
Incomplete Thought: The Time Is Now For OCP-like White Box Security Appliances

Over the last couple of years, we’ve seen some transformative innovation erupt in networking.

In no particular order OR completeness:

  • CLOS architectures and protocols are evolving
  • the debate over Ethernet and IP fabrics is driving toward the outcome that we need both
  • x86 is finding a home in networking at increasing levels of throughput thanks to things like DPDK and optimized IP stacks
  • merchant silicon, FPGA and ASICs are seeing increased investment as the speeds/feeds move from 10 > 40 > 100 Gb/s per NIC
  • programmable abstraction and the operational models to support it have been proven at scale
  • virtualization and virtualized services are now commonplace architectural primitives in discussions of NG networking
  • Open Source is huge in both orchestration as well as service delivery
  • Entirely new network operating systems like that of Cumulus have emerged to challenge incumbents
  • SDN, NFV and overlays are starting to see production at-scale adoption beyond PoCs
  • automation is starting to take root for everything from provisioning to orchestration to dynamic service insertion and traffic steering

Stir in the profound scale-out requirements of mega-scale web/cloud providers and the creation and adoption of Open Compute Platform compliant network, storage and compute platforms, and there’s a real revolution going on:

The Open Compute Networking Project is creating a set of technologies that are disaggregated and fully open, allowing for rapid innovation in the network space. We aim to facilitate the development of network hardware and software – together with trusted project validation and testing – in a truly open and collaborative community environment.

We’re bringing to networking the guiding principles that OCP has brought to servers & storage, so that we can give end users the ability to forgo traditional closed and proprietary network switches – in favor of a fully open network technology stack. Our initial goal is to develop a top-of-rack (leaf) switch, while future plans target spine switches and other hardware and software solutions in the space.

Now, interestingly, while there are fundamental shifts occurring in the approach to and operations of security — the majority of investment in which is still network-centric — as an industry, we are still used to buying our security solutions as closed appliances or chassis form-factors from vendors with integrated hardware and software.

While vendors offer virtualized versions of their hardware solutions as virtual appliances that can also run on bare metal, these generally have not enjoyed widespread adoption because of the operational challenges, compounded by organizational silos, of deciding whether to distribute security as a service layer across dedicated appliances or across compute fabrics as an overlay.

But let’s just agree that outside of security, software is eating the world…and that at some point, the voracious appetite of developers and consumers will need to be sated as it relates to security.

Much of the value (up to certain watermark levels of performance and latency) of security solutions is delivered via software which, when coupled with readily-available hardware platforms such as x86 with programmable merchant silicon, can provide some very interesting and exciting solutions at a much lower cost.

So why, then, when networking vendors have released OCP-compliant white-box switching solutions that let end users run whatever software/NOS they desire, have we not seen the same for security?

I think it would be cool to see an OCP white box spec for security and let the security industry innovate on the software to power it.

  1. Erik Freeland
    January 25th, 2015 at 22:15

    Don't we already refer to “OCP white box spec for security” as servers?

  2. March 17th, 2015 at 04:33

    Why am I troubled? I suspect because you seemed to found the premise of the question on the basis of network evolution. (But then you know that I am a Deperimeterisation freak)

    Accepting that we have much to change about how we think about security, as you stated, we all seem to think Network Centric Security. We also put security into a negative or anti-clockwise box. Perhaps the most important thing to change is to stop thinking that security is about stopping bad things from happening, and to start thinking that security is also about ensuring that great things happen with an excessive frequency. I vote for shifting to KERS thinking: “Brakes are also things that give me the opportunity to overtake around the corner!”

    Then I can fully buy into the wonders of OCP for the Security White Box.
    For the box would be able to use Clockwise or Anti-clockwise security approaches as appropriate.

    The exciting thing is that we would be specifying in this approach the Clockwise Security outcomes that we want to see, as well as the Anti-Clockwise security capabilities.

    What! Do you mean the OCP White Box would also support Customer Attraction and Retention!?

    As long as it is integrated into the value propositions of a business, of course it would!

    The days of bolt on security died with KERS!

  3. cloudtoad
    May 13th, 2015 at 07:21

    Indeed… What we haven’t seen is an OVS-on-DPDK equivalent happen inside of Linux. Perhaps nftables-on-DPDK? nftables seems to be doing the right things… a packet selector language so extensions don’t have to be written to support new protocols, for instance.

    Suricata is aiming for better nftables integration, it seems, with every release… not to mention they’ve been continuously improving their GPU support.

    Have you looked at Snabb Switch? You can build packet forwarding pipelines with it…
