I admit that I'm often fascinated by the development of big iron and I also see how to some this seems at odds with my position that technology isn't the answer to the "security" problem. Then again, it really depends on what "question" is being asked, what "problem" we're trying to solve and when we expect to solve them.
It's pretty clear that we're still quite some time off from having secure code, solid protocols, brokered authentication and encryption and information-centric based controls that provide the assurance dictated by the policies described by the information itself.
In between now and then, we see the evolution of some very interesting "solutions" from those focused on the network and host perspectives. It's within this bubble that things usually get heated between those proponents who argue that innovation in networking and security is constrained to software versus those who maintain that the way to higher performance, efficacy and coverage can only be achieved with horsepower found in hardware.
I always find it interesting that the networking front prompts argument in this vein, but nobody seems to blink when we see continued development in mainframes -- even in this age of Web3.0, etc. Take IBM's Z10, for example. What's funny is that a good amount of the world still ticks due to big iron in the compute arena despite the advances of distributed systems, SOA, etc., so why do we get so wrapped up when it comes to big iron in networking or security?
I dare you to say "value." ;)
I've had this argument on many fronts with numerous people and realized that in most cases what we were missing was context. There is really no argument to "win" here, but rather a need for examination of what most certainly is a manifest destiny of our own design and the "natural" phenomena associated with punctuated equilibrium.
An Example: Cisco's New Hardware...and Software to Boot [it.]
Both camps in the above debate would do well to consider the amount of time and money a bellwether in this space -- Cisco -- is investing in a balanced portfolio of both hardware and software.
If we start to see how the pieces are being placed on Cisco's chess board, it makes for some really interesting scenarios:
- 40 core QuantumFlow processor
- The 7000 series Nexus switch
- The ASR 1000 featuring the QuantumFlow
- IOS-XE Virtualization for the ASR 1000 powered by KVM/Linux
Many will look at these developments and simply dismiss them as platforms that will only serve the very most demanding high-end customers, arguing that COTS hardware trumps the price/performance index when compared with specialty high-performance iron such as this.
This is a rather short-sighted perspective and one that cyclically has proven inaccurate.
The notion of hardware versus software superiority is a short-term argument which requires context. It's simply silly to argue one over the other in generalities. If you'd like to see what I mean, I refer you once again to Bob Warfield's "Multi-Core Crisis" meme. Once we hit cycle limits on processors, we always find that memory, bus and other I/O contention issues arise. It ebbs and flows based upon semiconductor fabrication breakthroughs and the evolution and ability of software and operating systems to take advantage of them.
Toss a couple of other disruptive and innovative technologies into the mix and the landscape looks a little more interesting.
It's All About the Best Proprietary Open Platforms...
I don't think anyone -- including me at this point -- will argue that a good amount of "security" will just become a checkbox in (and I'll use *gasp* Stiennon's language) the "fabric." There will always be point solutions to new problems that will get bolted on, but most of the security solutions out there today are becoming features before they mature to markets due to this behavior.
What's interesting to me is where the "fabric" is and in what form it will take.
If we look downrange and remember that Cisco has openly discussed its strategy of de-coupling its operating systems from hardware in order to provide for a more modular and adaptable platform strategy, all this investment in hardware may indeed seem to support this supposition.
If we also understand Cisco's investment in virtualization (à la VMware and IOS-XE) as well as how top-side investment trickles down over time, one could easily see how circling the wagons around both hardware for high-end core/service provider platforms [today] and virtualized operating systems for mid-range solutions will ultimately yield greater penetration and coverage across markets.
We're experiencing a phase shift in the periodic oscillation associated with where in the stack networking vendors see an opportunity to push their agenda, and if you look at where virtualization and re-perimeterization are pushing us, the "network is the computer" axiom is beginning to take shape again.
I find the battle for the datacenter OS between the software-based virtualization players and the hardware-based networking and security giants absolutely delicious, especially when you consider that the biggest in the latter (Cisco) is investing in the biggest of the former (VMware).
They're both right. In the long term, we're all going to end up with 4-5 hypervisors in our environments supporting multiple modular, virtualized and distributed "fabrics." I'm not sure that any of that is going to get us close to solving the real problems, but if you're in the business of selling tin or the wrappers that go on it, you can smile...
Imagine a blade server from your favorite vendor with embedded virtualization capabilities coupled with dedicated network processing hardware supporting your favorite routing/switching vendor's networking code and running any set of applications you like -- security or otherwise -- with completely virtualized I/O functions forming a grid/utility compute model.*
Equal parts hardware, software, and innovation. Cool, huh?
Now, about that Information-Centricity Problem...
*The reality is that this is what attracted me to Crossbeam: custom-built high-speed networking hardware, generic compute stacks based on Intel-reference designs, both coupled with a Linux-based operating system that supports security applications from multiple sources as an on-demand scalable security services layer virtualized across the network.
Trouble is, others have caught on now...