You do that with a virtual firewall on the host?
That's correct. They call it the logically distributed firewall.
Do you use VMware's virtual firewall for that?
Yes. Right now we're focusing on Layer 1-4 for their firewalling. Your higher level inspection is generally your north-south inspection, so we still have that hardware firewall at the edge, and we have other security devices that do the inspection before it reaches the data center. But we know we'd like to add some Layer 4-7 on the east-west traffic as well, so we're looking at vendors for that. And that's where this interesting philosophy called service chaining comes in.
With service chaining I can insert devices into traffic flows, but without the typical network limitations. Routing is not too specific, so today I've got to take all the traffic from this workload and route it to the firewall security device and then filter it and then send it. But why would I want to send my backup traffic to something like the web application firewall? So we tend to overload security devices because we had to have all the traffic go through them.
But with service chaining, the controller will be smart enough to say, "Oh, if that's Port 80 or 443, then shunt that traffic over through the web application firewall, but Port 7777 backup traffic, there's no sense sending you through there." So we can be much more selective about the traffic. And the whole idea is to decrease the amount of capacity we need to buy for those devices.
Coming back to the idea of bringing physical devices into the virtual world, can you expand on that?
We have some XML firewalls and some load balancers and credit card tokenization boxes, so from my app perspective, if I need to tokenize a credit card number I send it over there and get it back, and the same goes for other services.
Now if I create virtual interfaces on the hardware boxes that provide those services, then I can map those virtual interfaces to the overlay networks and make each box appear in several overlays. So now it's very simple for the service owners. They think they're talking to their token broker. "It's the same IP address space, so it must be my token broker." We've just obfuscated that and given them a presence inside their bubble.
Will you use OpenFlow to tie in some of this hardware?
The goal of the hardware vendors is to participate in the SDN network. And they have to because the whole thing is strung together with tunnels, if you look at it. Even with OpenFlow, it's still strung together with tunnels. So there has to be some way for the packet to know that it's got to go over to that switch and then deliver it to that switch with the VNI and have the VNI convert it to a VXLAN. Where does it get that information? The best place to get it from is the controller.