VMware Aims to Use Encryption to Secure Virtualization

Network virtualization is a backbone that security can make use of with an approach VMware is referring to as Distributed Network Encryption.

VMware, network virtualization, encryption

VMware is working on new encryption technology to improve the security of virtual networks and application workloads that run on them. Although encryption has been in use in various forms for a long time, VMware is aiming to use it in more extensively inside data centers.

Making encryption easily usable in a meaningful way has been challenging, said Martin Casado, senior vice president and general manager of the Networking and Security business unit at VMware. Among the key challenges is how to manage the key distribution problem.

Network virtualization might hold the key to making pervasive encryption more usable since it's already a distribution platform, managing things in a disturbed way as they move around an environment, Casado said. Network virtualization is a backbone that security can make use of with an approach VMware is referring to as Distributed Network Encryption (DNE), he explained.

"With DNE, encryption just becomes a native attribute to an application," Casado told eWEEK. "You spin up an application, click a checkbox to encrypt all the packets in an application, and you don't have to worry about all the traditional encryption issues that have slowed adoption."

Currently, the DNE effort is still in early development, though Casado has some solid ideas on how and where it will fit into an existing network deployment. VMware's NSX network virtualization technology creates virtual networks by way of an API call. The basic idea for DNE is that, when an API call is made to NSX, that attribute is included to make sure the packets are encrypted.

"NSX will then take care of key management and setting up security associations," Casado said. "Then all of the tunnel end-points of the virtual network, running within the hypervisors, will encrypt and decrypt packets."

In the Web world, Secure Sockets Layer/Transport Layer Security (SSL/TLS) is the normal form of encryption, which Casado doesn't see as being entirely sufficient for virtualized data center application traffic. With DNE, an entire application workflow is encrypted as packets traverse a network, he explained.

Additionally, with SSL/TLS, there is often a challenge with authenticity and validating the integrity of a given connection. Certificate Authorities (CAs) are the general way that SSL/TLS integrity is maintained, but it's not without challenges, Casado said. With DNE, the challenge of authenticity is somewhat reduced, given that it's intended to be a data center technology.

"In the data center, we know all the end-points, so we don't have to rely on a public authority," Casado said.

Yet SSL/TLS has a role to play in the DNE world that VMware is now building. Casado explained that DNE is an infrastructure-level technology. So, for example, with a virtual network, there is a virtual switch and router, and with DNE, all packets will be encrypted between them.

"So there is some infrastructure, but it doesn't do anything at the application layer above it," Casado said. "I think you need to protect at every layer."

The DNE effort at VMware is currently under active development with code being written, though it's not yet entirely clear when the technology will become generally available.

"This is something we're investing in materially with research and development resources, right now," Casado said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.