They want networking to be utility? Let’s do it!

I was talking about virtual firewalls for almost an hour at the Troopers13 conference, and the first question I got after the presentation was “who is going to manage the virtual firewalls? The networking team, the security team or the virtualization team?”

There’s the obvious “silos don’t work” answer and “DevOps/NetOps” buzzword bingo, but the real solution requires everyone involved to shift their perspective.

Are your silos as strong as these ones?

We’ve been hearing for years how IT (and networking) infrastructure has to become a utility and how clouds will make it happen. OK, let’s do it.

I would assume you had at least a fleeting interaction with a power utility at least once in your professional career; after all, they deliver the juice your boxes need to make the magic smoke swirl inside. Are they also responsible if you fry yourself when touching bare wires? Of course not.

The power utility does install circuit breakers just before the handoff point – but they’re there to protect the distribution network, not yourself. If you want to protect your equipment or yourself, you have to install your own circuit breakers, residual current devices, surge protectors etc.; you’re assuming all the risk if you don’t do that. Would the power company install them for you? Maybe (but definitely not where I live) – but that would be a separate charge.

Now let’s move back into the networking/security realm. Why should the networking (or security) team be responsible for protecting every single VM in the data center and making Swiss cheese out of the security policy by drilling new holes (aka installing new firewall rules) for every application that cannot adhere to a common framework?

I need just one more hole in that cheese.

It’s high time for networking to become a transport utility: we provide transport and baseline security – Internet-facing firewalls, DDoS mitigation with traffic blackholing, BPDU guard, and a few other bits and pieces – and server or application teams become responsible for their own security. The security team should (a) help them when needed and (b) monitor everyone’s compliance.

You can imagine the response I would get from 99% of the environments (the non-Valley geographies in terms of Massimo Re Ferre), but the “infrastructure is utility” perspective is exactly what made Amazon AWS such a great service (and before you ask – if you use AWS, you’re responsible for your own protection). If everyone thinks moving to the (private or public) cloud is such a great idea, I’m all for it – but let’s do it right.

Amazingly, someone working for a very large European telecom attended the informal roundtable Enno Rey organized after the Troopers 13 conference ... and guess what – they have huge success doing exactly the things I’m preaching. It’s so refreshing to see some common sense in action.


  1. I, as one of the aforementioned infrastructure managers, have been pleading for this. The application and virtualization teams welcome this opportunity. However, this has been squashed by turf wars and legacy management.

    I believe security, like most other IT disciplines, has obtained a base level of diversified knowledge such that firewall management is not a pinnacle any more. Most senior application and infrastructure personnel speak firewall policy and understand traffic flows.

    So, I raise my cup and cheer you on. Hear! Hear!