What actually is VMsafe and the VMsafe API?


By Michael Haines, Sr. vCloud Architect (Security)

Today, security vendors, such as Trend Micro, McAfee and others are now entering the virtualization market and are looking for ways to develop and integrate their existing solutions (antivirus, personal firewall, intrusion detection, intrusion prevention, anti-spam, URL filtering, and etc…) to VMware's ESX Server while trying to differentiate themselves from the competition.

So, I am sure you have heard a great deal about VMsafe and in particular what the VMsafe API is, right? This word 'VMSafe API' gets bounded around way too often for my liking! So what is VMsafe and the VMSafe API?

When I think of VMsafe, I think of this as more of a partner ecosystem program delivered by VMware. That is to say, what we have created and offer as part of this ecosystem program are three sets of distinct Application Programming Interfaces (APIs) that can be used by ISVs and developers to develop and build security applications and solutions for the virtual environment. I might add this is not for the faint hearted! These APIs are split into three main areas:

- vCompute (CPU and Memory) API
- vNetwork Appliance (DVFilter) API
- VDDK API (for disk block inspection)


The vCompute CPU and Memory API.

So what does the vCompute CPU and Memory Inspection API do? At its most basic form, this API includes features that you can use for developing security applications that inspect memory access and CPU states before any code is actually executed.


The vNetwork Appliance (DVFilter) API

So what does the vNetwork Appliance (DVFilter) API do? This API enables you to provide a solution to protect network packet streams. With the DVFilter you can create network packet filters that you insert into the virtual packet stream. This network packet filter is inserted between the vNIC and virtual switch (vSwitch). There are one of two possible agents that can be used. These agents are referred to as the fast-path agent and slow-path agent, which make up the "filter". I’ll write more on the fast-path and slow-path agents in a future blog. One of the key messages here is that the vNetwork Appliance APIs are not just for security, we envision a lot more use cases moving forward. In fact, you may not be aware of this, but Lab Manager was the first product to use DVFilter.


The VDDK API

So what does the VDDK API do? The Virtual Disk Development Kit is a collection of C libraries, code samples, utilities, and documentation that enable a developer who is creating applications to manage virtual storage. Yes, it’s an API and Software Development Kit (SDK). The Virtual Disk Development Kit includes the Virtual Disk API library functions, VMware disk utilities (which include the disk mount and virtual disk manager) and documentation. The primary audience for VDDK are ISVs who develop, for example, anti-virus security products.

So, how does one get access to the VMsafe partner ecosystem program? Well, firstly this program itself is controlled in terms of which partners can get to it and use it. Today, only one API (VDDK) that is part of the VMsafe program is a public API. That is to say that the vCompute and vNetwork are not public APIs. As I mentioned earlier, these APIs are not end user APIs but rather are intended for security partners. For more information on these security partner APIs, go to  VMware's Advanced Developer Portal.  For more information on VMSafe in general, please visit us here