Cisco should embrace VMsafe, big time!
June 26th, 2008 | by Jan Bervar

If you missed the announcement of VMware’s VMsafe a while ago, go check it out. VMsafe is an open API for vendors to add security services to VMware’s ESX hypervisor. It allows third-party add-ons to control connectivity with virtual networking and execution of guest operating systems or applications. In this manner, you can run a network firewall, network IPS, a NAC appliance, host IPS and similar “classic” security controls inside the hypervisor layer.
The benefit of running inside the hypervisor is obvious: much less overhead compared to security services implemented as a dedicated, specialized guest VM, or compared to external, network-attached physical security devices. The downside is the increased complexity of the hypervisor (imagine stuffing loads of security products into your favorite OS kernel…), which necessarily increases its attack surface and potential for logical flaws.
Cisco has been curiously absent from the set of vendors that have joined the VMsafe ecosystem, although the possibilities for integration are very appealing. Imagine the following products implemented inside the hypervisor, and hence deployable flexibly across the entire virtualized infrastructure:
- Cisco ASA or Cisco IPS providing access control between virtual networks, using host resources (CPU cores, memory) to the extent needed for current traffic levels.
- Cisco Security Agent controlling the behavior of guest VMs from outside the VM.
- Cisco NAC appliance providing admission control to virtualized servers, or from virtualized clients.
- Catalyst security services such as 802.1x, ARP inspection, DHCP snooping and so forth inside the hypervisor’s virtual switch.
Embracing VMsafe has the potential to impact Cisco hardware sales and to increase piracy, which may be why Cisco has been shy about it so far. I believe that Cisco should bite the bullet and start participating in the program, or risk being years late to the concept of flexible, movable virtualized security services inside hypervisors, and the seamless integration of virtual and physical networking. Of course, we should all do our part by bugging our local Cisco SE or AM to build this business case within Cisco.

2 Responses to “Cisco should embrace VMsafe, big time!”
By Bostjan Sustar on Oct 28, 2008 | Reply
Cisco Security Agent cannot really do its job outside the VM. Its main strength is that it is tied into the OS to control its behaviour.
By Jan Bervar on Feb 5, 2009 | Reply
A bit late in my reply… Sure it could, if Cisco provided it with VM introspection capabilities.