04/11/2014 12:08 PM

Networking, Security, And Grand Unified Theory

With a system that can address both networking and security in NSX, Martin Casado of VMware is borrowing an idea from the world of physics.

Security has been a hot topic in the networking world recently. For example, Martin Casado, CTO of networking at VMware, has been talking quite a bit about his vision for security. He appeared on the keynote stage with Pat Gelsinger at Interop Las Vegas and talked at length about the increasing amount of IT spending focused on security. He also laid the groundwork for his next big project, namely the integration of open policy-driven security through initiatives such as the OpenStack Congress project.

Casado's shift from open networking to security should not be surprising. He worked in the intelligence community early in his career, so he is well versed in security. Many think that this move signals his departure from the networking he has spent the last few years building. I believe it's exactly the opposite.

In the world of physics, there exists an idea that the fundamental forces of the universe are actually very similar in a given energy state. Experimentation has shown this time and again, however dissimilar the forces may look at first. This Grand Unified Theory works because these forces behave in the same predictable manner at a high-energy level.

On the surface, networking and security seem very different. Networking is fundamentally about the delivery of packets from one location to another. IT security is more about making sure packets don't get delivered based on a set of conditions. The two ideas couldn't be more different. Or could they?

What Casado is suggesting with his policy-based security could apply equally to networking as well. Why should restricting packet flows be the domain of security? Why should the network only be concerned with delivery? The context of a policy allows the systems to determine if a packet should be delivered or not. There is no need for external firewalls or detection devices. Security is integrated into the network, just as the fundamental forces are integrated at a high energy state.

This software-defined Unified Theory makes networking and security the same. Policy will determine how best to utilize resources for delivery or non-delivery. The constructs created to handle these decisions -- firewalls, IPS, and other devices -- will cease to exist as their functions are integrated into the larger network. This is possible only because software makes it practical to integrate security features directly into the network.

[Read about other use cases Martin Casado envisions for network virtualization in "VMware's Casado: Network Virtualization The Right Way."]

The basis for these ideas has already been explored in VMware's NSX; you can attach firewalls and load balancing devices to the end host with little added effort. The security is integrated into the network hypervisor.

The implications of this integration are huge for both the networking and security teams in IT organizations. Now, both teams can rapidly deploy services and applications without confusion and delay. Plain language can be used to describe outcomes without worrying about syntax issues between a security access control entry and a network access control list. Security is also an inherent part of the system at all levels rather than being spread thinly to critical areas.

The end result for physics and IT is the same. By understanding the higher-order interactions of the individual forces in the world, we gain a clearer picture of their behavior and can better plan for the future. As we learn how security and networking are linked and behave as one, our future systems will contain both elements in the correct proportions.

Software or Hardware?

"software-defined Unified Theory"?

Ohhh no you dit-'nt, girlfriend. SDUT? Minus one point for putting "Software Defined" in front of yet another concept. ;-)

To run with your Grand Unified Theory story, and quote Wikipedia (please forgive me):

"As of 2012, all GUT models which aim to be completely realistic are quite complicated, even compared to the Standard Model, because they need to introduce additional fields and interactions [...]. Due to this difficulty, and due to the lack of any observed effect of grand unification so far, there is no generally accepted GUT model."

In other words, it's a nice idea but we'll have to see if it eventually pans out the way it's hoped. What I'd say is that while the separation of networking and security is a current truism, that's mainly because security has by necessity (for scale and management) been deployed as separate dedicated devices. Now that we have this wonderful handle on distributed compute and virtualization, we can scale firewalls in a very different way, if we have the CPU cycles spare and the money to pay the appropriate licensing costs to instantiate all these firewalls.

I strongly believe that pushing security functions to the edge is a valuable step forward, not least because it's better to stop stuff before it wastes networking resource than once it has already used it and arrived at the destination. So at least within our sphere of influence, we can get more out of the network.

On the other hand, there's also no reason why such security functionality has to be distributed to hypervisors. In the last few paras you mention the concept of defining policies in more friendly terms, but once you have software in place to do that, it's a matter of taste whether you push that to a firewall, a hypervisor or, heaven forbid, a programmable edge switch. Protocols like OpenFlow (as an example) would facilitate using the network hardware to implement security for you.

Ultimately then, it comes down to the management plane as much as it does having security capabilities in the network or server hardware. Integrating that management with awareness of virtualization is critical, as well as being synced into any other automation processes so that the security device is aware of all deployments.

Re: Software or Hardware?

Plus 1! I nominate jgherbert as winner of the comment of the day!!!

Re: Software or Hardware?

I second the nomination!