
Saturday, Jan 30, 2010

Where ARE the Network Virtual Appliances?

A good friend of mine pinged me by email on Friday, asking me about Allan Leinwand's article on GigaOM entitled:

Where Are the Network Virtual Appliances?

As server virtualization moves into the enterprise and cloud data centers, networking needs to follow with virtual appliances.

I'm a long-standing believer in Allan's vision for network virtual appliances.

Yep. I've often taken to the soapbox and extolled the virtues of network appliances (though I tend to start with firewalls rather than routers and switches). I'm completely taken with the concept of appliances that can be virtualized and 'scaled up' to deal with demand, and 'scaled back' when demand is not great.

Allan's also making this very important point: the providers are making a real mistake with virtual network appliances by taking the images that have previously been poured into hardware and simply packaging them up as a virtual appliance (i.e., without the hardware). That is a dry hole.

If a vendor is going to sell network virtual appliances, the NVAs should be designed from the get-go to be scalable (both 'up' and 'out'), and designed with the notion that the 'appliance' is not just a physical appliance without the box. That is 'horseless carriage' product design, which casts new technologies in exactly the same roles as their precursors.

What Allan doesn't say is that this may require the wider deployment of network infrastructure designed specifically for virtualized appliances and converged IO. It's not just whitebox, commodity x86 hardware running general purpose virtual machine environments for server virtualization. Cisco's Datacenter 3.0 and UCS are a good place to look for guidance about how operating environments for network virtual appliances might evolve. Some interesting potential directions are showing up in product lines like Arista's vEOS and those of companies like 3Leaf. Yet another alternative future for NVAs comes from the chip makers, Intel in particular, as they start putting more specialized virtualization support into their chipsets, so that running virtual network appliances on 'commodity' infrastructure is encouraged and enhanced.

Now's the time to develop the principles on which those virtual firewalls, load balancers, port filters, distributed virtual switches, etc. get designed and the building starts. If there's one area that clearly must be addressed, and for which network virtualization may also be the answer, it's security. The notion of 'spreading traffic', like DDoS attacks, across multiple firewalls that one can spin up or down at will is arguably the way all kinds of network-oriented defense and access control should be done. I look to the efforts of people like Chris Hoff, Rich Mogull and Craig Balding not only to throw light on the specific demands for network security that result from the adoption of virtualization and clouds, but also to help think outside the box on how virtual networks and virtual network appliances can be the basis of solutions.