Security has been a hot topic in the networking world recently. For example, Martin Casado, CTO of networking at VMware, has been talking quite a bit about his vision for security. He appeared on the keynote stage with Pat Gelsinger at Interop Las Vegas and talked at length about the increasing amount of IT spending focused on security. He also laid the groundwork for his next big project, namely the integration of open policy-driven security through initiatives such as the OpenStack Congress project.
Casado's shift from open networking to security should not be surprising. Early in his career he worked in the intelligence community, so he is well versed in security. Many think this move signals his departure from the networking he has spent the last few years building. I believe it is exactly the opposite.
In the world of physics, there exists an idea that the fundamental forces of the universe are actually very similar at a given energy state. This has been proven time and again via experimentation, no matter how dissimilar the forces may initially look. This Grand Unified Theory works because the forces behave in the same predictable manner at a high energy level.
On the surface, networking and security seem very different. Networking is fundamentally about the delivery of packets from one location to another. IT security is more about making sure packets don't get delivered based on a set of conditions. The two ideas couldn't be more different. Or could they?
What Casado is suggesting with his policy-based security applies equally to networking. Why should restricting packet flows be the domain of security? Why should the network only be concerned with delivery? The context of a policy allows the system to determine whether a packet should be delivered or not. There is no need for external firewalls or detection devices. Security is integrated into the network, just as the fundamental forces are integrated at a high energy state.
This software-defined Unified Theory makes networking and security the same. Policy will determine how best to utilize resources for delivery or non-delivery. The constructs created to handle these decisions -- firewalls, IPS, and other devices -- will cease to exist as their functions are integrated into the larger network. This is only possible because software integrates the security features into the network itself.
[Read about other use cases Martin Casado envisions for network virtualization in "VMware's Casado: Network Virtualization The Right Way."]
The basis for these ideas has already been explored in VMware's NSX: you can attach firewalls and load-balancing devices to the end host with little added effort. The security is integrated into the network hypervisor.
The implications of this integration are huge for both the networking and security teams in IT organizations. Both teams can now rapidly deploy services and applications without confusion and delay. Plain language can be used to describe outcomes without worrying about syntax differences between a security access control entry and a network access control list. Security also becomes an inherent part of the system at all levels rather than being spread thinly across a few critical areas.
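To make the "one policy decides delivery" idea concrete, here is an added example (not code from the article or from VMware's NSX): a tiny engine where plain-language-style policy rows are the single source of truth for whether a packet is delivered, and the conventional ACL view is derived from those same rows rather than maintained separately. The tier labels, addresses and policy rows are constructed for the example.

```python
# Added example: one policy drives both the forwarding decision and the ACL view.
from dataclasses import dataclass

# Constructed sample data: endpoints tagged by tier, the way a network
# hypervisor would label attached workloads (hypothetical addresses).
TIER_OF = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app", "10.0.3.30": "db",
}

# Each row reads as a sentence: "<src tier> may reach <dst tier> on <proto>/<port>".
# Anything not listed is denied by default, in both directions.
POLICY = [
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 5432),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def decide(pkt: Packet) -> tuple[str, str]:
    """Return (action, reason) for a packet; default deny when no row matches."""
    src_tier = TIER_OF.get(pkt.src)
    dst_tier = TIER_OF.get(pkt.dst)
    if src_tier is None or dst_tier is None:
        # An unlabeled endpoint has no policy context, so it gets nothing.
        return ("drop", "unknown endpoint")
    for s, d, proto, port in POLICY:
        # Rows are directional: app->web on 8080 does not match web->app.
        if (s, d, proto, port) == (src_tier, dst_tier, pkt.proto, pkt.dport):
            return ("deliver", f"{s}->{d} {proto}/{port}")
    return ("drop", f"no policy for {src_tier}->{dst_tier} {pkt.proto}/{pkt.dport}")


def render_acl(policy=POLICY) -> list[str]:
    """Derive a classic ACL listing from the same rows, with an explicit final deny."""
    lines = [f"permit {proto} tier:{s} tier:{d} eq {port}" for s, d, proto, port in policy]
    lines.append("deny ip any any")
    return lines
```

Because `decide` and `render_acl` read the same rows, a change to the policy changes the forwarding behaviour and the security listing together, which is the mismatch the article says disappears.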
The end result for physics and IT is the same. By understanding the higher-order interactions of the individual forces in the world, we gain a clearer picture of their behavior and can better plan for the future. As we learn how security and networking are linked and behave as one, our future systems will contain both elements in the correct proportions.