Zeroing in on vShield Endpoint and Edge features

VShield Endpoint and vShield Edge protect against different types of virtualization threats. Find out how both vShield products fit into VMware’s revamped security suite.

In mid-2010, VMware revamped vShield into a security suite that protects ESX-based and ESXi-based infrastructures. Part one of this vShield series covers vShield Manager, Zones and App. This installment of our series zeroes in on vShield Edge and Endpoint as well as vShield licensing costs.

VShield Edge
While VMware vShield Zones and App provide security within the virtual infrastructure, vShield Edge works at the edge of internal networks. It provides security and gateway services to isolated virtual machines, and its use cases include demilitarized zones, virtual private network (VPN) extranets, and perimeter security for multi-tenant cloud environments.

VShield Edge services include the following:

  • Network address translation (NAT). The NAT service hides the IP addresses of internal, private networks from the public network. NAT rules can be configured to allow access to services on privately addressed virtual machines (VMs).
  • Dynamic Host Configuration Protocol (DHCP). This setting supports IP address pooling and one‐to‐one static IP address allocation. Static IP address binding is based on the vCenter-managed object ID and interface ID of the requesting client.
  • Site-to-site VPN. Edge supports site-to-site Internet Protocol security (IPsec) VPN connections between Edge and remote sites. It supports pre-shared key mode and IP unicast traffic, with no dynamic routing protocol between vShield Edge and remote VPN routers. Behind each remote VPN router, you can configure multiple subnets to connect to the internal network behind vShield Edge through IPsec tunnels.
  • Web load balancing. VShield Edge provides load balancing for HTTP traffic. Load balancing (up to Layer 7) enables Web application auto-scaling. You can map an external (or public) IP address to a set of internal servers for load balancing. The load balancer accepts HTTP requests on the external IP address and decides which internal server to use.
  • Port group isolation. This service creates a barrier between the Edge-protected VMs and the external network. Port group isolation has the same effect as virtual local area networks, but without the complexity of trunking switch connections and defining switch port mappings.
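
To make concrete what the Web load balancing bullet means by "up to Layer 7," here is an added example in Python; it is not VMware's code and not a vShield Edge configuration. It models a balancer that owns one external IP, parses each incoming HTTP request, picks a backend from the pool for the requested hostname, and refuses anything that is not HTTP or has no pool. The external IP (203.0.113.10), hostnames, backend addresses and requests are constructed, and the round-robin scheduling and health-check skipping are illustrative assumptions, not a description of vShield Edge's own algorithm.

```python
"""Added example (not VMware code): a minimal Layer 7 HTTP load balancer
fronting privately addressed servers behind a single external IP.
All addresses, hostnames and requests below are constructed."""


def parse_http_request(raw: bytes):
    """Parse the request line and headers of an HTTP/1.x request.

    Returns (method, path, headers) with lower-cased header names, or None
    if the bytes are not a well-formed HTTP request. A Layer 4 balancer
    could not make this distinction; it only sees an IP/port tuple.
    """
    try:
        head, _, _body = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:               # header line without a colon: malformed
            return None
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


class L7Balancer:
    """Maps one external IP to per-hostname pools of internal servers and
    picks a healthy backend per request, round-robin (assumed policy)."""

    def __init__(self, external_ip, pools):
        self.external_ip = external_ip
        self.pools = {host: list(members) for host, members in pools.items()}
        self.down = set()                       # members failed by health checks
        self._next = {host: 0 for host in pools}

    def mark_down(self, backend):
        self.down.add(backend)

    def mark_up(self, backend):
        self.down.discard(backend)

    def choose_backend(self, raw_request):
        """Return the internal server for this request, or None to refuse it.
        The client only ever talks to self.external_ip; pool addresses stay
        private, which is the point of terminating the request at the edge."""
        parsed = parse_http_request(raw_request)
        if parsed is None:
            return None
        _method, _path, headers = parsed
        host = headers.get("host", "").split(":")[0].lower()
        members = self.pools.get(host)
        if not members:
            return None
        n = len(members)
        start = self._next[host]
        for i in range(n):                      # skip unhealthy members
            candidate = members[(start + i) % n]
            if candidate not in self.down:
                self._next[host] = (start + i + 1) % n
                return candidate
        return None                             # whole pool is down


# Constructed configuration: one public VIP, two hostnames, private pools.
POOLS = {
    "shop.example.com": ["10.0.1.11", "10.0.1.12"],
    "api.example.com": ["10.0.2.21", "10.0.2.22", "10.0.2.23"],
}


def request_for(host, path="/"):
    """Build a constructed HTTP/1.1 GET request for the given Host header."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: demo\r\n\r\n").encode("ascii")


def demo():
    """Exercise the balancer: rotation, a failed member, an unknown host,
    and a non-HTTP byte string (constructed to look like a TLS record)."""
    lb = L7Balancer("203.0.113.10", POOLS)
    picks = [lb.choose_backend(request_for("api.example.com")) for _ in range(4)]
    lb.mark_down("10.0.2.22")
    picks_after = [lb.choose_backend(request_for("api.example.com")) for _ in range(3)]
    unknown_host = lb.choose_backend(request_for("other.example.com"))
    not_http = lb.choose_backend(b"\x16\x03\x01\x00\xa5\x01\x00")
    return picks, picks_after, unknown_host, not_http


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible: the balancer must parse the request before it can route on hostname, which is what lets one public address serve several Web applications, and a request for a hostname with no pool or a payload that is not HTTP at all never reaches any internal server.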

VShield Edge works with all vSwitch types in vSphere, including standard and distributed vSwitches as well as the Cisco Nexus 1000V.

VShield Endpoint
Instead of running a resource-intensive antivirus/anti-malware agent in every VM, vShield Endpoint offloads the antivirus (AV) software to a dedicated virtual security appliance. A vShield Endpoint driver is loaded inside each guest OS and linked to a hardened security VM running on a secured vSwitch, through the vShield Endpoint loadable kernel module (LKM) on the hypervisor.

With this arrangement, the dedicated security VM can look for viruses or malware on VMs through the Endpoint driver. (VM memory scanning is not currently possible, however.) Also, antivirus engine and signature updates are applied once to the vendor's AV appliance, instead of having to update every AV agent running in each VM. Additionally, policies are centrally managed through the AV appliance, which instructs the Endpoint thin agent how to remediate malicious files on the guest OS.

VMware provides a library and application programming interfaces so that security vendors can integrate their products with vShield Endpoint. Currently, Trend Micro's Deep Security is the only product that works with vShield Endpoint; it provides agentless protection with zero footprint inside the VM's guest OS. But other vendors, such as McAfee and Symantec, have announced future Endpoint-compatible products.

VShield Endpoint currently works only with 32-bit and 64-bit Windows operating systems running inside VMs.

VShield licensing
VShield Manager and the original vShield Zones product are included in vSphere Advanced, Enterprise and Enterprise Plus editions, and Zones is licensed on a per-host basis.

Meanwhile, vShield Endpoint, Edge and App are licensed separately and sold in 25-VM packs. Every vShield product is included in the vShield download, but the additional products are activated with license keys in vCenter Server.

Figure 1

The pricing for vShield Endpoint, Edge and App is listed below.

25-VM pack | Basic (12/5) support | Production (24/7) support
vShield App | |
vShield Edge | |
vShield Endpoint | |

VShield Edge is also included with vCloud Director, and the vCloud Director license key unlocks vShield Edge's functionality. A vShield Endpoint license is also included with VMware View Premier.

In the next part of this vShield series, we look at implementing vShield as well as configuration and management tips.