Category Archives: Virtualization

IT Service Brokerage: Technical Mindset – Infrastructure

“…if an application moves from an environment where disks/volumes are mounted using WWNNs/WWPNs as end-point IDs (fibre channel) to an environment with IQNs as end-point IDs (iSCSI) we often have to re-validate and re-engineer. If the application were to list its own requirements it would actually just be something like ‘xGB block storage, isolated, with <performance guarantee 1> and <performance guarantee 2>’. There would be no mention of WWPNs or IQNs, fibre channel or iSCSI. The list above is the type of [automated/attached] description needed that would help make the application portable. It fits into a trust-based model (aka Promise Theory)…”

The above is an excerpt from my recent post on our Cisco UK & Ireland blog. You can read the full post here: http://gblogs.cisco.com/uki/it-service-brokerage-technical-mindset-infrastructure/

DevOps Collections #4

1 Reply

The plan is to produce some more guides/write-ups over the coming weeks… but for now, here’s the latest Continuous X and DevOps related noise:

Source CY14 W39–44

Business Agility without Compromising Governance (Collabnet Whitepaper)
Microservices (Martin Fowler) *
- Software development practices continue to evolve and vary and this post provides a good description of microservice-based design practices. Amongst many other things, this type of application architecture plays well with hyperscale cloud infrastructure offerings inc. charging models as individual instances tend to be very small vs. monolithic ‘3-tier’ application architecture which instead scales ‘up’ by having more resources applied to instances/VMs/PMs. Microservice even allows some orgs to run on a ‘Free Tier’ offered by Public Cloud providers. There is also a reference to Conway’s Law.
  “In short, the microservice architectural style is an approach to developing a single application as a suite of small services, each running in its own process and communicating with lightweight mechanisms, often a HTTP resource API. These services are built around business capabilities…”
  - A nice complementary bullet point list to describe the nature and pros: Scaling with Microservices and Vertical Decomposition (Otto)
Getting Granular With Microservices, PaaS, Twelve Factor Apps and Docker (ActiveState) *
- The pros of Microservice architecture and the new complexities to manage before and during runtime followed by a good overview of the infrastructure + app services platform (PaaS) evolution and requirements underneath
PuppetConf 2014 Session Recordings
- PuppetConf 2014 Recap: Part 1, Part 2, Part 3
- Notable:
  - The Phoenix Project: Lessons Learned – Gene Kim, IT Revolution Press
  - Case Study: Developing a Vblock Systems Based Private Cloud Platform with Puppet and VMware vCloud Suite – Peng Liu & Paul Harb, VCE
  - From Development to Testing to Deployment with Puppet Enterprise and Microsoft Azure – Ross Gardler, Microsoft Open Technologies, Inc.
  - Exploring the Final Frontier of Data Center Orchestration: Network Elements – Jason Pfeifer, Cisco
  - Fully Automate Application Delivery with Puppet and F5 – Colin Walker, F5
  - Infrastructure as Software – Dustin J. Mitchell, Mozilla, Inc.
Leveraging Cisco NX-API with Ansible to Make Your Life Easier (jedelman.com)
- More on this subject: Spine/Leaf Topology Explorer with Ansible (Keeping it classless)
  - A ‘DevOps against a Cisco network’ technical walk-through that leverages Ansible for config management and NX-API as the programmable interface on Nexus switches.
The new building blocks for IT: OpenStack, Continuous Delivery, and DevOps (Gigaom Pro)
- “The key building blocks of a modern IT organization include a highly flexible infrastructure, an automated software delivery life cycle, and a devops-driven IT organisation. These capabilities are essential to ensuring that IT remains relevant in an era of continuous change to customer-facing services and automated business operations.
