VMware Business Infrastructure Virtualization: Beyond Virtual Machines & Servers

VMware vShield App 5 with Data Security
Protect Applications from Network-Based Attacks and Discover Sensitive Data

VMware vShield App

VMware Licensing
VMware vShield
VMware vShield App 5 with Data Security (25VM pack)
- Note: Purchase of SnS is required! Includes 25 VMs of vShield App and 25 VMs of Data Security.
#VS-APP-BUN-C
List Price: $5,000.00
Our Price: $4,500.00

More pricing below.

Overview:

VMware vShield™ App with Data Security, part of the VMware vShield family of virtualization security products, protects applications and data in the virtual datacenter from network-based attacks. Organizations gain visibility and control over network communications between virtual machines. The product also scans within virtualized workloads for sensitive data, such as credit card information, and reports violations of regulations (such as PCI-DSS), enabling IT organizations to quickly assess the state of compliance with regulations from around the world. Also included is VMware vShield Endpoint, which offloads antivirus file scanning, minimizing antivirus "storms."

Key Benefits

  • Increase visibility and control over network communications between virtual machines.
  • Reduce the risk of noncompliance through visibility into sensitive data stored in virtual machines.
  • Eliminate the need for dedicated hardware and VLANs to separate security groups from one another.
  • Optimize hardware resource utilization while maintaining strong security.
  • Simplify compliance with comprehensive logging of all virtual machine network activity.

VMware vShield App with Data Security
vShield App with Data Security enables granular policy enforcement using security groups.

What is vShield App with Data Security?

vShield App with Data Security is a hypervisor-based application-aware firewall solution for virtual datacenters. It provides dynamic discovery of sensitive data, such as credit card information, that might be stored in files of unstructured data resident in virtual machine containers. Administrators can meet regulatory compliance audits by using this product to scan data centers, clusters or resource pools for the presence of sensitive data.

The product plugs directly into VMware vSphere® to protect against internal network-based threats and reduce the risk of policy violations within the corporate security perimeter. To accomplish this, the product uses application-aware firewalling with deep packet inspection and connection control based on source and destination IP addresses.

It also simplifies policy control by enabling IT to rapidly create business-relevant security groups, and its flow-monitoring controls help IT analyze virtual machine network traffic and dynamically enforce security group policies. Administrators can centrally manage vShield App with Data Security through the included vShield Manager console, which integrates seamlessly with VMware vCenter™ Server to facilitate unified security management for virtual datacenters.

The product also eliminates dependence on hardware and legacy controls such as VLANs, reducing hardware and policy sprawl; the result is cost-effective and goes beyond the limitations of physical security.

How Does vShield App with Data Security Work?

The product provides an administrator console for managing sensitive data discovery policies. Administrators form a policy by selecting applicable regulations to scan across target virtual machine containers—datacenters, clusters and resource pools. Files to scan can be further filtered by file extension, size or date modified. Scan output can identify datacenters, clusters, virtual machines and filenames that are not compliant with the selected policies. Administrators can use Representational State Transfer (REST) APIs to remediate noncompliant files.

vShield App with Data Security installs on each vSphere host, controlling and monitoring all network traffic on the host, even for packets that never cross a physical network interface card (NIC). The product can create and enforce policies based on administrator-defined, business-relevant security groups instead of physical boundaries or static assumptions about application deployments. It also provides a centralized interface that leverages vCenter Server to consistently apply these policies across multiple vSphere hosts in the virtual datacenter.

How is vShield App with Data Security Used?

  • Meet compliance audits of data on virtualized hosts – Using REST APIs, administrators can manually or programmatically perform scans to validate compliance with selected policies.
      • Supplied templates are selected by the administrator to form a policy, which is then applied against the specific virtualized resources to be scanned.
      • Output from scans for sensitive data is placed in a report that can be used to identify and quarantine non-compliant virtual machines.
  • Provide application aware protection – Administrators can define and enforce granular policies for all traffic that crosses a virtual NIC, increasing visibility over internal virtual datacenter traffic while helping to eliminate detours to physical firewalls.
  • Maintain change-aware protection – Firewall protection is continuous as virtual machines migrate from host to host, helping to ensure that network topology changes do not impact application security.
  • Efficiently manage dynamic policies – Administrators have a rich context for defining and refining internal firewall policies as business needs evolve over time.
  • Reduce botnet risks – Security administrators can protect against botnets and other attacks by dynamically allocating ports to trusted applications.
  • Control access to shared resources – Security administrators can restrict access to shared services such as storage and backup on vSphere hosts according to IP address.
  • Accelerate IT compliance – Visibility and control over virtual machine network security increases, and logging and auditing controls enable enterprises to demonstrate compliance with internal policies and external regulatory requirements.

