My Thoughts About VMware vShield Data Security

VMware this summer released a new addition to their vShield family of security products – vShield App with Data Security. Its purpose is to discover sensitive data in the VMs and thus enabling of the assessment of organization’s compliance with regulations such are PCI-DSS (Payment Card Industry Data Security Standards). In other words vShield Data Security is DLP (Data Loss Protection) solution which scans files in the virtual machines for a known patterns (credit card numbers, social security numbers, etc.). It is very similar to an antivirus solution.

I am posting some of my findings from the testing of vShield Data Security to help others to evaluate it.

  • Although Data Security is bundled with vShield App and is called vShield App with Data Security technically it does not use vShield App infrastructure at all and is very similar to vShield Endpoint antivirus solution. It also relies on EPSEC framework where files are passed from VM via loadable kernel module to Endpoint security appliance which does the actual scanning. Data Security relies on RSA licensed code to do the scanning.
  • The installation must be done in the following steps:
    • vShield Manager appliance must be installed. This is a common management component for the whole vShield product family and is delivered as OVA virtual appliance. There must be one vShield Manager per vCenter. It has 1 CPU and 3MB RAM and should be HA or better FT protected. It can be managed via web UI and also integrates with vCenter. The current version that supports Data Security is VMware-vShield-Manager-5.0.0-473791.ova.
    • Each host running virtual machines that will be scanned has to be prepared by installing the EPSEC kernel module. This does not require host restart nor maintenance mode. It is done from vSphere client by clicking on the host, then selecting the vShield tab and installing the vShield Endpoint service. It must be done manually for each host.
    • vShield Data Security endpoint appliance is deployed next. It is done similarly to the previous step again from the host vShiled tab by installing vShield Data Security service. It is a 1 CPU 512 MB RAM virtual machine. There must be one service VM per each participating host. The service VM does not migrate to other hosts and can be installed on local storage. It has two NICs, one for communication with vShield Manager (it needs IP management address) and one for standard virtual switch used for communication with vmkernel which is created automatically. This switch is also used for vShield App service machines or other Endpoint (antivirus) machines if they exist on the hosg.
    • All the guest VMs that will be scanned by Data Security endpoints need a vShield driver. This vShield driver is included in VMware Tools released in September ESXi5.0 update (Patch Release ESXi500-201109001). I am scratching my head here as why is VMware not releasing the driver as a separate download. vShield Data Security is compatible with ESX(i) 4.1 and there has been no VMware Tools update with vShield driver released as of now. As a VMware employee I have access to internal VMware Tools builds and was able to download the most recent build that contained the driver. The other way is to download vSphere ESXi5, install it (for example in VMware Workstation), upload the patch or better just the VMware Tools VIB (unziped from the patch) to accessible datastore and from CLI install it (~ # esxcli software vib install -v /vmfs/volumes/Local_Datastore/VMware_locker_tools-light_5.0.0-0.3.474610.vib). The upgraded VMware Tools can then be found in one of the other local volumes. Following command copies the tools to Local Datastore from which it can be retrieved with vSphere Client (replace the x)

      ***edit 11/10/2011 The vib can be openned and extracted in 7zip. So just rename the *.vib to *.7 and then extract the windows.ISO file.

      ~ # cp /vmfs/volumes/xxxxxxxx-xxxxxxxx-xxxx-xxxxxxxxxxxx/packages/5.0.0/vmtools/windows.iso /vmfs/volumes/Local_Datastore/

    • Now global scanning policies can be set with vSphere client by clicking Datacenter, vShield tab, Data security, Policy. They consist of what patterns to look for categorized by Regulations (e.g. EU Debit Card Numbers), which datacenters, clusters or resource pools to exclude, and which files to scan (list of extensions). The policy must be published after the editing is finished.
    • Now the scanning can be started from the same page.
  • The scanning process runs only once, sequentially one VM per host. There is no way to see the progress other then to go to Task & Events > Events of each VM and to look for “vShield Data Security scan started / ended on the VirtualMachine” message.
  •  If a file with sensitive information is found no action is taken other than it is included in Violation Counts report (number of violating files per regulation) and Violating Files  report, which contains exact file location and can be downloaded as csv.
  • Although scanning is reported as “In Progress”, once all the machines are scanned nothing is scanned anymore until a new VM is added or the policy is changed and published. There is no way to schedule the scans other than using REST API scripts.
  • Things I would like to see to improve in future releases:
    • enterprise features such are easier bulk deployment of the kernel module and endpoint appliance, centralized logging, scheduler, reporting tool
    • more granular selection of VMs to be scanned
    • definition of actions based on scanning results
    • more visibility into scanning process
    • on demand scanning of accessed files
    • vmdk offline scanning of turned off VMs

3 thoughts on “My Thoughts About VMware vShield Data Security

  1. Thanks Tom,

    the install process was a bit cumbersome.

    1. it also needs more documentation on policies specifically custom account numbers, examples, etc… for example, 10 digit numbers…do we put in XXXXXXXXXX or 1234567890 to help it find these account numbers on the VM’s?

    2. and to allow us to access the CLI (there is no username/password that we know of) and edit the dns hostname of the vShield Endpoint Virtual Appliance for each esxi host, you can change but if the appliance is rebooted, it loses the settings and reverts back to localhost.localdom, so allowing CLI access would allow us to edit the appropriate files so the hostname will stick OR have vmware fix the network settings macro from the blue screen.

    3. Real-time monitoring would be nice too but that might be a stretch/cpu hog.

    4. email alerts

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s