Start-up Nicira has revealed more detail about a novel network virtualisation technology that allows companies to create secure networks without having to rely on proprietary hardware.
Nicira gave further information on its Network Virtualization Platform (NVP) technology on Monday, and announced that large web-orientated companies like eBay, Rackspace and AT&T are customers. The software is designed to take the headache out of managing security policies across a large multi-vendor IT stack and is aimed at cloud providers.
How Nicira's network virtualisation works. Image credit: Nicira
"Network virtualisation frees cloud service providers from the tyranny of vendor lock-in, including slow network hardware upgrade cycles," Nicira wrote in a whitepaper (PDF). "In a virtualised network, security policies can be programmatically configured and centrally managed, then pushed to and enforced at the edge of the network."
NVP breaks the ties between networking equipment and the network itself, letting companies treat their equipment as a pool of network capacity, rather than a group of individual, isolated bits of hardware. It lets them create networks from layers two to seven of the Open Systems Interconnection model (OSI model) in software. In other words, NVP creates and manages a network from its basic point-to-point data transmission, right up to how it interfaces with the applications that the end-user sees.
"Nicira requires no hardware upgrades," the company wrote in the whitepaper, "if your hardware provides IP connectivity, you already have what is needed for the physical network."
NVP works in two ways, either by integrating the open-source Open vSwitch (OVS) software into server hypervisors or by placing OVS into a virtual or physical appliance. Data from either of these OVS installs feeds into an NVP Controller via an API. The controller sits on the edge of the network on a cluster of servers and manages the virtual network.
Security from the network edge
This means an NVP-enabled network can have real-time, centrally managed security policies that are administered from the network's edge. This gets rid of the problem of having to manually configure the rules and access control lists associated with inline routers and firewalls, the company said, which is helpful for major cloud companies with lots of equipment from different vendors. It also means that administrators can create isolated networks for individual customers' applications, allowing them to offer guarantees relating to data and how it moves through the network.
NVP can support "fully isolated, multi-tenant cloud environments," the company said — a key concern for colocation datacentre providers. ZDNet UK has visited many colocation datacentres where network isolation was achieved by sticking a single customer's gear in a metal cage with its own networking kit, and in some cases fibre out of the facility. NVP's approach would make all these approaches unnecessary, from an administrator's standpoint, as they could create this network security in software rather than hardware.
NVP can also cut a business's spend on networking hardware, as many of the typically costly features of high-end networking hardware can be implemented in software, Nicira said, prolonging the lifespan of routers and switches.
It integrates with all the major hypervisors — ESX, Xen, XenServer, KVM and Hyper-V. Because OVS sits inside the hypervisor, it breaks an application's dependency on the network, so administrators can move virtualised applications across their network without having to tweak the underlying hardware.
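The pattern described above (a central controller holding tenant-level policy on logical identities, compiled into rule tables that each hypervisor-resident edge switch enforces, so that a VM can move hosts without anyone editing policy) can be illustrated with a small model. The code below is an added example written for this article and is not Nicira's code, nor the NVP or Open vSwitch API; the tenants, VM names, hosts, IP addresses and the `Controller`, `EdgeSwitch` and `Policy` classes are all constructed for illustration.

```python
"""
Illustrative model of centrally managed, edge-enforced tenant isolation.
Added example; not Nicira/NVP code.  All tenants, hosts, VM names and
addresses are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

WILDCARD_PORT = 0  # dport value meaning "any destination port"


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    ip: str
    host: str  # hypervisor currently running this VM (physical location)


@dataclass
class Policy:
    """Tenant-level policy on logical identities: default deny, plus
    explicit cross-tenant allows of (src_tenant, dst_tenant, dport)."""
    allows: Set[Tuple[str, str, int]] = field(default_factory=set)

    def allow(self, src_tenant: str, dst_tenant: str, dport: int) -> None:
        self.allows.add((src_tenant, dst_tenant, dport))


@dataclass(frozen=True)
class EdgeRule:
    src_ip: str
    dst_ip: str
    dport: int  # WILDCARD_PORT or a concrete port
    action: str  # "allow" (anything unmatched is dropped at the edge)


class Controller:
    """Central controller: owns the VM inventory and the policy, and compiles
    a rule table for each host covering only the VMs that host runs."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.vms: Dict[str, VM] = {}

    def register(self, vm: VM) -> None:
        self.vms[vm.name] = vm

    def migrate(self, vm_name: str, new_host: str) -> None:
        """Move a VM to another hypervisor; policy is untouched, only
        the per-host rule tables need recompiling."""
        vm = self.vms[vm_name]
        self.vms[vm_name] = VM(vm.name, vm.tenant, vm.ip, new_host)

    def compile_for_host(self, host: str) -> List[EdgeRule]:
        rules: List[EdgeRule] = []
        local = [v for v in self.vms.values() if v.host == host]
        for src in local:
            for dst in self.vms.values():
                if src.name == dst.name:
                    continue
                if src.tenant == dst.tenant:
                    # Same tenant: any port is allowed.
                    rules.append(EdgeRule(src.ip, dst.ip, WILDCARD_PORT, "allow"))
                for st, dt, port in self.policy.allows:
                    if st == src.tenant and dt == dst.tenant:
                        rules.append(EdgeRule(src.ip, dst.ip, port, "allow"))
        return rules


class EdgeSwitch:
    """Hypervisor-resident switch: enforces the controller's rules for its
    own VMs' egress traffic; default deny for anything not listed."""

    def __init__(self, host: str, rules: List[EdgeRule]) -> None:
        self.host = host
        self.rules = rules

    def permits(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        for r in self.rules:
            if r.src_ip == src_ip and r.dst_ip == dst_ip and r.dport in (WILDCARD_PORT, dport):
                return r.action == "allow"
        return False


def build_controller() -> Controller:
    policy = Policy()
    policy.allow("acme", "shared-svc", 53)  # acme may query the shared DNS tenant
    ctl = Controller(policy)
    ctl.register(VM("acme-web", "acme", "10.0.1.10", "hv-a"))
    ctl.register(VM("acme-db", "acme", "10.0.1.20", "hv-b"))
    ctl.register(VM("globex-web", "globex", "10.0.2.10", "hv-a"))
    ctl.register(VM("dns", "shared-svc", "10.0.9.53", "hv-c"))
    return ctl


def demo() -> Dict[str, bool]:
    ctl = build_controller()
    edge_a = EdgeSwitch("hv-a", ctl.compile_for_host("hv-a"))
    results = {
        "same_tenant": edge_a.permits("10.0.1.10", "10.0.1.20", 5432),
        "cross_tenant": edge_a.permits("10.0.1.10", "10.0.2.10", 80),
        "cross_tenant_allowed_port": edge_a.permits("10.0.1.10", "10.0.9.53", 53),
        "cross_tenant_wrong_port": edge_a.permits("10.0.1.10", "10.0.9.53", 22),
    }
    # Live-migrate acme-web to hv-b: recompile both edges, no policy edit.
    ctl.migrate("acme-web", "hv-b")
    edge_a = EdgeSwitch("hv-a", ctl.compile_for_host("hv-a"))
    edge_b = EdgeSwitch("hv-b", ctl.compile_for_host("hv-b"))
    results["after_migration_same_tenant"] = edge_b.permits("10.0.1.10", "10.0.1.20", 5432)
    results["after_migration_cross_tenant"] = edge_b.permits("10.0.1.10", "10.0.2.10", 80)
    results["old_host_keeps_no_stale_rules"] = not any(r.src_ip == "10.0.1.10" for r in edge_a.rules)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes is the one the article attributes to Nicira: isolation is a property of the tenant identities held by the controller, not of which cage, cable or hypervisor a VM happens to sit on, so a migration changes only the compiled edge tables while the policy stays as written. A real deployment would also enforce on ingress and cover the hypervisor's own management traffic, which this sketch leaves out.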
NVP has been available since July 2011. Customers pay for it via a monthly subscription that scales according to how many virtual network ports they use. The software can work with the open-source OpenStack cloud administration platform.