concepts provide a good foundation but "there's a certain specialization in what we do," says Oded Gonda, vice president of network security at Check Point, adding customers are invested in equipment they'd like to extend into virtualized environments.