The Network Is the Computer…(Is the Network, Is the Computer…)
If there's one motif emerging from VMworld this year, it's very much the maxim "be careful what you ask for, because you might just get it."
The precipitate convergence of virtualized compute, network and storage is really beginning to take significant form; after five hard years of hungering for the materialization of the technology, enterprise architecture, and market/business readiness, the notion of a virtualized datacenter OS with a value proposition larger than just "cost-optimized infrastructure" has now become a deliciously palpable reality.
The overlap and collision of many leading technology providers' "next generation" datacenter (OS) blueprints is something I have written about before. In many cases there's reasonable alignment between the overall messaging and promised end result, but the proof is in the implementation pudding. I'm not going to rehash this here because I instead want to pick on something I've been talking about for quite some time.
From a network and security perspective, things are about to (again) fundamentally and profoundly change in terms of how we operationally design, provision, orchestrate, manage, govern and secure our infrastructure, applications and information. It's important to realize that this goes way beyond just adding a 'v' to the name of a product.
What's incredibly interesting is the definition and context of where and what makes up the "network" that transports all our bits and how the resources and transports interact to deliver them securely.
It should be clear that even in a homogenous platform deployment, there exists an overwhelming complex conglomerate of mechanisms that make up the machinery enabling virtualization today. I think it's fair to say that we're having a difficult time dealing with the non-virtualized model we have today. Virtualization? She's a cruel mistress bent on reminding us we've yet to take out the trash as promised.
I'm going to use this post to highlight just how "complexly simple" virtual networking and security have become using as an example the last two days' worth of announcements, initiatives and demonstrations of technology and solutions from Intel, VMware, Cisco and the dozens of security ISV's we know and love.
Each of the bumps in these virtual wires deserves its own post, which they are going to get, especially VMware's vNetwork/VMsafe, distributed network switch, and Cisco's Nexus 1000v virtual switch announcements. I'm going to break each of these elemental functions down in much more detail later as they are simply amazing.
Now that networking is abstracted across almost every layer of this model and in many cases managed by separate organizational siloes and technologies, how on earth are we going to instantiate a security policy that is consistent across all strata? We're used to this problem today in physical appliances, but the isolation and well-definable goesinta/goesouta perimeterized boundaries allow us to easily draw lines around where these policy differentials intersect.
It used to be the devil you knew. Now it's eleven different devils in disguise.
As you visualize the model below and examine how it applies to your experience, I challenge you to tell me where the "network" lives in this stack and how, at a minimum, you think you're going to secure it. This is where all those vendor roadmaps that are colliding and intersecting start to look like a hodgepodge:
In the example model I show here, any one of these elements — potentially present in a single VMware ESX host — can directly or indirectly instantiate a set of networking or security functions and policies that are discrete from one another's purview but ultimately interrelated or even dependent in ways and using methods we've not enjoyed before.
In many cases, these layered components are abstracted from one another and managed by separate groups. We're seeing the re-emergence of network-centricity, it's just that the network is camouflaged in all its cloudy goodness. This isn't a story where we talk about clearly demarcated hosts that plug into "THE" network, regardless of whether there's a hypervisor in the picture.
Here's where it gets fun…
In this model you have agents in the Guest OS interacting with security/networking virtual appliances on the ESX host either inline or via vnetworking APIs (switching or security), which in turn use a fastpath networking kernel driver connected to VMware's vSwitch, while another VA/VM is connected to a Cisco Nexus 1000v vSwitch implemented as a second distributed virtual network switching fabric, all of which are running atop an Intel CPU utilizing SR-IOV via VT-d in the chipset, which in turn allows VMs to direct attach (bypassing the VMM) to NIC cards with embedded switching connected to your network/storage fabrics…
Mass hysteria, cats and dogs living together…
So I'll ask you again: "Where's the network in that picture?" Or, more precisely, "where isn't it?"
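To make the "where isn't it?" question concrete, here is a small added model (not code from the original post or from any vendor named in it) of the enforcement points in the stack described above. Each VM is given the ordered list of layers its packets are assumed to traverse; a VM that direct-attaches via SR-IOV is modelled as never touching the vSwitch or a security virtual appliance, per the post's "bypassing the VMM" remark. The layer names, the per-layer capabilities and the three sample VMs are all constructed assumptions for illustration, not a description of how any specific product actually behaves.

```python
"""Toy model of where a security policy can be enforced on a virtualized host.

Added illustration, not from the original post. Which layers a packet
traverses and which controls a layer can enforce are assumptions of this
model, not statements about VMware, Cisco or Intel products.
"""
from dataclasses import dataclass

# Enforcement points, innermost (guest) to outermost (physical fabric).
LAYERS = ("guest_agent", "security_va", "vswitch",
          "nexus_1000v", "sriov_nic", "physical_fabric")


@dataclass(frozen=True)
class VmAttachment:
    name: str
    path: tuple          # layers a packet from this VM traverses (assumed)
    has_agent: bool = False   # guest OS agent installed?


@dataclass(frozen=True)
class Policy:
    # control name -> layers assumed capable of enforcing it
    controls: dict


def traversed(vm):
    """Ordered list of layers that actually see this VM's traffic."""
    layers = list(vm.path)
    if vm.has_agent:
        layers.insert(0, "guest_agent")
    return layers


def coverage(vm, policy):
    """For each control, the traversed layers able to enforce it."""
    seen = traversed(vm)
    return {ctl: [layer for layer in seen if layer in capable]
            for ctl, capable in policy.controls.items()}


def gaps(vm, policy):
    """Controls that no traversed layer can enforce for this VM."""
    return sorted(ctl for ctl, where in coverage(vm, policy).items() if not where)


def redundant(vm, policy):
    """Controls enforced at more than one layer: these are the 'policy
    differentials' that have to be kept consistent across silos."""
    return sorted(ctl for ctl, where in coverage(vm, policy).items() if len(where) > 1)


def audit(vms, policy):
    """Summarize gaps and overlaps for every VM on the host."""
    return {vm.name: {"gaps": gaps(vm, policy), "redundant": redundant(vm, policy)}
            for vm in vms}


# Constructed sample policy: which layer is assumed able to do what.
POLICY = Policy(controls={
    "l2_acl": {"vswitch", "nexus_1000v", "physical_fabric"},
    "stateful_inspection": {"guest_agent", "security_va"},
    "vlan_isolation": {"vswitch", "nexus_1000v", "sriov_nic", "physical_fabric"},
})

# Constructed sample VMs on one host, attached three different ways.
WEB01 = VmAttachment("web01", ("security_va", "vswitch", "physical_fabric"), has_agent=True)
DB01 = VmAttachment("db01", ("nexus_1000v", "physical_fabric"))
HPC01 = VmAttachment("hpc01", ("sriov_nic", "physical_fabric"))   # direct attach, bypasses VMM
HOST_VMS = (WEB01, DB01, HPC01)

if __name__ == "__main__":
    for name, result in audit(HOST_VMS, POLICY).items():
        print(f"{name}: gaps={result['gaps']} redundant={result['redundant']}")
```

Run as a script, it reports that only the VM behind the inline appliance gets stateful inspection, that the SR-IOV VM is invisible to every hypervisor-level control, and that even the "fully covered" VM has three controls each enforced in two places, which is exactly the consistency problem the post is pointing at. In practice, the interesting part is replacing the constructed `POLICY` and `HOST_VMS` with what your own inventory and vendor documentation actually say each layer can see and do.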
This is so hugely profound, but that may be because I've been exposed to each of the bubbles in this diagram and see how each of them relates or does not. When you step back and look at how, as an example, Cisco and VMware are both going through strategic sea changes in how they are thinking about networking and security, it's truly amazing, but I think the notion of network intelligence is a little less cut and dried than some might have us believe.
Is this as mind-blowing to you as it is to me? If not, wait until I rip open the whole vNetworking and Nexus 1000v stuff. Very, very cool.
/Hoff
@Hoff
You hit it on the nose in terms of the sea change happening right now. The reason we created VN-link was in recognition that the VM is the new building block in the data center and we need to do things differently from a network and storage perspective to support that.
Looking forward to hearing your perspectives and what you think the next steps need to be. If you are still at VMworld, swing by the booth.
Omar Sultan
Cisco
Yowza.
In the "good old days" the policy you'd want to configure your infrastructure with bordered on unknowable (too many users, too many needs, too much change, etc.) but at least the infrastructure was relatively straightforward. Now perhaps the infrastructure becomes unknowable as well. Smells like an opportunity to me 🙂
–Ted
Seatbelts, Seatbacks, and Traytables Folks – Virtualization Changes Everything
If you're not reading Chris Hoff's blog, you probably should be. There are a ton of reasons, but among them is that he's mining the intersection of security and virtualization like no one else I know of. There are a
My university professor must have been a visionary because he predicted just this about 10 years ago.
I think maybe we have reached the point (again) where the network is just too complex to protect.
We may just have to go back to assuming that the network is unsafe and protect each bit of information.
Or we may need to standardise on one protection mechanism and treat it like we would a physical device.
Or maybe create pockets of systems and just protect the information that moves between the pockets.
We need a "network fabric" object that defines a set of attributes, functions, events, API …
Then the vendors can go innovate like crazy and as long as their instantiation of a "network" supports the standard object definition and API …
We can build technology that will monitor, manage and secure it.
If we don't get a common object framework that defines "network" then we are going to have some interesting (as in Chinese curse) times.
Michael
To your question: "Is this as mind-blowing to you as it is to me? If not, wait until I rip open the whole vNetworking and Nexus 1000v stuff."
You're damn right it's mind-blowing. And thanks for laying this out so clearly, Hoff. I'm looking forward to more of the vNetworking and Nexus 1000V stuff. I hope I can throw in a few worthwhile observations we've made at Replicate.
I'd also like to point out that when taking a look at virtualized datacenter infrastructure with other types of service levels in mind … particularly that of resilience rather than security … most of the same comments hold true, and for the same reasons.
Where is the network? Hah! Where ISN'T it a network in the virtualized datacenter??
"…it's just that the network is camouflaged in all its cloudy goodness."
"Mass hysteria, cats and dogs living together…"
Do I smell a fellow Whedon fan? 🙂
Bittman (Gartner) on VDC Infrastructure Management
Whedon ??? More like Akroyd and Ramis.
Dr. Peter Venkman: This city is headed for a disaster of biblical proportions!!… Human sacrifice, dogs and cats living together… mass hysteria!