Key Features:

Sensitive Data Discovery

  • Policy Management console lets administrators select regulations to be used in compliance scans.
  • Organizations can choose from more than 80 templates of regulations, such as PII (personally identifiable information), PCI-DSS cardholder data and PHI (protected health information), from around the world (North America, EMEA, Asia-Pacific).
  • Output report identifies which scanned resources contain data that violates selected compliance regulations.
  • Functionality can be programmed using REST APIs or the operator console.
  • Infected virtual machines are quarantined and remediated through VMware vCenter Configuration Manager.

Firewalls

  • Hypervisor-level firewall provides inbound and outbound connection control enforced at the virtual NIC level through hypervisor inspection, supporting multihomed virtual machines.
  • Layer 2 firewall (also known as a transparent firewall) protects against multiple types of attacks, such as password sniffing, DHCP snooping, and Address Resolution Protocol (ARP) spoofing or poisoning attacks. It also provides complete isolation of SNMP traffic.
  • Protection can be enforced according to network, application port, protocol type (TCP, UDP) or application type.
  • Protection is dynamic as virtual machines migrate.
  • IP-based stateful firewall and application layer gateway supports a broad range of protocols, including Oracle, Sun Remote Procedure Call (RPC), Microsoft RPC, LDAP and SMTP. The gateway improves security by opening sessions (ports) only as needed. For a complete list of supported protocols, see the VMware vShield Administration Guide.

Flow Monitoring

  • Administrators can observe network activity between virtual machines to help define and refine firewall policies, identify botnets, and secure business processes through detailed reporting of application traffic (application, sessions, bytes).

Security Groups

  • Administrators can define business-relevant groupings of any virtual machines by their virtual NICs.

Policy Management

  • vShield Manager provides control of product features, many of which are also accessible through the vCenter Server interface.
  • Administrators can enforce policies on security groups, vCenter Server groupings and the TCP 5-tuple (source IP, destination IP, source port, destination port, protocol).
  • REST APIs provide a programmable interface for management and policy enforcement.
  • The product supports integration with enterprise security management tools.

IP Addressing

  • Flexible IP addressing includes the ability to use the same IP address in multiple tenant zones to simplify provisioning.

Logging and Auditing

  • Logging is based on industry-standard syslog format.
  • REST APIs and vShield Manager provide access to logging and auditing tools.
  • Administrators can turn firewall logging on or off at the individual rule level.

VMware vShield App with Data Security FAQs:

Which existing VMware products are compatible with VMware vShield App?

vShield App is compatible with:

  • (Required) vSphere 4.1 (including ESX, ESXi 4.1, 4.0), 5.0
  • vCenter Server 4.0, 4.1, 5.0
  • vShield Edge 1.0, 5.0
  • vShield Endpoint 1.0, 5.0

Is vShield App compatible with earlier versions of VMware ESX (3.0, 3.5) and VMware vCenter (2.5)?

vShield App is not compatible with these earlier versions of VMware ESX and VMware vCenter. Customers are encouraged to upgrade to current versions of VMware vCenter and VMware vSphere (including ESX 4.0, 4.1) to benefit from security and other advanced virtual datacenter management capabilities.

What are the main use cases for vShield App?

The key use cases for the vShield App product are:

  • Identify sensitive data
  • Protect every VM from hackers and malware
  • Create trust zones to segment applications

Enterprises that deploy production and development applications in a shared infrastructure must comply with industry regulations and corporate policies, which requires:

  • Traffic segmentation between applications
  • Strict monitoring and enforcement of rules on inter-VM communications
  • Ability to maintain security policies with VM movement
  • Compliance to various audit requirements

What is the relationship between vShield Edge and vShield App?

