Chris: As always, you can be counted on to goose the conversation in a useful direction. When people look at the term "unified computing", they tend to obsess about the "computing", when the real key is the "unified" part, which is what we need to really move the ball forward. A useful end-state is going to require that a) we can treat something like security policy holistically across infrastructure and b) we abstract policy from the specifics of the underlying infrastructure. This was one of the underlying principles behind VN-Link--the ability to move a VM and associated network and security policy around without sweating the underlying physical pieces and parts. Omar Sultan Cisco
I can see the VC (or is it the WC) community getting all excited about SAAS (sanitation as a service). I do think, however, you need to extend the model to address mobility with the inclusion of port-a-potties. Either way, make sure your design is robust enough that a core dump won't bring it down (or clog it up).
Hoff, The other thing to bear in mind is that VMs do consume resources such as CAM table space and FC world wide names, and add to things like STP complexity. When adding physical servers, there is some natural throttling of the rate of increase of the consumption of resources (or growth in complexity) because most organizations are limited in the rate at which they can physically deploy new servers. The concern I hear chatting with network and storage folks is that, with VMs, that natural throttling goes away, so it could become very easy to outpace their ability to respond and adapt. Omar
Hoff: The implicit shift in this scenario to keep the security wonk out of the cardiac care unit is to decouple the implementation of security policy from the infrastructure needed to deliver it. So, if you go back to Doug's scenario, what if you could define an infrastructure security policy and have that policy follow an app/VM around the data center? We have done this to some degree with VN-Link and the Nexus 1000V--we can define a port policy for a VM that includes things like ACLs, private VLAN policy, Cisco TrustSec policy, and the like, and have that policy follow the VM around a VI cluster regardless of where it ends up. Now, this is only a first step and Doug's example requires a much more sophisticated and encompassing implementation of this concept, but I think the overall approach is feasible. But that's just Omar the Plumber talking... :)
Hoff: I think your point from the second post is key: "It means making sure your policies extend and are applicable 'outside the castle.'" As folks look to add cloud services to their repertoire, they need to raise the bar. Presumably, most service providers can do a reasonable job with things like access control and perimeter security. The question is how well they can dynamically implement your particular security or compliance policy in an auditable manner. Minimally, as a cloud operator, I need to:
1) Have a mgmt interface/protocol to receive policy requirements from a customer
2) Assess the policy and see if I have the infrastructure to support it
3) See if I have the resources to support the policy and then arbitrate the new policy against existing policies I am supporting
4) Implement the policy
5) Accept the workload from the customer
6) Provide documentation and an audit trail
Should be interesting to see how this unfolds. :) Omar Sultan Cisco Systems
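The following is an added, constructed Python sketch of the six-step intake flow Omar lists above (receive, assess, check resources and arbitrate, implement, accept, audit), combined with the idea from his earlier comment that port policy should be bound to the VM's identity and travel with it rather than being tied to a host. It is illustrative code written for this page, not Cisco, VN-Link or Nexus 1000V code; the class and names (PolicyBroker, tenants "acme" and "globex", hosts "esx-a" and "esx-b", the feature tags) are all hypothetical.

```python
"""Constructed example: a policy broker that accepts tenant policy, checks it
against operator capability and capacity, arbitrates against policies already
in force, binds it to the VM, and keeps an audit trail. Hypothetical names."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Policy:
    tenant: str
    vm: str
    vlan: int                 # L2 segment the tenant wants this VM on
    acls: tuple               # ACL lines as strings, e.g. "deny tcp any any eq 23"
    features: frozenset       # enforcement features needed, e.g. {"acl", "pvlan"}


@dataclass
class Host:
    name: str
    features: frozenset       # what the host's virtual switch can enforce
    free_ports: int


class PolicyBroker:
    def __init__(self, hosts):
        self.hosts = {h.name: h for h in hosts}
        # Operator-wide capability = union of what any host can enforce.
        self.capabilities = frozenset().union(*(h.features for h in hosts))
        self.vlan_owner = {}      # vlan -> tenant that already owns that segment
        self.policies = {}        # vm -> Policy (policy is keyed by VM, not host)
        self.placement = {}       # vm -> host name
        self.audit = []

    def _log(self, step, policy, outcome):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "step": step, "tenant": policy.tenant,
                           "vm": policy.vm, "outcome": outcome})
        return outcome

    def submit(self, policy):
        self._log("receive", policy, "ok")                       # step 1
        missing = policy.features - self.capabilities             # step 2
        if missing:
            return self._log("assess", policy, f"rejected: unsupported {sorted(missing)}")
        candidates = [h for h in self.hosts.values()              # step 3a
                      if policy.features <= h.features and h.free_ports > 0]
        if not candidates:
            return self._log("resources", policy, "rejected: no capacity")
        owner = self.vlan_owner.get(policy.vlan)                  # step 3b
        if owner not in (None, policy.tenant):
            # Another tenant already owns this VLAN: accepting would put two
            # tenants on one L2 segment, so arbitration refuses the new policy.
            return self._log("arbitrate", policy, f"rejected: vlan {policy.vlan} owned by {owner}")
        self.vlan_owner[policy.vlan] = policy.tenant              # step 4
        self.policies[policy.vm] = policy
        self._log("implement", policy, "ok")
        host = candidates[0]                                      # step 5
        host.free_ports -= 1
        self.placement[policy.vm] = host.name
        return self._log("accept", policy, f"accepted on {host.name}")

    def migrate(self, vm, dest_name):
        """Move a VM; the policy follows it, so the target must be able to enforce it."""
        policy = self.policies[vm]
        dest = self.hosts[dest_name]
        if not (policy.features <= dest.features and dest.free_ports > 0):
            return self._log("migrate", policy, f"rejected: {dest_name} cannot enforce policy")
        self.hosts[self.placement[vm]].free_ports += 1
        dest.free_ports -= 1
        self.placement[vm] = dest_name
        return self._log("migrate", policy, f"moved to {dest_name} with policy intact")


def demo():
    """Constructed scenario: two hosts with different enforcement features."""
    broker = PolicyBroker([Host("esx-a", frozenset({"acl", "pvlan", "trustsec"}), 2),
                           Host("esx-b", frozenset({"acl", "pvlan"}), 2)])
    results = [
        broker.submit(Policy("acme", "web-1", 100, ("deny tcp any any eq 23",),
                             frozenset({"acl", "pvlan"}))),
        broker.submit(Policy("globex", "db-1", 100, (), frozenset({"acl"}))),
        broker.submit(Policy("acme", "app-1", 100, (), frozenset({"acl", "macsec"}))),
        broker.submit(Policy("acme", "gw-1", 100, (), frozenset({"acl", "trustsec"}))),
        broker.migrate("web-1", "esx-b"),
        broker.migrate("gw-1", "esx-b"),
    ]
    return broker, results


if __name__ == "__main__":
    b, r = demo()
    print("\n".join(r))
    print(f"{len(b.audit)} audit entries")
```

The two migration calls show the point of binding policy to the VM: web-1's policy needs only ACL and private VLAN, which both hosts can enforce, so it moves; gw-1 requires TrustSec, which only esx-a can enforce, so the broker refuses the move rather than silently dropping part of the policy.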
Hoff: These are some good points to bring up and I think it will be interesting to see how these different approaches pan out. As always, I think you will see different options with different trade-offs, which is one of the reasons we created VN-Link with both a hardware and software based option. Unfortunately, right now, I don't have anything to share. We will, however, be starting some formal testing shortly and I promise I'll share as soon as we have something to publish to give folks an idea of what to expect. As we get closer to actual shipping, we'll have some more formal docs that will give customers some guidance on performance and impact on the server. Omar Sultan Cisco Systems
