The use of network virtualization is increasing in enterprises, and with it the security concerns that accompany squeezing more resources into one space.
To meet this need, HyTrust Inc. said this morning that the just-released version 4.5 of its CloudControl access control software now covers VMware’s NSX virtual network platform as well as VMware vSphere for servers. (Also this morning VMware announced a new version of NSX. See below.)
Virtualization has given “God-like powers” to virtual system administrators that could destroy systems or foil security and audit requirements, Eric Chiu, co-founder and president of HyTrust Inc., pointed out in an interview. As CISOs adopt NSX, network administrators will have the same powers that need to be checked.
NSX lets IT pros treat a physical network as a pool of transport capacity. Although it comes with security policies, CloudControl adds an access layer. As it does for vSphere, the suite allows CISOs to separate duties and monitoring, including the use of two-factor authentication using RADIUS or TACACS protocols.
“We enable you to segment users based on role, so you can have different administrators who can administer networking, security and other related functions like load balancing,” Chiu said, “and you also enforce object level segmentation of the environment, so administrators can only do certain functions to certain resources.” There are also audit and compliance controls.
A long-time VMware partner, HyTrust is making the announcement at the annual VMworld conference because, Chiu said, “we are seeing a lot of our customers, who are VMware’s largest Fortune 1,000 customers, moving to or exploring NSX.” According to VMware, more than 700 customers are using the platform, although only have it in production in their data centres.
Pricing for CloudControl starts at US$1,650 per socket.
Also included in 4.5 is boundary control (announced at VMworld last year as a proof-of-concept), which enables CloudControl to be tied to HyTrust DataControl 3.0, an encryption and key management solution. “It enables you to enforce physical or location based boundaries over where your data can be decrypted and run,” Chiu said.
Meanwhile HyTrust continues to slowly expand its sales in this country. Chiu acknowledged that in this country his firm is still “pretty new.” Earlier this year HyTrust hired a vice-president of international sales. Canada, Chiu vowed, “is a big focus of ours, especially going into next year” when he expects his company will open an office here.
As for the new version of NSX, VMware said version 6.2 has more than 20 new features. These include better integration with physical infrastructure, enabling simplified and consistent operations for the entire data center network and the extension of micro-segmentation to physical servers. Finally, new capabilities such as Traceflow and Central CLI further simplify operations and visibility.
According to a company blog, the new capabilities allow:
- More control within and across data centres: There is better support for application continuity and disaster recovery use cases through support for cross vCenter vMotion over VXLAN with routing and security. Administrators can now migrate across vCenter Server systems seamlessly without losing historical data about the virtual machine, VMware says. Customers can scale out vSphere environments within a single data center and across data centers by moving the entire networking and security model with the VM, without any requirement to change underlying physical infrastructure.
- Deeper integration into physical infrastructure thanks to support for Open vSwitch Database (OVSDB) in vSphere environments, enabling simplified operations for the entire data center network and the extension of micro-segmentation to physical servers. Support for OVSDB enables integration with hardware switching partners and advanced load balancing solutions through a standards-based mechanism, making it even easier to deploy network virtualization in data centers.
- Advancements in operations and troubleshooting: Traceflow lets network admins synthetically create a packet that looks exactly like it came from a guest VM and inject it into the data path. Traceflow then traces its handling all the way through the forwarding pipeline (switching, routing, firewalling, service insertion), across the physical network, and through the forwarding pipeline again before it’s intercepted just prior to delivery to the remote VM. Central CLI is a new troubleshooting tool that VMware says gives the ability to capture the shared state run-time information from all the distributed components in the system and present it from one single interface. Unlike traditional scenarios, where one has to hop from device to device to collect information and manually correlate the data to build a complete picture for troubleshooting a network, one can now have a single consistent view of information.