The Software Defined Perimeter, Led By Open Source
In the early 1990s, I was a software consultant with Digital Equipment Corporation, an influential computer company in its day. At one of our semi-annual VMS Partner meetings, I had the privilege of listening to a presentation from a software visionary named David Stone about a revolutionary concept he called the “Information Utility.” Stone was vice-president of software products, and he made a case that within a generation, nobody other than maybe the Pentagon would operate private data centers. Instead, everyone would connect devices to an information grid. Information utility companies would deliver data services over this grid, just like electricity.
In an era before smartphones, before anyone besides a few researchers had ever heard of the world wide web, before cloud became a popular word, before IoT became a popular acronym, Stone’s presentation was right out of Star Trek. It opened my mind to a whole new world of possibilities. Followed by a world of security concerns.
Today, we don’t have warp drive yet, but much of Stone’s information utility vision is here. Cloud services are everywhere and IoT is coming. Open source communities are leading the way, with companies like Red Hat contributing major engineering talent around projects such as RHEL, RHEV, OpenStack, CloudForms, and others. The pace of innovation is amazing, and accelerating.
We’ve heard plenty of talk in our new cloud-connected world about the confidentiality leg of the confidentiality, integrity, and availability (CIA) security triad. But almost nobody is talking about integrity and availability. And why should anyone be concerned? After all, today’s big cloud providers have massive, redundant data centers around the world and more telecom capacity than most countries. Don’t integrity and availability issues go away? Isn’t that why we’re embracing cloud services? What’s the big deal?
Three words: The last mile.
What happens if the telecom connection to your end user site has a problem? Imagine a site full of thin clients with virtual desktops inside a cloud provider. Suddenly, the connection drops and a whole company stops working because nobody can access their (not-so) local desktops. If you’re a cloud customer, that connection is now your lifeline. It needs near 100 percent availability. Even one percent downtime adds up to 3.65 dead days every year.
For non-tech people: If your on-ramp is closed, it doesn’t matter how good the freeway is – you’re not getting on.
So what do we do about it?
Stretching the freeway metaphor, every cloud dependent site needs another on-ramp. Bring in redundant telecom, preferably using a different technology than the primary feed. If the primary feed has a problem, fail over to the backup.
Enter the lowly firewall. That black box sitting at the boundary between you and the Internet. The box nobody understands, but everyone says you need. The box your telecom providers blame for every hiccup. Instead of thinking outside the box, think about that box for a minute. That box is in the perfect position to juggle those telecom feeds and give you priceless diagnostic information about your network.
Right here – where the private network meets the public Internet – is a great opportunity for open source at its best. Instead of an expensive, proprietary black box, think about the possibilities using low cost, off-the-shelf hardware powered by open source software. Think about interacting with it like any other computer. Use simple pings and traceroutes directly from the firewall to diagnose many telecom issues. Think about helping ISPs track down which routers in their own systems are misbehaving. Or watching latency to help diagnose sloppy wiring connections.
Add software tools such as tcpdump to watch packets in and out, Wireshark to drill down into details as necessary, iptraf to look at real-time volume levels, or MRTG to look at graphical representations of historical bandwidth usage trends. Set up IPsec or OpenVPN tunnels (or even older PPTP tunnels, though PPTP’s MS-CHAPv2 authentication has been broken for years and should not be used for anything new) to connect branch sites and traveling workers. Add some scripting to juggle multiple Internet feeds and do automated failover and failback routing. Use glusterfs to build HA firewall systems using an active/standby pair. Set up segregated public and private Wi-Fi access for visitors and employees, with all the traffic meeting at the firewall. Use Snort to look for traffic patterns and detect intrusion attempts. The list goes on. All using low cost, off-the-shelf hardware and freely available open source software.
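The failover/failback scripting mentioned above, as an added example that is not part of the original article: a POSIX shell script for a Linux firewall with two uplinks. The interface names, gateway addresses and probe hosts are assumptions to be replaced for a real site. It pins host routes to the probe targets through the primary feed so the probes keep testing the primary even after the default route has moved to the backup, and it applies hysteresis (three consecutive failures before leaving the primary, five consecutive successes before returning) so a flapping primary does not bounce the default route every minute.

```shell
#!/bin/sh
# Dual-uplink failover/failback for a Linux firewall (added example, not the
# article's own code). Interfaces, gateways and probe hosts are assumptions;
# set them for your site. Run as root from cron: "* * * * * /path/wanfail run".

PRIMARY_IF=eth1;  PRIMARY_GW=203.0.113.1   # assumed: e.g. fibre feed
BACKUP_IF=eth2;   BACKUP_GW=198.51.100.1   # assumed: e.g. cable/LTE feed (different technology)
PROBE_HOSTS="192.0.2.10 192.0.2.11"        # assumed: hosts beyond the ISP's first hop
FAILS_TO_FAILOVER=3                        # consecutive failed probes before leaving the primary
OKS_TO_FAILBACK=5                          # consecutive good probes before returning to it
STATE_FILE=${STATE_FILE:-/var/run/wanfail.state}

# pin_probe_routes: force traffic to the probe hosts out the primary feed, so
# the probes still test the primary while the default route is on the backup.
# "ip route replace" is idempotent, so this is safe to call every tick.
pin_probe_routes() {
    for h in $PROBE_HOSTS; do
        ip route replace "$h" via "$PRIMARY_GW" dev "$PRIMARY_IF"
    done
}

# probe_primary: 0 if any probe host answers through the primary feed, else 1.
probe_primary() {
    for h in $PROBE_HOSTS; do
        ping -I "$PRIMARY_IF" -c 1 -W 2 "$h" >/dev/null 2>&1 && return 0
    done
    return 1
}

# next_state CURRENT PRIMARY_OK COUNT -> prints "NEW_LINK NEW_COUNT"
# CURRENT is primary|backup, PRIMARY_OK is 1|0, COUNT is the run of contrary
# probe results seen so far. Pure function: all routing decisions live here.
next_state() {
    cur=$1; ok=$2; n=$3
    case "$cur" in
    primary)
        if [ "$ok" = 1 ]; then echo "primary 0"; return 0; fi
        n=$((n + 1))
        if [ "$n" -ge "$FAILS_TO_FAILOVER" ]; then echo "backup 0"; else echo "primary $n"; fi ;;
    backup)
        if [ "$ok" = 0 ]; then echo "backup 0"; return 0; fi
        n=$((n + 1))
        if [ "$n" -ge "$OKS_TO_FAILBACK" ]; then echo "primary 0"; else echo "backup $n"; fi ;;
    *)  echo "primary 0" ;;   # unknown or corrupt state file: assume the primary
    esac
}

# set_default_route LINK: point the default route at the chosen feed and log it.
set_default_route() {
    if [ "$1" = backup ]; then
        ip route replace default via "$BACKUP_GW" dev "$BACKUP_IF"
    else
        ip route replace default via "$PRIMARY_GW" dev "$PRIMARY_IF"
    fi
    logger -t wanfail "default route now via $1 feed"
}

# run_once: one scheduler tick. Read saved state, probe, decide, apply, save.
run_once() {
    pin_probe_routes
    if [ -r "$STATE_FILE" ]; then read -r cur n < "$STATE_FILE"; else cur=primary; n=0; fi
    if probe_primary; then ok=1; else ok=0; fi
    new=$(next_state "$cur" "$ok" "$n")
    link=${new%% *}
    [ "$link" != "$cur" ] && set_default_route "$link"
    echo "$new" > "$STATE_FILE"
}

case "${1:-}" in run) run_once ;; esac
```

Two caveats a practitioner should expect: moving the default route breaks existing NAT sessions, so the thresholds are a trade-off between reaction time and unnecessary flaps, and the script does nothing if the backup is also down, since only the primary is probed.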
These capabilities are nothing new. Fortune 100 companies have been writing big checks for proprietary implementations for years. With open source, now everyone can afford them.
Now consider a next evolutionary step. Given an existing on-premise HA virtualized environment, why have a physical firewall at all? Connect a physical NIC on each hypervisor host to the Internet and use HA virtual machines to define your perimeter. The one rule is that the hypervisor itself must not have an address on that NIC and the bridge behind it must be reserved for the firewall VM, so the host is never exposed to the Internet directly. This could come in handy in colocation scenarios where physical space costs money.
Sound familiar? It’s the same potential offered by software defined storage and software defined networking, only this time at the perimeter. Call it a software defined perimeter and give it a new acronym, SDP. It does everything proprietary perimeter products did and more, but with more flexible deployment options, for a fraction of the cost. It’s led by open source communities and nurtured by companies like Red Hat. It solves the last mile availability problem and more.
With all these great benefits, why isn’t everyone doing it? One big reason: FUD (Fear, Uncertainty and Doubt). Nobody got fired for buying from (pick your incumbent vendor), and SDP is a threat to the incumbents. Enter Red Hat again and a little-publicized offering called embedded RHEL. Through reseller partners, end user customers can now take advantage of a support subscription from a vendor with deep pockets. And partners can build physical and virtual security appliances for pennies on the dollar versus the proprietary approach.
With open source already leading the way to the cloud, watch for the rise of SDP. The economics are too good to ignore.