保护引擎-VMware虚拟化技术详解

保护引擎虚拟化safe组件API通过检查与管理程序一起使用的虚拟组件来保护虚拟机将保护引擎与恶意软件隔离广泛的覆盖范围，包括虚拟机CPU、内存、存储器和网络应用程序操作系统*虚拟化VMSafe announced earlier in 2008, is a set of APIs that enable protection of VMs by a protection engine that : tWorks with the hypervisor to inspect a VM’s mem, cpu and storage from a higher privilege point tIs isolated from the malware tCovers all aspects of security – not limited to network or host.虚拟化VMSafe based products from our security partner ecosystem will work with虚拟化vSphere™ editions to provide higher levels of security than even physical systems. A number of partners have demo-ed prototypes of products that use VMSAfe to protect their environments. MORE DETAIL tSecurity solutions have an inherent problem. Protection engines are running in the same context as the malware they are protecting against and as a result, malware is able to subvert these engines by simply using the same hooks into the system as the protection engine. Worse, with Longhorn and Vista, Microsoft has enabled Patchguard, effectively eliminating the kernel hooks available to both the security solutions and the malware. While this helps, it doesn’t change the fact that malware and rootkits still exist and can run in those environments. The context that these security solutions need to protect against is also not limited to one set of interactions (e.g. attacks from the network and from spyware and from rootkits). Even those solutions that are in a safe context (outside the OS), they can’t see information from other contexts (e.g. network protection has no host visibility). tSecurity API’s built into the hypervisor allow for 2 key advantages: tBetter Context – Provide protection from outside the OS, from a trusted context tNew Capabilities – now they can view all interactions and contexts tNow, new security solutions can be developed and integrated within the虚拟化virtual infrastructure and we can protect the VM by inspection of virtual components (CPU, Memory, Network and Storage). Provides complete integration with VMotion, Storage VMotion, HA, etc. for any new security solution using the API’s. The end-result is an unprecedented level of security for VMs that’s better than the physical infrastructure. These API’s are already being made available to the security ISVs ecosystem. tWe utilize VC for role-based privileges to assign protection to any single VM and虚拟化certifies the solutions developed by our partners to ensure the security VM is created by a real security ISV and not a malicious hacker. tSome potential use cases: tAn AV virtual appliance that intercepts all storage IO and is able to scan files as they are read/written from disk. This can be done without loading an AV agent on each machine. tInline Network Security for each ESX host. Now you can ensure that ALL network IO traffic is inspected by an inline appliance, regardless of your virtual networking setup. This includes even inter-VM traffic and allows state to be transferred from host to host during VMotion so that the security protection is never lost.