While both products provide virtual network firewall capabilities, their implementations are different and address different use cases. vShield Edge creates a barrier between resources in a virtual datacenter and untrusted networks, such as other virtual datacenters in the same private cloud. In contrast, vShield App controls traffic between virtual machines AND between the virtual and physical datacenters. The following table summarizes key differences between the two products.

Attribute | vShield Edge | vShield App
Purpose | Secure traffic between the virtual data center and untrusted networks | Secure traffic between virtual machines within a single vSphere host
Deployment | Virtual appliance | Loadable kernel module (hypervisor level)
Features: | |
Security | Firewall, VPN | Firewall
Firewall | Stateful, IP-based, 5-tuple* | Application-based, 5-tuple plus use of Security Groups
NAT, DHCP services | Yes | No
Availability | Load balancing across VMs | No
Use cases: | |
Site-to-site VPN to connect partners | Yes | No
Multi-tenant hosting service | Yes | No
Securing business-critical applications | No | Yes

* A 5-tuple is defined as the combination of source IP address, destination IP address, source port, destination port and protocol.

How are vShield App and VMware vShield Endpoint related?

Both vShield App and VMware vShield Endpoint protect vSphere-based virtual machines. vShield App is a self-contained solution that provides visibility and control over network communications between virtual machines. vShield App with Data Security also includes vShield Endpoint. vShield Endpoint is an enabling technology used in conjunction with third-party endpoint security solutions. This technology enables the offload of anti-virus processing from workload virtual machines to a dedicated security virtual machine. Please read the respective datasheets for these products for more information.

What are the similarities and differences between the various VMware security solutions?

There are four solutions for virtualized network security on vSphere-based environments:

  • vShield App
  • vShield App with Data Security
  • vShield Edge
  • vShield Endpoint

The following table summarizes a comparison of key features for these products:

Feature | vShield Edge | vShield App | vShield App with Data Security | vShield Endpoint
Deployment method | Per port group | Per host | Per host | Per host
Enforcement | Between virtual datacenter and untrusted networks | Between virtual machines | Between virtual machines | Within the guest virtual machine
Anti-virus, anti-malware | No | Yes | Yes | Yes
Site-to-site VPN | Yes | No | No | No
NAT, DHCP services | Yes | No | No | No
Load balancing | Yes | No | No | No
Sensitive data discovery | No | No | Yes | No
Stateful firewall | Yes | Yes | Yes | No
Change-aware | Yes* | Yes | Yes | No
Hypervisor-based firewall | No | Yes | Yes | No
Application firewall | No | Yes | Yes | No
Flow monitoring | No | Yes | Yes | No
Groupings for policy enforcement | Only 5-tuple** based policies | 1) 5-tuple; 2) Security Groups: resource pools, folders, containers and other vSphere groupings | 1) 5-tuple; 2) Security Groups: resource pools, folders, containers and other vSphere groupings | Any available vCenter groupings for virtual machines

* Edge security and services are maintained within the host where the edge appliance is deployed. If the virtual appliance were moved to another host, the edge security policies would need to be updated.

** A 5-tuple is defined as the combination of Source IP address, Destination IP address, Source Port, Destination port, protocol.

Support:

VMware Production Support & Subscription

Technical Support, 24 Hour Sev 1 Support -- 7 days a week.

Focused, 24-Hour Support For Production Environments

  • Global, 24x7 support for Severity 1 issues
  • Fast response times for critical issues
  • Unlimited number of support requests
  • Remote Support
  • Online access to documentation and technical resources, knowledge base, discussion forums
  • Product updates and upgrades

Overview

VMware Production Support is designed with your production environments in mind. Our global support centers are staffed around the clock to provide you access to our industry-leading expertise in virtualization and years of experience supporting virtual infrastructure products in real-world customer environments. We are committed to delivering enterprise-class, worldwide support with a single objective in mind: your success.

VMware Basic Support & Subscription Service

Technical Support, 12 Hours/Day, per published Business Hours, Mon. thru Fri.

