VMware's secret security plan revealed

VMware has shown off a working prototype of “Project Goldilocks”, its long-hinted-at plan to develop a new approach to security. The new idea is inspired by the NSX network virtualisation product's ability to create network “microsegments”, isolated virtual networks walled off from the rest of the network in a “least privilege …

  1. A Non e-mouse

    Virus Checker

    I remember years ago VMware were talking about embedding a virus checker in the hypervisor to scan guests in real-time.

    I guess they couldn't keep the performance of that approach.

    1. Anonymous Coward

      Re: Virus Checker

      Or maybe that most servers don't need virus checking because they only allow admin logins, so there's no way for users to deliver viruses to them, so the utility of a virus checker that only works for VM guests is somewhat limited.

      It could be a win for a VDI server though, as there's no way a virus checker running on the hypervisor could be slower than running one in each of a thousand VMs.

    2. Lost_Signal

      Re: Virus Checker

      This was released years ago (vShield inspection, using the vShield API). It's largely been deprecated for new NSX-based introspection.

  2. P. Lee

    The real question is

    Why are hypervisor vendors the only ones at the party?

    Where is MS? Surely this is actually about application behaviour and should be managed by the OS?

    All those billions for so many years... and all we get is Windows 10?!

    1. thondwe

      Re: The real question is

      MS may be coming to this from the OS with "Desired State Configuration" - which is a more robust version of GPOs to nail a server to a specific config - presuming it'll alert when config drifts....

  3. Anonymous Coward

    Goodbye Symantec product then!

    Looks like we'll be able to dump their Data Center Security product (experiment) then which is great news. The overhead on our hosts should go way down as will the amount of B.S. we won't have to deal with from our ITS guys.

    Happy days!

  4. Anonymous Coward

    Does anyone know how this differs compared with grsecurity, AppArmor or SELinux? Sounds vaguely similar but based on the VM instead of the OS.

  5. tr1ck5t3r

    The beauty of switching on CPU virtualisation in the BIOS is DuQu can operate unhindered. The TinyOS core is only 64KB in size, hardly detectable by today's bloatware standards.

  6. Anonymous Coward

    Playing catch up?

    Didn't XenServer already release this feature via their DirectInspect APIs?

    Doesn't look as complete as the VMware screenshots, but seems to be along the same lines.

    https://www.citrix.com/blogs/2016/06/21/a-revolutionary-approach-to-advanced-malware-protection/

  7. g33k3ss

    I would like to see this

    As we're currently undergoing a massive Altor failure that at one point both blocked everything and then gave up and let everything through, this is very relevant to my (or our VM admin's) interests.

  8. Anonymous Coward

    I think this could be a very good thing

    Especially if vendors get on board and ship apps complete with "birth certificate" (or VMware builds them and allows you to download them) that you could import, so very little post hoc adjustment would need to be made.

    The best part is that you could integrate the updating of VMware's expected behavior with updating the documentation, so you would have documentation that actually represents the running state of an application/environment, instead of just what it was (hopefully) like when it was rolled out. And if someone didn't follow proper procedure when making a change, it would quickly become apparent from the alerts VMware would pop.

    It could even be used for discovery, i.e. if you need to map out the data flows of an application that has no documentation and no one left at the company who knows anything about it. Just look at the alerts VMware pops up, and keep adding them until it runs without generating new ones, and you'll at least have a pretty good idea of what talks to what during any phase you tested against. Since it would come for 'free' once you have this, it would save you a ton of money versus the very expensive software you have to buy that would produce the exact same output.

    1. Scott 26

      Re: I think this could be a very good thing

      @Doug Some kind of "mapping mode", would go a long way to help you learn an undocumented environment. I likey.
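The "mapping mode" described in the two comments above (learn an undocumented application's flows from alerts until no new ones appear, then use the learned set both as documentation and as the baseline that flags procedure-breaking changes) is easy to model. The following is an added example, not code from the article, from VMware or from any commenter: a learn-then-enforce flow allow-list over constructed key=value flow records. The record format, the host names and the `FlowPolicy` class are all assumptions made for this illustration, not a real product format or API.

```python
"""Learn-then-enforce allow-listing of VM-to-VM flows.

Added example modelling the thread's "mapping mode" idea. In learning mode every
unseen flow is an alert that is added to the policy; the policy has converged
when a pass over the traffic produces no new alerts. In enforcement mode unseen
flows are reported instead. Record format and host names are constructed.
"""
import re
from typing import List, NamedTuple, Set


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str


# Constructed record format for this example: "src=<vm> dst=<vm> dport=<n> proto=<tcp|udp>"
FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+proto=(\w+)")

# Constructed sample traffic captured while mapping the application.
BASELINE_LOGS = [
    "src=web01 dst=app01 dport=8443 proto=tcp",
    "src=app01 dst=db01 dport=5432 proto=tcp",
    "src=web01 dst=app01 dport=8443 proto=tcp",  # repeat of the first flow
    "src=app01 dst=ntp01 dport=123 proto=udp",
]

# Constructed sample traffic captured later, after an undocumented change.
LATER_LOGS = [
    "src=web01 dst=app01 dport=8443 proto=tcp",
    "src=app01 dst=db01 dport=22 proto=tcp",     # never seen during mapping
    "src=web01 dst=db01 dport=5432 proto=tcp",   # web tier bypassing the app tier
]


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record into a Flow tuple."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    src, dst, dport, proto = m.groups()
    return Flow(src, dst, int(dport), proto.lower())


class FlowPolicy:
    """Hypothetical learned allow-list of observed flows."""

    def __init__(self) -> None:
        self.allowed: Set[Flow] = set()

    def learn(self, lines: List[str]) -> List[Flow]:
        """Learning mode: every flow not yet allowed is an alert; add it and report it."""
        new: List[Flow] = []
        for line in lines:
            f = parse_flow(line)
            if f not in self.allowed:
                self.allowed.add(f)
                new.append(f)
        return new

    def learn_until_converged(self, lines: List[str], max_passes: int = 10) -> int:
        """Repeat learning passes until one produces no new flow; return passes used."""
        for n in range(1, max_passes + 1):
            if not self.learn(lines):
                return n
        raise RuntimeError("policy did not converge within max_passes")

    def enforce(self, lines: List[str]) -> List[Flow]:
        """Enforcement mode: report every flow the learned policy does not allow."""
        return [f for f in map(parse_flow, lines) if f not in self.allowed]

    def document(self) -> List[str]:
        """Render the learned policy as a sorted 'what talks to what' map."""
        return sorted(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}" for f in self.allowed)


if __name__ == "__main__":
    policy = FlowPolicy()
    passes = policy.learn_until_converged(BASELINE_LOGS)
    print(f"converged after {passes} passes; learned flows:")
    for line in policy.document():
        print("  " + line)
    print("flows outside the learned policy in later traffic:")
    for f in policy.enforce(LATER_LOGS):
        print(f"  ALERT {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

In practice each learning pass would be fed a fresh capture window rather than the same list, and the documentation output is only as complete as the phases exercised during mapping, which is exactly the caveat the original comment makes about testing every phase.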
