Julian Stecklina · 4 min read

Introducing enclosed: Simplified Compartmentalization and VM Management

Management and secure configuration of virtual machines can be as daunting as navigating a labyrinth. Our powerful tool 'enclosed' effortlessly transforms the complex task of compartmentalizing and managing VMs into an intuitive and streamlined process. Overcome the intricacies of low-level tools and use a higher level of abstraction with 'enclosed'. Learn how to shield your virtual environments with unmatched ease and security in this article.

Introducing enclosed: Simplified Compartmentalization and VM Management

In the ever-evolving landscape of virtualization and system management, we announce enclosed: a robust solution designed to simplify management and secure compartmentalization of virtual machines (VM). With enclosed we address the challenges faced by users of low-level tools (such as libvirt): a higher level of abstraction and a user-friendly approach to creating and managing strongly isolated VM compartments. enclosed users manage virtual machines with mixed security levels efficiently.

libvirt is a powerful and widely-used toolkit for managing virtualized platforms, but it operates at a low level. It requires users to delve into intricate details of networking and security. Users are burdened with the responsibility of ensuring that VMs from different compartments remain isolated. This process can be complex, time-consuming, and prone to errors. enclosed takes care of that complexity.

Securing VMs with enclosed

Getting started with enclosed is simple. Define your compartments and VMs in the YAML configuration file, and let enclosed take care of the rest. Focus on your VMs and their applications. Leave the complexities of compartmentalization to us.

Our example configuration below describes two isolated compartments and three virtual machines. The two VMs in the worker compartment are security sensitive and must be isolated from the network. We want to route their traffic through a firewall VM in the other compartment. The firewall VM is the only one with access to the outside world.

To easily see the system we want to build, let’s visualize the setup:

The configuration is easily readable by humans and therefore simple to review and sufficiently high-level to be understood quickly.

# Compartments separate the resources of the system.
compartments:
  - name: worker
    description: Runs critical production services
    memory: 8GB
    cpus: 4

  - name: gateway
    description: Safely connects workers to the network
    memory: 2GB
    cpus: 2

# Virtual machines belong to specific compartments and have
# connection points for network devices and hardware.
virtual_machines:
  - name: worker0
    compartment: worker
    image: ubuntu20.04.img
    # This VM controls a device via RS232.
    devices:
      - rs232
    veth:
      - net0

  - name: worker1
    compartment: worker
    image: windows.img
    devices:
      - usb
    veth:
      - net0

  - name: firewall
    compartment: gateway
    image: fwos.img
    veth:
      - internet
      - net0
      - net1

# Finally, the different connection points of each VM are connected.
connections:
  - firewall:net0 <-> worker0:net0
  - firewall:net1 <-> worker1:net0
  # The firewall has a physical NIC mapped to one of its network devices.
  - firewall:internet = pci:03:01.0
  # This worker has direct access to a serial port.
  - worker0:rs232 = /dev/ttyS4
  # This worker sees all smart cards connected via USB.
  - worker1:usb = usb:class=smartcard:device=*

From this view, it can be clearly seen that our workers have no direct access to the outside world and their traffic is routed through the firewall. The firewall is itself the only component that can talk to the outside network.

The simply example illustrates only a fraction enclosed’s feature set. We may add a virtual network function as a companion to the firewall VM or introduce additional components that interact via vsocks.

enclosed: Your Shield in the Virtual Realm

enclosed enables users to create secure compartments and safely partition their systems by ensuring that compartments are isolated from each other. Our declarative approach removes the burden of determining the exact steps needed to achieve isolation. The result is a high-level interface that simplifies the creation isolated compartments.

Integrates with the Cyberus Hypervisor

enclosed is designed to work as part of the Cyberus Hypervisor. The Cyberus Hypervisor provides strong isolation between VMs. enclosed adds an intuitive configuration layer - free from clutter.

Focus on What Matters

enclosed allows users to focus on what they want to achieve. Describe VMs and communication channels between these VMs, free from the clutter of irrelevant details and rest assured these are the only communication channels.

enclosed introduces a straightforward YAML configuration that defines compartments and their respective VMs. This intuitive approach eliminates the need for users to manually write complex XML configurations or shell scripts. The high-level approach is easier to review and certify and allows users to focus on building their products and services.

Automated Isolation

With enclosed, the burden of ensuring VM isolation is lifted from the user. The system automatically handles segmentation of system resources, such as CPUs, memory, network devices, ensuring that VMs within different compartments remain securely isolated by default. There is no potential for oversights.

Secure Defaults

enclosed prioritizes security. It minimizes the risk of misconfigurations by having secure defaults. The system is designed to create a secure environment from the ground up, reducing the chance of accidental exposure or unwanted connectivity between VMs.

enclosed empowers users to isolate their workloads without the steep learning curve associated with low-level tools. Contact us to try enclosed today and experience a new level of simplicity.

Subscribe to our newsletter

Enter your email address below to stay up to date with latest news and updates on our enclosed.

Share: