The shape of networks to come

At last year’s Cisco Live, I sat in a room full of network engineers and architects who were openly hostile to the Cisco marketing person presenting to us. We were talking about control systems, the Internet of Things, and the networking needed to tie modern technologies together.

The presentation was basically “just buy more traditional route/switch gear and you’ll be prepped for this brave new world”, to which the audience almost universally responded “Umm, no.”

I hate being sold to, but something else irked me. I reject the philosophy they were selling all-together – that the current LAN/WAN model will be the path forward.

Popping the stack

Compute is no longer tied to individual, physical datacenters. It has become cloudified – abstracted to the point that we only really talk about the app and automation layers rather than single VMs or even datacenters. Sure, those things exist in the stack, but we don’t really care about them as discrete objects.

Transport (networking), is following the same trend. Switches, routers, firewalls, whathaveyou – are part of the stack, but managing them individually is no longer desirable or sustainable. To adapt to the flux of compute and apps, the network layer has to be handled in software via fullstack policies, rules, and configurations that are independent of individual paths, devices, or locations.

This app needs to be delivered to this user where-ever they are at, across whatever transport is available.

That’s the promise of software defined networking and the death of the LAN as the center of the universe. If we’re defining fullstack access policy and tying it to the identity and rights of each user or resource, the LAN (and WAN, to some extent) is largely dumb plumbing being assembled and re-assembled by software.

Centralized ingress/egress becomes less relevent as well, especially when host-to-host connections are built and policed dynamically. Host and platform-based firewall/IDS/IPS are able to adapt more effectively than centralized, monolithic solutions in this scenario.

VMware’s NSX is a good example of this model (at least in this transitional phase…). Assign an access policy to an app and it flows through the datacenter, across the WAN, and onto the remote device – all at an abstracted network layer that rides on top of the “dumb plumbing” referenced above.

Viptela, Silver Peak, Arista, and others (insert your favorite SDN startup)fit as well – Here are some diverse circuits, here’s the SLA for each application.  You figure it out, software.

Going forward, I no longer care about LAN or WAN – I care about data, software, and identity.

The Everywhere Network

Traditionally, if you want to build a corporate network, you order an expensive circuit from a carrier, put an endpoint like a router or firewall on it, and then build out an enclosed space behind it for trusted devices. If you want two or more locations with trusted devices to communicate with one another, you start looking at technologies like VPNs and MPLS to glue everything together.

If you want resiliency, you order more circuits and create multiple paths for your network traffic. Then you setup dynamic routing protocols and say “Perform! Self-heal! Abracadabra!”

That model, while somewhat flexible, is physical, cumbersome, and geographically pinned. It requires that IT staff wrap ever more complex and onerous controls around the network and attached devices, expanding their attack surface in an attempt to control their attack surface.

It’s a model that will continue to exist for the foreseeable future but will be pushed further and further upstream, into the domain of carriers and service providers, following the same path as compute.

A possible and, in my opinion, likely, future of the access network is one that is omnipresent and largely untrusted – a mobile, shared access WAN that obviates traditional network boundaries and segmentation.

Carriers and OEMs are testing 5G cellular network tech as I write this. It may be that 6G or 7G need to come into play before client access changes wholesale, but the progression seems natural to me; assume that the new, ubiquitous network is unsecure, collapse the security domain (reducing the attack surface) to account for that, and implement tech and controls around data, apps, and identity.

Given that direction, classical network management becomes less of a thing on the customer side and evolves to be more service provider-focused. But just like cloud compute, the corporate default will be to fallback to simpler, base network configs that serve as a underlayer to a virtualized, app-driven topology and to consume transport services rather than building and maintaining them.

This assumes that even the corporate network will be common utility rather than a proprietary diamond. (It also assumes that encryption doesn’t become illegal.) All technologies glide along the slope from rare to commodity – some take longer than others. There is no reason networking won’t follow this arc.

Photo credit: Screenpunk