SAN FRANCISCO – VMware used its annual user conference to put new emphasis on the security and micro-segmentation aspects of NSX and lay out a road map for its software-defined networking product.
The latest version of the product will provide microsegmentation and security for both VMs and container workloads in both private and public clouds, and an NSX research project is trying to establish verified network trust domains that can be used to check network and endpoint configurations and to monitor for anomalies.
At VMworld, VMware gave its customers a limited look at the roadmap for NSX. Near term, a preview edition of the next NSX version was used in several network security demos. Longer term, VMware talked about security architectures that leverage virtual networks and software-defined data centers. Tom Corn, senior vice president for security at VMware, said, "We are bringing out a new suite of security products that will be built on top of NSX and also vSphere." But, Corn could not go into specific details about the future products.
The new security battlefield
At his VMworld 2015 presentation, The Software Defined Datacenter: Security for the new battlefield, Corn reviewed the ongoing security war with capable attackers penetrating into the data center. He noted that the kind of security needed at the endpoint is difficult to achieve due to an architecture where the systems we use sit on shared networks that are not individually segmented.
"The battlefield has changed and we are struggling to align our controls with what we are protecting," Corn said, adding that data centers are hyper-connected with a growing distributed policy problem and, "...we are forced to make a context/isolation trade-off based on where we are placing security controls."
This is because today's security controls and monitoring sit in the same trust domain that the attacker can access. Current limited efforts at segmentation are usually based only on asset class, such as web servers and database servers.
Corn thinks the solution requires the microsegmentation that network virtualization can provide. In essence, it is now possible to treat key parts of the application infrastructure as if they were in virtual mini-data centers. This provides both the correct context and isolation.
"It's not just a barrier, it's a policy perimeter. ... This type of microsegmentation is very powerful," Corn said. "It allows us to compartmentalize risk."
VMware is re-imagining network services, Corn said. One area VMware is focusing on is distributed network encryption. Issues with key management and non-inspectable encrypted traffic make this a difficult problem, Corn said. But with encryption running at the virtual switches, all the elements of an application can be treated as a single logical encryption domain and both concerns become more tractable. "Because it is everywhere, because we are distributing processing ... we have pretty decent performance. Because we are encrypting at the vNIC level, the application has no idea that encryption is happening," he said.
"We're innovating around simplicity and it's allowing us to do what we want to do," Corn said.
VMware's Project Goldilocks
VMware also used its VMworld conference to unveil a new technology preview called Project Goldilocks, which tries to establish a trusted point of presence between the VM guest and the network. This would be a secure execution space and a place to verify provisioning and credentials and would be similar to a Trusted Platform Module that would extend from the hypervisor space up into the guest address space.
Goldilocks would be a kernel module and establish a secure communications path to the VMs. Then it would be possible to monitor critical data and run trusted code. This code can tell operations staff that a VM may be compromised or out of the provisioned scope.
Another VMworld session, The Next Horizon for Cloud Networking and Security, was presented by Guido Appenzeller, chief technology and strategy officer for networking and security.
Appenzeller has been working at VMware for only a year but noted the extreme growth of NSX among enterprise customers, almost tripling to 700 announced customers from 250 in 2014, many of them large deployments worth multiple millions of dollars.
Over the last year, software-defined networking and network virtualization have become an accepted part of modern data center architecture. The transformation of networking into a software industry has accelerated innovation.
Appenzeller compared virtual networking and the software-defined data center to major revolutions like the PC and video on demand.
"We are changing the way we deploy infrastructure," he said. This change could end the endless purchase cycles of boxes and cabling by switching to virtual networks where policy and firewall rules can be implemented in minutes instead of weeks and at significantly lower cost, he said.
How NSX can help secure containers and public clouds
In a demonstration of container isolation, or lack thereof, Appenzeller showed that traditional hosting of containers on an ordinary host allowed hackers full lateral exploration and eventual escape into the networking environment, including enumeration and control of other containers and hosts. This is because all containers share the same kernel and the same network.
Next, he ran the containers with microsegmentation of the on-premise network, a capability of NSX today. He separated and segmented the endpoints with NSX acting as a firewall, gating traffic between the endpoints. Then, with a technical preview edition of NSX, he showed how this microsegmentation can be added in the near future to the public cloud by spinning up Amazon Machine Images on Amazon Web Services (AWS) that networked via NSX with workloads running in the private data center.
NSX, Appenzeller explained, will be able to provide network security underneath a public cloud infrastructure as well as on-premise. In the AWS demo, the NSX preview created virtual networks with the same security and policies as on-premise VMs.
"From a networking point of view, all these instances on Amazon are working exactly as if they were running on-premise with the same set of rules," Appenzeller said. "All the routing, all the firewall rules, even the IP spaces apply, it's like they were plugged into the same switch."
Appenzeller also talked about the security challenges of moving between public clouds and between these clouds and the enterprise with different APIs on each. An advanced use case would be to provide seamless security when moving VMs and containers across different public clouds and help reduce the pain of public cloud lock-in.