We are running vSphere vCenter and are migrating our ESX from 3.5 to 4 (like most others, I bet), and now have a new requirement from our security group, which they are hoping to fast-track this quarter. They like the Altor VF product, as they are comfortable with those guys being ex-Checkpoint propeller-head types, and it integrates with our current IDS gear. Altor's VF3 is also only 3-4 months out of beta and one of the only vendors using fast-path so far (maybe Reflex is doing it too?). I should say that I am responsible for keeping the infrastructure running and they are responsible for monitoring it. We seem to be at loggerheads here.
I have a huge problem with installing third-party software at the host kernel level in our very stable environment. I've been steering the decision-making toward the slow-path model instead. I'm very concerned that, although a VMsafe implementation is certified by VMware, there will be a divergence in kernel compatibility at some point in the future... in other words, at some point we will do our monthly ESX patching and there will be a kernel panic that will kill my clusters because the third-party software isn't certified with the newly patched ESX kernel. We are not big enough to have a "test cluster", and although we test ESX patching on our test ESX hosts, they are not clustered, and we've experienced cluster/HA problems just from ESX hosts at different patch levels in the past, although that has improved a lot.
I was hoping I could get a discussion going that makes me feel better about this decision. My instincts tell me to go with vShield Zones and see what VMsafe implementation VMware adopts for this product, but our security folks want something RIGHT NOW.
Advice? Even if the discussion is non-vendor specific I could use some help.