“What is the easiest way to securely connect tens of thousands of computers, hosted at multiple cloud service providers in dozens of locations around the globe?”
We think it’s Nebula; which is why we chose it to be the foundation for Enclave. A few years ago Ryan Huber and Nate Brown–then security architects at Slack–, pondered that very question and two years ago they shared their answer with the world.
What is Nebula? In their own words
Nebula is a mutually authenticated peer-to-peer software defined network built on the Noise Protocol Framework.
It uses certificates to assert a node’s IP address, name, and membership within user-defined groups.
Nebula’s user-defined groups allow for provider agnostic traffic filtering between nodes. Discovery nodes allow individual peers to find each other and optionally use UDP hole punching to establish connections from behind most firewalls or NATs.
Users can move data between nodes in any number of cloud service providers, data centers, and endpoints, without needing to maintain a particular addressing scheme.
Nebula uses Elliptic-curve Diffie-Hellman (ECDH) key exchange and AES-256-GCM in its default configuration. Nebula can be configured to CHACHA-20 if desired.
Why build Enclave, with Nebula?
Our motivations for building Enclave are covered in another post but in short we chose Nebula for its stability, scalability and inclusion of elements important to security; like identity and encryption. In our quest to simplify cybersecurity for businesses of all sizes we realized the opportunity Nebula presented to bring microsegmentation to the masses.
As great as it is, we knew it needed a bit of polish to make it more approachable to someone with not a lot of time to tinker. So we set out to build a radically simple experience that enables even the most novice among us to complete the objective; which is successfully segment the network.
The Bureau of Labor Statistics expects computer network architect positions in the U.S. to grow five percent between 2019 and 2029. That’s a lot of opportunities to support todays’ cybersecurity newbies to develop into the cybersecurity professionals of tomorrow.
The deceptively simple click & drag interface is the first element you’ll notice. Behind its simple frame is an extremely powerful protocol capable of equally supporting organizations with 3 or 30000 connections with equal deference.
Support is the second element. Nebula is a powerful tool for enabling connection, the open source community around it is a valuable resource when figuring out how to create new things with it; but the process, while fun, is time intensive. We knew we needed to remove work from the end user’s plate; not add more tasks however enjoyable they might be. So we built a very short onboarding experience, with a dedicated support and service team into Enclave. We’ve deployed Enclave in as little as 15 minutes, and though environments vary greatly, we’ve built an experience we’d be happy to maintain; so we include in most subscription tiers and will maintain it for you.
And there’s much more in store. Nebula is community reviewed and approved. It’s used and is constantly improved by experts. We’ll continue developing feature sets on it, as new needs emerge and as we hear from the you, our community, about what would make it perfect for you.
We are already thinking about Enclave’s role in a post-quantum world. When our data security needs inevitably shift, and new vulnerabilities present, we’ll be ready. The underlying tech is sound, stress tested and is built with security in mind. There’s really not much more we could ask for. H/t to Ryan and Nate for their contribution to the community. Thank you for building something so great and sharing it with the world so we can all be safer, in community and connected to each other.