  This report focuses in particular on OpenStack as an underlying cloud platform to support this new type of organization. In addition, it examines a handful of ecommerce and Software-as-a-Service (SaaS) providers and the challenges these companies seek to solve by adopting a more agile software development and deployment process using OpenStack.”
Scrum for Operations: Just Add DevOps (the agile admin)
- A diary-like account of an organisation’s experiences of applying Scrum and DevOps practices
Microsoft partners with Docker to bring containers to Windows Server (devops.com)
HealthCare.gov: Lessons From Continuous Software Delivery
DevOps Culture Clash: Think Process (InformationWeek)
- A more pragmatic view of ‘just do the culture that we need will ya’
DevOps: A Software Architect’s Perspective book excerpts
6 Challenges Facing DevOps and Operations Teams in 2015 (Smartbear)
- “Networking, not servers, is often the immutable object that is not easy to make agile. Even when working with vLans there is a spider web of IPs, Ports, Routers, routing tables, perimeter networks etc who’s interdependency can’t simply be changed, broken, moved, or replicated.”
How “Shifting Left” in Software Development Can Help Fuel Your Company’s Growth Engine (siliconAngle)
- “A long talked about theory in software development is the idea of “shifting left,” where software development and testing teams work to bring higher degrees of quality – usually through testing – earlier in the software development life cycle. The problem is that the majority of testing is not done until the service is completed—after integration and user acceptance testing—making it nearly impossible to test quality into a system”
8 Characteristics of our DevOps Organization *
- DevOps in a large enterprise. Comments on org structure that works etc. “I now work at a ~$20 billion company with 40,000+ people. If DevOps can work here, it can work anywhere.” There’s a mention of Slack for collaboration between sites.
DevOps4Networks summary by Nathan Sowatskey who presented at the event
- Youtube videos can be found here
How to talk to your CFO about DevOps (devops.com) *
- How do you explain the benefits of DevOps to your CFO in order to justify any associated cost?
Spiderman and Azure (DevOps in the Enterprise)
- Anecdotal information on Azure
Why Rejecting ‘Enterprise DevOps’ Hurts The Movement (Contino – Benjamin Wootton) *
- Why Is DevOps Different In The Enterprise? -> People, Process and Technology broken down. “There are many books and degree courses on organisational change and transformation. People can make careers out of it. It’s a complex area full of best practice, insight and accumulated experience. We need to bring that thinking into DevOps”
Companies Focused on Software and Development Outperform Peers (CA Technologies) *
Infrastructure automation by example (practicingruby)
- Down a level to an example of the process of setting up something in-line with Infrastructure-as-code. Find yourself an Ubuntu machine…
DevOps.com Examines DevOps-as-a-Service
- Yep, you guessed it… ‘as-a-service’ has been bolted on to DevOps… a comment on buying in ‘DevOps’: “If DevOps is a growth engine for your company, then outsourcing it is like building a car with the motor located elsewhere”
Gene Kim: Learn about DevOps directly from the pros (The Enterprisers Project)
- An interview with the author of “The Phoenix Project”
  - Another interview: DevOps: From Unicorns to Horses
Mesos, Docker – The Next Disruptive Wave? (Strand Weaving)
- Apache Mesos: “In terms of your datacenter or cloud provider think of this as a layer between your applications and the hardware”
Batman & Robin: How DevOps pairings can succeed (Gigaom)
Is DevOps Killing Some Types of Jobs? (IBM Developer Site)
IT deployment standards: why now?
DevOps for CEOs (Ranger4 ThoughtPaper)
The New Software Imperative: Fast Delivery With Quality: Eight DevOps Practices Are The Key To Success (Forrester Consultative Paper commissioned by IBM)
Paying Down Technical Debt (devops.com) *
Right-Picking the First Project to Go DevOps On and Counterpoint: Right-Picking the First Project to Go DevOps On