Weekday Support for Test, Dev and Non-Critical Deployments

  • Global, 12x5 access to support
  • Unlimited number of support requests
  • Remote Support
  • Online access to documentation and technical resources, knowledge base, discussion forums
  • Product updates and upgrades

Overview

VMware Basic Support is designed for non-critical applications and platforms that require support during normal business hours. Our global support centers have been strategically placed to provide you with fast and efficient access to the support center in your region. Each center is staffed with engineers that can provide industry-leading expertise in virtualization and years of experience supporting virtual infrastructure products in real-world customer environments. We are committed to delivering enterprise-class, worldwide support with a single objective in mind: your success.

Feature | Production Support | Basic Support
Hours of operation | 24 Hrs/Day, 7 Days/Wk, 365 Days/Yr (1) | 12 Hrs/Day, Mon–Fri (1)
Length of service | 1 or 3 years | 1 or 3 years
Product updates | Yes | Yes
Product upgrades | Yes | Yes
Products supported | All products (excluding VMware Fusion and Player) | All products (excluding VMware Fusion and Player)
Method of access | Telephone/Web | Telephone/Web
Response method | Telephone/Email | Telephone/Email
Remote support | Yes | Yes
Access to VMware Web site | Yes | Yes
Access to VMware Discussion Forums and Knowledge Base | Yes | Yes
Max number of support admins per contract | 6 | 4
Number of support requests | Unlimited | Unlimited

Target Response Times

Severity | Production Support | Basic Support
Critical (Severity 1) | 30 minutes or less: 24x7 | 4 business hours
Major (Severity 2) | 4 business hours | 8 business hours
Minor (Severity 3) | 8 business hours | 12 business hours
Cosmetic (Severity 4) | 12 business hours | 12 business hours

Business Hours

Region | Production Support | Basic Support
All regions | Monday - Friday | Monday - Friday
North America and Latin America | 6 a.m. to 6 p.m. (local time zone) | 6 a.m. to 6 p.m. (local time zone)
Alaska, Hawaii | 6 a.m. to 6 p.m. (PST/PDT) | 6 a.m. to 6 p.m. (PST/PDT)
South America (NASA) | 6 a.m. to 6 p.m. (EST/EDT) | 6 a.m. to 6 p.m. (EST/EDT)
Europe, Middle East, Africa (EMEA) | 7 a.m. to 7 p.m. (GMT/GMT+1) | 7 a.m. to 7 p.m. (GMT/GMT+1)
Asia, Pacific Rim, Japan (APJ) | 8:30 a.m. to 8:30 p.m. (Singapore Time) | 8:30 a.m. to 8:30 p.m. (Singapore Time)
Australia/New Zealand | 7 a.m. to 7 p.m. (Sydney AET) | 7 a.m. to 7 p.m. (Sydney AET)

(1) Hours of operation for Gemstone are Monday - Friday, 8 a.m. to 5 p.m. (PST/PDT) globally.
(1) Hours of operation for VMware Go Pro and vCenter Protect products are 7 a.m. to 7 p.m. (CST/CDT), except holidays.
(1) Hours of operation for VMware IT Business Management and IT Financial Management are 8 a.m. to 5 p.m. (EST/EDT/GMT), except holidays.
(1) Hours of operation for Socialcast are 6 a.m. to 6 p.m. (PST/PDT).

Documentation:

  • Download the VMware vShield App Datasheet (PDF).
  • Download the VMware vShield Brochure (PDF).

VMware Support
VMware vShield App with Data Security (25 VM Pack) Support and Subscription
VMware vShield App with Data Security (25 VM Pack) Basic Support/Subscription, 1 Year #VS-APP-BUN-G-SSS-C
Our Price: $1,051.00
VMware vShield App with Data Security (25 VM Pack) Basic Support/Subscription, 3 Years #VS-APP-BUN-3G-SSS-C
Our Price: $2,774.64
VMware vShield App with Data Security (25 VM Pack) Production Support/Subscription, 1 Year #VS-APP-BUN-P-SSS-C
Our Price: $1,251.00
VMware vShield App with Data Security (25 VM Pack) Production Support/Subscription, 3 Years #VS-APP-BUN-3P-SSS-C
Our Price: $3,302.64