Access Control
vGate builds an authentication layer featuring explicit access control and privilege delegation on top of the standard VMware security model. From the user's and administrator's perspective, the only difference is a simple logon screen that prompts them for credentials before they can access the virtual environment's management tools and virtual machines.
To ensure users cannot access and/or alter the virtual environment without prior authentication and privilege check, vGate:
- Optionally prevents local access to VMware servers.
- Provides for centralized management of IP, port and MAC filtering. Access rules can be configured, for example, so that a particular ESX server can be accessed only through a dedicated port by a certain user from a certain machine or network segment.
Security Labels
With vGate everything has an associated security label: users, virtual machines, network interfaces, ESX servers and network-attached storage. You can easily customize label ranges to tailor them to particular business needs (organizational structure, information types, etc.).
Every time a user accesses the system, security labels are checked to determine whether or not the requested operation is allowed. The figure below shows a hypothetical "color world" where "red," "blue," "yellow" and "green" users exist. Once a user is successfully authenticated, every time they want to do something, their label is verified against the label assigned to the object in question. In our example below, the "green" ESX host can be accessed only by users having the "green" label.

Separation of Duties
Due to vGate's flexible security model, system administrators who maintain virtual environments can be granted only the privileges they require to perform their assigned tasks.
Conversely, personnel in charge of privilege management and security auditing can be restricted from accessing the virtual environment itself. Security officers can even be blocked from logging on to ESX servers and virtual machines, or from running VE management tools.
This flexibility provides a good platform for implementing corporate security policies that delegate administrative privileges or involve dedicated information security teams.
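As an added illustration (not vGate code; the class names, privilege strings and the label range are assumptions), a small policy evaluator that applies the two checks this page describes together: the per-operation label check from the Security Labels section and the explicitly delegated privileges from the Separation of Duties section. It also generalizes the page's exact-match "color world" with an optional hierarchical mode over a configurable label range.

```python
from dataclasses import dataclass

# Constructed label range (an assumption): an ordered list where the index is
# the sensitivity level. The page's "color world" uses these four colours.
LABEL_RANGE = ["green", "yellow", "blue", "red"]

@dataclass(frozen=True)
class Principal:
    name: str
    label: str
    privileges: frozenset  # operations explicitly delegated to this user, e.g. "vm.power"

@dataclass(frozen=True)
class Resource:
    name: str
    label: str  # label assigned to the ESX host, VM, NIC or storage

def label_permits(subject_label: str, object_label: str, hierarchical: bool) -> bool:
    """Exact-match mode reproduces the page's example (a green host only for green
    users). Hierarchical mode generalizes it: a user may access objects at or
    below their own position in LABEL_RANGE. Unknown labels are denied."""
    if subject_label not in LABEL_RANGE or object_label not in LABEL_RANGE:
        return False
    if not hierarchical:
        return subject_label == object_label
    return LABEL_RANGE.index(subject_label) >= LABEL_RANGE.index(object_label)

def authorize(user: Principal, target: Resource, operation: str,
              hierarchical: bool = False) -> tuple:
    """Decide one operation: label check first, then the delegated privilege.
    Returns (allowed, reason) so the reason can be written to an audit log."""
    if not label_permits(user.label, target.label, hierarchical):
        return False, f"label {user.label!r} does not permit access to {target.label!r} object"
    if operation not in user.privileges:
        return False, f"{user.name} lacks privilege {operation!r}"
    return True, "allowed"

# Constructed principals showing separation of duties: the VM administrator can
# operate VMs but not manage privileges; the security officer manages privileges
# and reads audit data but holds no VM or host operation privilege at all.
VM_ADMIN = Principal("vm-admin", "green", frozenset({"vm.power", "vm.console"}))
SEC_OFFICER = Principal("sec-officer", "red", frozenset({"privileges.manage", "audit.read"}))
GREEN_HOST = Resource("esx-green", "green")
RED_HOST = Resource("esx-red", "red")
```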