DevOps Collections #3

1 Reply

Another aggregation of Continuous X and DevOps news and information put together for colleagues at work but thought to be worth sharing outside of that group. * = help with prioritising what to read if you’re hard pressed for time.

Where does DevOps work in the enterprise? (itskeptic.org) *
- The terms “Bimodal IT” and “Trimodal IT” have recently been used to describe the potential split of strategies for different classifications of IT systems – i.e. ‘old stuff’ and ‘new stuff’ and the different opportunities with each (pretty much = don’t hold up ‘new stuff’ because of ‘old stuff’ requirements – they’re different). This article talks about ‘DevOps in Enterprise’ being more successful when when addressing the ‘new stuff’ rather than being reverse engineered against existing/legacy systems.
Making DevOps Work in Complex Enterprise Environments (devops.com)
- However, if you are going to try to reverse engineer against the ‘old stuff’ to some degree then here’s a starting point. Interestingly, we have reference to where data centre tech/infrastructure services can make a different in a more generic sense: “Save that bespoke Windows config as a virtual machine, then you can subsequently redeploy it… use an enterprise infrastructure-as-a-service (IaaS), whether private or public cloud, hosted or on-premises, especially for newer applications… adopt platform-as-a-service (PaaS), either out-of-the-box or by building a PaaS that will support your unique environments”
DevOps with a purpose: It’s about your applications (devops.com) *
- “I recommend analyzing your business goals and application portfolio using the pace-layering method, which focuses on three categories of applications – systems of record, systems of differentiation, and systems of innovation”. Back to the ‘old stuff’ vs. ‘new stuff’ but with a bigger link to systems thinking and what can really affect the business – I like these classifications.
Docker closes C round for $40m (DevOps.com)
- “There have now been 21 million downloads of the Docker platform, up from 3 million at DockerCon. Over 35,000 “Dockerized” applications are now available on the Docker Hub Registry, and more than 13,000 Docker-related projects have launched on GitHub. Docker has also seen rapid growth in the technology partner ecosystem with over 100 companies – including industry heavyweights Amazon, Google, IBM, Microsoft, Red Hat and VMware – having announced Docker–supporting platform initiatives.”
The DevOps Mindset: Real-World Insights From Tech Leaders (Rackspace – Click “Download Now”)
- Collaborative culture, elevated & shared goals, collaborative culture, elevated & shared goals, collaborative culture… if people say it enough it will happen everywhere right? Some interesting comments from ‘DevOps leaders’ within different orgs in this document. The real question that still remains is what changes in the DevOps model in order to apply it within a large multi-national organisation? You may notice that none of the interviewees sit within an org bigger than 2000, most are in the hundreds… the question still remains.
Microservices and PaaS (activestate.com) *
- An interesting overview of complementary application architecture changes – small distributed units/modules instead of big monolithic tiers. A 3 part article.
Change your thinking about Change Management (devops.com – Chris Riley)
- “change management, the tools, can be detached from change management the governance. And then no longer tied to the reactive philosophy”. A practical look at opportunities around Change Management within a DevOps philosophy.
Putting the Ops in DevOps (indecorous.com)
- “the nearest I can come to “you’re doing it wrong” is when people announce the death of Ops as a job function…. in truth it’s very, very hard to excel in both the development and operational aspects of building and running a large computer system. These people do exist, but trying to find them and hire them is hard (and expensive). Moreover, beyond a certain (small) scale it’s actually woefully inefficient to have everyone doing everything.” Tips from someone ‘doing DevOps’.
To Help DevOps-ify The World, ScriptRock Raises $8.7M (Forbes)
- ”the company’s product, GuardRail, focuses on helping IT departments understand how their various systems are operating wherever they may be located. Instead of this information being strewn across the organization in multiple departments and locations, GuardRail brings it all to one central location”.
How to skill up in DevOps and what rates you can expect in 2014-15 (eSynergy)
- An insight into the kind of rates contractors can expect for a ‘DevOps’ skillset.
Developing and enabling a DevOps culture in your team (devops.com) *
- An interesting take on how to revitalise existing personnel under a DevOps effort instead of seeing them as a barrier to change.
  - Additional anecdotal points elsewhere: theopsmgr
Dissecting Effective Developer Workflows to Save Time & Lower Costs (Flux7)
- A look at the realities and results of ‘shifting things left’.
Harvard Business Review Survey: IT responsiveness predicts business success (devops.com)
- “Nearly half of respondents reported that their companies have missed opportunities because their IT department was too slow to respond to shifting business needs. And approximately 49 percent reported that a lack of bandwidth in IT is the primary obstacle of the organization to take advantage of digital technologies… Approximately 42 percent of organizations report that they have a poor track record of facilitating collaboration across IT and business functions.”
The Road to DevOps (ActiveState)
- An example of the dangerous mindset out there that can cause ‘Ops’ to go against the grain of a DevOps movement. This article is not the guidance needed for establishing the right culture imo.
Q & A: Puppet Labs CIO Nigel Kersten (devops.com)
Leading the Horses to Drink … Support and Initiate a devops transformation – Damon Edwards (video)

FYI The DevOps Cookbook is reportedly at draft/review stage. This will likely turn out to be a ‘must read’.

