How do you bring the virtualization operations model to networking? That will be the job of Martin Casado, CTO of networking and security at VMware, which this week launched NSX, the company's over-arching network virtualization package. Casado was one of the creators of OpenFlow, the protocol that spawned the software-defined networking (SDN) movement. He was also the CTO of OpenFlow software provider Nicira, which VMware purchased in 2012 and which provides the basis for much of NSX. Casado met with Network World Senior Editor Ellen Messmer to talk about NSX networking and security implications.
Tell us about the security piece in NSX, such as this so-called NSX Service Composer.
NSX is a platform for virtual networking. If I create virtual machines, I can attack them in a virtual environment if they talk to anything on that network or the physical network. The attack surface is actually very large today. NSX introduces a layer of security and isolation. All communication in NSX has the capacity to be encrypted.
For a long time, VMware has talked about its virtualized firewalls in terms of vShield. Where is that going now?
vShield Edge is a component of NSX, a gateway for north-south firewalling. But NSX is more than that; it's the distributed firewalling.
In terms of the new vCloud Hybrid Service (vCHS) that VMware is offering through its four data centers, will vCHS support NSX, and if so, when? At a conference session about vCHS here at VMworld, the two technical marketing managers presenting the vCHS architecture indicated it's based on VMware's existing ESX and vShield Edge technology, not NSX, which won't ship till closer to year end. They said they expected to start using NSX at some point in vCHS but weren't sure when that might be.
vCHS does not have NSX yet, and when that will be, I don't know. The data centers concern the current VMware technology, and it will support older versions of the technology. NSX is the next software upgrade. It's important to maintain compatibility.
VMware is making a point these days of expressing support for multi-vendor hypervisors. Can you tell us about that and what might be the security limitations around it related to NSX?
Our goal is to change the network, and we have to integrate with everything the network touches. Our charter is not to sell vSphere; it's to change the network. We need to be at each point of presence in the network to do that. There are heterogeneous hypervisors deployed today, and physical workloads that aren't virtualized. Xen, KVM, Hyper-V: we've got customers with OpenStack KVM deployments. NSX is an independent technology, a software layer that runs on servers at the edge, running on Xen, KVM, Hyper-V, or controlling top-of-rack switches. Some of these platforms we don't totally control, like Linux. We have to go to the community upstream in a process for them to consider it. It may take time. In security services we can do what we want with ESX; we own the bits. With KVM, we have to go through the Linux community. There may be differences in time when some security services are available. There's a distributed firewall that runs in the hypervisor, available in ESX but not KVM. It will take upstream support. But eventually, all will be available on all platforms.