At the 2016 RSA Conference, VMware CEO Pat Gelsinger sounded a clarion call to the computer security world, urging professionals and their companies to level up and to use new modes of server and network virtualization to redefine future security architectures.
Gelsinger argued the industry never really had a dedicated architecture for security.
"Every organization has policies they want to see enforced across all of their security tools ... this is the great divide," he said. "We have a whole set of tools on the one side and all these policies on the other, and an inability to align those policies with the objectives and services."
A ubiquitous layer of virtualization provides for alignment between the physical infrastructure and the applications above.
"Fundamentally, we need an architecture that allows us to bridge this divide," Gelsinger continued. "And a ubiquitous layer of virtualization allows us to cross this divide."
VMware had a large overall presence at RSA, which included a large booth, three technical sessions, a morning-long talk on network virtualization for security at the RSA Community Day and Gelsinger's keynote speech.
At the start of his keynote, Gelsinger briefly plugged NSX as VMware's network virtualization product, and said it's now used by more than 1,200 customers. Most users benefit from the microsegmentation it provides, he said.
Gelsinger then pivoted, saying "it also enables the entire security industry to become a platform for innovation."
This could be a first step in positioning VMware's NSX to compete with Cisco's enhanced Enterprise Network Functions Virtualization software stack.
Gelsinger also said it is the first ubiquitous layer that cuts across multiple data centers and across compute, storage and network, and that it now cuts across clouds as well.
Distributed network encryption in action
Both at the keynote and in the longer session at the VMware track on Community Day, Tom Corn, VMware's head of security products, demonstrated VMware's distributed network encryption -- currently in technical preview -- which provides top-to-bottom encryption and key management for cloud-based microsegments wherever they are located.
"We have an opportunity to easily create least-privilege environments everywhere," Corn said in an interview, noting that with an abstraction layer like virtualization, each app has its own network. "We can now leverage this in ways we couldn't imagine before. And we are encouraging security vendors to think differently about this."
Most applications are a distributed set of components, with the actual data traversing an open network. Encryption is often mentioned in security discussions, but can be a practical challenge.
"Encryption is a great way of securing that, but it's so hard to implement in a physical world," Corn said. "You'd be tracing all of those components down to switches, to IP subnets and NICs, setting up encryption tunnels for every communications pair.
"In a virtual world, the physics are very different. We can say, 'This microsegment represents my sensitive application, and I'd like to encrypt it.'"
Corn said this can be done without tracing the servers or manually setting up keys and crypto tunnels all over the network.
In his session, Corn set up a demonstration of a mock "break" into a bank, in which he tried to zero out his own mortgage. The bank environment was configured as a three-tier app, with Django and MySQL, all with their default security settings.
The theoretical bad guys could easily sniff traffic to plan their break-in, and then use Metasploit to send an attack package. Corn easily gained admin access, and then set the mortgage balance to zero in just a few minutes.
In the next round, Corn focused on NSX security and used the prototype of VMware's distributed network encryption, which leverages the virtual infrastructure and network segmentation.
"We know where all those systems are, which virtual switches they are connected to, and we can push policies to encrypt and authenticate ... across all those connection points related to that application," Corn explained, adding that it just becomes a checkbox.
A dashboard gave insight into the public and private clouds used by the fictitious bank, with microsegments available in each. On the mortgage microsegment, the bank used VMware's distributed network encryption to apply a policy encrypting data end to end, including network transit. This was done as a single drag-and-drop action on the dashboard, and that was all that was needed to encrypt the selected microsegment. At that point, sniffing network traffic yielded nothing useful to the attackers, and because the policy also authenticates traffic, a host without the segment's key could no longer talk into the microsegment.
"In the demonstration, we took it a step further to show the direction we are heading by extending this not to just the private cloud, but also to the public cloud," Corn said. "You can add some machines to the public cloud as a logical microsegment -- 'a logical abstraction for the application' -- and an admin can stop worrying about which hardware it is on, and just make it so."
Corn added that, while key management is needed, it can be simplified because of the microsegment.
"We understand who should have access, we know all of the machines in this microsegment, and in the demonstration, we actually used a key for each microsegment," Corn said. "We were able to isolate that key in each hypervisor area, and remove the complexity of key management from the admin."
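The model Corn describes, one key per microsegment held at the hypervisor layer and applied as an encrypt-and-authenticate policy at every virtual-switch port, can be sketched in code. The following is an added illustration written for this page, not VMware's or NSX's own code or API: the `Hypervisor`, `Segment` and `Frame` types, the segment and VM names, and the choice of AES-GCM as the authenticated cipher are all assumptions made for the example. It replays the bank demo above in miniature: the mortgage tier is an encrypted segment, an attacker VM sits outside it, and the code checks what a sniffer sees and whether the outsider can inject traffic.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Segment is a hypothetical microsegment record: its label, the "encrypt this
// segment" checkbox, its member VMs, and the key the hypervisor holds for it.
// The admin never handles the key directly.
type Segment struct {
	Name    string
	Encrypt bool
	Members map[string]bool
	key     []byte
}

// Hypervisor stands in for the virtual-switch layer that knows which port every
// VM sits on and applies the segment policy at each port.
type Hypervisor struct {
	segments map[string]*Segment
	vmToSeg  map[string]string
}

func NewHypervisor() *Hypervisor {
	return &Hypervisor{segments: map[string]*Segment{}, vmToSeg: map[string]string{}}
}

// AddSegment registers a segment and its members. Ticking the encrypt box
// generates one fresh 256-bit AES key for the whole segment.
func (h *Hypervisor) AddSegment(name string, encrypt bool, members ...string) error {
	seg := &Segment{Name: name, Encrypt: encrypt, Members: map[string]bool{}}
	if encrypt {
		seg.key = make([]byte, 32)
		if _, err := rand.Read(seg.key); err != nil {
			return err
		}
	}
	for _, vm := range members {
		seg.Members[vm] = true
		h.vmToSeg[vm] = name
	}
	h.segments[name] = seg
	return nil
}

func (h *Hypervisor) segmentOf(vm string) *Segment { return h.segments[h.vmToSeg[vm]] }

// Frame is what crosses the virtual wire. When Encrypted is set, Payload is
// nonce || AES-GCM ciphertext || tag, with Src/Dst bound in as associated data.
type Frame struct {
	Src, Dst  string
	Encrypted bool
	Payload   []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send runs at the sender's vNIC: if the sender's segment has encryption on,
// the payload is sealed under the segment key; otherwise it goes out in clear.
func (h *Hypervisor) Send(src, dst string, payload []byte) (Frame, error) {
	seg := h.segmentOf(src)
	if seg == nil || !seg.Encrypt {
		return Frame{Src: src, Dst: dst, Payload: payload}, nil
	}
	aead, err := gcmFor(seg.key)
	if err != nil {
		return Frame{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Frame{}, err
	}
	ct := aead.Seal(nonce, nonce, payload, []byte(src+"->"+dst))
	return Frame{Src: src, Dst: dst, Encrypted: true, Payload: ct}, nil
}

// Receive runs at the destination's vNIC and enforces the destination's policy:
// an encrypted segment drops cleartext frames and any frame whose tag does not
// verify under the segment key, so a host without that key cannot inject.
func (h *Hypervisor) Receive(f Frame) ([]byte, error) {
	seg := h.segmentOf(f.Dst)
	if seg == nil || !seg.Encrypt {
		if f.Encrypted {
			return nil, errors.New("encrypted frame delivered to a segment without a key")
		}
		return f.Payload, nil
	}
	if !f.Encrypted {
		return nil, errors.New("policy requires encryption: cleartext frame dropped")
	}
	aead, err := gcmFor(seg.key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(f.Payload) < ns {
		return nil, errors.New("frame too short")
	}
	return aead.Open(nil, f.Payload[:ns], f.Payload[ns:], []byte(f.Src+"->"+f.Dst))
}

// RunDemo builds the constructed bank scenario: the mortgage tier is one
// encrypted segment and an attacker VM sits in a separate, unencrypted one.
func RunDemo() (sniffSeesPlaintext, insiderOK, outsiderBlocked bool, err error) {
	h := NewHypervisor()
	if err = h.AddSegment("mortgage", true, "web", "app", "db"); err != nil {
		return
	}
	if err = h.AddSegment("guest", false, "attacker"); err != nil {
		return
	}
	msg := []byte("UPDATE mortgages SET balance=0") // constructed sample traffic
	f, err := h.Send("app", "db", msg)
	if err != nil {
		return
	}
	sniffSeesPlaintext = bytes.Contains(f.Payload, []byte("balance"))
	got, rerr := h.Receive(f)
	insiderOK = rerr == nil && bytes.Equal(got, msg)
	// The outsider tries a cleartext frame, then reuses captured ciphertext as itself.
	_, e1 := h.Receive(Frame{Src: "attacker", Dst: "db", Payload: msg})
	_, e2 := h.Receive(Frame{Src: "attacker", Dst: "db", Encrypted: true, Payload: f.Payload})
	outsiderBlocked = e1 != nil && e2 != nil
	return
}

func main() {
	s, i, o, err := RunDemo()
	fmt.Println("sniffer sees plaintext:", s, "insider delivered:", i, "outsider blocked:", o, "err:", err)
}
```

Two caveats a practitioner should take from the sketch. First, the protection depends entirely on the hypervisor keeping the segment key out of the guests: any VM that obtains the key can speak into the segment, so compromising a member VM (as in the first round of Corn's demo) is not addressed by encryption in transit. Second, the toy has no replay protection; binding source and destination into the associated data stops a captured frame from being re-sent under another name, but a real implementation also needs sequence numbers or a similar anti-replay window.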
VMware also held an NSX hands-on lab. Participants had four hours and were given a technical overview of the VMware NSX security features, including the distributed firewall, edge firewall, data security, activity monitoring and flow monitoring.