There is also apparently ‘DevOps Training’ for ‘DevOps Certifications’ popping up now. While it helps with the foundational knowledge side of things it is also an indication of the beginnings of a cottage industry that might ultimately break the DevOps ‘following’. With that in mind, two more articles:

DevOps Is Dead (Long Live DevOps)
- A pictorial glimpse of the DevOps journey vs. hype cycle.
Has DevOps Gone Off the Rails? (CMCrossroads – Clifford Berg) *
- Let’s stop this madness!! A snap back to reality needed??

DevOps Collections #2

Leave a reply

Another inch up the curve… As before, there are notes so that you can be selective with your reading and there are * against the reads to maybe prioritise if you’re hard pressed for time.

E nterprise DevOps – The Opportunity & The Challenge (Benjamin Wootton) -> A concise slide deck that could act as a guide to your own talking points if facilitating an ‘Intro to DevOps’ session.
Common Objections to DevOps from Enterprise Operations (Dev2Ops) -> “The quickened pace puts a lot more pressure on the centralized ops team because they often get the work late in the project cycle (i.e. when it’s time to release to production). Because of time pressure or because they are over worked, operations teams have difficulty turning requested work around and begin to hear developers want to do things for themselves….. unfortunately, a centralized devops team can become a silo and suffer from the same “late in the cycle” handoff challenges the traditional ops group sees. -> A practical view of the kind of situation ‘Agile‘ can create on the Ops side when it’s mainly Dev pushing a cultural shift towards DevOps. *
Include Ops people in user stories for Operability (HighOps) -> “Many organisations use terminology which is unhelpful and counter-productive towards Operability”
The Continuous Delivery Maturity Model (InfoQ) -> Taking five key categories, Culture & Organisation, Design & Architecture, Build & Deploy, Test & Verification and Information & Reporting, the aim of this article is to establish a method of measurement for where an organisation is with ‘Continuous X’. This particular model defines five maturity levels: base, beginner, intermediate, advanced and expert. Measuring against this model can help you to work out how best to support your customer. Image available. *
Two Ways DevOps Unlocks the True Potential of Agile (devops.com) -> “The good news is, organizations can close their gaps and realize the true value of Agile development by incorporating DevOps processes and tools into their systems development life cycle (SDLC)… The DevOps principle to employ here is getting the operations team involved in testing earlier in the SDLC – essentially shifting their work left – and the tool that can help is service virtualisation”. This article is effectively saying if Ops are involved earlier in the SDLC then they can help get QA/testing environments as close to a real-world Production environment as possible and monitor the whole SDLC. This is advantageous when considering the implications of Continuous Delivery and Deployment. “By simulating constrained or unavailable systems across the SDLC, service virtualization enables developers, testers and performance teams to work in parallel for faster delivery and higher application quality and reliability”
DevOps and Change Control (sdncentral) -> A rhetoric and some guidance on ‘if everything’s constantly changing, how do we manage and track the change?’
Why DevOps Matters To The CIO (contino) -> “technology that can be used to innovate and succeed in a competitive marketplace… the challenge of delivering technology that enables their business to succeed… DevOps is a movement and set of best practices that has a lot of value for the CIO who is operating against this backdrop.” Effectively a DevOps sales pitch to a CIO. *
How to Celebrate DevOps Success (ranger4) -> “So what might a DevOps SMART goal look like?” Metrics and rewards acting as a stimulus for successful DevOps…? Status, Certainty, Autonomy, Relatedness and Fairness (SCARF) needs to be looked at in each person’s role/group of people in the eyes of this writer.
DevOps: The Operational Amplifier (DevOps Journal) -> “Maintenance windows exist in the enterprise, after all, to manage expectations with respect to downtime and disruption specifically because of the interdependent nature of enterprise applications…..The thing is, these numbers are only going to get worse as the Internet of Things continues to put pressure on organisations” This article takes a look at the unaligned growth of IT services vs. the people operating said services. DevOps can be the tool, the ‘amplifier’ to allow a few Ops folks to manage a world of [near] exponential growth. “That means APIs – strong APIs – as well as extensibility and flexibility. Infrastructure cannot remain rigid and static in an environment that is rapidly changing. It must be dynamically configured, extensible, and imminently flexible.” *
Testing in a Continuous Delivery world (SD Times – Rob Marvin) -> “If there’s one overarching principle, it’s to automate everything” This article gives a good indication of the anticipated push of automation through the entire stack from a SDLC perspective. We at Cisco talk about automating at an infrastructure level but tying full software revision control inclusive of infrastructure services is where things are heading… i.e. Regression testing is mentioned in this article – if I regress my software, I’d like to regress the infrastructure state below it… in an automated fashion…

DevOps Collections #1

Leave a reply

DevOps continues to heave itself up the hype bell curve and with that there are some very interesting reads out there. I put the list below together for my team at work, it’s a summary of recent articles that touch on different sub-areas of DevOps. I’ve added notes so that you can be selective with your reading. I’ve also put * against the reads to maybe prioritise if you’re hard pressed for time.

