VMware Cloud Community
tlyczko
Enthusiast

Has anyone tried the HyTrust appliance community edition?

If you have tried it or if you use it, please tell me about it.

How does it compare to vShield Zones?

Thank you, Tom

2 Replies
AnatolyVilchins

That is all I can tell you:

VMware vShield Zones provides an inline firewall that sits between two different virtual switches, much like the older versions of the Altor and Reflex Systems products. vShield Zones is integrated directly into the VMware Distributed Switch, but at the same time has an external management interface, which makes it fairly difficult to configure. There is a rumour that this will change in future releases, however. For zone-to-zone firewalls this is a valuable tool, and it comes with Advanced or higher VMware vSphere licenses, which will account for its popularity.

The HyTrust product, on the other hand, approaches compliance from the management of the virtual machines by providing an access control gateway between virtualization management tools and the virtualization hosts. Their approach to compliance is to use tags attached to components of the virtual environment (vSwitches, VMs, hosts, etc.) and only allow those elements with like tags to be attached to each other. As an added bonus, the HyTrust product comes with a mechanism to apply one of the existing security standards and your own policies to a given virtualization host. While HyTrust can be bypassed in an emergency, the gateway is robust enough to handle requests made by the vSphere Client, vSphere SDK, VI SDK, PowerCLI, and SSH connections. HyTrust can also be used with VMware vSphere and Virtual Infrastructure 3. We may eventually see this tool be coded for XenServer and Hyper-V, as there are no real dependencies on a given virtualization host.

Starwind Software Developer
www.starwindsoftware.com

Kind Regards, Anatoly Vilchinsky
Texiwill
Leadership

Hello,

HyTrust and vShield Zones are TWO completely different products and devices.

HyTrust is a centralized Authentication/Authorization Appliance for use within the Virtualization Administration Network, so that you can control at a fine-grained level exactly what administrators can do on each ESX host, vCenter, etc. It is a proxy-type device that fits before your administrative service or management consoles; it is NOT a firewall. I.e.:

Outside <-> Firewall <-> Administrator VMs/Systems <-> HyTrust <-> Virtualization Administration Network Systems (vCenter, Service Consoles, Management Consoles, etc.)

vShield Zones is a generic zone-to-zone firewall that fits between virtual switches within your environment. I.e.:

vSwitch1 <-> vShield Zones <-> vSwitch2

vShield Zones does not provide the authentication/authorization control that HyTrust does, and HyTrust does not provide FW capability.

Two very different appliances, both useful, but very different.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available: 'VMware ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links
Virtualization Security Round Table Podcast (http://www.astroarch.com/wiki/index.php/Virtualization_Security_Round_Table_Podcast)

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
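As an added example, not part of the original thread and not HyTrust or VMware code: both replies describe an authorization proxy that sits between administrator tools and vCenter/ESX, admits a request only when the principal's role, the action, and the object tags line up, and (per the first reply) lets environment objects attach only to like-tagged objects. The sketch below models that decision logic in Python. The inventory, role names, principals, action names and the exact-match tag rule are assumptions made for illustration.

```python
"""Toy access-control gateway in the style the thread describes.

Added example, not HyTrust or VMware code. Each admin request is modelled as
(principal, action, target[, attach_to]) and is checked against role rules and
object tags before it would be forwarded to vCenter/ESX. All names, roles, tags
and rules here are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed inventory: object -> tags. A real gateway would learn this from
# vCenter; here it is hard-coded sample data.
INVENTORY = {
    "vm-pci-db01": frozenset({"pci"}),
    "vm-dev-web01": frozenset({"dev"}),
    "vswitch-pci": frozenset({"pci"}),
    "vswitch-dev": frozenset({"dev"}),
    "esx-pci-01": frozenset({"pci"}),
}

# Hypothetical roles: the actions each role may request.
ROLES = {
    "pci-admin": {"vm.poweron", "vm.poweroff", "vm.attach", "host.config"},
    "dev-admin": {"vm.poweron", "vm.poweroff", "vm.attach"},
    "auditor": {"vm.read", "host.read"},
}

# Hypothetical principals: role plus the tags the principal may administer.
PRINCIPALS = {
    "alice": ("pci-admin", frozenset({"pci"})),
    "bob": ("dev-admin", frozenset({"dev"})),
    "carol": ("auditor", frozenset({"pci", "dev"})),
}

# Actions that join two inventory objects and therefore need matching tags.
ATTACH_ACTIONS = {"vm.attach"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class Gateway:
    """Mediates every admin request; every decision is recorded for audit."""
    audit: list = field(default_factory=list)

    def authorize(self, principal, action, target, attach_to=None):
        decision = self._decide(principal, action, target, attach_to)
        self.audit.append((principal, action, target, attach_to, decision))
        return decision

    def _decide(self, principal, action, target, attach_to):
        if principal not in PRINCIPALS:
            return Decision(False, "unknown principal")
        role, scope = PRINCIPALS[principal]
        if action not in ROLES[role]:
            return Decision(False, f"role {role} may not perform {action}")
        if target not in INVENTORY:
            return Decision(False, f"unknown target {target}")
        target_tags = INVENTORY[target]
        # Scope check: the object's tags must all lie within the principal's
        # scope. An untagged object fails closed rather than matching everyone.
        if not target_tags or not target_tags <= scope:
            return Decision(False, f"{target} is outside {principal}'s scope")
        if action in ATTACH_ACTIONS:
            if attach_to not in INVENTORY:
                return Decision(False, f"unknown attach target {attach_to}")
            # Like-tags rule (assumption: exact match of tag sets), so a PCI VM
            # can never be attached to a dev vSwitch.
            if INVENTORY[attach_to] != target_tags:
                return Decision(
                    False,
                    f"tag mismatch: {target} {sorted(target_tags)} vs "
                    f"{attach_to} {sorted(INVENTORY[attach_to])}",
                )
        return Decision(True, "permitted")


def run_demo():
    """Constructed request stream; returns the gateway so the audit trail can be inspected."""
    gw = Gateway()
    gw.authorize("alice", "vm.attach", "vm-pci-db01", "vswitch-pci")  # allowed
    gw.authorize("alice", "vm.attach", "vm-pci-db01", "vswitch-dev")  # tag mismatch
    gw.authorize("bob", "vm.poweron", "vm-pci-db01")                  # out of scope
    gw.authorize("carol", "vm.poweroff", "vm-dev-web01")              # role lacks action
    gw.authorize("mallory", "host.config", "esx-pci-01")              # unknown principal
    return gw


if __name__ == "__main__":
    for principal, action, target, attach_to, d in run_demo().audit:
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{verdict} {principal:8}{action:13}{target} {attach_to or ''}: {d.reason}")
```

Two properties of the model are worth checking against any real gateway of this kind: it fails closed (an unknown principal, an untagged object or an unknown attach target is denied, never silently allowed), and it writes a decision record for every request, allowed or not, which is what makes the proxy useful for compliance evidence rather than just enforcement. The emergency bypass the first reply mentions is deliberately not modelled here.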