Tuesday, March 18, 2008

The Data Center in a Switch

We all know how security has been baked into virtualization projects from day 0. Ok, enough joking. Given our history with virtualization I'm a little scared when I read stories like Dawn of the App Aware Network that show switches becoming giant VM servers. If you didn't think of your routers and switches already as computers, you won't be able to ignore it once they are running such complex applications. I am looking forward to seeing who manages these beasts: network team or server team? Who will get blamed for poor performance? I love how these products are supposed to solve problems when the end result could be greater conflict within the IT department. I guess it won't matter when company IT departments aren't running these devices at all, since IT will be a service offered by an outsourced providers.

5 comments:

Anonymous said...

Richard,
I work in one of those "outsourced providers" and the discussion is the same, only the organization has changed! The real question for guys like us is.... who gets to secure the beast. Operations are consolidating, including security functions, so that security often becomes an standards definition and audit function. So who in ops is going to step and say "I own the operation of security." I bet its a last man standing deal, as in the slow one who failed to run away fast enough.

Even better - are we as security people prepared to define the standards for operation in this environment? We had better be or else we will be smearing security on instead of baking it in.

Craig Balding said...

@Anonyous: ha, enjoyed your comment - you sound like someone that knows this first hand :-)

@Richard: My view is that virtualization is proving to be an irresistable argument for IT decision makers as they demonstrate cost out in a global economic environment that is hardly 'pucker'. However, my take is that this is just a bridge to when business computing is 'in the cloud'. The primary driver will be cost but it has the somewhat unintentional but convenient side-benefit that an org can blame someone else (assume a reputable someone else) when things go wrong. When I look at what companies like VMware are doing with infrastructure portability (e.g. VMotion) I imagine a near term future where an org dynamically picks up their IT infrastructure from one cloud provider and moves it to another when certain SLA's get breached. From an infosec perspective I agree with Mr Anonymous above - its about standards and audit. But if you've ever tried pen-testing 3rd party webhosting providers you'll know they like to keep the pen-test monkey in the cage (literally!). It will be interesting to see how this plays out...

Michael Janke said...

As far as operational management and security goes, how far is this from the direction that blade servers are already taking? The Windows team buys a blade chassis with x86 blades, a Cisco switch module, a Brocade FC module, installs ESX on the blade (Red Hat), hosts Linux and Windows VM's, zones out a few lun's and uses the virtual switch in ESX to VLAN out a few networks.

They are either going to cross over into other disciplines in a big way, or the other disciplines are going to co-manage the resulting heap. If they cross over, they'll get to learn about spanning tree loops all over again, except this time the packets will be in an endless circle at terabit speeds instead of gigabit speed.

Who gets the SMS when the power supply fails? What about change management? And when subcomponent 6 needs a firmware update for whatever reason, who gets to analyze and deconflict all the microkernel, firmware, app server, and whatever run-time versions for the rest of mess? The vendor?

Wait - it's outsourced. It'll just magically happen.

Anonymous said...

@michael Janke: Good points and ones I totally resonate with.

@Rich: This is the battle for the datacenter OS I was referring to. All a matter of perspective. Cisco's Nexus switch is initially pushed as a virtualization I/O platform, but their ultimate goal is to run the apps, also:

http://rationalsecurity.typepad.com/blog/2008/01/io-virtualizati.html

Remember that post a while ago re: replacing the virtual switch in ESX with Cisco's? It's getting closer...

/Hoff

netfortius said...

The trend is obvious (look no further than recent Nexus 7000s + FCoE = FiberChannel-over-Ethernet, and possibly DCE = DataCenterEthernet (a.k.a. LowLatencyEthernet + 10-40-100Gbps more switches (top-of-rack?!?) probably linking back into 7000s) ... and all seems to collapse into "one". VSS from the 6500s (and whatever this is called now in the Nexus family) is definitely a virtualization technology that I instantaneously embraced, as it allows not only combining power of multiple switches, but also (FINALLY!) taking the spanning tree out of the network. The Nexus 7000s OS (NX-OS) is also indicative of things to come = IOS + SAN-OS, on top of a Linux kernel ... how far do you think is the day when other apps (ESX?!?) could install on the same hardware ;)

So - we (network geeks) better become server experts, or SAN gurus learn IOS, or server people get their CCIE - to me this is exciting and challenging ... it was getting boring in the network, lately :)