The Data Center in a Switch

We all know how security has been baked into virtualization projects from day 0. Ok, enough joking. Given our history with virtualization I'm a little scared when I read stories like Dawn of the App Aware Network that show switches becoming giant VM servers. If you didn't think of your routers and switches already as computers, you won't be able to ignore it once they are running such complex applications. I am looking forward to seeing who manages these beasts: network team or server team? Who will get blamed for poor performance? I love how these products are supposed to solve problems when the end result could be greater conflict within the IT department. I guess it won't matter when company IT departments aren't running these devices at all, since IT will be a service offered by an outsourced providers.

Comments

Anonymous said…
Richard,
I work in one of those "outsourced providers" and the discussion is the same, only the organization has changed! The real question for guys like us is.... who gets to secure the beast. Operations are consolidating, including security functions, so that security often becomes an standards definition and audit function. So who in ops is going to step and say "I own the operation of security." I bet its a last man standing deal, as in the slow one who failed to run away fast enough.

Even better - are we as security people prepared to define the standards for operation in this environment? We had better be or else we will be smearing security on instead of baking it in.
12:01 PM
Anonymous said…
@Anonyous: ha, enjoyed your comment - you sound like someone that knows this first hand :-)

@Richard: My view is that virtualization is proving to be an irresistable argument for IT decision makers as they demonstrate cost out in a global economic environment that is hardly 'pucker'. However, my take is that this is just a bridge to when business computing is 'in the cloud'. The primary driver will be cost but it has the somewhat unintentional but convenient side-benefit that an org can blame someone else (assume a reputable someone else) when things go wrong. When I look at what companies like VMware are doing with infrastructure portability (e.g. VMotion) I imagine a near term future where an org dynamically picks up their IT infrastructure from one cloud provider and moves it to another when certain SLA's get breached. From an infosec perspective I agree with Mr Anonymous above - its about standards and audit. But if you've ever tried pen-testing 3rd party webhosting providers you'll know they like to keep the pen-test monkey in the cage (literally!). It will be interesting to see how this plays out...
1:11 PM
Michael Janke said…
As far as operational management and security goes, how far is this from the direction that blade servers are already taking? The Windows team buys a blade chassis with x86 blades, a Cisco switch module, a Brocade FC module, installs ESX on the blade (Red Hat), hosts Linux and Windows VM's, zones out a few lun's and uses the virtual switch in ESX to VLAN out a few networks.

They are either going to cross over into other disciplines in a big way, or the other disciplines are going to co-manage the resulting heap. If they cross over, they'll get to learn about spanning tree loops all over again, except this time the packets will be in an endless circle at terabit speeds instead of gigabit speed.

Who gets the SMS when the power supply fails? What about change management? And when subcomponent 6 needs a firmware update for whatever reason, who gets to analyze and deconflict all the microkernel, firmware, app server, and whatever run-time versions for the rest of mess? The vendor?

Wait - it's outsourced. It'll just magically happen.
10:33 PM
Anonymous said…
@michael Janke: Good points and ones I totally resonate with.

@Rich: This is the battle for the datacenter OS I was referring to. All a matter of perspective. Cisco's Nexus switch is initially pushed as a virtualization I/O platform, but their ultimate goal is to run the apps, also:

http://rationalsecurity.typepad.com/blog/2008/01/io-virtualizati.html

Remember that post a while ago re: replacing the virtual switch in ESX with Cisco's? It's getting closer...

/Hoff
2:37 PM
Anonymous said…
The trend is obvious (look no further than recent Nexus 7000s + FCoE = FiberChannel-over-Ethernet, and possibly DCE = DataCenterEthernet (a.k.a. LowLatencyEthernet + 10-40-100Gbps more switches (top-of-rack?!?) probably linking back into 7000s) ... and all seems to collapse into "one". VSS from the 6500s (and whatever this is called now in the Nexus family) is definitely a virtualization technology that I instantaneously embraced, as it allows not only combining power of multiple switches, but also (FINALLY!) taking the spanning tree out of the network. The Nexus 7000s OS (NX-OS) is also indicative of things to come = IOS + SAN-OS, on top of a Linux kernel ... how far do you think is the day when other apps (ESX?!?) could install on the same hardware ;)

So - we (network geeks) better become server experts, or SAN gurus learn IOS, or server people get their CCIE - to me this is exciting and challenging ... it was getting boring in the network, lately :)
11:21 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more