The conflicted rise of software-defined networking


Some vendors crippled their SDN offerings to protect their hardware profits, but smarter providers are switching now

Software-defined networking (SDN) is becoming a huge deal. To many people, the term is opaque, almost to the point of being meaningless. After all, what part of anyone's network isn't software-dependent? Every firewall, router, and switch you run has software (firmware) to control it. The difference with SDN is that the management and control planes aren't the only ones implemented in software -- the bulk of the data plane is as well. (Strictly speaking, SDN in the OpenFlow sense means decoupling the control plane from the forwarding plane; this article uses the term in the broader sense that also covers network functions running as virtual machines on general-purpose hardware.)

Among the many important ramifications, one in particular stands out: With SDN, you're using commodity server hardware (typically on top of or within a virtualization hypervisor) to manage, control, and move your network's data. This differs from the pre-SDN approach of running management and control software on top of purpose-built ASICs (specialty chips) that move the bits to and fro. The practical result is that you can deploy entire new network components, configure them, and bring them into production without touching a screwdriver or a piece of sheet metal.

Early days for SDN

SDN is obviously popular in the context of server virtualization. The first SDN in fact might have been EMC VMware's vSwitch -- a simple way of isolating Layer 2 network segments in a virtualization host. Since then, SDN has grown to include virtualized firewalls, routers, fully functional switches, and intrusion detection and prevention systems (IDS/IPSs) -- essentially anything you deploy on your physical network, but run virtually.

However, SDN is new, so many of the largest networking vendors are still trying to figure out what to do with it. Instead of porting the capabilities of their physical networking appliances into similarly featured virtual equivalents, some vendors -- Cisco Systems, in particular -- have taken the teeth out of the virtual versions of their Layer 3 products. This has left a wide opening for "full SDN" competitors -- and several are hastily crashing through.

If you're a Cisco fan (not everyone is), you might look at the ASA 1000V and be psyched that you can deploy such a feature-rich firewall virtually. After all, it's awesome to have a capable traditional firewall that's unshackled from physical interfaces and can scale to meet almost any throughput or connectivity requirement simply by leveraging the capabilities of the underlying hypervisor. However, if you read the product description, you'll notice that the ASA 1000V supports only an inside and an outside interface, and lacks dynamic routing, IPS functionality, and a litany of other important features.

Hardware beware

Of course, some of the gulf between the physical ASA (which supports all those items) and its virtual counterpart may be due to hardware-enabled features Cisco hasn't yet reimplemented in software, but that can't possibly be the only reason they're all missing. Instead, I believe Cisco has intentionally crippled the virtual version of its firewall so that it won't compete with its hardware firewall business. Consider: Your ability to run virtual firewalls (especially if you happen to run a cloud infrastructure or are a cloud provider) means Cisco might lose huge amounts of revenue on the hardware side. Cisco is just an example; the same calculus is in play for other major network vendors trying to figure out how to keep SDN from cannibalizing their high-margin network hardware businesses.

This uncomfortable relationship with SDN is understandable, but it's by no means universal. Some traditional networking companies are investing heavily in virtualized, software-only solutions. For example, Juniper and Fortinet both sell well-developed virtual firewall offerings, and Brocade's 2012 purchase of open source router vendor Vyatta puts it squarely in competition with a large swath of Cisco's product line. Even though Vyatta isn't yet as feature-rich as the combination of a hardware-based Cisco ASA and Cisco ISR router, it does enough of the important stuff and comes in an easily virtualized package. That presents real competition for Cisco -- like David versus Goliath, but with Brocade's financial backing.

Time will tell how Cisco and other incumbent network vendors react when easily virtualized SDN options really eat into their sales. The trend is unavoidable -- SDN is most certainly the way of the future, especially as more and more on-premises networks move into the cloud, where the technology is nearly ubiquitous. Vendors that recognize the shift early and invest heavily will win business from the incumbent players that fail to adapt.
