TIBURON, Calif. — Not surprisingly, a VMware technology executive says that container technology is not a threat to VMware’s virtual machine (VM) franchise, because customers are going to use containers and VMs together to improve network automation and the security of virtualized networks.
“We have several customers running containers inside VMs. The isolation of containers is very weak — it’s basically no more than the solution of a Linux kernel,” said Guido Appenzeller, Chief Technology Strategy Officer for Network and Security, VMware, speaking here at the NetEvents conference. “They take all of the containers and put them into one virtual machine.”
Appenzeller says that despite the immense growth in container technology, which packages applications as “microservices” and can run apps on an OS without a hypervisor VM, the hypervisor technology will be preserved because of the security benefit of adding another layer between the application and the infrastructure. In addition, Appenzeller said that adding security functions to VMs is an area of focus for VMware.
“An attacker can take over a virtual switch [not running on a hypervisor] and now they are on the network and they can compromise the network. Having a hypervisor here is a really good idea.”
VMware will introduce more secure virtualization technology so that containers can run inside of virtual machines, creating a more secure layer, said Appenzeller.
This is part of a larger trend toward the virtualization of all network functions, known as Network Functions Virtualization (NFV). Appenzeller says that security technology such as firewalls will migrate into the virtualized infrastructure because cloud services are not easily protected with hardware-based security appliances.
“This is really, really hard [protecting the network with hardware-based firewalls]. The first problem is sheer cost: You need the same firewall capacity as a top-of-rack switch. This would be cost prohibitive, and setting up the rules would be very complicated.
“If you move the firewalls to the virtual infrastructure, this becomes possible. How this works: If a VM is deployed, you automatically push out the firewall rules to the hypervisor. One big problem with firewalls is managing rules.”
Appenzeller said that VMware will be making technology moves in this area, though the specifics have not been announced. He hinted at one idea: that VMware is working on micro-segmentation by creating security modules that live within individual hypervisors and whose job is to manage security functions.
Appenzeller also gave a customer update on NSX. He said it now has 400 customers and 70 production deployments, that 80% of the top banks have purchased NSX, and that sales are doubling every six months.