Two Ways DevOps Unlocks the True Potential of Agile -> Practical thoughts on how DevOps aids software getting people where they need to be in the Software Development Lifecycle (SDLC).
IT Teams Thriving with DevOps -> Slides covering DevOps in numbers and the cultural aspect of the change.
Security considerations for DevOps adoption -> IBM on the practicalities of incorporating good security practices into a DevOps model. They identify how open source software use and lessened checking of the software chain introduces risk. There’s also the human factor in a more ‘relaxed’ and collaborative approach (malicious and non-malicious).*
DevOps, ITIL, and Operability -> An extract from their free eBook ‘Software Operability: a DevOps cornerstone HighOps’. This delves into the operational impact on an IT org inc. managing change control etc. It also touches on “CAMS” which is based on the CALMS model (i.e. minus the L[EAN]).
Applying Lean and DevOps for better business outcomes -> A good holistic view of DevOps. An interesting mention of “IBM DevOps Subject Matter Expert (SME)”. Along with the ‘DevOps engineer’ job role there is clearly an effort to separate the skill set associated with DevOps.
Exploring the ENTIRE DevOps Toolchain for (Cloud) Teams -> The entire swiss army knife of tools for end-to-end systems thinking ideology against IT.*
The Rise of the DevOps Movement -> Timeline and current day ‘where are we?’
John Willis on the “State Of The Union” for DevOps -> The link between Agile -> DevOps -> Software-defined and the impact on infrastructure from a modularisation and abstraction perspective.
What’s Trending with DevOps Tools: A Study Using Google -> A look at the rise (and fall) of tools associated with the movement. Fair to say Docker growth is beyond exponential…
DevOps vs Outsourcing -> Particularly apt. in PubSec – how do the two come together? I’d say with great great difficulty…*
“sprint based mini-IT teams” is the future IT structure -> IT teams of the future?*
ING Netherlands’ Measured Improvements on Transition to DevOps -> Interesting graphs and numbers to back up the effort behind change.*
Intersections: People, Process and Code -> “Application monitoring and load testing should not be considered the end of a release process. It is just the beginning. Over time, the results from multiple tests and releases in production will show how well your overall deployment process is working.” – Data and information feedback loops…

If you wish to read something that takes you on a bit of a ‘business view, real world’ journey through ‘Why DevOps, what does it deliver, etc.’, I can recommend The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win. It’s actually a candidate for bedtime reading without the person (i.e. me on this occasion) telling you so with a smirk on their face!

Give me what you’ve got!

Leave a reply

Application Centric Infrastructure (ACI) gets me as giddy as UCS did, here’s a great demo video very recently published:

We’ll be looking at ACI from a number of different angles over the coming months…

Run that last bit by me again

Leave a reply

Near and far: The image above is a simple representation of the ‘true and absolute’ technical convergence that Cisco’s Unified Computing System (UCS) introduced in 2009. This led to some considerations regarding roles and demarcations between subject-matter expertise (SME) within ICT Departments/Organisations.

Consolidation, rationalisation, convergence.. whatever apt/buzz word you want to use, ICT has continuously made use of this general concept to move things forward and be more efficient. From Cisco’ s Architecture for Voice, Video and Integrated Data (AVVID) way back when to LAN and SAN convergence underpinned by the innovation around Data Center Bridging (DCB) and to a certain extent IP-based storage protocol evolution, there are benefits to customers and vendors when moving forward using this general construct. Vendors can focus their R’n’D, engineering and support efforts on what matters (and also monetise innovation), customers and providers can ‘do more with less’ and more-easily adapt to the ever changing nature of their business or sector.

A couple of general technical themes that slim technology down are 1) Modularisation (inc. ‘re-use’) and 2) Taking an [often physical] element and emulating it in a new logical form, whether that be abstracted over a [new?] common foundation or by merging two elements using the ‘pros’ of both/all existing paradigms and [hopefully] dropping the things that aren’t so good.

