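VMworld has just taken place. What is VMware's strategy for vShield? Is it out to put the security vendors out of business? The industry is hotly debating this question, and below I repost articles giving the views of several industry insiders. Does VMware intend to build and maintain an ecosystem of security products based on VMware virtualization, or does it intend to dominate this market? How will competition and cooperation between VMware and the other big security players unfold?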
1) vShield, Cloud Computing, and the Security Industry
Thursday September 1, 2011
By Jon Oltsik of ESG
As VMworld winds down today, several security vendors including BitDefender, Catbird, Lumension, McAfee, Sophos and Symantec announced their intentions to work with VMware as a security partner or integrate with VMware vShield APIs. These vendors join Trend Micro, a company that bet on vShield integration and is clearly benefiting from this decision.
I spoke to VMware before the big event–good thing, since Hurricane Irene kept me from making it to Las Vegas. Given its focus on virtualization and cloud computing, VMware understands that if workloads are to be cloud-ready and mobile, then security must become a virtual service. In other words, each VM needs to have security properties assigned to it, and the cloud has to be able to understand, enforce, and monitor security controls on each and every VM regardless of where it resides at any given moment.
Let’s face it: traditional security tools based upon physical systems, IP addresses, network segmentation, and static rules just won’t cut it in the cloud. We need a new model, and VMware is developing security technologies to get there.
So why aren’t more security vendors jumping on the bandwagon? Many of them look at vShield as a potentially competitive security product, not just a set of APIs. In a recent Network World interview, Allwyn Sequeira, VMware’s chief technology officer of security and vice president of security and network solutions, admitted that the vShield program in many respects “does represent a challenge to the status quo” and that sometimes new ideas may be “viewed with suspicion” (see Ellen Messmer’s article here). This confusion is amplified by the fact that vShield does provide its own security services (firewall, application layer controls, etc.) in some cases. In the future, VMware plans to work with RSA Security to introduce DLP functionality into vShield as well.
VMware has its own agenda: tightly integrate security services into vSphere and vCloud to continue to advance these platforms. Nevertheless, VMware’s role in virtualization/cloud and its massive market share can’t be ignored. So here’s a compromise I propose:
- Security vendors should become active VMware/vShield partners, integrate their security solutions, and work with VMware to continue to bolster cloud security. Since there is plenty of non-VMware business out there, the best heterogeneous platforms will likely win.
- VMware must make clear distinctions among APIs, platform planning, and its own security products (will it?). For example, if a large VMware shop wants to implement vShield for virtual security services but has already decided on Symantec (Vontu) or McAfee DLP, it should have the option for interoperability with no penalties (i.e., loss of functionality, pricing/support premiums, etc.).
This seems like a worthwhile “win-win,” as that old tired business cliche goes. Heck, customers would win too as they already have non-VMware security tools in place. VMware will still sell loads of vShield product and the security industry becomes an active champion instead of a suspicious player in another idiotic industry concept, “coopetition” (cooperative competition). The sooner that VMware and the security industry pass the peace pipe around, the better for everyone.
2) The view of someone from Juniper
A big point of confusion is that vShield simultaneously describes both an ecosystem program and a set of products that is actually more than just anti-malware capabilities which is where the bulk of integration today is placed.
Analysts and journalists continue to miss the fact that “vShield” is actually made up of 4 components (not counting the VMsafe APIs):
- vShield Edge
- vShield App
- vShield Endpoint
- vShield Manager
What most people often mean when they refer to “vShield” are the last two components, completely missing the point that the first two products — which are now monetized and marketed/sold as core products for vSphere and vCloud Director — basically make it very difficult for the ecosystem to partner effectively since it’s becoming more difficult to exchange vShield solutions for someone else’s.
An important reason for this is that VMware’s sales force is incentivized (and compensated) on selling VMware security products, not the ecosystem’s — unless of course it is in the way of a big deal that only a partnership can overcome. This is the interesting juxtaposition of VMware’s “good enough” versus incumbent security vendors “best-of-breed” product positioning.
VMware is not a security or networking company and ignoring the fact that big companies with decades of security and networking products are not simply going to fade away is silly. This is true of networking as it is security (see software-defined networking as an example.)
Technically, vShield Edge is becoming more and more a critical piece of the overall architecture for VMware’s products — it acts as the perimeter demarcation and multi-tenant boundary in their Cloud offerings and continues to become the technology integration point for acquisitions as well as networking elements such as VXLAN.
As a third party tries to “integrate” a product which is functionally competitive with vShield Edge, the problems start to become much more visible and the partnerships more and more clumsy, especially in the eyes of the most important party privy to this scenario: the customer.
...
Firstly, that’s not entirely accurate regarding firewall options. Cisco and Juniper both have VMware-specific “firewalls” on the market for some time; albeit they use different delivery vehicles. Cisco uses the tightly co-engineered effort with the Nexus 1000v to provide access to their VSG offering and Juniper uses the VMsafe APIs for the vGW (née Altor) firewall. The issue is now one of VMware’s architecture for integrating moving forward.
Cisco has announced their forthcoming vASA (virtual ASA) product which will work with the existing Cisco VSG atop the Nexus 1000v, but this isn’t something that is “open” to the ecosystem as a whole, either. To suggest that the existing APIs are “open” is inaccurate and without an API-based capability available to anyone who has the wherewithal to participate, we’ll see more native “integration” in private deals the likes of which we’re already witnessing with the inclusion of RSA’s DLP functionality in vShield/vSphere 5.
3) VMware strives to expand security partner ecosystem
Article from NetworkWorld
August 31, 2011 03:17 PM ET
Along with technical issues, there are political implications to the vShield approach for security vendors with a large installed base of customers as the vShield program asks for considerable investment in time and money to develop what are new types of security products under VMware's oversight, plus sharing of threat-detection information with vShield Manager in a middleware approach.