
I was particularly interested today when I read the latest press release from Catbird, which suggests that their new "HypervisorShield" is specifically designed to secure the hypervisor from network access and attack:
Catbird, provider of the only comprehensive security solution for virtual and physical networks, and developer of the V-Agent™ virtual appliance, today announced the launch of HypervisorShield™, the industry’s first dedicated comprehensive security solution specifically designed to guard against unauthorized hypervisor network access and attack.
The paragraph above seems to be talking about protecting the "hypervisor" itself from network-borne compromise which is very interesting to me for reasons that should be obvious at this point.
However, the following paragraph seems to refer to the "hypervisor management network," which I assume actually means the virtual interface of the management functions, such as VMware's service console. Are we talking about protecting the service console or the network functions provided by the VMkernel?
HypervisorShield, the latest service in Catbird’s V-Security product, extends best practice security protection to virtualization’s critical hypervisor layer, thwarting both inadvertent management error and malicious threats. Delivering continuous, automated 24x7 monitoring focused on the precise vulnerabilities, known attack signatures and guest machine access of the hypervisor management network, HypervisorShield is the only service to proactively secure this essential component of a virtualization deployment.
Here's where it gets a little more confusing because the wording seems again to suggest they are protecting the hypervisor itself -- or do they mean the virtual switch as a component of the Hypervisor?:
HypervisorShield is the first virtualized security technology which can monitor and control access to the hypervisor network, detect malicious network activity directed at the hypervisor from virtual machines and validate that the hypervisor network is configured according to best practices and site security policy.
...sounds like an IPS function that isolates VMs from one another, like Reflex and Blue Lane?
OK, but here's where it gets really interesting. Catbird is suggesting that they are able to "...see inside the hypervisor" which implies they have hooks and exposure to elements within the hypervisor itself versus the vSwitch plumbing that everyone has access to.
Via the groundbreaking Catbird V-Agent virtual appliance, protection is delivered within the virtual network itself. By contrast, traditional security solutions retrofitted for virtual deployments cannot see inside the hypervisor. Monitoring from the inside yields significantly more effective coverage and eliminates the need to reroute traffic onto the physical network for validation. As an example of the benefits of running right on the virtual subnet, HypervisorShield’s exclusive network access control (NAC) will instantly quarantine unauthorized devices on the management network.
They do talk about NAC from the VM perspective, which is something I've been advocating.
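Two of the claims quoted above are concrete enough to turn into a check: validating that the hypervisor management network is configured according to policy, and quarantining unauthorized devices found on it. The following is an added example, not Catbird's code and not a description of how HypervisorShield works; it audits a constructed, hypothetical host layout (port groups, VLANs and observed MAC addresses are all made up) for management/VM VLAN sharing and for unknown devices on the management port groups, which is the kind of policy-and-NAC check a defender would want regardless of which product delivers it.

```python
"""Added example (not from the original post or from Catbird): audit a constructed
hypervisor host's virtual-network layout against two best-practice rules.

  1. Management interfaces (service console / VMkernel) must not share a VLAN
     with any guest (VM) port group.
  2. Only allowlisted devices may sit on a management port group; anything else
     is reported for quarantine, the NAC behaviour the press release claims.

The host layouts below are constructed for illustration; they are not real
output from VMware or from any Catbird component.
"""

from dataclasses import dataclass, field


@dataclass
class PortGroup:
    name: str
    vlan: int
    role: str                                    # "management", "vmkernel" or "vm"
    devices: list = field(default_factory=list)  # MAC addresses observed on the port group


@dataclass
class VSwitch:
    name: str
    port_groups: list


MANAGEMENT_ROLES = {"management", "vmkernel"}


def _port_groups(switches, roles):
    """Flatten all port groups across the host's vSwitches, filtered by role."""
    return [pg for sw in switches for pg in sw.port_groups if pg.role in roles]


def find_vlan_sharing(switches):
    """Return (management_pg, vm_pg) name pairs that sit on the same VLAN."""
    mgmt = _port_groups(switches, MANAGEMENT_ROLES)
    guests = _port_groups(switches, {"vm"})
    return [(m.name, g.name) for m in mgmt for g in guests if m.vlan == g.vlan]


def find_unauthorized_devices(switches, allowlist):
    """Return MACs seen on management port groups that are not in the allowlist."""
    allowed = {mac.lower() for mac in allowlist}
    seen = {mac.lower()
            for pg in _port_groups(switches, MANAGEMENT_ROLES)
            for mac in pg.devices}
    return sorted(seen - allowed)


def audit(switches, allowlist):
    """Run both checks; an empty list for each key means the host passes."""
    return {
        "vlan_sharing": find_vlan_sharing(switches),
        "quarantine": find_unauthorized_devices(switches, allowlist),
    }


# Constructed weak layout: console, VMkernel and guests all on VLAN 10, plus an
# unknown device (…:99) attached to the service console port group.
WEAK_HOST = [VSwitch("vSwitch0", [
    PortGroup("Service Console", 10, "management",
              ["00:50:56:aa:00:01", "00:50:56:aa:00:99"]),
    PortGroup("VMkernel", 10, "vmkernel", ["00:50:56:aa:00:02"]),
    PortGroup("VM Network", 10, "vm", ["00:50:56:bb:00:01", "00:50:56:bb:00:02"]),
])]

# Constructed hardened layout: management traffic on its own VLANs and its own
# vSwitch, guests elsewhere, and only known devices on the management side.
HARDENED_HOST = [
    VSwitch("vSwitch0", [
        PortGroup("Service Console", 10, "management", ["00:50:56:aa:00:01"]),
        PortGroup("VMkernel", 20, "vmkernel", ["00:50:56:aa:00:02"]),
    ]),
    VSwitch("vSwitch1", [
        PortGroup("VM Network", 100, "vm", ["00:50:56:bb:00:01", "00:50:56:bb:00:02"]),
    ]),
]

# Constructed allowlist of management-side devices (mixed case on purpose).
ALLOWLIST = ["00:50:56:AA:00:01", "00:50:56:aa:00:02"]


if __name__ == "__main__":
    for label, host in (("weak", WEAK_HOST), ("hardened", HARDENED_HOST)):
        print(label, audit(host, ALLOWLIST))
```

The two checks are deliberately simple: the point is that "validate the hypervisor network against policy" and "quarantine unauthorized devices on the management network" are statements about the management port groups and VLANs of the virtual switch, not about the hypervisor kernel itself, which is exactly the distinction the post is asking Catbird to clarify.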
From Catbird's website we see some more detail regarding HypervisorShield which again introduces an interesting assertion:
How do you monitor the Hypervisor?
Securing a virtual host does not only involve applying the same security controls to virtual networks as were applied to their physical counterparts. Virtualization introduces a new layer of abstraction entirely—the Hypervisor. Hypervisor exploits have grown 35% in the last several years, with more surely on their way. Catbird’s patent-pending HypervisorShield protects and defends this essential component of a virtual deployment.
Really? Hypervisor exploits have grown 35% in the last several years? Which hypervisor exploits, exactly? You mean exploits against the big, fat, Linux-based service console from VMware? That's not the hypervisor!
I'm trying to give Catbird the benefit of the doubt here, but it is confusing as heck what exactly Catbird does (along with partnering with companies like SourceFire) that folks like Reflex and BlueLane don't already do.
If anyone, especially Catbird, has some clarification for me, I'd be mighty appreciative.
/Hoff