Networks without Borders
Posted March 30, 2009
Look ma – no borders!
Enterprise networks are going through phenomenal transformations, driven by the business’ determination to reduce cost and become highly agile. In the process, both the internal and external borders (or edges, perimeters, boundaries) of enterprise networks are dissolving. Traditionally, network edges have been critical because many intelligent services are applied to traffic as it crosses the edge.
Canonically, network edges can be mapped into three main categories: Campus-facing, External-facing, and Server-facing. In the new world, all three network edges are being re-defined.
1) Campus-facing network edge: In a typical campus environment, end user devices – e.g. desktops, laptops, IP phones – connect to the network through wiring closet switches and wireless access points. With virtual desktop infrastructure (VDI), the PC itself is moving to the data center and hence is no longer connected to the campus edge. End users connect to their “data center PCs” via smart terminals (e.g. ones that support RDP – the remote desktop protocol). Cost savings are obvious: OS patching, HW/SW upgrades, etc. are now done centrally, and, thanks to server virtualization, server HW can be shared across multiple users. Edge features such as NAC, protocol recognition, … are no longer relevant on networking devices.
2) External-facing network edge: Traditionally, this edge delineated the trusted inside versus the untrusted outside using network firewalls. Firewalls provided controlled access to designated network segments, e.g. the demilitarized zone (DMZ) or the ExtraNet zone. Because inter-enterprise collaboration is rapidly becoming web based and identity driven, network firewalls are no longer effective in providing the necessary controls over HTTP and SSL transactions – these transactions pass straight through the FW! Controls need to move much closer to the servers/applications, taking into account user identity & attributes (not just source IP address), application attributes such as URLs & sub-sites & folders & files (not just destination IP address & port number) and potentially application-specific actions that are exposed in the protocol (e.g. via the HTTP query string, header attributes, methods and even the payload). This “vanishing perimeter” phenomenon has been widely covered in the industry, and vendors are providing appliance-based solutions to re-establish controls through policy-driven virtual zones (vZones).
3) Server-facing network edge: Not too long ago, physical servers connected to a “top of rack” or “end of rack” switch, which formed the server-facing network edge. With the advent of blade servers, this edge moved into the blade chassis in the form of a blade switch. Now, with server virtualization gaining prominence, the server-facing network edge has moved further out to the virtual “hypervisor” switch that connects multiple virtual machines within a server (or server blade). Interestingly, these virtual switches have so far been provided by server virtualization vendors; Cisco is the first traditional networking vendor to announce plans to offer its own virtual switch product, the Nexus 1000v.
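The external-facing edge discussion in item 2 argues that controls must key on user identity and attributes, the URL hierarchy (sub-sites, folders, files), HTTP methods, headers and the query string rather than on IP address and port. The following Python sketch is an added example, not code from this post or from any vendor’s product, of such a default-deny application-layer check; the group names, paths and the use of the X-Forwarded-Proto header to signal HTTPS are assumptions for the sake of illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Hypothetical application-layer control (added example, not any vendor's code).
# Every request below arrives on TCP/443, so a port-based rule admits all of them.
@dataclass
class Request:
    user: str
    groups: frozenset          # identity attributes asserted by the IdP (assumed)
    method: str
    path: str                  # /site/folder/file
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)

@dataclass
class Rule:
    path_glob: str             # URL scope, e.g. "/extranet/partnerA/*"
    methods: frozenset         # application actions exposed as HTTP methods
    any_group: frozenset       # requester must hold at least one of these
    required_headers: dict = field(default_factory=dict)
    denied_query_keys: frozenset = frozenset()

def rule_matches(rule: Rule, req: Request) -> bool:
    return (fnmatchcase(req.path, rule.path_glob)
            and req.method in rule.methods
            and bool(req.groups & rule.any_group)
            and all(req.headers.get(k) == v for k, v in rule.required_headers.items())
            and not (rule.denied_query_keys & set(req.query)))

def decide(policy: list, req: Request) -> str:
    # First matching rule allows; anything unmatched is denied (default deny).
    return "ALLOW" if any(rule_matches(r, req) for r in policy) else "DENY"
# Constructed policy: partners read their own folder over HTTPS only; internal
# admins may modify any extranet folder, but never with a ?debug= parameter.
POLICY = [
    Rule("/extranet/partnerA/*", frozenset({"GET"}), frozenset({"partnerA"}),
         required_headers={"X-Forwarded-Proto": "https"}),
    Rule("/extranet/*", frozenset({"GET", "PUT", "DELETE"}), frozenset({"admins"}),
         denied_query_keys=frozenset({"debug"})),
]
def evaluate_all() -> dict:
    https = {"X-Forwarded-Proto": "https"}
    reqs = {  # constructed requests; a port-level rule would allow every one
        "partner_reads_own":   Request("alice", frozenset({"partnerA"}), "GET", "/extranet/partnerA/q1.pdf", https),
        "partner_reads_other": Request("alice", frozenset({"partnerA"}), "GET", "/extranet/partnerB/q1.pdf", https),
        "partner_deletes":     Request("alice", frozenset({"partnerA"}), "DELETE", "/extranet/partnerA/q1.pdf", https),
        "admin_deletes":       Request("bob", frozenset({"admins"}), "DELETE", "/extranet/partnerA/q1.pdf"),
        "admin_debug_query":   Request("bob", frozenset({"admins"}), "PUT", "/extranet/partnerA/q1.pdf", query={"debug": "1"}),
    }
    return {label: decide(POLICY, r) for label, r in reqs.items()}
```

Only the first and fourth requests are allowed; the others are identical at the IP/port level yet differ in path, method, group membership or query string, which is exactly what a network firewall cannot see.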
Additionally, with the emergence of cloud computing, enterprise network edges are being extended into the cloud – sometimes deterministically and other times on demand, e.g. on a per application basis or even on a per workload basis. And, as the network edges get re-defined, so must the network design best practices. After a long pause, the new world of networking is getting interesting again!
Update (25 April 2009): A Network World article, “Cloud computing a ‘security nightmare,’ says Cisco CEO”, quoted Tom Gillis, vice president of marketing with Cisco’s Security Technology Business Unit: “The move to collaboration, whether it be video or the use of Web 2.0 technologies or mobile devices is really dissolving the corporate perimeter. This notion of security as a line that you draw in the sand… that notion is just gone.”