Protect applications in the virtual datacenter from network-based threats with VMware vShield App, part of the VMware vShield family. Get deep visibility into network communications and enforce granular policies with security groups. Eliminate hardware and policy sprawl with a cost-effective solution that offers better-than-physical security.
- Increase visibility and control over network communications between virtual machines
- Eliminate the need for dedicated hardware and VLANs to separate different security groups
- Optimize hardware resource utilization while maintaining strong security
- Simplify compliance with comprehensive logging of all virtual machine network activity
VMware vShield App FAQs
1. Which existing VMware products are compatible with VMware vShield App?
vShield App is compatible with:
- (Required) vSphere 4.1 (including ESX, ESXi 4.1, 4.0), 5.0
- vCenter Server 4.0, 4.1, 5.0
- vShield Edge 1.0, 5.0
- vShield Endpoint 1.0, 5.0
2. Is vShield App compatible with earlier versions of VMware ESX (3.0, 3.5) and VMware vCenter (2.5)?
vShield App is not compatible with these earlier versions of VMware ESX and VMware vCenter. Customers are encouraged to upgrade to current versions of VMware vCenter and VMware vSphere (including ESX 4.0, 4.1) to benefit from security and other advanced virtual datacenter management capabilities.
3. What are the main use cases for vShield App?
There are two key use cases for the vShield App product:
- Protect every VM from hackers and malware
- Create trust zones to segment applications
Enterprises must comply with industry regulations and corporate policies while running production and development applications on a shared infrastructure, which requires:
- Traffic segmentation between applications
- Strict monitoring and enforcement of rules on inter-VM communications
- Ability to maintain security policies with VM movement
- Compliance to various audit requirements
4. What is the relationship between vShield Edge and vShield App?
While both products provide virtual network firewall capabilities, their implementations differ and they address different use cases. vShield Edge creates a barrier between resources in a virtual datacenter and untrusted networks, such as other virtual datacenters in the same private cloud. In contrast, vShield App controls traffic between virtual machines and between the virtual and physical datacenters. The following table summarizes the key differences between the two products.
| Attribute | vShield Edge | vShield App |
|---|---|---|
| Purpose | Secure traffic between the virtual data center and untrusted networks | Secure traffic between virtual machines within a single vSphere host |
| Deployment | Virtual Appliance | Loadable Kernel Module (hypervisor level) |
| Features: Security | Firewall, VPN | Firewall |
| Features: Firewall | Stateful, IP-based, 5-tuple* | Application-based, 5-tuple plus use of Security Groups |
| Features: NAT, DHCP Services | Yes | No |
| Features: Availability | Load Balancing across VMs | No |
| Use Cases: Site-to-site VPN to Connect Partners | Yes | No |
| Use Cases: Multi-Tenant Hosting Service | Yes | No |
| Use Cases: Securing Business-Critical Applications | No | Yes |
* A 5-tuple is defined as the combination of Source IP address, Destination IP address, Source Port, Destination port, protocol.
5. How are vShield App and VMware vShield Endpoint related?
Both vShield App and VMware vShield Endpoint protect vSphere-based virtual machines. vShield App is a self-contained solution that provides visibility and control over network communications between virtual machines. vShield App also includes vShield Endpoint. vShield Endpoint is an enabling technology used in conjunction with third-party endpoint security solutions. This technology enables the offload of anti-virus processing from workload virtual machines to a dedicated security virtual machine. Please read the respective datasheets for these products for more information.
6. What are the similarities and differences between the various VMware security solutions?
There are four solutions for virtualized network security on vSphere-based environments:
- vShield App
- vShield App with Data Security
- vShield Edge
- vShield Endpoint
The following table summarizes a comparison of key features for these products:
| Feature | vShield Edge | vShield App | vShield App with Data Security | vShield Endpoint |
|---|---|---|---|---|
| Deployment Method | Per port group | Per host | Per host | Per host |
| Enforcement | Between virtual datacenter and untrusted networks | Between virtual machines | Between virtual machines | Within the guest virtual machine |
| Anti-virus, Anti-malware | No | Yes | Yes | Yes |
| Site-to-Site VPN | Yes | No | No | No |
| NAT, DHCP services | Yes | No | No | No |
| Load balancing | Yes | No | No | No |
| Sensitive Data Discovery | No | No | Yes | No |
| Stateful firewall | Yes | Yes | Yes | No |
| Change-Aware | Yes* | Yes | Yes | No |
| Hypervisor-based firewall | No | Yes | Yes | No |
| Application firewall | No | Yes | Yes | No |
| Flow Monitoring | No | Yes | Yes | No |
| Groupings for policy enforcement | Only 5-tuple** based policies | 1) 5-tuple; 2) Security Groups: resource pools, folders, containers and other vSphere groupings | 1) 5-tuple; 2) Security Groups: resource pools, folders, containers and other vSphere groupings | Any available vCenter groupings for virtual machines |
* Edge security and services are maintained within the host where the edge appliance is deployed. If the virtual appliance were moved to another host, the edge security policies would need to be updated.
** A 5-tuple is defined as the combination of Source IP address, Destination IP address, Source Port, Destination port, protocol.
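The two policy groupings compared in the tables above, 5-tuple rules and Security Group rules, behave differently when a VM moves or shares a subnet with a VM from another tier (the "maintain security policies with VM movement" and "traffic segmentation between applications" requirements from question 3). The following is an added illustration and not VMware code: it models a minimal first-match policy evaluator with both rule types, over a constructed inventory of three VMs. The VM names, addresses, group labels, port numbers and the default-deny behaviour are all assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class Flow:
    """One inter-VM connection attempt, identified by its 5-tuple."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


@dataclass(frozen=True)
class VM:
    """Inventory entry: the VM's current IP plus the vCenter groupings it belongs to."""
    name: str
    ip: str
    groups: frozenset


@dataclass(frozen=True)
class TupleRule:
    """5-tuple rule bound to addresses. None means wildcard; src/dst are CIDR strings."""
    action: str
    src: Optional[str] = None
    dst: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, f: Flow, inventory: Dict[str, VM]) -> bool:
        return (
            (self.src is None or ip_address(f.src_ip) in ip_network(self.src))
            and (self.dst is None or ip_address(f.dst_ip) in ip_network(self.dst))
            and self.src_port in (None, f.src_port)
            and self.dst_port in (None, f.dst_port)
            and self.proto in (None, f.proto)
        )


@dataclass(frozen=True)
class GroupRule:
    """Security Group rule: endpoints are resolved to VMs and matched on group membership."""
    action: str
    src_group: Optional[str] = None
    dst_group: Optional[str] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, f: Flow, inventory: Dict[str, VM]) -> bool:
        src_vm, dst_vm = inventory.get(f.src_ip), inventory.get(f.dst_ip)
        src_ok = self.src_group is None or (src_vm is not None and self.src_group in src_vm.groups)
        dst_ok = self.dst_group is None or (dst_vm is not None and self.dst_group in dst_vm.groups)
        return src_ok and dst_ok and self.dst_port in (None, f.dst_port) and self.proto in (None, f.proto)


Rule = Union[TupleRule, GroupRule]


def evaluate(flow: Flow, rules: List[Rule], inventory: Dict[str, VM]) -> str:
    """First matching rule wins; default deny is an assumption of this example."""
    for rule in rules:
        if rule.matches(flow, inventory):
            return rule.action
    return "deny"


def demo() -> Dict[str, str]:
    # Constructed inventory: a web tier and a database tier in separate resource pools,
    # plus a development VM that happens to share the web tier's subnet.
    web01 = VM("web01", "10.0.1.10", frozenset({"pool:web", "folder:prod"}))
    db01 = VM("db01", "10.0.2.10", frozenset({"pool:db", "folder:prod"}))
    dev01 = VM("dev01", "10.0.1.50", frozenset({"pool:dev"}))
    inventory = {vm.ip: vm for vm in (web01, db01, dev01)}

    # Same intent expressed two ways: "the web tier may reach the database on 3306/tcp".
    tuple_policy = [TupleRule("allow", src="10.0.1.0/24", dst="10.0.2.10/32", dst_port=3306, proto="tcp")]
    group_policy = [GroupRule("allow", src_group="pool:web", dst_group="pool:db", dst_port=3306, proto="tcp")]

    web_to_db = Flow(web01.ip, db01.ip, 51000, 3306, "tcp")
    dev_to_db = Flow(dev01.ip, db01.ip, 51001, 3306, "tcp")
    results = {
        "tuple/web->db": evaluate(web_to_db, tuple_policy, inventory),
        "tuple/dev->db": evaluate(dev_to_db, tuple_policy, inventory),  # subnet rule over-matches the dev VM
        "group/web->db": evaluate(web_to_db, group_policy, inventory),
        "group/dev->db": evaluate(dev_to_db, group_policy, inventory),  # dev VM is not in pool:web
    }

    # web01 is moved to another segment and re-addressed; its resource pool membership is unchanged.
    web01_moved = VM("web01", "10.0.3.10", web01.groups)
    inventory = {vm.ip: vm for vm in (web01_moved, db01, dev01)}
    moved_to_db = Flow(web01_moved.ip, db01.ip, 51002, 3306, "tcp")
    results["tuple/moved web->db"] = evaluate(moved_to_db, tuple_policy, inventory)  # address rule breaks
    results["group/moved web->db"] = evaluate(moved_to_db, group_policy, inventory)  # group rule follows the VM
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Running the script shows the two failure modes of address-bound policy side by side: the subnet-wide 5-tuple rule admits the development VM to the database, and it stops matching the web VM as soon as that VM is re-addressed, while the group rule denies the first flow and keeps allowing the second because it tracks vCenter membership rather than IP addresses.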
