"The Box" has got to go

Historically, service providers either managed or hosted various parts of a customer infrastructure in their facilities.

(Image: © Image source: Shutterstock/everything possible)

In our increasingly agile world, on-demand and self-service have become the standard by which we measure the applications and services we use. By this standard, the cloud is perhaps the most powerful tool that we have available to us when it comes to creating truly agile enterprise computing platforms. Yet, we’ve barely come close to unlocking its potential, thanks to our continued reliance on hosted services that leverage the same technology that the networking and security industries have relied upon for years.  

This point is echoed in a recent blog post from CIMI Corporation President Tom Nolle on the topic of virtualized network functions. He writes, “If we shed the boundaries of devices to become virtual, shouldn’t we think about the structure of services in a deeper way than assuming we succeed by just substituting networks of instances for networks of boxes?” This is the central question when it comes to the evolution of the cloud services provided by ISPs, CSPs and MSSPs. 

Historically, service providers either managed or hosted various parts of a customer infrastructure in their facilities. This created a perception of cloud – a shift from capital expense to an operational expense model - but still relied on the same underlying technology. “The box,” i.e. the physical infrastructure, remained, and service providers still had to buy, configure, update, upgrade, patch and maintain it. They were not truly leveraging the power of the cloud, so the cost of services remained high and agility stayed low. As security expert Graham Cluley has pointed out, the cloud was basically just “someone else’s computer.” 

Enter network function virtualization (NFV). Many service providers are pushing internal projects to provide various networking and security functions as cloud services. NFV infrastructure involves a management and orchestration layer that determines which services should be activated for a customer, and VNFs (virtual network functions) that represent the services themselves. In the context of firewalls, for example, these are virtual appliances from companies like Fortinet and Cisco.  

Still, “the box” remains, and it needs to be managed as a single instance, configured, upgraded and patched. The capacity going through the appliance has to be sized and the underlying infrastructure to run them can be very volatile in terms of load. This is not an ideal cloud service model in any sense.  

Tom Nolle makes the point that in order to fully utilize the cloud’s potential, a new application has to be built that leverages its agility, flexibility, and elasticity. It is simply not possible to take legacy applications and expect them to become cloud aware. Here is how I think about the delivery of cloud-based networking and security services.

#1: Get close to the user

Currently, service providers’ infrastructure is centred around major population areas. This means that the service provider's network is not distributed enough to reach all end users. What would optimum distribution look like to power a better system? Gartner, as a rule of thumb, says a business user or location should have 25ms or less latency from the nearest point of presence. The edge must get closer to the end user for truly effective cloud security solutions to be universally available. 

#2: Make network services available everywhere

As Nolle notes in his piece, many of today’s application architectures are directly descended from technology that dates back decades. The result is software that is tightly bound with the appliance it runs on. To solve this, applications must become more componentized. In the case of network security, this looks like a networking and security stack that’s seamlessly available everywhere - routing, encryption, optimization, firewalling, advanced malware protection etc. End users should be able to plug into the service without the need to specifically deploy a dedicated application to serve them at the point of access. 

#3: Build a low latency, multi-tenant virtual network architecture 

The services network must be completely virtual, and this virtual network must operate independently of the underlying physical implementation which could spread over multiple points of presence. A low latency network backbone is essential to enable the physically distributed service to effectively maintain a single virtual network that is formed by all network access points. These can be datacentres, remote locations, cloud infrastructure and applications, as well as mobile users. Virtual networks are the basis for a multi-tenant architecture to support an independent network for each organization without dedicated components (i.e. appliances). This is only possible on a large scale if the underlying architecture is designed from the ground up to support virtual global network for multiple internets.

The bottom line is that architecture, not perception, matters. The network of the future, and its capabilities, must truly live in the cloud. Amazon was the first to deliver on agile and on-demand infrastructure that is available everywhere by building a new platform for the cloud. The same must happen for other pillars of the IT stack, like networking and security, before service providers and end customers can realize their full potential. 

Gur Shatz, co-founder and CTO, Cato Networks
Image source: Shutterstock/everything possible