Other than the maturing of these technical shifts, humans are without doubt the main hurdle to deal with. If we take Voice, Video and Data convergence in the ‘noughties’ we were taking very distinct areas and bringing them together with one area appearing more influential; a case of adapt or risk becoming irrelevant -> individuals with positive and/or negative intent went against the grain… Back in the DC, UCS didn’t necessitate anything quite as a drastic as that but there is/was potentially at least some blurring of the lines.

One point of control, three areas of expertise… you choose the demarcation lines between humans (if any):

Holistically speaking:

In addition to some obvious reasons for the lack of a need for severe changes around the alignment + skills of people when adopting UCS, there was also a shift in how we interfaced with the infrastructure… and that’s really the crux of this post and what will make new systems and market shifts easier and easier to adopt…

UCS introduced a clear single point of control with an associated API for Compute, LAN (Access) and SAN (Edge/Initiator). Other than the obvious uses of this API; Unified Computing System Manager itself (i.e. the tabs above) and other mainstream software packages with wider remit, we have seen ‘raw’ applications of the native HTTP-based interface and also some adoption of a Microsoft PowerShell option that wraps common API calls into “cmdlets”.

One of the notable differences between convergence today and the convergence of the past is an ‘alleviation’ offered by programmability and standardised scripting + automation. Taking a broader look at expertise areas, there has been a ‘meet in the middle’ occurring between Infrastructure teams and Programming & Development teams (i.e. not only within the infrastructure bit). This effort to meet in the middle encompasses some skills development focused on common and universal ways for people from different ‘infrastructure’ SME backgrounds to be more similar to each other than in the past.

i.e. Less of this 😉 (image courtesy of a very talented colleague…):

Ok ok I get it!… an example please?

Let’s take the creation of a UCS Service Profile. I’m a Network SME… I might create these items so that they can be used within one or many Service Profiles:

A new org/container.
Segments (aka VLANs today) to be supported northbound of UCS and made available within the system.
MAC Address Pools – Using ‘my own’ prefixes so that I can identify zones/workload-types in a granular and structured way vs. standard non-hierarchical defaults.
virtual Network Interface Card (“vNIC”) templates and their associated characteristics such as the VLANs trunked to the OS/Hypervisor, QoS policy, pinning policy, etc.
“Dynamic Connection Policies” to bring together a multi-vNIC connection profile that can be associated with a given x86 node/service profile/service profile template (e.g. ‘I want those pre-defined 6 x vNIC templates and those pre-defined 2 x vHBAs as an over-arching template’).
etc.

I’m a Compute SME… I will make use of the items created by the Network SME (and others from a Storage SME) and add to them to complete a Service Profile (or SP Template):

UUID Pools – Using ‘my own’ prefixes so that I can identify zones/workload-types in a granular and structured way vs. less-structured ‘burned-in’ defaults.
Re-usable BIOS policies for different workloads.
Boot-order configuration templates inc. boot-from-SAN for different workloads.
Full firmware packages.
A Service Profile Template including an option from each of the above and a pre-defined dynamic connection policy (or selected vNIC/vHBA templates).
Individual Service Profiles spawned from a Service Profile template.
etc.

However, if both SMEs wished to interface using the UCS HTTP-based API they could adopt an approach using Microsoft PowerShell (aka “UCS PowerTools” in this case). Here’s a subset of configuration from each of the lists above:

Network SME:

Compute SME:

It all looks pretty consistent to all people involved now doesn’t it? Static text mixed with variables for the bits that we want to define… all ‘translatable’ if read through to most involved. The same would apply if we used XML/JSON and a REST/SOAP mechanism instead… which I will detail further in my next post (a bit too much for this one). These common and universal ways of interfacing with the system(s) can often make it easier for people of different backgrounds to interpret what other SMEs are having to consider and therefore configure. The view is of the ‘basic requests’ and not of the complexity associated with the old/existing views into technology silos… inc. GUIs and the frightening introductory view that they give!

Humanised security and the real world

Leave a reply

TIL opening up the possibility of abstracted security policies probably produces just as many questions as it does answers.

