The Goldilocks principle states that, in a system, a thing cannot sustain itself within extremes. It typically settles into a certain margin to achieve equilibrium. For example, the economic "Goldilocks zone" is where the market runs warm enough that growth continues, but doesn't run so hot that inflation explodes. Martin Casado, chief technology officer at VMware and co-inventor of OpenFlow, said network and information security is struggling to find its own Goldilocks zone, and he believes that hypervisors and software-defined data centers can get us there.
Casado said he originally pursued his Ph.D. at Stanford University (where his research led to OpenFlow) and founded network virtualization startup Nicira (acquired by VMware for $1.2 billion) in an effort to solve security problems. Ultimately, his work led to the emergence of SDN and its myriad upheavals in the networking industry. In this Q&A, Casado explains how he is returning to solving the original problem of security and why VMware can bridge the gap between context and isolation that frustrates network security systems on a daily basis.
What is the architectural problem in network security that you are trying to solve?
Martin Casado: We don't have a ubiquitous and horizontal security layer that provides both context and isolation. Where do we normally put security controls? We put it in one of two places.
We might put it in the physical infrastructure, which is great because you have isolation. If I have ACLs [access control lists] or a firewall or an IDS [intrusion detection system], I put it in a separate box and I put it away from the applications so that the attack surface is pretty small and it's totally isolated.
[In that situation], you have isolation, but you have no context. We all know that IP addresses don't really mean anything. They don't mean users, they don't mean end hosts. Ports are horrible for [identifying] applications. There is no way to determine what data is being accessed. I think things like next-generation firewalls are a total admission to this, that ACLs are pretty much meaningless. And even looking from within the network context is a very limited view.
Another place we put security is in the end host, an application or operating system. This suffers from the opposite problem. You have all the context that you need -- applications, users, the data being accessed -- but you have absolutely no isolation. So even though you can derive all this meaningful stuff, if you don't trust the application or user or end host, [the network] will just turn it off.
A next-generation firewall has no idea what goes on within a guest -- like users accessing data. It doesn't have data-level visibility. You normally only look at the first 1,500 bytes of packets, just sampling. It's a step in the right direction, but if you look at the context that an operating system has versus a next-generation firewall, they're almost incomparable. An operating system knows what's happening at a process level, at a file level, at a data level and at a user level. A next-generation firewall has no idea what user is on a machine unless it plugs into LDAP. So if you have a multiuser machine and it is not using the network to authenticate, [the firewall] has no idea who is on the machine. The operating system does.
So how do you solve the problem?
Casado: We're transitioning to a cloud and software-defined data center world, where things in the data center are following a more software-driven model. If you look at a software-defined data center, chances are there's going be a hypervisor. I believe the hypervisor is a Goldilocks zone for security leverage. It's close enough to the application to have deep semantics and visibility. [A hypervisor is] co-resident [with operating systems and applications]; you can look in-memory and you can get a guest presence. But it's far enough away to get isolation, and it's totally ubiquitous. In a virtualized data center, it touches every workload.
So you have this horizontal layer [of hypervisors]. It does have security properties and it does have context. The question we're asking at VMware is, how do we use this layer to build out a platform that our partners can use to enhance their security offerings?
More Martin Casado and other SDN stars
Casado on managing physical and virtual networks in parallel
Casado on the importance of OpenStack networking plug-ins
Jennifer Rexford on building SDN programming languages
Marco Canini on hybrid SDN deployments
Dave Meyer on the IRTF SDN Research Group
This cuts across so many layers of security. [VMware] is not building out security products, but we're providing the ability for security products to bridge this gap between context and isolation.
Think about vulnerability scanning. It is a box that sits in the network and sends traffic. It guesses whether something is vulnerable by the way [that host] responds to traffic. If you do vulnerability scanning from within the hypervisor, you're sitting in there co-resident. You have much deeper introspection.
With data loss prevention, we can hook into every system call and see all the data that's being accessed without having to piece it together from within the network. If [antivirus vendors] want to build out a system that can't be turned off, they can implement within our system.
How will you make this happen? How will VMware combine context and isolation?
Casado: We will provide the platform so that [security technology] can extract information from the end hosts, but we will also extend it for extracting information that is more interesting to them. We can integrate with the operating system. We can protect the integrity of that driver from within the hypervisor. It has all visibility that the host has -- every process that gets started, every system call, all the data that gets accessed, all the users on the machine. We can derive all that information and make it available to our partners.
On top that, strategically it would be very interesting for us to allow them to extend that driver in a way that is still protected so they can drive information they view as useful. Let's say a threat detection company has way of scanning things and determining that a guest is compromised. We can allow that code to be protected by the hypervisor and we can relay that information that the guest is compromised so it can be used for enforcement. Now, a piece of physical infrastructure, like a firewall, can know this guest is compromised and limit access or quarantine it.
Any big change in security architecture is going to require a green light from compliance and risk management. Divorcing security architecture from hardware will make them nervous.
Casado: There is a technical argument and then there is a touchy-feely argument. The technical argument reduces to trust consolidation in the hypervisor. Today, in many large companies, the hypervisor is trusted. The large clouds will use it to enforce multi-tenancy in some of the most attacked surfaces in the world. Look at things like Amazon EC2 or Rackspace. They certainly trust the hypervisor to some degree. We have at least a decade of experience with how these things operate in wild.
The hypervisor is a large codebase, but it's one codebase compared to everything that is running on top of it. And everything that's running on top of it is the sum total of every line of code for every version of every operating system and every application. There are orders of magnitude of difference in the amount of code we have to correct in order to protect the hypervisor.
Another thing to realize: If you're doing something in physical infrastructure, it's not being done in hardware. It's still being configured and managed by software. It's just separated by a network. The attack surface is arguably limited, but it's still a software-driven thing. The only difference is if the hypervisor is separated through address-level isolation at a memory level and the physical network is separated by the actual network itself.
But we can look at the largest operations in the world that do use hypervisors and as an example. For those who are comfortable with hypervisor as security mechanism, this is a slam dunk. For those who are not, I think that requires a discussion on why the attack surface is actually protected. I think that precedence is on our side. But like any new context, this takes some getting used to.
How will VMware deliver this Goldilocks zone to IT organizations?
Casado: We want this to be a core part of the platform that our customers can use. How it's shipped and sold, I'm not super clear on it at this point. Right now pieces of it are available in products we have. [We're doing work] with antivirus guys, with Palo Alto Networks. There's been this fairly reasonable track record of being able provide some access to the hypervisor for enforcement and some access to context for enabling it, but there hasn't been a broad focus on this as a general platform. VMware is pretty serious about security. It feels like it has an architectural advantage and it's going to enable the ecosystem. There are 40 million workloads running on top of this architecturally consistent layer today. This is the missing piece that is connecting the semantics of the application to the infrastructure. I think we're in the perfect position to do that. And we're already there. It's still early days, but it's nice to have a clear vision.