[Secure] Distributed, Virtual Networking

On the heels of the vFabric buzz that opened VMworld 2010 in San Francisco, Day 3 showcased Howie Xu, R&D Director at VMware, and his vision for the next generation of virtualized networks: networks that easily and effectively connect end users and access devices to application workloads regardless of location.  Howie framed VMware's vision of the distributed virtualized network as a journey (the vChassis Journey) built on four key concepts, summarized here and described further at Kendrickcolemen.com.

– Any workload size

– Instantaneous provisioning of workloads with end-to-end networking

– No network constraints when deploying workloads wherever computing capacity exists

– Scaling networks up and out

Xu further describes the vChassis as "a platform to simplify and standardize the management and development of scale-out, interoperable, and automated network services", spanning from the Ethernet data link layer (L2) up through every component that handles the communication aspects of the application (e.g., identifying the intended communications partner, such as a web application, mobile device, or file transfer endpoint, and establishing its availability).

Thoughts (or maybe questions) on Where Security is Built in

The security mantra for everything virtualized is "build it in, don't bolt it on."  So the vision that Xu lays out begs the question: does the platform for distributed virtual networks become a built-in enabler for end-to-end security services, from the MAC address to the application?  Standard security services and mechanisms are part of the OSI reference model.  Services are the protections a network is expected to provide; mechanisms are the controls implemented to deliver those services.  Here they are:

Security Services          Security Mechanisms
------------------------   -------------------------
Authentication             Encryption
Access Control             Digital Signatures
Data Confidentiality       Access Controls
Data Integrity             Data Integrity
Non-repudiation            Authentication
Logging and Monitoring     Traffic Padding
                           Routing Control

In his presentation, VMware's Xu indicated that vChassis includes a "workload-centric platform" and a new management layer that provides policy-level configuration and resources to a virtual machine when it is created and wherever it goes.  But which security services and mechanisms are managed as part of this platform (e.g., vChassis intrusion detection)?  And will the platform itself provide the security services and mechanisms (e.g., endpoint authentication, data integrity), or only the configuration and management control over services and mechanisms enabled by other parts of the ecosystem?

This is certainly another part of VMware's bold vision for security.  At VMworld 2010, vChassis, vCSD, and vShield joined VMSafe, vSphere trust zones, RSA DLP, Archer, enVision, and Ionix at the tip of the spear of VMware's security platform.