There is often a big bonus to be had from having people from multiple areas of expertise in the same room when they share a common goal but have their own institutionalised view on the uniques of their organisation and the IT platform(s) hosting their apps. In the case of a particular meeting I was involved in (and I will mention that I’m not typecasting the people involved into the rather blunt description above!), it made approaching the realities of moving from a data centre security model historically defined by the traditional coupling of endpoint ‘location’ and ‘identity’ to one that doesn’t have that “burden”. This new option could potentially be put under the huge umbrella of ‘software definition’ which, metaphorically speaking, is now an umbrella that has the niagara falls crashing on top of its 2 square mile surface area with a 4 foot tall man cowering underneath!.

On a basic level, the advent of distributed virtual firewalling (and the diminishing no. of designs based on a multi-context service module approach) has addressed:

The problem of hairpinning through an aggregatory/central stateful device to support a virtualised server and desktop workload environment.
The avoidance of larger sizing of firewall appliance(s) when compared to historical sizing (i.e. this includes paying more than we have in the past). This would be needed to deal with additional East-West [10GE] firewalling in a virtual environment hosting multiple security [sub-]zones.
The ability to position multiple firewall ‘contexts’ close to the virtual workload on commodity x86 hosts… tied to the workload in fact… thus, they’re also mobile and potentially mult-tenant in nature.

In addition, the close proximity to the virtual workload has also added the ability to understand and tie-in with the platform that it sits upon better – i.e. the hypervisor. It’s possible to define policy based on ‘humanised’ items such as definitions that we put in names and IDs. For example, very simply put, the name given to a virtual machine could automatically cause it to inherit a pre-defined security policy. The identity of the endpoint and its location are then separate. We’re no longer talking about IP host addresses + prefixes when agreeing on where to position or drop VMs. A server/virtualisation subject matter expert (SME) is no longer potentially looking for the path of least resistance because ‘we know that a virtual network in the drop-down list for vNICs is pinned to a firewall ACL more open than the one above it in the drop-down list’… ‘I just want want to get this working’ is perfectly understandable.

The questions though… How do I take my existing E-W associated firewall policy and migrate it into this new world? Do I mimic it all? Do I standardise more general options and drop into those? Would that actually work? When the automation engine or an administrator drops a VM into a given virtual network how can I wrap a security policy around that without adding new rules and policy each time?

It’s much easier when I have a blank canvas-style shiny new data centre or all of the services/apps/’tenants’ are completely new!

An attempt at answering the above from a Systems Engineer’s perspective…

…based on currently shipping Cisco products such as Cisco Nexus 1000v and Cisco Prime Network Services Controller + Cisco Virtual Security Gateway.

There is a possibility that this effort is part of a larger DC-related project. A move of security policies may have to include historical definitions of firewall rulebase as other bigger shifts in the DC architecture are quite frankly enough to handle. We have existing VMs with a naming standard but its not always as granular or ‘selectable’ as what we’d prefer.

My feeling is that the process could look like this:

The idea above tags workload in order to identify it easily while not initially linking to any definition of policy. Nothing is broken by the names of port-profiles but you have an identifier readily available for when you need it (which comes in the latter stages of the flow above). We can collect the port-profiles and other attributes in groupings (which go by the name of “vZones”) ready for use when needed but a ‘big bang’ approach hasn’t been necessitated up front.

Opinions may differ:

I’m fully aware that my thought process around this subject may go against the thoughts of my peers, individuals or collectives more observant than I and those that have visited this subject a few times more than I. I’d be interested to hear just what you think about this. If we look at the future of application hosting you have to feel that this step change is necessary, how different organisations choose to get there will of course differ.

Supporting background information in the blogosphere and t’internet:

A brief port-profile introduction
A more in-depth overview
IP Space VSG 101

p.s. For those looking at CLI and thinking ‘Tut’, there are APIs available!

	chandu230 on A blogger’s perspective…
	Devops Course on DevOps Collections #4
	visualpath on DevOps Collections #3
	Capturing DevOps… on Capturing DevOps – Part…

…snapshots of relevance…

Data Centres , Clouds, and Apps

Category Archives: Virtualization

DevOps Collections #3

DevOps Collections #2

DevOps Collections #1

Humanised security and the real world

TIL opening up the possibility of abstracted security policies probably produces just as many questions as it does answers.

An attempt at answering the above from a Systems Engineer’s perspective…

Opinions may differ: