New Goldilocks security

Pat Gelsinger, CEO, VMware

Pat Gelsinger was in town recently, meeting with customers, partners and Toronto-based media to explain VMware strategy and priorities as the company negotiates the “tectonic shifts” associated with enterprise transition from the client-server to the mobile-cloud era. According to the CEO, VMware is moving forward with portfolio development across three fronts: the application of virtualization to the whole data centre through the ‘software defined data centre’; the enablement of seamless transfer of workloads on and off premise through hybrid cloud; and the creation of end user computing solutions that connect the device and the data centre. In fact, coincident with Gelsinger’s visit to Toronto, the company announced Horizon 6, the latest version of VMware’s unified platform for secure management and virtual delivery of user desktops and Microsoft apps to a range of devices. With 150 new features and integration with the rest of the VMware portfolio, Gelsinger described Horizon’s unified approach as “the next step in how we intend to take leadership” in the “two horse race with Citrix.” But Gelsinger’s, and VMware’s, real enthusiasm appears to be for innovation in the company’s SDN platform, NSX.

Announced back in the spring of 2013, VMware’s network virtualization platform NSX is not news. However, the company’s efforts to transform NSX from a proprietary SDN solution to a platform for new innovation are. According to Gelsinger, NSX has become “a new tool to address security” through the insertion of virtualization in the space between “applications, which have great visibility but not a good position to enforce security policy, and networks and infrastructure, which have great ability to isolate and enforce but no visibility.” Sitting between these, the NSX platform will have “context” provided by the applications, and also function as a ubiquitous enforcement layer since it lies across all infrastructure. “NSX,” he explained, “has the unique ability to isolate and have context, and that’s why we called it the Goldilocks Zone — not too hot, not too cold, just right.”

At a high level, the idea behind Goldilocks is to create zones and associate security mechanisms with these. Within these zones, aware applications set security policy for that app or a collection of VMs which might include any number of different technologies — database, web server or business logic, for example. As data moves through the ingress and egress points of these zones, security mechanisms such as firewalls associated with the VM zone would be invoked. Ultimately, the NSX platform would generate a template purpose-built for the application with policies related to the associated security mechanism as well as enforcement of policies at the VM level — moving policies with the VM as it travels through the virtual network. Through this automation, the need for what Gelsinger called “the error prone pieces of enterprise security today,” such as network reconfiguration or the rebuilding of firewall rules, is eliminated.

While VMware has developed many of its own security mechanisms, Gelsinger noted that the company is “enabling the industry to participate” and has partnered with McAfee, Symantec and Palo Alto Networks in order to combine and layer in many security policies for ultimate determination by the NSX policy manager. In this early phase of Goldilocks, he added, projects such as the integration with Palo Alto Networks will allow the partners to “do cool joint engineering” that will also help VMware better understand what to include in general interfaces as it builds out the next stages of the project. Currently, a number of APIs and interfaces, including many of the developer kits that are driven by IEEE standards, have been made available as part of the VMware product for customers that want custom implementations.

In his discussion, Gelsinger stressed the “open industry approach” to network virtualization that VMware has taken. Referencing his chief networking architect Martin Casado’s co-invention of OpenFlow, he described VMware’s proprietary product — the distributed control plane which is the core of NSX — as “complementary to SDN” since it consumes and integrates all the SDN technologies into it but also VMware’s open interfaces. As an example, he pointed to VMware leadership in the OpenStack networking-as-a-service project Neutron, which is working on development of an open virtual switch that will be integrated into a number of different products. This open approach, he insisted, extends to security capabilities in the platform, where customers may choose to integrate their own or a third-party firewall or other security capability, “but still build it on our platform because we’re integrated through the virtual stack.” So while the company will continue to improve integration of its own technologies, customers can deploy best-of-breed on the VMware platform — with or without the rest of the VMware stack. As Gelsinger put it, “we fully expect it’s about enabling a broad industry of innovation with many open interfaces and standards.”

Of course the proof is in the pudding — or in this case, in the implementing of the virtual networking platform. WestJet Airlines, which Gelsinger described as one of the company’s most advanced customers — “They are taking a very sophisticated airline, booking, billing, multi-layer SOA application and are implementing it entirely on an NSX distributed security architecture. It’s as good as it gets anywhere in the world” — was also the first customer to receive the NSX beta product.

Richard Sillito, technologist, IT security, WestJet

WestJet’s security initiative was intended as one piece of a broader data centre update designed to address issues with the network, which Richard Sillito, technologist in IT security at WestJet, described as “under strain.” Designed for north/south but not east/west traffic, the network had a proliferation of DMZs: an ever-growing number of secured internal zones that were incapable of handling, without a lot of network “hopping,” the integration of business applications (loyalty program, booking engine, enterprise notification system, etc.) that management was looking to achieve. While WestJet was committed to deployment of new networking gear featuring fabric that could handle multidirectional traffic, this would not necessarily reduce strain on physical networks, nor solve security issues. For this, Sillito developed a unique security model that proved intriguing to VMware technical staff: “they saw the value in that model and wanted to implement it on the NSX product,” he explained. A pre-proof-of-concept on VMware’s vCNS (vCloud Networking and Security) product went well, and WestJet was subsequently chosen as the first NSX customer.

In the WestJet lab, the team was able to implement its security model in the NSX platform to address security problems, but also data centre traffic issues: as Sillito explained “it’s that concept of keeping the network traffic on the hypervisor that will reduce the stress on the network. By using overlay networks, you’re able to really reduce the number of things that the underlying physical network has to do. Once you do that, you simplify the network because the complexity is up at the virtual level.”

Using “micro segmentation” they were also able to place everything, including security, DMZs, internal zones, etc. associated with SOA services, “inside that cloud,” specifying ports and firewall rules, and ultimately eliminating the need for separate DMZs altogether. “In effect, the entire data centre becomes a DMZ,” Sillito concluded, with servers, applications and security residing on a VM host that is open only to traffic that policy has allowed. The WestJet security model was built independently of the VMware platform (the team was originally looking at BigIron firewalls as opposed to SDN); however, it was “easy to implement in NSX,” Sillito claimed, for a “vteam” composed of network, storage, security, architecture and business process experts, who were focused on developing data centre automation. In the facility, WestJet relies on Cisco networking infrastructure and HP blade servers, and this heterogeneous environment presented no implementation challenges for NSX: the platform’s “not really dependent on the technologies underneath. The big thing it’s dependent on is IP (Internet Protocol), and it would be very difficult to find a data centre that doesn’t use IP,” he added.

The WestJet team had strong executive sponsorship (CIO and CEO buy-in) for its data centre update, and in fact was tasked specifically with the creation of innovative solutions to networking and security issues. Working with NSX, they were able to deploy their own security architecture while also achieving improved network performance, a foundation for the agile development and continuous delivery demanded by the business side of WestJet’s IT department. Sillito explained, “NSX is going to deliver that performance, and it’s going to do that using our existing hardware. It’s going to push that security component very close to the workloads — and that’s very important. If we push the policy to the edge, just before the virtual workloads, it doesn’t matter what the channel is, we will still apply security in a consistent fashion. So we’re getting consistent policy enforcement. And this paves the way to automation, which paves the way to self-service.”
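The property Gelsinger and Sillito both describe (policy expressed in terms of the workload, enforced at the VM edge, and travelling with the VM when it moves) can be modelled in a few dozen lines. The following is an added illustration, not VMware or WestJet code; the hypothetical group names, host names and rules are constructed for the example, and the tier-based rules stand in for whatever an application-specific template would contain.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    port: int

@dataclass
class VM:
    name: str
    host: str              # physical host; irrelevant to policy
    groups: frozenset      # security groups / tags, e.g. {"web"}

@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    port: int
    action: str            # "allow" or "deny"

class DistributedFirewall:
    """Rules name groups, not addresses or hosts, and are evaluated at the
    VM's virtual NIC; migrating a VM changes no rule (constructed model)."""
    def __init__(self, vms, rules, default="deny"):
        self.vms = {vm.name: vm for vm in vms}
        self.rules = list(rules)
        self.default = default          # default deny: only allowed traffic passes

    def migrate(self, vm_name, new_host):
        self.vms[vm_name].host = new_host   # no firewall reconfiguration needed

    def decide(self, flow):
        src, dst = self.vms[flow.src_vm], self.vms[flow.dst_vm]
        for r in self.rules:                # first matching rule wins
            if r.src_group in src.groups and r.dst_group in dst.groups \
                    and r.port == flow.port:
                return r.action
        return self.default

def build_demo():
    # Hypothetical three-tier app: web -> app on 8080, app -> db on 5432.
    vms = [VM("web1", "esx-a", frozenset({"web"})),
           VM("app1", "esx-a", frozenset({"app"})),
           VM("db1",  "esx-b", frozenset({"db"}))]
    rules = [Rule("web", "app", 8080, "allow"),
             Rule("app", "db", 5432, "allow")]
    return DistributedFirewall(vms, rules)

dfw = build_demo()
```

Calling `dfw.decide(Flow("web1", "db1", 5432))` returns "deny" because no rule lets the web tier reach the database directly, and the decision for `web1 -> app1:8080` stays "allow" after `dfw.migrate("app1", "esx-b")`.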

WestJet’s NSX deployment speaks to the kind of joint innovation that VMware is hoping will differentiate its solution in the marketplace. A hot topic — and growing market — in the networking industry, software defined networking and network virtualization promise new levels of efficiency, but also new levels of customer control and input, as well as freedom from proprietary lock-in. In this increasingly crowded space, both are becoming table stakes; to stand out, vendors need also to facilitate innovation that will expand or enhance security and other capabilities within the network. Gelsinger says VMware will announce many more components aimed at enabling innovation over the next year or so. Stay tuned.
