We Have to Learn How to Manage the Cattle
Not long after I published the blog post arguing against physical appliances, Oven wrote a very valid comment: "But then you'd have 20 individual systems to manage, add licenses to for additional features, updates etc."
Even though the blog post (and the comment) was written in 2013, not much has changed in the meantime.
We’re still dealing with big hardware appliances that are managed like pets instead of smaller virtual appliances that could be managed like cattle, the only exception being distributed firewalls in environments like VMware NSX.
To learn more about pet-versus-cattle analogy, start with the original Randy Bias’ presentation or an updated version.
Even though everyone mostly agrees on the benefits of using the network-services-as-cattle approach, most enterprise environments still haven’t solved the challenge of managing a large number of small appliances, and the appliance vendors still want to charge per box (making the cattle model untenable) instead of by value added (= total throughput or something similar).
It would be great to have a list of firewall and load balancing vendors that got the memo and implemented a throughput-based licensing model for their on-premises virtual appliances. If you encountered one (or are working for one) please leave a comment. Also note that having an appliance on AWS marketplace doesn’t count ;)
There are two ways to manage network services appliances at scale:
- You make your cattle someone else's pet: each application team becomes responsible for their own firewall and load balancer. This approach works surprisingly well for public cloud vendors, and there’s no reason why organizations that talk about moving into a public cloud wouldn’t implement the same approach for on-premises workloads… or maybe it's all talk and no action.
- You need tools that allow you to manage at scale. Server people solved that with Puppet/Chef/Ansible/Salt, apps people solved that with Zookeeper (and the like), forward-looking networking engineers already started automating their networks, but the majority of the networking/security industry is yet again a decade or more behind the others, the only exception being the management systems for VM-NIC virtual firewalls (because nobody would be crazy enough to buy them without such a system).
Not surprisingly, the network security management systems follow what the appliance vendors are doing and thus have the wrong focus - instead of focusing on managing 10K rules on a single giant FW, they should focus on managing the cattle - enforcing single policy across all tenants.
I recently read F5 now has a "per-app" licensing model for its load balancing and WAF modules.
Disclaimer - I'm a Juniper employee.