Get basic protection from network-based threats in virtual datacenters with VMware vShield Zones, part of the VMware vShield family. The solution is included with VMware vSphere and offers an application firewall with policies based on basic traffic information.
- Get visibility and control over network communications between virtual machines
- Improve hardware resource utilization while implementing application security
- Simplify compliance with comprehensive logging of all virtual machine network activity
VMware vShield Zones FAQs
1. What VMware products are compatible with vShield Zones?
vShield Zones is compatible with:
- (Required) vSphere: 4.0 U1, 4.1 (including ESX, ESXi 4.1, 4.0), 5.0
- vCenter Server: 4.0, 4.1
2. Can vShield Zones be purchased separately from VMware vShield App?
Customers will often start with vShield Zones, as it is included with vSphere Advanced (and above), and then upgrade when they need more advanced policy enforcement for application security.
3. Can vShield Zones be upgraded to vShield App?
No. vShield Zones is managed by vShield Manager 1.0, which is not compatible with vShield App; vShield App uses vShield Manager 5.0.
4. If vShield Zones provides an application firewall, why would I need vShield App?
There are two main reasons for upgrading to vShield App:
- Simplified policy management through Security Groups, which allow administrators to define business-relevant groupings of any virtual machines by their virtual NICs
- A hypervisor-level firewall that provides extensive visibility into traffic between virtual machines
Security Groups, used in conjunction with the application firewall, enable any administrator – new or experienced – to read the firewall rules and determine which business or security policies they implement. For example, a business or security policy may mandate that no virtual machine in a VDI (VMware View) group can communicate with another virtual machine in the same group. Rather than identifying these machines by their IP addresses, a Security Group called VDI Users can be created and the firewall policies applied to that group.
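The difference between IP-based (5-tuple) rules and Security-Group rules described above, as an added toy model that is not VMware code: the VDI Users example policy is evaluated both ways, then one desktop is given a new IP address. The inventory, rule tuples and function names are constructed for illustration; the 5-tuple fields follow the page's own definition (source IP, destination IP, source port, destination port, protocol).

```python
"""Toy comparison of 5-tuple (IP-based) vs. Security-Group firewall policy.
Constructed example, not vShield code; 5-tuple as defined on the page."""
from collections import namedtuple

# Source IP, destination IP, source port, destination port, protocol.
Flow = namedtuple("Flow", "src_ip dst_ip src_port dst_port proto")

# Constructed inventory: VM name -> (current IP, Security Groups of its vNIC).
INVENTORY = {
    "vdi-01": ("10.0.1.11", {"VDI Users"}),
    "vdi-02": ("10.0.1.12", {"VDI Users"}),
    "file-01": ("10.0.2.5", {"Servers"}),
}

def match(pattern, value):
    return pattern == "*" or pattern == value

def five_tuple_policy(rules, flow, default="allow"):
    """Rules: (src_ip, dst_ip, src_port, dst_port, proto, action); '*' = any."""
    for *pattern, action in rules:
        if all(match(p, v) for p, v in zip(pattern, flow)):
            return action
    return default

def group_policy(rules, inventory, flow, default="allow"):
    """Rules: (src_group, dst_group, action). Membership is resolved from the live
    inventory at evaluation time, so a VM keeps its policy when its IP changes."""
    groups_of = {ip: groups for ip, groups in inventory.values()}
    src_groups = groups_of.get(flow.src_ip, set())
    dst_groups = groups_of.get(flow.dst_ip, set())
    for src_grp, dst_grp, action in rules:
        if src_grp in src_groups and dst_grp in dst_groups:
            return action
    return default

# The FAQ's policy: no VDI desktop may talk to another VDI desktop.
IP_RULES = [("10.0.1.11", "10.0.1.12", "*", "*", "*", "deny"),
            ("10.0.1.12", "10.0.1.11", "*", "*", "*", "deny")]
GROUP_RULES = [("VDI Users", "VDI Users", "deny")]

def evaluate(inventory):
    """Verdicts (5-tuple, group) for vdi-02 -> vdi-01 on 445/tcp."""
    flow = Flow(inventory["vdi-02"][0], inventory["vdi-01"][0], 50000, 445, "tcp")
    return five_tuple_policy(IP_RULES, flow), group_policy(GROUP_RULES, inventory, flow)

def readdress(inventory, vm, new_ip):
    """Give a VM a new IP (e.g. after a DHCP renewal); its groups are unchanged."""
    return {**inventory, vm: (new_ip, inventory[vm][1])}
```

With the original addresses both policies return deny; after `readdress(INVENTORY, "vdi-02", "10.0.1.99")` the IP-based rules no longer match and the flow is allowed, while the group rule still denies it.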
5. What are the similarities and differences between the various VMware security solutions?
There are four solutions for virtualized network security on vSphere-based environments:
- vShield App
- vShield App with Data Security
- vShield Edge
- vShield Endpoint
The following table summarizes a comparison of key features for these products:
| Feature | vShield Edge | vShield App | vShield App with Data Security | vShield Endpoint |
|---|---|---|---|---|
| Deployment Method | Per port group | Per host | Per host | Per host |
| Enforcement | Between virtual datacenter and untrusted networks | Between virtual machines | Between virtual machines | Within the guest virtual machine |
| Anti-virus, Anti-malware | No | Yes | Yes | Yes |
| Site-to-Site VPN | Yes | No | No | No |
| NAT, DHCP services | Yes | No | No | No |
| Load balancing | Yes | No | No | No |
| Sensitive Data Discovery | No | No | Yes | No |
| Stateful firewall | Yes | Yes | Yes | No |
| Change-Aware | Yes* | Yes | Yes | No |
| Hypervisor-based firewall | No | Yes | Yes | No |
| Application firewall | No | Yes | Yes | No |
| Flow Monitoring | No | Yes | Yes | No |
| Groupings for policy enforcement | Only 5-tuple** based policies | 1) 5-tuple; 2) Security Groups: resource pools, folders, containers and other vSphere groupings | 1) 5-tuple; 2) Security Groups: resource pools, folders, containers and other vSphere groupings | Any available vCenter groupings for virtual machines |

* Edge security and services are maintained within the host where the Edge appliance is deployed. If the virtual appliance were moved to another host, the Edge security policies would need to be updated.
** A 5-tuple is defined as the combination of source IP address, destination IP address, source port, destination port and protocol.
