The Wall of Fire – 07 – SDN and the future of firewalls

There has been quite a bit of ‘SDN-washing’ when it comes to what the future holds. Just because a product exposes an API does not mean it is software-defined: a REST interface bolted onto a box that still has to be configured device by device is not SDN. As the marketecture around next-generation firewalls hits its peak, we are nevertheless seeing genuinely new ways of provisioning and interacting with firewalls.

Cloud management platforms such as OpenStack and vCloud Director allow policy-driven software instantiation of firewalls, load balancers and other appliances such as IDS/IPS as part of a workflow. Combine this with OpenStack Neutron (whose plugins drive the underlying switches and whose security groups and firewall service provide the packet-filtering constructs) and the same workflow can provision switch ports, access lists, VLANs and more.

When you look at a cloud environment where workloads are driven dynamically by requirements, this becomes more important. There may be three different customers using different test environments that are provisioned on demand from a self-service catalogue. Logical isolation, firewalls and load balancers all require configuration, and there is potential overlap of the IP address space (each environment can reuse the same private range because each sits behind its own router and routing domain). A single public IP address could be NAT’d to the outside world, with a VPN back to the client site. Done by hand, all of that may take a single network administrator a day or two. In a software environment it can be automated, captured in a template, repeated for every customer and delivered from the catalogue. The network and firewall devices are taking orders from the CMP!
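To make the template-driven workflow above concrete, here is an added example of a per-tenant environment expressed as an OpenStack Heat template; it is not part of the original post. Each stack gets its own private network and router, so every tenant can reuse 10.0.0.0/24 without conflict, a Neutron security group acts as the workload firewall (default-deny inbound, HTTPS only from the client prefix), and a single floating IP is NAT’d to the workload through the tenant router. The external network name, the client prefix, and the image and flavor names are assumptions supplied as parameters; the VPN leg back to the client site (neutron-vpnaas) is left out.

```yaml
heat_template_version: 2016-10-14

description: >
  Added example: one isolated test environment per tenant, instantiated
  from the self-service catalogue. Launch once per customer with a
  different tenant_name and the private address space can overlap.

parameters:
  tenant_name:
    type: string
    description: Label prefixed to every resource created by this stack
  external_network:
    type: string
    description: Provider/external network for NAT (assumption, name may differ)
    default: public
  client_cidr:
    type: string
    description: Client prefix allowed to reach the service (assumed value)
    default: 203.0.113.0/24
  image:
    type: string
    default: cirros        # assumption: any small image in Glance
  flavor:
    type: string
    default: m1.tiny       # assumption: any small flavor

resources:
  tenant_net:
    type: OS::Neutron::Net
    properties:
      name: { list_join: ['-', [{ get_param: tenant_name }, 'net']] }

  tenant_subnet:
    type: OS::Neutron::Subnet
    properties:
      network: { get_resource: tenant_net }
      cidr: 10.0.0.0/24      # same range in every tenant stack
      ip_version: 4
      enable_dhcp: true

  # Per-tenant router: gives the overlapping subnet its own routing domain
  # and performs SNAT towards the external network.
  tenant_router:
    type: OS::Neutron::Router
    properties:
      name: { list_join: ['-', [{ get_param: tenant_name }, 'rtr']] }
      external_gateway_info:
        network: { get_param: external_network }
        enable_snat: true

  router_iface:
    type: OS::Neutron::RouterInterface
    properties:
      router: { get_resource: tenant_router }
      subnet: { get_resource: tenant_subnet }

  # The "firewall" for the workload. Listing an egress rule makes Heat
  # remove Neutron's default allow-all egress, so egress is explicit too.
  workload_fw:
    type: OS::Neutron::SecurityGroup
    properties:
      name: { list_join: ['-', [{ get_param: tenant_name }, 'fw']] }
      description: Default-deny ingress; HTTPS only from the client prefix
      rules:
        - direction: ingress
          protocol: tcp
          port_range_min: 443
          port_range_max: 443
          remote_ip_prefix: { get_param: client_cidr }
        - direction: egress
          protocol: udp
          port_range_min: 53
          port_range_max: 53
          remote_ip_prefix: 0.0.0.0/0
        - direction: egress
          protocol: tcp
          port_range_min: 443
          port_range_max: 443
          remote_ip_prefix: 0.0.0.0/0

  workload_port:
    type: OS::Neutron::Port
    properties:
      network: { get_resource: tenant_net }
      security_groups: [ { get_resource: workload_fw } ]

  workload:
    type: OS::Nova::Server
    properties:
      image: { get_param: image }
      flavor: { get_param: flavor }
      networks:
        - port: { get_resource: workload_port }

  # Single public address NAT'd to the workload via the tenant router.
  public_ip:
    type: OS::Neutron::FloatingIP
    depends_on: router_iface
    properties:
      floating_network: { get_param: external_network }
      port_id: { get_resource: workload_port }

outputs:
  public_address:
    description: Address the client reaches the service on
    value: { get_attr: [public_ip, floating_ip_address] }
```

Instantiated with `openstack stack create -t tenant-env.yaml --parameter tenant_name=customer-a customer-a` (and again with `customer-b`), the two stacks each carry 10.0.0.0/24 behind their own router, and the only inbound path to each is TCP 443 from `client_cidr`. Because the rule set lives in the template, the firewall policy is reviewed and versioned alongside the rest of the environment rather than typed into a device.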

With software driving the next-generation data centre there are benefits for every consumer of virtualization. As IT departments seek to reduce cost, the ability to service-chain and deliver in-hypervisor services improves time to market. It is reassuring to know that network services can be deployed with the correct settings via automated processes, reducing the scope for human error, at a lower cost than ever; the caveat is that a flawed template is deployed just as consistently as a correct one, so the policy and template now deserve the review effort that used to go into each change. True self-provisioning, which has been around in the server virtualization space for some time now, is here for the network.

Auditing will be much simpler and tie up far fewer people, as logs and transaction records will show exactly what changes were made and when. The ability to interrogate the software in real time, including pulling the rule sets in force back into a management platform like vCOPS/vCD or OpenStack, is unprecedented.

The future is bright for firewalls. There has been a long-standing bugbear with these platforms: their features have not kept up, their ability to meet the requirements of modern networks has not matched current workloads, or their criticality has crippled change and progress. With service chaining, automation and dynamic rule creation driven by programmed policy, there is a chance to raise the profile of the firewall to new heights whilst keeping it out of the way in the background.
