SDN and NFV, meaning “network virtualization”, is obviously going to have a significant impact on networking overall, even parts of networking that might not seem to be obvious targets. We’ve had some announcements and M&A that illustrate this, and that offer us a chance to think about just how profoundly network virtualization could change things.
One of the most interesting M&A moves was Cisco’s announcement that they’re acquiring OpenDNS. Many of us are familiar with OpenDNS as an alternative provider of DNS services. While it’s not widely known, many of the “Internet problems” users experience aren’t their ISP’s network but their ISP’s DNS. The default behavior for most Internet clients is to obtain a DNS address from the provider, and that will almost always be the provider’s own DNS. If it’s overloaded or down, you’re in trouble. OpenDNS and Google DNS are alternatives that will nearly always work better for you.
That’s not why Cisco bought them, of course. While most people know OpenDNS for…well, obviously, DNS services, they got into security services starting three or four years ago, and it’s security that Cisco is most interested in. Given that Cisco has a pretty thriving security business you might wonder why, and I think that SDN and NFV are a part of the mix.
The big problem with Cisco’s security strategy, and almost everyone else’s, is that it depends on devices or functions that become a part of the network. In an age of virtualization, it’s harder for this approach to work, not because you can’t put functions into a virtual network but because you can put anyone’s functions there. The security function/appliance space is going to get very crowded, competitive, and commoditized.
OpenDNS is almost an analytic view of security, derived from understanding Internet addressing and activity. It’s holistic, it’s outside the traditional “network” of a user, and it’s an asset that would be much harder for a competitor to commoditize. It also works under nearly all of the foreseeable virtualized network models, even models that use SDN to segment networks into application or service-specific pieces (it’s not as useful in that case, IMHO, but it could still add value).
Perhaps the most interesting thing about OpenDNS’ approach is that it would in theory be possible to link the data that OpenDNS provides (via convenient APIs) with remediation software that might involve controlling legacy Cisco gear or even an SDN controller. If OpenDNS tools detected a DDoS attack it would be able to quench it, at least at a point close to the site being attacked. If the capability to quench was offered by operators as a service, it’s possible you could quench close to the source.
It’s also possible to use DNS tools to back-check IP addresses that are contacted by malware or to check source IP addresses of intruders. It’s not a normal DNS function, but if you assume that an access device has the ability to validate “new” incoming IP addresses or ones emerging from apps, it could reduce intrusions and keep Trojans from calling home.
You also have to wonder whether Cisco might have its eye on other DNS-based services that would be impacted by network virtualization. Load balancing is essential in NFV if you’re going to have failover or scaling of VNFs, and we know from the Metaswitch Project Clearwater example that you can do the job with a modified DNS.
Of course, all of this might be idle speculation. Cisco has bought a lot of companies that could have presented great strategic stories but nothing came of them. We’ll have to track the developments, and in particular how Cisco positions the security APIs, to get an idea.
The other interesting announcement is, in comparative industry terms, “deeper” because it involves network monitoring. NetScout is “combining” its monitoring business with Dahaner’s communications business, which includes Tektronix Communications, Arbor Networks, and Fluke Networks. Tektronix Communications has a broad portfolio of carrier-oriented stuff including some monitoring. Fluke Networks has monitoring products, and Arbor Networks is primarily a security company. The combination of these companies would create the biggest monitoring player by far and bring in related network technologies too.
Network monitoring hasn’t been exactly a hot sector, in no small part because most traditional monitoring tasks are simply too difficult for users to undertake even without the complication of virtualization. The advent of things like the cloud and SDN and NFV have generally caught the monitoring community unawares. The question I used to get when asked about monitoring in the virtual age was “what do the protocols look like?” indicating that the people thought all they had to do was understand the format of a new protocol or two.
SDN and NFV have a profound impact on monitoring. You almost have to think of the future in terms of “virtual probes” because everything in SDN and NFV moves around, and you don’t want to hairpin through physical probe points. I proposed the notion of “Monitoring as a Service” in the CloudNFV work in 2013, but nothing came of the effort.
MaaS was based on the idea that if you have virtualization in place on a large scale, you can deploy monitoring virtually and avoid the hairpinning. You could also establish specific probe points where you’d equipped your network with either taps or your infrastructure with high-performance hosting so that introducing DPI-based monitoring would be of limited impact. You could also link in edge elements that had knowledge of packet associations with services or applications, and of course tie in the service-to-resource bindings.
IMHO, there is no way to make traditional monitoring into a viable business for the same reason that security can’t keep on in the same old way. SDN and NFV change the game too much, and without a strategy to incorporate those changes into products, the NetScout/Danaher combination is simply consolidation.
We’ve not seen the end of this. There are going to be massive changes down the line, starting as early as next year, if SDN and NFV build as much momentum as they could. These two industry events prove that the big and small, “shallow” in technical terms and “deep”, are all going to have to face a virtual future unless both our revolutions stall for lack of support. Defensive vendors may hope for that outcome, but opportunity is its own reward and some vendors will surely take the aggressive track, leading the industry with them.