Saturday, 07 June 2008

Recycling Security Technology

Remember when IDS was supposed to be dead? I thought it was funny to see the very same inspection technologies that concentrated on inbound traffic suddenly turned around to watch outbound traffic. Never mind that the so-called "IPS" that rendered the "IDS" dead used the same technology. Now, thanks to VMware VMsafe APIs, vendors looking for something else to do with their packet inspection code can watch traffic between VMs, as reported by the hypervisor.

We've seen Solera, Altor, and others jump into this space. It's popular and helpful to wonder if having the ability to monitor traffic on the ESX server is a feature or product. I consider it a feature. The very same code that can be found in products from Sourcefire and other established players is likely to be much more robust than something a startup is going to assemble, assuming the startup isn't using Snort anyway! Once the traditional plug-into-the-wire vendors hear of this requirement from their customers, they will acquire or more likely squash any "pure virtualization" bit players. Traffic collected via VMsafe will just be another packet feed.

Although I am a big fan of visibility, it seems a little disheartening to think we must resort to adding a packet inspection product to VMware in order to determine if the VMs are behaving -- never mind the fact that the hypervisor itself could be compromised and omitting traffic sent to the VM-based network inspection product. Sigh.
