Let’s say you have a complex hybrid infrastructure. That is, you are standing up virtual machines and perhaps containers in a variety of places. Some of those workloads are in one or more public clouds. Some of those workloads are in your own privately owned facilities.
Now further imagine that workloads and workload locations are shifting regularly. Maybe workloads are moving around based on cost, or on desired performance characteristics. And beyond that, as application demands change, the number of application instances servicing user requests changes, scaling elastically up and down to balance performance against efficiency.
Now imagine that you need some of those workloads to be able to talk to each other. You don’t want to simply plumb highways between each of these environments and let everyone speak to everyone else. Rather, you want to limit who can talk to whom. This might be for multi-tenancy reasons. This might be to contain the inexorable spread of malware.
How do you accomplish this? Not by hand–that much is certain. There are several software entrants into this nascent space, offering controllers that let system operators define security policy centrally. That policy is then pushed to the endpoints, where it filters communications between each endpoint and the rest of the world.
Zentera is one such entrant, although interestingly, you can’t buy their product directly. Zentera partners with other vendors to deliver their technology. What is their technology? They call it “Cloud over IP®,” a term you’ll note they’ve registered. Essentially, Cloud-over-IP (CoIP®) is an agent-driven platform that stitches together hosts anywhere, using an SSL-based network overlay to provide both connectivity and security.
Got firewalls between environments, and don’t relish the thought of punching holes through them to permit SSL tunnels? Fear not. Zentera offers an edge gateway that will proxy SSL tunnels through firewalls for you, easing perimeter firewall administration requirements.
Zentera’s main components are a centralized controller and agents running on a variety of endpoints. Agents can be deployed on VMs, containers, and servers running most popular Linux distributions as well as Microsoft Windows Server 2008 and 2012. The agent receives its instructions from zCenter, Zentera’s central controller, which functions much like an SDN controller.
System operators interact with zCenter via a web portal or APIs to define security groups and policies. From those, zCenter derives the rules each host needs and pushes them to that host, so every host in the Zentera domain holds only the rules relevant to it, expressed from its own point of view: what may come in, what may go out. The controller is the arbiter of communications, and the agent the enforcer of rules. Is this traffic allowed in? Should this SSL tunnel be allowed out? The host OS kernel is still the originator of the traffic–the agent is merely the gatekeeper.
To enhance performance, traffic inspection is limited to the first packet of a flow. Once that first packet is found to comply with the security policy, the flow is recorded as established, and subsequent packets are matched against that flow entry rather than re-evaluated. This will sound familiar to folks who understand stateful firewalls, because that’s exactly what’s going on here–stateful firewalling is part of CoIP. Two things follow, as with any stateful firewall: the agent is making a connection-level decision rather than inspecting the payload of later packets, and a policy change only cuts off an already-established flow if the enforcement point also drops its state for that flow, which is worth confirming for any product built this way.
To stateful firewalling, Zentera adds a feature they call “application interlock.” Application interlock controls which applications running on the CoIP endpoint are able to access the CoIP network. Even when the host itself is permitted to talk to a peer, an application not on the list can’t use the overlay to do so, which helps contain malware that has landed on an otherwise-authorized host.
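The controller/agent split in the three paragraphs above, as an added example that is not part of the original article and is not Zentera’s code: a toy controller compiles group policy into per-host rules from each host’s point of view, and a toy agent enforces them statefully, evaluating the rules and an executable allowlist (standing in for “application interlock”) on the first packet of a flow only. Group names, addresses, ports, and executable paths are all constructed for the example; a real agent would learn the originating executable from the kernel’s socket ownership rather than from a field on the packet.

```python
"""Toy model of the controller/agent split described above (constructed example,
not Zentera code): the controller compiles group policy into the rules each host
needs from its own point of view; the agent enforces them statefully, checking
policy and the application "interlock" on a flow's first packet only.
Addresses, group names and executable paths are made up."""
from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Controller side: security groups (name -> members) and group-level policy
# as (source group, destination group, destination port). "web" spans two sites.
GROUPS = {"web": {"10.0.1.10", "192.168.5.20"}, "db": {"10.0.2.30"},
          "mgmt": {"172.16.0.5"}}
POLICY = [("web", "db", 5432), ("mgmt", "web", 22), ("mgmt", "db", 22)]

@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out", from the enforcing host's point of view
    peer: str        # remote address
    port: int        # destination port

def compile_rules(host: str) -> FrozenSet[Rule]:
    """Derive only the rules `host` needs, expressed from its own viewpoint."""
    rules = set()
    for src_g, dst_g, port in POLICY:
        if host in GROUPS[src_g]:
            rules.update(Rule("out", peer, port) for peer in GROUPS[dst_g])
        if host in GROUPS[dst_g]:
            rules.update(Rule("in", peer, port) for peer in GROUPS[src_g])
    return frozenset(rules)

# Agent side: the enforcer running on each endpoint.
FlowKey = Tuple[str, int, str, int, str]   # (src, sport, dst, dport, proto)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    app: Optional[str] = None   # originating executable; known only to the sender

@dataclass
class Agent:
    host: str
    rules: FrozenSet[Rule]
    interlock: FrozenSet[str]   # executables allowed to use the overlay at all
    flows: Set[FlowKey] = field(default_factory=set)   # established flows

    def handle(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.flows or rev in self.flows:
            return "allow:established"      # later packets are not re-evaluated
        if pkt.src == self.host:            # outbound: interlock, then policy
            if pkt.app not in self.interlock:
                return "deny:interlock"
            rule = Rule("out", pkt.dst, pkt.dport)
        elif pkt.dst == self.host:          # inbound: policy only
            rule = Rule("in", pkt.src, pkt.dport)
        else:
            return "deny:not-this-host"
        if rule not in self.rules:
            return "deny:policy"
        self.flows.add(key)
        return "allow:new"

    def update_rules(self, rules: FrozenSet[Rule], purge: bool = False) -> None:
        """New rule set from the controller. First-packet-only evaluation means a
        policy change alone leaves established flows up; they are cut only if
        the flow table is purged too."""
        self.rules = rules
        if purge:
            self.flows.clear()

def demo() -> Dict[str, str]:
    """Run a constructed scenario; return each decision keyed by a label."""
    web = Agent("10.0.1.10", compile_rules("10.0.1.10"), frozenset({"/usr/bin/psql"}))
    db = Agent("10.0.2.30", compile_rules("10.0.2.30"), frozenset())
    syn = Packet("10.0.1.10", 40000, "10.0.2.30", 5432, "tcp", "/usr/bin/psql")
    out = {}
    out["web->db first packet"] = web.handle(syn)
    out["web->db later packet"] = web.handle(replace(syn, app=None))   # app not re-checked
    out["db receives web"] = db.handle(replace(syn, app=None))
    out["db->web reply"] = web.handle(Packet("10.0.2.30", 5432, "10.0.1.10", 40000, "tcp"))
    out["rogue binary"] = web.handle(
        Packet("10.0.1.10", 40001, "10.0.2.30", 5432, "tcp", "/tmp/dropper"))
    out["web->web lateral"] = web.handle(
        Packet("10.0.1.10", 40002, "192.168.5.20", 5432, "tcp", "/usr/bin/psql"))
    web.update_rules(frozenset())               # controller revokes all rules ...
    out["revoked, existing flow"] = web.handle(syn)
    web.update_rules(frozenset(), purge=True)   # ... and the agent drops flow state
    out["revoked and purged"] = web.handle(syn)
    return out

if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label:24} {decision}")
```

The two web hosts never get a rule between themselves because no group policy names web as both source and destination, so the lateral attempt is denied even though both hosts are legitimate members of the domain. The last two decisions show the caveat that first-packet-only evaluation carries: revoking rules on the controller does nothing to a flow the agent has already admitted until the agent also discards its flow state.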
When workloads move, Zentera ensures that the security policy moves with it. The end result? Centrally managed security for dynamic multicloud computing environments.
If you’re interested in Zentera, you might see “Zentera Inside” branding being sold by cloud vendors like CenturyLink, Rackspace, AWS, and Microsoft Azure.
Not all vendors will use the Zentera brand, however. For instance, Zentera publicly lists partners such as McAfee, Palo Alto Networks, Red Hat, Symantec, Trend Micro, and VMware. Those partners might be leveraging Zentera in some of their products, but under their own flag instead of Zentera’s.
Zentera is growing their partner ecosystem, looking for technology and integration partners, channel partners, and cloud ecosystem partners.